Issue 1 | 6 May 2026

THE BANK'S VIEW

The question that keeps coming up in governance reviews is not about the AI your institution built. It is about the AI your vendors built and quietly embedded into tools you have been using for years.

Last month I watched a compliance team present their AI system inventory to a review panel. It was thorough. Twelve systems, properly documented, accountability mapped. The panel asked one question: "Does this include the AI inside your core platform's anomaly detection module?" The room went quiet.

That module had been live for three years. Nobody had included it because nobody had built it - the vendor had. That is the gap that will catch institutions out between now and 1 July.

When we assess a vendor, we are not just looking at what they deliver. We are looking at what decision-making capability sits inside their product. If a vendor's platform scores a transaction, flags a customer, or routes a workflow using a model - that model is part of your operational risk profile. CPS 230 does not distinguish between AI you commissioned and AI that came bundled in a licence agreement.

The practical implication for compliance teams: go back to your material service provider register and ask a different question of each vendor. Not "do you use AI?" but "does your product make or influence any decisions that affect our customers or operations?" The answer will be yes more often than you expect.

For technology companies serving regulated institutions, this is the question your bank clients are now preparing to ask you formally. If you cannot answer it cleanly - with documentation, not a verbal assurance - you are a risk item on someone's register. The vendors who arrive at that conversation with a clear inventory of their embedded AI, mapped to the functions it performs, will close contract renewals faster than those who do not.

The 1 July deadline is 65 days away. The vendor contract transition clock has been running since 1 July 2025 - or since your last renewal date, whichever came first.

REGULATORY UPDATE

APRA's CPS 230 Operational Risk Management requires regulated entities to identify and manage risks from all material service providers. The standard came into force 1 July 2025 for significant financial institutions. Non-SFIs face a final deadline of 1 July 2026 for remaining business continuity and scenario analysis requirements. APRA finalised targeted amendments to CPS 230 on 30 April 2026 for non-traditional service providers - including stock exchanges, payment schemes and clearing facilities - where contractual compliance is not practicable. All technology vendors serving regulated institutions remain fully in scope. All existing vendor contracts must comply with CPS 230 by the earlier of 1 July 2026 or the next renewal date.

THE BRIDGE

If you want the framework banks use to prepare for an AI governance review - including a 20-question checklist and 2026 regulatory deadline calendar - the APRA AI Governance Review Preparation System is available at the product page.

SHARE PROMPT

If this was useful, the web version is at theinsidebrief.com. Forward that, not this email.
