Keeping abreast of updates as superannuation funds prepare for the next wave of change


With the new financial year underway, the superannuation industry is experiencing significant change. The ongoing fallout from recent cyber attacks on funds is driving member concern, alongside a rapidly evolving regulatory landscape, digital transformation, and increased scrutiny of investments made through private capital markets.

Super funds must adapt to these changes while facing pressure to grow investments. With total superannuation assets at approximately $2.9 trillion as at 31 March 2025, the stakes have never been higher, and funds must strike the right balance between regulatory compliance and innovation to succeed.

Regulatory compliance and reforms

The regulatory environment is dynamic, and superannuation trustees must keep pace with, and anticipate, the major changes ahead. Having navigated the commencement of the Financial Accountability Regime on 15 March 2025, attention now turns to the next wave of change.

From 1 July 2025, all APRA-regulated superannuation funds must comply with the new Prudential Standard CPS 230 – Operational risk management. CPS 230 is a cross-industry standard on operational resilience. It sets a new foundation for identifying and managing operational risks, maintaining critical operations within defined tolerance levels, and managing the risks arising from the use of service providers. For more information on how organisations can implement CPS 230 effectively and build resilience, read our in-depth report.

In addition to CPS 230, new sustainability reporting requirements will add to the regulatory load on super funds. Superannuation funds, as asset owners, meet the Group 3 criteria under ASIC’s reporting requirements, under which those with assets in excess of $5 billion will be expected to comply for the year ending 30 June 2028. This may sound a long way off, but the level of planning required should not be underestimated. Our sustainability reporting roadmap sets out which entities need to report and when, as the rollout continues.

The superannuation sector must undertake a series of preparatory actions this year to ensure compliance with the reformed AML/CTF framework, which takes effect on 31 March 2026. The updated legislation marks a shift from a prescriptive, compliance-based model to a risk-based, outcomes-focused approach. Key changes include, but are not limited to:

  • Incorporating proliferation financing (PF) risks into the money laundering and terrorism financing (ML/TF) risk assessment
  • Appointing a ‘Fit and Proper’ individual as the Anti-Money Laundering Compliance Officer (AMLCO)
  • Updating onboarding procedures to assess customer risk profiles, screen for politically exposed persons (PEPs), and check for financial sanctions
  • Implementing both initial and ongoing customer due diligence processes to manage ML/TF/PF risks effectively.

Cyber security and data privacy

With increased use of data and technology comes greater organisational risk. Superannuation funds collect and store large volumes of data and, as working lives grow longer and with the average age of retirement currently 56, a fund may hold a member’s personal and financial data for decades.

Unfortunately, this makes super funds attractive targets for large-scale, damaging cyber attacks, which can cause not only financial loss but also reputational damage and loss of member trust. Recent cyber attacks on the industry have exposed gaps in the defences of some funds that must be addressed quickly to protect the trillions of dollars that funds oversee.

Super funds must strengthen their cyber security controls and treat the Australian Privacy Principles (APPs) as a floor rather than a ceiling, so that risk from every plausible avenue of attack is identified and mitigated. While leadership teams are ultimately accountable, cyber security must be built into the training and processes of staff at every level of the organisation.

For regulators, it is a large issue that is only growing. APRA actively supervises cyber resilience, and super funds need to ensure they meet the requirements of Prudential Standard CPS 234 Information Security.

ASIC areas of focus

Alongside the raft of APRA regulatory changes, superannuation remains a significant area of focus for ASIC. Having reviewed 50 per cent of the financial reports lodged by registrable superannuation entities (RSEs) in the prior year, ASIC will turn its attention to the remaining 50 per cent for 2025/26. It will also continue its surveillance of RSE audit files.

Following the release of its review into the Governance of Unlisted Asset Valuations and Liquidity Risk Management in Superannuation in December 2024, asset valuations, liquidity stress testing and the role of those charged with governance will face ongoing scrutiny, as will the handling of death benefit claims.

Conclusion

As custodians of a large share of the country’s wealth, superannuation funds are under scrutiny like never before. While funds are under pressure to grow investments for the benefit of their members, they must also ensure that growth is sustainable and achieved at an acceptable level of risk.

Recent cyber security incidents across the industry show how important it is for superannuation funds to consider not only how to build compliance into operations but also how to prepare for the next wave of change, which will put even more pressure on funds to protect and perform. To succeed and sustain a robust growth strategy, compliance and resilience must be built into operations at every level, and there is no better time to start.

How BDO can help

At BDO, wealth and asset management is a core focus for our financial services experts. Working with super funds across the country, our team offers comprehensive services and advice on the complex issues facing the sector, including consumer mistrust, technology modernisation, and regulatory and compliance transformation.

Our industry knowledge empowers our clients to retain and grow their assets, mitigate risks, and adeptly navigate regulatory changes from bodies such as APRA, ASIC and AUSTRAC.

BDO can help you thrive in an ever-changing landscape. Contact us today to find out how we can support your organisation over the coming twelve months and beyond.


Authors

Matina Moffitt
Partner, Financial Services – Superannuation, Audit & Assurance