APRA has sharpened its expectations on investment governance and, over the past year, begun backing them with enforcement. The standards apply with equal force whether a trustee outsources investment management, runs it in-house, or operates a hybrid. Our concern, drawn from years leading risk functions inside investment managers, is a quieter one that the enforcement headlines have yet to reach: as more funds have brought investment management in-house, has the risk and compliance capability meant to support it kept pace?
Over the past decade a growing number of superannuation funds have internalised investment management. The stock pickers, deal teams and portfolio management capability now sit inside the trustee, and that investment capability is usually well built out. The second and third lines have often had less time and investment to scale alongside it. Independent oversight and challenge of the investment function is demanding work, and the risk and compliance capability to match a maturing in- house investment team takes time to build.
There is a good reason attention has sat elsewhere. In superannuation, the functions closest to the member naturally command the most focus. Complaints, death and disability claims, member disclosures, and the core business of accepting contributions and paying benefits are visible, time- critical and emotionally significant. It is understandable that risk and compliance effort has concentrated there. Investment governance, by contrast, can feel remote from the member, until a valuation dispute, a unit pricing error or a poorly monitored option makes it very close indeed.
This article sets out why the same rigour trustees expect of their outsourced managers should be turned inward, and what recent regulatory activity tells us about the cost of leaving that gap open.
The standards converging on investment governance
Investment governance in superannuation rests first on SPS 530 Investment Governance, which has applied in its strengthened form since 1 January 2023. Under SPS 530 a trustee must prudently select, manage and monitor investments, and maintain an investment governance framework appropriate to the size, business mix and complexity of its operations, with the board ultimately responsible. The strengthened standard sharpened expectations on valuation governance, liquidity management and stress testing, the same areas APRA had found wanting in its review of unlisted asset valuations.
SPS 530 does not operate alone. SPS 515 Strategic Planning and Member Outcomes ties investment decisions back to the outcomes members receive. From 1 July 2025, CPS 230 Operational Risk Management added a resilience layer. It treats investment management as a critical operation or material service whether the function is outsourced, internalised, or a combination of both, and it raises the bar on how trustees identify and oversee the service providers they depend on, including the fourth parties sitting behind their direct providers. Since early 2025, the Financial Accountability Regime has placed named, personal accountability on trustees, their directors and senior executives. Accountability, in APRA’;s words, cannot be outsourced.
Taken together, these requirements ask trustees to govern the substance of investment decisions, connect them to member outcomes, make the function operationally resilient, and stand behind it personally. The distinction APRA is now testing is not whether a function was competently procured, but whether it is competently governed on an ongoing basis. That answer must hold wherever the function sits, and for many trustees it is easier to give for what they outsourced than for what they built themselves.
The gap that has opened up in-house
A common assumption is that internalisation reduces governance risk, because the trustee now controls the function directly. We are curious at to whether that consistently holds true. An outsourced relationship sits inside a contracted framework: there are service levels, defined reporting, due diligence rights, and a counterparty that is itself regulated. When a fund brings investment management in-house, that external scaffolding falls away, and it is not always replaced with an equivalent internal control environment.
Internal investment teams typically grow out of a small initial footprint and scale quickly alongside funds under management. The second and third lines often do not grow at the same rate. Risk and compliance coverage of the investment function often lags the front office in both capability and resourcing. Many trustees lack a dedicated second line with the technical depth to challenge portfolio
managers on execution quality, counterparty selection, mandate adherence and the conflicts specific to managing money in-house. Valuation governance for unlisted assets is particularly sensitive, since the investment team whose performance is judged on those assets often has the deepest knowledge of them and, without clear separation, can end up influencing how they are valued.
It is worth asking whether the internalisation of investment management was matched by a corresponding uplift in the risk and control functions that oversee it, and whether the same standard of due diligence, monitoring, control assurance and conflicts management a trustee expects of an external manager would hold if applied to the internal team. For many funds, that is still developing. The opportunity is to bring the internal control environment up to the standard already expected of outsourced investment management.
Having led risk and compliance functions inside investment managers, the PX Partners team has seen this from the inside. We know how quickly an internal capability can outgrow the controls around it, and how easily independent oversight becomes an afterthought when the investment team is delivering.
The point is not that in-house management is wrong. It is that it carries obligations trustees cannot
meet by governing the internal team more lightly than they would an external one.
