The adoption of artificial intelligence (AI) could amplify risks in the financial sector, the Reserve Bank says, potentially hitting borrowers' ability to repay loans, and heightening cyber risks.
The Reserve Bank (RBNZ) says this in its latest Financial Stability Report, released on Wednesday.
"The adoption of AI could amplify risks in the financial sector. For example, relying on only a small number of third party AI providers could create dependencies and increase the risk that models produce biased, misleading, or fraudulent outputs."
"From a credit perspective, if AI leads to job losses in some sectors, more borrowers may struggle to pay their mortgages," the RBNZ says.
"From an operational resilience perspective, emerging frontier models, such as Anthropic’s Mythos, highlight how increasingly capable AI systems could materially amplify cyber risks from malicious actors."
The RBNZ says it expects deposit takers and insurers to have cyber‑security strategies and frameworks in place that address the cyber threats they face.
"We have issued Cyber Resilience Guidance to support this. We are actively monitoring the risks that Anthropic’s Mythos model may pose to the New Zealand financial sector and to our regulated entities, and are engaging with other domestic agencies and Trans‑Tasman counterparts to ensure continued alignment on risk assessments and policy responses," the RBNZ says.
Concerns have been raised about Anthropic's Claude Mythos, which the company says is highly adept at cyber-security and hacking tasks.
The RBNZ also says geopolitical tensions could increase the risk of cyberattacks and technology outages.
"While no material cyber impacts have been observed to date during the Middle East conflict, the sector’s reliance on cloud service providers was highlighted when infrastructure supporting these services was targeted. Cyberattacks consistently feature among the most prominent systemic risks identified in international surveys."
The RBNZ goes on to say cyber resilience and business continuity planning remain among its key supervisory priorities, reflecting a need to safeguard the stability and integrity of core financial services.
The 'one material cyber incident reported' was at the RBNZ's own ESAS
The prudential regulator says it also keeps an eye on how financial markets infrastructure (FMI) providers identify and manage cyber risks. FMIs enable payments clearing and settlement and securities transactions.
It notes that between April and September last year, one material cyber incident was reported. The incident was at the Exchange Settlement Account System (ESAS), NZ’s key high-value payment system used by banks and other financial organisations to settle transactions in real time. ESAS is owned and operated by the RBNZ.
"In the first quarter of the year, one of New Zealand’s domestic FMIs [ESAS] experienced an outage that disrupted services for all its participants, including one in Australia. This affected about $4.5 billion of transactions, which is approximately 15 percent of the $29.8 billion average daily balance, based on 2025 data."
"This interruption caused flow-on disruption in financial markets that affected at least three other FMIs, as participants faced delays in completing critical transactions. The entity immediately activated its incident response plans and the outage was resolved within three hours, highlighting the importance of strong operational resilience and effective contingency arrangements across FMIs," the RBNZ says.
It says standard incident management processes were successfully invoked at ESAS, with the problem resolved within three hours and all delayed transactions immediately processed.
"A comprehensive incident management report was completed and shared with all ESAS account holders," a RBNZ spokesman says.
APRA seeks 'step-change'
The RBNZ's comments about AI come after the Australian Prudential Regulation Authority (APRA) last week called for "a step-change" in how banks, insurers and superannuation trustees manage AI-related risks as the technology continues rapidly evolving.
This came via an APRA letter to industry on AI.
"APRA will apply its supervisory focus to entities’ AI adoption and manage the resulting risks. Where entities fail to adequately identify, manage or control AI risks in a manner proportionate to their size, scale and complexity, we will take stronger supervisory action and, where appropriate, pursue enforcement," the letter says.
'We're nowhere near letting AI loose on its own' - ANZ NZ CEO
Meanwhile Antonia Watson, ANZ New Zealand's CEO, told interest.co.nz last week that banks' chief information security officers work collaboratively with government, including the National Cyber Security Centre.
"So there's a lot of exchanging of information there. It's very clear what the steps are that you need to continue to take in order to make sure your cyber defences are as strong as possible," Watson says.
"In terms of AI in general, obviously we're all fiercely competing with each other and how you roll out AI can be one of those ways."
"I don't feel like we [banks] are or should be bleeding edge because our businesses rely on trust. We have a lot of very sensitive information," says Watson.
"But there's great use cases, you know, coding, agents that can help customers with inquiries, those sorts of things, and leave our staff to be dealing with some of the more complex stuff."
She says there are "some pretty strong risk mitigants and policies in place," with humans in the loop.
"So we're nowhere near letting AI loose on its own," Watson says.
*This article was first published in our email for paying subscribers early on Friday morning. See here for more details and how to subscribe.
We welcome your comments below. If you are not already registered, please register to comment
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.