APRA Executive Director Carmen Beverley-Smith's remarks to the ASFA Conference 2025
Building trust
Superannuation in Australia, particularly, is built on a system of trust.
Fund members entrust their retirement savings to the safekeeping of superannuation funds.
They trust that their monies will be managed well and invested in their best interests.
Even those most disengaged with their super will have some level of confidence that their super is safe, their “nest egg” is growing and will be available to them in retirement.
In our superannuation system, which has earned recognition on the world stage for its strength and success, that trust has been readily gained. But it should never be taken for granted.
After a year marked by cyberattacks, multiple operational incidents and the high-profile collapse of two managed investment schemes offered through trustee-provided platforms, public trust and confidence in superannuation is certainly being put to the test.
It is a recurring theme in the media, at industry events and in my own discussions with the Chairs, trustee board directors, CEOs and executives of funds that APRA regulates.
As each new high-profile challenge emerges, the effectiveness with which funds manage the challenge, and support members through that challenge, attracts increasing public scrutiny and shapes community expectations.
The events of this year serve as a reminder that trust is not static. Funds must continuously strive to maintain member confidence in their super as the stewards of it. My observation is that the best way to do this is by focusing on achieving three baseline capabilities: strong leadership, operational resilience and member-centricity.
Strong leadership
The challenges and complexities of Australia’s $4.3 trillion super industry demand strong, courageous, accountable and transparent leadership.
Leadership by all industry participants.
Strong collaboration by industry bodies and leaders at the highest level of superannuation funds is essential to support cohesive and timely responses to external threats and strengthen member confidence.
Effective leadership within funds themselves is also critical. I am often asked why I dedicate a large proportion of my time interacting with trustee directors and fund executives. While there is no prudential standard that articulates an overt obligation for trustees and fund executives to be “good leaders”, leaders set the tone, the direction, the expectations, the standards, the culture and ultimately determine the performance and success of their organisations.
Leadership matters. Strong leadership is critical to having a well-run super fund and I am more than “interested” in that.
It is also why APRA is specifically interested in the quality and capability of trustee boards. APRA is currently engaging with the industry to uplift board governance standards, not just in super but also across banking and insurance. The proposals, which were amended following the recent industry consultation, cover board member fitness and propriety, tenure and capabilities and skills, among other things.
APRA expects to release draft governance standards and guidance in the second quarter of next year.
While the governance review was not triggered by any superannuation-related issues, APRA has experienced concerns about how some boards have assessed fitness and propriety of directors in the not-so-distant past.
Through our supervision work, we have also identified concerns regarding the strength of board oversight in areas core to superannuation, including investment governance.
A recent APRA thematic review into unlisted asset valuations and liquidity risk governance found that, although asset valuation governance had improved since a previous review in 2021, 12 out of the 23 in-scope trustees required material improvement in either or both their valuation governance policies and practices or the design and operations of their liquidity risk management frameworks.
APRA also observed cases of weaknesses in board oversight of asset valuations and conflicts of interest management.
Just last month, APRA concluded a review of platform trustees and identified significant weaknesses in the practices of some trustees.
The gaps are in areas such as due diligence and onboarding practices, ongoing monitoring of investment options, and remedial action where member outcomes are not being delivered. The in-scope trustees of that review are collectively responsible for 95 per cent of member assets held on platforms.
APRA has required all trustees involved in that review to assess their practices, address weaknesses, and report any breaches of the prudential standards to us as a matter of urgency. In parallel, APRA has performed its own assessment of those trustees’ practices, who should expect to hear from us shortly.
Where required, we will take appropriate supervisory or enforcement action to drive improvements and ensure member funds are being managed prudently.
We expect this will be an ongoing, significant area of focus into 2026.
Operational resilience
Given the non-discretionary nature of superannuation contributions, Australians have an expectation that those who manage their superannuation savings are doing so well.
Whether stated or implied, they rightly expect that funds have capable people, effective processes, sound data management practices and modern systems commensurate with their funds’ requirements.
While some in this room might acknowledge that superannuation can be complex, many Australians believe it is “simple”. And they expect the simple, done well: that is, their fund collects, grows and protects their retirement savings and then when they need it, that core services, such as rollovers and pension payments, are delivered without a hitch.
Which brings me to the second baseline capability – operational resilience.
As funds grow and the industry evolves and matures to become increasingly reliant on digital technology and third-party providers to deliver the services and experience members expect, the threat environment is heightened and the need for robust practices, processes and risk management increases significantly.
The launch of APRA’s operational risk management standard CPS 230 in July, and the implementation of the Financial Accountability Regime for super, which also took effect this year, have clarified and emphasised the obligations and accountability of funds and their leaders for managing operational risks.
APRA expects funds to understand intimately their key processes that deliver on commitments to members and to manage the risks and vulnerabilities in those processes and the data and systems that enable them – regardless of who physically performs those processes, be it in-house teams or contracted third parties.