One lens, wherever the function sits
CPS 230 and SPS 530 apply the same test regardless of the operating model. CPS 230 asks the operational questions: can you identify the critical operation, understand its dependencies and the
providers behind it, set tolerances for disruption, monitor against them, and respond when something fails? SPS 530 asks the substantive ones: can you evidence that investments were prudently selected and are being properly monitored and valued? Neither standard cares whether the function is run by a third party or by a team down the corridor. The trustee owes the same answer either way.
Where trustees run more than one model, there is an additional layer to manage. Hybrid arrangements, with some asset classes managed internally and others left with external managers, create a
coordination point between the two that benefits from clear ownership. It is worth checking that the standard applied to external managers also informs the internal approach, and that member facing impacts have a clear owner rather than sitting between functions.
Where the gaps typically appear
- For outsourced functions, the recurring weakness is what happens after onboarding. Initial due diligence tends to be thorough. Ongoing oversight then narrows to performance reporting, an annual due diligence questionnaire and the occasional site visit. Operational risk indicators, control attestations, visibility into sub-custodians and sub-advisers, business continuity testing and exit planning are often underdone. CPS 230 has raised the bar here, extending the
expected depth of oversight beyond the direct provider to the fourth parties they in turn rely on. - For internalised functions, the gaps are structural. A common gap is second-line depth: the specialist skills needed to challenge the front office on investment risk take time and investment
to build. Compliance coverage of trade execution, mandate adherence and conflicts of interest is often still maturing. Valuation governance for unlisted assets warrants particular attention. - For hybrid models, the risks of both combine.
What APRA has signalled
APRA has put its focus on investment governance beyond doubt. On 7 October 2025 it wrote to platform trustees, following a thematic review covering trustees responsible for around 95 per cent of platform assets, calling for stronger action on investment governance (the accompanying letter is available here). Two of its findings travel well beyond platforms. First, a trustee’s core duties are the same irrespective of its business model. Second, accountability for deciding what belongs on the menu, and for the outcomes members experience, stays with the trustee no matter how many parties
sit in between.
APRA has since acted on those findings. On 17 December 2025 it accepted a court-enforceable undertaking from Netwealth Superannuation Services over the depth of due diligence and monitoring applied to onboarded options and the management of related-party conflicts, and imposed additional licence conditions on Equity Trustees Superannuation the following day. It has since taken action against further platform trustees, including HTFS Nominees, the trustee of the HUB24 Super Fund, in May 2026. The detail cuts against a comfortable assumption, that outsourcing investment management reduces the governance burden. It does not. The same logic runs in the other direction: bringing the function in-house does not reduce it either. APRA&’s Deputy Chair has said the platform segment will remain a supervisory priority throughout 2026, and the events sitting behind these actions, including the First Guardian and Shield collapses, have produced member losses and compensation running into the hundreds of millions. The stakes of weak investment governance are no longer hypothetical.
What separates mature trustees
Across our engagements with trustees running internalised, outsourced and hybrid models, three themes consistently separate mature investment governance from the rest.
1. Govern the function, not the form. Internal investment teams should be held to the same standard as external managers: documented mandates through investment policies, performance and risk monitoring, control assurance, conflicts management and contingency planning. The test is simple. If you would expect an external manager to produce it, your internal team should produce it too.
2. Build the second and third line to match the first. Investment risk and compliance need real technical depth. Investment risk management keeps strategies running true to label, but the area that most often needs attention is the expertise to review and challenge front office controls, such as execution quality and counterparty selection, and to understand the conflicts unique to managing
money in-house. For trustees with internalised capability, this is often where the greatest investment is required.
3. Anchor everything in member impact. Investment governance is not a back-office discipline. Unit pricing errors, delayed switches, valuation disputes and performance issues flow downstream from investment management to the very member-facing activities that already command a trustee's attention. Tolerances under CPS 230, and objectives under SPS 530, should be set against member outcomes, not internal service levels alone.
Why trustees should act now
APRA’s focus has shifted from documentation to demonstration, and the events of late 2025 show what that shift looks like in practice. The question is no longer whether the material service provider register is current. It is whether the tolerances, controls and oversight hold when tested, and whether the trustee can show it, for the functions it runs as much as the ones it buys.
This cannot be retrofitted on a supervisory timetable. Building second and third line technical depth takes time. Setting tolerances and objectives that connect to member outcomes, and testing them under stress, takes longer still. Trustees who start now will have something defensible by the time it is tested. Those who wait will be assessed against what their peers have already done.
In our experience, the trustees getting ahead of this are interrogating their in-house investment governance against SPS 530 and CPS 230, testing whether they can evidence the same rigour internally as they expect of their external managers. Having sat on both sides of that question, inside investment managers and now advising trustees, we think it is the right one to be asking.