From the journal

APRA and ASIC Issue Joint Industry Letters on AI Risk and Cyber Resilience, April and May 2026

The Australian Prudential Regulation Authority published an open letter to all regulated entities on 30 April 2026 setting expectations for governance of AI and AI agents. The Australian Securities and Investments Commission followed with an 8 May 2026 letter to licensees calling for urgent action on cyber resilience against AI-enabled threats. Both regulators warn that existing prudential and operational risk standards already cover AI use and that supervisory action will follow identified gaps.

3 min read

The Australian Prudential Regulation Authority (APRA) published an open letter dated 30 April 2026 to all APRA-regulated entities. The letter sets observations and supervisory expectations for managing AI-related risk, including the use of AI agents in production. The Australian Securities and Investments Commission (ASIC) followed with an open letter dated 8 May 2026 to all Australian Financial Services licensees, credit licensees, and market participants. The ASIC letter calls for urgent action to strengthen cyber resilience against AI-enabled threats. Both letters are final supervisory communications. Both regulators announced that stronger supervisory and enforcement action will follow where boards and management fail to close identified gaps.

APRA's letter ties to its prudential standards CPS 230 on Operational Risk Management, CPS 234 on Information Security, CPS 220 on Risk Management, and CPS 510 on Governance. APRA states that those standards are sufficient legal hooks to govern AI deployment and AI agent use, without new instruments. The letter names four control gaps: missing model inventories, weak third-party model assurance, inadequate accountability mapping under CPS 510, and gaps in incident response for AI-related events. ASIC's letter ties to the Corporations Act 2001 obligations under section 912A on efficient, honest, and fair conduct, section 912A(1)(d) on adequate resources, and section 912A(1)(h) on adequate risk management. ASIC names eight control priorities: critical asset identification, access reviews, prompt patching, reduced attack surfaces, incident response plans, third-party risk management, defensive AI use, and ongoing supervision.

The letters reach Australian banks, insurers, superannuation trustees, AFSL holders, ACL holders, market operators, clearing and settlement participants, and registered managed investment scheme operators. Boards must approve AI use policies and confirm accountability under the Financial Accountability Regime (FAR). Operators must maintain a model inventory, evidence of pre-deployment testing, and run-time monitoring records. Third-party AI vendor contracts require new diligence on training data, model lineage, and incident notification. Cyber incident response plans must cover prompt injection, model theft, and deepfake-enabled social engineering.

Neither letter is a legislative instrument and neither imposes new obligations beyond the existing prudential and corporations rules. APRA flagged that CPS 230 applies in full to non-significant financial institutions from 1 July 2026 and that AI controls will be tested at that point. The Financial Accountability Regime extends to APRA-regulated insurers and superannuation trustees from 15 March 2025 and to authorised deposit-taking institutions from 14 March 2024. ASIC has flagged further guidance on AI in financial advice. Civil penalty exposure under section 1317G of the Corporations Act applies to identified breaches.

Licentium advises Australian financial services and crypto firms on AI governance, CPS 230 readiness, and ASIC cyber resilience programmes through a partner network. Contact us to discuss AI inventory builds, board policy drafting, or third-party vendor due diligence. Work we undertake includes APRA prudential reviews, FAR accountability mapping, AI risk policy drafting, AFSL compliance audits, cyber incident response planning, and model risk management.

Source: Australian Prudential Regulation Authority, "APRA Letter to Industry on Artificial Intelligence (AI)," 30 April 2026, https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.

AI Regulatory

More from the journal

See all

Ireland Publishes Regulation of Artificial Intelligence Bill 2026 to Implement EU AI Act

On 17 June 2026, the Irish Government published the Regulation of Artificial Intelligence Bill 2026, comprising 139 sections, 10 parts, and 4 schedules. The Bill establishes the domestic enforcement architecture for the EU AI Act in Ireland. It creates Oifig IS na hEireann, the AI Office of Ireland, as an independent statutory body. Sector regulators become Market Surveillance Authorities with enforcement powers, including fines up to 7 percent of global annual turnover.

FCA Publishes Final Cryptoasset Rules Setting UK Regime Effective October 2027

On 30 June 2026, the Financial Conduct Authority published five policy statements (PS26/9 through PS26/13) finalising the UK cryptoasset regulatory regime. The rules cover trading platforms, intermediaries, custodians, stablecoin issuers, and staking providers. Firms must obtain FCA authorisation before the 25 October 2027 go-live date. The authorisation gateway opens in September 2026. The legal basis is the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, passed on 4 February 2026.

Senator Warner Releases Discussion Draft of AI AGENT Act on 29 June 2026

On 29 June 2026, Senator Mark Warner (D-VA) released a discussion draft of the Artificial Intelligence Access, Gatekeeper Exchange, and Nondiscriminatory Transfer Act (AI AGENT Act). The draft would create a Federal Trade Commission registry of vetted AI agents and require agents accessing sensitive user data to act in users' best interests. Large online platforms would face a non-discrimination obligation for AI agent access. NIST would develop open technical standards for agent authentication.