APRA Makes Geopolitical Risk Readiness a Supervisory Obligation

APRA's June 2026 directive on geopolitical risk has elevated preparedness from voluntary guidance to an enforceable supervisory obligation for every regulated bank, insurer and superannuation fund, institutions that together oversee $9.8 trillion in assets.
By Branka Narancic
  • APRA issued a formal letter on 17 June 2026 to every regulated bank, insurer and superannuation fund overseeing $9.8 trillion in assets, declaring geopolitical risk readiness a supervisory obligation enforceable through the 2026-27 cycle.
  • The directive does not introduce new law but demands far greater rigour in applying existing standards CPS 220, CPS 230 and CPS 234 across six risk domains spanning sanctions, cyberattacks, disinformation, capital stress and third-party dependencies.
  • Regulators identified five structural weaknesses across the industry in 2025, with board-level AI and technology capability gaps singled out as a critical and widening shortfall requiring targeted remediation.
  • Larger institutions with elevated geopolitical exposure face a bespoke APRA assessment, separate from the general letter, with potential capital, liquidity, governance or remediation requirements imposed where vulnerabilities are judged material.
  • Australia's offshore wholesale funding reliance, deep Asia-Pacific trade ties and dependence on global technology providers create specific geopolitical transmission channels that standard domestic stress tests were not designed to fully capture.

Australia’s prudential regulator has drawn a line. The Australian Prudential Regulation Authority (APRA), which oversees institutions managing approximately $9.8 trillion in assets belonging to depositors, policyholders and superannuation fund members, issued a formal letter to every regulated bank, insurer and superannuation fund on 17 June 2026 declaring that geopolitical risk readiness is now a supervisory obligation, not a discretionary exercise. The letter, titled “Strengthening readiness for geopolitical shocks,” does not introduce new prudential standards. It demands that existing frameworks, specifically CPS 220 (Risk Management), CPS 230 (Operational Resilience) and CPS 234 (Information Security), be applied with far greater rigour to threats including sanctions, trade restrictions, cyber campaigns, foreign interference and AI governance failures. The directive sits within the broader Council of Financial Regulators (CFR) work programme, which has flagged geopolitical unpreparedness as one of the Australian financial system’s most significant structural vulnerabilities. What follows explains what APRA is specifically requiring, which weaknesses regulators have identified across the industry, and what a targeted follow-up assessment for higher-exposure institutions will mean in practice.

Why APRA is acting now, and what has changed

This is not the first time APRA has raised geopolitical risk. The CFR formalised an inter-agency geopolitical risk work programme in December 2024, and through 2025 regulators focused on diagnosis and engagement with large institutions. The 2026 phase marks a deliberate shift: from raising awareness to setting enforceable minimum expectations, with supervisory consequences attached.

[Figure: Timeline of APRA's geopolitical risk regulatory shift]

APRA Chair John Lonsdale has framed the escalation explicitly. Awareness alone is insufficient. Regulated entities must embed geopolitical risk into governance, risk management frameworks and crisis preparedness activities.

“The global environment is increasingly volatile and unpredictable.” — John Lonsdale, APRA Chair

The letter does not create new law. That is the point. APRA’s position is that the bar is already set within existing prudential standards, and institutions have not been meeting it. The regulatory posture has shifted from guidance to accountability, and the 2026-27 supervisory cycle is the mechanism through which that accountability will be enforced.

APRA’s geopolitical risk directive sits within a period of concentrated regulatory activity; the June 2026 letter coincides with APRA’s broader framework modernisation programme that includes CPS 230 amendments, the AT1 capital phase-out and the Basel III implementation cycle, reinforcing that the current supervisory intensity is structural rather than event-specific.

The six risk domains APRA now expects institutions to cover

APRA’s expectations span six domains, covering both non-financial and traditional financial risks. Detailed minimum expectations appear in Attachments A and B of the letter, signalling that this is a structured compliance document rather than a principles-only communication. Banks, insurers and superannuation funds are all in scope.

Risk domain, risk category and anchoring prudential standard:

  • Foreign interference, grey-zone activities and disinformation (non-financial): CPS 220, CPS 234
  • Insider and personnel risks (non-financial): CPS 220, CPS 234
  • State-linked and geopolitically motivated cyberattacks (non-financial): CPS 234, CPS 230
  • Capital and liquidity under geopolitical stress (traditional financial): CPS 220
  • Sanctions, market closures and funding shock scenarios (traditional financial): CPS 220, CPS 230
  • Embedding geopolitical risk into credit, funding and investment strategies (traditional financial): CPS 220

The breadth matters. This is not a cyber-only directive or a capital adequacy exercise. APRA expects institutions to treat disinformation campaigns with the same structural seriousness as funding withdrawal scenarios, and to anchor both within existing prudential obligations. The CFR defines geopolitical risk as encompassing international tensions, trade disruptions, sanctions, grey-zone activities and conflicts.

