'In the eye of the storm': insurance regulatory risk 2025

Key areas of regulatory focus

Enforcement against insurers remains one of ASIC's core 2025 enforcement priorities, which specifically calls out 'failures by insurers to deal fairly and in good faith with customers'.

This is a broader statement of purpose than in previous years—in which ASIC had called out specific issues such as 'claims handling' (2024) and 'failures by providers of general insurance to deliver on pricing promises to consumers' (2023). Rather than expecting any of these topics to come 'off the boil', we interpret ASIC's statement to signal focus on all of these areas and more.

Regulatory priorities throughout 2023 and 2024 have been defined by a focus on protecting consumers from harm, particularly following significant events such as natural disasters and large-scale data breaches. We expect to see this continue, as associated proceedings progress through the courts.

Claims handling and severe weather events

Claims handling by insurers has become a key focal point in the media and before parliamentary inquiries, as well as with insurers' main regulators. Following increasingly severe weather events, instances have emerged of physical damage being worsened by alleged claims-handling delays and insurers making unreasonable demands of policyholders. Relatedly, the majority of complaints received by AFCA in at least the last five years have related to some aspect of claims handling, whether it be delays, denials or concerns about the amounts paid.

In recent years, a series of substantive reports have outlined various alleged failures by insurers, with the industry responding quickly to bolster claims-handling capabilities:

ASIC Review on Home Insurance Claims Handling (June 2025)

Following its 2023 report, 'Navigating the Storm: ASIC's Review of Home Insurance Claims', ASIC found that insurers have since made progress to address various areas for improvement, but need to improve their oversight of independent experts, maintain adequate resourcing in the context of severe weather events and implement their claims-handling programs more consistently.

Flood Failure to Future Fairness: Report on the Inquiry into Insurers' Responses to 2022 Major Floods Claims (House of Representatives, Standing Committee on Economics, October 2024)

The final report from the Parliamentary Inquiry into the 2022 Floods in NSW and Queensland concluded that many people experienced communications delays, were involved in lengthy and adversarial disputes and were forced to grapple with overly complex technical questions. As a result, the report states that 'too many families and individuals were left behind', and insurers need to make 'systemic changes'.

Oversight of External Experts (General Insurance Code Governance Committee, August 2024)

In its inquiry into the use of experts by insurers, the CGC found that external experts too frequently make recommendations beyond their expertise and that insurers provide insufficient guidance on the role of experts. Also highlighted by ASIC and the Parliamentary Inquiry, reliance on expert reports is a likely target for regulatory scrutiny, noting the significant role played by experts in claims arising from severe weather events.

Corporate Plan 2025–26 (APRA)

In its most recent Corporate Plan, APRA identified environmental developments as a key external driver for insurance risks, as the increased frequency and severity of climate events affects the affordability and accessibility of insurance. APRA also plans to release the results of its Insurance Climate Vulnerability Assessment in the first half of 2026, focusing on the impact of climate change on insurance affordability—an additional source of pressure for insurers to contend with in uplifting their claims-handling capabilities.

In April of this year, ASIC followed through on these warnings by commencing proceedings against Hollard Insurance Partners Limited (Hollard) in the Federal Court for alleged claims-handling failures following a severe weather event. ASIC alleges the insurer breached its duty of utmost good faith by reason of its delay in handling a Victorian couple's insurance claim in the aftermath of a major storm in October 2021. Hollard declined the claim in April 2023.

ASIC is seeking declarations and a civil penalty under the Insurance Contracts Act, stating in its media release that its intention is to 'send a clear message that delays of this magnitude are not acceptable and, in our view, are unlawful'.

Complaints handling

Deficiencies in customer complaints handling have also received significant regulatory attention since our last report. In many ways, this issue is tied in with broader regulatory concerns about claims handling, with levels of customer complaints being seen by regulators as a 'canary in the coal mine' for wider issues. Complaints against insurers rose by 50% in 2022-23 and by a further 5% and 17% in 2023-24 and 2024-25 respectively.1 After several years in which delayed claims handling was the most common issue raised in complaints, misleading product/service information became the most significant issue for complainants across 2024-25, accounting for 22% of all complaints.2

In December 2024, ASIC released its 'Cause for Complaint: Complaints Handling in General Insurance' Report following its review of eleven general insurers' compliance with Regulatory Guide 271 on Internal Dispute Resolution (IDR).3 This report found that insurers:

  • were not identifying and recording all complaints;
  • were failing to identify systemic issues;
  • had immature systems for handling and reporting of complaints; and
  • were failing, to varying degrees, to communicate with consumers in line with their obligations under RG 271.

