AIRiskAware


Australia | 12 min read | 2026

APRA and ASIC: What Australian Financial Services Firms Need to Know About AI Regulation

Australian banks, insurers, and superannuation funds face AI governance expectations from two powerful regulators simultaneously. APRA's operational risk prudential standards and ASIC's responsible lending and market conduct obligations apply to AI in ways that many compliance teams haven't fully mapped.


Key Takeaways

  • APRA's CPS 230 (operational risk management) directly applies to AI systems used in material business activities of APRA-regulated entities — banks, insurers, superannuation funds.

  • ASIC has explicitly stated that responsible lending, best interests duty, and anti-hawking obligations apply to AI-driven customer interactions and decision systems. RG 271 (IDR) has AI-specific implications.

  • The Robodebt Royal Commission findings, while focused on government, have materially changed how Australian regulators approach automated decision-making in any sector that affects individual rights.

  • APRA-regulated entities should assess AI against CPS 230, CPG 234, and CPS 220 concurrently — different AI applications may engage different prudential standards.

  • Model risk management frameworks developed for statistical models (analogous to SR 11-7 in the US) are now expected to cover machine learning models. Many existing MRM frameworks have significant gaps when applied to AI/ML.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified professional for guidance on your specific situation."

The dual regulator challenge for Australian financial services AI

Australian banks, insurers, and superannuation funds operate under a dual regulatory architecture that creates layered AI governance obligations. APRA regulates prudential soundness — the financial and operational resilience of regulated entities. ASIC regulates market conduct — how entities treat customers, manage conflicts, and represent their products and services. Both regulators have existing powers that apply to AI, and both have signalled expectations that AI governance should be integrated into entity governance frameworks, not treated as a separate technology matter.

APRA's AI governance expectations

CPS 230 — Operational Risk Management: APRA's operational risk management standard, which took effect in 2025, directly applies to AI systems used in material business activities. CPS 230 requires that entities identify, assess, and manage operational risks associated with technology, including AI. Entities must maintain adequate controls, test business continuity, and manage third-party technology service providers — relevant to AI providers and model vendors.

CPG 234 — Information Security: APRA's information security prudential guidance applies to AI systems as information technology. The guidance's requirements for asset management, access controls, incident management, and third-party assessments all have direct application to AI systems. An AI model is an information asset and should be treated as such under CPG 234.

CPS 220 — Risk Management: APRA's risk management standard requires that entities have a comprehensive risk management framework covering all material risks, including emerging risks. AI risk is an emerging risk that APRA expects to see identified, assessed, and managed in entity risk frameworks. Board and senior management accountability for AI risk flows from CPS 220's accountability requirements.

Model risk management: APRA's supervisory focus on model risk has extended from traditional statistical models to AI/ML models. APRA expects that existing model risk management frameworks — validation, documentation, monitoring, and escalation — apply to machine learning models. Most existing MRM frameworks have significant gaps when applied to the interpretability and distribution drift challenges that machine learning models present.

ASIC's AI conduct expectations

Responsible lending obligations: AI-driven credit assessment, document verification, and loan decisioning must comply with the responsible lending obligations in the National Consumer Credit Protection Act. ASIC has made clear that the use of AI does not alter the substance of these obligations — lenders remain responsible for reasonable inquiries and verification regardless of whether the process is automated.

Best interests duty (financial advice): AI-assisted financial advice or advice-adjacent digital tools must comply with the best interests duty in the Corporations Act. ASIC's guidance on digital advice makes clear that the duty applies regardless of the degree of automation.

RG 271 — Internal Dispute Resolution: ASIC's IDR regulatory guide requires that complaints about AI-driven decisions be handled in the same way as complaints about human decisions. Organisations cannot rely on automation as a basis for denying access to complaints processes or for providing inadequate explanations of adverse decisions.

The Robodebt effect on Australian AI governance

The Robodebt Royal Commission findings have had a material effect on how Australian regulators — including APRA and ASIC — approach automated decision-making. The finding that automated systems can produce systematically unlawful outcomes at scale, and that organisations can fail to recognise or respond to those outcomes, has created a heightened sensitivity among Australian regulators to AI governance failures. This is observable in APRA's increasing focus on AI in supervisory conversations and ASIC's explicit statements about AI and conduct obligations.

May 2026 Update: APRA and ASIC Escalate AI Governance Expectations

In late April and early May 2026, both APRA and ASIC issued significant new AI-related guidance that materially raises the governance bar for Australian financial services firms.

APRA's 30 April 2026 industry letter represents APRA's first published, AI-specific expectations. Drawing on a late-2025 targeted review of large banks, insurers, and superannuation trustees, APRA found that governance, risk management, assurance, and operational resilience practices are not keeping pace with AI deployment. APRA now expects, at a minimum: formal frameworks and reporting lines for AI governance; ownership and accountability across the full AI lifecycle from design to decommissioning; an inventory of all AI tooling and use cases; human involvement and accountability for high-risk decisions; and structured staff training. APRA also flagged heavy vendor concentration as a material concern — many entities depend on a single AI provider with limited exit or substitution strategies, directly engaging CPS 230 requirements.

ASIC's 8 May 2026 open letter warns that frontier AI models have fundamentally changed the cyber threat landscape. Commissioner Simone Constant called on all AFS licensees and market participants to strengthen cyber resilience fundamentals immediately. ASIC reinforced this with its $2.5 million enforcement outcome against FIIG Securities Limited for cyber security failures — signalling that it will hold licensees accountable where cyber risk management falls short. ASIC expects boards to demand evidence of control effectiveness: test results, independent audit findings, and lessons from real incidents — not just management assurances.

Together, these letters describe two sides of the same risk: APRA focuses on how organisations adopt and govern AI internally, while ASIC focuses on how AI changes the external threat environment. Both require stronger governance, clearer accountability, and evidence that controls are actually working.

Primary sources: APRA Letter to Industry on AI, 30 April 2026 | ASIC Media Release 26-092MR, 8 May 2026
