Issue 612, 16 November 2016
In this issue:
- ASIC industry funding model: further consultation
- Enhanced governance requirements for super trustees
- Budget tax measures: bills introduced
- Objective of super: Bill introduced
- SuperStream: standards amended
- APRA on risk culture
- Information security: APRA expectations
- Information security and SuperMatch2: ATO comments
- AUSTRAC risk assessment of superannuation sector
- Record-keeping obligations for financial services licensees: ASIC clarification
ASIC industry funding model: further consultation
The government has released a second consultation package on a proposed industry funding model for ASIC, following on from its initial consultation in late 2015 (see ASFA Action issue 578).
The package updates ASIC’s proposed model for annual industry levies and revised fees-for-service. It also provides details of ASIC’s costs of regulating each sector and the metrics for how the proposed levies could be calculated for each sector. The funding model is intended to apply from the 2017/18 financial year onwards.
If you have any feedback on the proposed funding model that you would like ASFA to consider including in our response, please forward it to Andrew Craston by close of business Friday 2 December.
Enhanced governance requirements for super trustees
On 3 November 2016, APRA released updated governance requirements for APRA-regulated superannuation trustees (RSE licensees) with a final revised prudential standard and prudential practice guide on governance.
The amendments to the prudential standard SPS 510 include requiring RSE licensees to have in place a governance framework which sets out policies and procedures to support effective governance practices, and requirements for these policies to address the nomination, appointment and removal of directors, board renewal, director tenure limits and board size.
The prudential practice guide SPG 510 has been updated to clarify APRA’s expectations regarding key governance practices, to support the new requirements set out in the prudential standard.
The revised SPS 510 will take effect on 1 July 2017. APRA expects RSE licensees to consider the updated guidance in SPG 510 immediately.
Budget tax measures: bills introduced
On 9 November 2016, the government introduced the Treasury Laws Amendment (Fair and Sustainable Superannuation) Bill 2016 and the Superannuation (Excess Transfer Balance Tax) Imposition Bill 2016 into the House of Representatives. The bills implement many of the superannuation changes announced in the May 2016 Budget (see ASFA Action issue 601).
Changes from the Exposure Draft legislation include that, with respect to the transfer balance cap
- members now have 60 days to make an election to commute or object
- if the excess transfer balance is less than $100k, and is caused by an existing income stream as at 1 July 2017, the member now has six months to rectify.
The Bills have been referred to the Senate Economics Legislation Committee for report by 23 November 2016, with submissions closing on 17 November 2016.
Objective of super: Bill introduced
On 9 November 2016, the government introduced the Superannuation (Objective) Bill 2016 into the House of Representatives. The Bill seeks to enshrine in law that the objective of the superannuation system is to provide income in retirement to substitute or supplement the Age Pension.
As outlined in our submissions to the government’s April 2016 consultation paper and September 2016 exposure draft legislation, ASFA continues to be strongly committed to the formalisation of an objective for superannuation that reflects the core purpose of the system in providing adequate retirement outcomes for all Australians.
The Bill has been referred to the Senate Economics Legislation Committee for report by 14 February 2017.
SuperStream: standards amended
The ATO has registered the Superannuation Data and Payment Standards (Payments and Information from the Commissioner of Taxation) Amendment 2016 to amend the SuperStream data and payment standards.
The amendment requires trustees to be ready to interact with the Commissioner of Taxation under the SuperStream standards in relation to a range of amounts, including unclaimed superannuation, low income superannuation contributions, and superannuation guarantee amounts.
A range of effective dates will apply. The Rollover Version 2 Message Implementation Guide and Contribution Version 2 Message Implementation Guide give more detail on the timeframes and scope of the transactions.
APRA on risk culture
On 18 October 2016, APRA released an information paper: Risk Culture, providing a snapshot of current practice in risk culture in a range of superannuation, banking and insurance businesses.
The paper notes that while there has clearly been a stronger focus on risk culture in recent years amongst APRA-regulated institutions, continued effort and ongoing attention is required by institutions to better understand and manage their risk cultures.
The paper is an outcome from an ‘information gathering’ exercise conducted by APRA from late 2015. APRA’s key conclusion from the exercise is that approaches to understand and manage risk culture are still at a relatively early stage of development. Other findings included:
- most APRA-regulated institutions’ efforts have focussed on understanding and assessing the current state of risk culture
- many institutions are grappling with how best to clearly articulate what type of risk culture they aspire to, identify any specific weaknesses in their current risk culture, and effectively address those weaknesses
- approaches to understand and manage risk culture varied by institutional size, business mix and complexity
- larger institutions noted that their size and complexity introduced additional challenges, particularly regarding the greater prevalence of sub-cultures — as a result, their efforts were often segmented, typically by geography or business unit
- there is agreement on the central role of leadership in shaping and driving organisational and risk culture.
APRA Chairman Wayne Byres said that while APRA “cannot regulate sound risk culture into existence, it will apply greater supervisory intensity to institutions that are either unwilling or unable to address behaviours that are inconsistent with prudent risk management practices.”
APRA will also continue to work to identify practices that are associated with sound, and less sound, risk cultures, and share these observations with regulated institutions and other stakeholders.
According to the paper, APRA’s future priorities in the area of risk culture include:
- conducting a range of initiatives to maintain the prominence of risk culture within regulated institutions
- refining and sharpening its approach to assessing risk culture, including through pilot risk culture reviews, to achieve a more anticipatory supervisory approach
- reviewing industry remuneration practices to gauge how well existing requirements are being implemented and how they are interacting with the risk cultures of regulated institutions.
Information security: APRA expectations
On 31 October, APRA wrote to all RSE licensees outlining its expectations regarding management of the risks arising from the implementation of innovative new business practices, including aspects of administration, communication and account consolidation practices driven by new technologies.
APRA’s letter makes it clear that it is looking to RSE licensees to ensure that they appropriately identify, assess and manage the risks of new business processes. Importantly, this must include a prudent assessment of the materiality of arrangements with outsourced service providers, with a particular focus on ensuring the security of member data.
Areas of particular concern for APRA include:
- sending of bulk, unsolicited electronic communications requesting members to enter personal data – APRA considers that such activity may undermine the efforts made by financial institutions and the government to educate the public on safe online behaviour (see also the following article, regarding the ATO’s SuperMatch2 service)
- bulk provision of sensitive member data to third parties, for purposes such as administration, communication, account consolidation, business intelligence, customer analytics and marketing – as well as properly assessing outsourcing risk, APRA considers that RSE licensees need to be mindful of the heightened risk posed by bulk extraction of sensitive member data from core administration systems.
While supportive of the wider use of technology to engage members, APRA has reminded licensees of their responsibility to promote the financial interests of members and to ensure that members’ interests are not compromised.
Information security and SuperMatch2: ATO comments
The ATO wrote to fund trustees on 18 October, raising concerns about the risks of using unsolicited email and text messages to communicate with members, particularly when including a link to a website requesting personal or financial information from the member. While supportive of the use of technology, the ATO has reminded trustees that the opportunities must be balanced against any security risks that are created.
The ATO’s concerns arose in the context of practices adopted by some funds in relation to use of the ATO’s SuperMatch2 service, which provides trustees with information to help them consolidate members’ accounts. The ATO’s review was initiated when it became aware that solutions used by some funds did not appear to fully comply with the self-certification requirements for allowing members to transact with the SuperMatch2 service through member portals. The ATO wrote to trustees on 18 October, identifying three specific issues with the observed practices – the use of email and SMS to interact with members, compliance with the requirement to know the client, and the need to ensure information provided by the ATO is fully displayed to members. As a result of its review, the ATO has clarified the terms of use for SuperMatch2.
The ATO’s letter also highlights a more general concern about communicating with members via unsolicited emails and texts. While the ATO acknowledges that this is a common electronic direct marketing technique, it has warned trustees to ensure they manage the risk of members becoming susceptible to phishing behaviour as a result of the interactions they use.
The ATO notes that industry practice manages this risk by ensuring links provided in unsolicited emails do not request personal or financial information from the member, and take the member to the fund or bank website home page – enabling them to have an interaction with the normal trustee member services portal. This also allows the member to go to the home page by typing the address in the address bar of the browser without using the link provided. The ATO considers that activities which do not follow these common industry practices create risk for the member.
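The link practice the ATO describes can be checked mechanically before a bulk communication is sent. The following is an added example, not code from the ATO, APRA or any fund: it scans an email template and reports any link that is not an https link to the fund's own home page (root path, no query string or fragment that could carry a member-specific token), and flags templates that themselves contain form or input fields asking the member to type in data. The host name `www.examplefund.com.au`, the sample templates and the function names (`check_link`, `check_template`) are all constructed for illustration.

```python
"""Check outbound member-communication templates against the link practice
described in the ATO's letter: links in unsolicited email must not request
personal or financial information and should land on the fund's home page.

Hypothetical example, not ATO or fund code. The fund host name and the
sample templates are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FUND_HOST = "www.examplefund.com.au"  # constructed placeholder, not a real fund


class _TemplateScanner(HTMLParser):
    """Collects href targets and notes any form or input element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.collects_data = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        if tag in ("form", "input", "textarea", "select"):
            self.collects_data = True


def check_link(href, fund_host=FUND_HOST):
    """Return a list of policy findings for one link (empty list = compliant).

    The home-page rule from the letter is applied strictly: https, the fund's
    own host, root path, and no query string or fragment that could carry a
    per-member token or pre-fill personal details.
    """
    findings = []
    parts = urlsplit(href.strip())
    if parts.scheme != "https":
        findings.append("not https")
    if parts.hostname != fund_host:
        findings.append("host is not the fund home page (%r)" % parts.hostname)
    if parts.path not in ("", "/"):
        findings.append("deep link %r instead of home page" % parts.path)
    if parts.query or parts.fragment:
        findings.append("query/fragment present (possible member-specific token)")
    if parts.username or parts.password:
        findings.append("userinfo in URL (look-alike address)")
    return findings


def check_template(html, fund_host=FUND_HOST):
    """Scan an email template. Returns {href: [findings]} for each
    non-compliant link, plus a 'body' entry when the message itself asks
    the member to type in data. An empty dict means the template is compliant."""
    scanner = _TemplateScanner()
    scanner.feed(html)
    report = {}
    for href in scanner.links:
        problems = check_link(href, fund_host)
        if problems:
            report[href] = problems
    if scanner.collects_data:
        report["body"] = ["template contains a form or input field requesting data"]
    return report


# Constructed sample templates (not real fund communications).
GOOD_TEMPLATE = """<p>Log in to your account at
<a href="https://www.examplefund.com.au/">www.examplefund.com.au</a>
or type the address into your browser.</p>"""

BAD_TEMPLATE = """<p>Confirm your details to consolidate your super:</p>
<a href="http://examplefund-consolidate.com/verify?member=12345#tfn">Click here</a>
<form><input name="tfn"></form>"""

if __name__ == "__main__":
    for name, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(name, check_template(tpl) or "compliant")
```

The compliant template links only to the home page, so the member can reach the same page by typing the address themselves, which is the point of the practice the ATO describes. The second template fails on every rule at once: plain http, a different host, a deep path, a member identifier in the query string, and a form requesting a TFN inside the email itself.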
AUSTRAC risk assessment of superannuation sector
On 31 October 2016, AUSTRAC published the first money laundering and terrorism financing (ML/TF) risk assessment into Australia’s superannuation sector, identifying a range of opportunities for the sector to “further harden itself against threats”.
The report notes that while AUSTRAC assesses the overall ML/TF risk for superannuation as medium, the sector—as with the whole financial sector—is facing unprecedented technological and other changes, and therefore increased vulnerability to criminality.
Key points from the report include:
- fraud is by far the most commonly identified crime affecting superannuation funds
- cybercrime is a key growing threat, with some funds seeing almost daily attempts to hack accounts for information or funds access
- cases of falsified documents and attempted illegal early release of superannuation savings are common
- other suspicious matters reported to AUSTRAC by funds include potential tax evasion, unusual account activity, unusually large transfers and unauthorised account transactions
- terrorism financing is a limited but emerging threat, with instances of foreign terrorist fighters, who are generally self-funded, having accessed superannuation accounts to finance their activities.
Announcing the release of the report, the Minister for Justice said many funds in the sector are aware of these criminal risks and have “demonstrated a commendable willingness to work with AUSTRAC to ensure safe environments for customer’s super funds – now and into the future”.
Record-keeping obligations for financial services licensees: ASIC clarification
ASIC has clarified the record-keeping obligations of Australian financial services (AFS) licensees when giving personal advice.
ASIC Corporations (Amendment) Instrument 2016/1006, registered on 26 October, amends class order [CO 14/923] Record-keeping obligations for Australian financial services licensees when giving personal advice.
The amendments to the record-keeping obligations:
- place beyond doubt that AFS licensees must have access to records for the period of time in which the records are required to be kept, even if a person other than the licensee holds the records; and
- make explicit that authorised representatives who are advisers must keep records, and give the records to their authorising licensee if the licensee requests the records for the purposes of complying with financial services laws.
Although the amendments clarify, rather than amend, the record-keeping obligations, ASIC recognises some licensees may nevertheless need to make changes to their systems as a result of the class order. As a result, ASIC will take a facilitative compliance approach for the first six months in relation to the obligation on advice licensees to ensure that they have access to records, where licensees make a good-faith attempt to comply with the obligation. The facilitative compliance period will end on 26 April 2017.
ASIC has also made a minor amendment to [CO 14/923] to restore the original policy intent of the class order, so the exemption to the record-keeping obligations only applies where the modified best interests duty applies.
The amendment to the class order follows on from ASIC’s December 2015 consultation paper CP 247 Client review and remediation programs and update to record-keeping requirements, which sought feedback on proposed guidance on review and remediation conducted by AFS licensees that provide personal advice and clarification to the record-keeping requirements for AFS licensees relating to the best interests duty. ASIC released guidance on review and remediation in September 2016 (see ASFA Action issue 609).