Issue 851, 3 May 2022
In this issue:
Superannuation Data Transformation Phase 2 – reminder regarding comments
As reported in ASFA Action issue 849, APRA has commenced consultation on Phase 2 of its Superannuation Data Transformation (SDT) project.
SDT is a multi-year project to enhance the breadth, depth and quality of data collected from the superannuation industry. APRA has released a discussion paper setting out the objectives, scope and consultation process for Phase 2.
In Phase 2 APRA will focus on lifting the depth/granularity of the data it collects across the superannuation industry’s business operations. APRA aims to deliver more comprehensive data on:
- retirement outcomes for superannuation members
- the performance and efficiency of the industry
- governance, risk management practices, fund operations and industry risks
APRA will also identify and discontinue redundant data collections.
If you have any feedback that you would like ASFA to consider in relation to the SDT Phase 2 discussion paper, please forward it to Fiona Galbraith by close of business Friday 6 May.
Collective responsibility for data security: consultation
On 6 April (just prior to the termination of Parliament ahead of the election), the Government commenced a consultation on data security as part of the ongoing development of Australia’s National Data Security Action Plan.
As part of the consultation, the Department of Home Affairs (DHA) released a discussion paper detailing the nature of the evolving threat environment, outlining existing and developing mechanisms to strengthen resilience, and proposing options to address identified gaps.
The discussion paper seeks to:
- explore with industry, and state and territory governments, how government and business can position themselves to meet data security expectations, now and into the future
- consider how data security responsibilities are best assigned to keep Australians’ data safe
- open discussion on how governments, businesses and individuals can share responsibility for data security in the future to get the best outcome for everyone.
The DHA is seeking submissions by close of business Friday 10 June.
Crypto-assets: APRA’s risk management expectations & policy roadmap
APRA has written to all regulated entities to set out its initial risk management expectations for engaging in activities associated with crypto-assets. The letter also sets out APRA’s policy roadmap as it develops the “longer-term prudential framework for crypto-assets and related activities in Australia in consultation with other regulators internationally, to ensure consistency in approach”.
The letter notes that APRA expects that all regulated entities will adopt a prudent approach if they are undertaking activities associated with crypto-assets, and ensure that any risks are well understood and well managed before launching material new initiatives. In particular, APRA expects that all regulated entities will:
- conduct appropriate due diligence and a comprehensive risk assessment before engaging in activities associated with crypto-assets, and ensure that they understand, and have actions in place to mitigate, any risks that they may be taking on in doing so
- consider the principles and requirements of Prudential Standard CPS 231 Outsourcing or Prudential Standard SPS 231 Outsourcing when relying on a third party in conducting activities involving crypto-assets
- apply robust risk management controls, with clear accountabilities and relevant reporting to the Board on the key risks associated with new ventures
- ensure they comply with all conduct and disclosure regulation administered by ASIC. This will require robust conduct risk management and consideration of distribution practices and product design, as well as consideration of disclosure
- consult with APRA and ASIC where they are unclear on prudential, disclosure or conduct requirements and expectations when undertaking activities associated with crypto-assets.
Ransomware attacks and digital currencies: new AUSTRAC financial crime guides
AUSTRAC has released two new financial crime guides to help businesses stop ransomware attack payments and the criminal abuse of digital currencies:
- Detecting and reporting ransomware – financial crime guide – this includes practical information and key indicators to help businesses understand, identify and report suspicious activity where someone could be the target of a ransomware payment, or trying to profit from a ransomware payment.
- Preventing the criminal abuse of digital currencies financial crime guide – this provides financial indicators to help businesses, including digital currency exchange providers, recognise and report criminal activity through digital currencies.
AUSTRAC CEO Nicole Rose said businesses must understand how to distinguish between criminal activity and customers using digital currencies for legitimate purposes, and the importance of reporting suspicious activity to AUSTRAC. “Financial service providers need to be alert to the signs of criminal use of digital currencies, including their use in ransomware attacks.”
AUSTRAC expects financial services businesses to use the information in the guides, and their own monitoring systems, to help them spot potential illicit use and report suspicious activity.
Derivatives: updated APRA prudential standard
APRA has updated its cross-industry prudential standard dealing with margin requirements for non-centrally cleared derivatives transactions to reflect changes to international regulatory standards.
The Banking, Insurance, Life Insurance and Superannuation (prudential standard) determination No. 1 of 2022 formally determines Prudential Standard CPS 226 Margining and risk mitigation for non-centrally cleared derivatives. It also revokes a prior version of CPS 226.
According to APRA, the update to CPS 226 involves a minor amendment to add the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) to the list of foreign regulators whose margin requirements are eligible for substituted compliance.
APRA has published a letter to regulated entities about the change, as well as a marked-up version of CPS 226.
The updated version of CPS 226 took effect on 18 April.
Superannuation Guarantee non-compliance: audit of ATO performance
The Australian National Audit Office (ANAO) has released a report on its recent audit of the ATO’s activities in addressing Superannuation Guarantee (SG) non-compliance.
Some of the ANAO’s key findings, outlined in Addressing Superannuation Guarantee Non-Compliance, Auditor-General Report No 24 2021-22, include:
- the ATO’s activities in addressing SG non-compliance are partly effective.
- the ATO’s risk-based SG compliance framework is partly effective.
- the ATO’s compliance activities are partly effective in achieving greater employer compliance with SG obligations. They have had a small influence on reducing the SG gap (an estimate of non-compliance) over time.
- compliance activities continue to be mainly corrective and reactive.
The ANAO has recommended:
- the ATO implement a proposed preventative approach to SG compliance
- the ATO assess its performance measures against the Public Governance, Performance and Accountability Rule 2014 and enhance its public SG performance information by:
  - setting targets for measures, including the SG gap; and
  - including explanations for performance results, including performance changes over time.
- to maximise the benefit to employees’ superannuation funds, the ATO:
  - make more use of its enforcement and debt recovery powers
  - develop performance measures for evaluating the effectiveness of debt recovery
  - consider the merit of incorporating debtors holding the majority of debt into the prioritisation of debt recovery actions.
The ATO has agreed to the recommendations, with some qualifications in relation to setting targets for measures including the SG gap.
ASFA REGULATORY WATCHLIST
ASFA’s Regulatory Watchlist (ARW) tracks developments in legislation, inquiries, consultations and other regulatory announcements relevant to superannuation.