APRA Chair John Lonsdale’s speech to the 2026 ABA Banking Conference

A call to arms amid rising geopolitical risk

Good morning. Thank you for the opportunity to address you again.

In the late fourth or early fifth century AD, the Roman writer Vegetius published a treatise on Roman warfare that became an influential military manual across Europe for more than a thousand years. The document, commonly known as “De re militari” (Concerning Military Matters), covered such topics as discipline, strategy and logistics.¹ Today its influence is still visible through a single sentence, which remains widely quoted. Translated from the original Latin, it’s usually paraphrased as: “If you want peace, prepare for war”.

As financial institutions and regulators, we neither wage war nor broker peace but we are unquestionably impacted by military conflicts and other geopolitical turmoil. We need to prepare for them.

Recent conflicts in the Middle East and eastern Europe have had substantial impacts on the Australian economy and financial system, especially in relation to fuel prices, inflation and interest rates. They are classic examples of geopolitical shocks, which also demonstrate why such risks are so difficult to prepare for, with both conflicts lasting much longer than initially expected.

Although Australia’s financial system has shown remarkable resilience through the geopolitical upheaval of the past decade, including armed conflicts, COVID and rising trade barriers, we cannot be complacent. Our intelligence agencies assess that the geopolitical environment is deteriorating rather than stabilising. Multiple, concurrent threats are now manifesting at scale – driven by intensifying strategic competition, more frequent grey-zone activity and mounting strain on the rules-based international order.

These challenges can amplify traditional financial and operational risks to financial stability. They also increase the potential for non-traditional risks such as disinformation and foreign interference. 

Against this backdrop, APRA will today write to all banks, insurers and superannuation trustees setting out minimum expectations for how they strengthen readiness for geopolitical shocks. Through our own supervisory engagements and the work of the Council of Financial Regulators’ (CFR) Geopolitical Risk Program, we have identified six key areas where we believe industry-wide uplift is required. 

Our intention is to ensure regulated entities better integrate geopolitical risk into governance, risk management and crisis preparedness practices so can navigate the most volatile international environment in decades. Our message is that if we want ongoing financial stability that contributes to the nation’s economic security, then we must be prepared for a crisis.

A strong defence

Preparing for difficult conditions is the essence of what we both do and enforce at APRA: building resilience during the good times that we can deploy when a downturn arrives or a major shock strikes. 

But a shock doesn’t have to become a crisis. As our latest System Risk Outlook report outlined last month, strong capital, liquidity and prudential safeguards mean our financial system is well-positioned to absorb shocks and continue providing critical services to households and businesses. Our banks continue to be able to raise capital and access offshore funding markets. The level of non-performing loans, while ticking up slightly, remains low by historical standards. Credit for home and business loans continues to grow healthily. Our defences have held firm.

Our financial system demonstrated similar resilience in response to Russia’s invasion of Ukraine, the Liberation Day tariffs, the global banking turmoil of early 2023 and the COVID pandemic. As the Bank of England’s Deputy Governor for Financial Stability, Sarah Breeden, observed recently, the entire global financial system has proved resilient in the face of a series of extraordinary shocks over the past six years – “and it is not an accident.”²

She was referring to the deliberate build-up of financial system resilience, particularly the Basel framework, in response to the damage wrought by the Global Financial Crisis. The world changes, however, and as the threat environment evolves, we need to make sure we’re not arming ourselves for the last war. 

The main challenges to financial safety that we see aren’t coming through traditional risks that have long been central to prudential regulation: capital, liquidity management and credit quality. On these core financial metrics, the resilience of our banking system is robust. 

The big challenges we see are coming in the form of non-financial and emerging risks such as geopolitical volatility, rapid technological innovation and operational risk management – which can all amplify traditional financial risks. It is in these areas that risk management across APRA-regulated industries is generally less mature.

Over the past seven years, APRA has introduced prudential standards on information security and operational risk. Both of these areas remain top priorities for APRA, and recent developments in frontier AI models, which have implications for cyber security, have also been at the forefront of our attention.

So has geopolitical risk. The threats we face aren’t confined to the potential for – and realisation of – armed conflict. There are downside risks to global economic growth from weaker trade, heightened policy uncertainty, and bouts of financial market volatility driven by geopolitical tensions. Scrutiny on the costs of financial sector regulation globally has increased against a backdrop of productivity concerns. There are emerging signs of regulatory fragmentation, which risks eroding the uplifts to financial resilience that have protected the financial system since the GFC.

Geopolitical unrest has been correlated with an increase in cyber-attacks, and we have seen a rise in malicious activity connected to the conflicts with both Russia and Iran. The concentration in third-party service providers throughout the technology supply chain can also amplify any shocks leading to a wider impact.

The key prudential challenge is that geopolitical shocks can be transmitted to the financial system quickly, broadly and through multiple channels.

