Three major regulatory frameworks are simultaneously in force or recently enacted for Australian and New Zealand banks, and none of them are approaching deadlines. They are current requirements. APRA’s Prudential Standard CPS 230 commenced on 1 July 2025, requiring all APRA-regulated entities to demonstrate operational resilience for critical business operations — including AI decisioning systems — with board-level documentation and governance. AUSTRAC’s most significant AML/CTF reform in two decades was enacted in March 2026, expanding transaction monitoring obligations substantially. And Australia’s Scams Prevention Framework is now legislated, creating specific bank liability for scam losses where adequate controls were not in place. A bank that cannot produce board-level documentation of how its fraud and credit AI systems operate, how they are overseen, and how they would be resilient under disruption is non-compliant with CPS 230 today. That is a different and more urgent position than any other market in this series faces.
The regulatory stack is unlike any other market
The convergence of CPS 230, the Scams Prevention Framework, and AUSTRAC reform is not coincidental — each framework addresses a different dimension of the same underlying problem. CPS 230 addresses operational resilience: can the AI system continue to function under stress, and does the board understand it well enough to oversee it meaningfully? The Scams Prevention Framework addresses detection adequacy: did the bank have real-time controls capable of preventing the scam, and if not, what is the liability consequence? AUSTRAC reform addresses monitoring scope: are the expanded transaction monitoring obligations being met with systems capable of detecting the typologies regulators now require?
Each framework, standing alone, would justify a fundamental review of AI decisioning infrastructure. Together, they create a compliance architecture with no gaps: an institution that has addressed one but not the other two faces simultaneous non-compliance on the remaining fronts.
APRA has been explicit about what CPS 230 requires of boards in the context of AI. The standard requires boards to identify, document, and test the operational resilience of all critical business services. Payments, deposit-taking, and customer functions are explicitly prescribed as critical operations for authorised deposit-taking institutions. An AI model operating as the decision engine for any of these functions must be documented to a standard that would survive a prudential review — which means the board must be able to demonstrate they understand how the model works, what it does when it produces unexpected outputs, and what the human oversight mechanism looks like in practice. APRA has stated directly that AI can assist but must never be an autopilot. Governance documentation is now a supervisory focus, not a formality.
The Scams Prevention Framework extends this logic to real-time detection. Australia’s New Payments Platform operates on irrevocable settlement — once a payment is authorised, the funds move and cannot be recovered from the receiving institution in the ordinary course. A bank that scores fraud decisions in batch, making its assessment after the payment has already been initiated, is making a prevention decision retrospectively. The SPF’s liability framework holds banks accountable for scam losses where adequate real-time controls were not in place. The architecture question — whether the bank’s fraud AI is operating at the point of payment initiation or after it — has become a direct liability question.
Fraud losses establish the scale of the problem — and the liability trajectory
Australia’s peak reported scam losses reached AUD 2.74 billion in 2023, according to the National Anti-Scam Centre’s Targeting Scams Report. The 2024 report recorded AUD 2.03 billion — a 25.9% reduction that reflects early Scams Prevention Framework measures and industry collaboration. The decline is real and should be acknowledged. It does not, however, reduce the regulatory and liability exposure that the SPF creates going forward.
The reason is structural. The 25.9% reduction was achieved before the SPF’s full liability framework came into force. Early measures — confirmation of payee systems, transaction delays, enhanced customer warnings — produced meaningful results. What the SPF now adds is an accountability mechanism: where a bank had inadequate controls and a customer suffered a scam loss, the liability consequences are specific and enforceable. The question shifts from whether losses are declining at the industry level to whether any individual institution’s controls would withstand scrutiny in a complaint before the Australian Financial Complaints Authority. ASIC’s 2024 review of anti-scam practices at smaller banks found that reviewed bank customers bore 96% of total scam losses over the 2022–2023 financial year, with reimbursement rates higher for customers who complained than for those who did not. That asymmetry reflects the absence of systematic controls, not the absence of good intentions.
