As we step into 2025, the regulatory landscape is changing radically. We are seeing a pronounced divergence in the level of regulatory intensity globally. The Trump administration is following through on its commitment to deregulation. In response to this regulatory laxness in the U.S., the European Union (EU) may adopt a more interventionist stance in its banking regulation, with the aim of setting the regulatory bar for enhancing consumer protection, promoting stability and public trust in the financial system, and championing sustainability. The UK is splitting the difference, balancing consumer protection against a reluctance to dampen innovation and the opportunity for industrial development presented by AI and cryptocurrencies.
Here is a page from our 2025 Risk Previsory Report detailing the major non-financial risk regulations of the past few years and what we expect in 2025.
The continuing influx of new regulation and the shifting regulatory landscape are not just a matter of compliance; they are a driving force behind technological advancements in the financial sector. Despite loosening regulations in the US, global financial institutions (FIs) still must adapt to recent regulations such as DORA, the AI Act, and AML6 in the EU, and the Economic Crime and Corporate Transparency Act (ECCTA), PSR Measure 3, and the AI regulation Bill in the UK. This article delves into three trends we see in how regulations are driving technology transformation in Financial Services.
Trend 1: Operationalizing Operational Resilience
The Digital Operational Resilience Act (DORA) officially came into full effect last month. For many large banks, the groundwork for compliance with DORA has been laid for quite some time. They have made strides in identifying critical business services, establishing robust testing regimes, and enhancing their third-party risk management (TPRM) strategies. However, the real test begins now, as organizations must demonstrate their operational resilience in practice. Interestingly, a recent survey revealed a shift in priorities among Risk and Compliance (R&C) executives, with operational resilience dropping from the top position in 2023 to fourth place in 2024. In contrast, during that same time frame, Banking Line executives elevated operational resilience to one of their top five priorities in 2024, after neglecting to include it in their top five priorities for 2023.
The responsibility for ensuring operational resilience now extends beyond second-line Risk executives and teams to first-line executives and operations. Boards and senior management are now required to attest to their banks' operational resilience, emphasizing a culture of accountability throughout the organization.
DORA also reflects a global trend in operational resilience regulations that require banks to scrutinize third-party risks more closely, particularly those associated with their IT partners. However, DORA is uniquely pioneering a new level of regulation by extending direct regulatory oversight beyond banks to these IT providers. It establishes a direct oversight regime for "critical" Information and Communication Technology (ICT) providers, exercised by the European Supervisory Authorities (ESAs). This regulatory framework will compel IT providers to adapt significantly to meet the scrutiny that banks have long been accustomed to. These providers will now be responsible for reporting operational incidents, such as outages and cybersecurity breaches, while also adhering to enhanced cybersecurity requirements. Additionally, IT providers must bolster their TPRM capabilities to effectively manage risks associated with their own subcontractors and establish or enhance internal organizations to respond to regulatory inquiries.
Trend 2: Learning to Trust AI
Looking beyond DORA, we see the emergence of the EU’s AI Act, the AI regulation bill in the UK, and various state-level laws in the U.S., particularly in California, all of which are set to drive technological transformation aimed at consumer protection. Companies will struggle to meet the extensive requirements of the AI Act, so as firms roll out their AI initiatives, engaging with regulators on an individual basis will be crucial. Financial institutions are increasingly leveraging AI's predictive capabilities, transitioning from rules-based systems to machine learning models. However, due to regulatory concerns, most banks are cautious about entirely replacing rules-based decision-making systems, opting instead to integrate machine learning models alongside existing frameworks.
Regulatory caution is notably slowing the adoption of AI, particularly generative AI (Gen AI), as banks remain hesitant to be the first to implement these technologies in core Risk and Compliance processes. Instead, we see more significant adoption occurring in ancillary processes.
Trend 3: Balancing Privacy and Information Sharing
The balance between privacy and information sharing is also evolving, especially in the context of combating financial crime. In the U.S., Section 314(b) of the Patriot Act permits banks to voluntarily exchange information on customers and transactions, fostering collaboration to combat financial crime. Conversely, European banks face challenges in utilizing data to enhance their AI models while adhering to stringent consumer privacy laws. The implementation of the General Data Protection Regulation (GDPR) has tilted the balance heavily towards privacy, as evidenced by the termination of the TMNL data-sharing initiative among the three largest Dutch banks due to privacy concerns. This situation underscores the tension between the need for data access to improve AI capabilities and the imperative to protect consumer privacy.
In response, regulatory bodies are crafting legislation that facilitates data sharing among banks while respecting privacy rights. The recent passage of the Anti-Money Laundering (AML) Directive 6, which includes Article 75, explicitly enables data sharing for anti-money laundering and countering the financing of terrorism (AML/CFT) purposes. This directive aims to provide banks with a robust legal framework for sharing information that can help identify and mitigate financial crime risks. Similarly, the UK's Economic Crime and Corporate Transparency Act (ECCTA), enacted in October 2023, enhances anti-money laundering powers and supports targeted information sharing to combat economic crime. These regulatory developments necessitate that banks invest in technology solutions capable of securely managing sensitive data while complying with privacy and regulatory requirements.
To navigate these complexities, banks are increasingly adopting technical solutions, such as anonymization technologies. Privacy-enhancing technologies (PETs), including federated learning and homomorphic encryption, allow banks to share data without compromising personally identifiable information. Industry organizations are exploring ways to implement PETs to facilitate data sharing among European banks and approach the level of data sharing seen in the U.S.
As the volume of regulations continues to surge, generative AI presents financial institutions with a transformative opportunity to manage the relentless influx of regulatory changes. Gen AI can streamline regulatory change management processes by interpreting new regulations, identifying applicable existing policies, drafting new policies to address compliance gaps, and mapping existing controls to new requirements. It can also automate the generation of regulatory reports and help deduplicate existing policy libraries, significantly enhancing operational efficiency in a highly regulated environment.
In conclusion, as we move further into 2025, the relationship between regulation and technology adoption will continue to shape the financial landscape. Organizations must remain vigilant in adapting to these evolving regulations while leveraging technological advancements to enhance their operational resilience and compliance capabilities. The ability to navigate this complex landscape will be crucial for financial institutions seeking to thrive in an increasingly regulated environment.