When an AI system declines a loan, prices a policy or flags a claim, the legal duty to the customer does not move to the algorithm or the vendor. Australia's obligations are technology-neutral, and under the Financial Accountability Regime a named person still owns the call.
- Liability does not transfer to the algorithm. When an AI system declines a loan, prices a policy or flags a claim, the legal obligation to the customer stays exactly where it always sat: with the licensed entity and the people running it.
- Australia's financial-services obligations are technology-neutral. The duty to act "efficiently, honestly and fairly", responsible lending, and the design and distribution rules all apply whether a human or a model made the call. "The computer decided" is not a defence.
- Inside the firm, the Financial Accountability Regime now puts a named person against senior decisions. Outside it, AFCA can still order the firm to compensate a customer harmed by an automated decision.
- Robodebt is the cautionary tale. It was a government scheme, not a regulated financial firm, but it showed what happens when automated decisions run at scale without accountability: a Royal Commission, an unlawful finding, and a settlement of roughly $1.8 billion.
"When the system declined that customer and it turned out to be wrong, my honest first thought was that the model did it, not us. Then our lawyer asked a quieter question: whose name is on the obligation?" That pause is the whole article. For a moment the algorithm felt like a place to put the responsibility. It is not one, and the sooner a leadership team feels that clearly, the safer its AI programme becomes.
Here is the answer in one line. In Australian financial services, accountability for a decision does not move to the software that made it, or to the vendor that built the software. It stays with the licensed entity and, increasingly, with the named executive responsible for that area. APRA's April 2026 AI letter pressed entities to ensure "human involvement for high-risk decisions and accountability" precisely because the law gives them nowhere else to put it.
Does a customer's right change because an algorithm made the decision?
No, and that is the point most AI business cases quietly skip. The obligations are written to be technology-neutral, so they bind the outcome regardless of how it was produced. An Australian Financial Services licensee must, under section 912A of the Corporations Act, do all things necessary to ensure its services are provided "efficiently, honestly and fairly" (the exact statutory phrase, and a civil penalty provision since 2019). A credit licensee must still assess that a loan is "not unsuitable" for the borrower under the responsible lending rules, which remain in force today. Product issuers still owe the design and distribution obligations, which require a Target Market Determination (a written statement of the customers a product is actually meant for). None of these duties contain an exception that begins "unless an AI did it".
ASIC has said as much directly. In its October 2024 report on AI use by licensees, the conduct regulator stressed that "existing consumer protection provisions, director duties and licensee obligations put the onus on institutions" to govern how they use new technology, and its chair Joe Longo noted that licensees must weigh their existing obligations when they deploy AI. The framework, in ASIC's words, is technology-neutral. The duty is the same; only the machinery behind it has changed.
Who actually carries the liability inside the firm?
A person, by name, and that is newer than many boards have absorbed. The Financial Accountability Regime (FAR), administered jointly by APRA and ASIC, took effect for banking in March 2024 and for insurance and superannuation in March 2025. It requires entities to map senior responsibilities to specific "accountable persons", who carry personal obligations, can have part of their pay deferred against good conduct, and can face civil penalties or disqualification. A regulated decision made by an AI system falls inside someone's accountability statement the moment it goes live.
This is why "we bought it from a reputable vendor" offers so little shelter. You can outsource the building of a model. You cannot outsource the obligation that attaches to the decision it makes. The vendor is not the licensee. The vendor did not sign the accountability statement. If a customer is harmed, the regulator and the dispute body both look to the firm, and the firm looks to the person who owned the decision.
| The comfortable belief | The actual position |
|---|---|
| "The model declined the loan, not us" | Your responsible lending and section 912A duties are unchanged; the outcome is the firm's |
| "The vendor built the system" | The licensee carries the onus; the obligation does not transfer to a supplier (ASIC) |
| "It was an automated decision" | AFCA can still investigate and order the firm to compensate the customer |
| "No one person is responsible for an algorithm" | Under FAR, a named accountable person owns the area the decision sits in |
Know where your AI liability actually lands, before a customer does
The clearest protection is a map of every AI-influenced decision, the obligation it touches, and the named person who owns it. We build that accountability map with boards and executive teams.
