Compliance training solutions and CPD courses for banking and financial workplaces.

The Australian Prudential Regulation Authority (APRA) has called for a step-change in how banks, insurers and superannuation trustees manage AI-related risks as the technology continues to rapidly evolve.

In a letter to industry published today, APRA warned that governance, risk management, assurance and operational resilience practices are not keeping pace with the scale, speed, and complexity of AI adoption.

The letter outlines the findings of a targeted supervisory review APRA undertook late last year across all its regulated industries examining how AI was being deployed and governed. The review noted that the expanded use of advanced AI is introducing a range of new financial and operational vulnerabilities for entities, but that information security practices are struggling to keep up with the pace of change.

It also warns that frontier AI models such as Anthropic’s Claude Mythos, which could enhance the discovery of vulnerabilities by bad actors, are expected to further increase the probability, speed and scale of cyber attacks.

Other key observations include:

• AI use is accelerating across all APRA-regulated industries with entities moving from experimentation towards more operationally embedded and customer-facing applications. However, governance arrangements have not matured at the same pace.
• Boards have strong interest for AI’s potential benefits but many lack the technical literacy required to provide effective challenge to management on AI related risks and oversight.
• Heightened concentration risk was noted with some entities heavily dependent on a single provider for multiple AI use cases and gaps in contingency planning.
• AI functionality is often embedded within broader software platforms or developer tooling, reducing transparency over where and how models are trained, updated or constrained and limiting entities’ ability to completely assess and manage risks.
• AI risks can cut across multiple domains, such as operational resilience, cyber and information security, privacy and procurement. Existing change and assurance management approaches are often fragmented and may not effectively provide sufficient assurance for AI.

APRA Member Therese McCarthy Hockey said regulated entities needed to constantly adjust cyber practices to lift resilience and protect assets in a fast-moving threat environment.

“The AI revolution presents tremendous opportunities for banks, insurers and superannuation trustees to deliver improved efficiency and enhanced customer services. We are already beginning to see these benefits materialise. But we cannot be blind to the risks of such powerful technology – whether in our own hands or the hands of those with malign intent.

“What we’ve observed from our supervisory engagement is that while AI adoption is continuing apace, the systems and processes required to safely govern its use aren’t keeping up. Likewise, the speed at which entities can identify and patch vulnerabilities needs to operate much faster, commensurate with the AI-accelerated threat.

“The findings outlined in today’s letter emphasise our expectations for how entities should be managing these risks in alignment with our prudential standards in areas such as information security, operational risk management, governance and data risk.

“While we are not proposing to introduce additional requirements at this stage, we expect to see a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it.

“In the meantime, APRA will continue engaging with government agencies, entities and peer regulators, domestically and overseas, to assess the implications of these technological advancements to ensure the ongoing safety and resilience of the financial system.”

Today’s letter to industry is available on the APRA website at: APRA Letter to Industry on Artificial Intelligence (AI).

The Australian Prudential Regulation Authority (APRA) has finalised targeted amendments to prudential standard CPS 230 Operational Risk Management, prudential practice guide CPG 230, and the corresponding Material Service Provider Register template.

The amendments introduce limited exemptions from specific contractual requirements in CPS 230 for material arrangements with certain categories of non-traditional service providers (NTSPs), like central banks and clearing and settlement facilities, where contractual compliance is not practicable.

Developed in response to industry feedback, these changes aim to provide targeted, administratively efficient solutions for regulated entities that maintain material arrangements with NTSPs, while preserving the core objectives of operational risk management.

The amendments will come into effect on 1 July 2026. The full letter to industry and the detailed changes are available on the APRA website at: Operational risk management

ASIC and the Australian Accounting Standards Board (AASB) will host a series of free in-person workshops in May to help companies prepare for the new mandatory sustainability reporting requirements.

The workshops provide a practical starting point for smaller and mid-size companies at the start of their sustainability reporting journey, particularly those preparing to commence reporting for financial years commencing on or after 1 July 2026.

They will be most relevant for preparers, finance teams and directors of entities.

This follows the release of ASIC’s Sustainability reporting educational modules on the core concepts underpinning the sustainability reporting requirements.

The requirements are part of ASIC’s efforts to support report preparers and advisors to build their understanding of sustainability concepts and to improve investor decision making.

Workshops will be held across Melbourne, Brisbane, Sydney and Perth, and will be delivered by the University of Technology Sydney (UTS).

