Compliance for Banks & ADIs
Authorised deposit-taking institutions regulated by APRA under the Banking Act 1959.
Published obligations that apply to Banks & ADIs (20)
- [critical] [CWLTH] Comply with APRA CPS 220 (Risk Management)
APRA-regulated entities must maintain a comprehensive risk management framework.
- [critical] [CWLTH] Comply with APRA CPS 230 (Operational Risk Management)
APRA-regulated entities must manage operational risk, including maintaining a register of material service providers (third-party and outsourcing arrangements), from 1 July 2025.
- [critical] [CWLTH] Comply with APRA CPS 234 (Information Security)
APRA-regulated entities must maintain an information security capability commensurate with the size and extent of threats to their information assets.
- [critical] [CWLTH] Comply with Design and Distribution Obligations (DDO)
Issuers and distributors of retail financial products must have a Target Market Determination (TMD) and distribute consistently with it.
- [critical] [CWLTH] Comply with Financial Accountability Regime (FAR) accountability obligations
Applies to banking entities from 15 March 2024; to insurers and superannuation trustees from 15 March 2025.
- [critical] [CWLTH] Enrol with AUSTRAC as a reporting entity
Tranche 2 entities must enrol with AUSTRAC by 29 July 2026.
- [critical] [CWLTH] FAR deferred remuneration arrangements (40% deferral, 4 years)
FAR accountable persons must have 40% of their variable remuneration deferred for a minimum of 4 years.
- [critical] [CWLTH] Maintain a written AML/CTF program
Every reporting entity needs a documented AML/CTF program: Part A (risk management) and Part B (customer identification systems).
- [critical] [CWLTH] Major banks must provide CDR Banking + Action Initiation (2026)
CDR Action Initiation lets accredited recipients initiate payments and other actions on a consumer's behalf.
- [critical] [CWLTH] Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other significant incidents within 72 hours.
- [high] [CWLTH] Comply with CDR Banking (Open Banking): major and non-major ADIs
Banking data holders must share consumer data with accredited recipients on the consumer's consent.
- [high] [CWLTH] Comply with credit reporting obligations (Part IIIA Privacy Act)
Credit providers and credit reporting bodies (CRBs) must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
- [high] [CWLTH] Consumer Data Right (CDR) participant accreditation and compliance
Banking, energy and (soon) non-bank lending data sharing: accredited participants must comply with the CDR privacy safeguards.
- [high] [CWLTH] Pre-2025 ban on unsolicited credit limit increase invitations
Credit card limit increase offers cannot be sent without the customer's prior written consent.
- [high] [CWLTH] Respond to hardship notices within the statutory timeframe
Credit providers must respond to hardship notices within 21 days under s 72 of the National Credit Code.
- [medium] [CWLTH] Adopt the Voluntary AI Safety Standard (DISR 2024)
10 voluntary guardrails for safe and responsible AI deployment; a mandatory regime is in development.
- [medium] [CWLTH] Banking Executive Accountability Regime (BEAR), pre-FAR
BEAR was superseded by FAR for banks on 15 March 2024; historical exposure for the BEAR period remains.
- [medium] [CWLTH] Comply with the ePayments Code
Voluntary but industry-standard code covering electronic transaction terms, mistaken internet payments, and unauthorised transactions.
- [medium] [CWLTH] Energy Bill Relief Fund and state cost-of-living payments compliance
Retailers and suppliers administering federal or state energy bill relief must apply it correctly and report on it.
- [medium] [CWLTH] Mandatory AI guardrails for high-risk AI (in development)
Australian Mandatory Guardrails for High-Risk AI Settings: DISR consultation in 2024/2025.