Superannuation in the crosshairs: the legal and strategic risk landscape for 2026-27
Matt Spain, Vanessa Pallone
Australian superannuation is at an inflection point. The industry manages $4.5 trillion in retirement savings, and regulators, legislators, and the courts are sharpening their focus on how that money is governed, invested, and protected. For trustees and their advisers, the next 12 to 18 months bring a convergence of legal and strategic risks that compound each other and demand careful attention.
Governance and culture: APRA moves from guidance to enforcement
APRA's governance focus has sharpened from guidance to enforcement.
The headline finding is stark: 32% of APRA-regulated entities carry governance risks outside APRA's risk appetite, and 8% carry significant risks. Its March 2025 discussion paper proposed eight significant reforms to SPS 510 (Governance), SPS 520 (Fit and Proper), and SPS 521 (Conflicts of Interest). Draft standards are expected in Q2 2026.
These proposed reforms include:
stronger director skills and capability requirements
mandatory independent board performance reviews (at least every three years for significant financial institutions)
a 12-year lifetime tenure cap for non-executive directors
mandatory conflicts registers and extended conflict-management requirements.
Alongside these, the Financial Accountability Regime (FAR) attaches individual accountability obligations to named senior executives.
Governance failures can now follow people, not just institutions.
The best financial interests duty: enforcement teeth and litigation risk
The best financial interests duty (BFID), embedded in section 52(2)(c) of the SIS Act, has moved from policy aspiration to live enforcement risk.
Although the Superannuation (Objective) Act 2023 does not create enforceable obligations to deliver income for a dignified retirement, it's become a reference point for regulators applying BFID. Trustee expenditure decisions that cannot be justified by clear member benefit now attract heightened scrutiny from both ASIC and APRA.
APRA's enforcement posture on expenditure governance has sharpened into concrete action. In August 2024, APRA imposed additional licence conditions on a major industry fund following an independent review that identified fundamental deficiencies in fitness and propriety processes and expenditure management practices. In February 2025, APRA accepted a court enforceable undertaking requiring a holistic risk transformation program to address significant and persistent weaknesses in operational risk management, governance, and related concerns. APRA simultaneously commenced an investigation into possible breaches of the SIS Act with a specific focus on expenditure management. Where a fund's expenditure governance is found wanting, APRA's message is unambiguous: licence conditions, enforceable undertakings, and formal investigation are all live responses.
Performance risk is also sharpening. While all 52 MySuper products passed the 2025 YFYS test, concerns remain. Seven platform trustee-directed products failed (down from 37 in 2024). But APRA found that over 40% of platform trustee-directed products with a 10-year performance history show significant investment underperformance. Funds that fail twice lose the right to accept new members. Litigation funders are watching.
CPS 230: Governance failure is now a licensing issue
CPS 230 came into full effect on 1 July 2025, imposing obligations on regulated entities to identify critical operations, maintain tested disruption tolerance levels, and oversee service providers, including those offshore.
The legal stakes are stark. A trustee that cannot demonstrate tested operational resilience, a robust vendor oversight regime, and a cyber-aware board faces targeted APRA review and, potentially, licence conditions or RSE licence revocation. Near-miss reporting under paragraph 32 confirms APRA's intent. It is not waiting for incidents before it intervenes. The exposure is sharpest for smaller and mid-tier funds, where a single significant cyber incident – including one in the third-party supply chain – can become a licensing issue.
Investment strategy risk: private markets, liquidity, and the YFYS performance test
Superannuation's rapid asset growth has driven a structural shift into unlisted and private market investments.
According to APRA, unlisted assets such as equity, property, infrastructure, and private debt account for approximately 20-25% of total fund investments across the sector, with the largest industry funds carrying materially higher concentrations. In September 2025, ASIC put the private credit sector on notice, describing it as fast-growing, immature, and untested in a crisis.
Unlisted asset valuations are where ASIC's scrutiny bites hardest. ASIC's REP 816 found that RSEs have been taking inconsistent approaches to categorising unlisted investments, making meaningful member comparison impossible. Valuations that are stale, insufficiently independent, or inconsistently applied will attract regulatory scrutiny and, given that YFYS performance test calculations incorporate unlisted asset valuations, they risk test distortion as well.
Liquidity risk is the flip side. The COVID-19 early access scheme in 2020 was the last real stress test. Many funds passed it narrowly. Since then, illiquid allocations have grown, but the buffer has not kept pace.
Trustees should stress-test their liquidity frameworks now, not when redemption pressure arrives.
Greenwashing and ESG claims: enforcement risk in plain sight
ASIC's greenwashing enforcement campaign is ongoing and intensifying, and superannuation funds are squarely in its sights. The first civil penalty against a superannuation fund for greenwashing resulted in a penalty exceeding $11 million. A further penalty of $12.9 million followed against an investment manager. Infringement notices have been issued to multiple other funds. ASIC's corporate plan makes plain this is a sustained enforcement priority, not a one-off campaign.
