The Risk and Reg Edit: Summer 2025 edition
Digital technologies are swiftly becoming part of day-to-day activities across financial services – from artificial intelligence (AI) being embedded into everyday tasks to newer technologies, like quantum computing and cryptocurrencies, also taking effect. And as part of the FCA’s five-year strategy, how organisations use technology is becoming an increasing priority across financial services.
In this edition of the Risk and Reg Edit, we focus on how newer technologies are being used and their impact on the world of financial services risk and regulation – both as a source of risk, and as a tool for improvement, opportunity, and growth. What are the very latest developments in this space? How are they shaping the future? And what actions should Risk and Compliance leaders be taking?
Using advanced technology to redefine Financial Crime defences
While AI dominates today’s headlines, effective financial crime transformation isn’t about chasing the latest technology trends; it’s about integrating advanced capabilities into the heart of the operating model, whilst focusing on real-world impact.
Leading firms are moving away from treating technology as a side agenda in their fight against financial crime. As their risk functions embed technologies such as machine learning, network analytics, optical character recognition, and natural language processing across their entire financial crime framework, this is unlocking new levels of precision, agility, and efficiency.
Crucially, in this open-ended area, success comes from deploying technology where it demonstrably identifies more risk or reduces operational burden. Across leading UK and global banks, this pragmatic approach has delivered a 2-4× uplift in suspicious activity detection and slashed false positives by 60 percent or more, freeing up key resources for higher-value investigative work. With the rapid acceleration of technology, detection rates and operational gains are likely to grow even further, while the broader, indirect benefits of these tools, such as improved customer trust and industry resilience, are only beginning to emerge.
Regulatory expectations are also rising swiftly. Authorities such as the FCA are moving from tolerance to explicit expectation, with model governance, explainability and lineage under increasing scrutiny. Firms that treat data and technology as foundational, rather than compliance afterthoughts, are pulling ahead, translating operational savings into fresh investment and talent.
Meanwhile, the data challenge is fast becoming a differentiator. The arrival of Smart Data schemes and Open Finance will accelerate secure data sharing. Those quick to adopt tactical data integration, through virtualisation, will turn data fragmentation into a competitive edge.
To translate these into outcomes, senior management should mandate piloting technology on targeted pain points, with clearly defined metrics for impact. They should prioritise pragmatic data integration and automated lineage over big-bang data programmes, to ensure robust model risk governance and explainability in every AI use-case. This must happen in tandem with upskilling teams through co-pilots and dynamic retraining to drive measurable productivity gains across operations.
In short, the future of financial crime defence is not about who shouts loudest about AI, but about deploying it with responsibility and clear purpose, upholding trust, protecting customers, and strengthening the integrity of the financial system.
Cyber security and Scenario planning
Cyber security is no longer a technical matter for IT departments – it’s a strategic priority across financial services. Financial institutions face growing external threats and increasing resilience requirements, with the UK’s Cyber Security and Resilience Bill signalling a further step-change in expectations. In parallel, regulatory frameworks such as the UK’s Operational Resilience regime and the EU’s Digital Operational Resilience Act (DORA) now also encourage firms to undertake rigorous scenario testing. Boards need to do more than just aim for compliance: embedding scenario testing into risk management frameworks demonstrates leadership on resilience, and enhances preparedness for attack.
Financial institutions use many forms of scenario testing, depending on resource availability and the maturity of their Operational Resilience programmes. These range from basic drills that test key processes to highly sophisticated no-notice simulations that stretch participants to their limits. Most often, testing involves desktop exercises using scenario-based discussions, and simulations that rehearse response and recovery within a limited timeframe.
Our experience suggests that the industry’s use of scenario testing is becoming more sophisticated, extensive and frequent. However, the limited involvement of third-party vendors is a relative area of weakness. To take their testing programmes to the next level, key steps for CROs to consider are:
- Including all outsourced activities in scope, identifying any friction points or decision-making gaps involving third parties
- Refreshing plans yearly and conducting tests regularly, evolving simulations in line with changes to tech and data infrastructure
- Involving key functions and stakeholders, encouraging board members to attend and testing their strategic thinking under pressure
- Including media and stakeholder reaction for greater realism – such as social media storms, customer complaints, and regulatory enquiries
- Identifying ambiguities and weaknesses that require remedial work, clarifying risk appetite, timelines, and decision-making authority where needed.
Strengthening cyber security and scenario testing in this way not only meets rising regulatory expectations, but it also builds lasting confidence in a firm’s operational resilience from the inside out.
AI and the future of Third-Party Risk Management
The pressure on financial institutions to master third-party risk management (TPRM) continues to climb. Both the operational resilience and TPRM-specific requirements of UK regulators and the EU’s DORA have pushed up standards, and incidents like 2024’s CrowdStrike outage have forced TPRM up the resilience agenda.
As many firms’ risk functions aim to level up their TPRM resources, AI has the potential to enhance the productivity and performance of TPRM. But how can risk functions make the most of this exciting technology?
To date, many financial institutions have not utilised the full range of AI use cases in TPRM. One obvious possibility is to streamline labour-intensive tasks such as documentation reviews. Other easy wins include using generative AI to enhance the efficiency of under-pressure risk teams.
More sophisticated ways to make TPRM faster and smarter with AI include mapping the vulnerabilities of fourth and fifth parties to generate intuitive visual risk guides, and moving from periodic resilience tests to intelligence-led, real-time risk monitoring. Looking ahead, new solutions could support scenario-based incident response and testing, or use agentic AI for third-party reviews.
To leverage AI for TPRM, CROs should start by studying use cases, talking to vendors, and engaging with expert forums. It’s important not to overlook the basics, but CROs should also be open to AI’s potential to put TPRM on a more proactive footing. However, it’s important to remember that AI can create risks too. Getting the most out of AI depends on putting suitable guardrails around testing and implementation.
