The Australian Prudential Regulation Authority has decommissioned its legacy Direct to APRA (D2A) data submission system for entity access after a routine penetration test identified security vulnerabilities, and is accelerating the migration of all regulatory data collections to the APRA Connect portal. The D2A system was taken offline on 20 March, and APRA reported no known security breaches or exploitation. As a precaution, organisations that use D2A are advised to immediately uninstall the D2A client and review system and data security controls. To meet reporting obligations during an interim period, entities with submissions due should continue preparing returns under existing processes and be ready to provide their files for secure submission, with XML or XBRL preferred. APRA also set out continuity arrangements intended to maintain the security of data collected on behalf of industry and other users. APRA indicated it will provide further information on the expedited program to move all data collections onto APRA Connect, which it positions as a single interface with improved user experience, performance and security while reducing costs and managerial complexity.
Australian Prudential Regulation Authority 2026-03-26
Australian Prudential Regulation Authority decommissions Direct to APRA submission system after security vulnerabilities and accelerates migration to APRA Connect
The Australian Prudential Regulation Authority has decommissioned its Direct to APRA data submission system due to security vulnerabilities and is expediting the migration to the APRA Connect portal. Entities are advised to uninstall the D2A client and maintain data security controls, with interim reporting to continue under existing processes. APRA will provide further details on the transition to APRA Connect, which promises enhanced user experience and security.