← All posts
APRA · CPS 230 · EU AI Act

Reading APRA's May 1 letter as an Australian fintech CTO

What you need to ship before 2 August 2026.

Hani Koshaji · 15 May 2026 · 12 min read

Reading APRA's May 1 Letter as an Australian Fintech CTO — What You Need to Ship Before 2 August

On 1 May 2026, APRA published a letter to every regulated entity in Australia. Most boards will skim it, nod, and add "AI governance" to the agenda for next quarter's risk committee. If you read it carefully — and I mean the actual document, not a consultant's summary — it's not a vague request to do better. It's a countdown. 2 August 2026 is when the EU AI Act's main enforcement provisions kick in, and CPS 230 has been binding since July 2025. APRA is telling you those two instruments exist, your current controls don't meet them, and the next communication after this one will not be a letter. This post is what you should actually ship before then.


What APRA Actually Said

APRA's letter isn't long, but it's dense. The regulator spent late 2025 conducting targeted supervisory reviews across large banks, insurers, and superannuation trustees. The summary of what they found is not flattering.

The central finding, stated plainly in APRA's letter: governance, risk management, assurance, and operational resilience practices are failing to keep pace with the scale, speed, and complexity of AI adoption. Not slightly behind. Failing to keep pace. Those words are load-bearing.

The specific failure modes APRA called out are worth internalising:

On governance: Entities are treating AI risk as "just another technology risk," which misses the distinct characteristics of AI — probabilistic outputs, adaptive behaviour, inherent bias risks, and the opacity of foundation models they didn't train. The governance frameworks exist on paper; they are not operationalised. Policies aren't linked to specific systems. Ownership and accountability across the AI lifecycle (design → deployment → monitoring → decommissioning) are unclear. And critically: nobody has an inventory of what AI is actually running in production.

On boards: APRA found boards "still developing the technical literacy required for effective challenge and oversight" — leaning heavily on vendor presentations rather than independent assessments. The letter expects boards to maintain enough understanding to set strategic direction and provide genuine challenge, not just rubber-stamp management presentations.

On information security: Identity and access management hasn't been updated for non-human actors (i.e., AI agents). Prompt injection, data leakage, insecure integrations, and manipulation of autonomous agents are all listed as observed attack pathways. The letter specifically calls out "shadow AI" — staff using enterprise AI tools outside approved control frameworks — as a persistent problem, and notes that reliance on after-the-fact detective controls instead of preventive technical restrictions is inadequate.

On assurance: APRA found fragmented approaches across operational risk, cyber, data governance, model risk, change control, privacy, and procurement. The problem isn't just that assurance is weak; it's that point-in-time, sample-based methods are structurally unsuitable for probabilistic systems that learn, adapt, and degrade continuously. Internal audit functions, they note, lack the specialist skills to assess agentic behaviour and automated decision-making.

On third-party and supplier risk: Heavy concentration on single providers, no tested exit strategies, contractual arrangements that lag actual practice, and opacity in upstream dependencies (foundation models, training data, fourth-party services embedded in software platforms).

As FinTech Global reported, APRA explicitly stated it is not proposing new requirements at this stage. The expectation is that entities manage AI risks under existing prudential standards — CPS 230, CPS 234 (information security), and the governance standards. The phrase "meaningful progress" and "significant improvement" appear multiple times. Those aren't aspirational. They're the threshold for avoiding a remediation notice.


The CPS 230 + EU AI Act + ISO 42001 Stack

Three regimes are converging right now, and your auditor is going to ask about all three. Understanding how they interact is the prerequisite for building controls that satisfy any of them.

CPS 230 has been binding since 1 July 2025. It replaced CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), consolidating them into a single, broader operational risk framework. Crucially, it brought AI agents and third-party AI services explicitly into scope — if an AI system supports a critical operation, you need a credible fallback process (§44–58), and your service provider management obligations (§59–71) now cover AI vendors. The Clifford Chance analysis of CPS 230's influence on AI strategies is worth reading: APRA's requirements for risk identification, assessment, and management create the enforcement hook for every gap the May 1 letter describes. CPS 230 §22–71 is where your controls need to live.

The EU AI Act entered into force in August 2024, and most of the substantive provisions start applying on 2 August 2026. If you're an AU fintech offering services into the EU — lending, BNPL, super access for expats, insurance — you are caught. The Act imposes risk classification requirements, documentation obligations, human oversight mandates (Art. 14), transparency requirements (Art. 50), and for high-risk systems, specific technical robustness and accuracy requirements (Art. 9, 12). Enforcement sits with national competent authorities in each EU member state, but the liability is on the provider of the AI system. That may be you, depending on how your EU partnerships are structured.

