  • Security guidelines

    Inputs to the FDR are protected by the use of machine credentials (installed via Relationship Authorisation Manager (RAM) or, for cloud based software, by your digital service provider) as an online security credential.

    We recommend you review this information regularly. We will update it as we become aware of issues and relevant information, which will help you maintain the highest levels of security.

    Security credentials

    A security credential is an electronic file and/or software used for identification purposes when transacting over the internet.

    A security credential is used to establish a secure environment for online transactions. This provides you with assurance that your online transactions with us are safe by letting us know we are interacting with the right person for each transaction.

    Modern security credentials make fraud very difficult. For someone to gain access to our online services as you, they would have to be using a computer on which the credential is installed and they would have to know your password.

    Every person associated with your super entity who wants to deal with us online on behalf of your ABN will need their own security credential.

    Looking after your security credential

    The security of the information you want to guard through the use of a credential is only as good as the care you take to keep this credential protected.

    Never disclose your password to anyone including our staff or the provider of your credential.

    When deciding on a password, make sure that it is sufficiently complex. Your password must:

    • be at least eight characters long
    • contain numeric as well as alphabetic characters
    • have a mix of upper and lower case alphabetic characters
    • have at least one special character (for example, !, @, #).

    Your role in securing your information

    Technology and computers cannot safeguard information automatically. You need to protect your own and your members' information related to using this service.

    We strongly recommend that you:

    • never disclose your credential password to anyone, including us or the credential issuer
    • do not download your credential to general use computers. Access the portal only from computers to which you have exclusive use, or that you share under one of the following conditions:
      • the computer is configured for multiple users
      • each user has a unique account
      • other users are individuals you can trust
    • keep your computer software up to date, especially with security upgrades and patches – these are usually available from the licenser of the software
    • ensure that your anti-virus software is current and running on your computer at all times – scan new programs or files for viruses before opening, running, installing or using them
    • ensure that you have anti-intrusion software (commonly referred to as a firewall) to provide added security around your information and protection from misuse of your identity
    • avoid opening, running, installing or using programs or files you have obtained from a person or organisation unless you are positive that you can trust them
    • conduct secure disposal practices such as cleansing of the hard disk on disposal of your computer.

    What to do if someone obtains your password or your device is stolen

    This situation should be treated with the same degree of urgency that you would give to the loss of a credit card.

    Descriptions for FVS data labels

    The Commissioner of Taxation requires certain information in order to complete the FDR and make it functional (for example, fit for purpose) for all users. The following provides descriptions and context for key terms.

    Organisation ABN

    This is the ABN of a registrable superannuation entity (RSE). You should verify that you have recorded the ABN of the fund, not the ABN of the trustee or administrator.

    Organisation name

    This is the name of the RSE. The name needs to match the fund or trading name as recorded on the Australian Business Register (ABR). From time to time, we may correct any deviations from the ABR (including correction of any obvious spelling errors or abbreviations that may exist).

    Effective date (from)

    Date on which the information takes effect; the start date from which a USI can receive rollovers and/or contributions using the details provided.

    Effective date (to)

    The date on which the information ceases to take effect; USIs where the effective date (to) has passed will not be available through the FVS services. If the USI does not have an end date, the default end date (31 December 9999) must be used.

    Note: Providing an end date will have the effect of making the USI inactive from that date. If you wish to reactivate an existing USI, you will need to lodge new details and an updated Effective date (from).

    Profile

    Each fund must adopt a profile that indicates their capability to enable the secure exchange of business-to-business transactions using web services. The user profiles are defined in the Superannuation Data and Payment Standard 2012, Schedules 1 and 5.

    Certification details

    The version of each standard for which the fund is certified to receive messages for rollovers (ROLL) and contributions (CONT).

    You will need to provide assurance that your fund is certified to receive SuperStream standard messages for rollovers (ROLL) and contributions (CONT), the version of each standard that they are certified for, and the type of certification obtained (including all error messaging).

    The values for certification details are in Table 8.

    Table 8 – Certification details values

    | Certification value | Meaning |
    |---|---|
    | Nil | Has not achieved certification for rollovers or contributions |
    | ROLL1.0-X | Finished induction for Rollover V1.0 |
    | CONT 1.0-X | Finished induction for Contributions V1.0 |
    | ROLL2.0-X | Finished induction for Rollover V2.0 |
    | GROL2.0-X | Finished induction for Government Rollover V2.0 |
    | CONT2.0-X | Finished induction for Contributions V2.0 |
    | GCON2.0-X | Finished induction for Government Contributions V2.0 |

    Funds should list their highest level of certification. For example, a fund completes induction for ROLL2.0-X after previously completing induction for ROLL1.0-X. The fund will need to update the FVS and update their certification from ROLL1.0-X to ROLL2.0-X.

    The certification values are backwardly compatible. Having a certification value of ROLL2.0-X means the fund has also completed induction for ROLL1.0-X.

    Where a fund does not provide a value for contributions, they are unable to receive contributions in the Standard.

    We introduced validation of accepted values for this label in August 2017. Where a fund makes an update to their USI and has included an unexpected certification value, that message will be rejected with a validation error and will not be processed. The fund will need to correct the certification value and re-submit the request.

    See also:

    • SuperStream – for more information on induction testing

    Unique superannuation identifier (USI)

    The unique superannuation identifier (USI) is used to identify a fund’s products and/or channel preference for receipt of data and monies. This may be the SPIN or ABN plus three numerals. A SPIN can be provided as a USI. However, the associated fund and product names must match the data maintained on the SPIN register.

    Superannuation product name

    This is the name of the product or product-channel nominated by a RSE for receiving a contribution or rollover. Each row of data in the FDR has a USI. Funds must ensure that every USI has a unique product name which is aligned to that USI and only that USI as it relates to the FDR.

    Contribution restrictions

    This is an indication that there is a restriction on which employers can make a contribution to the product.

    Is there a restriction on which employers can make a contribution to the USI? You will need to indicate whether the USI can accept contributions from all employers from 1 July 2014. Employers will be asked to contact you directly before making a contribution if a USI displays a Y in this field.

    Primary destination

    Bank state branch

    A bank state branch (BSB) number is a unique six-digit number that identifies banks and branches in Australia. The BSB for the account designated to receive contribution payments for a particular USI.

    Financial institution account number

    A unique number assigned by a financial institution to identify the entity's account. The financial institution account (FIA) number designated to receive contribution payments for a particular USI.

    FIA name

    Name of the FIA held by the entity. Account name designated for receiving contribution payments for a particular USI. The FIA has a maximum of 32 characters (in accordance with the Bulk Electronic Clearing System standard).

    BPAY details

    BPAY Biller code designated for receiving contributions for a particular USI. Each employer using BPAY also needs a customer reference number (CRN) unique to that employer (not captured).

    Electronic service address

    The primary destination – electronic service address – is the end point destination for the contribution message. This must be a uniform resource locator (URL) or internet protocol (IP) address. URLs are preferred. An example of a typical URL would be https://en.example.org/. The correct address will be advised to you by your gateway provider.

    Secondary destination

    BSB

    The BSB for the account designated to receive rollover payments for a particular USI.

    FIA number

    FIA number designated to receive rollover payments for a particular USI.

    FIA name

    Account name designated for receiving rollover payments for a particular USI.

    Electronic service address

    The secondary destination – electronic service address – is the end point destination for the rollover message. This must be a uniform resource locator (URL) or internet protocol (IP) address. URLs are preferred. An example of a typical URL would be https://en.example.org/. The correct address will be advised to you by your gateway provider.
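
    A pre-submission check for the destination and effective-date rules described above, as an added example (not ATO code). The record layout, the field and function names, and the restriction to http/https URLs are assumptions; the sample records are constructed.

```python
import re
from datetime import date
from ipaddress import ip_address
from urllib.parse import urlsplit

DEFAULT_END = date(9999, 12, 31)  # default Effective date (to) stated on the page


def esa_kind(value):
    """Classify an electronic service address as 'ip', 'url' or None."""
    try:
        ip_address(value)
        return "ip"
    except ValueError:
        pass
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed bracketed host
        return None
    # Assumption: only http/https URLs with a host name count as a URL here.
    if parts.scheme in ("http", "https") and parts.hostname:
        return "url"
    return None


def check_destination(dest):
    """Return the problems found in one destination (primary or secondary)."""
    problems = []
    if not re.fullmatch(r"[0-9]{6}", dest["bsb"]):
        problems.append("bsb: not a six-digit number")
    if not 1 <= len(dest["fia_name"]) <= 32:
        problems.append("fia_name: must be 1 to 32 characters")
    kind = esa_kind(dest["esa"])
    if kind is None:
        problems.append("esa: not a URL or IP address")
    elif kind == "ip":
        problems.append("esa: IP address given, URL preferred")
    return problems


def is_active(effective_from, effective_to, today):
    """A USI is usable from its start date until its end date has passed."""
    if effective_to is None:
        raise ValueError("no end date: use the default 31 December 9999")
    return effective_from <= today <= effective_to


# Constructed sample records, not real fund data.
GOOD = {"bsb": "123456", "fia_name": "Example Super Fund Contributions",
        "esa": "https://en.example.org/"}
BAD = {"bsb": "12-3456", "fia_name": "Example Superannuation Fund Rollover Account",
       "esa": "192.0.2.10"}
```

    Running check_destination on each destination before lodging an update catches malformed payment and endpoint details locally, before they are published for employers and other funds to route money and messages to.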

    Contact person

    Given name

    The given name is the first name of the person to contact if there are technical issues when processing contributions or rollovers. Generic contact details should be supplied with the first word in the Given name field, and the remainder in the Family name field. For example, ‘Help desk contact officer’ should be recorded with ‘Help’ in the Given name field and ‘Desk contact officer’ in the Family name field.

    Family name

    Surname of person to contact if there are technical issues when processing contributions or rollovers.

    Email

    Email address for correspondence relating to technical issues when processing contributions or rollovers.

    Phone number – area code

    This is the area code of a phone number to call if there are technical issues when processing contributions or rollovers. For toll-free and mobile phone numbers (for example, 1800, 13, 0414) leave this field blank.

    Phone number

    This is the phone number to call if there are technical issues when processing contributions or rollovers. For toll-free and mobile phone numbers (for example, 1800, 13, 0414), place the entire number in the contact phone number field. For example, 1800 123 123.

    Website address

    This is the entity's website address. This must be a valid website address provided where available. It should be the home page of your fund. When submitting your data it should follow the following format:

    • http://www.example.com.au

    Last modified: 01 Jul 2020 (QC 35422)