What to expect over the next 12 months
Each year, ASIC and APRA release their Corporate Plans, which identify the regulators' strategic priorities and projects. They provide an insight into where ASIC and APRA will direct their resources and enforcement and supervisory activity for the year ahead.
This year, key themes across the ASIC and APRA Corporate Plans and ASIC Enforcement and Regulatory Update include a focus on data, technology risks and strengthening cyber resilience, retirement outcomes and superannuation, climate-related financial risk and sustainable finance, protecting consumers, small businesses and investors and strengthening financial market integrity.
The Corporate Plans also provide insights into ASIC and APRA's enforcement approach for the year ahead, with ASIC reiterating its commitment to pursuing high penalties and sentences through the courts where necessary and APRA indicating it has a strong appetite to increase the intensity of its supervision and take formal enforcement action where appropriate.
In this Insight, we consider these key themes across the Corporate Plans, as well as ASIC's Enforcement and Regulatory Update, which we expect will inform both regulators' supervisory and enforcement agendas over the next year or so.
Strategic priorities
ASIC's Corporate Plan identifies five key strategic priorities:
- improving consumer outcomes, including in relation to lender responses to financial hardship, debt collection and scams
- strengthening market disclosure and professional conduct
- supporting better retirement outcomes and member services
- strengthening operational digital and data resilience and safety
- driving integrity and transparency across markets.
APRA has outlined its four strategic objectives:
- maintaining financial and operational resilience
- responding to significant and emerging risks
- 'getting the balance right' to ensure its regulation is 'efficient and proportionate'
- improving its organisational effectiveness.
Common themes across both Corporate Plans include an ongoing focus on data, technology risks and strengthening cyber resilience, safeguarding retirement outcomes, climate-related financial risk and sustainable finance and strengthening integrity across financial markets. These themes are shaped by broader trends that intersect with the regulatory environment, including geopolitical volatility and uncertainty, technological advancements, Australia's ageing population, the energy transition and the rapid shift towards private market investment.
This year, both ASIC and APRA are also focused on achieving more efficient and effective regulation to support the Federal Government's agenda to drive increased productivity.
Enforcement approach
ASIC
In this year's Corporate Plan, ASIC reiterates its commitment to 'pursuing high penalties and sentences' through the courts.
ASIC's Enforcement and Regulatory Update identifies ASIC's key regulatory and enforcement activities in the first half of 2025. During that period, ASIC maintained an active enforcement agenda focusing on its recent and current enforcement priorities, including design and distribution obligations, misconduct exploiting superannuation savings, failures by insurers to deal fairly and in good faith with customers and business models designed to avoid consumer credit protections. ASIC secured six criminal convictions and $57.5m in civil penalties in that period.
APRA
APRA's Corporate Plan states that APRA retains a 'strong appetite' to 'increase the intensity of supervision' and to take formal enforcement action against entities or individuals where appropriate. This agenda is reflected in a relative uptick in APRA enforcement over the past year, which we expect will continue in the coming year.
APRA's supervisory priorities in its Corporate Plan support its strategic objectives and include strengthening crisis preparedness and resilience to operational risks by monitoring the implementation of Prudential Standard CPS 190 Recovery and Exit Planning and Prudential Standard CPS 230 Operational Resilience (CPS 230), and heightened supervision on cyber resilience, improved outcomes for superannuation members, and climate risk.
Data, technology risks and strengthening cyber resilience
Unsurprisingly, APRA and ASIC will continue to focus on technological risks during 2025-26. Both regulators recognise that, while technology allows for greater efficiency and benefits in the financial sector, it simultaneously leads to greater risk to entities, and consequently all stakeholders, including investors and consumers. ASIC expressly mentions it will take enforcement action in this space when needed to protect investors and consumers, which comes as no surprise given its increasing cyber-related enforcement activity (read about ASIC's latest cyber enforcement proceedings against Fortnum in our Insight).
Three main regulatory themes for 2025-26 emerge from the corporate plans:
- Cyber resilience: APRA and ASIC will look to assess and improve the cyber resilience and preparedness of their regulated entities, including a focus on incident response. APRA plans to initially focus on superannuation trustees, insurers and smaller ADIs and will examine how super funds have responded to the concerns outlined in its letter: Information Security Obligations and Critical Authentication Controls (June 2025). APRA also noted the importance of ongoing improvement of government incident response protocols and engagement with industry in relation to cyber incidents, including information-sharing arrangements.
- Use of artificial intelligence (AI): both regulators will continue to engage and support entities in the responsible adoption of AI, with a particular focus on AI governance. APRA plans to undertake targeted supervisory engagements to understand emerging practices and the potential risks associated with them.
- Systemic / operational vulnerabilities and supply chain risk: the continuing importance of ongoing management of operational vulnerabilities and supply chain risk (particularly for cyber-related vulnerabilities) is evident in the regulators' focus areas. We expect this to continue to be a focus area, particularly with the implementation of CPS 230.
