APRA, ASIC and AI: Navigating Regulatory Expectations in Australian Financial Services

Australian financial services is the industry where AI governance obligations are most mature, most specific, and most immediately enforceable. APRA and ASIC have both moved beyond general statements about responsible AI into guidance that creates real expectations for regulated entities. For financial services firms, understanding these expectations isn't optional — it's a fundamental part of operating a compliant business.

APRA's Approach: Operational Resilience and Third-Party Risk

APRA's CPS 230, which came into full effect in 2025, is the most significant operational resilience standard ever issued in Australia. While not AI-specific, it has profound implications for how APRA-regulated entities (banks, insurers, superannuation funds) can use AI. The standard requires entities to identify and manage material service providers — a category that increasingly includes AI vendors. If an AI system is material to your operations, APRA expects you to have conducted due diligence on that vendor, have contractual protections in place, and have a plan for what happens if that AI system fails.

APRA has also been clear through supervisory activity that it expects boards and senior management to understand the AI systems their entities use — not just at a conceptual level, but including the specific risks those systems create. The 'black box' defence — 'we use the vendor's AI, we don't know exactly how it works' — is not consistent with CPS 230's requirements for operational risk management.

ASIC's Focus: Market Conduct and Consumer Outcomes

ASIC's AI concerns are concentrated on market conduct and consumer protection. The regulator has been increasingly focused on AI used in financial advice (both personal and general), credit decisions, insurance underwriting and claims, and product design and distribution. ASIC has signalled that the existing obligations under AFSL licensing — to act efficiently, honestly, and fairly — apply fully to AI-assisted processes. An AI system that produces systematically biased financial advice, or that makes discriminatory credit decisions, creates conduct risk for the licensee — not just for the AI vendor.

The Design and Distribution Obligations (DDO) framework adds another layer. Financial product issuers and distributors are already required to ensure their products reach the right consumers. When AI is used to personalise product recommendations or target marketing, the DDO obligations extend to ensuring the AI isn't systematically directing unsuitable products at vulnerable consumers.

What Regulated Entities Should Have in Place

A defensible AI governance framework for a financial services firm operating in 2026 should include: an AI inventory that documents every AI system used, its purpose, the vendor, and how it influences customer or market outcomes; a material service provider assessment under CPS 230 for any AI system that is material to operations; explainability documentation for AI used in credit, advice, or underwriting decisions, sufficient for both internal review and potential regulatory examination; a monitoring regime that detects when AI outputs drift from expected behaviour or produce discriminatory outcomes; and clear board-level accountability for AI risk, with senior management oversight of AI systems designated in the accountability map.

Financial services is where Australia's AI governance standards are most developed and most enforced. For firms in this sector, the question isn't whether to have an AI governance framework — it's whether the one you have is adequate. For firms in other sectors, financial services regulation is the clearest preview of where AI governance obligations are heading across the economy.