Book your Strategy SessionWhat happens when automated decisions go wrong at scale?
Australia already has its answer, and it is a sobering one. The Robodebt scheme used automated income-averaging to raise welfare debts against hundreds of thousands of people. A word of care on the comparison: Robodebt was a Commonwealth government scheme, not an APRA or ASIC regulated financial firm, so it sets no precedent that binds a bank or insurer. As a cautionary tale about automated decisions made without proper accountability, though, it has no equal here. The 2023 Royal Commission found the scheme unlawful, calling it "a crude and cruel mechanism, neither fair nor legal", and the associated class action settled for roughly $1.8 billion.
The lesson that does transfer is about scale and speed. A human error harms one customer at a time. A flawed automated decision harms everyone it touches, at once, often before anyone notices the pattern. For a regulated firm, that is where a single model defect becomes a remediation programme, an AFCA caseload, and a FAR question about who was watching. The Australian Human Rights Commission made the same warning in its 2021 work on technology, that algorithmic bias can produce decisions that are unfair or even unlawful, which is why fairness in a model is a legal matter and not only an ethical one.
There is no field on an accountability statement marked "the model did it". The decision becomes yours the moment you deploy the system that makes it.
What does accountable AI decision-making look like?
It looks like a decision a human can still own, explain and undo. The direction of travel is clear: from December 2026, reforms to the Privacy Act will require organisations to disclose where a computer program makes or substantially helps make decisions that significantly affect someone, with loan decisions named as an example. Internationally the bar is firmer still. Europe's GDPR gives individuals a right "not to be subject to a decision based solely on automated processing" where it significantly affects them, and the EU AI Act requires that high-risk systems "can be effectively overseen by natural persons". The common thread is a human who remains answerable.
- Keep a human in the loop for high-risk decisions. Credit, claims, advice and anything that materially affects a customer needs a person able to review and override, not a rubber stamp after the fact.
- Be able to explain the decision. If you cannot say in plain words why the system reached an outcome, you cannot defend it to a customer, to AFCA, or to a court.
- Give the customer a way to contest it. A clear, human route to challenge an automated decision is fast becoming both an expectation and, in places, a right.
- Test for unfair and biased outcomes. Check that the model does not disadvantage protected groups, because an unfair outcome is a legal exposure regardless of intent.
- Name the owner. Tie every material AI-influenced decision to an accountable person, in the language of your FAR map, so responsibility never falls into the gap between the business and the vendor.
The reassuring version of all this is that the duty was never really about the technology. It was always about the customer in front of you and whether they were treated fairly. AI changes how the decision is produced, not who answers for it. There is no field on an accountability statement marked "the model did it". The decision becomes yours the moment you deploy the system that makes it, and a firm that designs for that truth has very little to fear from it.
This is the fourth piece in a series on APRA's AI letter. The others cover what APRA expects of your board, why your existing risk framework already governs AI, and how to handle single-vendor concentration risk.
Frequently asked questions
If an AI system makes a wrong decision, can we blame the vendor?
Does a customer have a right to challenge an automated decision in Australia?
What does the Financial Accountability Regime mean for AI decisions?
- Corporations Act 2001 (Cth), s 912A, "efficiently, honestly and fairly"
- ASIC, RG 209 Credit licensing: Responsible lending conduct
- ASIC, REP 798 Beware the gap: Governance arrangements in the face of AI innovation, 2024
- APRA, Financial Accountability Regime (banking 2024; insurance and superannuation 2025)
- Royal Commission into the Robodebt Scheme, Report, 2023
- GDPR Article 22, automated individual decision-making (international contrast)

About the author
British technology futurist, AI keynote speaker and advisor. Thirty years across enterprise technology and AI strategy, helping leaders navigate the future of work. The futurist who died.