Financial Services

The financial services industry in the EU is undergoing an unprecedented regulatory transformation. A wave of new legislation spanning AI, data governance, cybersecurity and operational resilience is not just reshaping compliance requirements but also redefining risk management, operational resilience and business operations.

The AI Act, GDPR, the Data Act, the Cyber Resilience Act (CRA), and DORA (Digital Operational Resilience Act) are not isolated rules but part of a broader push toward a more transparent, secure, and accountable financial ecosystem. While individually impactful, their collective effect represents a seismic shift in how financial institutions must manage governance, risk, and compliance (GRC).

This evolving regulatory landscape presents both challenges and strategic opportunities. Institutions that proactively integrate these changes into their GRC models won’t just ensure compliance—they will build resilience, enhance trust, and gain a competitive edge in the AI-driven financial world.

Financial institutions have long leveraged AI for credit scoring, fraud detection, risk modelling and algorithmic trading. The AI Act introduces specific obligations for these high-risk applications, including:

  • Pre-market conformity assessments to ensure AI models meet regulatory standards before deployment.
  • Continuous monitoring and bias prevention measures to mitigate unfair outcomes in AI-driven decisions.
  • Transparency and explainability requirements, ensuring that AI-driven decisions in lending, insurance, and wealth management can be justified and audited.

For financial firms, this means embedding AI governance directly within their risk and compliance structures, ensuring AI models remain ethical, fair and legally compliant. The AI Act, however, will not exist in isolation: it intersects with GDPR (General Data Protection Regulation) and the Data Act, particularly when financial institutions process personal or sensitive data for AI models.

GDPR remains the cornerstone of data protection, enforcing principles such as purpose limitation, data minimization, and individual rights over automated decisions. Financial institutions must ensure that AI-driven services comply with these principles while still leveraging large datasets for model training.

The Data Act, where applicable, will facilitate data sharing, aiming to increase innovation while ensuring fair access to financial data. Notwithstanding this, firms must navigate the tension between data portability, cloud switching and their privacy obligations under GDPR. The challenge is to unlock the value of data while respecting data protection, privacy and security obligations, ensuring that AI and other digital services and operations remain robust, compliant and resilient. The rise of cyber threats and digital operational risks has driven regulators to impose stricter cybersecurity and resilience requirements.

Aside from the Cybersecurity Act, two key regulations will shape financial services in this domain:

  1. The Cyber Resilience Act (CRA), which mandates that digital products and services, including AI-driven platforms, be secure by design. This aligns with the AI Act’s emphasis on robust, risk-mitigated AI models.
  2. DORA (Digital Operational Resilience Act), which imposes strict cybersecurity, third-party risk management, and incident reporting obligations on financial entities. AI systems used in trading, credit risk assessment, or fraud detection must be continuously monitored for vulnerabilities and security risks.

Together, these regulations aim to reinforce the need for a unified, proactive approach to operational risk management, ensuring AI and other digital financial tools are resilient against cyber threats and disruptions.

The challenge for financial institutions is not merely compliance with individual regulations but integrating them into daily operations and into a cohesive GRC strategy, which should at least factor in:

1. Strengthening AI & Data Governance

  • Establishing AI Risk Committees to oversee regulatory alignment, ethical AI deployment, and bias prevention.
  • Implementing explainability frameworks that meet both AI Act transparency requirements and GDPR’s fairness principles.
  • Defining clear data governance structures, ensuring financial AI systems comply with GDPR, the Data Act, and AI Act requirements.
  • Enhancing cross-border data policies and procedures.

2. Embedding Cyber Resilience into Compliance Strategies

  • Aligning AI security with DORA and CRA mandates, ensuring AI-powered financial services meet cybersecurity and incident reporting requirements.
  • Vetting third-party AI providers, ensuring they comply with both the AI Act and DORA’s strict outsourcing requirements.
  • Conducting regular security audits and penetration testing to reinforce AI system resilience.

3. Modernizing Regulatory & Compliance Functions

  • Leveraging RegTech (Regulatory Technology) solutions to automate compliance monitoring across the AI Act, GDPR, DORA and CRA.
  • Strengthening board-level accountability, ensuring senior leadership understands and oversees AI and cybersecurity risks.
  • Integrating AI and cybersecurity oversight within internal audit functions, providing continuous monitoring and compliance validation.

The regulatory landscape for financial services is undergoing a fundamental reset, where AI compliance is just one piece of a larger, interconnected framework governing data, security and operational resilience.

For financial institutions, these regulations may appear as compliance burdens, but they also present significant opportunities. For those willing to embed these regulatory changes into their core strategies, the future isn’t just about regulatory survival but about being an active player in the reshaping of this industry. By embracing this shift holistically, financial institutions can turn compliance into a competitive advantage, ensuring they not only meet regulatory obligations but also drive innovation, enhance resilience and build lasting customer trust.

Article by Dr Ian Gauci

This article was first published on timesofmalta.com on the 9th March 2025.

Photo: Shutterstock.com

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.