AI governance for Australian insurance, APRA (Australian Prudential Regulation Authority), ASIC (Australian Securities and Investments Commission), and OAIC (Office of the Australian Information Commissioner)
Australian insurers deploy AI across underwriting, pricing, claims processing, fraud detection, customer service, and risk modelling. Three regulators have jurisdiction: APRA (prudential supervision of general and life insurers), ASIC (market conduct and consumer protection), and OAIC (privacy). Each brings distinct requirements that AI governance must satisfy simultaneously.
APRA expectations
CPS 230 (Operational Risk Management, effective 1 July 2025) applies to APRA-regulated insurers. Under it, AI vendors are material service providers subject to contractual and governance requirements. CPS 234 (Information Security) applies to AI systems that process information assets. APRA's 30 April 2026 letter identified four AI governance gaps across all APRA-regulated entities: AI inventory and lifecycle management; identity and access management (IAM) for non-human actors; continuous validation; and board-level AI risk reporting. These expectations apply equally to insurers.
SPS 220 (Risk Management) requires insurers to maintain comprehensive risk management frameworks, which must now address AI risk. SPS 232 (Data Risk Management) applies to data used in AI systems.
ASIC expectations
ASIC REP 798 (2024) assessed AI governance across financial services licensees, including general insurance and life insurance licensees, and found significant gaps. ASIC expects: AI governance frameworks proportionate to risk; consumer outcome testing for AI pricing and claims decisions; disclosure where AI materially affects consumer outcomes; and fair treatment obligations under the Insurance Contracts Act 1984 and the unfair contract terms provisions. The duty of utmost good faith in Section 13 of the Insurance Contracts Act applies to AI-mediated interactions with policyholders.
OAIC and Privacy Act
The Privacy Act ADM transparency obligation (effective 10 December 2026) will require insurers to disclose automated decision-making to individuals. APPs 3, 5, 6, and 11 already apply to AI processing of personal information in insurance. DPIA-equivalent assessments are recommended for high-risk AI deployments. The OAIC has investigated AI-related privacy complaints and can impose penalties.
Insurance-specific AI governance concerns
Pricing algorithms. AI pricing that uses proxy variables for protected attributes (age, disability, or location as a proxy for ethnicity) creates anti-discrimination risk under the Disability Discrimination Act 1992 and other federal and state anti-discrimination legislation, even where insurance exemptions apply.
Claims automation. AI-driven claims assessment must preserve policyholder rights to fair assessment and internal dispute resolution. AFCA (Australian Financial Complaints Authority) can review AI-driven claims decisions.
Fraud detection. AI fraud detection that produces false positives creates wrongful-denial risk and a potential breach of the duty of utmost good faith.
Primary sources: APRA · ASIC · OAIC