  • Superannuation information technology services incident communication strategy – July 2018

    The ATO Superannuation information technology services incident communication strategy has been developed to complement the ATO business continuity plan (BCP) and provides further detail of how the ATO will respond in the event that ATO superannuation services are not performing as expected.

    The ATO provides critical enabling services that the superannuation industry utilises as part of their everyday operations. As these services are critical in nature, it is essential that there be an agreed approach on how the ATO will communicate with the superannuation industry in instances when these systems are not operating as expected.

    This document provides the framework for achieving a consistent and timely approach to communication with the superannuation industry. It also defines the roles, responsibilities and steps the ATO will follow in order to provide prompt and effective communication with the superannuation industry during a system incident. The outcome is a pragmatic process which the industry participants can confidently rely upon in managing their services and relationships.

    Background

    During late 2016 and early 2017, the ATO had significant system failures, each lasting several days at a time. This resulted in superannuation stakeholders not being able to process member requests and make payments in a timely manner. This compromised their ability to meet their legal and client service obligations. Those events were followed by a series of smaller events in July 2017, further impacting stakeholders' confidence in the resilience of ATO systems.

    The industry has since requested more timely and informative messages regarding the outages. Industry has suggested that a suitable mitigation would be a joint communication plan to deal with these events should they occur in the future. This and other feedback has been captured in the ATO Systems Report (‘the Report’), May 2017.

    Scope

    This communication strategy covers incidents affecting the operation of ATO superannuation enabling services from when an incident is confirmed through to resolution.

    Currently, the scope of this communication strategy is limited to services that are critical to the operation of superannuation funds. Services that are critical include:

    • SuperTICK
    • Fund Validation Service (FVS)
    • SuperMatch
    • Member Account Attribute Service (MAAS)
    • Member Account Transaction Service (MATS)
    • Small Business Superannuation Clearing House (SBSCH).

    The strategy will complement the ATO’s business continuity plan, and the information provided can be utilised by the industry as part of their BCPs. This is not designed to replace existing arrangements or requirements by APRA.

    Where there are incidents that affect other superannuation services, such as remittance advice and recovery runs and the Departing Australia superannuation payment (DASP) online system, the ATO will continue to issue CRT Alerts.

    Planned outages are currently communicated to industry through the Superannuation Dashboard and won’t be dealt with in this strategy.

    Note: For printing purposes, the web address of the Superannuation Dashboard is http://sses.status.ato.gov.au/

    ATO business continuity plan

    The ATO BCP has been updated since the Report and provides an overarching strategy for the ATO in supporting the different community sectors, including the superannuation industry. It provides the organisational roles and directions on assessing the risk and approach treatments. It recognises there will be consistent approaches to communication and messaging across community sectors during a system incident. It also recognises that sector and service impacts differ and tailored communications are most effective.

    Table 1: roles and responsibilities

    Group responsible

    Role

    Superannuation Response Group – made up of ATO staff and a cross section of the superannuation industry

    The Superannuation Response Group’s purpose is to determine and advise the ATO Superannuation Systems Co-ordinator on the following (more detail below the table):

    • how to best contain and minimise adverse impacts to the industry
    • options to maintain services and operations (for example, remittance runs)
    • contingency planning
    • the resumption process
    • key communications messages and key stakeholders.

    The Superannuation Response Group will be made up of:

    • ATO SuperStream Delivery
    • ATO Small Business Superannuation Clearing House Senior Executive (where required)
    • ATO IT systems Senior Executive
    • ATO Super Systems Support
    • ATO Superannuation Services or Small Business Superannuation Clearing House Director
    • ATO Service Delivery
    • ATO Marketing & Communications Super Audience Team
    • Gateway Network Governance Body Executive Officer
    • superannuation industry representatives
    • APRA representative where required as determined by the ATO SuperStream Delivery Senior Executive
    • other ATO representatives as required.
     

