Issue 14

Issue 14: APRA model-risk thematic, what to expect

What APRA's 2026 thematic review on model risk and AI is likely to cover, with a board-ready prompt.

What shipped

  1. APRA confirms 2026 thematic review on model risk management

    APRA confirmed its thematic review of model risk management practices, with a focus on machine learning and generative AI used in regulated entities.

  2. ASIC publishes industry letter on AI in financial services

    ASIC sent an industry letter to AFSL holders, reiterating that licensing and conduct obligations apply where AI features in product design, distribution, or advice.

  3. RBA discussion paper on AI in financial stability lands

    The Reserve Bank of Australia published a discussion paper examining the implications of widespread AI adoption for financial stability and operational resilience.


Four actions GRC practitioners can take this week.

This week is GRC and compliance again, with the APRA thematic review on the radar. The four actions assume you operate in or near a regulated entity covered by APRA prudential standards. Each takeaway produces an artefact you can table at your next risk committee.

  • One. Map every AI-driven model in your stack to a model-risk owner. If a foundation model touches a process and there is no named owner, that is the first finding APRA will write.
  • Two. Stand up a one-page model inventory if you do not have one. Model name, purpose, owner, validation status, last review date. Five rows is a defensible start.
  • Three. Run a tabletop exercise on one high-impact AI model. Walk through how you would respond if the model produced a materially incorrect output for a customer.
  • Four. Bring the RBA discussion paper to your operational risk committee. The paper is not regulation. It is the framing your prudential supervisor is reading.

The APRA thematic review will look for evidence that model risk is governed, inventoried, validated, and stress-tested. These four actions produce evidence in each of those four areas inside one cycle.

What APRA's 2026 model-risk thematic review is likely to look like.

Visual 1. Indicative APRA thematic review focal areas mapped against existing prudential and regulatory references. Sources: APRA published expectations, RBA discussion paper, ASIC industry letter. Indicative only.

Prompt of the month

Prompt of the week.

Setup: This prompt produces an APRA thematic-review readiness summary for a regulated entity. Paste your model inventory entries (de-identified), CPS 230 register references, and known governance owners. The model returns a readiness map, a board-ready summary, and a prioritised remediation list.

You are a GRC analyst supporting an APRA-regulated entity preparing for the 2026 model-risk thematic review. You support a Chief Risk Officer and a board risk committee.

Inputs I will provide:
- Model inventory entries (model name, purpose, type, owner, last validation date), de-identified where commercially sensitive.
- CPS 230 register references for processes that depend on these models.
- Known governance owners and their FAR responsibilities, where applicable.
- Sector and any specific jurisdictional obligations beyond APRA prudential standards.

Produce:
1. A readiness map across four lines: inventory completeness, validation rigour, accountability, and resilience, with a one-sentence assessment per line per model.
2. A one-page board-ready summary suitable for a non-technical risk committee, no longer than 350 words.
3. A prioritised remediation list of the top five actions, each with owner, artefact required, and suggested due date.

Do not invent obligations the inputs do not mention. Where evidence is insufficient, rate amber and state what would be needed to move to green. Flag any item that appears to create a specific APRA, ASIC, or Privacy Act exposure.

How to use it: Paste an extract of your model inventory with AI-driven models flagged. Run the prompt. Compare the readiness map against your existing CPS 230 documentation. Use the prioritised remediation list as the input to your next quarterly risk plan.

Risk: Models can produce confident-sounding board summaries that conflict with the actual obligations on your specific licence or accreditation. Have your AFSL or banking licence owner sign off on the board summary before circulation. Treat the remediation list as a draft prioritisation, not a final commitment.
