Backers, Not Blockers: How to Read ASIC’s Two Messages on AI in Three Weeks

In a three-week window, ASIC has sent Australian financial services two messages that look, on the surface, like they cancel each other out.

On 8 May, Commissioner Simone Constant told licensees the clock was at a minute to midnight on cyber resilience in the face of frontier AI. Slow down. Get the fundamentals right. Don’t move faster than your governance can keep up with.

On 21 May, ASIC Chair Joe Longo told a Tech Council of Australia audience in Sydney that Australia risks a lost generation of citizens with a lower standard of living if the country falls behind on fintech and AI. Speed up. Australia is in a global innovation race. ASIC wants to be backers, not blockers.

Two messages. Same regulator. Three weeks apart. Read separately, they sound contradictory. Read together, they describe the operating environment for Australian financial services for the next five years.

Here’s what they’re really saying, and what businesses on the Microsoft stack should do about it.

Key Takeaways

  • ASIC’s two May messages aren’t contradictory. They’re a single picture. Scale AI faster, and govern it properly. The combination is the point.
  • The DFCRC’s landscape review, published alongside Longo’s speech, shows Australia is advanced in BNPL regulation and real-time payments, but trails on insurance innovation, SME credit and digital wealth.
  • International benchmarks are stark. Lemonade automates 55% of claims end to end. Square Capital has originated more than US$18 billion in SME working capital loans. Betterment manages around US$65 billion at a quarter of the fees of human advisers.
  • Longo’s lost generation framing is a deliberate signal. ASIC wants to be a backer of innovation, but only where governance keeps up. The two May letters describe the floor and the ceiling of that approach.
  • For Australian businesses on Microsoft, both messages point to the same playbook. Use what’s in your tenant, govern it properly, and move on the highest-impact use cases first.
  • The gaps the DFCRC identified (insurance underwriting, SME credit, embedded finance, digital wealth, RegTech) map closely to capabilities already in Dynamics 365, Power Platform, Copilot Studio and Azure AI Foundry.
  • Boards now have explicit cover from ASIC to invest in AI more aggressively, paired with explicit accountability from APRA on how that investment is governed.
  • The organisations that read these two messages together, rather than picking one, will be the ones in the strongest position over the next five years.

The 8 May Message: Slow Down on Risk

ASIC’s 8 May letter was direct. Commissioner Simone Constant told all licensees and market participants that frontier AI models had materially shifted the cyber threat environment, and that existing controls would be tested more often and under more pressure. Twelve action points followed. Patching. Privileged access. Layered defences. Third-party risk. Incident response.

The letter’s framing was unambiguous. The time to act is now, not by reinventing your approach, but by ensuring the basics are robust, resourced and working effectively. Boards had to table it formally and could not delegate the question down.

Three weeks earlier, APRA’s 30 April letter had set out its first AI-specific expectations across governance, supplier risk, information security and assurance. Together, those two letters told the Australian financial services sector to mature its AI governance fast.

Anyone reading just those two documents would have come away with one message. Be careful. Get the controls right before you scale anything.

The 21 May Message: Speed Up on Innovation

Then came Longo’s speech. Speaking at the Tech Council of Australia in Sydney, the ASIC Chair launched the Digital Finance Cooperative Research Centre’s landscape review of Australian financial technology against six major jurisdictions. The framing wasn’t subtle.

Australia, Longo said, is in a global innovation race. Failing to keep up could mean Australians are poorer for it as a nation in the future. The phrase he used was lost generation. He wants ASIC to be backers, not blockers, of financial innovation.

The DFCRC report behind the speech laid out the data. Australia is in the advanced category in only two places. Buy-now-pay-later regulation, where the credit licensing regime that came into effect in June 2025 put Australia ahead of the UK and alongside the EU. And real-time payments, where the New Payments Platform processed more than 1.82 billion transactions in 2025.

Everywhere else, Australia is described as developing or emerging. Insurance innovation. SME credit. Digital wealth management. RegTech and SupTech maturity. The gap to the US, UK and Singapore is meaningful and growing.

Read Together, Not Apart

The instinct is to treat the two messages as if a business has to pick one. Either you protect yourself from risk (8 May) or you push for innovation (21 May). That’s not what ASIC is saying.

