Issue 872, 11 October 2022
In this issue:
Optus data breach: data sharing between Optus and APRA-regulated entities
Following the widely reported Optus data breach, the Government has announced that it has prepared amendments to the Telecommunications Regulations 2021. These are designed to allow Optus and other telecommunication companies to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities.
The amendments will enable:
- telecommunications companies to temporarily share approved government identifier information (such as driver's licence, Medicare and passport numbers of affected customers) with regulated financial services entities, to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach
- Optus to share identifiers with Commonwealth, state and territory agencies, to assist them in detecting and preventing fraud.
The Government has indicated that the proposed regulations include strong privacy and security safeguards to ensure that only limited information can be made available for certain purposes. These include stipulations that:
- information can only be used for the sole purposes of preventing or responding to cyber security incidents, fraud, scam activity or identity theft
- entities that wish to receive the data must provide written commitments to the ACCC that they will comply with their obligations under the Privacy Act 1998, attest to APRA that they meet the relevant information security standard, and confirm in writing that the information they are seeking is necessary and proportionate
- approved recipients must satisfy robust information security requirements and protocols for any transfer and storage of data
- information received must be destroyed once it is no longer required.
The proposed regulations themselves have not, at this time, been released.
APRA has published some frequently asked questions (FAQs) in relation to the announcement. These indicate that:
- it is proposed that APRA-regulated entities, excluding branches of foreign banks, may choose to opt in to receive the Optus data. The process will require a financial services entity to provide written attestation to APRA that the data will be managed in accordance with Prudential Standard CPS 234 Information Security
- the CPS 234 attestation will require that, “Once the legislation is passed, the entity will meet, on an ongoing basis, the principles and requirements of Prudential Standard CPS 234 Information Security, in relation to the data it receives from Optus.”
APRA has advised that it will update the FAQs as the initiative progresses.
AUSTRAC has also encouraged reporting entities to consider implementing controls to respond to the increased risk of identity theft, including when accepting new customers and monitoring for existing customers who may have had their personal data compromised.
APRA heatmap FAQs
APRA has released new and updated frequently asked questions (FAQs) on the superannuation heatmaps, with the 2022 MySuper and Choice Heatmaps to be released in December.
The FAQs confirm:
- the list of reporting forms APRA will use for data to generate the heatmaps
- the use of data for historical reporting periods up to 30 June 2022 for the ‘investment returns’ and ‘sustainability of member outcomes’ metrics, and data as reported at 1 October 2022 for the ‘fees and costs’ metric
- the inclusion in the Choice Heatmap of multi-sector investment options in choice products in the accumulation phase, with standard fees and costs arrangements, excluding options offered on platform investment menus.
APRA Insight: managing outsourcing arrangements
APRA has published an Insight article on the outcomes of its recent thematic review into superannuation trustees’ outsourcing arrangements.
APRA’s review found that, since the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, trustees have strengthened their board oversight and monitoring of outsourcing arrangements and service providers.
The thematic review, conducted between February 2019 and October 2021, involved an in-depth review of the management of outsourcing arrangements across a sample of 10 retail superannuation trustees. The review covered four key services – administration, financial advice, investment management and insurance – across the sampled trustees.
APRA’s key observations focus on three areas:
- assessment of service providers’ value-for-money – trustees should understand and challenge existing cost and service standards, not simply justify the status quo
- measurement and monitoring of service providers’ performance – trustees should have timely, reliable reporting that balances value, compliance, quality and efficiency
- oversight of service providers – trustees should ensure they are adequately supported in the oversight of outsourcing arrangements by skilled and capable personnel.
The Insight article includes ‘better practice’ and ‘poorer practice’ examples for each of these three areas.
APRA has noted that the findings from the thematic review have informed draft CPS 230 Operational Risk Management and will also be used to develop guidance to accompany CPS 230. (APRA is currently consulting on draft CPS 230, see ASFA Action issue 862 for background.)
WA de facto family law super splitting: social security instrument
As reported in ASFA Action issue 870, amendments to Commonwealth and Western Australian (WA) legislation commenced on 28 September to extend the family law superannuation splitting regime to separating WA de facto couples.
The Government has now registered the Social Security Amendment (Family Law—Western Australia De Facto Superannuation Splitting) Determination 2022. This Determination makes consequential amendments to four instruments relating to valuing superannuation income streams for the purposes of the social security means test, to reflect the reforms. The impacted instruments are:
- Social Security (Family Law Affected Income Streams) Principles 2022
- Social Security (Guidelines for Determining Whether Income Stream is Asset-test Exempted) Determination 2022
- Social Security (Retention of Exemption for Asset-test Exempt Income Streams) Principles 2022
- Social Security (Partially Asset-Test Exempt Income Stream – Exemption) Principles 2017.
Treasurer’s Investor Roundtable
The Treasurer has announced the establishment of an Investor Roundtable, “to identify and unlock investment opportunities in national priority areas”.
According to the Treasurer, the Roundtable will “bring together leaders from the investment community including from some of Australia’s largest superannuation funds, the major banks and global asset managers, to identify and overcome barriers to investment”.
The first Roundtable will be held in November, focusing on housing. The discussion will cover topics including:
- addressing barriers to investment within the housing sector
- improving revenue streams and investor confidence in the project pipeline to meet risk and return preferences
- identifying partnership opportunities for government co-investment.
Future roundtables will examine topics including data and digitisation and clean energy.
ASFA REGULATORY WATCHLIST
ASFA’s Regulatory Watchlist (ARW) tracks developments in legislation, inquiries, consultations and other regulatory announcements relevant to superannuation.