The extent to which insurers were not meeting basic requirements of RG 271 was said by ASIC to be unacceptable given the IDR obligations had commenced in September 2021.

This report followed 'hot on the heels' of ASIC's earlier review into home insurance claims published in August 2023,4 which identified inadequate resourcing of internal complaints-handling mechanisms as a key issue.5 Elsewhere, ASIC suggested it is collecting further data on complaints handling, which might inform an increase in regulatory activity.6

Similar concerns also appear to be vexing ASIC in the context of life insurance, with ASIC sending a letter in August of this year to the CEOs of all ASIC-regulated life insurers, friendly societies and life insurance distributors. In that letter, ASIC noted (among other things) a significant increase in claims disputes across all channels, with dispute rates more than doubling since 2018. ASIC also signalled its position that complaints help indicate where systemic issues may be present and observed that many life insurers have limited information-sharing about complaints between internal teams and insufficient standards for analysing complaint trends and root causes.7 

Interestingly, we are yet to see the commencement of any enforcement proceedings concerning customer complaints handling in an insurance context. In the superannuation space, by contrast, ASIC commenced a proceeding in 2023 against Telstra Super alleging a breach of the 'efficiently, honestly and fairly' standard in relation to its handling of complaints. Judgment in that case is expected later this year, and the decision may well set a precedent that informs ASIC's consideration of further enforcement activity.

From an AI perspective, we note that customer enquiries and complaints are widely seen as fertile ground for the adoption of AI-based tools. While this has real potential to streamline service delivery, including in the insurance sector, there are also significant associated risks. A key issue is likely to be the degree of transparency involved, especially around the use of AI in decisions that affect customers and associated privacy concerns. In February 2025, the Australian Information Commissioner, Elizabeth Tydd, reiterated the importance of transparency in protecting rights where AI is deployed.8

Pricing promises

Another clear trend that continues to emerge from the filings data is regulatory activity enforcing pricing and other promises made by insurers, particularly in relation to agreed discounts and other entitlements that may not have been properly implemented or delivered to customers.

This trend reached its zenith for general insurers with the release of ASIC's 'When the Price is Not Right: Making Good on Insurance Pricing Promises' Report in June 2023 (Report 765).9 As a result of ASIC's call for general insurers to review their pricing practices, systems and controls to ensure consumers receive the full discounts they were promised, over $815 million was ultimately remediated to more than 5.6 million consumers.

While pricing promises has fallen off its pedestal as one of ASIC's standalone enforcement priorities in 2025, it is evident that this issue remains high on ASIC's agenda—as well as that of the ACCC—with regulatory filings since June 2023 including the following new proceedings:

ASIC v RACQ (commenced 22 September 2025)

ASIC alleges that between September 2019 and December 2024, RACQ issued more than 570,000 renewal documents to customers containing representations about a ‘last period premium’ amount that was false or misleading. It is alleged that in many cases, this amount was higher than what customers had paid (or were paying) after negotiating discounts or making a change to their policy that affected the premium, leading to a distorted view of how much their premium was actually increasing. The case is ongoing.

ACCC v Bupa (commenced 30 June 2025)

The ACCC has commenced proceedings against Bupa in the Federal Court, alleging Bupa breached the ACL by advising members incorrectly that they were not entitled to private health insurance benefits for their entire claim, further underscoring the need to communicate policy terms clearly. The ACCC and Bupa have jointly asked the court to order a total penalty of $35 million.

ASIC v QBE (commenced 22 October 2024)

ASIC has alleged that between July 2017 and September 2022, QBE made statements and sent renewal notices promising discounts on premiums for a range of general insurance products, including home, contents and car insurance, which some customers did not receive as a result of QBE’s pricing model. The case is ongoing.

ASIC v IAG (commenced 24 August 2023)

ASIC has commenced civil penalty proceedings in the Federal Court against IAG alleging it misled customers by using loyalty discounts to encourage them to renew their home insurance policies where their premiums may have been increased before the discounts were applied. The case is ongoing.

