ASIC and APRA Just Fired a Warning Shot on AI Risk. Here's What Finance Teams Need to Understand.

14 May 2026  |  By Timothy, CPA — Managing Director, Professional Financelink (PFL)
⚠️ AI Privacy Note: If you're using AI tools to process financial data, payroll records, or other sensitive information, always review your provider's data handling and model training policies before inputting that data. What you enter may be used to improve AI models depending on your plan or settings. This applies regardless of the tool or platform.

Two of Australia's most important financial regulators issued significant warnings about AI risk within days of each other this week — and while both messages were directed primarily at banks, insurers, and superannuation funds, the implications extend well beyond the formal financial services sector.

On 8 May, ASIC published an urgent letter to the financial services industry warning about cyber risks from frontier AI systems, specifically referencing the potential for advanced AI capabilities to be weaponised by non-state actors at a speed regulators haven't previously had to contend with. Days earlier, APRA released findings from a targeted review of how AI is being deployed across its regulated entities — and the picture wasn't flattering.

For finance teams outside the regulated financial services sector — those working in NFP, NDIS, aged care, SME, and similar organisations — these warnings don't create a compliance obligation directly. But they do signal something important about the direction AI risk management is heading, and about the gaps that exist right now in how most organisations are using AI in their finance functions.

What ASIC Actually Said

ASIC Commissioner Simone Constant's letter to the financial sector focused on the pace of AI development and its implications for cyber risk. The specific concern was that risks previously considered to be on a longer horizon — advanced AI being used to execute or enable cyberattacks — could now materialise "incredibly quickly," with the potential for non-state actors to exploit frontier AI capabilities in ways that outpace existing defensive infrastructure.

The regulator acknowledged that preparedness varies significantly across the sector, and made clear that the expectation is meaningful progress — not just awareness. The framing was urgent in a way that ASIC communications rarely are.

What's notable is that ASIC's concern isn't primarily about AI making mistakes in financial calculations or producing unreliable outputs. It's about AI as an attack vector — the idea that sophisticated AI systems can be used to compromise financial infrastructure, manipulate data, or execute fraud at a scale and speed that human-operated approaches can't match. That's a different risk category from the one most finance teams are thinking about when they evaluate AI tools.

What APRA Found in Its Review

APRA's targeted supervisory review — conducted late last year across banks, insurers, and superannuation trustees — examined how AI was actually being deployed and governed in practice. The findings were released in May and identified four areas where practice is failing to keep pace with adoption.

Concentration risk. The most significant finding was that many regulated entities are leaning heavily on a single AI provider across multiple use cases — and showing meaningful gaps in contingency planning for what happens if that provider experiences an outage, changes its terms, or is compromised. Dependence on a single AI vendor for core operational processes is a risk that most organisations haven't formally assessed.

Governance gaps. APRA found that governance frameworks — the policies, ownership structures, and oversight mechanisms that should sit around AI use — are generally lagging behind the pace of adoption. Teams are using AI tools in production before the organisation has established who is responsible for monitoring outputs, managing model risk, or responding when something goes wrong.

Assurance failures. Related to governance: many entities couldn't demonstrate that they were actively verifying the accuracy and appropriateness of AI outputs in a structured way. Using AI to generate analysis and accepting the output without systematic review is a control gap — one that becomes more significant as the decisions informed by that analysis increase in materiality.

Operational resilience. APRA member Therese McCarthy Hockey noted that regulated entities needed to constantly adjust cyber practices to maintain resilience in a fast-moving threat environment. The implicit message: AI adoption without a corresponding uplift in cyber resilience is creating exposure that organisations aren't adequately accounting for.

4 areas: where APRA found AI governance practice failing to keep pace with adoption (concentration risk, governance gaps, assurance failures, and operational resilience), all relevant well beyond the regulated financial services sector.

"Incredibly quickly": ASIC's characterisation of how fast frontier AI risks can now materialise, a significant shift in the regulator's language compared to previous AI risk communications.

