We have developed a transition plan for superannuation DSPs that already provide SuperStream functionality within their software product or service. The transition plan is intended to enable DSPs to continue providing this functionality as they work towards meeting the DSP Operational Framework Requirements to utilise ATO digital services (DOCX, 807KB) of the DSP Operational Framework.
Because the different market segments are at varied points in their progression towards meeting the framework requirements, separate transition plans have been created for:
- superannuation gateway providers
- funds and fund administrators
- SMSF administrator providers.
Superannuation gateway providers
Superannuation gateway providers are already meeting many of the requirements for the DSP Operational Framework under the Superannuation Transaction Network Information Security requirements (STN ISR). For requirements not already being met, the following timeline was agreed to:
- By 31 December 2019 - Superannuation gateway providers must submit a DSP Operational Framework Security Questionnaire (DOCX, 895KB) to the ATO providing evidence for:
  - Encryption at rest
  - Encryption key management
  - Data hosting requirements
  - Multi-factor authentication
  - Independent ISO27001 certification obtained
For those requirements met under the STN ISR, appropriate evidence should be provided with completion of the security questionnaire.
Trustees and fund administrators
Trustees and fund administrators that provide SuperStream functionality within their software are required to meet the following timeframe:
- By 15 March 2019 - Trustees and fund administrators must submit a DSP Operational Framework Security Questionnaire (DOCX, 895KB) to the ATO.
For any requirements not met at this point, the questionnaire must include a plan detailing how and when the outstanding requirement will be met.
We will make contact with trustees and fund administrators in June 2019 and then again in September 2019 to check on how they are progressing. We will offer guidance where required.
- By 31 December 2019 - Trustees and fund administrators providing a software product or service which provides any or part of a SuperStream function will have provided suitable evidence to us that all of the DSP Operational Framework requirements have been fully met.
SMSF administrator providers
In consultation with SMSF superannuation providers we have agreed on the following transition timeframe:
- By 31 December 2019 - SMSF administrator providers will have provided suitable evidence to us that all of the DSP Operational Framework requirements have been fully met.
Any superannuation providers who are new to developing with the ATO need to meet the DSP Operational Framework Requirements to utilise ATO digital services (DOCX, 807KB) before they can be whitelisted to consume any ATO SBR products.
Any exceptions to meeting the transition timeframes are considered on a case-by-case basis and are agreed in consultation with the ATO. If you would like to discuss your particular circumstances, or have any questions on the Operational Framework, contact us via Online services for DSPs or by emailing DPO@ato.gov.au.