Purpose and scope
This one‑pager summarises Virtus Group’s personnel vetting and criminal background check approach for any person who may access client environments, client data, or sensitive operational information.
It applies to employees, contractors, associates, and subcontractors engaged on client work, including on‑site, remote, and support roles.
- No access to client systems, data, or premises is granted until baseline vetting is complete and recorded.
- Vetting evidence is handled as sensitive information (restricted access, encrypted storage, retention controls).
- Vetting obligations flow down to subcontractors and partners through contractual clauses and onboarding checks.
Baseline checks
- Identity verification: Government-issued ID and address verification.
- Right to work: Where relevant, verify work eligibility.
- Reference checks: Professional references or prior employment verification (role dependent).
- Criminal background checks: NZ Ministry of Justice (MoJ) criminal record check for NZ-based resources, or a functionally equivalent check for non-NZ residents.
Revalidation cadence and triggers
Criminal background checks are refreshed on a fixed cadence to maintain recency and reduce insider‑risk exposure.
- Every 24 months: criminal background check refresh for all engaged resources
- Role change: earlier refresh where a role changes to include increased privilege or access to sensitive data
- Incident trigger: earlier refresh or additional checks where a security, conduct, or integrity concern is identified
- Access change: privileged access requires explicit approval and may require additional verification
Offshore and distributed resources
Where offshore resources are engaged, we apply the same baseline and revalidation expectations using local equivalents.
- Documented jurisdiction (country of residence) and check type used (local police/justice authority or approved provider)
- Evidence of recency (≤ 24 months) and translation/interpretation if required
- Access restrictions where equivalence cannot be demonstrated (e.g., no client data access, no privileged roles)
- Remote‑work safeguards: screen‑lock, privacy practices, and secure workspace requirements
We do not currently have offshore personnel. Any offshore engagement is communicated and recorded, and access is limited to what is strictly required for the engagement, with enhanced monitoring where applicable.
Assurance, records, and access safeguards
We maintain a controlled register of vetted personnel (name, role, check date, next due date) and can provide an attestation statement on request.
To mitigate incidental exposure risks (e.g., shoulder‑surfing), we enforce workspace and device controls for all staff.
- Workstation hardening: MFA, full‑disk encryption, auto‑lock, and password manager usage
- Workspace controls: clean‑desk/clear‑screen, restricted visitor access, and no visible sensitive material
- Separation of duties and least‑privilege access, with time‑boxed elevation where feasible
- Offboarding: access removed promptly and client artefacts returned or securely destroyed per contract
Record keeping and privacy
- Evidence of screening completion is recorded (date, type of check, outcome status). Where feasible, sensitive documents are minimised; confirmation of completion is preferred over retaining full reports.
- Records are stored securely with least-privilege access, and retained only as long as required for operational and contractual needs.
Adverse findings, exceptions, and decision rights
- Adverse findings are assessed using a documented risk review (role sensitivity, recency, relevance, and mitigation options).
- Exceptions (if ever needed) require senior approval and are documented, including compensating controls (e.g., reduced access scope, increased supervision, or removal from the engagement).
Governance
- Personnel screening and refresh schedules are managed by Virtus Group leadership and are subject to periodic internal review.
- Engagement onboarding includes confirmation that assigned resources meet the applicable screening requirements.
Commitment: Virtus Group performs baseline criminal background checks for all resources and refreshes those checks at least every 24 months, with additional checks triggered by role changes or elevated risk indicators.