Addressing vulnerability with agentic AI
Financial customers in vulnerable circumstances have been a key focus of regulators in recent years.
The FCA’s review of the treatment of vulnerable customers (VCs) in March 2025 found room for real improvement, but the challenge now is to go beyond identification and consistently provide all consumers, including those who are vulnerable, with appropriate support.
Vulnerability comes in many different forms, and intelligent, flexible approaches are needed if firms are to provide targeted, timely interventions.
This is where agentic AI, subject to appropriate oversight, can be a potential gamechanger. Agentic tools have proven potential to help firms deliver good outcomes for vulnerable customers by prompting, initiating, and supporting appropriate interventions. This includes:
- Identifying and analysing priority customers early, including different types of vulnerability
- Suggesting mitigations in real time, monitoring conversations, and providing live guidance that enables staff to make the right interventions
- Delivering follow-up steps, such as personalised communications, or providing proactive coaching to elevate staff skills
- Providing a single, automated overview of customer interventions and interactions – demonstrating that firms are meeting their responsibilities.
Agentic AI is not the whole solution, given the sophistication of customer needs and the requirement to train agents securely using appropriate data sets. But the potential rewards for customers and firms are great. With the right safeguards and implementation, agentic AI has the potential to transform outcomes at scale, consistently and reliably.
Quantum computing in financial services
Investment in quantum computing (QC) continues to grow, and financial regulators are stepping up their focus on this new technology. QC uses the behaviour of sub-atomic particles to perform calculations vastly faster than current computers. The potential gains are huge, but QC also threatens to make today’s commercial encryption obsolete – putting data protection, secure communications, and digital verification at risk.
The FCA’s forthcoming guidelines on QC will be mandatory reading for financial firms. We expect the guidelines to stress the upsides in areas like efficiency and analytics, alongside potential dangers such as black box risk, third-party exposure, and market disruption. Above all, the FCA is likely to emphasise the vital need to develop post-quantum cryptography (PQC) solutions.
The National Cyber Security Centre’s (NCSC’s) guidance of March 2025, which sets out indicative timelines for regulators and other institutions, provides a likely baseline here. The NCSC’s key milestones include developing an initial migration plan by 2028, carrying out high-priority migration by 2031, and completing PQC migration by 2035. Detailed planning for PQC may not yet be feasible, but financial leaders need to begin grappling with this immense challenge. To get on the front foot, CROs can:
- Stay on top of the latest developments, engaging with technology vendors on their plans for PQC
- Begin compiling a full asset register that maps current use of encryption
- Develop QC working groups or teams, building awareness among senior stakeholders
- Engage actively with the topic, for example, with a brief public statement of intentions
- Begin preparing for future regulations that will mandate migration to PQC.
Quantum computing is not just a technological evolution; it’s a strategic imperative. Financial firms must act now to understand its impact, mitigate emerging risks, and prepare for regulatory shifts. Early engagement and proactive planning will be essential to safeguard digital infrastructure and maintain trust in the quantum era.
Stablecoins
A few years ago, most national regulators and financial firms saw cryptoassets, including private coins such as Bitcoin, as highly risky assets with limited upside. The association with criminal activities, including money laundering and hacking, also prevented many from involving themselves in the market. This has changed dramatically in recent years, heavily influenced by President Donald Trump, who has tilted the US in a strongly pro-crypto direction.
The main assets that have benefitted from the recent changes in regime are stablecoins – digital tokens whose value is tied to an underlying asset, usually the US dollar. Adoption is growing rapidly; the total market value of stablecoins in circulation rose from $1bn in 2019, to $10bn in 2020, to over $250bn today. Stablecoins have become the acceptable face of crypto, and a valuable bridge between digital finance and the world of traditional finance. The fact that 99 percent of stablecoins are tied to the dollar has meant many in the US see the expansion of stablecoins as a way of increasing the demand for the dollar and US treasuries.
The combination of the GENIUS and Clarity Acts provides a US-wide framework for the oversight of issuers, either via financial regulators (for bank issuers) or the OCC (for non-bank issuers). The Markets in Crypto-Assets (MiCA) regulation establishes EU regulation of stablecoins and other cryptocurrencies, and the UK’s FCA is due to finalise its approach in 2026. Common regulatory requirements include issuer licenses, full backing by good quality liquid assets, convertibility at par, segregation of reserves, and transparent reserve reporting. But the novelty of stablecoins means questions remain unanswered over potential systemic risks, such as a ‘run’ of redemptions on a stablecoin issuer.
Mainstream financial institutions are increasingly interested in the opportunities that stablecoins provide for issuance, trading, and payments, with some countries leading the way in this area. However, rapid growth and innovation also create potential risks. Firms must be alert to the requirements of regulation and potential hazards, such as volatility or fraud. Against this background, CROs should consider:
- Engaging with supervisors such as the FCA over the future form and requirements of stablecoin regulation in the UK
- Monitoring regulatory and commercial developments in the US, such as the forthcoming STABLE Act and the performance of stablecoin issuer Circle after its recent IPO
- Assessing the wider, long-term implications of stablecoins for financial services and financial systems.
Stablecoins are transitioning from fringe crypto instruments to mainstream financial tools. As adoption accelerates, CROs should proactively engage with regulators, track developments like the STABLE Act and Circle’s IPO, and evaluate the long-term impact on financial systems. Strategic foresight and regulatory alignment will be key to navigating this fast-evolving space.
People trust us because of our deep knowledge of the regulatory system. Our experience working with regulators, banks, insurers, building societies, and others means we’ll give you advice that works in the real world. If you’d like to discuss any of these issues in depth with our experts, you can do so here.