What geopolitical risk actually means for an Australian financial institution

The regulatory requirements sit on top of a specific economic reality. Australia is a mid-sized, trade-dependent economy with significant Asia-Pacific exposure, and those structural features create geopolitical risk channels that differ from larger, more domestically funded financial systems.

Three exposure channels matter most:

  • Offshore wholesale funding reliance: Australian financial institutions depend on offshore wholesale markets for a material portion of their funding, making them directly exposed to funding shocks driven by geopolitical events
  • Trade and sanctions exposure: Significant trade ties with Asia-Pacific partners mean that sanctions, trade disputes or diplomatic deterioration can affect credit quality, asset values and market access simultaneously
  • Global technology provider dependence: Growing reliance on global technology providers and complex cross-border supply chains amplifies both cyber and operational risk during periods of geopolitical stress

Taken together, Australia’s offshore wholesale funding dependence and deep trade ties with Asia-Pacific partners create geopolitical transmission channels that standard domestic stress tests were not designed to fully capture, compounding the exposure picture that APRA has now formalised as a supervisory priority.

[Figure: Structural exposure channels for Australian finance]

APRA’s May 2026 System Risk Outlook notes that cyber threats are becoming more sophisticated and increasingly shaped by geopolitical developments, including via advanced AI. The CFR’s systemic risk programme uses scenario analysis for adverse geopolitical events, with a particular focus on payment system contingency capabilities.

How geopolitical shocks transmit into the financial system

The CFR’s use of the term “grey-zone activities” refers to actions by state or state-linked actors that fall below the threshold of armed conflict but are designed to destabilise. In a financial context, this includes disinformation campaigns that erode confidence in an institution’s stability. APRA and the CFR treat such campaigns as a financial stability risk, not merely a communications problem, because a confidence shock can trigger deposit withdrawals or counterparty reassessment regardless of whether the underlying institution is solvent.

The gaps regulators have identified, and why they describe them as structural

Through 2025 engagements, APRA and fellow CFR agencies documented five recurring weaknesses across the regulated population. These are described as structural rather than incidental, a characterisation that carries weight for how supervisors will assess remediation efforts.

  • Awareness not translating into action: Geopolitical risk is widely recognised but is not being consistently embedded in risk management, contingency planning or scenario analysis
  • Board-level capability gaps on technology and AI: Many boards lack the technical knowledge required to effectively scrutinise technology-related risks, including those associated with artificial intelligence
  • Inadequate crisis and scenario exercises: Current exercises are often insufficient to assure boards that an entity could withstand a severe geopolitical disruption
  • Third-party and offshore dependency risk: Concentration in critical offshore service providers has been flagged as a systemic focus area for 2026 under CPS 230
  • Personnel and disinformation risks: Insider threats and reputational shocks triggered by information operations remain insufficiently covered in existing frameworks

“AI is being adopted faster than governance capabilities are maturing.” — APRA

The AI governance finding is particularly pointed. APRA has stated that many boards do not have the expertise to oversee AI-related and technology risks at the standard now expected. With AI adoption accelerating across financial services, the gap between capability and obligation is widening, not narrowing.

For boards and executives wanting to understand the specific cases already on APRA’s record, our dedicated guide to APRA’s documented AI governance failures covers a superannuation fund that misclassified vulnerable members and a general insurer whose AI pricing model lacked independent validation, along with the director liability implications that make these failures a personal accountability issue for board members.

Larger institutions will face a bespoke supervisory examination on geopolitical readiness

The 17 June 2026 letter went to every APRA-regulated entity. A separate, more consequential tier sits above it. Larger institutions with elevated geopolitical exposure will receive a follow-up communication from APRA, anticipated in the near term, initiating a bespoke readiness assessment.

This is not a self-assessment exercise. The targeted assessments have been incorporated into APRA’s 2026-27 supervisory plans across the banking, insurance and superannuation sectors, and assessors will arrive with an existing knowledge base. The CFR has been engaging large institutions with heightened exposure through its inter-agency work programme since late 2024, progressing through scenario analysis and payment system contingency work throughout 2025.

The targeted assessment will involve deep dives across four areas:

  1. Crisis management frameworks and board-level decision-making capabilities
  2. Funding resilience under geopolitical stress scenarios
  3. Sanctions and compliance frameworks
  4. Third-party arrangements and offshore dependency management

APRA’s own May 2026 stress testing programme confirmed that Australian banks and insurers hold strong capital and liquidity buffers, but the same assessment documented how geopolitical stress scenarios transmit into funding costs and asset values through commodity demand, trade terms and wholesale credit spread widening rather than through direct conflict exposure.