    ATO SuperStream Delivery Senior Executive

    • owner of the Superannuation Information Technology Services Incident Communication Strategy
    • when an incident could affect or is affecting the Gateway Network, the GNGB Executive Officer will be notified as soon as possible
    • call and facilitate Superannuation Response Group teleconference meetings (as required)
    • consult other ATO areas as required
    • make decisions where Superannuation Response Group consensus is not able to be achieved
    • log, monitor and resolve actions
    • communicate outcomes of Superannuation Response Group meetings to broader industry via email
    • notify APRA where appropriate
    • implement Superannuation Response Group recommendations where appropriate
    • post-recovery monitoring.
     

    ATO Systems Relationship managers – DPO (OBT)

    • often the first point of contact if a stakeholder is experiencing IT issues
    • manage service resumptions and onboarding.
     

    ATO Super Systems Support

    • responsible for logging and tracking the progress of an incident
    • provides critical insight into service impacts, service status and remediation activities
    • coordinates the flow of information from and between the DPO, ecommerce, CAS ERA, EOC and other business and EST teams.
     

    APRA

    • attend Superannuation Response Group meetings where required
    • liaise with other APRA areas as required
    • provide support and advice to the Superannuation Response Group.
     

    Industry stakeholders

    • attend Superannuation Response Group meetings
    • provide support and advice to the Superannuation Response Group.
     

    The Superannuation Response Group’s purpose

    The Superannuation Response Group's purpose is to determine and put into effect the following arrangements.

    How to best contain the impacts on the industry

    The Superannuation Response Group will:

    • assess potential impact on industry
    • determine any practical steps to minimise disruption
    • discuss available service options for the Industry to consider.

    Identify options to maintain operations where possible

    The Superannuation Response Group will recommend alternative arrangements / short-term workarounds to be put into place (if any).

    The resumption process

    The Superannuation Response Group will provide advice to the ATO Superannuation Systems Co-ordinator on the impact/consequence of different options to resume services.

    Key communications messages and key stakeholders

    The Superannuation Response Group will provide advice on communications to key stakeholders:

    • advice on key messages on the incident, taking into consideration impacts to integrity and confidence
    • determine stakeholders to receive communications, including consideration of communications to regulators, clients and other potentially impacted parties.

    The ATO will call for nominations for participants in the Superannuation Response Group through its key consultation groups. From this, the ATO will select a small, diverse cross-section of the superannuation industry, including gateways, funds and administrators and other interested parties.

    Incident phases

    The phases of the BCP process are:

    1. Incident notification

    2. Incident management

    3. Resumption of services

    4. Finalisation and review

    This document highlights how the ATO will communicate through the Incident Phases outlined above.

    1. Incident notification

    The ATO becomes aware of incidents in a number of different ways including internal systems monitoring or reports from the superannuation industry. Superannuation industry representatives are reminded to raise incidents through the Digital Partnership Office (DPO).

    The ATO will communicate confirmed superannuation industry-wide incidents through the Superannuation Dashboard.

    Impacted stakeholders will take appropriate actions per their own incident guidelines based upon their impact and experience.

    2. Incident management

    The timing of response communication activities will depend on the timing of the outage event. For the purpose of this section, core hours are defined as 7.00am–9.00pm, which covers major processing centre hours across the industry.

    The guidelines below set a minimum expectation for communication. The SuperStream Delivery Senior Executive may call a Superannuation Response Group meeting more urgently should there be a need.

    In core hours, the response timeframes are as follows:

    • short-term unplanned outage (up to four hours)
      • an announcement is published to the Superannuation Dashboard indicating we are aware of the outage and investigating (holding message)
      • a further announcement is published as more details are known if required
      • if the outage is not resolved by 9.00pm, a holding message will be placed on the dashboard, with a further update provided at 7.00am
      • when the services resume, this will be advised through the Superannuation Dashboard.
       
    • medium-term unplanned outage (four hours to 24 hours)
      • publish an announcement to the Superannuation Dashboard at least every four hours as additional information is available about the incident. Dashboard subscribers will get an email notification prompting them to visit the dashboard to read each new announcement
      • if the outage is not resolved by 9.00pm, a holding message will be placed on the dashboard, with a further update provided at 7.00am
      • the ATO SuperStream Delivery Senior Executive will notify APRA of the outage
      • when services resume, publish an announcement to the Superannuation Dashboard.
       