Combined forces

Last year, the Council of Financial Regulators strengthened its Geopolitical Risk Program, working with the country’s largest financial institutions to uplift geopolitical risk management. The insights APRA has gained from that work, as well as our supervisory interactions, have led us to conclude there are material gaps in the management of geopolitical risk across our regulated flock.

In particular:

• most entities are alert to geopolitical risk, but awareness has not always been matched by practical action;
• management too often remains focused on traditional risks, with less attention given to newer and emerging risks that could still have serious prudential consequences; and
• crisis exercises are not always strong enough to give boards and management confidence that the entity could withstand and respond effectively to a severe geopolitical shock. This leaves a gap in readiness at a time when the external environment is becoming more contested, more volatile and more consequential.

In response, today’s letter to entities will set out our minimum expectations for how boards and senior management strengthen readiness for geopolitical shocks.

It makes clear that we expect boards to satisfy themselves that geopolitical risk is reflected in strategy, risk appetite and oversight; that management is addressing material gaps against these expectations, with clear accountability and timelines for remediation; and that management is reporting on exposures, off-shore dependencies and service provider vulnerabilities to support effective challenge and timely action by the board.

Additionally, we’ve identified six key focus areas where we want to see entities uplift their monitoring and response capabilities when it comes to geopolitical risk. Some are ones you would entirely expect to see from a prudential regulator. For example, we want to see evidence of scenario analysis, capital and liquidity planning. We expect to see operational resilience embedded in risk management practices to support continuity of critical operations across a range of geopolitical scenarios. We also want to know that crisis response capabilities, including playbooks, plans and exercises, are established and maintained in a way that is proportionate to the institution’s risk profile.

But there are some non-traditional risks we are also calling out more forcefully than we have before. One is the risk of insider threats and foreign interference. This comes at a time when ASIO has warned that the threat of espionage is at “extreme levels”,³ and the Department of Home Affairs has warned Australia is the target of sophisticated and persistent foreign interference activities from a range of countries.⁴

Another is political risks. These include the need for financial institutions to rapidly implement sanctions, as we saw in the aftermath of Russia’s invasion of Ukraine. It also includes identifying overseas operations, assets or investments that might credibly be impacted by disruption, freezes, restrictions or loss of access.

Mindful of our commitment to getting the balance right between safety and efficiency, none of these expectations represent new prudential requirements. Rather we expect entities to manage geopolitical risk through APRA’s existing prudential framework, including prudential standards on governance, risk management, operational risk, resolution and recovery and exit planning. 

In the past, we’ve sometimes observed that smaller entities, including banks, believe they’re not big enough or sufficiently active internationally for geopolitical shocks to impact them. That is absolutely not the case, as the impacts on regional Australia from the recent spike in diesel prices illustrate. That said, our expectation is that these measures be applied proportionately based on each entity’s size, business model, and complexity.

We will soon write to a selected group of larger entities with heightened exposure to geopolitical shocks asking them to undertake targeted readiness assessments. These entities will come from banking, superannuation and insurance. The assessments will identify gaps against the minimum expectations in today’s letter, with a focus on crisis preparedness, personnel risks and political risks. We will then share the learnings with entities outside this group to maximise the industry-wide benefits.

Reconnaissance

One powerful tool that can help organisations prepare for a range of geopolitical scenarios is stress testing. The traditional method is to present participants with a hypothetical “severe but plausible scenario” and ask them to model the impacts and how they would mitigate them. Learnings can then be shared with non-participating institutions to maximise the benefits. 

This is how APRA conducts its annual ADI stress test. It’s also how the CFR conducted its first geopolitical scenario exercise last year, to identify gaps in readiness to a range of plausible geopolitical shocks. This exercise involved the five largest banks and other key financial system players.

Unsurprisingly, the CFR’s exercise confirmed that entities were far less prepared to manage emerging and non-financial risks than traditional financial risks. But it also revealed the commitment of the participating boards to develop system-wise resilience with deeper coordination between the business community and the public sector, including regulators and intelligence agencies. The ongoing support of senior leaders to drive initiatives that improve system-wide resilience remains critical, which is something we are making clear in our discussions with Chairs and boards.

As a result of the exercise, APRA-regulated institutions are advancing a wide range of actions such as enhancing security controls for insider risks, implementing payments back-up arrangements and testing crisis communication plans.

The exercise also helped APRA and CFR agencies build important connections – with other Government agencies such as the Department of Home Affairs and Office of National Intelligence; and with international peers, who are deeply engaged on this issue. 

Canada’s Office of the Superintendent of Financial Institutions has introduced explicit integration of foreign interference and national security risks into its prudential supervision. The Dutch Central Bank has a dedicated Geopolitical Fragmentation Program, which maps potential risk events, assesses their impact on financial stability, and prioritises targeted actions to address identified gaps. This includes a focus on vulnerabilities arising from digital dependency, third-party providers, and potential fragmentation of global financial and regulatory systems.

