APRA Executive Director of Cross-industry Risk Chris Gower – speech to RMA CRO Conference 2025

Key points

  • “Internationally, there continues to be significant geopolitical uncertainty, with ongoing conflicts, great power rivalries and global trade policies in flux. Australia’s open economy and the deep global interconnections in our financial system mean overseas shocks can transmit to Australia via a range of channels.”
     
  • “In relation to AI, APRA will step up our monitoring of the emerging risks by reviewing practices across some larger institutions, including the appropriateness of risk management and oversight. We remain of the view that our existing regulatory framework is sufficient to capture the use of AI by banks, insurers and super funds, and have no new regulations planned.”
     
  • “In July, APRA was one of many regulators that received a letter from the Federal Treasurer asking us to identify specific, measurable actions to reduce regulatory compliance costs without compromising standards. Our response outlined a wide range of measures we believe will reduce burden for the financial sector and help to free up capital for other productive purposes.”
     
  • “We are committed to identifying more ways to increase the proportionality of our framework, remove unnecessary or duplicative rules and reduce the overall burden on industry. At the same time, as risks in the operating environment continue to evolve, we must not endanger the system resilience that has been very intentionally built-up, and which underpins confidence in the Australian financial system.”

 

Good morning and thank you for the invitation to speak here today.

Today I want to talk about risk, which seems appropriate for a gathering of chief risk officers and other risk professionals. 

As Australia’s financial safety regulator, APRA is also in the risk management business. If you look through our prudential standards, you will find no shortage of risks we require our regulated entities to address. Core examples of these include credit and liquidity risk for banks, insurance risk for insurers, investment governance in superannuation, and for all industries, operational and cyber risk. 

The risks we’re ultimately protecting against are threats to the safety of Australians’ bank deposits or superannuation savings, or that insurers might not have the financial means to pay policyholders’ claims. At the system level, we seek to prevent the build-up of financial risk that could cause severe economic harm, damaging international confidence in the Australian financial system and our ability to attract the capital that households and businesses need to grow and invest.

APRA’s central purpose of protecting financial safety and stability doesn’t change, but how we achieve it does evolve. Our Corporate Plan, published every August, outlines APRA’s strategic priorities over the next four years as well as our policy and supervision priorities for the coming 12 to 18 months. As the operating environment changes, so – necessarily – do our areas of focus.

Our latest plan, released a fortnight ago, has been forged in an uncertain and volatile operating environment. Australia’s financial system might well be strong and stable, but the global economic and geopolitical outlook is anything but. When we consider potential shocks to the financial system that meet the definition of “severe but plausible”, a disconcerting number of scenarios could come to mind. 

At the same time, our plan has been developed amidst increased focus, here and internationally, on the costs of regulation and the need to ensure regulatory requirements do not unduly constrain competition, efficiency and investment. That issue remains front and centre in the national conversation in the wake of the Government’s recent economic reform roundtables aimed at supporting productivity.

To this end, APRA has sought in its latest Corporate Plan to strike a balance – uncompromising on the measures that protect the hard-won financial stability on which Australia’s prosperity depends, including leaning into areas of emerging risk; but also identifying opportunities for better balanced regulation to help support competition and efficiency where it’s safe to do so.

In the time I have today before taking questions, I’d like to run through APRA’s assessment of the current financial risk landscape and how our latest Corporate Plan balances keeping our financial system safe and resilient but also efficient and competitive.

Overview

So, what is APRA seeing as we look across the operating environment and risk landscape?

Internationally, there continues to be significant geopolitical uncertainty, with ongoing conflicts, great power rivalries and global trade policies in flux. Australia’s open economy and the deep global interconnections in our financial system mean overseas shocks can transmit to Australia via a range of channels. For example, Russia’s invasion of Ukraine pushed up commodity prices and helped to fuel the spike in inflation that required sharp interest rate rises to bring under control. Financial service providers and other Australian businesses also had to implement sanctions at short notice. 

Geopolitical unrest has also correlated with an increase in cyber-attacks. In May this year, the Australian Signals Directorate was one of several national cyber security agencies globally to call out publicly that politically motivated attacks can have a spillover onto financial services providers1. Similar comments a little over a month ago by ASIO Director General Mike Burgess described “relentless” cyber espionage by foreign intelligence services, with the potential to cause enormous financial harm to individual companies and the Australian economy2.

Several other technological trends potentially increase the impacts of cyber-attacks on the financial system. One is the ability of bad actors to harness artificial intelligence to increase their penetration, including the use of deep fake voice and video technologies. Another is the ever-greater reliance of financial institutions and their customers on digital technologies. Not only does this create more opportunities for cyber adversaries, but it would also amplify the community impact of any of these technology systems failing.

APRA also sees an increased reliance by banks, insurers and super funds on service providers to deliver essential services. These third parties are often used by cyber adversaries as a backdoor to hit their primary target, as we saw in the case of the recent Qantas data breach. In financial services, as in many other industries, multiple companies often rely on the same third-party service providers, creating the potential for a cyber-attack or technology failure to spread across an industry. For example, a ransomware attack on a cloud IT service provider in the United States two years ago caused simultaneous outages at 60 American credit unions3.

