By Andrew Cooke
On 30 April 2026, the Australian Prudential Regulation Authority (APRA) wrote to every bank, insurer and superannuation fund in the country. The message: fix artificial intelligence governance or face enforcement action.
Most legal practitioners who noticed that letter read it as someone else’s problem. APRA regulates financial institutions, not law firms. The letter was not addressed to them.
That reading is understandable. It is also producing a blind spot that creates professional liability exposure across three distinct aspects of legal practice – and it does not require an APRA licence to trigger.
ASIC moved first
What makes the situation more urgent is that the conduct regulator got there before APRA.
In October 2024, the Australian Securities and Investments Commission (ASIC) published REP 798, titled Beware the Gap: Governance Arrangements in the Face of AI Innovation. The finding: financial services licensees are deploying AI faster than they are building governance to match. ASIC was not describing distant risks. It cited an AI model used in credit risk scoring that nobody in the organisation could explain – a black box making consequential decisions, signed off by people who did not understand what it was doing.
ASIC’s warning to directors was precise. The obligation to act “efficiently, honestly and fairly” under the Corporations Act 2001 (Cth) is technology-neutral. It applies to AI systems exactly as it applies to human advisers. ASIC’s 2025–26 Corporate Plan placed AI governance among its top supervision priorities. ASIC has since described 2026 as a “Year of Accountability,” with explicit intent to pursue civil penalties and criminal referrals against directors who fail to exercise independent judgement over material risks.
AI is a material risk. The Year of Accountability has already started.
How two regulators become one problem
APRA and ASIC do not operate in isolation. They share a statutory Memorandum of Understanding, jointly administer the Financial Accountability Regime Act 2023 (Cth) and are required by law to notify each other of suspected breaches.
The historical pattern matters. APRA administered the Banking Executive Accountability Regime alone from 2018. By 2024 it had become the Financial Accountability Regime – jointly administered, with ASIC holding the conduct enforcement lever over individual directors and executives. APRA sets the governance standard. ASIC converts it into personal accountability. That pattern is now repeating on AI governance.
For any director of an Australian Financial Services Licence holder, a regime-covered entity or an organisation whose AI systems affect consumers, both lenses are already active.
Three exposure points for legal practitioners
The exposure lands across three aspects of legal practice simultaneously, and most practitioners are tracking none of them.
As board advisers. Legal practitioners advising on director obligations, AI governance or corporate strategy are helping clients navigate a standard they may not fully understand themselves. Advisers who cannot explain the APRA–ASIC mechanism – or who have not assessed whether a client’s AI governance would withstand ASIC scrutiny – are operating in a gap between what their advice covers and what the regulatory environment now requires.
As directors. Many WA legal practitioners sit on boards in a professional capacity. Section 180 of the Corporations Act 2001 imposes a duty of care and diligence requiring directors to inform themselves with sufficient depth to exercise independent judgement on material matters. Receiving a management report that says “AI is being used responsibly” is not the same as being able to demonstrate adequate oversight. ASIC is explicit: “I did not know the algorithm did that” is not a legal defence for a director in 2026.
As principals of law firms. Law firms using AI in document review, research, contract analysis or practice management are operating systems that touch client work. The Law Council of Australia has clarified that the duty of competence extends to supervising AI output as it does to supervising a junior solicitor. A further unresolved question: whether legal professional privilege extends to client data processed through third-party AI platforms. Most firms have not worked through it.
The window is closing
The Privacy Act 1988 (Cth), as amended from 10 December 2026, adds a further obligation. Organisations using AI to make substantially automated decisions that significantly affect individuals must disclose this in their privacy policy. Legal practices using AI-assisted tools in employment, financial advice or other individual-affecting contexts may be in scope. Many do not yet know whether they are.
None of this requires a law firm to become technically literate in machine learning. It requires three things: knowing what AI is doing in the practice, having a named person accountable if something goes wrong, and being able to demonstrate both on short notice.
Most practices cannot do any of the three.
Conclusion
APRA’s April 2026 letter was addressed to banks and insurers. The professional conduct obligations it reflects are not confined to those entities. Legal practitioners advising boards, sitting on boards or running practices that use AI tools have their own accountability to discharge – one that existing professional body guidance does not yet fully address.
Three questions frame where most practices stand today: What AI are we using in client-facing work? Who is accountable if an AI-generated output causes harm? And if a regulator or a court asked for our governance documentation tomorrow, what would we give them?
The window for answering those questions calmly – before a regulator, a client complaint or a court inquiry forces the answer – is getting shorter.
