Telstra Super and RG 271: why IDR is now a licence governance issue

The old complaints model is no longer safe

Complaints delays were once too easily treated as operational friction: a backlog, a resourcing issue, or a customer service problem. The Telstra Super IDR decision makes that approach unsafe. Complaints handling now sits squarely within legal risk, licence governance and conduct assurance.

In ASIC v Telstra Super Pty Ltd [2026] FCA 527, the Federal Court found that Telstra Super failed to comply with its internal dispute resolution procedures. ASIC reported that Telstra Super failed to respond to about one third of relevant complaints made between 22 October 2021 and 13 January 2023 within the mandatory 45-day timeframe, and that about 30% of those delayed responses were issued more than 100 days after the complaint was received.

What changed

The key change is not that complaints are suddenly important. It is that RG 271 obligations are enforceable and can produce direct legal consequences. The judgment confirmed that the IDR Instrument validly altered s 912A(1)(g) of the Corporations Act, requiring relevant licensees to comply with their IDR procedures. The Court found contraventions of ss 912A(1)(g) and 912A(5A), while not finding a breach of s 912A(1)(a) or that Telstra Super had failed to adequately resource its IDR process.

That nuance matters. The decision does not say every complaints failure is automatically an “efficiently, honestly and fairly” breach. It does say that defective IDR execution can be legally actionable on its own.

Who is exposed

This is relevant to all RG 271 firms, including AFSL holders, superannuation trustees, credit licensees and other financial firms required to maintain compliant IDR systems. RG 271 expressly applies across a broad range of financial firms and its highlighted standards and requirements are enforceable.

The exposure is sharper where complaints handling depends on outsourced administrators, offshore teams, legacy workflow tools or fragmented ownership between operations, legal, compliance and member services. A service provider may operate the process, but the regulated entity owns the legal risk.

Practical compliance implications

Firms should now test IDR as a control framework, not merely as a procedure. That means:

1. complaint identification controls at the front line, including non-obvious expressions of dissatisfaction;

2. clear ownership of each complaint, timeframe and exception pathway;

3. escalation for “ageing complaints” well before day 45;

4. delay notices that are not generic and actually address the RG 271 criteria, reasons for delay, AFCA rights and AFCA contact details;

5. board and committee reporting that covers ageing, exceptions, root cause themes, AFCA conversion, repeat issues and outsourced SLA performance; and

6. assurance testing of administrators, including file sampling, workflow review and evidence of timely decision-making.

ABML perspective

Complaints data should be treated as conduct-risk intelligence. A rising complaint theme may point to a disclosure weakness, claims-handling failure, defective process, conflicted incentive, poor administration, misleading communication or systemic member harm. Boards and responsible managers should expect complaints MI to identify those signals early and document how the firm responded.

The practical takeaway is simple: IDR should now sit inside legal, compliance and risk assurance plans. A complaints register is no longer enough. Firms need evidence that complaints are identified, triaged, escalated, resolved, analysed and reported in a way that is defensible to ASIC, AFCA, auditors and the board.