Why This Matters Beyond the Regulated Sector

APRA regulates banks, insurers, and superannuation funds. ASIC's letter was addressed to financial services licensees. Neither document creates a direct compliance obligation for an NDIS provider, an aged care organisation, or an SME using AI tools in their finance function.

But the risk categories APRA identified — concentration risk, governance gaps, assurance failures — aren't unique to regulated entities. They're characteristic of how AI is being adopted broadly. And the finance function is one of the areas where AI adoption has been fastest, because the tasks are well-defined, the efficiency gains are measurable, and the tools are increasingly accessible.

Consider how AI is typically being used in finance teams right now: drafting management commentary, summarising documents, analysing variance data, processing invoices, responding to internal queries. In most cases, this is happening without a governance framework — no formal policy on what data can be entered into AI tools, no structured review of AI outputs before they're used in decisions, no assessment of what happens if the AI provider the team depends on changes its service or is unavailable.

That's not a criticism of individual finance teams. It's a description of where adoption is outpacing governance almost universally. The APRA review findings in regulated financial services are simply a more formally documented version of what's happening across the broader economy.

What Finance Teams Should Be Asking Right Now

The regulator warnings don't require an immediate policy overhaul. But they do suggest a set of questions that finance teams using AI tools should be able to answer — and in most cases, can't yet.

What data is going into AI tools, and under what terms? The privacy note at the top of this post isn't decorative. When financial data, payroll records, or commercially sensitive information is entered into an AI tool, the terms governing how that data is handled vary significantly by provider and plan. Most finance teams haven't reviewed those terms. That's a data governance gap that doesn't require a regulator to tell you it's worth addressing.

Who is reviewing AI outputs before they inform decisions? If AI is being used to draft management commentary or produce variance analysis, who is checking those outputs and at what level of rigour? The answer "the person who prompted it" isn't sufficient if that person is accepting the output without meaningful review. Output review is a control. If it's not structured, it's not functioning as one.

What happens if the AI tool you depend on is unavailable? APRA's concentration risk finding applies at the organisational level, but it's equally relevant at the team level. If a significant portion of the finance function's weekly output depends on a single AI provider, what's the contingency? This isn't an argument against using AI tools. It's an argument for knowing what you'd do without them.

Is there organisational agreement on what AI should and shouldn't be used for? In most organisations, there isn't. Individual team members are making their own judgements about appropriate AI use, often without a shared framework. That's not sustainable as AI use becomes more embedded in core processes — and it's the exact governance gap APRA identified in its regulated population.

📌 Related reading: For a broader look at how agentic AI is changing what's possible in finance — and the security considerations that come with it — see our earlier post on the KPMG TACO framework and agentic AI in practice.

The Broader Signal

ASIC and APRA aren't issuing these warnings because AI adoption is going badly. They're issuing them because adoption is going quickly — and governance, risk management, and cyber resilience frameworks aren't keeping pace. That's the pattern with every significant technology shift, and AI is no different.

For finance teams, the takeaway isn't to slow down AI adoption. The tools are genuinely useful and the efficiency case is real. The takeaway is to make the adoption intentional — to have the conversations about data governance, output review, and provider dependency that most teams haven't had yet, before those gaps create a problem rather than after.

Regulators are starting to formalise their expectations. Organisations that have already addressed these questions will find compliance straightforward when the requirements arrive. Those that haven't will be doing it under pressure.

Using AI in Your Finance Function — But Not Sure if Your Governance Is Keeping Up?

PFL works with Australian NFP, NDIS, and SME organisations on AI automation in finance — including the governance frameworks that make AI adoption sustainable and defensible. If you're using AI tools in your finance team and want to make sure the foundations are right, let's talk.

About the author: Timothy, CPA, is Managing Director of Professional Financelink (PFL), providing senior-level outsourced finance, management reporting, and AI automation services to Australian NFP, NDIS, and SME organisations. He brings over 20 years of finance leadership experience across the sector.
