Scams in superannuation: Integrating operational and strategic resilience

Key takeaways for the Superannuation Industry

ASIC’s call to action

In its Open Letter, ASIC requested superannuation trustees to take the following actions:

• Conduct a preliminary assessment of anti-scam and anti-fraud measures, including for services provided by external administrators.
• Address the baseline measures set out by ASIC in REP 761 and REP 790 on scams in the banking context, as well as areas of risk and weakness identified in the Open Letter (e.g. identifying flags where a member may have been tricked into certain transactions such as transferring funds out of their superannuation account).
• Consider whether it is appropriate to allocate the scam (and fraud) management key function to an accountable person under the Financial Accountability Regime (FAR).
• Leverage industry bodies and bilateral relationships for information sharing and uplift industry standards on scams.

More broadly, one of ASIC’s strategic priorities is advancing digital and data resilience and safety, including by focusing on business, cyber and operational resilience.⁴ Consistent with this focus, ASIC has demonstrated a willingness to take enforcement action against financial institutions when it has concerns about their ability to protect customers from scams.

Interconnectedness of various regimes

Although the SPF has not yet extended to the superannuation industry, trustees can leverage policies and processes developed for compliance with current regimes to identify and manage scam risks. Trustees should revisit their existing compliance frameworks to gain insights into scam risks throughout their service offerings (including risks from third-party contractors), and should determine how to best manage such risks.

For instance, we discuss below how trustees can make use of their frameworks and/or data obtained from processes developed to comply with ASIC’s Regulatory Guide 271, the Financial Accountability Regime (FAR), and APRA’s Prudential Standard CPS 230 to shape their approaches to uplifting protections against scams.

Complaints handling procedures

To identify any patterns, emerging trends and vulnerabilities within their operations to combat scams, superannuation trustees should revisit whether staff are adequately trained to identify and record complaints, and should conduct systematic analysis of the data obtained from their internal complaints systems under ASIC’s Regulatory Guide 271.

Ongoing analysis and reporting of aggregate complaints data to senior management will support both a proactive and holistic assessment of a fund’s exposure to scams which can, in turn, inform strategic decisions on risk management and how internal controls are to be improved. For instance:

• Complaints can provide useful details on how scammers are targeting members (e.g. phishing, identity theft, impersonation of staff).
• Demographic data attached to complaints may identify if certain member segments (e.g. age, cultural background, location, account type) are particularly exposed to scams.
• System or process vulnerabilities may be revealed where complaints suggest inadequacies in, for instance, processes of the superannuation trustee or any outsourced service providers, communication channels, or online portals (e.g. the lack of multi-factor authentication⁵.).
• Time sensitive analysis may reveal any seasonal fluctuations of scam activities and whether increases are potentially linked to broader events (e.g. financial year cycles, regulatory or economic changes, cyber incidents).

This analysis can assist in drafting member communications to raise awareness, in upgrading detection or monitoring systems and internal controls in response to identified vulnerabilities in processes or systems, and in shaping strategic decisions around fraud and operational risks (including the extent to which contracted third parties are increasing the exposure to the risks of scams and what additional measures are required to guard against those risks).

Accountability and governance

The FAR commenced for superannuation trustees from 15 March 2025. The FAR imposes a strengthened responsibility and accountability framework for entities in the banking, insurance and superannuation industries and for their directors and senior executives. Designed to uplift the risk and governance cultures of Australia’s financial institutions, the FAR highlights the continued regulatory focus on scam management, which is identified as a “RSE licensee key function”. The FAR reinforces the need to ensure that scam management is approached from a governance and conduct perspective, with board-level focus and responsibility embedded into key risk frameworks, especially where cyber incidents and outsourcing to third party service providers have become commonplace. The Open Letter has specifically requested superannuation trustees to “consider whether it is appropriate to allocate the scam (and fraud) management key function to one of your accountable persons”.

Where a FAR accountable person has been designated to oversee scam management, it is important that supporting frameworks are embedded to maximise impact – for instance:

• Mapping clear reporting lines and establishing escalation channels to ensure appropriate escalation of scam activities and trends gathered by various business units (e.g. through internal complaints data, monitoring tools, regular audits). This informs strategic decisions to invest in improving policies, processes and technology.
• Establishing protocols to ensure the accountable person can coordinate efforts across teams to effectively respond to scam incidents and manage stakeholder communications, given these incidents often involve multiple teams (e.g. customer service, fraud, legal/compliance).
• Investing in ongoing education to drive a culture of vigilance throughout the business and member population to help swiftly identify and guard against scams.

Operational risk management

Superannuation trustees have traditionally relied on external providers to deliver various services, such as IT support, administration and investment management. While outsourcing can present a range of benefits for superannuation trustees, the decision to outsource and the choice of service provider can directly affect member outcomes. The imminent commencement of APRA’s Prudential Standard CPS 230 from 1 July 2025 means it is imperative that superannuation trustees focus on strengthening their operational risk management, particularly in relation to third/fourth party oversight.

Vulnerabilities in outsourced providers’ processes or systems are prone to be exploited by scammers. As part of their CPS 230 compliance efforts, superannuation trustees should focus on specific scam protection measures such as:

• Conducting adequate due diligence on outsourced service providers in key areas including scams prevention, fraud detection and monitoring, cyber security and data protection (e.g. real-time alerts to notify members of account activities such as withdrawal requests), and incident management and escalation.
• Ensuring there are robust contractual mechanisms in place to conduct ongoing monitoring and regular audits, performance management, information sharing and notification requirements to inform the superannuation trustee of any scam-related incidents which may affect members.
• Verifying how the service provider manages its own subcontractors and ensuring that their security practices are sound.

Lessons learnt from other jurisdictions

While jurisdictions tend to manage the rising threat of scams in different ways depending on local considerations, the Australian superannuation industry can draw on learnings from overseas jurisdictions to tailor their approach to effectively manage the risk of scams.

For instance, in the United Kingdom, The Pensions Regulator’s General Code of Practice issued in January 2024 provides guidance on the obligation for governing bodies of certain schemes to establish and operate an effective system of governance which is proportionate to the size, nature, scale, and complexity of the activities of the scheme. The General Code of Practice provides specifically that internal controls include taking appropriate steps to mitigate the risk of scams, and relevant entities should take various measures such as:

• Ensuring they are aware of warning signs of a scam
• Checking whether there are such signs when a member requests to transfer or withdraw their benefits
• Carrying out due diligence on the recipient scheme to which a member wishes to transfer their benefits
• Ensuring members are educated of the risks of pensions scams, such as through providing clear information on how to identify a scam in member communications, and including website warnings to alert members of the risk of scams

Conclusion

Scammers, who often operate on a global scale across multiple jurisdictions, are constantly adopting new ways to get their hands on members’ assets or steal their identity. Superannuation trustees that adopt a forward-looking approach to effectively integrate an interconnected scams prevention regime into their operations will not only be supporting their members’ best interests by reducing losses due to fraud, but will be better placed to maintain their members’ trust and have a stronger and more resilient fund.