To attend a workshop, please register your interest by clicking on the relevant link below.

Event details:

More information about the modules and workshops is available on ASIC’s website:

• ASIC and AASB team up to help smaller companies get ready for sustainability reporting (news item)
• Sustainability reporting educational modules.

Over the last two months, the following enforcement outcomes were recorded:

Federal Court dismisses ASIC’s continuous disclosure case against Nuix

The Federal Court has dismissed ASIC’s case against intelligence software provider, Nuix Limited (Nuix).

The Court found Nuix did not breach its continuous disclosure obligations and did not mislead investors when reaffirming its financial forecasts in early 2021, following its initial public offering (IPO) in December 2020.

The Court also dismissed ASIC’s claims against the Nuix board for alleged breaches of their directors’ duties by failing to take reasonable steps to prevent Nuix from making misleading statements and breaching its continuous disclosure obligations.

For further detail and the judgment read the media release.

Former Big Un chief executive officer pleads guilty in insider trading case

Richard Evans (formerly Evertz), the former chief executive officer of collapsed ASX-listed technology company Big Un Limited (Big Un), has pleaded guilty to one charge of communicating inside information in the Sydney District Court.

Mr Evans communicated inside information about Big Un to a shareholder around 10 January 2017, when he ought reasonably to have known the shareholder would be likely to trade Big Un shares and options.

The trial has been vacated with a sentencing hearing set down for 21 August 2026.

The matter is being prosecuted by the Office of the Director of Public Prosecutions (Cth) (CDPP) following a referral from ASIC.

Since 2009, 46 people have been criminally convicted of insider trading following ASIC investigations, including senior executives and company chairs.

Read the supporting media release.

Binance Australia Derivatives ordered to pay $10 million penalty for onboarding failures

The Federal Court ordered Oztures Trading Pty Ltd (trading as Binance Australia Derivatives) (Binance) to pay a $10 million pecuniary penalty after misclassifying more than 85% of its Australian client base over a nine-month period, resulting in more than $12 million in losses and fees.

Binance is part of the Binance Group, the operator of the world’s largest digital crypto exchange by trading volume.

In a Statement of Agreed Facts, Binance admitted it exposed 524 retail investors to high-risk crypto derivative products without the required consumer protections between July 2022 to April 2023, due to their misclassification as wholesale clients.

The penalty comes in addition to approximately $13.1 million in compensation paid to the affected clients, which ASIC oversaw in 2023 (23-298MR).

Read the accompanying media release.

Supreme Court orders Macquarie Securities to pay $35 million penalty in short sale misreporting case

In March, the New South Wales Supreme Court ordered Macquarie Securities (Australia) Limited (MSAL) to pay a $35 million penalty for multiple systems-related failures that caused the misreporting of tens of millions of short sales over several years.

The Court also found that MSAL engaged in misleading conduct in relation to its misreporting.

MSAL failed to correctly report at least 73 million short sales between 11 December 2009 and 14 February 2024. It is estimated that between 298 million and 1.5 billion short sales were misreported during that period.

Short sale data plays a critical role in informing investors, regulators and governments about market sentiment and potential investment risks.

For further detail on the case and the Court’s orders, read the media release.

Clearing entities should familiarise themselves with ASIC’s remade over-the-counter (OTC) derivative clearing rules. While the changes are minor, the updated rules now apply.

ASIC has remade the ASIC Derivative Transaction Rules (Clearing), replacing the 2015 Clearing Rules, with a new 2026 version with only minor updates; ASIC Derivative Transaction Rules (Clearing) 2026 (2026 Clearing Rules). Minor amendments have also been made to the ASIC Derivative Trade Repository Rules 2023 (DTRRs).

The remade rules continue to support Australia’s central clearing framework for certain OTC interest rate derivative transactions and are largely unchanged from the existing settings.

The remake follows consultation under Simple Consultation 33 Proposed remake of the ASIC Derivative Transaction Rules (Clearing) 2015 (CS 33), and focuses on keeping the rules current and fit for purpose. Most changes are administrative in nature and do not alter existing clearing obligations or introduce new compliance requirements for clearing entities.

One small policy refinement has been made. An existing exception for clearing derivatives has been extended so it now applies to all post‑trade risk-reduction exercises, rather than being limited to multilateral portfolio compression activities. This change provides greater clarity and consistency for participants using these risk‑reducing processes.

