
Vulnerabilities

Vulnerability refers to the characteristics of an industry sector that expose it to criminal exploitation: its customer types, products and services, delivery channels and the foreign jurisdictions with which it deals. With some $1.26 trillion in assets (4), the superannuation sector has numerous features that make it vulnerable to criminal exploitation.

Customers

The risk profile of superannuation funds is impacted by the compulsory nature of superannuation. While the sector has relatively simple customer types (mostly individuals), it has a very large customer base. Moreover, superannuation funds cannot reject membership applications, nor can they exit high risk members (5).

Individuals

Most SMRs lodged by superannuation funds in the sample period were in relation to an individual member of the fund – in some cases as the victim of a crime and in other cases as the suspected perpetrator. These included situations in which the fund deemed the behaviour of the member to be suspicious, or scenarios where the member’s account had been compromised and subjected to attempted fraud.

With some 28 million superannuation accounts in APRA-regulated superannuation funds in Australia (6), many funds advised that member disengagement was one of their most significant risks. This was particularly the case for younger members who were still many years from preservation age, and therefore less likely to notice fraudulent activity on their superannuation account. Many funds consulted by AUSTRAC reported attempting to improve the level of engagement with their members, including through developing new apps and real-time online notification of contributions or payments.

Post-preservation accounts present the greatest opportunities for criminal abuse, as once a member reaches preservation age, they can make transactions to and from their superannuation account, much like a bank account. This increases the likelihood of the account being subject to attempted fraud, and presents a possible ML channel.

Funds also observed that older members were particularly vulnerable to scams. For example, funds reported cases in which older members would receive a phone call from a scammer claiming to be a government official. The scammer would convince the member to provide personal and sensitive details, which the scammer could then use to gain access to the member’s account.

Agents and financial advisers

Only 14 SMRs (five per cent) in the sample period were in relation to agents of customers. Of these, some were relatives trying to fraudulently obtain a family member’s benefits. Others related to financial advisers, with one fund consulted by AUSTRAC viewing fraudulent financial hardship claims made through financial advisers as an emerging trend and significant vulnerability.

Some funds were aware of financial advisers impersonating a member and calling funds directly. While in many instances this was to avoid the additional work associated with involving the member, some funds were also aware of advisers who were attempting to steal from members.

Some funds also highlighted the possibility of rollover schemes being promoted to individuals by unscrupulous advisers, with the members potentially unaware of the illegality of the transaction. One fund advised it had provided training to its staff to recognise this behaviour.

Funds also reported cases in which criminals hacked into members’ webmail accounts and emailed instructions to the member’s financial adviser to make a superannuation transaction purportedly on behalf of the member.

Politically exposed persons

PEPs are considered higher risk customers. All reporting entities are required under the AML/CTF Rules to screen their customer base for PEPs. Following changes introduced in 2014 to the definition of PEPs in the AML/CTF Rules, reporting entities are now required to conduct screening for domestic, as well as foreign, PEPs. During discussions with AUSTRAC, several funds noted they had identified many PEP customers as a result of these changes. But some funds and industry experts noted it was likely that some were still not aware of, or did not understand, this requirement.

Due to the compulsory nature of superannuation, it is likely that a large number of domestic PEPs will have accounts with APRA-regulated funds; however, very few SMRs from superannuation funds relate to PEPs. One fund noted that most PEPs in its fund were in a defined benefits scheme, which is a lower risk product. It is unlikely that APRA-regulated superannuation funds would have accounts for foreign PEPs. Further information about obligations relating to PEPs can be found in the AUSTRAC compliance guide.


Source of funds and wealth

Fund contribution payments received from an employer carry a low level of risk as the source can be readily established; however, payments direct from a member present a higher risk because of the potential difficulties in determining their source. Many funds consulted by AUSTRAC identified assessing a member’s source of funds or wealth as a challenge.

Rollovers into a superannuation fund from an SMSF also create an avenue for ML in the sector. The origin of this money is difficult to determine and can include the proceeds of crime.

One fund advised that its call centre had started contacting members in relation to some after-tax (voluntary) contributions, to assist in determining whether the contribution was legitimate or suspicious.

Employer risks

Several funds noted that employers (in their capacity as payers of superannuation contributions) were a potential risk for illegal activity, with one fund saying that understanding employer risk was an industry ‘blind spot’ and needed further attention.

In some cases, funds reported employers committing fraud, such as through registering fake employees, creating a potential money laundering channel. While under the AML/CTF Act the employer is not the customer of the fund, an SMR may be lodged under section 41 in relation to the fictitious employee, which may lead to scrutiny of the employer’s conduct.

In other cases, employers were the target of fraud. One fund was aware of members who were defrauding their employers, then putting the proceeds into their own superannuation accounts. In this scenario the fund could submit an SMR based on the reasonable suspicion that the information may be relevant to investigation of, or prosecution of a person for, an offence against a law of the Commonwealth or a state or territory.

In discussions with AUSTRAC, some funds highlighted the challenges associated with having limited visibility over employers (7). Some reported conducting a variety of due diligence and analytics work on employers before they were accepted or formally registered with the fund. For example, one fund checks ABNs, conducts monthly analysis for employers using common addresses, and checks for employers who have an unusual number of employees without a tax file number.
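The employer checks described above (ABN validation, employers sharing an address, and an unusual share of employees without a tax file number), as an added example in Python that is not from this report or any fund's system. The ABN checksum is the published algorithm; the employer names, addresses, ABNs and employee records are constructed, with two ABNs built to pass the checksum.

```python
"""Constructed employer due-diligence review; not any fund's own system."""
import re
from collections import defaultdict

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def abn_is_valid(abn: str) -> bool:
    """Structural check only: 11 digits and the published ABN checksum
    (subtract 1 from the first digit, weighted sum divisible by 89).
    It does not confirm the ABN is registered or belongs to this employer."""
    digits = re.sub(r"\s+", "", abn)
    if not re.fullmatch(r"\d{11}", digits):
        return False
    values = [int(c) for c in digits]
    values[0] -= 1
    return sum(v * w for v, w in zip(values, ABN_WEIGHTS)) % 89 == 0


def normalise_address(address: str) -> str:
    """Fold case, punctuation and spacing so trivially different spellings
    of one address group together."""
    return re.sub(r"[^a-z0-9]+", " ", address.lower()).strip()


def review_employers(employers, min_staff=5, max_no_tfn_ratio=0.5):
    """Return {employer name: [reasons]} for registrations needing review."""
    flags = defaultdict(list)
    by_address = defaultdict(set)
    for emp in employers:
        if not abn_is_valid(emp["abn"]):
            flags[emp["name"]].append("ABN fails checksum")
        by_address[normalise_address(emp["address"])].add(emp["name"])
        staff = emp["employees"]
        if len(staff) >= min_staff:  # skip tiny employers to limit noise
            no_tfn = sum(1 for s in staff if not s["tfn_supplied"])
            if no_tfn / len(staff) > max_no_tfn_ratio:
                flags[emp["name"]].append(
                    f"{no_tfn}/{len(staff)} employees without TFN")
    for names in by_address.values():  # same address, different employers
        if len(names) > 1:
            for name in sorted(names):
                flags[name].append(
                    f"address shared with {len(names) - 1} other employer(s)")
    return dict(flags)


def _staff(with_tfn, without_tfn):
    """Build a constructed employee list with the given TFN counts."""
    return ([{"tfn_supplied": True}] * with_tfn
            + [{"tfn_supplied": False}] * without_tfn)


# Constructed sample registrations (fictitious names, addresses and ABNs).
SAMPLE_EMPLOYERS = [
    {"name": "Alpha Pty Ltd", "abn": "33 000 123 438",
     "address": "12 Example St, Sydney NSW", "employees": _staff(6, 0)},
    {"name": "Alpha Holdings", "abn": "33 000 123 439",  # bad check digit
     "address": "12 EXAMPLE ST SYDNEY NSW", "employees": _staff(4, 1)},
    {"name": "Beta Services", "abn": "44 112 233 449",
     "address": "7 Sample Rd, Perth WA", "employees": _staff(2, 3)},
    {"name": "Gamma Co", "abn": "12345678901",
     "address": "99 Other Ave, Melbourne VIC", "employees": _staff(0, 2)},
]
```

Calling `review_employers(SAMPLE_EMPLOYERS)` flags both Alpha entities for the shared address, Alpha Holdings and Gamma Co for failing checksums, and Beta Services for three of five employees without a TFN.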


Products and services

Superannuation products and services present various levels of vulnerability. Lower risk products include eligible rollover funds and defined benefits funds where they do not allow members to make contributions. Higher risk products include accumulation funds and post-preservation accounts, which allow relatively easier movement of funds.

There are several factors that limit the vulnerability of most superannuation fund products to money laundering. These include:

  • conditions and restrictions on when money can be moved to and from superannuation accounts
  • taxes levied on excess/voluntary contributions
  • the high level of visibility of transactions by the ATO
  • the relatively low level of customer anonymity
  • the non-transferability of superannuation accounts between people.

These factors do not, however, reduce the vulnerability of these products to fraud.

Outgoing transactions

Outgoing transactions from the superannuation sector – such as payments to members and rollovers to other funds – are large in scale and volume. These factors present significant vulnerabilities, particularly in relation to fraud. In 2015, benefit payments from APRA-regulated funds totalled $62.8 billion (8).

Almost two-thirds of SMRs in the sample period related to outgoing transactions:

  • 128 SMRs (44 per cent) related to benefit payments
  • 66 SMRs (22 per cent) related to rollovers to another fund.

Most of these SMRs detailed attempted fraud and/or suspected illegal early release of superannuation savings, with a small number in relation to terrorism financing. These are detailed in the ‘Criminal threat environment’ section of this risk assessment.

Attempted fraud is often detected by superannuation funds when payments are released, as this is the stage when the identity of the member must be verified, as per requirements under the AML/CTF Act.

Mitigating the threat of illegal early release

Some funds consulted by AUSTRAC were mitigating the risks associated with illegal release through a range of controls, including:

  • not making early release payments to agents
  • calling members to ask questions in relation to rollovers to other funds
  • only making cheque payments to registered addresses (not PO Box addresses), including when making rollover payments to another fund
  • only processing hardship claims if members consented to the fund seeking information from previous funds
  • asking members to authorise fund access to DHS information to verify if members were receiving applicable income support.

Forum shopping

Some funds had observed members engaging in ‘forum shopping’ to identify which funds had weaker AML/CTF controls. For example, a member would make an application for early release due to hardship, and if unsuccessful, they would roll over their account to a new fund, and make another hardship application there. Although the ATO would be advised of these payouts, individual funds have no visibility of prior attempts by a member to access an early release, due to the tipping off provisions in the AML/CTF Act.

Incoming transactions

Receiving money into a superannuation fund account presents a relatively lower risk than making outgoing payments to members and rollovers, particularly in relation to fraud. However, some incoming transactions pose higher levels of risk, such as voluntary (non-concessional) contributions from members, because the source of these funds is more difficult to determine. These contributions could include the proceeds of crime derived from tax evasion or corruption, and may be part of the ML process. This risk is elevated by the fact that funds are required to accept all contributions made by employers and members.

Another significant challenge for the sector is the scale and volume of transactions. In 2015, contributions to APRA-regulated funds (including employer and member contributions) totalled $103.9 billion (9).

Funds generally do not perform a customer identification procedure at this point due to the exemption in section 39 of the AML/CTF Act. Despite this limitation, several funds are submitting SMRs on incoming contributions.

In the sample period, 64 SMRs (22 per cent) were in relation to incoming transactions:

  • 56 SMRs (19 per cent) related to the acceptance of a contribution or premium
  • eight SMRs (three per cent) related to rollovers received from another superannuation fund.


Delivery channel

The growing reliance on online delivery of superannuation products and services makes the sector vulnerable in a number of ways.

Superannuation funds have very limited face-to-face contact with their members. The frequent use of email communication between funds and customers creates a favourable environment for cybercrime.

A clear trend in many funds is an increased emphasis on the ‘member experience’: developing new capabilities that let members change their profiles, contact details, payment frequency and payment amount online. Without robust safeguards in place, these types of changes could unintentionally create new and significant vulnerabilities.

Using technology to mitigate risk

Several funds and fund administrators have developed, or are developing, data analytics capabilities to detect unusual or suspicious activity. One fund is currently developing a real-time sophisticated digital fraud protection framework. This includes data matching and analytics on a range of data and information sources including IP addresses, device recognition software, the incidence and type of changes made to member details, and member calls to the call centre. These checks, balances and frameworks are being designed to identify potentially suspicious matters in real time.
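As an added illustration of the kind of real-time analytics described above, and not any fund's actual framework: a scorer that weighs a payment request against recent changes to member details and against devices and IP addresses not previously seen for that member. The event schema, weights and threshold are assumptions, and the sample events are constructed.

```python
"""Constructed event-level risk scoring for member payment requests."""
from datetime import datetime, timedelta

# Illustrative weights and thresholds, not calibrated values.
WEIGHTS = {"new_device": 30, "new_ip": 15, "bank_change": 35,
           "contact_change": 20, "rapid_changes": 20}
LOOKBACK = timedelta(days=14)
ALERT_THRESHOLD = 50


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def score_payment_request(request, events):
    """Score one payment request against the member's earlier events.
    A device or IP only counts as known if seen before the lookback window,
    so a device first used alongside recent detail changes is treated as new.
    Returns (score, reasons)."""
    member, now = request["member"], _ts(request)
    prior = [e for e in events if e["member"] == member and _ts(e) < now]
    established = [e for e in prior if now - _ts(e) > LOOKBACK]
    recent = [e for e in prior if now - _ts(e) <= LOOKBACK]
    known_devices = {e.get("device") for e in established} - {None}
    known_ips = {e.get("ip") for e in established} - {None}
    changes = [e for e in recent if e["type"] == "detail_change"]
    fields = {e["field"] for e in changes}
    checks = [  # (hit?, weight key, analyst-facing reason)
        (bool(request.get("device")) and request["device"] not in known_devices,
         "new_device", "unrecognised device"),
        (bool(request.get("ip")) and request["ip"] not in known_ips,
         "new_ip", "unrecognised IP address"),
        ("bank_account" in fields, "bank_change", "bank account changed recently"),
        (bool(fields & {"email", "phone", "address"}),
         "contact_change", "contact details changed recently"),
        (len(changes) >= 3, "rapid_changes",
         f"{len(changes)} detail changes within {LOOKBACK.days} days"),
    ]
    score, reasons = 0, []
    for hit, key, reason in checks:
        if hit:
            score += WEIGHTS[key]
            reasons.append(reason)
    return score, reasons


def triage(events):
    """Score every payment request in time order; return those at or above
    the alert threshold for analyst review."""
    events = sorted(events, key=_ts)
    alerts = []
    for ev in events:
        if ev["type"] != "payment_request":
            continue
        score, reasons = score_payment_request(ev, events)
        if score >= ALERT_THRESHOLD:
            alerts.append({"member": ev["member"], "ts": ev["ts"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (fictitious members, documentation IP ranges).
EVENTS = [
    {"member": "M1", "ts": "2016-01-05", "type": "login", "device": "D1", "ip": "203.0.113.10"},
    {"member": "M1", "ts": "2016-03-01", "type": "payment_request", "device": "D1", "ip": "203.0.113.10", "amount": 2000},
    {"member": "M2", "ts": "2015-12-01", "type": "login", "device": "D2", "ip": "198.51.100.7"},
    {"member": "M2", "ts": "2016-02-25", "type": "detail_change", "field": "email", "device": "D9", "ip": "192.0.2.44"},
    {"member": "M2", "ts": "2016-02-26", "type": "detail_change", "field": "phone", "device": "D9", "ip": "192.0.2.44"},
    {"member": "M2", "ts": "2016-02-27", "type": "detail_change", "field": "bank_account", "device": "D9", "ip": "192.0.2.44"},
    {"member": "M2", "ts": "2016-03-02", "type": "payment_request", "device": "D9", "ip": "192.0.2.44", "amount": 45000},
]
```

Running `triage(EVENTS)` raises one alert, for M2, whose withdrawal follows three detail changes made from a device and address never seen before the lookback window; M1's request from a long-established device scores zero.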

After an attempted online attack from an organised crime group, one fund instituted a range of new controls. The fund placed restrictions on pension payment variation requests and refreshed the existing awareness training program for staff to assist in identifying the risks associated with the attack. The fund also submitted a paper to the board on lessons learned from the attack, identified key gaps in their controls, and recommended actions for improvement.


Foreign jurisdiction

Superannuation funds tend to have minimal exposure to jurisdiction risk, as most have only a very small number of overseas-based members (for example, an Australian citizen working overseas for an Australian organisation).

However, jurisdiction risk can be an issue in relation to departing Australia superannuation payments (DASP). One fund advised AUSTRAC that it only provides DASPs by electronic funds transfer to low- and medium-risk countries, and only when an AUD cheque could not be presented in that country. Some funds only make DASPs to domestic bank accounts and do not make payments to overseas accounts or addresses.

Fourteen SMRs (five per cent) in the sample period referred to countries other than Australia, several of which were higher risk jurisdictions. The total value of these reports was $1.5 million. All but one of these SMRs referred to outbound transactions.


Use of cash

Cash transactions are generally a significant indicator of money laundering placement risk, though these appear to be extremely uncommon for the superannuation industry. Of the SMRs analysed, only four (one per cent) mentioned the use of cash transactions. Most were reported on the basis that they appeared to involve suspicious behaviour or unusual account activity.

There appears to be a trend among funds to limit or cease the acceptance of cash payments to the superannuation fund trustee’s premises. This is due to the high-risk nature of cash, as well as the requirements of maintaining cash-handling facilities. This is reflected in the data submitted in threshold transaction reports (TTRs) by superannuation fund trustees (10).

TTRs submitted by superannuation fund trustees

1 March 2014 to 29 February 2016

  • 28 TTRs submitted
  • $782,933 in total value
  • $27,962 average value
  • 5 superannuation fund trustees submitted at least 1 TTR.


Operational vulnerabilities

Superannuation funds and industry experts consulted for this report also highlighted some common internal and operational vulnerabilities.

Data security was identified as a critical vulnerability, as funds continue to move towards digitising their internal operations, such as through cloud services and offshore service providers.

As well as encouraging members to keep their personal data secure, funds should also consider risks posed from employees, fund administrators, financial planners and other outsourced providers who can access sensitive information. This should also apply to contractors, including those based overseas, who may be engaged to assist with product design and digital strategies, and may have access to member information. Funds should have controls in place to audit internal access to members’ information to prevent misuse and fraud.

Fund employees in particular may be in positions where they could facilitate or execute money laundering, or a predicate crime such as fraud. One fund suggested in discussions with AUSTRAC that post-preservation accounts are most vulnerable to internal fraud because of the ability to withdraw a lump sum payment.

Outsourcing fund administration

When outsourcing operations relating to superannuation accounts, the fund trustee remains responsible for meeting obligations under the AML/CTF Act. The common practice of outsourcing fund administration requires trustees to remain highly engaged with their administrators to ensure effective AML/CTF controls are in place, including the capacity to identify and report SMRs.

Trustees should have a clear understanding of the processes used by their administrator and clearly communicate their own requirements and procedures. They should also follow up on implementation to ensure their requirements are consistently met.

One fund reported that it organised workshops with its administrator to go through every SMR trigger being used, to ensure the trustee understood the triggers and how they were being applied. As part of this exercise, triggers that were no longer relevant to the fund were removed and new ones were added.

For administrators, constraints in the AML/CTF Act around tipping off were identified as a vulnerability. An administrator working for many funds could identify suspicious behaviour by a member in multiple funds but cannot provide this holistic perspective to individual fund clients, thereby limiting the capacity to understand and mitigate risks posed by members.


AML/CTF systems and controls

It is highly likely that there is significant under-reporting and non-reporting of suspicious matters across the superannuation industry, which would indicate that internal controls and compliance cultures need to be strengthened. This view is strongly supported by various superannuation funds and industry experts that provided input to this report.

Reporting of SMRs was concentrated among a small group of funds, with only five superannuation funds accounting for over half of the total reports received in the sample period. In addition, AUSTRAC would expect to see suspicious matter reporting from the sector that better reflects the value of money moving through the superannuation system, the number of superannuation accounts, and the capability of criminals to target the sector (including concerns raised by industry). The various misconceptions about the submission of SMRs outlined in this assessment may contribute to deficiencies in reporting.

One significant impact of this is that AUSTRAC and its partner agencies lack the information needed to develop a comprehensive and accurate picture of the criminal threat to the sector. This hinders the government’s ability to investigate and respond to criminal activity.

AUSTRAC notes, however, that during consultation for this assessment, a number of AML/CTF compliance officers showed a very high level of awareness and understanding of the threat environment and vulnerabilities facing their funds. In several cases, these officers described sophisticated mitigation responses that had been implemented – or were in the process of being implemented – by their fund. One fund talked about its commitment to engage and educate frontline staff so they were better able to identify suspicious behaviour. As a result, there was a significant increase in referrals of potentially suspicious matters. Other mitigation responses are detailed throughout this assessment.

Some funds reported that their boards were highly accessible, engaged and aware of the risks associated with ML/TF and the various predicate offences. However, both funds and industry experts were concerned that this level of accessibility and board engagement may not be consistent across the sector.


Footnotes

  4. Australian Prudential Regulation Authority, Quarterly Superannuation Performance Statistics December 2015.
  5. With the exception of corporate superannuation funds that may apply eligibility rules for membership.
  6. Australian Prudential Regulation Authority, Annual Superannuation Bulletin Statistics June 2015.
  7. The risk posed by an employer may be lower for a corporate fund.
  8. Australian Prudential Regulation Authority, Quarterly Superannuation Performance Statistics December 2015.
  9. Australian Prudential Regulation Authority, Quarterly Superannuation Performance Statistics December 2015.
  10. All reporting entities must submit a TTR for transactions involving physical currency or e-currency valued at AUD10,000 (or foreign equivalent) or higher.

Last modified: 31/10/2016 07:59