While Report 765 has likely focused insurers' attention on the general accuracy of pricing statements, there are a few additional categories of representations that may see an increased focus in the years ahead:

  • The first is where insurance policy terms are vague or unclear (which can attract allegations of misleading or deceptive conduct as well as alleged violations of the unfair contract terms regime). In this regard, AFCA has observed a 365% rise in complaints relating to misleading policy information from 2023-24 to 2024-25, which it attributes to a rise in complaints regarding add-on insurance.10 These complaints are said to relate to unfair sales practices, poor product design, inadequate disclosure and instances of misrepresentation or undue pressure. There is something of a tension faced by insurers in trying to 'thread the needle' between regulatory expectations that they express policy terms in an 'everyday' or 'plain English' manner (thereby making policy wordings more accessible) and running the risk of misdescription or overreach. This came to the fore most clearly in ASIC v Auto & General Insurance Company Limited, in which policyholders were asked to tell their insurer if 'anything' changed in their home and contents. While ASIC was ultimately unsuccessful, both at trial and on appeal, this remains an area for insurers to watch carefully.
  • A second is 'greenwashing' and 'bluewashing' representations, with misleading or deceptive conduct involving ESG claims an ongoing enforcement priority for ASIC in 2025.11 While ASIC has been particularly active in this space in pursuing superannuation and investment funds, there has not yet been any greenwashing enforcement against the insurance sector. The risk is likely to be particularly heightened in the setting of green underwriting commitments like net zero, or for definitive statements about the kinds of risks or projects underwritten, especially where they are seen to lack a reasonable basis.

Cyber risk

We are yet to see cyber-related enforcement activity against an insurer in the Australian market. However, following increased regulatory scrutiny of superannuation funds—particularly in respect of their cyber-security preparedness and record keeping and destruction practices, in light of a series of targeted cyber incidents in March and April of this year—we expect regulators will continue to expand their focus on the insurance sector.

With APRA's Operational Risk Management Prudential Standard (CPS 230) coming into effect in July of this year, the insurance sector is the subject of significant compliance uplifts, with APRA now expecting insurers to be engaged in each of the following activities:

  • establishing business continuity plan(s) that outline the organisation's approach to maintaining critical business operations through disruptions;12
  • conducting comprehensive risk assessments before providing material services to another party to ensure ongoing compliance with requisite prudential obligations;13
  • designing, implementing and embedding internal controls to mitigate operational risk (and regularly reviewing such controls at a frequency commensurate to the risk);14 and
  • maintaining a comprehensive service provider management policy to manage supply-chain risks.15

In the particular context of cyber risk, APRA has highlighted the importance of:16

  • having a clear understanding of the control environment—noting that entities that understood the environment, particularly payment processes, were better equipped to respond to a cyber incident by swiftly disrupting transactions and recovering funds;
  • improving preparedness for an incident through a well-developed, regularly exercised incident response plan;
  • implementing robust authentication controls, undertaking self-assessments of information controls and ensuring multi-factor authentication (or equivalent protections) are in place for high-risk activities;17 and
  • being prepared for a prolonged recovery phase in the aftermath of an incident.

While the CPS 230 regime is still in its infancy, APRA's Corporate Plan for 2025-26 clarifies that the regulator will be seeking to monitor implementation as part of its supervisory priorities aimed at strengthening resilience to operational risks.18 Similarly, strengthening digital and data resilience was identified as a key strategic priority in ASIC's 2025-26 Corporate Plan.19

AI risk

The insurance industry has historically been an early adopter of AI, with various applications already in place or under consideration to assess risk, develop pricing models, detect and prevent fraud, engage with customers and enhance internal business processes.

Unlike other jurisdictions, Australia is yet to enact AI-specific legislation. The EU's Artificial Intelligence Act came into effect in June last year and prohibits certain systems that may be applicable to insurers, such as 'social scoring' that evaluates or classifies individuals or groups based on social behaviour and subsequently causes unfavourable treatment. Further, in the US, the National Association of Insurance Commissioners' model bulletin—'Use of Artificial Intelligence Systems by Insurers'—outlines various expectations as to how insurers will govern the use of AI (with 24 US states now having adopted the bulletin).20

Nevertheless, in Australia there are a number of technology-neutral, principles-based instruments applicable to the insurance sector that can be applied to the adoption and use of AI. These include:

