Comparing APRA, the FCA, and MAS on AI governance reveals three distinct regulatory strategies for the same fundamental challenge: ensuring financial institutions use AI safely and fairly. APRA issued its first AI-specific industry letter on 30 April 2026, based on a targeted review of large banks, insurers, and superannuation trustees. The FCA applies its existing principles-based framework to AI, supplemented by sector-specific guidance under the UK's cross-regulator approach. MAS is developing the most comprehensive AI-specific regime through its AI Risk Management Guidelines consultation (November 2025), building on the established FEAT Principles. For financial institutions operating across these markets, understanding how each regulator's expectations differ, and where they converge, is essential for building governance frameworks that satisfy all three.
APRA: principles with supervisory teeth
APRA's 30 April 2026 industry letter represents its first published, AI-specific expectations. Drawing on a late-2025 targeted review, APRA found that governance, risk management, assurance, and operational resilience practices are not keeping pace with AI deployment. APRA expects: formal AI governance frameworks with clear reporting lines; ownership and accountability across the full AI lifecycle; comprehensive AI use case inventories; human involvement for high-risk decisions; structured staff training; and robust vendor management including tested exit strategies. APRA anchors these expectations in existing prudential standards, namely CPS 230 (operational resilience), CPS 234 (information security), and CPS 220 (risk management), rather than creating new AI-specific standards. The message is that existing standards already cover AI risk; APRA is making explicit what was previously implied.
FCA: the principles-based approach
The FCA does not have a standalone AI regulation. Instead, it applies existing regulatory principles to AI contexts: the Consumer Duty (fair outcomes for customers, including those affected by AI decisions), the Senior Managers and Certification Regime (individual accountability for AI-related decisions), and existing rules on algorithmic trading, credit scoring, and insurance pricing. The FCA published its AI Update in April 2024, signalling how it expects firms to approach AI governance within the existing framework. The UK's approach is sector-led: the FCA, PRA, Bank of England, and other regulators each address AI within their mandates, coordinated by DSIT's pro-innovation framework. The advantage is flexibility; the challenge is that firms must piece together expectations from multiple regulators.
MAS: toward comprehensive AI rules
MAS is developing the most prescriptive AI governance framework of the three. The FEAT Principles (Fairness, Ethics, Accountability, Transparency), published in 2018 and updated since, provide the foundational framework. The AI Risk Management Guidelines consultation, published November 2025, proposes detailed requirements covering AI governance structures, model risk management, data management, and customer outcomes. MAS is also developing AI Verify, a testing toolkit that allows firms to demonstrate compliance with fairness and transparency standards. The expected finalisation of the AI Risk Management Guidelines in mid-2026 will create the most detailed AI-specific requirements of any financial regulator globally.
Where they converge
Despite different approaches, all three regulators expect the same foundational capabilities: board-level AI oversight and literacy, comprehensive AI system inventories, human oversight mechanisms for high-risk AI decisions, model risk management including validation and monitoring, third-party AI vendor governance, incident response capability for AI failures, and evidence-based assurance rather than reliance on management assertions.
Practical approach for multi-jurisdiction firms
Build your AI governance framework to satisfy MAS requirements (the most prescriptive), which will generally exceed APRA and FCA expectations. Map your AI systems to each regulator's specific requirements. Ensure board and senior management reporting covers the specific areas each regulator expects to see. Maintain jurisdiction-specific documentation where approaches diverge (particularly around model validation standards and vendor governance expectations).
Primary sources: APRA Letter to Industry on AI, 30 April 2026 | FCA: AI and machine learning | MAS Consultations