APRA Deputy Chair Margaret Cole - Speech to the Conexus Chair Forum Sorrento

Leaning into the challenges in super

Good morning. It’s good to be here.

I’ve been asked to speak today about APRA’s priorities for 2024. But really what I want to do is influence yours.
Much of what we have set out to do this year will require significant oversight and accountability from you as trustees, and a deeper understanding at board-level of APRA’s initiatives and what they mean for your organisations.

In determining where to target our efforts, and where our attention is most needed in superannuation, APRA has prioritised activities that address key challenges facing the industry, including:

• building the resilience of superannuation funds as part of a stronger, more stable financial system. A strong, stable and vibrant super system is vital for the financial protection of fund members and Australia’s social and economic wellbeing more broadly; and
   
• improving outcomes for fund members across the accumulation and retirement phases of superannuation. Australians should be able to have confidence that the super system will support them in retirement.

We are strongly committed to making a difference in these areas. It’s imperative that you as trustees lean into the challenges that we should all be seeking to address.
 

APRA’s priorities for 2024

APRA’s immediate areas of focus for superannuation have been well flagged.

Our priorities were set out in letters to trustees late last year; amplified in addresses to recent industry forums; discussed as part of our ongoing supervisory engagement; and highlighted again yesterday by APRA Chair John Lonsdale as part of APRA’s broader policy and supervision priorities for 2024.

We want to be transparent about what we are doing, both in terms of updates to the prudential framework and areas of focus from a supervision perspective.

It’s a commitment we reiterated in the context of the Financial Regulator Accountability Authority review last year. We also acknowledge that you want greater visibility of our prudential priorities, and the sequencing of our activities, so that you can plan accordingly.

High on our agenda this year is our continued push with ASIC into improving practices in retirement income. 
Last year’s retirement income covenant review, conducted jointly with ASIC, focused on the progress that 15 trustees had been making in implementing the covenant.

We found that while trustees were improving their offerings of assistance to members in retirement, there was variability in the quality of approach taken and a lack of urgency in embracing the intent of the covenant.  

Building on this work, we have turned our attention to how the broader industry has responded to the recommendations and findings. We are keen to learn what trustees across the industry are doing to address any gaps in their retirement income strategies and in their understanding of devising answers for members’ needs.

The trustee self-assessments that we asked you to complete are due back to us next week. This is important information for us. In a meeting with a CEO recently I heard that some of you are doing more here than is understood and appreciated. If that is the case, make sure you tell us about it.

We will also be paying close attention to the responses to Treasury’s Discussion Paper on the Retirement Phase of Superannuation due by 9 February.

We are enhancing transparency in superannuation, especially in fund performance, fees and expenditure, through our data collection, the annual performance test and APRA’s heatmaps.

As announced in November last year, APRA is transitioning to a more aligned approach to fund performance scrutiny. Starting this year, a detailed transparency package covering investment returns, fees and performance test metrics, will be published soon after the annual performance test. This will provide a more comprehensive overview and improve efficiencies for APRA and the industry.

Working again with ASIC, we are prioritising the industry’s preparations for the implementation of the Financial Accountability Regime which comes into effect for superannuation and insurance in March next year.

We also remain keenly focused on improving investment governance. In 2023 we released a new standard and associated guidance to drive better governance in areas including unlisted asset valuation and liquidity management.

This year, through formal reviews and supervision activity, we will explore the impact this has had on trustees’ investment governance practices.

But it’s our focus on operational risk and resilience that I’d like to spend time discussing today, and more specifically your obligations under the cross-industry prudential standards CPS 234 Information Security and CPS 230 Operational Risk Management.

You may wonder why one standard that has been in effect for more than four years and another standard that doesn’t come into force until mid-2025 should be high on your agenda this year.

Let me explain why.
 

Doubling down on cyber risks

CPS 234 came into effect in 2019 to strengthen the resilience of APRA-regulated financial institutions against information security incidents, including cyber-attacks, and enhance their ability to respond swiftly and effectively in the event of a breach.

At the time the standard was introduced, it was already clear that the scope and sophistication of potential malicious activity was on the rise as technological developments continued to expand.

Nearly five years later, and after a spate of damaging and high-profile cyber-attacks, a number of financial institutions – including superannuation trustees - have yet to address significant gaps in their cyber controls.

Effective management of fraud, cyber and data risk is critical to the safety and security of members’ benefits and services, and is the responsibility of every trustee board member and executive leader.

