Almost exactly two decades ago the Commonwealth Superannuation Scheme (CSS) was targeted in a scam that almost saw $150 million stolen from the accounts of members. Only the actions of the then-custodian, JP Morgan, prevented the money disappearing forever. 

This experience in June 2004 prompted a flurry of concern and hand-wringing over the security of the superannuation system, and how easy it was for such a huge fraud to be perpetrated. The total value of superannuation assets at the time was $570 billion; an event on the same scale today would involve roughly $1 billion of members’ savings.

It was a different time – the technology at the centre of the CSS fraud was the fax machine – but the fundamental issues remain the same today. Superannuation funds as a cohort must do a lot more to protect members against fraud, scams and other attempts to access their savings. These sorts of attacks will only increase, both in volume and in sophistication, as we saw last week.

From 30 June this year 12 per cent of every working Australian’s pay packet will be diverted to their superannuation fund. The pool of retirement savings will power well past the $4 trillion mark, and we’re on track to have the second-largest pool of retirement savings in the world in just a few years’ time. It’s simply irresistible to scammers.

While all of this is going on, superannuation funds continue reliably to deduct the fees they charge for the services they provide. If only everything they did was as reliable as that. 

APRA data shows that since 2004, when CSS was targeted, super funds have collectively taken more than $115 billion from members’ accounts in administration and operating fees alone. This does not include fees deducted for actually managing members’ money.  


Despite the torrent of fee income flooding into funds’ coffers, they have seen fit to spend very little of it protecting members from some of the worst elements of society: those who would scam members out of their hard-earned savings. 

It beggars belief that low-value reward schemes such as FlyBuys and Everyday Rewards have instituted multi-factor authentication but some super funds safeguarding billions of dollars in retirement savings have not. 

There are no excuses. In July last year, Super Consumers Australia research found more than four out of five fund members wanted their fund to provide more active protection against scams. 

While it is easier for hackers to steal money directly from those in pension mode, even those in accumulation mode need stronger cyber protection.  

Every year, funds typically process around 25,000 compassionate releases and around 80,000 hardship releases, according to ASFA. A fast-tracked legislative change during the Covid pandemic just a few years ago pushed early release volumes nearly 50 times higher. Who’s to say there won’t be more entry points opened, given the pace of never-ending regulatory changes? Hackers have a habit of finding a way and moving quickly. 

Lobbying against regulatory changes (or attacking the regulator for doing its job) suggests hubris has crept into the system. Let’s not forget regulation, largely via the superannuation guarantee, is the core reason this industry exists.  

The superannuation system was created by a far-sighted government decision, and it has been propped up by taxpayers, primarily through concessions on fund earnings. In return, it’s supposed to grow and safeguard members’ money.  

That implicit agreement between members (who have no say in whether they contribute) and their funds to invest and protect members’ savings forms a social licence, an acceptance and legitimacy based on the understanding that funds will always act in the best interests of members and the broader economy. It hinges on trust, integrity, and accountability. 

Without this licence, the very existence of the superannuation system in its current form is open to question. In recent months that licence has been sorely tested by funds’ shoddy governance practices, their inability to process life insurance death benefits, their inability to comply with rules about merging multiple accounts, and now their inability to take even rudimentary steps to stop members’ money being stolen. 

In this context it’s not unreasonable to ask: what’s the point? If super funds can’t act ethically and prudently, if they don’t prioritise members’ interests over their own and if they are not transparent and accountable in all of their operations, it undermines their reason to exist in their current form – and in particular, to continue to receive such generous taxpayer support. 

Super funds have grown, executives who work in the funds have prospered and thousands of people are employed in a sector that was created for the sole purpose of gathering, managing and protecting Australians’ retirement savings.  

If funds can’t do that efficiently and fairly, and if they can’t even provide basic protections against the most rudimentary of cyber-attacks, then maybe it’s time to see if there’s a better way of doing it – or at least, a better group of people to manage it.