ISO 42001 is the voluntary AI management system standard. Your auditor will use it as their test framework regardless of whether you've formally adopted it, because it's the closest thing to an auditable control library that covers AI-specific risks. It maps reasonably cleanly onto CPS 230: §6 (planning and risk assessment) → CPS 230 §22–43; §8 (operational controls) → CPS 230 §44–71; §9 (performance evaluation) → the assurance expectations in APRA's letter; §10 (improvement) → the continuous monitoring gap APRA flagged.

The practical implication: if you build your controls to satisfy CPS 230 §22–71 with ISO 42001 as your control library, you will be in a defensible position against both APRA and EU AI Act obligations. This is the crosswalk that matters.


What "Meaningful Progress" Actually Looks Like — Six Things to Ship in 90 Days

Here is what you need to build. Not what you need to document — what you need to build, and then document. The distinction matters.

1. An Agent Inventory

You cannot govern what you haven't named. Most AU fintechs I've spoken to have no structured inventory of what AI agents are running in production. They have Confluence pages. They have Slack threads. They have a spreadsheet someone started in Q3 2024 that's 60% complete.

APRA's minimum expectations explicitly include "an inventory of AI tooling and AI use cases." This is the baseline, not a stretch goal.

Your inventory needs to be machine-readable, version-controlled in git, and reviewed quarterly. The minimum fields:

agent_id,agent_name,owner,environment,model_provider,model_name,tool_list,data_access,customer_facing,criticality,deployed_date,last_reviewed
AGT-001,loan-eligibility-screener,credit-risk@,prod,Anthropic,claude-opus-4,["bureau_api","internal_crm"],["PII","credit_history"],true,high,2025-09-12,2026-04-01
AGT-002,fraud-alert-triage,fraud-ops@,prod,OpenAI,gpt-4o,["transaction_db","alert_queue"],["transaction_history"],false,high,2025-11-03,2026-03-15
AGT-003,policy-doc-summariser,legal@,prod,Anthropic,claude-sonnet-4,["confluence_api"],["internal_docs"],false,medium,2026-01-20,2026-04-01

If you can't fill out this CSV for every agent in production by the end of this week, you have a discovery problem before you have a governance problem. Start there.

2. A Written Policy Per Agent Class

The system prompt is not a policy. I cannot stress this enough. A system prompt is an instruction to a model; it is not an auditable control. APRA wants to see governance frameworks with "clear roles, risk appetite statements, and regular risk assessments." Your auditor wants to see something they can version-compare against a production incident.

What this looks like in practice is a structured policy document — YAML or JSON-Logic — that specifies for each agent class:

agent_class: loan-decisioning
version: "2.1.0"
effective_date: "2026-04-01"
owner: "credit-risk@yourbank.com.au"
approved_by: "CRO"

allowed_tools:
  - bureau_api
  - internal_crm_read_only
  - decision_log_write

disallowed_tools:
  - email_send
  - external_http
  - file_system_write

allowed_data_classifications:
  - PII_tier_2
  - credit_history

prohibited_destinations:
  - any external endpoint not in approved_api_registry

operational_limits:
  max_decisions_per_hour: 500
  max_credit_limit_auto_approve: 15000
  escalation_threshold_confidence: 0.75

escalation_rules:
  - condition: "confidence < 0.75 OR requested_limit > 15000"
    action: "queue_for_human_review"
  - condition: "bureau_api_failure"
    action: "suspend_and_alert"

review_cycle: quarterly
audit_log_retention_days: 2555  # 7 years per ASIC requirements

This document lives in git, has a PR history, and is signed off by your CRO or equivalent. When your auditor asks "what is the policy for your loan decisioning agent," you hand them a URL to a git commit, not a PowerPoint.

3. Runtime Enforcement, Not Prompt-Scanning

This is where most implementations fail, and it's where APRA's expectation diverges sharply from what most vendors are selling.

Prompt scanning — inspecting inputs and outputs for policy violations — is not a control in any framework that matters. It's not a control because:

  1. The model sits between the prompt scanner and the tool call. The model can be manipulated into producing compliant-looking outputs that lead to non-compliant actions.
  2. Prompt scanners produce false negatives at a rate that makes them unsuitable as primary controls for high-stakes systems.
  3. They don't produce the tamper-evident, action-level audit trail that CPS 230 §22 and EU AI Act Art. 12 require.