ASIC has also made a related amendment to ASIC Derivative Trade Repository Rules (Amendment) Instrument 2026/52 (Instrument 2026/52). This update makes minor consequential changes to references and definitions to reflect amendments to the Corporations Act 2001 following amendments made by the Treasury Laws Amendment (2023 Law Improvement Package No. 1) Act 2023.

For more information about the 2026 Clearing Rules, read the Explanatory Statement and visit ASIC’s central clearing of OTC derivatives webpage.

Further information about the DTRRs is available in the Explanatory Statement to Instrument 2026/52 and on ASIC’s derivative trade repositories webpage.

The Australian Prudential Regulation Authority (APRA) has released a consultation package on the transition of life insurance data collections from Direct to APRA (D2A) to APRA Connect. APRA proposes to update the reporting standards to ensure consistency with other collections in APRA Connect.

Written submissions are due by 3 July 2026.

The consultation package and the letter to industry can be viewed on APRA’s website at:

• Letter to Industry
• Consultation page

eSafety and the Office of the Australian Information Commissioner (OAIC) will work together under a new agreement to jointly ensure Australians’ privacy and safety online.

A Memorandum of Understanding (MOU) between the two regulators builds on existing collaboration, reflecting the imperative for coordinated regulatory responses to a growing number of issues where privacy and online safety intersect.

That includes age assurance requirements that are now mandatory under Australia’s online industry codes and standards– external site – designed to protect children from abuse and harmful or age-inappropriate material – and ensuring age-restricted platforms comply with their Social Media Minimum Age obligations.

eSafety Commissioner Julie Inman Grant said the MOU would promote cohesive regulatory efforts to help keep Australians safe online, including formalising communication pathways between regulators on issues where privacy and online safety intersect.

“Both regulators have always recognised that combatting certain harms requires privacy and safety to go hand in hand. For example, at eSafety we knew from the outset our implementation of the Social Media Minimum Age would need to recognise important rights, including the right to privacy,” Ms Inman Grant said.

“Our commitment to continue working collaboratively with the OAIC gives formal recognition to that principle and sets out how we will balance and promote privacy and safety for everyone.

“It comes at an important time, when the proliferation of new technologies like artificial intelligence is amplifying risks and we are increasingly requiring industry to deploy age-assurance technologies that meet their regulatory obligations and respect privacy in the Australian context,” Ms Inman Grant said.

Australian Information Commissioner Elizabeth Tydd said the MOU will advance the work led by the Privacy Commissioner, Carly Kind and assist the OAIC in monitoring and responding to emerging online privacy risks, and to deliver on both agencies’ statutory functions as set out in the Online Safety Act.

“This Memorandum of Understanding is a testament to the power of collaboration between our two agencies,” Ms Tydd said.

“By sharing information and expertise, we amplify our ability to address privacy and safety challenges in the digital landscape.

“With this memorandum, we’re not only formalising cooperation, but building a foundation where privacy protections and online safety initiatives can better address specific harms side by side, ensuring Australians can be protected when interacting online.”

Find our more about the Memorandum of Understanding (MOU).

Government released draft legislation to regulate the cash distribution sector to ensure it continues to serve the needs of Australians.

This is about strengthening the cash distribution system, which is essential for the many Australians and businesses that rely on cash.

It builds on our changes that make it mandatory for fuel and grocery retailers to accept cash, so Australians can continue to pay cash for essentials if they want to.

Although digital payments continue to grow, cash remains critical, especially for regional communities, and plays a vital role during emergencies and outages.

As cash use declines, the sector has become more concentrated and costly to operate. A regulatory framework is needed to ensure the system continues to operate in the public interest.

Data released this week by the Reserve Bank shows that around 15 per cent of in‑person payments are made in cash, and around half of Australians use cash each week.

The cash distribution framework will establish:

• a mechanism for the ACCC to oversee these critical services through fair, reasonable and transparent standard terms, and service‑level standards that support access to cash for all Australians
• crisis preparedness and resolution powers to protect continuity of critical services
• requirements for designated providers to negotiate with customers in good faith.

The framework is designed to support access to cash nationwide, promote fair and transparent commercial arrangements, and strengthen the resilience of a system that remains essential for many Australians.

The draft legislation has been informed by recommendations from the Council of Financial Regulators and the Australian Competition and Consumer Commission. Their report, following public consultation in 2025, is available on the CFR website.

The Government invites submissions on the exposure draft legislation, available on the Treasury website with consultation closing on 13 May 2026.