The Westpac AUSTRAC settlement in 2021 — AUD 1.3 billion, the largest corporate penalty in Australian history at the time — established the cost benchmark for AML programme failure in Australia. The specific failures cited were not the absence of a monitoring system but the inadequacy of one already in place: thresholds calibrated to defaults rather than the institution’s actual risk profile, insufficient documentation of alert investigations, and failure to detect patterns that were detectable with better models. AUSTRAC’s reform law significantly expands what needs to be monitored. The cost of running an inadequate system through that expanded obligation is not speculative — the Westpac settlement provides the reference point.
The CDR advantage is available but time-limited
Australia’s Consumer Data Right gives accredited institutions access to richer, consented transaction data for credit modelling. A bank with AI credit models capable of incorporating CDR data at origination will be underwriting with meaningfully better signal than one relying solely on bureau data — more complete income verification, more accurate expense assessment, and the ability to serve self-employed and thin-file applicants who represent a significant underserved segment in the Australian mortgage market, which is among the largest relative to GDP in the world.
The competitive advantage CDR enables in credit decisioning is not permanent — it exists while the capability gap between institutions is large. Institutions that build CDR-capable credit AI now accumulate outcome data on the additional applicant population they can serve, improving model quality continuously. Institutions that build it later face a quality gap that is a function of how long early movers have been learning. In Australian mortgage banking, where margin compression has been significant and broker channel competition is intense, the decision speed and accuracy advantage of governance-grade AI trained on CDR data is a meaningful source of differentiation.
The addressable value is $7.4 to $14.1 billion across ANZ banking
The value at stake across ANZ is smaller in absolute terms than North America, EMEA, or APAC — reflecting market size — but the regulatory specificity of the opportunity is higher. Every category in the table below has a direct regulatory driver that is already in force, not approaching.
| Decision type | Estimated annual value | Regulatory driver |
|---|---|---|
| NPP / PayID real-time fraud prevention | $1.8–3.2B | Scams Prevention Framework liability. NPP irrevocable settlement makes batch scoring structurally non-preventive. (ABA; National Anti-Scam Centre 2024) |
| AML programme efficiency | $2.1–3.8B | AUSTRAC reform significantly expands monitoring obligations. Westpac AUD 1.3B settlement establishes the cost of inadequate systems. (AUSTRAC; ABA, 2021) |
| Mortgage credit decisioning | $1.5–2.8B | Australian mortgage market among world’s largest relative to GDP. AI scoring improves broker and direct channel conversion. CDR data unlocks thin-file and self-employed segment. (Industry estimates) |
| Scam detection (SPF liability) | $1.2–2.5B | SPF creates specific bank liability for scam losses where adequate real-time controls were absent. Behavioural AI detection of social engineering is a direct liability-reduction mechanism. (SPF legislation; ASIC 2024) |
| CDR / Open Banking credit models | $0.8–1.8B | Consumer Data Right enables richer credit models trained on consented transaction data. Accuracy advantage over bureau-only models. (CDR framework) |
| Total | $7.4–14.1B | Ranges are order-of-magnitude estimates informed by publicly available regulatory and market data. |
Note that all five categories have active regulatory frameworks already in force or recently enacted. The value at stake is not contingent on future regulatory action — it is contingent on whether institutions have built the AI infrastructure to capture it.
Part 1 of 3.
Sources
Australian Prudential Regulation Authority. Prudential Standard CPS 230 Operational Risk Management. Effective 1 July 2025. National Anti-Scam Centre / ACCC. Targeting Scams Report 2023. 2024. National Anti-Scam Centre / ACCC. Targeting Scams Report 2024. March 2025. Australian Securities and Investments Commission. Anti-Scam Practices of Banks Outside the Four Major Banks. Media release 24-182MR, 2024. AUSTRAC. Anti-Money Laundering and Counter-Terrorism Financing Reform. Effective March 2026. Australian Government. Scams Prevention Framework legislation. Australian Banking Association. Westpac AUSTRAC Settlement. AUD 1.3 billion, 2021. Australian Government. Consumer Data Right / Open Banking framework.
