The Compliance Playbook: Navigating the Financial Services Industry’s Compliance Priorities in 2025

By Carol Beaumier and Bernadine Reese

The big picture: The financial services industry once again faces compliance risks that are increasingly diverse and complex.

Priorities by region: For 2025 we asked a larger-than-usual group of Protiviti colleagues across the globe to help identify the most pressing compliance issues in their market.

Common areas of concern: Artificial intelligence, financial crime, privacy and security, operational resilience, third party risk management, consumer protection, compliance function optimisation, and resourcing were identified as priorities in all regions.

Go deeper: Read about idiosyncratic issues in North America that have emerged from heightened uncertainty, regulators’ ESG focus in Europe and the U.K., and conduct and culture concerns in Asia-Pacific. We also look back at our 2024 predictions.

As we approach the new year, the financial services industry again faces increasingly diverse and complex compliance risks, driven by the continued rapid pace of technological innovation, geopolitical tensions, and national and regional priorities. Understanding and managing these risks is essential for maintaining stakeholder confidence, ensuring operational resilience, and identifying and exploiting competitive advantage. Meeting this challenge in 2025 will be a true test of the industry’s commitment and acumen.

Our 2025 priorities by region

In years past, we have categorised compliance priorities for financial institutions in various ways. We have grouped them under headings such as Uncertainty, Broader Risk Mandates and Traditional Issues. Last year, we divided them into External and Internal.
For 2025, we asked a larger-than-usual group of our Protiviti colleagues across the globe to help us identify the most pressing compliance issues in their markets – not a scientific survey, to be sure, but we believe a reliable one nonetheless. As we think it important to identify not only common areas of focus but also areas of divergence, we are sharing the regional groupings of the priorities. We do note, however, that there are far more common than divergent areas of concern and that in some instances the different priorities merely reflect a nuanced view of a common issue.

North America: Artificial Intelligence; Financial Crime; Privacy and Security; Operational Resilience; Third Party Risk Management; Consumer Protection; Compliance Function Optimisation; Resourcing; Heightened Uncertainty; Competitive Landscape.

Europe: Artificial Intelligence; Financial Crime; Privacy and Security; Operational Resilience (including DORA); Third Party Risk Management; Consumer Protection; ESG; Virtual Assets; Compliance Function Optimisation; Resourcing.

APAC: Artificial Intelligence; Financial Crime; Privacy and Security; Operational Resilience; Third Party Risk Management; Conduct and Culture; FinTech; Compliance Function Optimisation; Resourcing; Economic Implications.

In the following sections of this paper, we address the common priorities as well as specific regional priorities. We also comment on the importance of horizon scanning to maintaining an effective compliance programme, a topic we have also addressed in past years.
But before we address 2025, we want to reflect on how well we did with our 2024 projections.

2024 projections

For 2024, our groupings of External and Internal priorities included the following:

External: Artificial intelligence, consumer outcomes, operational resilience, culture and conduct, sanctions, supply chain, crypto fallout, and convergence of financial crime.

Internal: Compliance risk assessment, horizon scanning, risk in change, digital risk, compliance monitoring and resourcing.

We think regulatory guidance, enforcement actions and industry focus validated our 2024 issues, except for crypto fallout, which we included last year in part because we thought we had given crypto short shrift in 2023. This year, we have included crypto/virtual assets as a priority for North America (under ‘competitive landscape’) and Europe. Let’s see if we get it right this time.

Common 2025 priorities

Artificial Intelligence

To no one’s surprise, artificial intelligence (AI) is at the top of our list of compliance priorities. Seldom has a technology had such a pervasive impact on compliance risks. From fraud and deepfakes to anti-money laundering (AML) and sanctions, consumer protection, data privacy and operational resilience, AI is fundamentally changing how the financial sector operates. Given its potential, 41% of financial services firms surveyed in 2024 report that they are expecting to spend more than 10% of their digital budgets on gen AI alone.[1]

Different countries have taken distinctly different approaches to AI governance. These approaches, however, share one common objective: to reduce the risks of AI while allowing the industry to optimise its potential for enhancing both internal operations and customer engagement. In promulgating their expectations, global regulators are leveraging the core principles for AI as defined by the Organisation for Economic Co-operation and Development (OECD) and endorsed by the G20.
These principles include respect for human rights, sustainability, transparency, and strong risk management. The risk-based approach being deployed by regulators, as set forth in the EU AI Act for example, seeks to address proportionally the perceived risks that specific AI systems pose to core values like privacy, non-discrimination, transparency, and security.

