Enforcement action against the superannuation sector peaks in 2025

What to watch in the year ahead

In the year ahead, we expect to see:

  • continued regulatory scrutiny of the delivery of member services, particularly in relation to complaints handling and failures in the oversight of administrative service providers;
  • a continued focus on the protection of superannuation savings, as the fallout from the Shield and First Guardian Master Funds collapses continues to be felt, and scams and fraud prevention come into greater focus for regulators;
  • an ongoing evolution of governance expectations, driven by APRA’s governance review, alongside sustained enforcement focus by ASIC and APRA on perceived governance failures;
  • a continued emphasis on cyber resilience and the responsible adoption of AI, including among superannuation trustees; and
  • a tapering-off of the recent heightened focus on greenwashing, bearing in mind ASIC’s indication that it will adopt a pragmatic and proportionate approach to supervising and enforcing the new mandatory climate-related financial disclosure requirements.1

We set out below further details on recent developments in each of these focus areas.

Delivering member services

Complaints handling

Reviewing member complaints handling is a key pillar of ASIC's strategic priority of supporting improved member services. It regards complaints as a primary source of feedback to trustees and views the approach to complaints as a clear measure of whether a trustee is focused on its members and the maturity of its risk management approach. The focus is not only on compliance with the strict internal dispute resolution (IDR) requirements in Regulatory Guide 271, but also on trustees' broader systems and processes around obtaining and responding appropriately to complaints information—bringing into focus the obligations to act efficiently, honestly and fairly, and the roles of senior management and the board.

This was recently illustrated in the decision involving Telstra Super.2 While ASIC ultimately failed to establish a contravention by Telstra Super of its obligation to act efficiently, honestly and fairly, Telstra Super was found to have contravened its obligations in respect of complaints handling, having failed to issue 'IDR responses' within the maximum timeframe for approximately a third of the 323 complaints made during the relevant period. Notwithstanding that outcome, we expect to see regulators continue to seek to rely on the efficiently, honestly and fairly obligation in this context.

In March 2026, ASIC launched its new public-facing Internal Dispute Resolution Dashboard, designed to improve transparency and accountability by publishing firm-level IDR data, giving greater visibility as to consumer concerns and potential harm. This followed the launch of ASIC's Reportable Situations dashboard in October 2025. The dashboard enables funds to be compared against one another in terms of complaints volume, resolution time and outcomes. ASIC has noted that it will provide a valuable data set to inform regulatory decision-making, and we expect that it could also lead to increased member and regulatory scrutiny.

Oversight of administrative service providers

Alleged member service failures, including in the context of insufficient oversight of administrative service providers, have been a particular focus of recent ASIC and APRA enforcement action.

In November 2025, the Federal Court ordered Cbus to pay a penalty of $23.5 million in respect of delays in the processing and payment of member death and total and permanent disablement insurance claims, and for poor breach reporting practices.3 Proceedings are currently before the Federal Court against AustralianSuper, relating to an alleged failure by it to take all reasonable steps to ensure that death benefit payments were processed within a reasonable period of time.

APRA imposed new licence conditions on HESTA in December 2025, following significant disruption to member services after the transition of its administrative services to GROW. APRA considered that HESTA's oversight and management of the transition was insufficient. The licence conditions required the commissioning of independent reviews of HESTA's risk management framework and board effectiveness.

This all comes in the context of the heightened operational risk management obligations imposed under CPS 230 from 1 July 2025, including in relation to the management of risks associated with the use of service providers. As part of its strategic objective on maintaining operational resilience, APRA has been engaging with and supervising the implementation of CPS 230.

Protecting superannuation savings

The fallout from the collapse of the Shield and First Guardian Master Funds has continued to be a key area of focus for ASIC and APRA throughout 2025 and into 2026. Approximately 6,000 First Guardian investors and 5,800 Shield investors, with combined balances of around $1.1 billion, are estimated to have been impacted. The enforcement response has been designated as a standalone ASIC enforcement priority.