Read together, the two messages describe a single operating environment. The regulators have set both a floor and a ceiling. The floor is governance. AI use cases, supplier risk, model monitoring, cyber resilience and board accountability must mature to handle what’s now in production. The ceiling is ambition. Australian businesses need to scale AI faster than they currently are, or the country falls behind in a way that affects everyday standards of living.

That’s not a contradiction. It’s the actual operating brief.

And it’s a brief that puts most Australian financial services organisations in an awkward middle position. The DFCRC report shows Australia behind on insurance innovation, SME credit and digital wealth. APRA and ASIC’s earlier letters show governance also lagging deployment. So the message isn’t pick one. The message is fix both at once.

What the DFCRC Report Actually Says

The DFCRC report is worth reading in full, but four observations stand out for businesses on the Microsoft stack.

Insurance is where the AI gap is starkest

Lemonade, the US insurtech, automated roughly 55% of claims end to end as of December 2024, with 96% of first notices of loss handled by its claims bot without human intervention. Simple claims settle in under three seconds. Most Australian insurers are nowhere near this level of automation, and the DFCRC explicitly notes that the gap to the US and UK is widening.

SME credit is moving onto platforms, not into banks

Square Capital, now part of Block, had originated more than US$18 billion in cumulative working capital loans to merchants by mid-2025, based on transaction data flowing through the Square payments platform. Shopify Capital, Amazon Lending and PayPal Working Capital operate similar models. In Australia, this kind of embedded SME lending barely exists yet. The DFCRC sees this as one of the largest near-term opportunities.

Digital wealth is scaling at a fraction of traditional fees

Betterment, the US robo-advisory platform, had around US$65 billion in assets under management by early 2025, charging 0.25% annually against the 1.0 to 1.5% typically charged by traditional advisers. Longo’s specific point in the speech: Australian adviser numbers would need to more than double by 2055 to maintain current coverage. Without scaled digital advice, that maths doesn’t work.

RegTech is moving from financial crime to broader supervisory analytics

Singapore’s FEAT principles and Veritas toolkit, and the UK’s Financial Conduct Authority Digital Sandbox, give firms and regulators practical tools for AI validation and cross-market testing. Australia’s RegTech activity is concentrated in AML and transaction monitoring, with much less maturity in model validation, supervisory analytics and broader compliance automation.

The pattern across all four gaps is the same. The technology is mature. The regulatory frameworks elsewhere are clearer. Australian businesses have the infrastructure to compete but, by and large, aren’t using it at the scale international comparators are.

Where the Microsoft Stack Does the Work

Most Australian financial services organisations are running their AI investment through Microsoft. Copilot, Copilot Studio agents, Dynamics 365, Power Platform automations, Azure AI Foundry, Sentinel and Defender for security. The capability is in the tenant. The question is whether it’s being used.

Mapped against the DFCRC’s four gaps, the platform tooling is largely sufficient to start closing them.

Insurance automation

Power Platform and Copilot Studio handle the workflow automation, document extraction and conversational interface layers that underpin claims triage and underwriting automation. Azure AI Foundry sits underneath for model orchestration, evaluation and observability. Dynamics 365 Customer Service provides the case management surface. None of this is exotic. The work is in scoping the use case properly, building the right governance around it, and being honest about which claims types are ready for high-automation handling and which aren’t.

Embedded SME finance

Dynamics 365 Finance and Business Central, combined with Power Platform for surface-level integration into customer ecosystems, give Australian lenders the foundation to build embedded credit experiences. The 2026 Wave 1 release introduced the Payables Agent in Business Central as a worked example of how agent-based finance automation looks. The harder work is on the data side. Building the transaction data flows and risk models that make platform-based lending work.

Digital wealth

Copilot Studio agents, paired with Dynamics 365 Customer Insights and Power Platform automations, give wealth managers the building blocks for scaled, personalised digital advice. The constraint here isn’t the platform. It’s regulatory clarity on the boundary between general guidance and personal advice, and the Consumer Data Right’s limited coverage of investment and superannuation data.

RegTech and AI validation

Azure AI Foundry, Microsoft Purview and Microsoft Sentinel together cover model validation, data governance, observability and AI-specific security monitoring. This is also where the 8 May ASIC letter and the 21 May Longo speech most clearly converge. The same tooling that lets you scale AI also lets you govern it. The two messages aren’t separate workstreams in your tenant. They’re the same workstream.

So What Should You Actually Do?

