AI governance for banks, insurers, and wealth firms under APRA, ASIC, and FAR.
ASIC reviewed 624 AI use cases across 23 licensees and found governance gaps at nearly every organisation. With APRA CPS 230 now in force and the Financial Accountability Regime imposing personal liability on executives, the work to close those gaps cannot wait.
What a financial services engagement delivers.
Full engagement methodology
Model inventory & risk tiering
A documented register of every AI and machine learning model across credit, fraud, AML, and pricing, risk-tiered by materiality and customer impact.
CPS 230 controls mapped
Operational risk controls, material service provider register entries, and business continuity arrangements aligned to the standard.
FAR accountability statements
AI accountability mapped to named accountable persons, with the reasonable-steps evidence the regime expects.
REP 798 evidence pack
Documented answers to ASIC's 11 self-assessment questions, sized for board, internal audit, or regulator review.
Four pressures already on the financial services board agenda.
AI adoption in financial services is outpacing governance maturity. ASIC, APRA, and the Australian Government have converged on explicit regulatory expectations, and the consequences for organisations that fall behind range from enforcement action to personal liability for executives.
01 In force
APRA CPS 230 treats AI as operational risk.
APRA CPS 230 requires regulated entities to identify, assess, and manage operational risks, including those introduced by AI systems. Material AI service providers must be registered, monitored, and subject to contractual protections. Fourth-party risk from AI supply chains is now in scope. Organisations that rely on third-party AI for critical operations must demonstrate resilience under this standard.
Build a CPS 230-aligned framework
02 Published Oct 2024
ASIC REP 798 exposed governance gaps across the sector.
ASIC's "Beware the Gap" report reviewed 624 AI use cases across 23 AFS and credit licensees. Nearly half lacked fairness and bias policies. Generative AI governance was less mature than oversight of predictive AI. ASIC published 11 self-assessment questions that every licensee should now be prepared to answer, and inadequate due diligence on third-party AI vendors was identified as a sector-wide weakness.
Close the REP 798 gap
03 In force
The Financial Accountability Regime makes AI personal.
FAR creates personal liability for directors and senior executives at ADIs, insurers, and superannuation trustees, with penalties up to $1.565 million for individuals and $210 million for corporations. AI governance failures that harm customers or create systemic risk trigger FAR accountability. Accountable persons must demonstrate they took reasonable steps to ensure AI systems operate appropriately, with accountability mapped to each material use case.
Map FAR accountability for AI
04 Dec 2026
Privacy Act ADM transparency reaches financial decisions.
From 10 December 2026, APP entities that use automated decision-making in decisions affecting individuals must disclose in their privacy policy the kinds of personal information used and the kinds of decisions made. For financial services, that captures credit decisioning, fraud flags, pricing, and underwriting. CDR obligations add governance requirements for how AI systems access and use customer banking data.
Prepare for the December 2026 deadline
The AI use cases regulators look at first.
ASIC catalogued 624 use cases across just 23 licensees. Each application carries specific governance requirements tied to compliance obligations, consumer fairness, and risk management standards.
Each subsector carries a distinct governance load.
Banking, insurance, wealth management, and superannuation each face overlapping but distinct prudential, conduct, and licensing obligations. Engagements are scoped against the obligations that apply to your licence.
Banking & ADIs
APRA · ASIC · AUSTRAC
Australian banks are among the most advanced AI adopters globally, with models deployed across credit decisioning, fraud detection, customer service, and AML. CPS 230 compliance is immediate, FAR personal liability is in effect, and CDR obligations apply for AI systems accessing Open Banking data. Model risk frameworks must address credit decision explainability under consumer credit laws, real-time fraud detection governance, and AML model validation requirements.
Insurance
APRA · ASIC · GICOP
Australian insurers are deploying AI across claims processing, underwriting automation, fraud detection, and catastrophe response. FAR extended to insurers from March 2025, and 88% of auto insurers are using or exploring AI models. Governance has to address algorithmic bias in claims outcomes, proxy variable analysis in underwriting, and human-in-the-loop requirements for claims decisions. See the insurance page for the full pattern.
Wealth management
AFSL · Best interests
Wealth firms using AI for portfolio construction, client segmentation, and advisory services face AFSL obligations that shape how models can be deployed. The boundary between general and personal advice is the critical governance concern. Engagements address AFSL requirements, conflicts of interest, and client best interests obligations for AI-driven recommendation engines and investment model validation.
Superannuation
SPS 530 · SIS Act
Australian super funds are scaling AI integration for member services, investment management, and compliance operations. FAR extended to superannuation trustees from March 2025. SPS 530 investment governance, member best interests duty, robo-advice boundaries, and long-horizon investment model validation define the engagement scope. See the superannuation page for the full treatment.
Tracks built for APRA-regulated entities.
Three tracks sized for financial services, each tied to a documented evidence pack. Engagements typically run six to twelve weeks with phased milestones so the business sees value early.
Track A
Governance & strategy
Operating models, committee structures, FAR accountability mapping, and board reporting. Designed around APRA prudential standards and ASIC conduct obligations.
Track B
Risk & assurance
CPS 230-aligned risk taxonomies, REP 798 gap analysis, independent model validation, and material service provider register support for AI vendors.
Track C
Compliance & advisory
Ongoing alignment with APRA, ASIC, AUSTRAC, and the OAIC. Board education on FAR, EU AI Act readiness for offshore operations, and standing advisory support.
Start with the calculator. Then map your obligations.
The AI Risk Calculator gives you a baseline view against EU AI Act and ISO 42001 lenses in under five minutes. From there we can map your AI inventory against APRA CPS 230, ASIC REP 798, FAR, and the Privacy Act, and outline the work needed to close any gaps.