Domestically, while the global outlook presents downside risks, growth in the Australian economy is expected to pick up slightly in the next year. Unemployment remains low and inflation has eased. Lower interest rates should help homeowners more easily meet their repayments, alongside savings buffers and prepayments. It also increases borrowing capacity for new borrowers. Lending standards remain sound, but housing is a key potential vulnerability for the Australian financial system as our banking system has more exposure to residential mortgages than comparable economies. Housing price growth has moderated but is already starting to pick up, especially where housing supply remains constrained, and household debt-to-income remains high relative to history and by international standards.

We see much more besides, but those are some of the key risks and trends that have helped to shape the policy and supervision priorities in our 2025-26 Corporate Plan.
The Plan is built around four pillars: 

  • Maintaining financial and operational resilience;
     
  • Responding to significant and emerging risks;
     
  • Getting the regulatory balance right; and
     
  • Improving our organisational effectiveness.

You’ll be pleased to hear that I don’t intend to run through the entire document, but I’d like to focus on some key call outs.

Maintaining financial and operational resilience

There is a reason that “maintaining financial and operational resilience” is the first listed strategic objective in this, and every, APRA Corporate Plan. Our most fundamental purpose is ensuring that Australia’s banks, insurers and superannuation trustees retain the financial and operational strength to continue delivering essential financial services to support the community under all reasonable circumstances. 

It's also the easiest objective to take for granted, especially in a country like Australia where major financial failures have been – blessedly – few and far between. A strong, stable and well-regulated financial system lays the platform for a nation’s prosperity. Consider that Australia’s record 29 years of uninterrupted economic growth spanning from 1991 to 2020 managed to encompass both the Asian Financial Crisis of 1997 and the Global Financial Crisis a decade later. 

Trust in the Australian financial system isn’t just a local commodity. It’s recognised internationally. In a recent national risk assessment for the Australian banking sector, S&P Ratings observed that:

“A highly effective institutional framework reduces risks faced by Australian banks. We consider the country's prudential regulatory standards and supervision to be among the strongest globally, and broadly similar to those in Singapore, Hong Kong, and Canada.”

As a mid-size economy reliant on overseas markets for capital and funding, that ringing international endorsement should not be taken for granted. 

Alongside our ongoing supervisory activities monitoring financial viability, capital adequacy and other financial risks, we will this year finalise revisions to the bank capital framework to phase out Additional Tier 1 capital instruments over coming years. We will also engage with industry on potential revisions to the bank liquidity framework, as we continue to ensure this keeps pace with the risk landscape and future shape of financial services. Both these measures are intended to enhance the financial resilience of the banking sector in the event of a future banking crisis.

Operational risk management has become increasingly important to prudential considerations as financial services grow more interconnected and more reliant on technologies and third-party service providers. In July, CPS 230, our first prudential standard focused on operational risk management, came into force. Over the next year, our focus will be assessing how effectively entities are meeting these new obligations which are designed to ensure they safeguard the resilience of their operations and are well prepared to respond to disruptions. 

Straddling both financial and operational resilience is governance. Put simply, well-governed institutions are more resilient in times of stress, while poor governance can create weakness that leads to misconduct, losses and failures. Having released eight proposals in March to strengthen governance across all APRA-regulated industries, we have had more submissions to the consultation than any other in recent memory and held more than 50 meetings and roundtables involving over 150 stakeholder organisations. We continue to reflect on the feedback we’ve received and are looking to provide an interim update on the consultation in the next few months.

Responding to significant and emerging risks

In the area of “responding to significant and emerging risks”, it will be no surprise that a top priority for us is to strengthen the cyber resilience of the institutions we supervise. 

Our prudential standard on information security, CPS 234, has been in force since 2019. While we have observed much progress since then, the pace of improvement has been slower than expected or required, especially given the worsening threat landscape and the clear expectations of the community that their data and funds are protected. APRA has repeatedly made clear to industry that appropriate investment in cyber preparedness is non-negotiable. 

A key example of such investment is for financial institutions to have strong authentication controls commensurate with the evolving threat environment. Recent credential stuffing attacks showed that many super funds weren’t meeting the expected standards, especially when it comes to protecting sensitive member data and high-risk transactions. APRA's June letter reinforced to funds our expectations around information security and robust authentication controls and we are now working through the adequacy of responses from relevant funds. 

In relation to AI, APRA will step up our monitoring of the emerging risks by reviewing practices across some larger institutions, including the appropriateness of risk management and oversight. We remain of the view that our existing regulatory framework is sufficient to capture the use of AI by banks, insurers and super funds, and have no new regulations planned. However, such is the speed with which AI adoption is progressing we must keep a close eye on developments and an open mind about what is needed to protect the community and financial stability. 

At the system level, APRA is coordinating with fellow regulators to build readiness to respond to potential geopolitical risks. Alongside our peers on the Council of Financial Regulators (CFR), we have developed a dedicated geopolitical risk workplan focused on strengthening the preparedness of the financial system to a range of “severe but plausible” scenarios. Such scenarios could transmit risks to Australian financial institutions via traditional channels, such as credit, liquidity or market impacts, operational events that ultimately lead to financial impacts, or through less traditional routes, such as sanctions enforcement or foreign interference via malicious insiders. Giving due regard to these wider vulnerabilities will be an important part of risk management for financial institutions going forward and something APRA will include in our routine supervisory engagements. 