Proceedings against trustees

Civil proceedings have been commenced against Equity Trustees and Diversa, with ASIC alleging deficiencies in investment governance, due diligence and monitoring. The allegations are framed as contraventions of the covenants of care, skill and diligence and the best financial interests duty; the obligation to act efficiently, honestly and fairly; and the investment governance covenants in s52(2) of the SIS Act.

APRA imposed licence conditions on Equity Trustees and Diversa in December 2025, and on Fiducian in April 2026, in response to prudential concerns regarding their investment governance frameworks.

Macquarie and Netwealth entered into a settlement with ASIC, under which they have agreed to admit contraventions and return net capital to affected members—Macquarie in the amount of $321 million, and Netwealth in the amount of $100 million—and, as a result, have avoided the imposition of penalties. ASIC has emphasised that its decision not to seek penalties was based on the strong public interest in prioritising the prompt return of the capital to members.4

Action beyond trustees

ASIC commenced proceedings in November 2025 against Interprac, the advice licensee whose authorised representatives directed approximately 6,800 clients to invest around $677 million into Shield and First Guardian. ASIC has also taken action against SQM Research, marking the first time ASIC has brought an action against a research house, on grounds of misleading conduct and breaches of the obligation to act efficiently, honestly and fairly. ASIC has cancelled a number of AFS licences, banned numerous advisers and taken personal action (including investigating serious criminal offence provisions) against a number of individuals.

Treasury's legislative response

The Shield and First Guardian Master Funds collapse has led to a number of Treasury consultations on proposed regulatory reforms intended to address some of the underlying risks and causes of member loss.

The most significant for superannuation trustees is 'Enhancing member protections in the superannuation system', released in April 2026 and closing in May 2026.5 A number of the changes proposed by Treasury, particularly regarding strengthening platform governance, are premised on the basis that the existing legislative framework establishes clear 'baseline expectations' but that Shield and First Guardian have highlighted that strong obligations do not always translate into consistently robust investment governance. Key proposals include:

  • strengthening governance requirements for platform trustees, including through mandatory holding limits and codified due diligence requirements;
  • limiting certain platform-specific conflicted arrangements, including payments linked to product listing and volume incentives;
  • restricting certain trustee operating models, namely so-called 'trustee-for-hire' models;
  • increasing civil penalties under the SIS Act, with options including doubling the current maximum or aligning with the Corporations Act position;
  • a waiting period for inter-fund superannuation switching;
  • limiting fee deductions for switching-related financial advice; and
  • requiring platform trustees to compensate members for eligible losses arising from external fraud or theft, payable from the trustee's personal capital.

Scams and fraud

In February 2026, ASIC called for action from superannuation trustees following a review of anti-scam and fraud-related website content across 47 superannuation funds, which identified areas requiring improvement.6

The Scams Prevention Framework, passed in February 2025, creates an overarching framework requiring businesses in particular sectors to take reasonable steps to prevent, detect and disrupt scams. While the initial sectors covered are banks, telecommunications and digital platforms, the Government has stated that it has the ability to expand coverage to other sectors, including superannuation, which is becoming a focus of regulatory scrutiny in this area.

Evolving governance expectations

APRA's governance review

APRA has identified a number of governance practices it considers require uplift across regulated entities, and has indicated its intention to raise minimum standards. APRA's ongoing governance review has encompassed higher minimum requirements for fitness and propriety of responsible persons; third-party performance assessments of boards, committees and individual directors; default tenure limits for non-executive directors; and board renewal processes. APRA has flagged that draft standards and guidance would be published in Q2 2026.7

APRA has also been active from an enforcement perspective in relation to governance issues. The licence conditions imposed on HESTA relate to concerns about its board's effectiveness in discharging its duties and obligations, including board governance and oversight.