The core issue is simple: misalignment between stated ESG claims and actual holdings. ESG claims in product disclosure statements and marketing materials are scrutinised against actual portfolio composition. Where the gap is material, through holdings in industries the fund claims to exclude, or aspirational claims unsupported by documented methodology, trustees face civil penalty exposure.
ESG positioning is no longer a marketing choice – it's a legal representation that needs appropriate governance.
AFCA complaints as a leading indicator: when service failures become legal risk
Member service failures have never carried a higher legal price. In November 2025, a major industry fund was ordered to pay a $23.5 million penalty for serious failures in processing death benefits and insurance claims. AFCA received more than 12,200 superannuation-related complaints in 2024-25, up from 11,000 the previous year. The volume is not declining, and REP 829 confirms that member service failures remain an explicit ASIC enforcement priority for 2026.
That outcome is not an outlier. It is a signal. AFCA determinations are binding on the parties and are increasingly cited in regulatory proceedings as evidence of systemic governance failures. Trustees with elevated AFCA complaint rates should treat this as an early warning indicator, not merely a claims management issue.
Superannuation-related fraud and scam activity represent a growing enforcement exposure that the complaints data underplays. ASIC's 2025-26 enforcement priorities explicitly identify superannuation scams as a focus area. Trustees whose member verification and scam-detection frameworks lag ASIC's expectations face both regulatory scrutiny and direct liability to members who suffer loss.
The retirement income covenant: from obligation to enforcement risk
More than 1.5 million superannuation member accounts are already in the retirement phase, with a further 2.5 million expected to enter it over the next decade. By 2045, two in five trustees will have more than half their members in or entering retirement. The Retirement Income Covenant (RIC), embedded in the SIS Act, requires trustees to formulate and implement a retirement income strategy for that cohort. The scale is not abstract. It is imminent.
The November 2025 joint ASIC-APRA Retirement Pulse Check found a widening gap between trustees proactively improving retirement outcomes and those doing the bare minimum. ASIC's REP 818 found a lack of urgency in retirement communications, with some trustees offering a one-size-fits-all approach and none having developed specific communications for vulnerable members. The RIC is not a disclosure obligation. It is a conduct obligation. Both ASIC and APRA have made plain they intend to enforce it as one.
Superannuation tax reform and legislative pipeline risk
Division 296 is now law. The Superannuation (Building a Stronger and Fairer Super System) Imposition Act 2026 imposes a 15% tax on earnings above $3 million and a further 10% on earnings above $10 million, applying from the 2025-26 income year. The ATO expects approximately 80,000 accounts in the initial cohort. Treasury's own regulatory impact analysis projects this will exceed 500,000 by 2050 if the threshold remains unindexed. Constitutional litigation over the taxation of unrealised gains is coming. The only question is who files first.
Funds without member-level tax assessment systems are already exposed. The unindexed $3 million threshold is not just an equity issue. It is a structural risk that will progressively draw in members who sit comfortably below it today. Trustees should be communicating proactively with large-balance members ahead of the first assessment cycle.
The first tranche of the Delivering Better Financial Outcomes reforms is already law as the Treasury Laws Amendment (Delivering Better Financial Outcomes and Other Measures) Act 2024 (Cth), redefining personal advice and altering the standard against which trustees are assessed. A second tranche, covering the "qualified adviser" framework and the superannuation advice levy, was at exposure draft stage as of early 2026 and remains subject to further legislation. Trustees who have not mapped their intra-fund advice model against the enacted DBFO framework carry live liability to members right now.
From 1 July 2026, the Payday Super measure requires most employers to remit superannuation guarantee contributions on each payday, with those contributions to be received and allocated to member accounts, or returned, within three business days of receipt. This change represents a significant acceleration compared to currently applicable timeframes. In addition, the ATO has issued the new SuperStream 3.0 standard, commencing 1 July 2026. It introduces improved verification and error messaging, including a Member Verification Request service that allows fund details to be confirmed before contributions are made. The ATO is, however, concerned that a material number of trustees are not currently on track to deliver all elements of SuperStream 3.0, particularly the key Member Verification Request service. Trustees who have not assessed their platform capacity and readiness to deliver elements of SuperStream 3.0 are already behind.
Why the risks are compounding
These risks do not operate in silos. A failure in governance culture creates the conditions for BFID breaches; operational resilience failures expose members to loss and trustees to liability; investment strategy decisions that prioritise growth over liquidity feed through to AFCA complaints; and legislative change creates implementation risk that only well-resourced, well-governed trustees can manage.
Regulators have made their intentions plain: enforcement is no longer a tail risk. It is a planning assumption. Those who treat compliance as a box-ticking exercise, or who confuse the absence of enforcement action with the absence of risk, will find that 2026-27 is the year the bill comes due.
Key risks and mitigation steps
Governance and culture risk
Inadequate board skills, conflicts of interest, and non-compliance with SPS 510/520/521, exacerbated by FAR individual accountability obligations from 15 March 2025. Draft updated prudential standards are expected Q2 2026. Trustees should benchmark current governance arrangements against the eight proposed reforms now.
