Supervisory review last year shows information security practices not keeping pace with expanded use of AI
Australia's prudential watchdog is asking banks, insurers, and superannuation trustees for a "significant improvement" in how they manage artificial intelligence amid emerging financial and operational vulnerabilities.
The Australian Prudential Regulation Authority (APRA) wrote a letter to its registered entities outlining its expectations for how they should be addressing AI-related risks.
"While we are not proposing to introduce additional requirements at this stage, we expect to see a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it," said APRA Member Therese McCarthy Hockey in a statement.
In the letter, APRA said it expects boards at a minimum to:
- maintain sufficient understanding and literacy with respect to AI in order to set strategic direction and provide effective challenge and oversight
- oversee an AI strategy which is consistent with the entity's risk appetite and tolerance settings, supported by effective monitoring and reporting (including for third-party dependencies), with clearly defined triggers aligned to resilience objectives to enable timely action when not operating as expected.
AI management not keeping pace
These expectations follow a targeted supervisory review that APRA conducted late last year into how AI was being deployed and governed.
"APRA found that, while AI is being actively adopted by all the entities we engaged with, there are differing levels of maturity across functions such as governance, risk management and operational resilience," the letter read.
"In addition, assurance practices are not keeping pace with the scale, speed and complexity of AI."
According to APRA, while there is strong interest in and pursuit of AI's potential benefits for productivity, efficiency, and customer experience, many boards are still developing the technical literacy required to provide effective challenge and oversight on AI-related risks.
"APRA also noted an overreliance on vendor presentations and summaries without sufficient examination of key AI risks such as unpredictable model behaviour and the impact on critical operations," the letter read.
'We cannot be blind to the risks'
Hockey said the findings emphasise APRA's expectations for how entities should be managing AI-related risks in alignment with prudential standards in areas such as information security, operational risk management, governance, and data risk.
"The AI revolution presents tremendous opportunities for banks, insurers and superannuation trustees to deliver improved efficiency and enhanced customer services. We are already beginning to see these benefits materialise," the APRA member said.
"But we cannot be blind to the risks of such powerful technology – whether in our own hands or the hands of those with malign intent."
APRA is currently engaging with government agencies, entities and peer regulators to assess the implications of technological advancements to ensure the safety of Australia's financial system, according to Hockey.
The prudential regulator is also finalising a plan for the supervision of AI risks, and will continue monitoring the use of AI to assess whether further policy action may be needed.