Where vulnerabilities are judged material, APRA has signalled it is prepared to impose capital, liquidity, governance or remediation requirements. The distinction between the general letter and the targeted tier is the difference between being told to prepare and being examined on whether preparation is adequate.

What boards and executives need to do before supervisors arrive

The regulatory expectations translate into three priority areas, ordered by the sequence in which supervisors are likely to assess them.

Governance and risk framework

Geopolitical risk must be explicitly incorporated into the risk taxonomy, risk appetite statement and board-level reporting. This means identifying specific transmission channels (funding, credit, markets, operations, reputation) and analysing how each could be affected by a geopolitical event. Qualitative acknowledgement in risk registers is no longer sufficient.

Board and executive capability

The documented gap between AI adoption speed and governance maturity requires targeted action. Boards need training and, where necessary, recruitment to lift capability on technology, cyber and geopolitical dynamics to the standard APRA has now signalled. This is an area where supervisors have explicitly flagged inadequacy.

Stress testing, resilience and crisis preparedness

Stress testing must include specific geopolitical scenarios: sanctions imposition, market closure, abrupt funding withdrawal and payment system disruption. Generic adverse macro scenarios do not meet the bar. Crisis simulations must genuinely test board-level decision-making under geopolitical triggers, with the board exercised on the decisions it would actually face rather than briefed on a scenario after the fact. CPS 230 anchors the requirements for third-party and operational resilience improvements, including addressing concentration risk in offshore service providers.

The CPS 230 operational resilience requirements set binding obligations for how regulated entities must identify, manage and test their capacity to maintain critical operations through severe disruptions, including those triggered by geopolitical events such as sanctions imposition or abrupt market closure.

The personnel and disinformation dimension is commonly overlooked. Insider-risk, information security and reputational risk frameworks need to account for politically motivated interference, an area the CFR has specifically included within its definition of geopolitical risk.


The regulatory direction of travel is clear: geopolitical preparedness is becoming a baseline expectation

APRA’s letter marks the shift from voluntary awareness to enforceable minimum expectations, with the 2026-27 supervisory cycle as the near-term accountability mechanism. Australia’s position as a trade-exposed, offshore-funded economy means geopolitical risk is not a tail risk that institutions can manage lightly. Regulators have formally elevated it to a mainstream financial stability concern. Institutions that fall short face targeted supervisory action, potential capital or remediation requirements, and the reputational consequences of being identified as inadequately prepared.

Frequently Asked Questions

What is APRA geopolitical risk regulation and what does it require?

APRA geopolitical risk regulation refers to the Australian Prudential Regulation Authority's formal expectation that every regulated bank, insurer and superannuation fund embeds geopolitical threats, including sanctions, cyberattacks, foreign interference and disinformation, into its existing risk management framework under CPS 220, CPS 230 and CPS 234.

Which prudential standards does APRA use to enforce geopolitical risk preparedness?

APRA anchors its geopolitical risk expectations across three existing standards: CPS 220 (Risk Management), CPS 230 (Operational Resilience) and CPS 234 (Information Security), meaning no new law was created and institutions are being held to bars already set.

What structural weaknesses has APRA identified in Australian financial institutions?

APRA documented five recurring gaps through 2025 engagements: geopolitical awareness not translating into action, board-level capability shortfalls on technology and AI, inadequate crisis simulation exercises, concentration risk in offshore service providers, and insufficient coverage of insider threats and disinformation risks.

Which institutions will face a bespoke APRA geopolitical risk assessment in 2026-2027?

Larger institutions with elevated geopolitical exposure will receive a separate follow-up communication from APRA initiating a targeted readiness assessment, covering crisis management frameworks, funding resilience under geopolitical stress, sanctions compliance, and third-party offshore dependency management.

What practical steps should boards take to prepare for APRA's geopolitical risk supervisory review?

Boards should explicitly incorporate geopolitical risk into their risk taxonomy and appetite statements, build capability on AI and cyber governance through training or recruitment, and design stress tests around specific scenarios such as sanctions imposition, abrupt funding withdrawal and payment system disruption rather than generic macro shocks.

By Branka Narancic
Partnership Director
Bringing nearly a decade of capital markets communications and business development experience to StockWireX. As a founding contributor to The Market Herald, she's worked closely with ASX-listed companies, combining deep market insight with a commercially focused, relationship-driven approach, helping companies build visibility, credibility, and investor engagement across the Australian market.