Super trustees ‘weak’ on protecting funds

Superannuation, along with housing, is a key retirement investment for Australians.

Therefore, super funds are the gatekeepers of their members’ money, totalling trillions of dollars, and those members have every right to expect the funds are diligent in protecting them from scams. 

However, a review of funds by the Australian Securities and Investment Commission (ASIC) found none of the funds had an organisation-wide scams strategy in place. 

ASIC has written to superannuation trustees urging them to strengthen anti-scam practices, or risk exposing members to harm. 

Retirees with large super accounts are more vulnerable and are a “favoured target” of scammers, ASIC notes. It concludes that the need for improved protection increases as more super members reach preservation age. 

In its letter to super funds, ASIC says the risk of scams and fraud in superannuation is increasing. 

“Across the whole financial system, technological innovations and data breaches – including breaches involving identity documents – continue to heighten the risk of scams and fraud.” 

ASIC’s review of fund protections distinguished between fraud (or unauthorised transactions) and scams. 

In the case of a scam, a member has been tricked into either:  

• Transferring funds out of their superannuation account to a scammer, or  
• Aiding a scammer to make a transfer (e.g. by providing a scammer who may be impersonating the superannuation fund with a one-time password). 

The review found trustees: 

• Were overly reliant on anti-fraud measures and have limited focus on the specific risks and harms associated with scams. For example, they focused on confirming that the person requesting a transfer was the member rather than looking for flags to indicate that the member may have been tricked. 

• Did not have sufficient oversight of their external administrators’ anti-scam and anti-fraud practices. Superannuation trustees use specialist administrators, who make sure the fund meets all the compliance and regulatory requirements. For example, funds referred in general terms to their administrators’ systems and processes but lacked knowledge about key details. “One trustee was unable to identify whether its administrator undertook basic interventions, such as engaging with members over scams,” the report found. 

• Lacked many foundational anti-scam practices. None of the trustees had:  

  • A dedicated scams strategy 

  • Dedicated reporting on scam, though some did include references to scams within broader fraud-reporting regimes  

  • Reviewed their scam prevention, detection, and response capabilities. 

Trustees claim they have not seen many, if any, instances of scams impacting their members, but ASIC blames their poor focus and processes for detecting scams.  

In its letter, ASIC has chosen the soft path of requesting the funds lift their game, and take some obvious actions, such as: 

• Capturing and recording scam and fraud attempts accurately, so they have the necessary data to properly assess the real risk of scams to members 

• Conduct a preliminary assessment of anti-scam and anti-fraud measures – including for services provided by external administrators – to identify any areas for improvement 

• Address the concerns raised in its letter and learn from protection strategies employed by the banks 

• Appoint dedicated in-house anti-scam managers 

• Share information and promote improvements across the industry.