ASIC and APRA issue call to action on artificial intelligence

Artificial intelligence (AI) has the potential to deliver significant benefits and opportunities, but rapid advances in AI also carry possible risks for financial services licensees, credit providers and APRA-regulated entities.

It is widely acknowledged that AI has the potential to drive efficiency and productivity gains. It can deliver customised information at a fraction of the original time and cost and spot patterns in data not immediately apparent to human review. This can support the fight against scams, fraud and cyber-attacks. However, AI is also changing the cyber threat landscape more broadly, given the possibility of AI identifying system weaknesses and enabling faster and more sophisticated attacks on IT systems. The use of AI can also raise issues of data security and privacy, introduce bias into decision making and generate superficially plausible (but in fact hallucinatory) outputs. For financial services and credit licensees, use of AI in delivery of services to consumers can generate a wide range of possible conduct-related risks. For prudentially regulated entities, weaknesses in AI strategy can raise operational risk and resiliency issues.

ASIC and APRA have both, in recent weeks, signalled their ongoing regulatory focus on AI and have issued twin calls to action to their regulated entities. Below, we unpack some of the latest statements from the regulators. For further reading on the impact of AI on the financial services industry, read the Mallesons / Sapere co-authored 2025 report commissioned by the Australian Finance Industry Association.

ASIC’s Letter to Industry

In a Letter to Industry dated 8 May 2026, ASIC has urged all licensees and market participants to urgently strengthen cyber resilience in the face of the rapid evolution of the cyber threats posed by frontier AI models in particular.

ASIC emphasises the importance of swift and focused action, saying:

ASIC’s message is straightforward: do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business. We are not calling for panic or reactive overreach. But we are calling for urgency, focus, and accountability.

While ASIC acknowledges that frontier AI models represent a step-change in capability, it emphasises that this does not change the fundamentals of good cyber risk management. ASIC has called for a back-to-basics approach, reinforcing the importance of strong, end-to-end preparedness and drawing the link between cyber resilience and regulated entities’ core licensing obligations.

This echoes ASIC’s statements over the years as to the “principles based” nature of the regulatory regimes that it administers, and the need for these regimes to operate in a “technology neutral” way.

ASIC has provided a list of practical suggestions as to steps for licensees and market participants to take “now”, which include:

  • reassessing and refocusing cyber plans and confirming governance and decision-making frameworks
  • identifying and protecting critical assets and systems, and strengthening cyber security fundamentals
  • actively managing third party risks
  • preparing for incident response
  • using AI for defensive purposes

It has also directed licensees and market participants to table the Letter to Industry at board and risk governance committees, signalling the importance it attaches to ensuring that governance practices keep pace with the evolving cyber threat environment. (For much more detail on this topic, see ASIC’s REP 798, published in October 2024.)

APRA’s Letter to Industry

APRA also issued a Letter to Industry on 30 April 2026, in which it reported its findings on AI adoption and prudential risks. This followed targeted engagement with larger ADIs, insurers and superannuation trustees in late 2025.

APRA observed differing levels of maturity in use of AI, and examples of assurance practices failing to keep pace with the scale, speed and complexity of AI. It also observed an “overreliance on vendor presentations and summaries without sufficient examination of key AI risks”.

APRA has also signalled its expectation for Boards to:

  • maintain AI literacy to enable “effective challenge and oversight” and
  • oversee an AI strategy that aligns with the entity's risk appetite, supported by robust monitoring and reporting (including in relation to third party dependencies).

APRA’s Letter to Industry urges “prompt action” to address gaps in management of risks associated with AI. It outlined a series of steps that it expects regulated entities to take to manage risks associated with AI, including:

  • assessing the implications of AI for operational resilience and business continuity, with credible fallback processes being put in place to support critical operations
  • effective security controls and robust security testing
  • consistent governance arrangements, including “human involvement for high-risk decisions and accountability”
  • measures to manage third party and supplier risks, including active management of concentration risk
  • a range of assurance measures, including second line risk and continuous and proportionate monitoring

Like ASIC, APRA referred to its “principles based” prudential framework, which it describes as “technology and vendor agnostic”. APRA has signalled that it is continuing to develop its forward plan regarding supervision of AI risks, and is considering whether further APRA policy action may be needed.

