As we close in on the end of Q1, it is clear that the financial sector is grappling with a series of heightened risks. Most pressing are the political and geo-political shifts, the rise and rise of generative artificial intelligence and cybercrime, and the increase in scams and fraud. As these risks intersect with regulatory priorities, including an appetite for executive accountability, an increased interest in governance, and a low tolerance for failures to fix problems, we see 2025 as continuing to be a challenging year for the industry. In this environment, it is essential for entities to focus on those things that are within their control, and to really prioritise getting the basics right.

Political shifts
Big political changes are taking place around the world. With an activist new administration in Washington, new leadership in Germany and continuing war and unrest in Europe, Africa, and the Middle East, it feels as though global stability has never been more precarious. These sometimes-alarming geopolitical shifts are also driving economic and financial system risks and instability.
At the same time, the Trump administration appears to be pushing a deregulatory agenda in the financial sector, while dismantling consumer protections. Given the United States’ major role in the global financial sector, we can expect this to affect our local industry in as yet unknown ways. In addition, the global climate consensus is being undermined, while the tangible risks of climate change are becoming more evident every day.
Closer to home, an Australian election is expected any minute, and with it, at the very least changes in the Ministry, an array of election promises and heightened scrutiny of certain sectors, in particular superannuation.
Technological change running ahead of governance and risk management
Fear of being left behind, combined with optimism and excitement about the potential of generative AI, can lead to its use without adequate governance and risk management in place. As ASIC notes in the foreword to its Report 798 on AI – ‘put simply, some licensees are adopting AI more rapidly than their risk and governance arrangements are being updated to reflect the risks and challenges of AI’. We see this as being particularly likely where senior leadership is advocating for the use of AI. ASIC’s report focuses on consumer risk, but our experience suggests that, in addition, not all business, prudential and regulatory risks have been adequately considered and accounted for. In some firms, well-meaning tech-savvy staff are implementing AI solutions without the knowledge of the executive. Other firms do not have sufficient oversight of third-party models, raising concerns from an accountability perspective.
But AI is not the only realm where the environment continues to evolve. Cybersecurity is on everyone’s radar, but ensuring that cyber governance and risk management are sufficient is increasingly challenging. AI both increases the risk of cyber-attack (attacks on the AI itself, or attacks carried out using AI) and is a valuable addition to the cybersecurity toolbox. Cyber risk and cybersecurity are also increasingly in the hands of third-party service providers. This creates an additional layer of risk that is not always well managed. As CPS230 comes into force, it will be essential that these third-party relationships are carefully managed.
Low regulatory tolerance for failure to remediate
On the regulatory side, we are seeing a generally low tolerance for failures to fix problems when they arise. This means remediation not only in the sense of refunding customers but, more importantly, in the sense of identifying and resolving the root causes of the issues that led to the problems. This trend has been building over the past few years and is exemplified by APRA’s court enforceable undertaking (‘CEU’) with Cbus Super. Following a 2021 APRA review that identified that Cbus’s operational risk management framework was neither adequately implemented nor embedded, the CEU was sought prior to a root cause assessment, reflecting, in our view, a level of impatience from APRA at the failure of the trustee to fix the problems APRA had identified.
ASIC is also focused on member services in superannuation, listing it as a 2025 enforcement priority, as evidenced by recent actions against AustralianSuper and Cbus. So much so, in fact, that in his recent speech, Joe Longo called the superannuation sector the current poster child for what can and does go wrong when governance fails, noting:
these are examples of not knowing your business. Not taking the time to be ‘plugged in’ and connected. At the heart of this issue is leadership that doesn’t have a grip on the fund’s data, systems and processes – and the customers who suffer for it.
A hunger for enforcement action under the financial accountability regime (FAR)
As FAR requirements come into effect for super and insurance, the regulators will be keen to demonstrate that these sweeping changes have teeth. These long-sought powers have come with controversy and push-back. Therefore, we expect that, especially with a pending election, the regulators will be keen to prove that these are valuable and effective laws. We would expect heightened scrutiny of any regulatory breaches to hold executives or directors responsible.
Heightened risk of fraud and scams
Scams are attracting significantly increased regulatory attention, and the introduction of the Scams Prevention Framework places increased obligations on the financial sector to prevent and address scams. With the uptick in vigilance in the banking sector, the Australian Financial Complaints Authority (AFCA) notes that there is an increased likelihood of scams targeting superannuation. In addition, ASIC’s recent ‘Dear Trustee’ letter identifies weaknesses in fraud and scam practices in super. We can expect to see more vigilance from ASIC here, especially as more members move into the retirement phase. Trustees will therefore need to put in place measures to prevent and respond to scams, regardless of whether super is designated as a sector for the Scams Prevention Act.
What are the consequences?
As major global and political risks rise in likelihood, more immediate, localised risks will appear relatively less important, and it is natural that focus could shift to the potentially world-altering events. These risks demand a level of resilience and anti-fragility – the ability to benefit from negative shocks – which will only be possible with the right foundations in place. APRA’s recent governance consultation paper heralds an expanding regulatory focus on governance and provides a useful roadmap to governance improvements that will both improve resilience and address the increased regulatory attention on the board.
However, it is crucial that, amid the chaos and noise, attention is not diverted from the more routine risks, those over which we have more control. This is both because managing the routine risks will contribute to the overall foundation and because proactively and effectively managing these everyday risks will ensure they don’t snowball into more diverting problems – including regulatory action.
Getting back to basics means really understanding your obligations, ensuring that controls are linked to risks and that risk management frameworks are well maintained, shifting away from a box-ticking mindset, and embodying reasonable steps. It also means ensuring that complaints are taken seriously and addressed quickly, and that risks to consumers are considered and mitigated. The sometimes boring, but essential, day-to-day work of risk management will ensure that the business is resilient to the bigger risks and changes that are simmering.
Rhizome can help. We work with firms across the financial sector to understand, prepare for, and manage risks across a number of domains.
Please reach out to us for more information.
This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Rhizome Advisory Group Pty Ltd shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).