Expenditure management

APRA imposed additional licence conditions on the trustee of the Australian Ethical Retail Superannuation Fund in November 2025, following a review that identified areas of concern in that trustee's processes for approving investment management and other fees paid to its parent company, Australian Ethical Investments. The conditions required an independent review of outsourcing and expenditure arrangements. This follows similar conditions imposed in 2024 on Cbus and BUSSQ, requiring those trustees to commission independent reviews of their compliance with fitness and propriety processes under SPS 520: Fit and Proper and their best financial interests duty in making expenditure decisions. BUSSQ sought judicial review of APRA's decision to impose those licence conditions, but that application was unsuccessful.8

The Financial Accountability Regime

One area of particular recent focus for APRA is the Financial Accountability Regime (FAR). While FAR is relatively new in the superannuation context, APRA is increasingly relying on it in its investigatory work and in the negotiation of court‑enforceable undertakings. Additionally, in October 2025, though in a banking context, APRA secured its first disqualifications under FAR against the former CEO and a former director of Xinja Bank.9

Cyber, AI and privacy risk

Cyber resilience

Strengthening cyber resilience is a strategic priority for both ASIC and APRA in 2025–26, with APRA also focused on addressing systemic cyber vulnerabilities and potential risks associated with AI across the superannuation industry.

Following the cyberattacks on various superannuation funds in late March and early April 2025, APRA wrote to all RSE licensee board chairs in June 2025, requiring, by 31 August 2025, a self-assessment (or special purpose engagement under SPS 310, where the licensee was impacted in the cyberattacks) of information security controls, the submission of material control weakness notifications where robust authentication controls were deficient,10 and confirmation of the accountable person under FAR for CPS 234 compliance. This process was targeted at ensuring trustees had undertaken appropriate assessments to identify information security control weaknesses and had taken steps to remediate those weaknesses, strengthening their cyber resilience.

We expect the regulators' focus on cyber resilience to continue, given the ever-evolving nature of this threat, and the need for trustees to regularly monitor, test the effectiveness of and (when required) uplift or update their information security controls, and improve their cyber security posture. This focus also aligns with the commencement of APRA Prudential Standard CPS 230 on 1 July 2025, which (among other things) requires superannuation entities to treat technology risk and data risk as a core aspect of their operational risk management framework.

Artificial intelligence

Both ASIC and APRA have committed to supporting the responsible adoption of AI, with a particular focus on AI governance. ASIC has urged market participants to ensure their governance practices and risk management systems keep pace with their adoption of AI, and has stated that it will take enforcement action where necessary in relation to AI, with a focus on the poor use of AI and technology-enabled scams and misconduct.

On 30 April 2026, APRA issued a letter to all regulated entities, outlining observations and expectations regarding AI adoption, following its targeted supervisory engagements with select large banks, insurers and superannuation trustees in late 2025.11 APRA's engagements found that while AI is being actively adopted, governance, risk management, assurance, and information security practices are failing to keep pace with the scale and complexity of AI deployment. While APRA acknowledged the potential benefits of AI adoption, it also outlined that it expects entities to promptly address identified gaps in relation to the sufficiency and appropriateness of current governance processes and board oversight, supplier risk management practices and assurance mechanisms. APRA has warned that inadequate identification, management and control of AI risks (in a manner proportionate to the entity's size, scale and complexity) would result in stronger supervisory action, or enforcement.

In other developments, frontier AI technology (such as Anthropic's recently announced Claude Mythos Preview)12 is presenting opportunities for organisations to harness AI to help identify vulnerabilities, mitigate cyber threats and uplift their cyber security posture. However, these developments also highlight increasing cyber security risks associated with AI-enabled threats. In light of this, the Australian Signals Directorate (ASD) has advised organisations to continue to focus on good security practices, including by implementing a strong cyber security baseline aligned with the ASD's published cyber security framework and mitigation strategies.13 On 8 May 2026, ASIC issued a letter to licensees and directors urging them to act now to strengthen their cyber resilience fundamentals in light of the rapid evolution of frontier AI technology, and encouraged entities to use the ASD's guidance on frontier AI technology and cyber security more generally.14 ASIC called on organisations to take a number of specific actions (while noting that these were not new expectations), including to reassess cyber plans, strengthen cyber security fundamentals (including core controls), and prepare for an incident response by maintaining and exercising incident response plans and playbooks. In this letter, ASIC also underscored the importance of governance and accountability, and its expectations of boards and senior executives to understand their organisation's cyber security posture while not relying solely on assurances.