The risks highlighted above play out in a financial system that is increasingly interconnected and the final initiative I want to mention here is APRA’s first system stress test. This hypothetical exercise is examining risks to financial stability arising from linkages between the banking and superannuation sectors. We presented participating banks and super funds with the inaugural test scenario in April, featuring significant financial markets disruption, including volatility in foreign exchange rates, and an operational risk component. The stress experienced by banks and super funds under the scenario, and their response to managing it, will help us explore the impacts of liquidity stress in banking and super, and how their actions may amplify shocks to the financial system. We are currently working through the first phase results on which we expect to have initial findings this year, before undertaking a second phase of the exercise.

Getting the balance right

Perhaps the most notable change to this year’s Corporate Plan is the inclusion of the third strategic objective: “getting the balance right”. At one level, this is business as usual for APRA. Our framework is proportionate, with fewer and less onerous requirements for small and less systemically important entities. And we have long balanced our primary objective of financial safety alongside other considerations such as competition and efficiency.

Over recent years, we’ve undertaken a range of actions to increase proportionality and reduce regulatory burden. For example, last year we reduced our policy consultations by more than half. We’ve ceased multiple data collections, streamlined reporting requirements and modernised the prudential architecture to make it easier to understand and simpler to navigate.

However, we have never called out this aspect of our work as a major strategic objective quite so explicitly before. 

Its elevation in our latest Corporate Plan reflects the scrutiny on the costs of regulation that, driven by stubbornly low productivity growth, has been an increasing focus in recent years. As the RBA noted in its most recent quarterly monetary policy statement, “lower productivity growth means slower growth in business revenues, household incomes and ultimately demand”4, which act as a handbrake on economic growth and wage rises.  This is reflective of a broader global trend, which has led to examples of deregulatory agendas of varying degrees across many economies. 

In July, APRA was one of many regulators that received a letter from the Federal Treasurer asking us to identify specific, measurable actions to reduce regulatory compliance costs without compromising standards. Our response outlined a wide range of measures we believe will reduce burden for the financial sector and help to free up capital for other productive purposes.  Some of these are actions that APRA committed to as part of the CFR review into small and medium-sized banks.

They include:

  • simplifying our bank licensing regime, which we think will cut in half the time taken for the licensing process and put new entrants on a stronger footing to become sustainable;
     
  • providing greater clarity on our supervisory expectations around banks’ capital requirements related to specific risks and what actions are needed to lower them; 
     
  • introducing a third tier into our proportionality framework for banks;
     
  • reducing capital requirements for annuity products and promoting access to cost-effective reinsurance for general insurers; and
     
  • removing outdated or duplicative rules from our governance prudential standards.

We have also committed to working further with industry to identify possible additional options to reduce the data reporting burden. That includes addressing the overlap in reporting obligations that apply under APRA’s prudential framework and the statutory requirements under the Financial Accountability Regime (FAR), on which we are engaging with Treasury and the Australian Securities and Investments Commission.

While none of the measures in isolation will be a silver bullet for the country’s productivity challenges, cumulatively we believe they will make a material difference to supporting efficiency, competition and innovation in our regulated industries without creating unacceptable risks to financial stability. 

Staying a step ahead

One thing those of us in the risk management game know all too well is that it’s very rare a risk can be completely eliminated. Nor is that outcome necessarily desirable. The only way banks can avoid credit risk, for example, is not to lend. The only way a super fund can remove investment risk is not to invest. Eliminating cyber risk would mean getting rid of computers! 

For the financial system to function and support the economy, we need our banks, insurers and super funds to take risk, backed by a strong risk management framework. APRA does not expect the institutions we regulate to eliminate the risk of a trade war, housing market crash or major natural disaster. But we do expect them to understand the risks they face, anticipate emerging ones and be prepared to mitigate both.

As we strive to find the right balance for regulation in the period ahead, it never harms to look to the lessons of the past, including of course the global financial crisis itself, as well as the list of other smaller financial services events that have happened since. While 2008 was a long time ago now, it’s worth remembering why financial regulations internationally were strengthened in the aftermath of the GFC. Lax financial regulation and supervision across multiple countries enabled lenders and property developers to speculate on housing in the belief that prices would keep rising indefinitely and therefore they couldn’t lose. But lose they did, at enormous cost to themselves as well as millions of other households and businesses that bore no responsibility for the crisis. 

Amidst a national push to kickstart productivity and economic growth, APRA’s latest Corporate Plan strikes a balance between preserving hard-won financial stability, while also enabling competition, efficiency and innovation. We are committed to identifying more ways to increase the proportionality of our framework, remove unnecessary or duplicative rules and reduce the overall burden on industry. At the same time, as risks in the operating environment continue to evolve, we must not endanger the system resilience that has been very intentionally built-up, and which underpins confidence in the Australian financial system.
