
APRA sharpens oversight, flags tech and geopolitical risks

APRA has intensified its supervision of superannuation trustees, insurers and banks as geopolitical instability, rapid artificial intelligence (AI) adoption and growing complexity in global markets reshape the financial risk environment.

In its latest System Risk Outlook, the prudential regulator said Australia's financial system remained resilient and well positioned to withstand "severe but plausible" shocks. These include a deep global recession, higher funding costs and major operational disruptions.

However, APRA warned heightened uncertainty globally required stronger vigilance and more robust risk management practices across regulated entities.

APRA chair John Lonsdale said strong capital positions, liquidity buffers and prudential safeguards meant the financial system could continue supporting households and businesses even if economic conditions deteriorated.

"Sustaining that resilience, however, will require ongoing investment in strong risk management across the system," Lonsdale said.

APRA identified AI governance, cybersecurity and geopolitical volatility as key areas of supervisory focus, noting AI adoption in banking, insurance and superannuation was accelerating faster than many organisations' ability to manage associated risks.

The regulator said increasingly sophisticated cyber threats, including those enabled by advanced AI models, were adding to operational risk concerns. APRA recently reinforced its expectations around AI governance and risk management in a letter to the industry.

The report also highlighted growing international risk in private credit markets. While Australia's domestic private credit sector remains relatively small, APRA said local institutions could face spillover risks through offshore exposures and interconnected markets.

The heightened focus on operational resilience follows APRA's recent finalisation of targeted amendments to prudential standard CPS 230 Operational Risk Management, which comes into effect on 1 July 2026.

The amendments introduce limited exemptions from certain contractual obligations for arrangements with non-traditional service providers where strict compliance is not practical, including government agencies, payment system operators and financial market infrastructure providers.

APRA said the changes were designed to respond to industry feedback while preserving the core objectives of operational risk management.

Despite the exemptions, the regulator stressed entities remain responsible for actively managing operational risks tied to outsourced third-party service arrangements.

APRA said it would continue assessing how regulated entities are preparing for downside scenarios linked to overseas conflicts, market volatility and technology-driven risks, while pushing further improvements in cyber resilience and governance standards.
