APRA Decommissions D2A System Due to Security Vulnerabilities

APRA News & Publications (www.apra.gov.au)
Published March 27th, 2026
Detected March 27th, 2026

Summary

The Australian Prudential Regulation Authority (APRA) has decommissioned its Direct to APRA (D2A) data submission system due to identified security vulnerabilities. APRA is accelerating its transition to the APRA Connect portal and has provided interim instructions for data submissions.

What changed

APRA has permanently decommissioned its legacy Direct to APRA (D2A) data submission system, effective March 20, 2026, following the discovery of security vulnerabilities during a penetration test on March 19, 2026. This action is precautionary and aims to mitigate risks to APRA and regulated entities. APRA is accelerating its program to migrate all data collections to the APRA Connect portal, which offers enhanced security features.

Organisations that used D2A are instructed to immediately uninstall the D2A client to mitigate residual risk and review their own system and data security measures. For interim data submissions due before the full migration to APRA Connect, entities should complete files using normal protocols (XML or XBRL preferred) and contact dataanalytics@apra.gov.au for secure submission instructions. APRA will provide further guidance on the transition to APRA Connect.

What to do next

  1. Immediately uninstall the D2A client.
  2. Review system and data security measures.
  3. Contact dataanalytics@apra.gov.au for instructions on secure data submission for interim filings.

Source document (simplified)


Media Releases

Direct to APRA security update and accelerated decommission

Friday 27 March 2026

The Australian Prudential Regulation Authority (APRA) has decommissioned its legacy Direct to APRA (D2A) data submission system for entity access. The system was taken offline on Friday 20 March following the identification of security vulnerabilities through a routine penetration test on Thursday 19 March.

APRA is accelerating its program to transition all APRA’s data collections onto the singular interface of APRA Connect.

This action is precautionary and in line with APRA’s low risk tolerance for system vulnerabilities that may expose APRA or regulated entities to attack. APRA is not aware of any security breaches or exploitation on APRA’s systems.

Preventative security action

Organisations that use D2A should take additional measures as a precaution:

  • Immediately uninstall the D2A client. The presence of the D2A program could pose a residual risk. Removal is advised to protect your organisation’s data integrity and security.
  • Review system and data security measures and undertake additional checks as a preventative measure.

Meeting reporting obligations

APRA is expediting its multi-year program to migrate all data collections from D2A to the APRA Connect portal, which includes enhanced user experience, performance and security features.

APRA has also put in place arrangements to ensure continuity and security of the data we collect on behalf of industry, and for other agencies and the public.

For an interim period, organisations with data submissions due are instructed to:

  • Complete their files as per their normal protocols in the lead up to the due date of their submission. XML or XBRL files are preferred.
  • Contact dataanalytics@apra.gov.au for instructions on how to securely submit these files. APRA will provide further information in due course about the program to move all data collections to APRA Connect.

D2A and APRA Connect enable financial institutions to lodge entity information and regulatory data to APRA. APRA Connect has a superior user interface as well as operational and security characteristics. The move to a singular system for data collection will improve the experience for entities over the long term, while reducing costs and managerial complexity.

Contact Us

For any questions relating to the information and instructions above, please contact dataanalytics@apra.gov.au.


The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9.8 trillion in assets for Australian depositors, policyholders and superannuation fund members.

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: APRA
Published: March 27th, 2026
Instrument: Notice
Legal weight: Binding
Stage: Final
Change scope: Substantive
Supersedes: Direct to APRA (D2A) data submission system

Who this affects

Applies to: Financial advisers, Banks, Insurers
Industry sector: 5221 Commercial Banking, 5241 Insurance, 5223 Credit Unions
Activity scope: Regulatory Data Submission
Geographic scope: Australia (AU)

Taxonomy

Primary area: Financial Services
Operational domain: IT Security
Topics: Cybersecurity, Data Management