A recent review by APRA, ASIC and the ATO considered how data stolen during recent highly publicised cyber incidents might put superannuation fund members’ personal information at higher risk of being used in fraudulent activity. By analysing new fraud behaviours, the review identified specific key vulnerabilities that trustees needed to address.

Last year APRA communicated with CROs about these vulnerabilities so that the information could be used in their risk assessments and management of fraud risks. It’s imperative that your organisations have put appropriate controls in place.

We expect trustees to have clear oversight of their organisations’ cyber resilience, and the board capabilities to do so.

APRA will not hesitate to take action against entities with significant deficiencies in their information security and cyber controls. A case in point is the additional licence conditions APRA imposed on NGS Super in December last year after deficiencies were identified in NGS’ cyber controls.
 

Operational risk: Time to get on the front foot

Cyber threat is one of the many operational risks facing financial institutions.

The introduction of the new cross-industry operational risk standard CPS 230 will strengthen the management of operational risk, improving business continuity planning and managing the risks from the use of service providers for all APRA-regulated entities.

While the standard’s July 2025 implementation date may seem a long way away, it needs to be on your radar now for several reasons.

The regulation represents an increased focus on trustee accountability for operational risk.

Under CPS 230, boards will become ‘ultimately accountable’ for their organisation’s operational risk management. Trustee boards aren’t expected to manage the risk directly – but you will need to understand the material risks your organisation faces against critical operations and to ensure those risks are being managed appropriately by senior management.

You will likely need more time to prepare than you realise.

The runway to implementation of CPS 230 is getting shorter, with only 17 months remaining. Any trustees who have yet to start implementation will be on a fast track to non-compliance.

We are aware that there are some trustees who have decided to take a “wait and see” approach, by putting their preparations on hold until APRA releases final guidance. That’s a problem because many super funds still have a significant amount of work to do.

A substantial part of that work is the need to identify and document the processes and resources needed against each critical operation in your organisation. A critical operation is one where an operational failure would have a material adverse impact on your members.

Some critical operations are prescribed in the regulations, but APRA expects trustees to identify and document any other critical operations they may have as well as how these are supported by material service providers. This process mapping against critical operations needs to be in place before the standard takes effect mid-next year.

And don’t forget the Financial Accountability Regime for superannuation will be in effect by then too.
 

The days of a ‘set and forget’ approach to service providers are over.

So too are the days of trustees pointing the finger at a service provider for failures or breaches, which is a behaviour and mindset that APRA has observed from some entities.  CPS230 will close this gap and sharpen the focus on effective risk management of critical operations.

If you outsource processes supporting any critical operations and something goes wrong in the delivery of service to your members, you remain on the hook.

The expectation is that you will understand how the service provider operates in regard to your critical operations, the suppliers it uses, the risk it faces in delivering your critical operations, and how those risks are mitigated.

APRA acknowledges that upgrading operational resilience to the levels required under CPS 230 represents a significant undertaking.  We’re applying the regulations on a proportionate basis, with each organisation’s approach to operational risk appropriate to its size, business mix and complexity.

Additionally, CPS 230 will serve to reduce regulatory burden by consolidating five prudential standards, including four which currently apply to superannuation, into one.

Cost of implementation has been raised as a concern by some trustees. However, not having strong risk controls in place for your organisation or your service provider network will prove far more costly to you, in both financial and reputational terms and will cause detriment to your members.

And if we all think operational resilience is an important subject now, it will only gain in importance when more of you are paying out to far greater numbers of members in their retirement phase.

Robust risk management won’t prevent things from going wrong, but it will put you in a much better position when they do. APRA doesn’t expect that nothing will ever break, but we do expect that if something does, you’ll know about it, you will understand quickly what it means for your business, and you will be prepared to move quickly to remediate the situation and minimise the impact on your members.
 
And if the incident is likely to have a material financial impact or material impact on a critical operation, we expect you to notify us, too.
 

Conclusion

The breadth of APRA’s prudential priorities for superannuation reflects the broad range of challenges facing the industry.

In a period of unrelenting growth and change in superannuation, APRA needs to ensure appropriate guardrails are in place to maintain the system’s resilience and its ability to meet the financial needs of Australians in retirement.
 
There is work for all of us to do. This is a relatively young industry regulated by a prudential framework introduced just 10 years ago. Its successes are evident and to be celebrated, but cannot be taken for granted.

We look to you, as chairs and senior leaders in the industry, to work with us to build resilience in your organisations, to eliminate poor industry practices, and to improve outcomes for your members.

With the Australian Open still fresh in mind - the ball is in your court.