AIRiskAware


Australia 12 min read 2026

APRA and ASIC: What Australian Financial Services Firms Need to Know About AI Regulation

Australian banks, insurers, and superannuation funds face AI governance expectations from two powerful regulators simultaneously. APRA's operational risk prudential standards and ASIC's responsible lending and market conduct obligations apply to AI in ways that many compliance teams haven't fully mapped.


Key Takeaways

  • APRA's CPS 230 (operational risk management) directly applies to AI systems used in material business activities of APRA-regulated entities — banks, insurers, superannuation funds.

  • ASIC has explicitly stated that responsible lending, best interests duty, and anti-hawking obligations apply to AI-driven customer interactions and decision systems. RG 271 (IDR) has AI-specific implications.

  • The Robodebt Royal Commission findings, while focused on government, have materially changed how Australian regulators approach automated decision-making in any sector that affects individual rights.

  • APRA-regulated entities should assess AI against CPS 230, CPG 234, and CPS 220 concurrently — different AI applications may engage different prudential standards.

  • Model risk management frameworks developed for statistical models (analogous to SR 11-7 in the US) are now expected to cover machine learning models. Many existing MRM frameworks have significant gaps when applied to AI/ML.

"For information only. This article does not constitute legal, regulatory, financial or professional advice. For guidance on a specific situation, consult a qualified professional."

The dual regulator challenge for Australian financial services AI

Australian banks, insurers, and superannuation funds operate under a dual regulatory architecture that creates layered AI governance obligations. APRA regulates prudential soundness — the financial and operational resilience of regulated entities. ASIC regulates market conduct — how entities treat customers, manage conflicts, and represent their products and services. Both regulators have existing powers that apply to AI, and both have signalled expectations that AI governance should be integrated into entity governance frameworks, not treated as a separate technology matter.

APRA's AI governance expectations

CPS 230 — Operational Risk Management: APRA's operational risk management standard, which commenced on 1 July 2025, directly applies to AI systems that support an entity's critical operations. CPS 230 requires that entities identify, assess, and manage the operational risks associated with their technology, AI included: maintain controls commensurate with those risks, maintain and test business continuity plans for critical operations, and manage material service providers. That last obligation reaches AI vendors and model providers where the entity relies on them for a critical operation.

CPG 234 — Information Security: APRA's information security prudential practice guide (which accompanies the CPS 234 standard) applies to AI systems as information technology. The standard's requirements, and the guidance's expectations, on information asset identification and classification, access controls, incident management, and third-party assessments all have direct application to AI systems. A trained model, its training data, and its serving pipeline are information assets and should be classified and protected as such under CPS 234 and CPG 234.

CPS 220 — Risk Management: APRA's risk management standard requires that entities have a comprehensive risk management framework covering all material risks, including emerging risks. AI risk is an emerging risk that APRA expects to see identified, assessed, and managed in entity risk frameworks. Board and senior management accountability for AI risk flows from CPS 220's accountability requirements.

Model risk management: APRA's supervisory focus on model risk has extended from traditional statistical models to AI/ML models. APRA expects that existing model risk management frameworks — validation, documentation, monitoring, and escalation — apply to machine learning models. Most existing MRM frameworks have significant gaps when applied to the interpretability and distribution drift challenges that machine learning models present.

ASIC's AI conduct expectations

Responsible lending obligations: AI-driven credit assessment, document verification, and loan decisioning must comply with the responsible lending obligations in the National Consumer Credit Protection Act. ASIC has made clear that the use of AI does not alter the substance of these obligations — lenders remain responsible for reasonable inquiries and verification regardless of whether the process is automated.

Best interests duty (financial advice): AI-assisted financial advice, and advice-adjacent digital tools, must comply with the best interests duty in the Corporations Act. ASIC's guidance on digital advice (RG 255) makes clear that the duty applies regardless of the degree of automation.

RG 271 — Internal Dispute Resolution: ASIC's IDR regulatory guide requires that complaints about AI-driven decisions be handled in the same way as complaints about human decisions. An organisation cannot rely on automation as a basis for denying a complainant access to the IDR process, and the IDR response to an adverse automated decision must give reasons of the same quality that would be required for a human decision.

The Robodebt effect on Australian AI governance

The Robodebt Royal Commission findings have had a material effect on how Australian regulators — including APRA and ASIC — approach automated decision-making. The finding that automated systems can produce systematically unlawful outcomes at scale, and that organisations can fail to recognise or respond to those outcomes, has created a heightened sensitivity among Australian regulators to AI governance failures. This is observable in APRA's increasing focus on AI in supervisory conversations and ASIC's explicit statements about AI and conduct obligations.