Countries in Europe and north Asia where geopolitical risks have a far greater potential to be existential have gone further still. Finland⁵, which borders Russia, and Taiwan⁶, for example, have both incorporated financial resilience into national plans aligned with the doctrine of Total Defence. This approach recognises that geo-political risks cut across all parts of society and therefore require preparedness by not only governments and militaries, but business and even households. 

Self-reliance

Something else international regulators and central banks are keenly attuned to are rising levels of public debt. The IMF projects public debt-to-GDP ratios across advanced economies will increase further over coming years⁷, reflecting a range of structural pressures on budgets such as higher defence spending and ageing populations. Governments in these more indebted countries may have reduced capacity to spend their economies out of financial trouble should the need arrive – as they did during the GFC.

This brings me back to the subject of financial resilience – the traditional terrain of the prudential regulator. 

In coming weeks, APRA will publish the full findings of our first System Risk Stress Test, which examines linkages between banking and superannuation. Unlike our traditional industry-based stress tests, the System Risk Stress Test examines how connections between different sectors could amplify or dampen risks.

The exercise highlighted the resilience of our financial system to market and liquidity shocks, including the constructive role the superannuation sector can play as a stabilising force for the banking sector. It also identified system vulnerabilities, such as those related to concentration and common dependencies, that could amplify stress events.

Another interesting aspect is that it revealed a range of expectations across banks and superannuation funds regarding the role of public sector response in severe stress. While such measures can play an important role in stabilising the system, no entity’s crisis response plan should hinge on getting financial support from the government.

The twin pillars of financial resilience in banking are capital and liquidity. Although our capital standards are famously “unquestionably strong”, our liquidity framework, while adequate, has not kept pace with international peers.

In March, we announced plans to consult on changes to our bank liquidity and capital frameworks. For liquidity, we will be proposing an uplift for the largest banks to bring their frameworks more in line with international practice. For smaller banks, we are proposing changes that should marginally reduce liquidity costs for entities with stable funding profiles. In relation to capital, we will propose targeted changes to risk weights for some forms of corporate lending, which we expect to support lending and investment. 

Our plan is to commence the consultation on credit risk shortly – by the end of this month. As announced in March, we intend to consult on liquidity risk and market risk capital during the next 12 months. APRA will work closely with government and other agencies to implement these reforms, including on covered bond limits. Taken together, the reforms are expected to be cost neutral and strengthen the financial resilience of Australian banks, while supporting lending to productive sectors of our economy.

Through our engagement with banks and the ABA, we know there is considerable interest in regulatory developments overseas, especially in the United States, and how that is playing into APRA’s thinking. 

APRA continues to assess our capital settings against international peers, including how this interacts with policy proposals on capital. While APRA is most definitely considering impacts of the US proposals on Australia, there are fundamental differences in our approach to capital. This is in part driven by differences in our jurisdictions, such as APRA's commitment to "unquestionably strong" capital and the nature of our financial system.

As I outlined in my last speech in March, certain features of Australia’s geography, economy and financial system leave us vulnerable to global shocks: a banking system reliant on overseas markets for funding; a trade-exposed, open economy; a relatively small population by global standards; a concentrated banking industry that is uniquely exposed among comparable countries to residential mortgages; and a superannuation sector with billions of dollars of members’ savings invested overseas.

At a time of rising global instability, APRA does not intend to leave Australia’s financial system without adequate financial and operational defences for these uncertain times.

Forewarned is forearmed

In a country that’s gone more than three decades without a deep recession and where the last significant bank failure was in 1991, it’s easy to think this is Australia’s default economic state. 

Although the strength and stability of Australia’s financial system, built up over decades, gives us confidence about our ability to withstand adversity, this can’t be taken for granted. As a mid-size trade-exposed economy, Australia will always be impacted by what happens in the rest of the world – and right now the rest of the world is becoming more volatile, unpredictable and dangerous. 

As scenarios that might once have been farfetched become plausible or even realised, entities must enhance their understanding of what’s happening in the world and where they might be vulnerable. They also need to take action to address those vulnerabilities, shore up their defences and strengthen their preparedness for future geopolitical shocks.

In Vegetius’s ancient martial manual, the adage that preparing for war is the best means of maintaining peace was recognition that a strong military deters adversaries. For banks – and for regulators – a greater readiness to combat geopolitical risks will not deter adverse events from happening. Rather, being forewarned will help ensure we are forearmed.

Footnotes

1. Vegetius | Late Roman, Military Treatise, Strategist | Britannica

2. This time is different? Speech by Sarah Breeden | Bank of England 

3. The Cost of Espionage Report July 2025.pdf

4. Countering Foreign Interference in Australia

5. Total Defence in Comparative Perspective: Lessons from Finland, Sweden, Switzerland, and Singapore - Institute for Security and Development Policy

6. Building Taiwan's Resilience: Insights into Taiwan’s Civilian Resilience Against Acts of War | RAND

7. World Economic Outlook, April 2026: Global Economy in the Shadow of War