The control has to live outside the model and evaluate every tool call, synchronously, before the tool executes. It needs to:

  • Evaluate the proposed tool call against the agent's written policy (see item 2 above)
  • Allow, deny, or escalate based on policy logic — not heuristics
  • Log every decision with a unique event ID, timestamp, agent ID, tool name, policy version, decision, and the hash of the decision payload
  • Produce logs that are cryptographically tamper-evident (more on this below)

If your enforcement lives inside the model's context window, it's not an enforcement mechanism — it's a suggestion.

4. A Kill Switch You've Actually Drilled

CPS 230 §44–58 covers business continuity. Your AI agents are now in scope for that section. If an AI agent supports a critical operation and fails — due to model degradation, a prompt injection attack, a third-party API outage, or unexpected agentic behaviour — you need a documented, tested fallback.

"Kill switch" is a simplification. What you actually need is:

  • A per-agent circuit breaker that can be triggered manually or automatically (anomaly threshold exceeded, model provider outage, etc.)
  • A fallback process for each agent (human queue, rule-based system, suspend with notification) — documented, not improvised
  • A quarterly drill, with a written test report: what was triggered, what fired, what broke, what was fixed
  • Evidence that the drill happened (calendar invite, attendee list, test log, remediation items)

The drill is not optional. APRA wants evidence of testing, not evidence of planning. "We have a BCP" is the wrong answer. "Here is the BCP test report from 14 March 2026 and here are the three remediation items it generated" is the right answer.

5. An Audit Trail Your Auditor Can Verify in 10 Minutes

The APRA letter flags assurance as the biggest gap. The specific failure mode is reliance on point-in-time, sample-based methods. What replaces that is continuous, structured logging that an auditor can independently verify.

"Independently verify" is the operative phrase. Your auditor does not trust your monitoring dashboard. They want a file they can take offline and verify against a published specification.

The minimum viable approach is a hash-chained log file: each log entry includes a SHA-256 hash of the previous entry, so any insertion, deletion, or modification to the log breaks the chain. The auditor downloads the file, runs a single script, and gets a pass/fail on chain integrity.

import hashlib, json, time

def append_log_entry(log_file: str, prev_hash: str, event: dict) -> str:
    entry = {
        "event_id": event["id"],
        "timestamp": time.time_ns(),
        "agent_id": event["agent_id"],
        "tool_name": event["tool"],
        "decision": event["decision"],
        "policy_version": event["policy_version"],
        "prev_hash": prev_hash,
    }
    entry_bytes = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(entry_bytes).hexdigest()
    with open(log_file, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry["entry_hash"]

This is five extra lines of logic per log write. There is no excuse for not having it. The EU AI Act Art. 12 and CPS 230 §22 both require records that demonstrate the control system was operating as intended at specific points in time. A hash chain is the simplest mechanism that satisfies both.

For higher-assurance requirements, append the hash to an immutable log service or a blockchain anchor — but start with hash chaining. It's auditable, it's simple, and it's defensible.

6. Evidence Mappings to the Frameworks Your Auditors Already Use

This is the item that most technical teams resist and most compliance teams don't know how to build. Do it anyway.

Your auditor is going to arrive with a questionnaire. It will reference SOC 2 criteria (CC1–9), CPS 230 sections, and possibly EU AI Act articles. If your answer to every question is "we have a policy," you will not pass. The answer that passes is: "Control X satisfies CPS 230 §42, EU AI Act Art. 9, and SOC 2 CC7.2 — here is the evidence artefact."

The evidence mapping is a spreadsheet (or a YAML file in git, if you want to be rigorous) with columns:

Control Description CPS 230 EU AI Act SOC 2 ISO 42001 Evidence Artefact
Agent Inventory Complete register of AI agents §22, §59 Art. 9 CC1.2, CC6.1 §6.1.2 agent_inventory.csv @ git hash abc123
Runtime Policy Enforcement Tool-call gate with policy eval §22, §30 Art. 9, 14 CC7.2, CC8.1 §8.4 Enforcement engine v2.1.0, test report 2026-04-01
Kill Switch Drill Quarterly BCP test for AI agents §44–58 Art. 9 CC9.1 §8.5 BCP test report 2026-03-14
Tamper-Evident Audit Log Hash-chained event log §22, §42 Art. 12, 50 CC7.2 §9.1 audit.log + verification script
Third-Party AI Inventory AI provider mapping §59–71 Art. 9 CC9.2 §6.1.2 supplier_ai_register.csv
Continuous Monitoring Model drift and anomaly alerting §38, §42 Art. 9, 12 CC7.1 §9.1 Monitoring runbook + alert history

The mapping is the deliverable. The controls are bullets under it. When your external auditor or APRA examiner asks for evidence, you hand them the mapping, and the mapping points to artefacts they can independently verify. This is the difference between an audit that takes 10 minutes and one that takes three weeks and generates a findings report.