    • long-term unexpected outage (over 24 hours)
      • teleconferences for the Superannuation Response Group are convened as soon as it is known that the outage is expected to continue for more than 24 hours or the outage has continued for 24 hours. Future teleconferences will be scheduled as decided by the ATO SuperStream Delivery Senior Executive in consultation with the Superannuation Response Group
      • the Superannuation Dashboard will be updated as new information comes to hand. Notifications on the dashboard will include a time when the next update will be provided. Dashboard subscribers will receive an email alert each time we publish a new announcement, prompting them to visit the dashboard to check the latest announcement.
       

    When services resume, a Superannuation Dashboard announcement will be published. The Superannuation Response Group may also meet again to review the incident if deemed necessary by the ATO SuperStream Delivery Senior Executive in consultation with the Superannuation Response Group. For incidents that are initiated in non-core hours, a communication message via the Dashboard will be provided at 7.00am.

    3. Resumption of services

    The plan for the resumption of services will be determined on a case-by-case basis and communicated through the Superannuation Dashboard for each incident.

    Resumption messages will contain clear directions on the process for the industry to resume usage of the services. In developing the process for the resumption of services, the ATO will minimise the impact on the industry and consider the following factors:

    • the appropriate priority of services for resumption
    • resumption approach (gradual whitelisting required or not)
    • throttling backlogs where necessary and possible.

    The priority of the services is outlined in Appendix 1.

    4. Finalisation and review

    The ATO will update the superannuation industry on any material learnings from post-implementation reviews.

    The stakeholders that are potentially affected and the action they must take are as follows:

    • super funds – report to government and manage contributions and rollovers and make payments
    • administrators and gateway operators – provide administration and data routing services for superfund and employer clients
    • regulators (APRA/ATO/ASIC) – provide oversight of funds, employers and intermediaries in meeting their responsibilities
    • members – use ATO and fund services to make informed investment decisions
    • employers and clearing houses/bureaus – send contributions to funds.

    Services covered under this communication strategy

    SuperTICK

    SuperTICK is used by trustees in a number of different circumstances outlined below:

    Guidance for trustees on legislative obligations

    Registrable superannuation entity (RSE) licensees must comply with RSE licensing law at all times. APRA's view is that any action taken against an RSE licensee due to failure to meet the three-day rule in exceptional circumstances, including administration peak periods or material ATO superannuation service disruptions, would be remote, provided the RSE licensee could demonstrate they took reasonable action and non-compliance was unavoidable.

    Fund Validation Service

    The Fund Validation Service contains critical information relating to each superannuation fund, including bank accounts for rollovers and contributions. Prior to processing transactions, the Fund Validation Service is generally checked to ensure the correct information for the fund is being used.

    SuperMatch

    The SuperMatch service can be used by funds to get a complete listing of their member’s accounts when they have their member’s permission.

    Member Account Attribute Service

    Requires all super providers to report all member account details and updates to these member accounts within five business days, effective from 1 April 2018, using the MAAS service. Also known as event-based reporting.

    Member Account Transaction Service

    Requires all super providers to report all member account contributions and transactions within ten business days, effective from 1 July 2018, using the MATS service. Funds are required to report member contributions or transactions more frequently and at a transactional level.

    Small Business Superannuation Clearing House

    A free online super payments service administered by the ATO that can be used by employers that have 19 or fewer employees, or that have an annual aggregated turnover of $10 million or less, to pay super contributions in one transaction to a single location.

    Appendix 1 – ATO superannuation enabling service priorities

    The priority of the services has been determined by assessing the services against the following:

    • ATO service required to be used by super funds to conduct superannuation transactions
    • ATO service required to receive superannuation transactions from super funds
    • ATO service required to send ATO superannuation transactions (including Small Business Superannuation Clearing House)
    • ATO service required to receive super fund to ATO reporting
    • ATO service used for member engagement activities.

    The services that support superannuation transactions have been prioritised over services that are used for reporting to government purposes and discretionary member information services.

    The priorities for ATO superannuation enabling services are as follows:

    • SuperTICK
    • Fund Validation Service
    • superannuation reporting to the ATO
    • SuperMatch
    • SBSCH
    • MAAS and MATS.
    Last modified: 03 Oct 2018, QC 56918