This guide provides information to trustees of super funds and their administrators or service providers on how to use the SuperMatch service and meet the requirements.
This user guide is to be read in conjunction with the SuperMatch terms and conditions of use. It applies to the operation of both the single and bulk service.
We released SuperMatch as a real-time web-service in 2015. We continue to refine our terms and conditions of use and user guide in response to observations about solution development and implementation, usage and risk management.
The SuperMatch user guide sets our specific and detailed requirements, noting:
- the intent of the service is to provide information to trustees of super funds to help their members make informed decisions regarding their superannuation interests
- the trustee is responsible for maintaining the integrity of the SuperMatch service by ensuring it is used appropriately, and for recognising and reporting instances of misuse.
For a portable document format (PDF) version of this content, see SuperMatch user guide v9.0 (PDF, 433KB).
Background
Trustees of eligible super funds are permitted to use an individual’s tax file number (TFN) to search for superannuation accounts, under section 299LA of the Superannuation Industry (Supervision) Act 1993 (SISA).
The SuperMatch service enables super fund trustees (excluding self-managed super funds) to obtain details of active super fund accounts including lost accounts or any ATO-held super for an individual.
Use of this service is restricted to trustees of super funds and can be used for:
- beneficiaries (members) of the fund
- individuals who are applying to become a member of that fund.
Providing this information to super fund trustees will assist consolidation of superannuation accounts for their members. SuperMatch is not a consolidation service itself but provides an individual with information on their active superannuation accounts and attributes to assist in any decision to consolidate their accounts.
Any inter-fund consolidation initiated by the member following a SuperMatch request is a new interaction. Trustees must have procedures in place to safeguard the integrity of the consolidation activities of the member. It will also enable the transfer of ATO-held super money into their accounts, if requested, by the super fund utilising the service.
Given the data returned by SuperMatch, it is critical that the trustee’s implementation, and their use, is in the member’s best interest.
For information on how the SuperMatch service operates and responses provided through the service, refer to Attachment A.
Access to SuperMatch
Access to the SuperMatch service is controlled by the ATO and is available to trustees of the following superannuation entities (referred to as super funds):
- APRA-regulated funds
- approved deposit funds
- retirement savings account (RSA) providers.
To make a SuperMatch request, funds are required to build the SuperMatch service themselves or engage a digital service provider who is registered with us and has built Standard Business Reporting (SBR)-certified, SuperMatch-enabled software.
Before we provide access to use SuperMatch, funds need to:
- complete the application process
- provide an overview of each proposed usage of SuperMatch
- provide detailed process documents outlining how they comply with the SuperMatch terms and conditions of use and requirements provided in this user guide.
You can request an application form from SPREnablingServices@ato.gov.au.
For more information on details trustees must provide, refer to Attachment E – Application process in this guide.
No ‘non-trustee’ access to SuperMatch
SuperMatch can only be used by the trustee of a super fund directly or through an administrator or service provider acting for the trustee. An entity is considered an administrator or service provider of the super fund trustee if the trustee has an agreement with the entity to provide administration services for the fund as per SPS231 – Outsourcing. No other entities can use SuperMatch.
Trustees are not allowed to on-disclose SuperMatch search results to other entities.
Third party financial advice businesses or other non-superannuation entities that offer superannuation search or consolidation functions are not permitted to use SuperMatch or obtain information from SuperMatch results from trustees.
Parent companies or related companies to a super fund trustee are not permitted to use SuperMatch as it is not direct use by a fund trustee. These entities may link or connect their own clients or members to the super fund. The trustee or their administrator or service provider may then use SuperMatch for an applicant or member of the fund.
Trustees who fail to ensure their access to SuperMatch is used only as outlined in the SuperMatch terms and conditions of use and user guide will have any and all access to SuperMatch removed.
Using SuperMatch
Access to and use of the SuperMatch service is governed by the terms and conditions of use, including this user guide. To use the service, you must accept the terms and conditions of use and adhere to the user guide. This applies to both single and bulk solutions.
A trustee is responsible for access and use of the SuperMatch service. They need to provide assurance that all SuperMatch usage associated with its ABN, including via an administrator or service provider they have authorised on their behalf, is compliant with the SuperMatch terms and conditions.
The trustee of the super fund must acknowledge that information provided by the Commissioner of Taxation in response to a search request for an individual (a member or an applicant to be a member of the fund) is for the purpose of any of the following:
- informing them of one or more of their interests in a super fund
- assisting in a choice to maintain or create a superannuation interest
- assisting to give effect to their choice to maintain or create a superannuation interest
- informing them of an amount of ATO-held super that may become payable, credited or otherwise dealt with in relation to that individual
- assisting them to give effect to a choice they may make or action they may take in relation to an amount of ATO-held super.
The trustee of the super fund and their administrator or service providers agree that no fees or charges will be applied to any beneficiary, holder or applicant for:
- submitting a search request
- the receipt, acceptance and subsequent provision to them of information obtained from us in response to a search request
- the receipt, acceptance and subsequent provision to them of credits of ATO-held super obtained from us in response to a search request.
The trustee of the super fund and their administrator or service providers agree that:
- where SuperMatch is used as part of an application or join process, it must be clear and transparent to the individual which fund or product they are joining before any SuperMatch request is made.
- the SuperMatch service cannot be used to support employee commencement activities and cannot be integrated into employer solutions.
Monitoring of usage and trustee ongoing obligations
Once access is granted and established, fund trustees must actively monitor their SuperMatch usage to ensure their systems and controls are operating effectively and are compliant with the terms and conditions of use.
The trustee must have considered the risk around access to and use of the service. They must have appropriate processes in place to monitor fraudulent or inappropriate usage.
You must disclose to us in writing within 24 hours of identifying any of the following events:
- any behaviour or activity that puts the use of the SuperMatch service at risk of fraudulent or inappropriate use
- if members’ information returned by the service is at risk of fraudulent or inappropriate use
- there is a breach of the SuperMatch terms and conditions.
You must also inform us where there are any changes to the SuperMatch solution after your application has been approved, including:
- moving or partnering with a new or different service provider or administrator
- introducing a new type of service interaction not previously covered in a self-application
- changes that potentially affect your compliance with the SuperMatch terms and conditions of use.
Periodic confirmation of ongoing compliance with terms and conditions of use
The fund trustee or an appropriately senior and qualified officer of the super fund as approved by us (for example, a Chief Risk Officer) will need to make a statement of compliance at least annually, or otherwise as requested by us.
Details of this requirement will be communicated to trustees when they are granted access to the service.
Consent
The trustee of the super fund or their administrator or service provider must obtain explicit consent from the individual before a search can be made using the SuperMatch service. This consent must be sought from the individual prior to using their TFN for the purposes of a SuperMatch search.
A separate consent must be captured to reunite the individual with any ATO-held super. This consent can be captured together but must be clearly differentiated.
Consent may be stored for the bulk search process or searches in the future. You must inform the member of the details involved in storing the consent and how they can opt-out of any stored consent.
An individual is not considered to have provided consent if it is only contained within a product disclosure statement and has not been captured explicitly in a separate process.
Customer verification requirements
Prior to using SuperMatch for an individual, trustees must successfully complete customer verification. This is to ensure they are providing access to the SuperMatch service and the results to the person they are dealing with.
This customer verification must generally be completed by the fund trustee. There may be limited circumstances where a fund trustee can be assured (and can easily demonstrate to us) that the same level of customer verification has been completed by another entity, for example:
- by an employer prior to the employer creating an account in the fund for that employee (for example, where there is a corporate or limited membership fund)
- by a related financial institution prior to their customer becoming a member or creating an account in the fund
- by another fund trustee prior to a successor fund transfer occurring.
There would be limited circumstances in which this approach could satisfy the requirements as it requires the trustee:
- to have an adequately in-depth understanding of the customer verification policy and procedures of another organisation or entity
- to have assurance that the policy and procedures were/are followed by the other organisation or entity
- to obtain relevant evidence of the above and be able to provide that to us.
We will consider each case on its facts and the evidence that is able to be provided by the trustee and the entity conducting the customer verification during the application process.
Minimum customer verification requirements
Electronic-based verification
For electronic-based verification, the customer’s name and either their address or date of birth, or both, must be verified against two reliable and independent electronic data sources. This must include at least one primary government ID verified against the Document Verification Service (DVS) where applicable.
Document-based verification
For document-based verification the customer’s name and either their address or date of birth, or both, must be verified against either:
- an original or certified copy of a primary photographic identification document, or
- both of the following:
  - an original or certified copy of a primary non-photographic identification document
  - an original or certified copy of a secondary identification document.
Any document used for verification must not have expired (other than an Australian passport, which can be used if it expired within the past two years).
The following table provides an example of the different types of documentation that could be used.
Type of Identity Document | Examples
---|---
Original primary photographic identification document | If a travel document or identity card is in a foreign language, the customer must provide an accredited English translation if the person verifying the documents doesn’t understand the foreign language used.
Original primary non-photographic identification document | If a foreign birth certificate or citizenship certificate is in a foreign language, the customer must provide an accredited English translation if the person verifying the documents doesn’t understand the foreign language used.
Original secondary identification document |
Reliable and independent electronic data | To determine whether electronic data is reliable and independent you must consider whether the data is:
We and super funds must keep pace with the rapid growth of the digital ecosystem and respond to security concerns, including cybercrime and fraud. The required level of customer verification may change in response to an increase in the risk to the security of the SuperMatch service.
Renewal of customer verification
Customer verification is not a once-off event and must be maintained to ensure the individual’s identity has not been compromised.
Where there is no positive activity from the member on their account for a period of two years, the trustee must complete customer verification to the minimum level prescribed above before the SuperMatch service can be used for that member.
‘No positive activity from the member’ is something trustees must establish parameters for monitoring. The following are relevant considerations:
- Positive activity from a member is something funds would already monitor their membership for, as it is relevant to assessing whether there are any lost member accounts. We provide information about lost and inactive member accounts on our website; the following points are relevant here.
- Positive activity may include member activity such as:
  - deferring a benefit in the fund
  - electing to roll over all or part of their benefit from their original policy to another product (and it is not an automatic transfer)
  - initiating a transaction (for example, a switch)
  - changing their contact details
  - initiating a change to their account (such as nominating a beneficiary)
  - making an enquiry (such as an account balance query or the performance of their account) or complaint
  - responding to a communication issued by you
  - accessing your secure website to view or obtain information about their account.
- This activity indicates the member is aware of where their money is and is engaged with their account, so you should exclude the member from being a lost member.
- Member activity includes activity by the member directly or by an authorised or legal representative of the member.
- Trustees of super funds are required to provide us with evidence of effective monitoring for positive activity from the member, so that the requirements for customer verification renewal are appropriately considered prior to using SuperMatch.
Layering of services and TFNs
A trustee can only use a tax file number (TFN) provided by the individual in a SuperMatch search.
Any TFN provided by us from services such as SuperTICK or member account attribute services (MAAS) cannot be used in a SuperMatch search. Fund trustees must have controls in place to ensure this does not occur.
SuperTICK is designed for internal use only by the trustee and must not be incorporated into external services that a super fund may provide.
Tax file numbers
A trustee of a super fund or their administrator or service provider must include a member’s TFN in any search request.
When using a member’s TFN in a search request, a trustee of a super fund or their administrator or service provider must comply with any legal obligations relating to the use of that TFN, including:
- section 299LA of the Superannuation Industry (Supervision) Act 1993
- section 137A of the Retirement Savings Account Act 1997
- regulations made under those sections.
Online use of SuperMatch
Where the SuperMatch service is used in an online portal, website or application, the provider of this solution, being the trustee of a super fund or their administrator or service provider must ensure the following:
- The website or portal satisfies the information security requirements set out in Prudential Standard SPS 234 Information Security (Australian Prudential Regulation Authority, July 2019).
- Requests are initiated by the individual only and are in accordance with the following:
  - SuperMatch is hosted within the trustee approved portal and accessed from an official webpage of the super fund. Links must not be used in an unsolicited email that requests personal or financial information from the member
  - links which seek to connect members to SuperMatch services must take a member to the trustee nominated home page, allowing them to engage with the member services portal (including to authenticate) from that site
  - any personalised URL provided to the member to assist them linking to the portal must expire within 30 days of issue
  - a member’s identity has been confirmed by the trustee prior to that member being granted access to the SuperMatch function in line with the customer verification requirements set out above.
- Two-factor authentication is completed prior to disclosure of any SuperMatch results, in line with the principles of the Trusted Digital Identity Framework or equivalent government standard.
- A SuperMatch request cannot be initiated unless the TFN has been provided directly by the member or via their employer and is linked to their account.
- Where member consent has not been provided or has been revoked, the ability to initiate a SuperMatch request is disabled for that member.
- Risk processes are in place to monitor fraudulent or inappropriate usage.
- Any behaviour or activity that puts the use of the service, or the members’ information returned by the service, at risk of fraudulent or inappropriate use, or where there is a breach of the SuperMatch terms and conditions, must be disclosed to the ATO in writing within 24 hours of the event being identified.
- The ATO will be informed where there are any changes to the SuperMatch solution after application has been approved, including:
  - moving or partnering with a new or different service provider or administrator
  - introducing a new type of service interaction not previously covered in a self-application
  - changes that potentially affect your compliance with the SuperMatch terms and conditions of use.
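The TFN-source rule (see Layering of services and TFNs), the two-year customer verification renewal rule, the separate search and ATO-held consents, and the online-use conditions above all have to be checked before a request is ever built. The following Python is an added example written for this guide's rules; it is not ATO, SBR or any fund's code. The record layout, the `TfnSource` names, the two-year window taken as 730 days, and the reading that a verification completed on or after the day the inactivity period was reached satisfies the renewal rule are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class TfnSource(Enum):
    MEMBER = "member"        # provided directly by the individual
    EMPLOYER = "employer"    # provided via the employer and linked to the account
    SUPERTICK = "supertick"  # returned by the ATO's SuperTICK service
    MAAS = "maas"            # returned by the member account attribute service


# Only a TFN the individual provided (directly or via their employer) may be searched;
# a TFN obtained from SuperTICK or MAAS must never be layered into a SuperMatch request.
PERMITTED_TFN_SOURCES = {TfnSource.MEMBER, TfnSource.EMPLOYER}
INACTIVITY_PERIOD = timedelta(days=730)   # the guide's two years, taken as 730 days here
LINK_LIFETIME = timedelta(days=30)        # personalised portal URLs expire within 30 days


@dataclass
class Consent:
    captured_explicitly: bool   # False when it exists only inside a product disclosure statement
    revoked: bool = False

    def is_valid(self) -> bool:
        return self.captured_explicitly and not self.revoked


@dataclass
class MemberRecord:
    tfn_source: TfnSource
    search_consent: Optional[Consent]        # consent to use the TFN for a search
    ato_held_consent: Optional[Consent]      # separate consent to reunite ATO-held super
    last_verification: Optional[date]        # last completed customer verification
    last_positive_activity: Optional[date]   # last member-initiated activity on the account


def verification_current(rec: MemberRecord, today: date) -> bool:
    """Renewal rule as read in this example: positive activity within two years keeps
    verification current; otherwise a verification completed on or after the day the
    two-year inactivity period was reached is required before SuperMatch is used."""
    if rec.last_verification is None:
        return False
    if rec.last_positive_activity is None:
        return today - rec.last_verification < INACTIVITY_PERIOD
    if today - rec.last_positive_activity < INACTIVITY_PERIOD:
        return True
    return rec.last_verification >= rec.last_positive_activity + INACTIVITY_PERIOD


def search_blockers(rec: MemberRecord, today: date) -> List[str]:
    """Every reason a SuperMatch search must not be initiated; an empty list means proceed."""
    reasons = []
    if rec.tfn_source not in PERMITTED_TFN_SOURCES:
        reasons.append(f"tfn-source:{rec.tfn_source.value}")
    if rec.search_consent is None or not rec.search_consent.is_valid():
        reasons.append("search-consent-missing-or-revoked")
    if not verification_current(rec, today):
        reasons.append("customer-verification-stale")
    return reasons


def may_request_ato_held_payment(rec: MemberRecord) -> bool:
    """Reuniting ATO-held super needs its own consent; the search consent is not enough."""
    return rec.ato_held_consent is not None and rec.ato_held_consent.is_valid()


def personalised_link_valid(issued: date, today: date) -> bool:
    """A personalised URL is honoured for fewer than 30 days from issue, and never before it."""
    return timedelta(0) <= today - issued < LINK_LIFETIME
```

The gate deliberately returns every blocker rather than the first one found, so the monitoring required under Monitoring of usage and trustee ongoing obligations can count how often each control fires; a sudden rise in `tfn-source:supertick` or `search-consent-missing-or-revoked` is exactly the kind of inappropriate use the 24-hour disclosure rule is about.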
Multi-factor authentication
Where an individual will be viewing results through an electronic channel there must be a multi-factor authentication before detailed results can be viewed.
Multi-factor authentication is defined as ‘a method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier’.
The authentication factors that make up a multi-factor authentication request must come from two or more of the following:
- something the claimant knows (for example, a personal identification number [PIN], password or response to a challenge)
- something the claimant has (for example, a physical token, smartcard or software certificate)
- something the claimant is (for example, a fingerprint or iris scan).
The claimant being authenticated may be a person, device, service, application or any other security principal that can be authenticated within the system.
An authentication verifier is an entry point to a confined sub-system where a single technical authentication policy is enforced.
Multi-factor authentication often involves the use of passphrases in addition to one or more of the following multi-factor authentication methods:
- universal 2nd factor (U2F) security keys
- physical one-time pin (OTP) tokens
- biometrics
- smartcards
- mobile apps
- short message service (SMS) messages, emails or voice calls
- software certificates.
If an authentication method at any time offers a user the ability to reduce the number of authentication factors to a single factor, it is by definition no longer a multi-factor authentication method.
A common example of this is when a user is offered the ability to ‘remember this computer’ for a public web resource. In such a scenario, a user may be authenticated initially using multi-factor authentication. A token is then set on their device such that subsequent authentications use a single factor (usually a passphrase) as long as the token on their device is accessible and valid.
In this scenario, the claimant verified by the token is the user’s web browser rather than the user. As such, it violates the requirement for two or more authentication factors to authenticate a single claimant to a single authentication verifier. Furthermore, the token has characteristics more akin to a session token than an authentication factor, which makes it unsuitable for the purposes of authentication.
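The ‘remember this computer’ failure mode above is easy to get wrong in an authorisation layer that simply counts authentication events. The following Python is an added example, not code from this guide or from any fund's portal: it models a session's authentication events, counts only factor categories demonstrated by the user, treats a remembered-device token as verifying the browser rather than the person, and gates the results view (fresh or cached) on that count. The method names, the `AuthEvent`/`Session` classes and the `claimant` label are this example's own assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, List, Set


class Factor(Enum):
    KNOWS = "something the claimant knows"
    HAS = "something the claimant has"
    IS = "something the claimant is"


# Methods named in this guide mapped to the factor category each supplies.
# The method labels themselves are this example's own.
METHOD_FACTOR = {
    "passphrase": Factor.KNOWS, "pin": Factor.KNOWS, "challenge_response": Factor.KNOWS,
    "u2f_key": Factor.HAS, "otp_token": Factor.HAS, "smartcard": Factor.HAS,
    "mobile_app": Factor.HAS, "sms_code": Factor.HAS, "email_code": Factor.HAS,
    "software_certificate": Factor.HAS,
    "fingerprint": Factor.IS, "iris_scan": Factor.IS,
}


@dataclass
class AuthEvent:
    method: str
    claimant: str = "user"   # "device" marks a remembered-device token: it verifies the browser


@dataclass
class Session:
    events: List[AuthEvent] = field(default_factory=list)


def remember_device(session: Session) -> None:
    """Model 'remember this computer': a token set on the device. It is recorded for
    audit, but it is never counted as one of the user's authentication factors."""
    session.events.append(AuthEvent("device_token", claimant="device"))


def user_factors(session: Session) -> Set[Factor]:
    """Distinct factor categories the user (not their browser) has demonstrated."""
    categories = set()
    for ev in session.events:
        if ev.claimant != "user":
            continue   # a device token has the character of a session token, not a factor
        if ev.method not in METHOD_FACTOR:
            raise ValueError(f"unknown authentication method: {ev.method!r}")
        categories.add(METHOD_FACTOR[ev.method])
    return categories


def may_display_results(session: Session) -> bool:
    """Two or more distinct categories are required; a passphrase plus a PIN is still one."""
    return len(user_factors(session)) >= 2


def render_results(session: Session, results: Dict[str, Any]) -> Dict[str, Any]:
    """Gate for the results view. It applies equally to freshly received and cached
    SuperMatch data, so a cache must never bypass it."""
    if not may_display_results(session):
        return {"status": "authentication_required",
                "factors_present": len(user_factors(session))}
    return results
```

Because `user_factors` is recomputed from the session's own events every time, a later ‘remember this computer’ token cannot retroactively satisfy the check, and a portal that lets a returning browser skip the second factor will find `factors_present` reporting 1 rather than 2.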
Disclosure of results
Information about members obtained by the trustee of the super fund or their administrator or service provider from us through SuperMatch is confidential and subject to the taxpayer confidentiality provisions in Division 355 of Schedule 1 to the Taxation Administration Act 1953 (TAA).
The trustee of the super fund or their administrator or service provider must inform each individual for whom a search request was submitted of the complete results of that search as soon as practicable after receiving a response to a search request. This includes 'no matches' if reported.
The use of emails, physical mail outs, SMS and electronic notifications to a member, whether solicited or unsolicited, must be general in nature. They cannot contain specific SuperMatch response data, and specifically no:
- member details
- super fund or account details
- account balances
- any ATO-held super balances.
If a URL link is provided in the message it must direct the member or potential member to a secure portal or platform where they can be authenticated and verified before viewing results.
There must be multifactor authentication before any SuperMatch data can be displayed in an electronic channel, including cached data.
All response data we provide to a search request should be provided to the applicant or member to assist them to make consolidation decisions. Some super fund details from the response file can be omitted from this requirement, specifically:
- super fund contact name
- super fund contact – phone area code
- super fund contact – phone number
- super fund address.
Relevant caveats, including when the search results were received from us, may be displayed to ensure the member is fully informed that the account balance may have changed since last reported to us.
Claiming ATO-held super
Where payment of ATO-held super is sought through a search request, the trustee of the super fund or their administrator or service provider must have received consent from each member whose details are included in the search request. This consent will allow the payment of identified amounts through the search process to be made to the unique superannuation identifier (USI) provided in the search request.
The trustee of the super fund or their administrator or service providers must agree to accept payment of any credits identified and to transfer any such payments to the relevant member’s account with that fund.
Attachment A: How the SuperMatch service operates
SuperMatch is an ATO web service utilising the Standard Business Reporting (SBR) infrastructure. Fund trustees or their administrators or service providers will either need to:
- build the approved software
- integrate with existing software
- purchase approved software or services from a developer who has this.
For more information about SBR, visit Digital service providers on the SBR website.
To connect to the ATO and use the SuperMatch service directly, you must:
- be using a software package that is SBR-SuperMatch enabled and ATO approved
- have a machine to machine (M2M) credential permitted to access the service.
Alternatively, you may use a digital service provider who delivers this for you.
Refer to Attachment C for further information on machine credentials.
Appointing an administrator or service provider to act on behalf of the trustee
A fund trustee that uses the SuperMatch service can provide authority for their administrator or service providers to act on their behalf using the Access Manager application.
Access Manager is a stand-alone system. You need to log in to Access Manager using an Administrator myID to manage access and permissions (including the authorisation of access to an administrator or service provider).
The fund trustee bears responsibility for the maintenance of access manager permissions and the usage and conduct of users under authorised permissions.
Supporting information can also be accessed by logging in to Access Manager and viewing the Help topic there.
SuperMatch channels
There are two channels available to submit search requests:
- single request processor (SRP) channel
- batch bulk request processor (BBRP) channel.
Selection of the channel depends on the number of member requests:
Channel | When to use the channel | Service response time
---|---|---
SRP | When an instant response is required or preferred | 95% of responses within five seconds
BBRP | When up to 10,000 SuperMatch requests for unique members are submitted in one file for processing | Usually within 24–48 hours (depends on processing load on our services at the time of request)
Note: A sender submitting SuperMatch transactions through the bulk service channel may only include SuperMatch requests for one fund or ABN per file.
Service responses
The SuperMatch service compares member details received in the request message from a fund against member information held in our client register.
Complex data matching processes are used to determine whether the member details provided can be matched against a single ATO record to a satisfactory level of confidence.
Where mandatory member information is not provided or provided in an incorrect format, the request from the fund or sender will be rejected and an error response message returned.
For messages that have passed validation and have been processed by us, the SuperMatch service will provide one of two messages to the sender:
- matched + member and superannuation account information
- unmatched.
Matched
If the member details supplied are matched to a single ATO client with a high level of confidence, a ‘matched’ response will be returned through the system.
A transfer of ATO-held super money will be initiated where this has been requested, which will be transferred in our next payment run.
Included with the matched response will be a list of member details and open superannuation accounts, as per the table of information below. This information is sourced from member account form (MAF) reporting by funds through the member account attribute service (MAAS). It will return a value from the table below where one has been provided by the fund that reported the account.
For further information, see the SuperMatch (SMAT) message structure table on the SBR website.
Fields
- Member details
  - member tax file number
  - member's name – family name
- ATO-held money details
  - super co-contributions (co-cons)
  - super guarantee (SG)
  - superannuation holdings account (active) (SHAA)
  - superannuation holding account (inactive) (SHAI)
  - unclaimed superannuation money – resident
  - unclaimed superannuation money – temporary resident
  - low income super contribution (LISC)
- Member details
  - member's account number
  - member's unique superannuation identifier (USI)
  - member's identifier number
- Super fund details
  - super fund name
  - super fund ABN
  - super fund contact name
  - super fund contact – phone area code
  - super fund contact – phone number
  - super fund postal address – street name and number – line 1
  - super fund postal address – street name and number – line 2
  - super fund postal address – suburb or town
  - super fund postal address – postcode
  - super fund postal address – state or territory
  - super fund postal address – country code
- Member account details
  - does the provider accept government contributions on behalf of the member?
  - insurance indicator
  - defined benefit indicator
  - inward rollovers accepted indicator
  - activity status of the account
  - account balance.
Note: The following fields cannot be auto-consolidated into your super fund on behalf of your member. The member will need to contact us separately to claim these amounts:
- superannuation holding account (inactive) (SHAI)
- unclaimed superannuation money (USM) – temporary resident
- where the member is deceased the rollover of ATO-held money to super funds will not be processed.
Where the member holds more than one active superannuation account the data labels associated with member, super fund and account details will be returned for each account in the response.
Some pension accounts will be returned in a SuperMatch response, where the account has been reported as closed and in pension phase and:
- has a balance greater than 0
- is a defined benefit account and has a balance equal to 0.
There are some occasions where there will be no superannuation information provided with a matched response. This means there are no active superannuation accounts recorded in our systems, which may be the result of:
- a delay in reporting due to timeframes from an open/closed message through MAAS
- the member has just joined the workforce and has no previous superannuation accounts
- all superannuation accounts are reported to us with a closed status.
Self-managed super fund (SMSF) accounts are returned in a SuperMatch response file. These accounts are displayed without a USI. In some cases where the SMSF has not lodged their first SMSF annual return, only the SMSF ABN can be returned in the response file. A complete SuperMatch response file will be returned for the SMSF account after the SMSF lodges their annual return.
If any other unexpected responses are received in response to a SuperMatch request, contact SPREnablingServices@ato.gov.au.
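Turning a matched response into what the member is owed combines several rules from this guide: the full results (including ‘no matches’) must reach the member, only the four fund contact fields may be omitted, SHAI and temporary-resident USM cannot be auto-consolidated, SMSF accounts arrive without a USI, and any email or SMS sent to prompt the member must carry none of the specific response data (see Disclosure of results). The following Python is an added example, not ATO, SBR or fund code. The field labels are taken from the field list above, but the dictionary layout, the ATO-held money keys and the `SAMPLE_RESPONSE` values are constructed for this example and do not follow the SMAT message structure.

```python
from datetime import date
from typing import Any, Dict, List, Tuple

# Field labels follow this guide's field list; the dict layout is this example's assumption.
OMITTABLE_FIELDS = {
    "super fund contact name",
    "super fund contact - phone area code",
    "super fund contact - phone number",
    "super fund address",
}
# ATO-held money that cannot be auto-consolidated; the member must claim it separately.
NOT_AUTO_CONSOLIDATED = {"SHAI", "USM - temporary resident"}
USI_FIELD = "member's unique superannuation identifier (USI)"

# Constructed sample of a matched response: one APRA-regulated account and one SMSF.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "outcome": "matched",
    "ato_held": {"SG": 1200.0, "SHAI": 300.0, "USM - temporary resident": 50.0},
    "accounts": [
        {"super fund name": "Example APRA Fund", "super fund ABN": "00000000000",
         USI_FIELD: "EXAMPLEUSI001", "member's account number": "A-123456",
         "super fund contact name": "Member Services",
         "super fund contact - phone area code": "02",
         "super fund contact - phone number": "00000000",
         "super fund address": "1 Example St",
         "activity status of the account": "open", "account balance": 15300.5},
        {"super fund name": "Example SMSF", "super fund ABN": "11111111111",
         "activity status of the account": "open", "account balance": 0.0},
    ],
}


def partition_ato_held(ato_held: Dict[str, float]) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Split ATO-held amounts into those a fund may request through the search and
    those the member has to claim directly with the ATO."""
    auto = {k: v for k, v in ato_held.items() if k not in NOT_AUTO_CONSOLIDATED}
    manual = {k: v for k, v in ato_held.items() if k in NOT_AUTO_CONSOLIDATED}
    return auto, manual


def member_view(account: Dict[str, Any]) -> Dict[str, Any]:
    """Everything in the response goes to the member except the four contact fields
    the guide allows a fund to omit. An account with no USI is flagged as an SMSF."""
    view = {k: v for k, v in account.items() if k not in OMITTABLE_FIELDS}
    if not account.get(USI_FIELD):
        view["note"] = ("SMSF account: no USI is returned; until the fund lodges its first "
                        "annual return only the ABN may be present")
    return view


def member_notice(response: Dict[str, Any], received_on: date) -> Dict[str, Any]:
    """The full disclosure owed to the member, including an unmatched or no-accounts
    outcome, dated so the member knows balances may have changed since reporting."""
    if response["outcome"] == "unmatched":
        return {"outcome": "unmatched", "accounts": [], "received_on": received_on.isoformat()}
    auto, manual = partition_ato_held(response.get("ato_held", {}))
    accounts = [member_view(a) for a in response.get("accounts", [])]
    return {
        "outcome": "matched" if (accounts or auto or manual) else "matched - no active accounts",
        "received_on": received_on.isoformat(),
        "accounts": accounts,
        "ato_held_requestable": auto,
        "ato_held_claim_separately": manual,
    }


def leaks_response_data(message: str, response: Dict[str, Any]) -> List[str]:
    """Outbound email/SMS must stay general. Return every fund name, account number or
    amount from the response that appears verbatim in the message text."""
    found = []
    for acc in response.get("accounts", []):
        for key in ("super fund name", "member's account number"):
            val = acc.get(key)
            if val and str(val) in message:
                found.append(str(val))
        balance = acc.get("account balance")
        if balance is not None:
            for rendered in (str(balance), f"{balance:,.2f}"):
                if rendered in message:
                    found.append(rendered)
                    break
    for amount in response.get("ato_held", {}).values():
        for rendered in (str(amount), f"{amount:,.2f}"):
            if rendered in message:
                found.append(rendered)
                break
    return found
```

`leaks_response_data` is a release check for the notification template, not a substitute for keeping response data out of the messaging system in the first place; it catches the common mistake of a personalised ‘we found $X at Fund Y’ prompt, which the guide forbids even when the member asked to be notified.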
Unmatched
A response of ‘unmatched’ means we were unable to match the member details provided to us with an appropriate level of confidence.
We may have been unable to match the member details for the following reasons:
- your member has provided you with incorrect details
- the records held by us do not match those provided to you
- the TFN has a protected, compromised or duplicate status on our systems.
We encourage you to check the information with the member and revalidate at the next available opportunity.
To update or confirm personal information details on our systems, the member can check ATO Online services through myGov or phone us on 13 28 65.
Further information on updating details for individuals is available on our website at: Update your contact details or authorised contacts
Note: An unmatched response is not a notice under section 299TB of the Superannuation Industry (Supervision) Act 1993 (SISA).
Common errors
The following are common error messages that may be received in response to a SuperMatch call, including a description and treatment response.
Code | Short description | Treatment
---|---|---
CMN.ATO.GEN.EM0001 | Request failed. | Please advise the member’s account details may have been withheld due to, but not limited to, the following reasons: Contact Super CRT and quote error message 60369.
CMN.ATO.GEN.EM0001 | Request failed. | The error may have occurred due to the member having an account with a fund that has an end-dated ABN or that was not closed correctly through MAAS (or both). Contact Super CRT and quote error message 40544.
CMN.ATO.SMAT2.EM1004 | Invalid ABN | An account returned is from a state authority. The ATO cannot provide a list of accounts for this individual as one of the member’s accounts is from a state authority. Contact Super CRT.
Attachment B: Glossary
| Term | Definition |
|---|---|
| Administrator or service provider | An entity is considered an administrator or service provider of the super fund trustee if the trustee has an agreement with the entity to provide administration services for the fund as per SPS 231 – Outsourcing. |
| Applicant | An individual who has applied to become a member of an APRA-regulated super fund. |
| ATO-held super | Includes but is not limited to: |
| Digital service provider (DSP) | An entity registered with the ATO to develop digital wholesale services that meets the requirements outlined in the DSP Operational Framework. |
| Electronic channel | Any type of electronic communication. This generally includes email, SMS and online activities. |
| Explicit consent | Consent must be sought from the member at the time of the beneficiary initiation to use their TFN for the purposes of a SuperMatch search, and a distinct consent to reunite the beneficiary with their ATO-held superannuation. The stored consent to search must include the information provided by the member's explicit consent and include information on how to opt out of consent, as provided to the beneficiary at the time of consent. |
| Holder | Section 9 of the Retirement Accounts Act 1997 defines holder in respect of an account. A person holds an account if the account is opened in the person's name. The person is the holder of the account. |
| Machine credential | A machine credential (M2M) is an authentication solution for business-to-government online services. |
| myID | The Australian Government's digital identity provider, which aims to transform the way Australians interact with government. |
| Member account attribute service (MAAS) | The member account attribute service (MAAS) is the service for reporting changes to members' account phases and attributes when they occur (event-based reporting). This includes the opening and closing of member accounts. |
| Matched | A match has been found for the TFN supplied. Also known as a 'valid' response. |
| Member | A member of a super fund, the depositor of an approved deposit fund, the holder of an RSA or a member of an SMSF. |
| Super fund | Includes an APRA-regulated super fund, approved deposit fund or RSA provider. |
| Unmatched | A match has not been found for the TFN supplied. Also known as a 'not valid' response. |
Attachment C: Machine to machine credential guidelines
The SuperMatch service (the service) is a secure service accessed with a machine-to-machine (myID + Relationship Authorisation Manager [RAM]) credential.
Machine credentials
A machine credential is installed on a device and enables you to interact directly with government online services through your business software.
Machine credentials are created in RAM and replace the AUSkey previously used in software.
You will use a machine credential if you:
- are a digital service provider who offers cloud-based Standard Business Reporting (SBR)-enabled software. You will need to create a machine credential and install it on your server to enable software authentication by third party users
- use desktop or locally hosted software. You will need to create a machine credential. Your digital service provider will let you know when your software has been updated.
If you use cloud-based SBR-enabled software you will not need to create a machine credential. Instead, your digital software provider will install it on their server.
myID Terms of use – Machine
https://www.myid.gov.au/mygovid-terms-of-use-machine
Attachment D: Interim arrangements for existing members prior to 1 March 2020
On 15 May 2020 we disconnected access to SuperMatch while version 9 of the terms and conditions of use and user guide were updated. The updates included strengthened controls to protect the security and integrity of the SuperMatch service.
To balance the implementation of the new requirements with the impact on existing members, trustees, or their administrator or service provider, may use SuperMatch for members on whom customer verification checks have not yet been completed, provided the member both:
- joined the fund prior to 1 March 2020
- have an account balance greater than $0 at the time of the SuperMatch request.
This is an interim approach that will be in place until 30 June 2021. By this date, super fund trustees and their administrators or service providers will be required to have implemented the relevant customer verification checks for every member they use SuperMatch for, including members whose account was created prior to 1 March 2020.
Where a fund trustee requests SuperMatch access be reinstated and used in line with the interim approach, the trustee will need to demonstrate both:
- adequate controls that ensure the service is only used for members in line with the interim approach
- sufficient consideration and plans including a timeframe for delivering a compliant solution before 30 June 2021.
Funds that rely on this interim approach will have to engage with us again to provide assurance that the interim approach has ended by 30 June 2021.
Attachment E: Application process
A trustee intending to use the SuperMatch service must complete an application form for each SuperMatch process they will undertake. An application will not be approved for a trustee until we are satisfied the trustee has disclosed all instances of SuperMatch usage for that trustee.
We recommend you engage with us early via the SPREnablingServices@ato.gov.au mailbox if you are building a solution to clarify any details before implementation.
With the application form you must provide comprehensive technical and business documentation (for example, business requirements, flow diagrams and screenshots) of each SuperMatch solution to the SPR Enabling Services mailbox for review. This will include:
- who your service provider is
- all end-to-end applicant registration and existing member processes
- portal or web (screen shots and process flows)
- mobile app (screen shots and process flows)
- paper (sample letters)
- voice call (sample scripting and process)
- how you satisfy the customer verification requirements
- explicit consent capture, storage and overt opt out processes
- multi-factor authentication steps, if required, and at what stage in your processes
- how results are notified, displayed and distributed.
You must also describe the controls in place to ensure only those members who meet all requirements are included in SuperMatch requests (including where the trustee is using the interim approach; see Attachment D).
The application must be provided by the trustee. Administrators or service providers can engage with us on behalf of fund trustee clients if they have clear authority from each trustee and a statement from the trustee that they understand the solution and declare it is compliant.
Access will not be provided to SuperMatch until an application form has been received, reviewed and approved by us. Requests for access to the service that are not accompanied by a complete application form will not be actioned.
We will provide an email acknowledging receipt for your application. Following consideration of your application (or applications), we will provide the outcome by email.
Trustees must remain compliant with SuperMatch service terms and conditions and should review their solution with each update or change. Material changes will require re-application with evidence provided to us in accordance with the application process.
Note: We will periodically review trustee compliance with the SuperMatch terms and conditions of use, in addition to any other review or surveillance activity, and will support any action undertaken by ASIC or APRA that involves a review of the use of the service. These reviews may affect the trustee's continued use of the service.
Attachment F: Links to further information
Further information is available online:
- SuperMatch service page on the SBR website (including technical artefacts)
- Superannuation (SPR)
- ATO Superannuation Dashboard – notification of SuperMatch outages
- Information about digital service providers and the operational framework
- myID website
- Relationship Authorisation Manager website
- Using Access Manager