APRA
Australian Prudential Regulation Authority
Prudential regulator of banks (ADIs), insurers (general, life, private health), and superannuation funds. Sets and enforces CPS standards including CPS 234 (information security) and CPS 230 (operational risk).
17 obligations enforced | 7 enforcement actions tracked | 7 scope topics
Obligations enforced by APRA (17)
- critical | CWLTH | Annual YFYS performance test (MySuper + Choice)
APRA annual performance test for MySuper products + (from 2024) Trustee Directed Products.
- critical | CWLTH | Comply with APRA CPS 220 (Risk Management)
APRA-regulated entities must have a comprehensive risk management framework.
- critical | CWLTH | Comply with APRA CPS 230 (Operational Risk Management)
APRA-regulated entities must manage operational risk including a comprehensive third-party / outsourcing register from 1 July 2025.
- critical | CWLTH | Comply with APRA CPS 234 (Information Security)
APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
- critical | CWLTH | Comply with Financial Accountability Regime (FAR) accountability obligations
Banking entities from 15 March 2024; insurers and super trustees from 15 March 2025.
- critical | CWLTH | Comply with SIS Act trustee covenants
Super fund trustees owe statutory covenants of care, skill, diligence, best financial interests, and prudent investment.
- critical | CWLTH | FAR deferred remuneration arrangements (40% deferral 4 years)
FAR accountable persons must have 40% of variable remuneration deferred 4 years.
- critical | CWLTH | Stronger Member Outcomes — APRA SPS 515
RSE licensees must annually assess member-outcomes performance + take action.
- high | CWLTH | Comply with Private Health Insurance Act 2007 + APRA rules
Private health insurers regulated by APRA + PHIO; community rating, complaints + claims rules apply.
- high | CWLTH | Comply with SPS 530 (Investment Governance) for APRA-regulated super funds
RSE licensees must have a documented investment governance framework.
- high | CWLTH | Comply with Stored Value Facility rules (banking exception)
SVF providers must operate within APRA + Treasury rules on purchased payment facility regulation.
- high | CWLTH | MySuper authorisation for default super products
Default super contributions can only flow to APRA-authorised MySuper products.
- high | CWLTH | Payment Service Provider (PSP) licensing reform — implementation pending
Treasury reform of payments licensing to capture digital wallets + Buy Now Pay Later + stored value.
- high | CWLTH | PHI Prudential Standards (APRA)
Private health insurers must meet capital + governance standards.
- high | CWLTH | Process super contributions and rollovers via SuperStream
All super contributions and rollovers must use SuperStream-compliant data + payment standards.
- high | CWLTH | Stablecoin payments licensing — Treasury reforms (in scoping)
Treasury reforms scoping payment stablecoin licensing under PSP regime.
- medium | CWLTH | Banking Executive Accountability Regime (BEAR) — pre-FAR
BEAR superseded by FAR for banks 15 March 2024; historical exposure remains.
Recent APRA enforcement
- regulatory implementation | 2025 | APRA CPS 230 in force from 1 July 2025
APRA's CPS 230 (Operational Risk Management) commenced 1 July 2025. Replaces CPS 231 + 232. Outsourcing + business continuity + operational risk management standards.
- review | 2024 | APRA + ASIC sustainability-labelled super product reviews 2024-2025
Joint APRA + ASIC reviews of sustainability-labelled super products throughout 2024-2025 identified misalignment between marketing + actual portfolio.
- macroprudential | 2024 | APRA credit growth caps + macroprudential limits
APRA periodic macroprudential interventions including interest rate buffers + investor lending limits.
- regulatory review | 2024 | APRA fine against Mercer (super governance)
APRA review concluded Mercer Super governance + risk management did not meet prudential expectations; required undertakings.
- capital directive | 2023 | APRA $250M additional capital — IAG (governance)
Following risk culture and governance weaknesses, APRA required IAG to hold an additional $250M operational risk capital.
- capital directive | 2023 | APRA increased IAG capital ($250M, 2023)
APRA imposed $250M additional capital following Royal Commission + risk culture concerns at IAG.
- capital directive | 2023 | APRA increase in Medibank capital requirements (CPS 234)
APRA imposed an additional $250 million capital adjustment on Medibank following the 2022 cyber incident.
Source: regulator's own website. Rules Mate links and summarises — we don't republish full statutory text.