If you’re already on Microsoft and running production AI

Both messages apply directly. Audit your AI use cases against APRA’s four observation areas (governance, security, supplier risk and assurance) and make sure the controls are real, not just documented. Then run a parallel exercise against the DFCRC’s four gaps. Where in your business could AI move the dial fastest, and what’s stopping you? In most cases, the answer isn’t capability. It’s prioritisation and operating model.

If you’re early in your AI journey

Longo’s lost generation framing isn’t an instruction to deploy AI everywhere immediately. It’s a signal that doing nothing is now a strategic risk, where six months ago it was a defensible position. Start with one or two use cases that map to the DFCRC’s identified gaps, build them with governance in place from day one, and use the experience to inform a broader roadmap.

If you’re a board member or executive sponsor

The two messages give you explicit regulatory cover for two parallel investments. More aggressive AI scaling on the innovation side, and meaningful uplift in AI governance maturity on the resilience side. They’re not competing budget lines. They’re the same investment seen from two angles, and Longo’s speech makes clear that under-investing on either is now a board-level risk.

If you supply services to Australian financial services

Your clients are about to ask harder questions about both. How does your AI use case investment compare to international benchmarks, and how do your controls compare to what APRA’s now expecting? Being ahead of those questions is going to matter more in the next twelve months than it did in the last twelve.

Two Messages, One Choice

ASIC has rarely sent two messages in three weeks that, on first read, seem to contradict each other. The temptation will be to pick one and ignore the other. Most organisations will gravitate toward whichever message matches what they were already planning to do.

The opportunity is in reading both. The organisations that scale AI fast and govern it properly are the ones that will be in the strongest position over the next five years. Not because they’ve optimised for either regulator, but because they’re building the operating model that the next decade of Australian financial services requires.

That’s what Longo’s lost generation framing is really pointing at. Not a warning about technology, but a question about whether Australian businesses are willing to move at the pace the global market is now setting.

If you’d like to talk through how to read these two messages in the context of your own AI roadmap, your Microsoft stack, or your board’s risk appetite, get in touch with our team.

FAQs

What did Joe Longo say on 21 May 2026?

Speaking at the Tech Council of Australia in Sydney, ASIC Chair Joe Longo launched the Digital Finance Cooperative Research Centre’s landscape review of financial technology innovation across major jurisdictions. He said Australia is in a global innovation race, that failing to keep up risks a lost generation of Australians with a lower standard of living, and that ASIC wants to be backers, not blockers, of financial innovation.

Isn’t that the opposite of what ASIC said on 8 May?

On the surface, yes. The 8 May letter from Commissioner Simone Constant called for urgent cyber resilience uplift in light of frontier AI threats. Read together, the two messages set both a floor (governance must mature) and a ceiling (innovation must accelerate). They describe a single operating environment rather than competing priorities.

What is the DFCRC landscape review?

It’s a comparative analysis of financial technology innovation across seven jurisdictions, published 21 May. It assesses Australia’s position in consumer and SME credit, insurance, payments, wealth management, and RegTech against the US, UK, EU, Singapore, Hong Kong, Canada and Switzerland.

Where does Australia lead?

Two areas. Buy-now-pay-later regulation, where Australia’s credit licensing regime (effective June 2025) places it ahead of the UK and alongside the EU. And real-time payments, where the New Payments Platform processed over 1.82 billion transactions in 2025.

Where does Australia trail?

Most other areas. Insurance innovation (AI-driven underwriting and claims), SME credit (embedded lending through digital platforms), digital wealth (robo-advice and personalised planning), and RegTech maturity beyond AML and transaction monitoring.

What’s the practical signal for businesses?

Scale AI faster than you currently are, and govern it more rigorously than you currently are. The two May messages aren’t competing demands, they’re the operating brief for the next five years.

How does Microsoft’s platform fit in?

The Microsoft stack already provides the capability needed to close most of the gaps the DFCRC identified, including AI-driven claims processing, embedded finance, scaled digital advice and model validation. The work is in scoping the right use cases, building governance from day one, and being honest about prioritisation.

How does 365 Mechanix help?

We work with organisations across Australian and New Zealand financial services to turn Microsoft capability into practical, governed AI deployments. That means mapping platform tooling to regulator expectations, building the right control environment, and prioritising the use cases that close the gaps the regulators are now pointing at. If any of this is on your radar, get in touch.