APRA letter to industry on AI risk management and governance, 30 April 2026

On 30 April 2026 the Australian Prudential Regulation Authority issued a letter to all regulated entities setting expectations on AI risk management. The letter follows a targeted thematic review of selected large banks, insurers, and superannuation trustees in late 2025. APRA names four weak areas: governance, cyber security, supplier risk, and assurance. Where entities fail, APRA will escalate to supervisory and enforcement action.

The Australian Prudential Regulation Authority (APRA) issued a letter to industry on artificial intelligence on 30 April 2026. The letter is supervisory guidance to all APRA-regulated entities. It is not a new prudential standard. APRA based the letter on a targeted thematic review of selected large banks, insurers, and superannuation trustees conducted in late 2025. APRA expects entities to act on the letter immediately.

The letter draws on the existing APRA prudential standards CPS 220 (Risk Management), CPS 230 (Operational Risk Management), CPS 234 (Information Security), and the operational resilience expectations under CPS 230 effective 1 July 2025. APRA names four weakness areas. First, governance. Boards and senior management often treat AI as another technology system, missing model behaviour, bias risk, and ethical implications. Second, cyber security. AI adoption widens the attack surface and increases attack frequency. Third, supplier risk. Many entities depend on a single AI provider for multiple use cases without mapping third-party and fourth-party concentration. Fourth, assurance. Sample-based, point-in-time audits do not fit probabilistic AI models. Internal audit functions lack specialist AI skills. APRA will escalate to supervisory and, where appropriate, enforcement action where weaknesses persist.

Authorised deposit-taking institutions, life and general insurers, private health insurers, and registrable superannuation entities must align AI governance with CPS 220 and CPS 230. AI vendors selling to APRA-regulated entities face downstream contract pressure on supply chain transparency, exit rights, and concentration disclosure. Internal audit and risk teams must invest in AI-specific assurance capability. Boards and accountable persons under the Financial Accountability Regime carry direct responsibility for AI risk oversight. Cloud and foundation model providers selling to Australian financial institutions must support customer concentration mapping under CPS 230.

The letter sets no fixed deadline for remediation. APRA signals it will probe AI risk through ordinary supervisory engagements and the next round of CPS 230 reviews. There is no transitional period and no safe harbour. Expectations for smaller entities are scaled proportionately to their size and complexity. The letter does not displace concurrent obligations under the Privacy Act 1988 or the Australian Consumer Law, which the OAIC and the ACCC continue to enforce.

Licentium advises Australian financial institutions, AI vendors selling into APRA-regulated customers, and Boards on AI governance uplift, working with a partner network of Australian financial services counsel. Work we undertake includes CPS 220 and CPS 230 alignment, AI risk taxonomy design, third-party concentration mapping, AI internal audit programs, Board paper drafting, model risk governance, and accountable person documentation. Contact us for an APRA readiness scope.

Source: Australian Prudential Regulation Authority, Letter to industry on Artificial Intelligence (AI), 30 April 2026, https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.