The Australian Prudential Regulation Authority (APRA) issued a letter to industry on artificial intelligence on 30 April 2026. The letter is supervisory guidance to all APRA-regulated entities. It is not a new prudential standard. APRA based the letter on a targeted thematic review of selected large banks, insurers, and superannuation trustees conducted in late 2025. APRA expects entities to act on the letter immediately.
The letter draws on the existing APRA prudential standards CPS 220 (Risk Management), CPS 230 (Operational Risk Management), CPS 234 (Information Security), and the operational resilience expectations under CPS 230 effective 1 July 2025. APRA names four weakness areas. First, governance. Boards and senior management often treat AI as another technology system, missing model behaviour, bias risk, and ethical implications. Second, cyber security. AI adoption widens the attack surface and increases attack frequency. Third, supplier risk. Many entities depend on a single AI provider for multiple use cases without mapping third-party and fourth-party concentration. Fourth, assurance. Sample-based, point-in-time audits do not fit probabilistic AI models. Internal audit functions lack specialist AI skills. APRA will escalate to supervisory and, where appropriate, enforcement action where weaknesses persist.
Authorised deposit-taking institutions, life and general insurers, private health insurers, and registrable superannuation entities must align AI governance with CPS 220 and CPS 230. AI vendors selling to APRA-regulated entities face downstream contract pressure on supply chain transparency, exit rights, and concentration disclosure. Internal audit and risk teams must invest in AI-specific assurance capability. Boards and accountable persons under the Financial Accountability Regime carry direct responsibility for AI risk oversight. Cloud and foundation model providers selling to Australian financial institutions must support customer concentration mapping under CPS 230.
The letter sets no fixed deadline for remediation. APRA signals it will probe AI risk through ordinary supervisory engagements and the next round of CPS 230 reviews. There is no transitional period and no safe harbour. Expectations for smaller entities are scaled proportionately to their size and complexity. The letter does not displace concurrent obligations under the Privacy Act 1988 or the Australian Consumer Law, which the OAIC and the ACCC continue to enforce.
Licentium advises Australian financial institutions, AI vendors selling into APRA-regulated customers, and Boards on AI governance uplift, working with a partner network of Australian financial services counsel. Work we undertake includes CPS 220 and CPS 230 alignment, AI risk taxonomy design, third-party concentration mapping, AI internal audit programs, Board paper drafting, model risk governance, and accountable person documentation. Contact us for an APRA readiness scope.
Source: Australian Prudential Regulation Authority, Letter to industry on Artificial Intelligence (AI), 30 April 2026, https://www.apra.gov.au/apra-letter-to-industry-on-artificial-intelligence-ai
The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.