ASIC urges super trustees to enhance their anti-scam and fraud protections
On 4 February 2026, ASIC issued a media release urging superannuation trustees to strengthen their anti-scam and fraud prevention measures. ASIC Commissioner Simone Constant stated that ‘super trustees must step up’ and ‘the superannuation industry must act now to ensure its members are informed, protected, and supported in the face of increasing digital threats.’
This is a clear message for all super trustees to take immediate action to avoid facing possible regulatory enforcement.
Background to ASIC’s review
ASIC has conducted a review of the websites of 47 super funds and contrasted them with comparable online content from the big four banks. The review focused on the availability, quality and actionability of anti-scam and anti-fraud content.
Most super funds scored around 40% to 60% on ASIC’s criteria, falling well short of the regulator’s expectations. The following deficiencies were identified:
- Availability: the website material was often difficult to find and lacked prominence.
- Quality: the content was often outdated, generic or too complex.
- Actionability: only around one-third of websites provided action steps for affected members and even fewer provided relevant contact information.
ASIC has now contacted selected super trustees to express its concerns and to highlight the need for immediate improvement to scam and fraud prevention measures.
How does this fit with ASIC’s current enforcement focus?
These developments are the latest in ASIC’s ongoing work to ‘disrupt investment scams’, which is a current strategic priority for ASIC as noted in ASIC’s 2025-2026 Corporate Plan. Holding super trustees to account for member service failures is an enforcement priority for ASIC in 2026.
ASIC has already demonstrated its willingness, in the context of cybersecurity, to take enforcement action against companies who fail to protect their members against ever-evolving digital and online threats. Action has been taken against RI Advice Group Pty Ltd, FIIG Securities Limited and Fortnum Private Wealth Limited for breach of their statutory obligations as Australian financial services licence (AFSL) holders.
This pattern is a critical lesson that ASIC has its sights set on super trustees who fail to adequately protect their members against digital attack. Unlike the cybersecurity matters, scams and fraud are experienced by the members directly, meaning super trustees must take a member-first approach to implementing protective measures. Those who do not do so risk significant regulatory consequences.
How might ASIC frame a cause of action against a super trustee?
Super trustees, as AFSL holders, must comply with the general obligations set out in s 912A(1) of the Corporations Act 2001 (Cth) (Corporations Act). They must:
- do all things necessary to ensure that financial services are provided efficiently, honestly and fairly (s 912A(1)(a));
- have available adequate resources (including financial, technological and human resources) to provide financial services and to carry out supervisory arrangements (s 912A(1)(d)); and
- have adequate risk management systems (s 912A(1)(h)).
These obligations could underpin action against a super trustee for failing to implement sufficient anti-scam and anti-fraud measures. In addition, super trustees are required to comply with the covenants set out at s 52(2) of the Superannuation Industry (Supervision) Act 1993 (Cth).
ASIC has alleged breaches of the above three licensee obligations in the prosecution of FIIG mentioned above. In that case, FIIG has been found by the Federal Court of Australia (among other things) to have failed to:
- allocate sufficient financial resources towards appropriately skilled and experienced personnel to manage cybersecurity;
- implement adequate cybersecurity measures and risk management systems, such as a cyber incident response plan accessible to all staff;
- employ or outsource sufficient human resources with the appropriate skill and knowledge of cybersecurity to monitor cybersecurity threats; and
- ensure ongoing staff training and regular patching/updating of software and applications.
The recent FIIG prosecution demonstrates that ASIC expects AFSL holders to not only have sufficient practices and measures in place to protect against digital threats, but also to avoid those measures becoming outmoded through staff training and software updates. Applying this trend to present issues, it’s clear that AFSL holders, including super trustees, should focus on implementing robust anti-scam and anti-fraud strategies, training staff to act on those strategies and updating those practices wherever and however necessary.
Should ASIC commence a similar enforcement proceeding against a super trustee, we expect it would seek, as in the case against FIIG, both court declarations of contravention and pecuniary penalty orders. Trustees should consider the recommendations we have set out below to avoid these undesirable outcomes.
What should super trustees do now?
ASIC has encouraged super trustees to review the January 2025 reports on anti-scam practices of the four major banks and outside the four major banks to inform their own anti-scam and anti-fraud procedures.
Super trustees should immediately begin to consider:
- Does their website content meet the availability, quality and actionability criteria that formed the subject of ASIC’s review?
- Is there a scam and fraud prevention strategy in place? Is this strategy documented, regularly reviewed by the Board or senior management and distributed business-wide?
- Are staff adequately trained on this strategy? Should specialist fraud prevention staff be employed to ensure the strategy is properly executed?
- How are members being educated about common scam and fraud techniques, so they can recognise when a transaction is illegitimate?
- Is there a dedicated contact method or hotline for members to get rapid assistance before or after a suspected scam or fraud occurs?
- Are vulnerable members identified in advance and given additional guidance? Are there measures in place so these members can differentiate between legitimate and illegitimate contact from the trustee?
This list of queries is not exhaustive. Super trustees should conduct internal reviews of existing scam and fraud prevention methods and identify areas where strategies are either missing or not adequately meeting ASIC’s expectations.
This is an exercise that must be aimed at improving the strategy of the organisation as a whole (and not just the Board or senior management), so that ASIC is satisfied that the trustee is discharging its duties and obligations under the SIS Act and Corporations Act to act with care, skill and diligence, and to put the financial interests of its members first.
Should you or your organisation have any queries or concerns about ASIC’s review or the possible risk of enforcement action, please contact our team.
This article was prepared with the assistance of Annabelle Duke, Law Graduate.