Geopolitical risk has moved from boardroom talking point to supervised prudential category: APRA set out minimum expectations requiring every bank, insurer and superannuation fund it oversees to embed geopolitical risk into governance, scenario analysis, operational resilience and capital planning. The regulator supervises institutions holding approximately $9.8 trillion in assets across banks, insurers and superannuation funds. The measure carries immediate supervisory weight, tethered to existing standards rather than a new consultation process, with targeted assessments due in the coming financial year.
Six Minimum Areas, One Existing Standard: How APRA Avoided a New Rule
APRA’s minimum expectations are not new prudential requirements; they apply existing standards to better integrate geopolitical risk into governance, risk management and crisis preparedness. By anchoring the framework to CPS 230 — the operational risk management standard that took effect on the first day of July in the prior financial year — APRA bypassed a formal consultation period while still placing enforceable expectations on regulated entities. Insurers and superannuation funds face the same obligations as banks under this sweep.
The letter sets out six minimum expectation areas: enterprise risk, operational resilience, personnel, political, financial resilience, and crisis preparedness. The inclusion of a discrete personnel pillar is the most distinctive element. APRA defines geopolitical risk as the potential for adverse impacts on the financial system from international tension, including trade restrictions, sanctions, grey-zone activities and conflicts — a definition that explicitly encompasses insider threats and foreign interference vectors rarely codified at peer regulators. That framing places responsibility on boards not just to monitor macro-level tensions but to assess workforce exposure.
APRA expects boards to ensure geopolitical risk is reflected in strategy, risk appetite and board oversight. The regulator’s corporate plan already flagged that boards lack the technical understanding needed for technology risk oversight, particularly regarding artificial intelligence and overseas third-party reliance — a gap that has direct geopolitical dimensions when supply chains run through jurisdictions subject to sanctions or grey-zone pressure. This connects to a broader pattern of board-level accountability concerns APRA has signalled across sectors, including its calls for a step-change in AI risk governance across the insurance sector.
Awareness Versus Action: What the Majority Acknowledgement Gap Reveals
The regulatory trigger for the letter is visible in the data. Approximately 70% of APRA-regulated entities had identified geopolitical risk as a key business risk over the next two years. That figure, drawn from Reserve Bank of Australia monitoring, sounds reassuring until set against APRA Chair John Lonsdale’s direct challenge: “Awareness is not enough. We need to see APRA-regulated entities integrate geopolitical risk” into actual governance practices. The remaining minority of entities — those that have not yet flagged geopolitical risk at all — represents a supervisory red flag heading into the upcoming targeted assessment cycle.
The stress-testing dimension is equally concrete. APRA’s System Risk Outlook confirmed that APRA is conducting a stress test with the five largest banks in coordination with the Reserve Bank of New Zealand, examining resilience amid prolonged geopolitical instability with a major energy supply shock, elevated oil prices, a sharp rise in unemployment, and significant property price declines. The test parameters read as a direct proxy for Australia’s Indo-Pacific exposure scenarios. Common Equity Tier 1 ratios remain well above regulatory minimums and higher than at the onset of the COVID-19 pandemic, but the test is designed to locate the boundary of that buffer under concentrated stress.
For insurers, the capital planning requirement adds a forward-looking layer absent from most current enterprise risk management frameworks. Linking scenario analysis outputs to capital and liquidity planning — not merely to qualitative risk registers — is the operational shift APRA is demanding. For context on how similar capital realignment pressures are reshaping regional insurer strategies, the Hong Kong revision of insurance capital rules illustrates how regulators are increasingly using capital frameworks as a policy lever beyond pure solvency protection.
EIOPA’s Dashboard vs. APRA’s Mandated Integration: Two Models of Supervisory Response
The contrast with European practice illuminates what makes the APRA letter structurally significant. EIOPA’s insurance risk dashboard assessed 94 insurance groups and 2,092 solo insurance undertakings, finding risks in the European insurance sector stable at a medium level. Somewhat higher inflation expectations, combined with persistent geopolitical tensions, continue to shape the macroeconomic environment, the European supervisor noted — language that flags awareness without mandating specific entity-level responses. EIOPA’s dashboard approach is diagnostic; APRA’s letter is prescriptive.
At the global level, the IAIS framing sits between the two. The IAIS 2025 Global Insurance Market Report identified trade tensions, sanctions, divergent monetary policies and market fragmentation as contributing to financial market volatility for the global insurance sector. The IAIS also found that insurance sector systemic risk scores remain significantly lower than those of the banking sector despite ongoing geopolitical uncertainties — a relative comfort that APRA’s letter implicitly challenges by treating insurers as equally exposed to geopolitical transmission vectors as banks. APRA’s inclusion of superannuation funds in the same obligation set is also notable: Australian superannuation funds hold approximately 30% of banks’ short-term debt and equity directly, rising to 40% including indirect claims via investment funds, making them a systemic amplifier in any geopolitical stress scenario.
Operational Consequences for Insurers: Board Declarations, Targeted Assessments and Personnel Protocols
For general insurers and life insurers operating in Australia, the practical compliance calendar tightens immediately. The annual Risk Management Declaration — already required under CPS 220 — must now explicitly address whether geopolitical risk has been integrated into the risk appetite framework, capital stress scenarios and operational resilience plans. Boards that have historically treated geopolitical risk as a qualitative footnote in their ERM documentation will need to demonstrate quantified scenario outputs and crisis preparedness protocols before their next declaration cycle.
The personnel risk expectation is operationally novel. Insurers with significant offshore operations, outsourced claims processing in geopolitically sensitive jurisdictions, or dual-national executive teams will need to assess exposure to foreign interference risk and document mitigation controls at board level. This expectation has no direct parallel in the EIOPA or IAIS frameworks and reflects Australia’s specific geopolitical context in the Indo-Pacific. The broader pattern of regulatory escalation around conduct and personnel accountability visible in the Japan Prudential Life FSA probe and the IAG-Greensill trade credit settlement suggests regulators globally are raising the accountability standard for decisions made under conditions of elevated uncertainty.
APRA Chair Lonsdale has set the benchmark explicitly: “Sustaining that resilience will require ongoing investment in strong risk management across the system.” For insurers, that investment now carries a defined supervisory taxonomy — six expectation areas, board-level accountability, an annual declaration and an upcoming assessment window. The question is not whether geopolitical risk will be assessed, but whether insurers’ governance frameworks are ready to demonstrate integration when the assessment arrives. Meanwhile, Swiss Re’s recent results — where war reserves reached a substantial level — offer a market signal of how quickly geopolitical exposures can crystallise on the balance sheet of even the best-capitalised reinsurers.
Mini-FAQ
Does APRA’s geopolitical risk letter create new prudential standards for insurers?
What is distinctive about APRA’s personnel risk expectation compared with EIOPA or IAIS approaches?
How many APRA-regulated entities currently recognise geopolitical risk as a key business risk?
Sources
- APRA — Strengthening readiness for geopolitical shocks
- APRA — Minimum expectations to strengthen industry readiness for geopolitical risk
- APRA — System risk outlook
- Reserve Bank of Australia — Geopolitical risk and financial stability
- EIOPA — Insurance risk dashboard: overall stability amid geopolitical uncertainty
- IAIS — Global insurance market report: geoeconomic fragmentation and supervisory priorities
- APRA — Corporate plan