
The new regulatory reality Down Under

  • Writer: David Houghton
  • 9 hours ago
  • 9 min read

How data governance and AI can transform Australian financial services risk management — and why your consultants may not be equipped to help

Australia's financial services sector is operating in a materially different regulatory environment to even five years ago. The post-Royal Commission era has been characterised by higher enforcement intensity, greater expectations of demonstrable governance, and a growing emphasis on operational resilience and third-party risk. The days of simply outsourcing risk are behind us.

The question for every CRO and CDO is not just whether their data governance is fit for purpose — it's whether the advisers helping them build it have kept pace with the same transformation.

Smart institutions are discovering that excellence in data governance and data/information observability isn't just about avoiding breaches and penalties. It's about enabling faster, evidence-led risk decisions and building sustainable competitive advantage in the AI era.


A decade and a half of transformation

The past 15 years have fundamentally reshaped Australia's financial services regulatory landscape. Both the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) have been empowered to act as enforcers, not just overseers. Headlining that shift is the single most significant structural change to emerge from the Royal Commission: individual accountability at the executive level.

From the post-Global Financial Crisis foundations, through the watershed moment of the Royal Commission, to today's focus on operational resilience and enforcement, firms face an unprecedented convergence of regulatory requirements, and an opportunity for those who get data governance and data observability right from the start.

What has changed most is not simply the volume of regulation, but the expectation of proof: regulators increasingly expect firms to demonstrate, not merely assert, effective governance, oversight, and outcomes.


ASIC's expanded regulatory toolkit

The Royal Commission didn't just expose misconduct; it triggered a fundamental rewrite of ASIC's powers. Since 2019, five successive waves of legislation have transformed the regulator from a disclosure-focused watchdog into a genuinely interventionist enforcement body.

Penalties got teeth. The 2019 Penalties Act increased maximum prison terms to 15 years for serious offences and, critically, made breaches of core AFS licensee obligations civilly actionable for the first time. Prior to this, ASIC had no penalty power over much of the very misconduct the Royal Commission exposed.

Intervention before harm. ASIC gained a Product Intervention Power, complemented by Design and Distribution Obligations on product issuers and distributors, allowing it to act on harmful products before consumers are damaged: a deliberate move away from the old model of relying on disclosure and waiting for complaints.

Conduct standards tightened. The Hayne Response Act (2020) banned unsolicited product selling, made insurance claims handling a regulated financial service, created enforceable industry code provisions, and overhauled breach reporting, giving ASIC earlier and broader visibility of compliance failures across the sector.

Superannuation brought inside the tent. ASIC's jurisdiction over superannuation trustee conduct was formally expanded, enabling direct enforcement action against trustees for breaches of their statutory covenants.

Markets infrastructure. The 2024 Financial Market Infrastructure Act extended ASIC's oversight and rule-making powers over clearing and settlement facilities, closing a long-standing gap in systemic risk oversight.

Alongside the legislation, ASIC formally adopted its "why not litigate?" enforcement posture — requiring staff to justify not pursuing court action, rather than the reverse. The penalty data since 2019 suggests that shift is now well and truly operational.


Australian Securities and Investments Commission (ASIC): enforcement intensity is up

ASIC's post-Royal Commission enforcement posture has translated into significant, and measurable, increases in investigations and enforcement activity.

In the year immediately following the Royal Commission (July 2018 – June 2019), ASIC recorded:

  • a 20% increase in the total number of enforcement investigations,

  • a 51% increase in investigations involving the big six financial services firms (or their officers or subsidiaries), and

  • a 216% increase in wealth management investigations [3].

ASIC's enforcement outcomes reporting also shows that civil penalties and enforcement actions are increasing. For the period 1 July to 31 December 2025, ASIC reported:

  • $349.8m in civil penalties imposed by the courts,

  • 23 civil proceedings commenced,

  • 22 infringement notices totalling $6.9m,

  • 123 new investigations commenced (with 205 ongoing at period end),

  • 61 individuals removed or restricted from providing financial services or credit, and

  • 16 individuals disqualified from directing companies [4].

ASIC's own reporting also supports a longer view of civil penalties over time. Over the four-year period 2022–2025, ASIC civil penalties imposed by the courts increased by 83.4%, a net increase of $185.2 million in absolute terms [5].

Implication: enforcement outcomes are increasingly material, and the ability to respond quickly with defensible evidence is a strategic capability, not just an administrative task.


Australian Prudential Regulation Authority (APRA): Supervision and enforcement posture is explicit

APRA has been clear about its posture: it retains a strong appetite to increase supervision intensity where it sees inadequate risk management practices, and to take formal enforcement action where there is clear accountability for breaches of the law [1].

This matters because APRA's expectations increasingly translate into requirements for:

  • clearer accountability,

  • stronger control design and operation,

  • better monitoring and testing, and

  • faster, more reliable evidence production.


CPS 230: when operational risk became everyone's problem

If there is one regulatory development that has fundamentally changed how APRA-regulated entities must think about operational risk, it is Prudential Standard CPS 230. It didn't introduce an entirely new concept (operational resilience has long been an expectation), but it did make the rules explicit, enforceable, and considerably harder to ignore.

What changed, and when:

CPS 230 came into force on 1 July 2025. For entities with pre-existing service provider contracts, some transitional concessions can apply until 1 July 2026. In practice, this means the compliance clock is already ticking for every institution and, for some, it may have already run out.

The material service provider register:

One of CPS 230's most operationally significant requirements is the material service provider register, which entities must submit to APRA annually. Importantly, the standard prescribes a minimum floor of what must be classified as material: regardless of internal risk appetite or commercial preference, providers of risk management, core technology services, and internal audit are automatically classified as material service providers. APRA also retains the power to direct an entity to classify any arrangement as material, leaving limited room for creative scoping.

For many institutions, this will require an honest audit of arrangements that have historically sat below the governance radar.

Due diligence is now a documented process:

Before entering into a material arrangement, or making material changes to one, entities must undertake formal due diligence. This means a structured selection process and a documented assessment of the provider's capability to deliver. It is not sufficient to rely on an incumbent relationship or commercial familiarity; the assessment must be evidenced. Notification obligations add further process weight.

Entities must notify APRA:

  • within 20 business days of entering into or materially changing any arrangement that supports a critical operation; and

  • prior to entering any material offshoring arrangement, or when significant changes are proposed, including where data or personnel will be located offshore.

The offshoring notification requirement in particular reflects APRA's growing concern about concentration risk and data sovereignty in outsourced operating models.

Internal audit has skin in the game:

Perhaps the most underappreciated element of CPS 230 is the role it assigns to internal audit. The internal audit function must review any proposed material arrangement where a critical operation is being outsourced, before it is executed. It must also report regularly to the Board or Board Audit Committee on whether service provider arrangements comply with the entity's own service provider management policy.

This elevates internal audit from a retrospective assurance function to an active participant in governance decisions, a shift that has significant implications for resourcing, independence, and the timing of audit involvement in commercial processes.

The bottom line:

CPS 230 is not a policy exercise that can be satisfied by updating a document and filing it away. It demands operationalised governance: live registers, evidenced due diligence, structured notification workflows, and board-level reporting, with particular intensity around critical operations and offshore arrangements. Institutions that treat it as a compliance checklist are likely to find themselves the subject of APRA's growing appetite for formal enforcement action.

 

Beyond any single regulation: why data governance is now a regulatory capability

It's tempting to treat each regulatory initiative as a separate compliance project. But the common thread across APRA and ASIC expectations is a single question:

Can we produce reliable evidence—quickly—about what we did, why we did it, and what happened as a result?

If the answer is "not without a scramble", the issue is rarely a lack of policy. It's usually a lack of governed, observable information.


The Data Governance and Data Observability foundations

A robust approach has two complementary components:


Data Governance (accountability and control)

  • Clear ownership and decision rights

  • Consistent definitions and classifications

  • Policies and standards that are operationalised (not just documented)

  • Evidence that controls are designed and operating


Data/Information Observability (instrumentation and evidence)

  • Monitoring and testing of controls (explicitly required under CPS 230 for operational risk controls) [2]

  • Traceability: what changed, where, when, and why

  • Issue detection and remediation workflows

  • Audit‑ready evidence capture

APRA's CPS 230 standard makes the need for this very explicit by requiring effective internal controls, monitoring and remediation for operational risks [2]. But the same capability supports ASIC-facing obligations too, because enforcement outcomes often turn on whether a firm can evidence governance, oversight, and action.

BearingNode's Data & Information Observability (D/I o11y) framework operationalises both layers, from ownership and control design through to monitoring, traceability, and audit-ready evidence capture, and does so by drawing on every element of the operating model by design.


Unstructured data: the hidden compliance and enforcement asset

A large proportion of "regulatory evidence" is unstructured: policies, procedures, incident reports, audit workpapers, vendor packs, meeting notes, emails, and service management tickets.

Where AI can help:

AI can reduce manual effort in handling unstructured information, particularly for summarisation and metadata extraction, when used with appropriate governance and controls.

BearingNode applies AI capability through Jana, our Team Member & AI Consultant, focused on summarisation, extraction, and evidence triage, with human oversight and auditability embedded throughout. Jana is trained on 25 years of financial services Data & Analytics expertise, ensuring outputs are grounded in domain-specific institutional knowledge rather than generic inference.


Practical steps: a regulatory‑ready data programme (APRA + ASIC aligned)

1) Build an enforcement‑ready evidence model

  • Define what evidence you need to demonstrate governance, decisions, and outcomes.

  • Map evidence to key risk and compliance processes (incidents, complaints, remediation, third‑party oversight).

2) Create a single view of investigations, issues, and remediation

  • Link incidents/issues to controls, owners, and actions.

  • Ensure you can show monitoring and testing of controls (explicitly required under CPS 230) [2].

3) Strengthen unstructured data governance

  • Classify and retain key artefacts (policies, approvals, incident packs, remediation evidence).

  • Make retrieval fast and repeatable for audits, investigations, and regulator engagement.

4) Instrument observability

  • Implement monitoring, thresholds, and escalation paths.

  • Ensure remediation is tracked to closure with clear accountability.

5) Apply AI safely

  • Start with low‑risk use cases: summarisation, extraction, triage.

  • Ensure human oversight and auditability.

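Steps 2 and 4 above describe a data structure rather than a document: issues linked to controls and owners, evidence of control monitoring and testing that can be produced on demand, and remediation tracked against thresholds to closure. The Python below is an added example, not part of the original article and not BearingNode's D/I o11y framework, of the minimum such a model needs: issues tied to controls, and an append-only evidence log in which each entry carries the SHA-256 digest of the previous one, so an after-the-fact edit to any entry is detectable. The control and issue identifiers, owners, dates, the 90-day control-testing threshold and the 30-day executive escalation threshold are constructed sample data and assumptions, not values from CPS 230 or from the article.

```python
# Added example (not any vendor's framework): controls, issues linked to them, and a
# hash-chained evidence log. Names, dates and thresholds are constructed sample data.
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import date

GENESIS = "0" * 64  # prev_digest of the first entry

@dataclass(frozen=True)
class Issue:
    issue_id: str
    control_id: str  # the control whose failure this issue records
    owner: str
    due: date
    closed: date | None = None

@dataclass(frozen=True)
class EvidenceEvent:
    seq: int
    when: str         # ISO date the evidence was recorded
    actor: str
    subject: str      # control_id or issue_id the evidence relates to
    action: str       # e.g. "tested", "opened", "remediated", "closed"
    detail: str
    prev_digest: str  # commits this entry to everything before it
    digest: str

def _digest(seq, when, actor, subject, action, detail, prev_digest) -> str:
    payload = json.dumps([seq, when, actor, subject, action, detail, prev_digest])
    return hashlib.sha256(payload.encode()).hexdigest()

class EvidenceLog:  # append-only: each entry's digest covers its content and the prior digest
    def __init__(self) -> None:
        self.events: list[EvidenceEvent] = []

    def append(self, when: date, actor: str, subject: str, action: str, detail: str) -> EvidenceEvent:
        prev = self.events[-1].digest if self.events else GENESIS
        seq, iso = len(self.events), when.isoformat()
        ev = EvidenceEvent(seq, iso, actor, subject, action, detail, prev,
                           _digest(seq, iso, actor, subject, action, detail, prev))
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        # Recompute the whole chain; an edited, reordered or removed entry breaks it.
        prev = GENESIS
        for i, ev in enumerate(self.events):
            expected = _digest(i, ev.when, ev.actor, ev.subject, ev.action, ev.detail, prev)
            if ev.seq != i or ev.prev_digest != prev or ev.digest != expected:
                return False
            prev = ev.digest
        return True

    def for_subject(self, subject: str) -> list[EvidenceEvent]:
        # Ordered trace for one control or issue: what happened, when, by whom.
        return [e for e in self.events if e.subject == subject]

def untested_controls(control_ids, log: EvidenceLog, today: date, max_age_days: int = 90) -> list[str]:
    """Controls with no 'tested' evidence in the last max_age_days (threshold is an assumption)."""
    stale = []
    for cid in control_ids:
        tests = [date.fromisoformat(e.when) for e in log.for_subject(cid) if e.action == "tested"]
        if not tests or (today - max(tests)).days > max_age_days:
            stale.append(cid)
    return stale

def escalation_level(issue: Issue, today: date, executive_after_days: int = 30) -> str:
    """Escalation path: on time -> owner once overdue -> executive past the (assumed) 30-day threshold."""
    if issue.closed is not None:
        return "closed"
    overdue = (today - issue.due).days
    if overdue <= 0:
        return "on_track"
    return "executive" if overdue > executive_after_days else "owner"

def build_sample():
    """Constructed sample data, not taken from any real entity."""
    control_ids = ["CTL-1", "CTL-2"]  # e.g. provider-register review; ticket-to-breach-log reconciliation
    issues = [Issue("ISS-1", "CTL-1", "Head of Procurement", due=date(2025, 8, 15)),
              Issue("ISS-2", "CTL-2", "Head of Compliance", due=date(2025, 7, 31), closed=date(2025, 7, 28))]
    log = EvidenceLog()
    log.append(date(2025, 6, 10), "internal audit", "CTL-1", "tested", "provider register sampled; 2 exceptions")
    log.append(date(2025, 6, 12), "procurement", "ISS-1", "opened", "2 unregistered providers found")
    log.append(date(2025, 7, 20), "compliance", "ISS-2", "remediated", "ticket reconciliation job fixed")
    log.append(date(2025, 7, 28), "compliance", "ISS-2", "closed", "internal audit sign-off")
    log.append(date(2025, 9, 1), "internal audit", "CTL-2", "tested", "no exceptions")
    return control_ids, issues, log

def demo(today: date = date(2025, 9, 30)) -> dict:
    control_ids, issues, log = build_sample()
    result = {"chain_ok": log.verify(),
              "untested": untested_controls(control_ids, log, today),
              "escalation": {i.issue_id: escalation_level(i, today) for i in issues},
              "trace_ISS-2": [(e.when, e.action) for e in log.for_subject("ISS-2")]}
    # Editing an entry after the fact (e.g. backdating a remediation) breaks the chain.
    log.events[2] = replace(log.events[2], detail="ticket reconciliation job fixed (backdated)")
    result["chain_ok_after_edit"] = log.verify()
    return result
```

Calling demo() returns the chain check, the controls with no test evidence inside the threshold (CTL-1 in the sample), the escalation state of each issue (ISS-1 is 46 days overdue and so sits at executive level; ISS-2 is closed), the ordered trace for ISS-2, and the chain check repeated after one entry is edited in place, which fails. A hash chain on its own only detects edits by someone who cannot recompute the chain from the altered entry onward; in a real deployment the latest digest would be anchored somewhere the log's owner cannot rewrite, such as a write-once store or a periodically signed checkpoint held by internal audit.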

Conclusion: regulatory excellence is now a data & information capability

ASIC's post-Royal Commission enforcement trajectory shows a sustained uplift in investigations and civil penalty activity, including record outcomes in 2025. APRA's stated posture and CPS 230 requirements reinforce that operational risk management, controls, monitoring, and resilience must be demonstrable, not assumed.

The organisations that win in this environment will be those that build a regulatory-ready data capability: governed, observable, and able to produce evidence at speed.

Consulting has changed. The regulatory environment now demands advisers who combine deep domain expertise with genuine data and AI capability, not generalists retrofitting AI onto legacy models. The firms that build regulatory-ready data capability fastest will define the competitive landscape in financial services. The question is: who helps them do it?


About BearingNode: We help organisations navigate the complexity of modern data ecosystems through our comprehensive Data & Information Observability framework. Our approach combines deep technical expertise with practical business focus to transform data chaos into strategic clarity. To learn more about how D/I o11y can help your organisation move from data firehose to strategic wisdom, visit bearingnode.com or contact us at marketing@bearingnode.com

About the author: David Houghton is a strategic technology and governance leader with over 18 years of experience architecting governance, risk, and compliance (GRC) frameworks and driving digital transformations across global financial services.

Currently a Senior Consultant at BearingNode Ltd (UK) and its representative in the APAC region, David specialises in the intersection of traditional GRC and emerging AI/ML risk profiles. David is passionate about helping organisations navigate the AI era through BearingNode's comprehensive Data & Information Observability framework, D/I o11y.

Beyond his professional expertise, David enjoys competitive ocean swimming and is an enthusiast of the slower arts of sourdough baking and tending his vegetable garden. He most enjoys the results of his garden and kitchen when cooking great food for his friends and family.

Connect with David on LinkedIn or learn more about BearingNode's approach to data, analytics and AI transformation at BearingNode.


References

  • [1] APRA, Corporate Plan 2024–25 and Corporate Plan 2025–26 (enforcement posture statement).

  • [2] APRA, Prudential Standard CPS 230 Operational Risk Management (July 2025).

  • [3] ASIC, ASIC's Approach to Enforcement After the Royal Commission (speech), 30 August 2019.

  • [4] ASIC, Summary of Enforcement Outcomes: July to December 2025.

  • [5] ASIC, enforcement activity summary table (civil penalties year-on-year 2022–2025).