We expect to see financial services regulators develop specific rules, requirements, and guidance to ensure that their current regulatory frameworks enable them to manage adequately the risks posed by AI. Given the broad impact of AI, these regulatory requirements may be substantial and tailored to the needs of a number of regulators in each country. Maintaining some degree of global alignment would be welcomed by the financial services industry, but may be challenging to achieve given the considerable benefits of being seen as AI-friendly and an innovation frontrunner.

Financial crime

The inclusion of financial crime on our list should not be a surprise since we have included it every year. Apart from the continued proliferation of new regulatory requirements and expectations, this year’s inclusion was spurred not only by attention-grabbing AML enforcement actions in North America, the U.K., the European Union and Asia-Pacific and by the continuing pressure on the industry to deal with an increasingly complex and dynamic environment for sanctions and export controls compliance, but also by heightened concerns about fraud.

Study after study shows a consistent rise in fraud across the financial services industry, with warnings from many fronts, including a recent advisory from the Financial Crimes Enforcement Network (FinCEN), that artificial intelligence will heighten fraud risk. The increase in consumer fraud has also led to debates about who should suffer the losses – the consumer, the financial institution, or possibly the technology platform used to promote the scam.
In the UK, this debate led to a new rule requiring payment service providers to reimburse consumers for up to £85,000 in authorised push payment (APP) fraud, i.e., frauds perpetrated when individuals are deceived into sending payments under false pretenses.

While many of the AML enforcement actions reminded us of the need to focus on the basics – customer due diligence/enhanced due diligence, risk assessment, comprehensive and timely transaction monitoring, adequate staffing and training, independent testing, management and board reporting, and a culture of compliance – the reality is that the industry will continue to lose pace with the bad guys (money launderers, sanctions evaders, and fraudsters) unless and until it makes better use of advanced technologies, such as machine learning (ML) and AI, and predictive analytics to identify potential financial crime.

Privacy and security

As digital transformation continues to drive business innovation and operational efficiency, the importance of data privacy and protection remains at the forefront. Financial services regulators continue to take action and fine institutions when their controls, or their responses to a cyberattack or significant data breach, are inadequate.

The increasing frequency and sophistication of data breaches, including through the malicious use of AI, underscores the necessity for robust data protection measures. For example, generative AI tools enable attackers to make smarter, more personalised approaches and mean that deepfake attacks will become increasingly prevalent. Combatting such attacks may come down to a combination of expanded and continuing education and awareness programmes and the use of AI to identify suspicious activity.

With the growing use of AI and ML in data management, regulators are paying closer attention to the privacy implications of these technologies. Modern privacy laws emphasise consumer rights, such as accessing, correcting, and deleting personal data.
Protecting these rights is becoming more robust, with new requirements expanding on existing frameworks to give consumers greater control over their data. We expect regulators to increase their focus on consumer rights and consumer protection issues arising from data breaches.

Operational resilience

Regulators globally continue to implement regulatory changes and programmes of work to ensure that financial institutions meet the resilience challenges of a digital age.

The most significant business disruption of 2024 was undoubtedly caused by the cybersecurity company CrowdStrike when a software update created widespread problems with computers running the Microsoft Windows operating system. As a result, roughly 8.5 million systems crashed and were unable to properly restart in what has been called the largest outage in the history of information technology. Regulators were keenly interested in what happened and how affected companies dealt with the problem, bringing even more scrutiny on third-party risk management programmes (discussed in more detail below).

2024 has been the year of DORA (the EU’s Digital Operational Resilience Act). Its implementation deadline of January 2025 means that affected financial institutions have been busy implementing the many changes relating to its key requirements.[2] Due to the inclusion of intragroup outsourcing arrangements within the coverage of DORA, many global financial institutions are finding that their operational resilience group policies need to be updated.