What This Looks Like for an OpenClaw Fleet Specifically

If you're running OpenClaw fleets internally — and a significant chunk of AU mid-market is, based on what I'm seeing in production environments and what FleetDM's detection tooling has been flagging — you have a specific compliance surface that most governance frameworks haven't caught up with yet.

Each claw in an OpenClaw fleet is an individual "agent" under CPS 230 §59–71 (service provider management, because OpenClaw calls external model APIs) and §30–43 (operational risk from automated processes). The Wired piece on OpenClaw's autonomous behaviour captures what practitioners have known for a while: these agents have broad tool access, persist across sessions, and can take consequential actions — credit card management, file system access, email — with no deterministic enforcement layer between the model decision and the tool execution.

Your only deterministic enforcement point is the before_tool_call hook:

async def before_tool_call(agent_id: str, tool: str, args: dict) -> dict:
    policy = load_policy(agent_id)           # version-controlled YAML
    decision = policy.evaluate(tool, args)   # allow / deny / escalate
    log_entry(agent_id, tool, args, decision) # tamper-evident
    if decision != "allow":
        raise PolicyViolation(f"{tool} denied: {decision.reason}")
    return args

If you're not intercepting at this layer — if your "control" is a system prompt instruction saying "don't do bad things" — you do not have a control. You have a hope.


The Hard Part Isn't the Controls. It's the Evidence.

The reason most AU fintechs aren't ready for what's coming isn't that they lack controls. It's that they lack the evidence chain that ties a control to a specific event in production.

A SOC 2 report says "we have a policy." CPS 230 — and increasingly APRA's examination practice — wants something different: "show me that the policy fired on event ID 47829 at 03:14 on 2 March, and show me the cryptographic proof you're not making this up."

This is a genuinely different standard of evidence, and most companies will get caught flat-footed.

Here's what typically happens: a company builds a governance framework, documents their policies, runs a point-in-time audit, and gets a clean report. Six months later, something goes wrong — a model produces a biased output, an agent makes an unauthorised API call, a third-party model provider changes their model without notice. The incident investigation then discovers that the logging was incomplete, the policy wasn't actually enforced at runtime (it was a prompt instruction, not a gate), and the audit trail doesn't show what the model was doing at the time of the incident.

At that point, you don't have a governance problem. You have an evidence problem. And an evidence problem in front of APRA, post-incident, is much worse than a control gap caught in a routine examination.

The six things above are designed to close the gap between "we have policies" and "we can prove, cryptographically, that those policies were enforced in production, at this specific event, at this specific time." That's the bar. It's not unreasonable — it's what every serious financial services regulator in the world is moving toward as AI systems become operationally embedded.

The assurance capability you need is not a dashboard. It's a verifiable record: structured logs, hash chains, policy version references, and an evidence mapping that lets an auditor or examiner walk from a specific production event back to the control that was supposed to govern it.


I've been building exactly this layer — AgentGuard — because it's the gap I hit running my own production OpenClaw fleet. If you want the evidence pack (evidence mapping templates, policy YAML schemas, audit log specification), it's at agentguard.tech/compliance.


The Clock

79 days from today to 2 August 2026.

APRA's 1 May letter is the last polite warning. It told you what they found, what they expect, and what standards they're measuring you against. The next communication comes with a remediation order, and remediation orders are public. Ship the six things above. Document the evidence. Make sure your audit log is verifiable by someone who doesn't work for you. If you get to 2 August with an agent inventory, written policies in git, runtime enforcement with a tamper-evident log, a drilled kill switch, and a framework evidence mapping — you are not perfect, but you are defensible. That's the standard. Be defensible.

The layer I built for this exact problem

AgentGuard is the runtime governance layer for production AI agents. CPS 230 evidence on Day 1, EU AI Act and ISO 42001 mappings included. Built by an Australian fintech operator running an 18-agent OpenClaw fleet in production.