Current legal and regulatory tools

The rapid advancement and adoption of AI can engage a broad range of existing legal and regulatory obligations. Many of these, such as privacy laws, directors’ duties and corporate governance obligations, apply to companies generally and are not specific to entities regulated by ASIC or APRA. However, ASIC and APRA have additional legal and regulatory tools at their disposal in relation to their regulated entities, which may be engaged by use of AI or associated cyber risks. You can read more of our insights into AI, governance, data and privacy issues here.

For ASIC, the core licensing obligations remain a key touchpoint.

In terms of AI adoption, where AI replaces or augments human oversight, questions may arise as to whether licensees have adequate risk management systems, and adequate technological and human resources, in respect of licensed activities. In this respect, there are parallels between use of AI and any other major “outsourcing” arrangement which touches on provision of credit or financial services.

In terms of cyber risk, standards such as “efficiently, honestly and fairly” (EHF) have provided fertile ground for recent claims by ASIC including as a basis for action against licensees in relation to cyber-related issues. ASIC’s recent successful cyber-security related enforcement actions against FIIG and RI Advice are two examples of cases where cyber-related incidents have led to findings (where liability was admitted) of breach of EHF and other general licensing obligations. You can listen to our EHF experts unpack the standards’ recent application here.

The use of AI to generate “advice” to consumers also raises possible regulatory risks. So too does the use of AI to provide other consumer-facing communications, or in processes which otherwise influence the licensee’s decision-making process in dealings with consumers in relation to credit or financial products.

Possible pitfalls may include the risk of unfairly biased or discriminatory treatment of consumers (again, potentially supporting arguments as to breach of EHF obligations, or perhaps even unconscionable conduct), or AI “hallucinations” amounting to misleading or deceptive conduct. AI related vulnerabilities also have the potential to heighten the risk of exposure to scams, and should be assessed as part of licensees’ obligations in relation to scam prevention. On the other hand, it remains to be seen whether regulators will expect AI to be harnessed in scam prevention, where this is suggested by a licensee’s reasonable steps obligations under the Scam Prevention Framework. You can read our deep dive into the Scam Prevention Framework here.

For APRA-regulated entities, the use of AI raises a suite of other regulatory considerations.

Failings associated with cyber security or use of AI could provide the grounds for an allegation of breach of general conduct obligations on accountable entities and accountable persons under FAR. Consider, for example, the FAR obligations to take reasonable steps to prevent matters from arising that would “adversely affect the prudential standing or prudential reputation of the accountable entity”. For further governance insights, see Mallesons’ Governance Hub.

Cyber or AI vulnerabilities could also support the exercise of APRA’s general powers under the industry-specific legislation that it administers. For example, matters posing risk to depositors could, if sufficiently serious, support the use of enforcement powers under the Banking Act. Such matters could also give rise to breaches of various prudential standards.

Use of AI and cyber-related vulnerabilities clearly fall within the domain of “non-financial risk”, which has been a key focus of APRA, particularly in the context of CPS 230 (Operational Risk). As highlighted by the references in APRA’s Letter to Industry to third party supplier risk and protection of critical operations, APRA continues to emphasise that CPS 230 applies to risks arising from the use of AI as with any other material operational risk. APRA-regulated entities will also need to continue to demonstrate compliance with CPS 234 (Information Security) in the context of the changing cyber threat landscape, in addition to other general prudential standards such as CPS 220 (Risk Management).

With the current suite of powers at their disposal, ASIC and APRA are already well equipped to take enforcement action in relation to AI and cyber related issues. It is evident from both regulators’ latest remarks to industry that existing core obligations apply at a principles based level to the latest developments in AI. However, we expect the regulators to continue to actively monitor this space to assess whether additional changes to policy settings, or further powers, are needed to provide for adequate supervision.

How we can help

Mallesons’ multidisciplinary financial services team, in collaboration with our tech and data team, is well placed to support clients navigating the AI landscape. Our regulatory, technology, governance and disputes experts are working at the forefront of developments in this space.

We would be delighted to discuss these developments with you.
