APRA Enforcement Update 2026: Capital Charges, Directions, and What They Mean for Your Entity
APRA's enforcement approach has fundamentally shifted in the last three years. Capital charges are the new normal. Directions are more frequent. And with FAR now in force, individual executives face personal consequences. Here's what every compliance officer needs to know.
The Enforcement Landscape: By the Numbers
| Regulator | Total Penalties (2018-2026) | Largest Single Action | Trend |
|---|---|---|---|
| AUSTRAC | $2.617 billion | Westpac $1.3B (2020) | Billion-dollar penalties for systemic failures |
| APRA | $600M+ in capital charges | Medibank $250M (2022) | Capital charges replacing soft enforcement |
| ASIC | $300M+ in penalties | Westpac $113M (2022) | DDO stop orders, responsible lending focus |
| OAIC | $50M+ | Facebook $50M (2023) | New maximum penalties in use |
APRA's Enforcement Toolkit
Understanding how APRA enforces compliance is essential for every regulated entity. APRA's powers come from the Banking Act 1959 (s11CA), Insurance Act 1973 (s49A), and SIS Act 1993:
1. Capital Charges (The Nuclear Option)
APRA can require entities to hold additional capital as a consequence of compliance failures. This is APRA's most powerful tool because:
- Capital charges are immediate — they take effect when APRA directs
- The capital is locked — it can't be used for lending, investment, or dividends
- They hit the balance sheet — directly reducing return on equity
- They signal to the market — investors and analysts take notice
Recent examples of capital charges:
- Medibank (2022): $250M — CPS 234 information security failure after 9.7M customer breach
- Bendigo Bank: $50M — compliance deficiencies across multiple standards
- Multiple ADIs (2024-25): Enhanced capital requirements for entities with CPS 230 readiness gaps
2. Directions (s11CA Banking Act)
APRA can direct an entity to:
- Comply with specific prudential requirements
- Not accept new deposits or issue new policies
- Remove a director or senior manager
- Appoint an auditor or independent reviewer
- Restrict dividends
- Take any other action APRA considers necessary
3. Enhanced Supervisory Oversight
Before formal enforcement, APRA intensifies supervisory engagement:
- More frequent on-site reviews
- Thematic reviews of specific standards (e.g., CPS 230 readiness)
- Requirement for independent expert reviews
- Regular reporting to APRA on remediation progress
4. FAR Disqualification (New)
Under the Financial Accountability Regime, APRA can now disqualify individual executives from being accountable persons. This is personal — it's not a fine the company pays, it's a career-ending consequence for the individual.
What APRA Is Watching in 2026
CPS 230 Readiness
With CPS 230 effective 1 July 2025, APRA has been conducting thematic reviews of entity readiness since late 2024. Areas of focus:
- Critical operations registers: Do entities know what their critical operations are?
- Tolerance levels: Are tolerance levels specific and measurable (RTO, RPO, minimum service)?
- BCP testing: Have entities tested with severe but plausible scenarios?
- Service provider management: Are material service providers identified and agreements compliant?
- Board oversight: Can the Board demonstrate they have approved tolerance levels and reviewed testing results?
CPS 234 Cyber Resilience
Following the Medibank, Optus, and MediSecure breaches, APRA has intensified focus on:
- Multi-factor authentication coverage (the Medibank gap)
- Third-party security assessment quality
- Control testing program adequacy
- 72-hour notification compliance
FAR Implementation Quality
APRA is reviewing FAR implementation at ADIs (effective since March 2024) and insurers/super (since March 2025):
- Are accountability statements specific enough?
- Are there gaps in responsibility allocation?
- Do accountability maps reflect reality?
- Are remuneration frameworks aligned with FAR obligations?
Lessons from Enforcement Cases
Lesson 1: Automated Systems Must Be Tested (Westpac)
Westpac's $1.3B penalty resulted from automated IFTI reporting failures that went undetected for years. The system upgrade disrupted reporting, but nobody tested whether reporting was still working after the change.
Action: Every time a system changes (upgrade, migration, new vendor), re-test compliance controls. Under CPS 230, this is now a formal requirement.
Lesson 2: New Products Need Compliance Assessment (CBA)
CBA's Intelligent Deposit Machines were deployed for customer experience without adequate AML/CTF controls. 53,750 threshold transaction reports were missed.
Action: Every new product, channel, or technology must have a compliance risk assessment before launch. CPS 230 explicitly requires entities to assess operational risk impacts of business decisions.
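Lessons 1 and 2 share a failure pattern: an automated regulatory reporting control keeps running after a system change or a new channel launch, but silently stops producing the reports it should. The following is an added example, not code from the article, from GoComply or from any regulator: a post-change reconciliation that compares the transactions which should have generated a threshold transaction report (TTR) against the reports the pipeline actually filed, and fails the change gate if any are missing or if the pipeline has gone completely quiet. The AUD 10,000 cash threshold, the transaction records and the report records are assumptions constructed for this example; the real feed, channel names and threshold rules must come from the entity's own AML/CTF program.

```python
"""
Post-change regression check for an automated threshold-transaction
reporting control (added example; not the article's or any regulator's code).

Run this as a gate after every upgrade, migration, vendor change or new
channel launch: reconcile transactions that require a TTR against the
reports the pipeline actually filed, and fail loudly on any gap.
"""
from dataclasses import dataclass

# ASSUMPTION for this example: physical-currency transactions at or above
# AUD 10,000 require a threshold transaction report. Confirm the live rule
# against the entity's AML/CTF program before relying on this value.
TTR_THRESHOLD_AUD = 10_000


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    channel: str          # e.g. "branch", "idm" (constructed channel names)
    amount_aud: float
    is_physical_cash: bool


@dataclass(frozen=True)
class FiledReport:
    txn_id: str
    report_type: str      # "TTR" is the only type this check looks at


def requires_ttr(txn: Transaction) -> bool:
    """Return True if the transaction should have produced a TTR."""
    return txn.is_physical_cash and txn.amount_aud >= TTR_THRESHOLD_AUD


def find_missing_reports(transactions, reports) -> list[str]:
    """IDs of reportable transactions with no matching TTR on file."""
    filed = {r.txn_id for r in reports if r.report_type == "TTR"}
    return sorted(t.txn_id for t in transactions
                  if requires_ttr(t) and t.txn_id not in filed)


def change_gate(transactions, reports) -> dict:
    """Reconcile expected vs filed TTRs and produce a pass/fail verdict."""
    expected = sum(1 for t in transactions if requires_ttr(t))
    missing = find_missing_reports(transactions, reports)
    filed = expected - len(missing)
    # A pipeline that files nothing while reportable activity exists is the
    # "silently dead after the upgrade" pattern; call it out separately.
    pipeline_silent = expected > 0 and filed == 0
    # Per-channel gaps surface a channel (e.g. a new device type) that was
    # launched without being wired into the reporting control.
    gaps_by_channel: dict[str, int] = {}
    missing_set = set(missing)
    for t in transactions:
        if t.txn_id in missing_set:
            gaps_by_channel[t.channel] = gaps_by_channel.get(t.channel, 0) + 1
    return {
        "expected": expected,
        "filed": filed,
        "missing": missing,
        "gaps_by_channel": gaps_by_channel,
        "pipeline_silent": pipeline_silent,
        "pass": not missing,
    }


# Constructed sample data: two channels, a mix of cash and non-cash amounts.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "branch", 12_000.0, True),   # reportable
    Transaction("T2", "branch", 9_500.0, True),    # below threshold
    Transaction("T3", "idm", 15_000.0, True),      # reportable, new channel
    Transaction("T4", "idm", 20_000.0, False),     # electronic, not cash
]
# Reports the pipeline filed before the change: complete.
REPORTS_BEFORE_CHANGE = [FiledReport("T1", "TTR"), FiledReport("T3", "TTR")]
# Reports after the change: the new channel is no longer feeding the control.
REPORTS_AFTER_CHANGE = [FiledReport("T1", "TTR")]
# Reports from a pipeline that broke entirely.
REPORTS_PIPELINE_DEAD: list[FiledReport] = []


if __name__ == "__main__":
    for label, reports in (("before change", REPORTS_BEFORE_CHANGE),
                           ("after change", REPORTS_AFTER_CHANGE),
                           ("pipeline dead", REPORTS_PIPELINE_DEAD)):
        result = change_gate(SAMPLE_TRANSACTIONS, reports)
        verdict = "PASS" if result["pass"] else "FAIL"
        print(f"{label}: {verdict} expected={result['expected']} "
              f"filed={result['filed']} missing={result['missing']} "
              f"by_channel={result['gaps_by_channel']} "
              f"silent={result['pipeline_silent']}")
```

The design point is that the check does not trust the reporting system's own success logs; it recomputes the population that should have been reported from the transaction source and compares. A gate that only confirms "the job ran" would have passed in both of the failure cases above.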
Lesson 3: Capital Charges Hit Harder Than Fines (Medibank)
A $250M capital charge is not a one-time cost — it's ongoing. That capital can't be deployed until APRA is satisfied the deficiency is remediated. The annual opportunity cost (lost lending income, reduced ROE) can exceed the charge itself.
Action: Invest in compliance proactively. $2M spent on CPS 234 controls is cheaper than $250M locked up in a capital charge.
Lesson 4: Personal Accountability Changes Behaviour (FAR)
Since FAR commenced, APRA has reported increased board engagement on compliance topics. Directors are asking harder questions. CROs are getting larger budgets. The threat of personal disqualification and civil penalties is working as intended.
Action: Ensure every accountable person understands their FAR obligations. Use accountability statements to create clarity, not just tick a regulatory box.
What to Do Now
- Assess your CPS 230 readiness. If you're an SFI, full compliance is required July 2025. If non-SFI, BCP requirements apply July 2026. Use the free CPS 230 checklist.
- Test your CPS 234 controls. MFA coverage, third-party security, incident response. If you can't pass a penetration test, APRA will find out.
- Review your FAR accountability statements. Are they specific enough? Are there gaps? Use GoComply to research the requirements.
- Brief your Board. Directors need to understand the enforcement landscape — capital charges, FAR disqualification, and their personal obligations.
- Build enforcement awareness into training. Every compliance team member should know the Westpac, CBA, Medibank, and Crown cases. The CPS 230 Masterclass covers all of them.
Stay ahead of APRA enforcement
GoComply tracks enforcement actions and regulatory changes across 37 Australian regulations.
This article reflects publicly available enforcement information as of March 2026. The GoComply chatbot covers APRA enforcement powers and case history.