Australian Compliance News

APRA enforcement actions, ASIC stop orders, AUSTRAC penalties, regulatory reforms, and what they mean for your entity. Updated weekly.

March 2026 CPS 230 APRA
APRA Thematic Review Finds 40% of Entities Have Incomplete Critical Operations Registers
APRA's CPS 230 readiness thematic review across ADIs and insurers found significant gaps. 40% of reviewed entities have incomplete critical operations registers, and many have not yet defined tolerance levels for key operations. APRA has issued supervisory letters requiring remediation plans before the July 2025 effective date.
Impact: All APRA-regulated entities should assess their CPS 230 readiness immediately. Entities without completed critical operations registers and tolerance levels face enhanced supervisory attention and potential capital charges.

March 2026 APRA
APRA Issues Record CPS 234 Supervisory Letters in Q1 2026
APRA has issued more CPS 234 supervisory letters in Q1 2026 than in all of 2024, signalling intensified focus on information security following the Medibank breach ($250M capital charge). Multi-factor authentication coverage and third-party security assessments are the top areas of concern.
Impact: Entities should review MFA coverage across all access points (especially VPN and remote access), verify third-party security assessment quality, and ensure 72-hour notification processes are documented and tested.

March 2026 APRA
FAR Accountability Map Reviews Begin for Insurers and Super Trustees
Following FAR commencement for insurers and super trustees on 15 March 2025, APRA has begun reviewing accountability maps and statements. Early findings: statements are too vague ("responsible for risk" is not acceptable), maps don't match actual decision-making structures, and shared responsibilities lack clear boundaries.
Impact: Review accountability statements for specificity. Each statement should name specific prudential standards, processes, and reporting lines. Ensure the accountability map reflects reality, not just the org chart.

March 2026 AUSTRAC Reform
AML/CTF Tranche 2 Rules Finalised — New Obligations from 31 March 2026
AUSTRAC has finalised the new AML/CTF Rules, the most significant reform since the Act's commencement. Key changes: a simplified program structure (single integrated program), enhanced beneficial ownership identification, and new proliferation financing screening obligations. Existing entities must comply from 31 March 2026; Tranche 2 entities (real estate, lawyers, accountants) from 1 July 2026.
Impact: All reporting entities must update their AML/CTF programs to the new structure. Compliance officer notification to AUSTRAC is due by 30 May 2026. Review beneficial ownership identification procedures and implement proliferation financing screening.

March 2026 Privacy Reform
Privacy Act Statutory Tort Legislation Introduced to Parliament
The Attorney-General has introduced legislation for a statutory tort for serious invasion of privacy, implementing one of the 116 Privacy Act Review recommendations. If passed, individuals will be able to sue organisations directly for privacy breaches — creating a new litigation channel beyond OAIC complaints.
Impact: Financial institutions face a new litigation risk. Privacy by design becomes essential — not just compliant, but defensible in court. Review data handling practices, consent mechanisms, and data retention policies.

February 2026 ASIC
ASIC Issues 15 DDO Stop Orders in Q4 2025 — Largest Quarterly Count
ASIC issued 15 stop orders under the Design and Distribution Obligations in Q4 2025, the highest quarterly count since DDO commenced in October 2021. Products stopped include insurance products with inadequate target market determinations, superannuation investment options, and financial advice fee arrangements.
Impact: Review all target market determinations for specificity and ensure distribution monitoring is capturing complaints and out-of-target dealings. ASIC is not slowing down on DDO enforcement.

January 2026 APRA
CPS 511 Remuneration Standard Now Effective for Non-SFIs
CPS 511 (Remuneration) became effective for non-SFIs on 1 January 2026, extending comprehensive remuneration governance requirements beyond the major banks and insurers. All APRA-regulated entities must now have Board-approved remuneration frameworks with risk-adjusted variable pay and non-financial performance measures.
Impact: Non-SFIs must ensure their remuneration framework is CPS 511 compliant. Key requirement: where non-financial measures show significant failures, variable remuneration must be reduced to zero regardless of financial performance.

December 2025 APRA
Medibank Capital Charge Under Review — Remediation Progress Assessed
APRA is reviewing Medibank's $250M capital charge following the insurer's submission of a comprehensive CPS 234 remediation program. The review will assess whether MFA has been deployed across all access points, third-party security assessments have been completed, and the 72-hour notification process has been tested.
Impact: Shows that capital charges can be reduced through remediation that is backed by evidence. Entities with existing capital charges should prioritise systematic remediation with evidence acceptable to APRA.

November 2025 AUSTRAC
AUSTRAC Enforcement Review: $2.6 Billion in Penalties Since 2018
AUSTRAC's enforcement track record since 2018: Westpac ($1.3B), CBA ($700M), Crown ($450M), Star ($100M), SkyCity ($67M). Total: $2.617B. AUSTRAC has signalled continued enforcement focus on transaction monitoring adequacy and customer identification failures.
Impact: AML/CTF compliance is not optional. Every major enforcement action involved systemic failures in automated monitoring or reporting. Test your transaction monitoring rules regularly.