Retirement outcomes and superannuation
Both Corporate Plans highlight the critical role of the superannuation sector in safeguarding Australians' financial futures, with APRA observing that there are $4.1 trillion in assets under management as of March 2025—equivalent to approximately 150% of Australia’s GDP.
To that end, in collaboration with ASIC, APRA identified several challenges for the superannuation sector as it increases its regulatory focus on superannuation trustees to improve member outcomes:
- an ageing population: nearly 5 million super accounts are held by individuals aged over 60, with another 3.9 million expected to reach that milestone within the next decade. This demographic shift, along with the Government's finding in its Retirement Income Review that a high proportion of superannuation benefits stay unspent over the retirement phase, highlights the need for improving outcomes for members in retirement.
- interconnected risks: the growing integration of super funds with broader financial systems increases the potential for vulnerabilities to spread across sectors, necessitating tighter oversight.
- governance and risk management: as funds navigate increasingly sophisticated investment landscapes and heightened member expectations, APRA continues to call for stronger governance frameworks and operational risk practices.
Similar to interconnected risks, both ASIC and APRA have commented on their intentions to enhance data-sharing, which may yield further opportunities for surveillance and enforcement action for both regulators. This cross sharing of information (eg through reporting obligations under FAR and breach reporting) will likely strengthen their ability to consider overall compliance with applicable duties.
Separately, ASIC states that Australians’ faith in superannuation trustees has been tested in recent times by ASIC's court proceedings against two super funds over their claims-handling practices, as well as what it considers to be superannuation trustees' weak scam and fraud practices and poor handling of death benefit claims.
To address these challenges effectively, APRA’s and ASIC's Corporate Plans outline key initiatives aimed at enhancing superannuation member outcomes:
- Retirement income strategies: APRA and ASIC will release a 'pulse check' report in early 2025-26 to assess how trustees are implementing the retirement income covenant. ASIC will also continue its deep dive into retirement-focused member communications, decision-making processes and guidance tools delivered by trustees to monitor implementation of the retirement income covenant. This initiative will coincide with Treasury's consultations on its Guidance on best practice principles for superannuation retirement income solutions consultation paper and its Retirement Reporting Framework: Increasing transparency for members consultation paper. See our Insight on the Treasury consultation here.
- Governance standards: in the second half of 2025-26, APRA plans to consult on draft standards and guidance to update core governance requirements. We expect this will include a review of Prudential Standard SPS 510 Governance and Prudential Practice Guide - SPG 510 – Governance.
- Prudential Standard CPS 230 Operational Resilience (CPS 230): APRA’s supervision program will initially focus on the largest entities (significant financial institutions), including through targeted prudential reviews of some entities. See our guide on CPS 230.
- Expenditure oversight: stricter supervision of fund-level expenditure will be rolled out to ensure trustees act in their members’ best financial interests. Over the next 12 months, APRA will undertake targeted assessments of expenditure data and, where deficiencies are identified, trustees will be required to make improvements. We expect this supervisory focus will include a particular focus on how superannuation trustees are complying with the newly introduced Prudential Standard SPS 515 Strategic Planning and Member Outcomes. To date, we have seen an increase in supervisory action as it relates to prudential standards, particularly in respect of member expenditure. See our Insight on SPS 515.
- Prudential Standard CPS 190 Recovery and Exit Planning: superannuation trustees will be required to formally submit their recovery and exit plans to APRA, which will review these plans and provide feedback where appropriate. See our Insight on CPS 190.
- Investment governance: APRA is reviewing platform products to evaluate how trustees manage investment options through due diligence, monitoring processes and strategic planning. Its findings will be shared with the superannuation industry, highlighting areas where enhancements are expected.
- Data transparency: collaborating with Treasury, APRA is developing a retirement reporting framework set to launch in 2027. Additionally, retirement product data will be integrated into the Comprehensive Product Performance Package by 2026 to provide greater transparency regarding product effectiveness.
- Member services: ASIC will begin the next phase of its multi-year member services review focusing on how trustees use complaints data to identify and address systemic issues.
- High-risk super switching: ASIC will review superannuation trustee practices to understand the steps they have taken to disrupt the high-risk super switching model.
- Internal dispute resolution (IDR): ASIC will review how licensees, including superannuation trustees, comply with their obligations to report complaints, IDR processes and outcomes to ASIC.
Climate-related financial risk and sustainable finance
Climate-related financial risks
In its Corporate Plan, APRA identifies environmental developments—including the increase in frequency and severity of climate events—as a key external driver of risk to APRA's prudential objectives. APRA's focus is on addressing climate change-related financial risk in the insurance industry, whilst noting that rising insurance costs causing declining insurance cover among borrowers may lead to greater climate-risk exposure for banks.
To address these risks, APRA states it will release the results of its Climate Vulnerability Assessment for the general insurance sector in the second half of 2025-26. The Climate Vulnerability Assessment involved Australia's five largest general insurers, and is intended to provide governments, insurers, policyholders and the broader community with a greater understanding of how insurance affordability can be expected to evolve in response to climate change over the medium term.