Organisations' adoption of AI also intersects with their privacy obligations, and from December 2026, organisations will have additional transparency obligations in relation to automated decision-making under amendments to the Privacy Act 1988 (Cth). APPs 1.7 to 1.9 will mandate disclosure of the use of automated decision-making within privacy policies where it is used to make decisions that could 'reasonably be expected to significantly affect the rights or interests of an individual'.

Recent cyber-related enforcement action

ASIC's recent cyber security-related enforcement actions against FIIG Securities Limited (resulting in a $2.5 million penalty) and Fortnum Private Wealth Limited reflect its emphasis on cyber security as a core component of AFS licensee obligations under s912A of the Corporations Act. Additionally, the recent outcome of the Office of the Australian Information Commissioner's proceedings against Australian Clinical Labs, which resulted in a $5.8 million penalty (the first civil penalty under the Privacy Act), has provided further judicial guidance regarding baseline expectations for organisations' cyber risk management practices (including preparedness activities, and practices during or following incidents), which we consider will likely be informative for other regulators (eg APRA and ASIC).

Greenwashing and regulatory risk in sustainability reporting

Sustainability reporting

The first mandatory sustainability reporting period for superannuation trustees commences on 1 July 2026. Financial reporting misconduct is a current ASIC enforcement priority. However, the regulator has indicated it will be pragmatic and proportionate in its supervisory and enforcement approach during the transition period.15 From 2026, ASIC will undertake its first review of sustainability reports lodged with it and will publicly report on its findings.

Greenwashing

Greenwashing is no longer an ASIC enforcement priority, for the first time since ASIC first published its priorities in 2023.16 Accordingly, we expect that the intensity of regulatory enforcement action in respect of greenwashing may taper off.

Nonetheless, recent proceedings against Fiducian, as responsible entity and trustee of the Diversified Social Aspirations Fund, are instructive for superannuation trustees, in that they highlight ASIC's recent focus on the intersection between greenwashing and governance. In those proceedings, ASIC alleged misleading or deceptive conduct in relation to representations about the fund's ESG credentials and the governance measures in place to ensure investments aligned with those representations—and that Fiducian failed to act with due care and diligence in failing to ensure the underlying investments aligned with those ESG representations. In March 2026, following court-ordered mediation, Fiducian admitted the contraventions and agreed to pay a pecuniary penalty of $7.3 million.

Footnotes

  1. Reporting and audit update - Issue 1 | ASIC.

  2. Australian Securities and Investments Commission v Telstra Super Pty Ltd [2026] FCA 527.

  3. Australian Securities and Investments Commission v United Super Pty Ltd [2025] FCA 1453.

  4. ASIC v Macquarie Investment Management Limited [2026] FCA 303 at [26].

  5. Consultation paper: Enhancing member protections in the superannuation system. See also: Enhancing member protections in the superannuation system.

  6. 26-014MR ASIC urges super trustees to step up and address serious gaps in anti-scam and fraud protections | ASIC.

  7. Governance review update | APRA.

  8. BUSS (Queensland) Pty Ltd atf Building Unions Superannuation Scheme (Queensland) v Australian Prudential Regulation Authority (2025) 185 ALD 468.

  9. APRA media release, 'APRA disqualifies two directors of Xinja Bank under Financial Accountability Regime', 9 October 2025.

  10. This included where multi-factor authentication or equivalent controls were not implemented for high-risk activities.

  11. APRA Letter to Industry on Artificial Intelligence (AI) | APRA.

  12. Claude Mythos Preview \ red.anthropic.com; Project Glasswing: Securing critical software for the AI era \ Anthropic.

  13. Frontier models and their impact on cyber security | Cyber.gov.au; Information security manual | Cyber.gov.au; Essential Eight | Cyber.gov.au.

  14. 26-092MR ASIC calls for urgent cyber uplift as AI accelerates cyber threats | ASIC; Open letter to AFS licensees and market participants.

  15. Reporting and audit update - Issue 1 | ASIC.

  16. ASIC enforcement 2026 priorities, ASIC website.