The trustee of the $94 billion construction industry super fund Cbus, United Super, is under investigation by the regulator over possible breaches of the Superannuation Industry (Supervision) Act in making payments to the Construction, Forestry and Maritime Employees Union (CFMEU), and has entered a court-enforceable undertaking (CEU) to address behavioural, cultural and organisational issues that have plagued it since at least 2019. 

The Australian Prudential Regulation Authority (APRA) said it has launched an investigation into United Super “regarding possible breaches of the SIS Act, with a focus on expenditure management practices”. It released no further information on the investigation. 

The investigation and CEU cap a tumultuous period for the trustee, which has been the subject of regulator-ordered independent reviews and reports, media reports uncovering severe insurance death benefit payment issues, and probing by a Senate inquiry led by Liberal Senator Andrew Bragg, and which lost three CFMEU-appointed directors when the union was placed into administration (those three positions were subsequently filled).

All of this in the year Cbus celebrated its 40th anniversary with an event that cost members $387,000. 

The CEU focuses on four areas: operational risk management; information and IT resilience; insurance claims processing and administration; and fitness and propriety and expenditure management.

The regulator said while United Super had taken action to address issues as they came up, it remains concerned “the broad nature and scope of the weaknesses identified, and their persistence over time, indicate that there may be underlying behavioural, cultural and/or organisational factors which contributed to their occurrence”. 

The regulator said United Super “has yet to holistically reflect on the underlying root causes of the weaknesses”, and while United Super may undertake further work to address the issues APRA has identified, that “may not address the underlying causes that could prevent recurrence”.

Also on Tuesday, in line with additional licence requirements imposed on it by APRA, United Super released a 34-page “rectification plan” in response to an independent review by Deloitte.

The Deloitte review examined whether United Super had complied with prudential standards and the statutory framework for fitness and propriety, and how payments made to the CFMEU fitted with its Best Financial Interest Duty Requirements (BFID).

Two dozen issues 

The Deloitte review identified around two dozen issues relating to deficiencies in United Super’s governance and oversight, documentation and process alignment, assessment and monitoring, and mechanisms and metrics across. These issues affected several aspects of United Super’s operations, including the design of fit-and-proper arrangements, how the fund met its Best Financial Interests Duty, and past expenditure decisions.

Under the terms of the CEU, United Super will appoint an independent expert to undertake a root cause analysis of the concerns flagged by the regulator and will develop an “integrated plan” to identify the causes. This plan will assess steps taken by United Super to address issues already raised by the regulator, including the rectification plan released on Tuesday. 

Cbus chief executive Kristian Fok said in a statement “the fund and its board are united in their ongoing commitment to uplift practices to ensure members receive the best possible services”. 

“Our priority is to ensure Cbus meets the highest standards that are rightfully expected of us by our members as one of Australia’s leading superannuation funds,” he said. 

“We take our responsibilities to our members very seriously and are committed to ensuring that we operate to the highest standards of governance and compliance to provide the best retirement outcomes for our members. 

“While we have made progress in some areas there is more work to be done, and it must be done at pace.” 

Cbus said it noted APRA’s intention to “review historic strategic expenditures including partnership payments to unions and employer groups”. 

“The issues raised by APRA continue to be addressed as part of a Rectification Plan, published today in response to the Deloitte review which will assist us demonstrate how partnership arrangements will be undertaken in the best financial interests of members,” it said. 

Going back to 2019 

The concerns underlying the CEU date back to at least mid-2019, when APRA appointed KPMG to conduct a review of United Super’s risk management framework. The review uncovered one “minor control weakness” issue, and six opportunities to improve operational risk management.

Two years later, in September 2021, a prudential review of United Super’s operational risk management framework found the framework “had not been fully implemented or embedded effectively in the business”.  

By September 2022 United Super still had not satisfied the regulator that its operational risk management framework was in place and working, and in December 2024 APRA concluded that: 

  • United Super’s approach to operational risk management is not fit for purpose for the scale and complexity of United Super’s evolving business model; 
  • United Super has been slow to implement the required changes to its operational risk management framework; 
  • Insufficient investment has been made into United Super’s line 1 and line 2 risk functions to support the necessary change; 
  • Board oversight of operational risk requires improvement in certain respects (including oversight and execution of major risk transformation projects); and 
  • A dedicated program of work is required for sustained improvement to United Super’s operational risk management practices with clear milestones, timeframes for delivery, appropriate levels of resourcing and accountability from the Board and senior management. 

Information and IT resilience 

In November 2022 APRA requested that United Super engage EY to review its compliance with CPS 234 Information Security. In late April the following year EY’s report pinpointed several areas for improvement, yet a full year after that APRA’s IT Resilience Review still identified areas for improvement with United Super’s technology risk management. 

Even though United Super had taken steps to address these issues, APRA said in the CEU it remained concerned that: 

  • Many of the IT resilience and information security weaknesses are like those identified with United Super’s operational risk framework; 
  • United Super did not improve processes sufficiently until regulator-initiated reviews were undertaken; and 
  • The underlying causes of the IT issues still may not have been identified and addressed in full. 

Insurance claims processing delays and administration 

Media reports in mid-2023 led APRA to query United Super about its insurance claims handling. Two months later United Super told the regulator it had investigated claims made by the media and blamed the fund’s external administrator, citing its “inadequate systems, workflow management, resourcing, training, lack of adherence to contracted service level agreements and inadequate data construction and reporting”.

Another month after that, United Super lodged a breach report and APRA said that “throughout 2024” it met regularly with United Super to address its rectification plan. 

The CEU says APRA remains concerned that:

  • There are material gaps in the operation of United Super’s risk management framework and the oversight by the board and management of operational risk; 
  • United Super’s approach to breach reporting is inadequate; and 
  • United Super needs to do more work to fully address the weaknesses that have been identified and to address the underlying root causes. 

APRA said United Super also lodged a breach report in December 2024 outlining “an increase in insurance administration errors by its third-party service provider”.  

“These administrative errors included provisioning of incorrect insurance cover, failure to provide insurance cover where required/requested and over-charging or under-charging of insurance premiums,” it said. 

APRA said it is concerned that United Super may not be compliant with SPS 250 Insurance in Superannuation, and SPS 231 Outsourcing. 

Fitness and Propriety and Expenditure Management 

Under additional licence conditions imposed on United Super in August 2024, United Super engaged Deloitte to examine its fitness and propriety and expenditure management practices, including payments to the CFMEU, and the findings were published in a report in late November the same year.  

APRA says Deloitte made 26 recommendations for changes and United Super has agreed to implement these recommendations. These are contained in the rectification plan published on Tuesday. 
