In May 2026, APRA and ASIC issued a formal joint letter to all regulated entities warning that existing regulatory obligations already cover AI use. The letter made clear that AI models must be treated as material risk, third-party AI vendors are the licensee's responsibility, and explainability is not optional. This was not a consultation — it was a formal notice that enforcement is coming.
In May 2026, something unusual landed in the inboxes of every APRA-regulated entity and Australian Financial Services licensee. A joint letter. From both regulators. At the same time. About the same thing.
APRA and ASIC don't issue joint communications casually. When both of Australia's financial regulators decide to write to the same audience on the same day about the same risk, it's because they have seen enough to know the industry needs a formal warning. The subject line was artificial intelligence. The message was unmistakable: your existing obligations already cover your AI use, and we expect you to demonstrate compliance.
What the Letter Actually Said
The letter didn't propose new rules. It didn't ask for feedback. It stated, in plain regulatory language, that the obligations already imposed by the Banking Act, the Insurance Act, the Superannuation Industry Supervision Act, and the Corporations Act apply to AI systems in exactly the same way they apply to any other system that affects customers, capital, or risk.
Four specific expectations were set out.
First, AI models must be treated like any other material risk. This means documented controls, independent testing, and board-level oversight. You wouldn't deploy a new financial product without a risk assessment. You shouldn't deploy an AI model that makes or influences decisions about that product without one either. The model is the product now, or at least a component of it, and it gets the same governance treatment.
Second, third-party AI providers are your responsibility. If you buy an AI tool from a vendor and deploy it in a way that affects customers, you own the outcome. The vendor's compliance is not your compliance. The vendor's contractual promises are not your due diligence. If the model produces a biased result, or makes an unexplainable decision, or handles personal data in a way that breaches the Privacy Act, the regulator doesn't chase the vendor. They chase you.
Third, explainability is not optional. You must be able to explain, in terms that a customer can understand, how an AI system reached a decision that affected them. Not the mathematics. The reasoning. If you cannot do this, the regulator's position is that you should not be using that system for decisions that matter. The burden of explainability rests with the deploying entity, not the AI vendor.
Fourth, data governance extends to AI training data. What went into the model is as important as what comes out. If the training data contains biases, the model's outputs will reflect those biases. If the training data was collected without proper consent, the model's use may itself be a privacy breach. Firms need to understand the provenance, composition, and limitations of the data that powers their AI — not just the model's performance metrics.
Why This Letter Matters More Than Most
Regulatory warning letters follow a pattern. First comes the industry review. ASIC's REP 798 in November 2024 was the review — it found the gap. Then comes the formal notice. This joint letter is the notice — it tells the industry the gap exists and that existing obligations apply. Then comes the enforcement.
Nobody gets fined for ignoring a warning letter on day one. But when an AI-related incident occurs — a biased credit decision, an unexplained insurance denial, a privacy breach through a vendor's model — the letter becomes evidence. It shows the regulator told the industry what was expected, and the entity chose not to act. That's not a defence. That's an aggravating factor.
The letter is also significant because of who signed it. APRA regulates prudential risk. ASIC regulates market conduct and consumer protection. AI cuts across both. A model that makes biased lending decisions is both a consumer harm problem (ASIC) and a risk management problem (APRA). A vendor whose AI handles customer data in ways that breach privacy is both a conduct problem and an operational risk problem. The joint letter signals that both regulators see AI as within their mandate, and both expect action.
What the Industry Is Getting Wrong
In the conversations we have with regulated entities, a few misconceptions keep surfacing.
The first is that AI governance is a technology problem. It isn't. It's a governance problem that happens to involve technology. The same frameworks that apply to outsourcing, third-party risk, and operational risk apply to AI. You don't need a data science degree to ask whether a vendor has tested their model for bias, or whether your firm can explain a decision to a customer, or whether the board has visibility of AI deployments. Those are governance questions, and they should be answered by governance people.
The second misconception is that the vendor's assurances are enough. They're not. A vendor's privacy policy is not your privacy compliance. A vendor's security certification is not your security posture. A vendor's claim that their model is "fair and unbiased" is not your bias testing. The regulator holds you responsible for verifying the vendor's claims, not for accepting them.
The third is that this can wait. The joint letter makes clear that existing obligations apply now. Not when AIDA passes. Not when the Privacy Act amendments take effect in December 2026. Now. If your AI governance is a "future work" item on the risk register, you are already behind.
What to Do This Quarter
If you received the joint letter and haven't acted on it, here's the minimum viable response.
First, find out what AI is actually running in your organisation. Not what you think is running. What's actually running. Ask every business unit what AI tools they've adopted in the last two years. The meeting summariser your legal team installed. The customer sentiment analyser your contact centre turned on. The resume screener your HR department is trialling. Most regulated entities we speak to discover AI deployments they didn't know existed.
Second, audit the vendors. Not a questionnaire. Not a sales call. An independent assessment of the vendor's model, training data, bias testing, data handling, and governance practices. You need documented evidence that the AI you've deployed meets the standards the regulators expect. "The vendor said so" is not documented evidence.
Third, put AI on the board agenda. Not as a briefing. As a standing governance item. The board doesn't need to understand neural networks. It needs to understand what AI is being used for, what risks it creates, and what controls are in place. Those are the same questions the board asks about any material risk.
Between the Letter and the Fine
Joint regulatory letters are the space between "you should know better" and "now we're going to do something about it." The firms that act in that space will be ready when enforcement begins. The firms that don't will discover that the gap between a warning and a fine is measured in months, not years.
Book a scoping call to discuss how an independent AI vendor audit addresses the expectations set out in the APRA/ASIC joint letter.
Frequently asked questions
What did the APRA and ASIC joint letter say about AI?
The letter stated that existing regulatory obligations already cover AI use. Regulated entities must treat AI models as material risk, take responsibility for third-party AI vendors, and ensure AI decisions are explainable. It was a formal notice, not a consultation.
Who received the APRA ASIC AI warning letter?
The joint letter was sent to all APRA-regulated entities and Australian Financial Services licensees.
What happens if we ignore the APRA ASIC AI warning?
Joint regulatory letters precede enforcement. While ignoring the letter won't trigger an immediate fine, if an AI-related incident occurs, the letter becomes evidence that the entity was warned and chose not to act.
How should regulated entities respond to the APRA ASIC AI letter?
Entities should audit their AI vendors, document AI governance controls, ensure board-level oversight of AI risk, and be able to demonstrate explainability of AI-driven decisions.


