Insights / February 18th, 2026

APRA’s Capital Add-on: A Prudential Pressure Point for addressing risk culture and remediating Non-Financial Risk

On 18 December 2025, the Australian Prudential Regulation Authority (APRA) announced a $50 million operational risk capital add-on for Bendigo and Adelaide Bank following the identification of significant deficiencies in its AML/CTF risk management framework.

This regulatory action was coordinated with AUSTRAC to jointly address weaknesses in Bendigo and Adelaide Bank’s money laundering risk management, non-financial risk management practices and risk culture.

The coordinated regulatory action also involves two other components:

1. APRA will require Bendigo Bank to undertake a root cause analysis to understand the extent of non-financial risk management issues at the bank, going beyond money laundering and terrorism financing. APRA expressed concern that these weaknesses were not isolated to anti-money laundering (AML) but existed across the bank's broader non-financial risk management framework.

2. AUSTRAC has commenced an enforcement investigation which will focus on whether Bendigo Bank has complied with its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). No final enforcement decision has been announced.

What is APRA’s approach?

The regulatory action follows the findings of an independent review undertaken by Deloitte into suspected money laundering at a Bendigo Bank branch, which the bank self-reported to AUSTRAC.

The findings of a review of the Victorian branch revealed "significant deficiencies" in the bank's approach to identifying, mitigating, and managing money laundering and terrorism financing risk.

APRA has expressed concern that deficiencies may extend beyond AML/CTF compliance and reflect broader weaknesses in non-financial risk management and governance.

The capital add-on will remain in place until Bendigo Bank has completed remedial measures and addressed wider concerns to APRA’s satisfaction. These regulatory steps do not preclude further actions from being taken by the agencies in the future.

According to recent news reports, Bendigo and Adelaide Bank has embarked on a remediation program to improve systems that prevent money laundering at a cost of between $70 million and $90 million over three years.

This action reinforces APRA’s increasing willingness to deploy capital overlays not merely for traditional credit or market risk exposures, but as an enforcement mechanism to address governance failures and non-financial risk weaknesses and to modify risk culture.

What is APRA’s Capital Tool?

A capital add-on is typically a temporary supervisory requirement for an institution to hold additional regulatory capital until APRA is satisfied that identified risk and governance deficiencies have been remediated.

While capital add-ons have primarily been imposed on banks, APRA has signalled a willingness to deploy a capital overlay across insurance and superannuation sectors where systemic non-financial risk weaknesses arise. Notable examples include Medibank in respect of the cyber-attack in 2024 to address weaknesses identified in its information security environment and Allianz in 2019 to address risk issues raised in a risk governance self-assessment imposed by APRA.

In our assessment a capital add-on is an emerging component of APRA’s enforcement toolkit for moderating and addressing weaknesses in non-financial risk management, particularly:

  • risk governance and culture

  • operational risk controls

  • AML/CTF risk frameworks.

APRA continues to focus on the adequacy of risk management and board oversight. There is an increasing resolve by APRA to use its powers to regulate risk behaviour including through the imposition of licence conditions and application of additional capital requirements.

What is the purpose of this regulatory tool?

APRA’s rationale for utilising capital as an enforcement tool includes:

  • incentivise remediation: Increasing the temporary capital cost of doing business forces a financial institution to embed more rigorous risk controls and governance. In the case of Bendigo Bank, the requirement to hold higher levels of regulatory capital may restrict its capital flexibility and operate as a financial incentive to remediate identified prudential and regulatory deficiencies.

  • protect depositors or policyholders by supporting financial stability: It serves as an additional capital safety buffer during a period when governance weaknesses are being addressed and remediated.

Is APRA and AUSTRAC’s joint action a new trend?

The coordinated announcement in relation to Bendigo Bank reflects a closer alignment between APRA and AUSTRAC, particularly where prudential risk interfaces with AML/CTF compliance.

We expect a continuing trend of cross-agency engagement to deal with systemic operational and compliance risk where deficiencies threaten both prudential safety and regulatory compliance, particularly where regulatory objectives of each regulator converge.

Given:

  • AUSTRAC and other regulators are adopting a proactive and interventionist approach which is focussed on the digital economy;

  • recent legislative amendments have expanded AUSTRAC’s investigative and enforcement powers, facilitating a more interventionist regulatory environment (see our previous insight, AUSTRAC Cracks Down on Emerging Finance Sectors – New Powers),

we expect that AML/CTF frameworks will be subject to potential cross-agency regulatory responses including utilisation of prudential capital overlays as a supervisory lever to address broader governance, risk culture, and structural weaknesses in non-financial risk frameworks.

Is there a shift in APRA’s focus?

There is a continuing shift to a preventive enforcement philosophy with a supervisory focus on:

  • embedding extensive risk management capability within a financial institution;

  • increasing accountability of boards and management for risk culture;

  • extending capital requirements beyond risk buffers and using them as prudential moderators and incentives for remediation of deficiencies in risk management frameworks.

Given APRA’s current focus on cybersecurity frameworks and weaknesses in the information security environment, we expect this may represent another area for an increasing use of the capital regulatory tool.

Are there consequences for regulated funds, banks and insurers?

This development affirms that AML/CTF deficiencies may result in prudential capital consequences. Boards and senior management should ensure that non-financial risk frameworks are demonstrably effective in practice, particularly in areas of AML/CTF compliance, operational risk and governance oversight.

Where material weaknesses exist, proactive remediation may reduce the risk of supervisory capital intervention.


This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting or refraining to act in relation on the information contained in this publication or for any decision based on it.