It may not always be possible to prevent things from going wrong, but we expect funds to be ready to respond quickly if they do, to minimise the impact on their members.
APRA will continue to engage with entities to assess their adherence with the standard.
The evolving and elevated cyber risk environment in which the superannuation industry operates is another area that requires ongoing and diligent oversight by senior leaders and a co-ordinated industry approach.
Cyber resilience is a high priority focus for APRA, our peer regulators and government.
Although the credential stuffing incidents which occurred earlier this year were relatively minor and contained, the occurrence exposed persistent weaknesses in access controls, specifically authentication across the industry.
These incidents followed multiple warnings from APRA, including our clear message that multi-factor authentication is the bare minimum expectation in relation to cyber controls.
After those attacks, APRA required all trustees to review their information security controls, including their authentication controls, and to submit breach notifications to APRA if any material control weaknesses were identified.
We are in the final stages of assessing the responses from industry, including the more detailed actions required by the entities directly affected by the incidents.
I would like to think I don’t need to say this, but APRA expects trustees to demonstrate that they meet their obligations under APRA’s Information Security standard CPS 234 on an ongoing basis. I also acknowledge that, given the pace at which the threat environment is evolving and maturing, what was required to meet those obligations a month ago might not be sufficient today. It is important to remember that CPS 234 articulates compliance obligations or minimum requirements. It by no means represents the level of information security governance that well managed funds should aspire to.
Commitment to act in best financial interests of members
The third baseline capability for building trust is acting consistently in the best financial interests of members. This is not an expectation as such; it is a legal obligation.
One area where we’ve been concerned that some funds might not be meeting their best financial interests duty is in relation to expenditure decisions.
A year ago, we intensified our scrutiny of how funds were spending members’ monies. That work has been supported by fund-level expenditure data that APRA now collects and publishes on an annual basis.
We wanted to challenge spending by funds where the benefit to members was not immediately apparent or could not be reasonably justified. We have since sought information from 14 trustees, of varying scale and differing business models, and reviewed thousands of documents relating to discretionary expenditure including in relation to sponsorships, marketing, conferences, entertainment and related entity spending.
Earlier this year we provided industry with an update on our fund expenditure work, including key observations and examples of better practice and areas for improvement, which we expect trustees have reviewed and compared against their own practices.
We’ve also made it clear that where practices fall short of legal requirements, APRA will utilise the full range of its powers to hold a trustee accountable.
Another way that super entities can demonstrate they are acting in the best interests of members is through their commitment to embrace their obligations under the Retirement Income Covenant.
The covenant was introduced three years ago to ensure the industry had strategies to support the growing numbers of Australians transitioning to retirement, as well as those already in the retirement phase.
It has put a much-needed emphasis on the retirement phase of superannuation, building upon the industry’s long-standing focus on and success in the accumulation phase.
Despite the continued increase in members and sharp growth of assets in the retirement phase, the industry’s progress in implementing the covenant has been somewhat inconsistent.
A thematic review conducted by APRA and ASIC one year after the covenant came into effect showed a lack of urgency by the industry to meet their obligations.
While we have seen progress and improvements since then, there is a clear and growing gap between trustees who are meeting baseline expectations and those who have embraced retirement as a strategic and competitive imperative.
We will be able to share more insights into trustees’ progress in meeting their covenant obligations with the release of the results of the latest APRA and ASIC pulse check survey in two weeks’ time.
But it is clear that, in many cases, trustees can and should be doing more to support their members in retirement.
With another 2.5 million fund members expected to transition from the accumulation phase to the retirement phase this decade, trustees who are doing the bare minimum now may struggle to retain members when better retirement support and solutions are being offered elsewhere.
Conclusion
One definition of the word “trust” given by the Concise Oxford Dictionary is “confident expectation”.
I think that neatly sums up the attitude that we would all want fund members to hold in relation to their superannuation. To have the confident expectation that their retirement savings will be collected, invested and protected during the accumulation phase, to provide a reliable, long-term source of retirement income in their later years.
The events of this year have been a wake-up call that while the expectation component of that definition is clear and a given, member confidence is not.
As stewards of many Australians’ retirement savings for over three decades, trustees and fund executives must continue to earn the trust of their members each and every day. It is the obligation of everyone in this room and some not here today to play your part to ensure ongoing confidence in this extraordinary industry.
Whatever your role: demonstrate strong and courageous leadership. Lead safe, strong and secure superannuation businesses with consistency for your members. And make that commitment to act, make every decision, in the best financial interests of the nearly 23 million superannuation fund members, whose financial futures you all collectively steward.
While you are the custodians of trillions of dollars of retirement savings for the majority of people in this country, their trust is arguably the most important asset you will ever manage.
Thank you.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9.8 trillion in assets for Australian depositors, policyholders and superannuation fund members.