Scam prevention and regulatory risk: APRA-regulated superannuation funds must address scam vulnerabilities

With banks, telecommunications providers and other financial services organisations facing increasing pressure over their anti-scam measures, superannuation funds could soon encounter similar scrutiny. The Australian Securities and Investments Commission (ASIC) has flagged its interest in the scam risks relating to superannuation funds and their potential lack of preparedness to address these risks. This follows a recent review of 15 superannuation trustees, which found that none had an organisation-wide strategy to address scams.

Given that investment scams are a priority focus area for ASIC and are consistently reported as Australia’s leading scam type by dollars lost in our quarterly Australian Scam Culture Report, superannuation funds are likely to be subject to regulatory scrutiny sooner rather than later.

In conjunction with greater examination from ASIC, superannuation funds that are regulated by the Australian Prudential Regulation Authority (APRA) will also need to consider this as part of their implementation of Prudential Standard CPS 230 Operational Risk Management. APRA’s release of CPS 230 aims to strengthen operational risk management and resilience across banking, insurance and superannuation fund organisations. 

This is an opportunity for superannuation funds to achieve stronger resilience outcomes by applying more of a risk-based lens to their approaches. CPS 230 will require them to implement effective processes to respond to risk events to reduce impacts, mitigate any disruption to their operations, and provide solutions to their customers and wider market.

How do scammers target superannuation fund members?

Superannuation fund members generally gain greater access to their retirement savings once they reach retirement age. Scammers are aware of this and often target the over-65 age group, who are likely to have higher superannuation balances. This demographic typically also has limited knowledge of newer investment strategies such as cryptocurrency trading and is potentially less technology savvy when screening sophisticated scams. 

At a consumer level, superannuation fund scams can be seen as an extension of investment scams. Victims can be scammed into making superannuation withdrawals, setting up self-managed superannuation funds (SMSFs) and executing ‘investments’ based on scam ‘advice’ that promises extraordinary returns, then transferring funds that are quickly redirected offshore or converted into other asset classes such as gold or cryptocurrency.

Other scam methods targeting superannuation funds can include ‘pig butchering’, a long-term scam where victims are gradually lured into making increasing contributions before losing everything. A common tactic includes providing ‘advice’ on extracting funds from superannuation accounts. 

According to the Australian Financial Complaints Authority, scam-related complaints in superannuation averaged $89,000 in losses per victim for the 2023 financial year, with the highest individual scam loss reaching $344,000. By comparison, in 2022 the average superannuation balance for men aged 65 to 69 was $428,533, while the average balance for women in the same age group was $379,483.

How do scammers target superannuation funds? 

Scammers use a combination of techniques, including authorised push payments, breaches, and fraud to attack superannuation funds. Many superannuation funds outsource operational activities such as information technology (IT) systems, security, payments processing, and investment strategy, leading to third-party risk issues. Those superannuation funds that engage third-party providers still maintain overarching responsibility for preventing scams relating to those services.

Scammers exploit these vulnerabilities through attacks such as business email compromise, where third parties are deceived into transferring funds, and impersonation websites that copy the look and feel of the genuine site. Superannuation funds need to ensure that their third-party providers have acceptable risk profiles.

The roles and responsibilities for anti-scam measures

In the ongoing battle against scams, everyone has a crucial role to play to remain vigilant, but superannuation funds and trustees have an obligation to ensure their customers are protected, and the new regulatory environment will only further increase this responsibility. 

As larger entities with greater capacity and capability bolster their defences against scams and fraud, scammers increasingly pivot to target smaller institutions that are perceived to have less robust prevention, detection and response capabilities. If unaddressed, the resulting cascading effects, where scammers target the ‘weakest link’ in the ecosystem, can have a profound impact on consumers and on wider consumer trust.

Regulators and superannuation funds and trustees have a critical role in protecting, informing and educating consumers about the ongoing and emerging risks so that they remain risk responsive. 

Anti-scam measures for funds and trustees 

Superannuation funds and trustees can take proactive steps to safeguard their organisation and their members, and to prepare for the anticipated regulatory measures, including CPS 230.

Our recommendations include: 

  • Educate and inform: Superannuation funds should provide their members with case studies about the techniques and different ways scammers may attempt to gain access to their funds.
  • Stay up to date on emerging scam techniques: With the ongoing proliferation of artificial intelligence (AI) and constantly changing scam techniques, it’s crucial for superannuation funds to stay up to date on emerging techniques to protect their members and their organisation.
  • Outsourced administrators and providers: Superannuation funds must ensure that their external administrators have effective anti-scam strategies and a detailed understanding of prevention, detection and response measures. The implementation of CPS 230 places further scrutiny on vendor management, and extends that scrutiny beyond third parties to fourth parties. Superannuation funds need to know where their member data is stored, both externally to the fund/trustee and internally within the fund/trustee.
  • Don’t be complacent: Just because the superannuation industry hasn’t been a major focus for scammers to date doesn’t mean it won’t be in the future. Superannuation funds should not rely on relatively low levels of reported scams as an indicator of safety. The latest research from ASIC shows that the level of risk is high, and funds and trustees need to act now to ensure the safety of their members’ investments. It’s also crucial to broaden your perspective beyond the local industry: funds and trustees should look at the challenges entities in other sectors and industries, both in Australia and overseas, are facing, and at the solutions they are adopting.
  • Be proactive: Conduct evaluations of anti-scam measures, including those of external administrators, and ensure that scam prevention, detection and response receive the same attention as other financial crime risks.

How BDO can help 

The superannuation fund industry will be undergoing significant regulatory reform. It is, therefore, crucial to stay ahead and ensure your organisation is prepared for the upcoming changes. 

BDO’s forensic services team can assist with strengthening your organisation’s risk preparedness against scams. Contact our forensic experts if you require assistance in preventing, identifying and responding to suspicious activity.

BDO’s financial services team works with APRA-regulated clients of all sizes, including superannuation funds, and can support you in navigating the complexities of the upcoming CPS 230. Contact us today to ensure you're fully prepared.