  • CPS 230 and its associated governance and compliance requirements to ensure organisations have the capabilities to manage operational risk, including in relation to AI.
  • The application of anti-discrimination laws,21 with the Australian Human Rights Commission publishing practical guidance for insurers on mitigating the risks of discrimination in an AI context, particularly where algorithmic decision-making may perpetuate biases from underlying data sets in the context of pricing and underwriting decisions.22
  • The Australian Government's Voluntary AI Safety Standard,23 which was published in September 2024 and consists of 10 voluntary guardrails for how Australian organisations should safely and responsibly use and innovate with AI. These guardrails cover requirements from testing AI models to establishing risk management processes within an organisation. We expect Australian regulators will increasingly look to these standards when enforcing existing principles and risk-based regulatory obligations in connection with AI harms.

In July this year, ASIC Chair, Joe Longo, reiterated ASIC's position that sufficient legal and regulatory tools already exist in the AI space and will be actively enforced by ASIC, especially in order to protect consumers against the poor use of AI.24 ASIC has also highlighted concerns around a 'governance gap' among AFS and credit licensees and has specifically called out the need to see clear AI strategies, policies and procedures, with AI included in risk appetite statements.25

Similarly, the ACCC has highlighted its concerns over the potential for consumers to be misled by AI-generated output, noting the risk of preventing informed decision making.26

Lastly, the OAIC has been vocal about its expectation that organisations apply the Privacy Act to all AI systems. The OAIC is focused on ensuring organisations are transparent about their use of AI in a manner that affects individuals or ingests or processes their personal information and is exploring ways to regulate this. Insurers will need to ensure their privacy policies reflect whether they are using AI for automated decision-making purposes by the end of 2026.27

Footnotes

  1. AFCA, Annual Review 2024-25: General Insurance Complaints  

  2. AFCA, Annual Review 2024-25: General Insurance Complaints  

  3. ASIC, Report 802: Cause for complaint: Complaints handling in general insurance (December 2024)

  4. ASIC, Report 768: Navigating the storm: ASIC's review of home insurance claims (August 2023)  

  5. Ibid 32-33  

  6. Alan Kirkland, 'The expectation gap: Remarks to the Insurance Council of Australia 2024 Annual Conference' (Speech, October 2024)  

  7. dear-ceo-letter-improving-the-direct-sale-of-life-insurance.pdf  

  8. Artificial Intelligence, Law and Society conference | OAIC  

  9. REP 765 When the price is not right: Making good on insurance pricing promises | ASIC  

  10. AFCA, Annual Review 2023-24: General Insurance Complaints  

  11. ASIC, Report REP 812 ASIC enforcement and regulatory update: January to June 2025

  12. Prudential Standard CPS 230 (Operational Risk Management), paragraphs 16(2) and 34

  13. Prudential Standard CPS 230 (Operational Risk Management), paragraph 28

  14. Prudential Standard CPS 230 (Operational Risk Management), paragraphs 29 and 30

  15. Prudential Standard CPS 230 (Operational Risk Management), paragraph 47

  16. APRA, "APRA releases notes on Superannuation Industry Roundtable from July 2025 following cyber incidents" (11 August 2025)

  17. APRA, "APRA reinforces expectations on authentication controls in superannuation sector" (10 June 2025)  

  18. APRA Corporate Plan 2025-26 | APRA

  19. Refer to our Insight Article for more information on ASIC and APRA's Corporate Plans  

  20. Implementation of NAIC Model Bulletin: Use of Artificial Intelligence Systems by Insurers

  21. For example, Federal anti-discrimination laws include the Age Discrimination Act 2004, the Australian Human Rights Commission Act 1986, the Disability Discrimination Act 1992, the Racial Discrimination Act 1975 and the Sex Discrimination Act 1984. State anti-discrimination laws include the Anti-Discrimination Act 1977

  22. Australian Human Rights Commission, Guidance Resource: Artificial intelligence and discrimination in insurance pricing and underwriting

  23. Australian Government, Voluntary AI Safety Standard | Department of Industry Science and Resources (5 September 2024).

  24. ASIC Corporate Plan 2025-26  

  25. Report REP 798 Beware the gap: Governance arrangements in the face of AI innovation  

  26. Digital Platform Services Inquiry final report - March 2025 | ACCC  

  27. Chapter 1: APP 1 Open and transparent management of personal information | OAIC