Conduct an independent board effectiveness review benchmarked against APRA's eight proposed reforms, noting the updated 12-year (not 10-year) tenure cap and the confirmation that perceived conflicts will be addressed in guidance.
Map FAR accountabilities accurately against accountability statements. Implement and regularly test a conflicts-of-interest framework that addresses actual, potential, and perceived conflicts. Prepare for draft standards in Q2 2026.
Best Financial Interests Duty (BFID) breach risk
Expenditure decisions (sponsorships, advertising, related-party payments) that cannot be justified by reference to member benefit, attracting civil penalty proceedings and class action exposure.
Conduct a forensic review of all material expenditure decisions.
Develop and embed a BFID decision framework requiring documented member benefit analysis and consideration of alternatives.
Treat APRA's imposition of additional licence conditions, court enforceable undertaking, and formal SIS Act investigation into expenditure management practices as the settled enforcement signal: regulators will escalate to the full suite of supervisory and enforcement responses where they consider expenditure governance is deficient.
Operational Resilience Risk (CPS 230)
Failure to identify critical operations, manage material service providers, and maintain cyber resilience, resulting in APRA supervisory action.
Complete the CPS 230 implementation review and live scenario testing.
Audit all material service provider contracts for APRA cooperation clauses.
Investment strategy risk
Stale or non-independent valuations of unlisted assets, inadequate liquidity buffers, and undisclosed conflicts in private market arrangements, attracting ASIC scrutiny and YFYS performance test distortion.
Review valuation governance frameworks for unlisted assets, including independence and frequency of valuations. Address any inconsistencies in categorisation of unlisted investments identified in ASIC REP 816.
Stress-test the liquidity management framework against market dislocation scenarios.
Greenwashing and ESG enforcement risk
ESG or sustainability claims in PDSs, marketing materials, or member communications that cannot be substantiated against actual portfolio holdings, attracting ASIC civil penalty proceedings. ASIC has pursued a sustained enforcement campaign across the sector, resulting in significant penalties against multiple institutions.
Audit all ESG-related claims in product disclosure statements and marketing materials against actual portfolio composition.
Establish a documented methodology for any ESG screens applied.
Member services, AFCA complaints, and scam risk
Systemic service quality failures in processing death benefits and insurance claims, as demonstrated by a $23.5 million penalty imposed on an industry fund in November 2025, generating elevated AFCA complaint rates (more than 12,200 superannuation-related complaints in 2024-25, up from 11,000 in 2023-24), regulatory scrutiny, and litigation exposure. Superannuation-related scam activity is an adjacent and growing enforcement focus. ASIC's 2025-26 priorities explicitly identify member scam losses. Member service failures and scam-related risk remain explicit ASIC enforcement priorities for 2026.
Conduct a data-driven review of AFCA complaint history to identify systemic patterns.
Review and strengthen the death benefits decision-making framework to ensure contemporaneous documentation, proper investigation of competing claims, and procedural fairness.
Retirement Income Covenant Risk
The November 2025 joint ASIC-APRA Retirement Pulse Check found a widening gap between compliant and proactive trustees. More than 1.5 million accounts are already in the retirement phase, with 2.5 million more expected over the next decade. Failure to operationalise (not merely document) a retirement income strategy risks breach of the SIS Act trustee covenants and APRA-directed remediation.
Commission an independent review of the fund's retirement income strategy against APRA's thematic review findings.
Ensure the strategy is operationalised – not merely documented – with measurable member outcome metrics.
Division 296 tax risk
The Superannuation (Building a Stronger and Fairer Super System) Imposition Act 2026 (royal assent 13 March 2026) imposes a 15% tax on earnings above $3 million and an additional 10% on earnings above $10 million, applying from the 2025-26 income year. First ATO assessments issue in 2026-27. Constitutional litigation over the treatment of unrealised gains is anticipated. The unindexed $3 million threshold is a compounding structural risk: Treasury's regulatory impact analysis projects the affected cohort will grow from approximately 80,000 to over 500,000 accounts by 2050.
Build or confirm member-level tax assessment and reporting systems ahead of the 2026-27 ATO assessment cycle.
Communicate proactively with large-balance members about the first assessment timeline and the treatment of unrealised gains.
Assess exposure to constitutional litigation risk.
Model the long-term cohort expansion risk created by the unindexed $3 million threshold.
Payday super risk
From 1 July 2026, superannuation guarantee contributions must be remitted on each payday rather than quarterly. Trustees face legal exposure where administration platforms cannot handle increased transaction volumes, real-time reconciliation obligations, or the identification and pursuit of unpaid SG contributions under the tightened enforcement framework.
Assess administration platform capacity against projected Payday Super transaction volumes.
Assess compliance with the ATO SuperStream 3.0 standard.
Review and update SG monitoring and unpaid contributions identification processes.
Engage legal advisers to map trustee obligations under the new enforcement framework ahead of the 1 July 2026 commencement date.
Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.