APRA Urges Finance Sector to Sharpen AI Risk Oversight
APRA called on banks, insurers, and superannuation trustees to urgently improve AI risk governance.
Why it matters: Financial institutions face accelerating regulatory expectations as AI moves from experimentation to core operations. Legal and compliance teams must revisit oversight, board literacy, and supplier management to meet looming standards.
- APRA issued an industry-wide letter on 30 April 2026 urging a 'step change' in AI risk controls.
- The regulator found governance and oversight lacking as AI rollout expands across customer-facing and operational functions.
- Boards often lack the technical literacy to effectively challenge and supervise AI use.
- Concentration risk and insufficient third-party contingency plans pose growing threats.
The Australian Prudential Regulation Authority (APRA) has issued an urgent call for banks, insurers, and superannuation trustees to bolster AI-related risk management and governance. In its 30 April 2026 industry letter, APRA warned that the rapid pace of AI adoption is outstripping the finance sector’s current controls and oversight capabilities.
- APRA’s late 2025 review found significant gaps: many boards lack the technical expertise to oversee AI effectively, and risk frameworks are not keeping pace with AI’s operational complexity or its growing presence in customer services.
- The regulator highlighted "heightened concentration risk," with some institutions relying on a single provider for multiple AI solutions and lacking robust contingency planning for vendor outages or failures.
- Key risk areas include operational resilience, cybersecurity, privacy, and procurement—AI introduces new vulnerabilities and amplifies existing ones, according to APRA.
“We are already beginning to see these benefits materialise. But we cannot be blind to the risks of such powerful technology – whether in our own hands or the hands of those with malign intent,” APRA Member Therese McCarthy Hockey reminded the sector.
While APRA has stopped short of new formal requirements, its letter sets out clear expectations. Boards are expected to build sufficient AI literacy and to actively challenge and oversee management’s approach. Institutions must strengthen governance frameworks, supplier mapping, and information security measures, adopting global standards for assurance.
Legal and compliance officers should note APRA’s emphasis on integrated, cross-domain controls, and on maintaining visibility over the full AI supply chain—including dependencies on third- and fourth-party providers.
"We expect to see a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it," McCarthy Hockey cautioned.
By the numbers:
- $9.8 trillion — assets held by APRA-regulated institutions for Australians
- 30 April 2026 — date APRA issued its industry-wide AI governance call