Third party risk management

The financial sector increasingly relies on third parties for technology and other services, allowing it to embrace innovation and improve efficiency. Management and oversight of increasingly complex third-party arrangements is a growing challenge. In addition, large parts of the sector rely on a small number of third parties for key services.
The impact of disruption to these services (e.g., the CrowdStrike incident) could spread through the financial system and threaten financial stability and market integrity or trigger a loss in confidence. This concentration is most notable in technology and cloud computing, where the dominance of a few Big Tech firms makes it challenging for individual financial services firms, particularly smaller institutions, to negotiate terms. As a result, exercising the oversight expected by regulators, or demanding information or changes, is more difficult to accomplish.

Increasing risk awareness is driving some regulators, e.g., in Europe and the UK, to designate these significant third parties as critical third-party providers, bringing them into the regulatory perimeter. In the U.S., the Bank Service Company Act (BSCA) has for a long time given prudential bank regulators significant authority to oversee and regulate the activities of service companies that provide services to banks. We expect financial services regulators to increase their focus on providers that they do not directly regulate but that are critical to the operational resilience of the overall financial system. While individual firms remain responsible for operational resilience, we expect to see the regulators taking action to drive greater operational resilience measures from technology and critical non-technology third party providers.

Consumer protection

A growing list of egregious failings by financial services companies for mis-selling financial products, misleading or mistreating groups of consumers and taking advantage of the information asymmetry that exists between firms and retail consumers has contributed to many regulators taking increasingly significant action to protect retail consumers.
In the U.S., the Consumer Financial Protection Bureau (CFPB), which is expected to be reined in under the incoming administration, has pursued an aggressive agenda of consumer protection, targeting both traditional financial institutions as well as other providers of consumer services. Regulators, such as the U.K.’s Financial Conduct Authority, have imposed new “Consumer Duty” requirements which require financial institutions to act to deliver good outcomes for retail clients. This outcomes-based requirement imposes an output-led standard rather than the internal process-led approach that has historically been used. In Australia, a number of consumer protection initiatives – including new scam protection laws, legislation focused on consumer protection on online platforms, and new draft crypto guidelines – highlight the priority placed by Australian legislators and regulators on consumer protection. Protecting consumers in the digital marketplace is also a high priority in Canada. We expect to see a continued focus from other regulators globally on consumer protection and mis-selling concerns.

2025 is also likely to bring greater scrutiny on how customers in financial difficulty and vulnerable customers are treated; how products are developed, tested and governed; and whether retail customers receive value from the products they buy. Disclosure of information to customers can no longer be considered sufficient – whether customers understand such material also needs to be assessed and evidenced.

Compliance function optimisation

Financial institutions continue to grapple with optimising their compliance functions. Related to the Resourcing topic below, many institutions approach optimisation as a cost-cutting exercise. But asking an overstretched compliance function to do more with less is not optimisation.
Those institutions that take this narrow view will ultimately fall short of meeting their compliance obligations and will spend even more money to make matters right. Compliance optimisation is about enhancing the overall effectiveness, efficiency, sustainability, and competitive edge of the compliance function. Any proposed changes to the compliance function should be viewed through each of these four lenses.

Resourcing

Effective compliance management requires investment in people. Far too often, as evidenced in regulatory enforcement actions, financial institutions bow to cost pressures and compliance departments, like other cost centres, become targets for cost savings. But even institutions that don’t succumb to this ill-advised strategy often face challenges in recruiting, training and retaining the talent needed to be effective.

Solving this challenge requires thoughtful consideration of compliance options, some creativity and the right environment. For example, institutions could make better use of technology to perform routine tasks and/or co-source or outsource some people-intensive tasks, freeing up internal staff to focus on strategy and decision-making. Management could also broaden recruiting efforts to consider people with non-traditional backgrounds who have an interest in and can be trained on compliance requirements; this could involve partnering with local colleges and universities to identify promising candidates and offering internships. Most importantly, institutions need to demonstrate a strong culture of compliance and provide career paths for compliance professionals if they expect to attract and retain qualified talent.
Notes

[1] https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai

[2] Key requirements include information and communication technology (ICT) risk management; ICT third-party risk management; digital operational resilience testing; ICT-related incidents; information sharing; and oversight of critical third-party providers.

[3] https://pestleanalysis.com/what-is-pestle-analysis/