In its Corporate Plan, ASIC states it will adopt a regulatory and enforcement action focus on complaints-handling by insurers following severe weather events, as well as greenwashing, despite its ongoing commitment to supporting businesses in the transition to mandatory sustainability reporting requirements.
Greenwashing
ASIC's Enforcement and Regulatory Update confirms that greenwashing and misleading conduct involving ESG claims remains one of its top enforcement priorities. ASIC refers to Information Sheet 271 How to avoid greenwashing when offering or promoting sustainability-related products (INFO 271) for more information on how to avoid greenwashing when offering or promoting sustainability-related products, and warns it will continue to take action against perceived greenwashing misconduct.
This continued focus on greenwashing is reiterated in ASIC's Corporate Plan. See our Insights on Information Sheet 271 here, how to mitigate greenwashing risk here and the greenwashing and bluewashing risks section of our Guide for Boards on ESG Governance and Reporting here.
Mandatory sustainability reporting
ASIC's Enforcement and Regulatory Update reinforces that it is committed to supporting business with sustainability reporting obligations following the Government's introduction of mandatory sustainability reporting requirements for large businesses and financial institutions which came into effect on 1 January 2025.
ASIC has published Regulatory Guide 280 Sustainability Reporting (RG 280), which provides guidance on the preparation of sustainability reports, disclosing sustainability-related financial information outside of sustainability reports and ASIC's administration of the sustainability reporting requirements.
Whilst ASIC's focus is currently on supporting business to meet the new sustainability reporting requirements, this is likely to precede a focus on supervision and enforcement. ASIC states in its Corporate Plan it will take a 'pragmatic and proportionate' approach to supervision and enforcement where necessary. For practical guidance on how businesses and organisations can navigate the new sustainability reporting obligations and RG 280, see our Insight. You can also read our Insight that offers a broader background on the new climate-related financial disclosures regime generally.
Protecting consumers, small businesses and investors
A key area of ongoing strategic focus for ASIC, which is emphasised in its Corporate Plan, is improving consumer outcomes, with a focus on credit and financial hardship, dispute resolution, scams, insurance and trusted financial education through ASIC's Moneysmart.
With the aim of disrupting scams, ASIC indicates it will continue to work with Treasury and other regulators to implement the Scams Prevention Framework reforms, and will support the work of the ACCC's National Anti-Scam Centre and other domestic and international counterparts. Investment scams remain a particular area of focus, with ASIC removing over 14,000 scam websites since mid-2023 and securing asset freezes for entities such as Falcon Capital Ltd to safeguard investor funds.
In its Enforcement and Regulatory Update, ASIC outlines significant actions taken in the first half of 2025 to protect consumers, small businesses and investors. It highlights enforcement priorities aimed at mitigating financial harm and addressing misconduct across various sectors. During that period, ASIC's consumer protection measures included tackling predatory lending practices, scams and misleading conduct. From a supervisory perspective, ASIC also launched a review into the motor vehicle finance sector, with the aim of driving better outcomes for consumers borrowing money to purchase a car. With insights from the review to be published later in 2025, this will be an area to watch.
Between January and June 2025, in furtherance of its current focus on failures by insurers to deal fairly and in good faith with customers, ASIC pursued a range of insurers over alleged serious compliance failures. Reflecting its current focus on misconduct impacting small businesses and their creditors, ASIC also addressed corporate collapses by prosecuting directors for statutory breaches such as insolvent trading and the failure to maintain proper records. ASIC has issued reminders about financial management obligations and engaged in initiatives to assist businesses amid ongoing economic challenges.
Strengthening financial market integrity
One of the key strategic focuses identified in ASIC's Corporate Plan is driving regulatory reform to ensure 'stability, fairness and transparency' of capital markets and 'stable, secure and resilient market infrastructure'. Areas of focus include financial reporting and director misconduct.
It also highlights ASIC's ongoing focus on private capital. ASIC has said it is currently conducting surveillance of retail and wholesale private credit and equity funds with a focus on governance, valuation practices, liquidity, conflicts of interest, fees, disclosure and distribution. The result of this could include issuing supplementary guidance and/or engaging in further targeted surveillance. This is aligned with ASIC's previous statements to the market on the topic (see our Insights here and here).
ASIC's Enforcement and Regulatory Update demonstrates its emphasis on supporting financial market integrity, with a particular focus on pursuing allegations of insider trading and market manipulation. In the first half of 2025, key activities included:
- investigations and interventions into insider trading, market rigging and dealing in proceeds of crime resulting in criminal prosecutions.
- the commencement of civil penalty proceedings against Delta Power & Energy for alleged electricity futures market manipulation.
- ASIC exercising its new competition powers by requiring the ASX to provide its clearing and settlement services on a 'transparent and fair' basis.
During that period, corporate governance and risk management were also an area of focus, with ASIC commencing proceedings against company directors in the gaming and blockchain industries for breaches of their duties, as well as enforcement action in respect of alleged false and misleading statements to the ASX.