Mackay Chapman January 2026 APRA Update
In this month’s APRA update:
- APRA places Diversa under tighter licence controls
- AUSTRAC & APRA step in at Bendigo Bank after AML red flags
- Netwealth agrees to enforceable undertaking
- APRA consults on CPS 230 changes for emerging service providers
- New tiering proposal aims to ease burden on small banks
Full breakdowns below.
APRA places Diversa under tighter licence controls
APRA has imposed new licence conditions on Diversa Trustees Limited after identifying significant cracks in how it vets and oversees investment options on its superannuation platforms.
Diversa, which oversees 10 RSEs with about 291,000 member accounts and more than $15 billion in funds under management, was found to have light-touch onboarding practices, patchy due diligence, and weak ongoing monitoring of investment options.
Under the conditions taking effect immediately, Diversa must:
- Appoint an independent reviewer to examine investment menus and governance arrangements
- Build and execute a remediation plan and provide APRA with assurance it works in practice
- Reassess whether certain menu options remain appropriate
- Stop onboarding high-risk options unless enhanced checks are completed and an accountable person certifies the decision is in members’ best financial interests
Rather than treating investment selection as an administrative exercise, APRA is signalling it expects trustees to actively curate menus and justify every decision that affects member money.
The regulator has indicated it will be watching Diversa’s progress closely and expects uplift, not simply box-ticking.
AUSTRAC & APRA step in at Bendigo Bank after AML red flags
APRA and AUSTRAC have taken coordinated action against Bendigo and Adelaide Bank after a Deloitte-commissioned review uncovered serious shortcomings in the bank’s money laundering and terrorism financing controls.
The review followed a suspected laundering incident at a branch that Bendigo Bank reported to AUSTRAC, but regulators now suspect the issues run much deeper than a single location.
APRA has ordered Bendigo Bank to undertake a root-and-branch analysis of its non-financial risk management and hold an extra $50 million in operational risk capital while gaps are being identified and fixed.
AUSTRAC has launched a separate enforcement investigation into whether the bank has complied with its obligations under the AML/CTF Act.
Although Bendigo Bank is well capitalised and financially sound, regulators have raised concerns that poor controls and weak risk culture could be embedded across its broader operations.
Both agencies have signalled that further action is on the table depending on what investigations uncover.
Netwealth agrees to enforceable undertaking
APRA has accepted a court-enforceable undertaking from Netwealth Superannuation Services after uncovering material weaknesses in how the trustee selects, oversees and governs platform investment options.
Netwealth manages more than $40 billion for roughly 115,000 members, and was one of the trustees examined in APRA’s recent thematic review of platform super funds.
The regulator found gaps in due diligence when adding investment options, inadequate triggers and escalation processes for poor performance or risk issues, and conflicts linked to outsourcing services to related-party provider Netwealth Investments.
ASIC has launched separate proceedings under the Corporations Act and has entered its own undertaking requiring remediation tied to First Guardian products, with both regulators coordinating their responses.
Members expect trustees to act as gatekeepers, not just distributors of investment options.
APRA consults on CPS 230 changes for emerging service providers
APRA has kicked off consultation on targeted tweaks to CPS 230, its new operational risk and outsourcing framework, after feedback from industry that the standard needs more flexibility for non-traditional service providers (think fintechs, digital platforms and other third-party partners that don’t fit the classic outsourcing mould).
The proposed changes are aimed at smoothing compliance ahead of CPS 230 going live on 1 July 2026, reducing unnecessary admin while making sure regulated entities still manage operational risks properly.
Submissions are open until 30 January 2026, with APRA expecting to finalise adjustments before the start date.
New tiering proposal aims to ease burden on small banks
APRA has opened consultation on a plan to formally reshape its banking prudential framework into three tiers, a move aimed at easing compliance for smaller banks and sharpening expectations for the country’s biggest players.
Right now, banks are split into significant and non-significant categories. APRA’s proposal adds a new ‘Most Significant Financial Institution’ tier for banks with more than $300 billion in assets (currently the four majors and Macquarie).
The middle tier would capture all other significant banks (with the threshold lifted to $30b), while everyone else would fall into the non-significant group.
Under the proposal:
- Non-SFIs would get extra time to implement new rules
- Banks could transition between tiers with a minimum 12-month adjustment period
- Prudential requirements would be scaled more deliberately to size, scope and complexity
APRA says the overhaul is designed to spur competition, reduce unnecessary regulatory drag and give institutions clearer signals about what level of expectation applies to them.
The consultation runs for three months, with final changes expected in 2026.
The contents of this article and any linked articles do not constitute legal advice, are not intended to be a substitute for legal advice, and should not be relied upon as such. They are designed and intended as general information in summary form, current at publication, for general informational purposes only. You should seek legal or other professional advice concerning any particular legal matters you or your organisation may have.


