This article is part of Coenobium Advisors’ three-part series on technology risk governance, as featured on our video podcast, Risk Matters.
Participants in the financial services industry and their regulators are increasingly faced with the challenge of maintaining financial stability in the context of a rapidly developing technology landscape. Payments and other transactions are moving closer and closer to real-time. Cryptocurrencies and other crypto assets have officially moved inside the European regulatory perimeter and their underlying distributed ledger or blockchain technology is finding a range of both financial and non-financial uses. Artificial intelligence (AI) and particularly generative AI (GenAI) are beginning to transform interactions between banks and their customers.
As banks become more technology dependent, cyber threats and other technology-driven risks raise real financial stability concerns for regulators. But the genie has already been let out of the bottle and there is no putting it back. To remain competitive, banks must adopt, and adapt to, the new technologies and, faced with an ever-higher regulatory bar and higher security standards, must intelligently manage the related risks.
In our recent article, “Governance and Technology Risk in a Dynamic Global Environment,” we highlighted several of the new technology-based regulations being rolled out in the European Union. We emphasized that supervisory boards and management bodies of banks and other financial institutions are at the crossroads of technological change and transformation, heightened regulatory requirements for operational and technology risk (including information security and data privacy), and a dynamic, technology-driven risk landscape.
In this article, we consider the specific challenges and risks related to digitization, touching briefly on the most significant new regulations and outlining key risk and compliance strategies that are broadly applicable to most financial entities.
1. The Aim: Financial Stability
What is Financial Stability?
Financial stability is a core objective for regulators and supervisory authorities in both Europe and the US. While definitions may vary slightly, the concept typically refers to the ability of the financial system to function effectively and absorb shocks, ensuring continuous service to consumers and businesses.
In the European Union, financial stability is typically framed by institutions such as the European Central Bank (ECB), the European Systemic Risk Board (ESRB), and national central banks, as having the following key elements:
- Resilience to Shocks: The financial system must be able to withstand economic and financial shocks without significant disruption to financial intermediation (e.g., lending, payments, investment).
- Effective Functioning of Financial Markets: Markets should remain liquid and efficient, ensuring confidence and preventing panic or disorderly market conditions, recognizing that disruptions in the financial markets can affect confidence in the broader economy.
- Maintenance of Credit Flows: Banks, non-bank financial institutions, and capital markets should maintain credit flows to the real economy, ensuring businesses and consumers can access credit appropriately in normal and stressed conditions alike.
- Systemic Risk Mitigation: Systemic risks—especially those arising from interconnectedness among financial institutions, cross-border activities, and market behaviors—should be identified, monitored, and effectively mitigated.
- Policy Coordination: The ECB and ESRB stress the importance of coordination between monetary policy, macroprudential policies, and fiscal policies to ensure overall financial stability.
The ESRB in particular is focused on preventing and mitigating systemic risks to financial stability and emphasizes the importance of macroprudential oversight to monitor risks that may arise at the systemic level, including interconnectedness, cyclical patterns, and non-bank financial intermediation. And while the ECB has traditionally defined financial stability as “a condition in which the financial system… can withstand shocks without major disruption in financial intermediation and in the effective allocation of savings to productive investment,”1 and in the past has concentrated more on prudential regulation and supervision of credit and market risks, in recent years its focus has shifted more and more towards operational risk and resilience, as evidenced by its most recent (2024 – 2026) strategic priorities. In part, this development reflects the new risk landscape that has emerged as a consequence of the application of new technologies and digital banking.
In the US, financial stability is overseen by the Financial Stability Oversight Council (FSOC) chaired by the Secretary of the Treasury, with voting members being the heads of key financial regulatory agencies including the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Securities and Exchange Commission (SEC), and the Consumer Financial Protection Bureau (CFPB), along with an appointed insurance industry representative. Similarly to the EU, the US authorities emphasize the importance of a resilient financial system that can withstand adverse economic and financial conditions. For example, the Federal Reserve considers financial stability to mean a situation in which “banks, other lenders, and financial markets are able to provide households, communities, and businesses with the financing they need to invest, grow, and participate in a well-functioning economy—and can do so without making the system more vulnerable to sharp downturns.”2 The FSOC, for its part, emphasizes the mitigation of systemic risks to ensure that systemically important financial institutions (SIFIs) and financial markets can withstand significant shocks.
As one would expect, there are a number of common themes across the European and US regulatory landscapes when it comes to financial stability, whose key elements typically include protection against systemic risks, continuity of critical financial functions, crisis prevention and management, and market discipline and transparency.
Current Risks to Financial Stability
While there are some regional variations in the specific risks to financial stability as currently prioritized by European and US financial regulatory and supervisory authorities, there is generally broad agreement in several key emerging areas. Among other things, these include the growing importance of geopolitical and climate-related financial risks, and increasingly the resilience of both the banking and non-bank financial sectors and the implications of cybersecurity threats. These risks are all highly interconnected, with the result that the incidence of any one of them has the potential to exacerbate the others and to lead to broader financial instability.
In particular, in both Europe and the US, concern has been growing over the recent confluence of geopolitical, cybersecurity and technology risks, which some fear has created a self-reinforcing feedback loop with worrying implications for the vulnerability of critical financial infrastructure, especially in a highly digitalized banking environment. In this context, it is important to understand the challenges represented by digitization, what the regulatory and supervisory reaction has been to them, and what the key implications are for banks as they develop and implement their digitization strategies.
2. The Challenge of Digitization
We see digitization as a set of overlapping trends, enabled by technology, that are changing the characteristics of financial activities and their related risk profiles in a variety of significant ways. If not managed properly, the risks associated with these trends can contribute to reduced operational resilience and heightened systemic risk, potentially undermining financial stability. Specifically:
- Digitization reduces reaction times. Increasingly, payments are happening in real time. In Europe, instant payments through the Single Euro Payments Area (SEPA) instant credit transfer scheme are gaining traction, and planning for the digital euro is well along the way. In the US, consumer services such as Venmo and Zelle, and the Federal Reserve’s FedNow instant payment service for participating banks, are increasingly accepted as alternatives to card payments. Other transaction types, such as trading and settlement or credit underwriting, are going through similar transformations.
Even historically slower activities, such as customer onboarding and Know-Your-Customer (KYC) due diligence, are increasingly being carried out in near-real time through digital channels, employing services that leverage biometrics, distributed ledger technology (DLT), and real-time background checking. These technologies are turning completion times from days to minutes.
Fintechs are making heavy use of these and other such innovative technologies to disrupt and disintermediate traditional processes, and fintech partnerships with banks and other financial institutions are one of the primary vectors in the acceleration of transaction speed. As financial transactions approach real time, the interval available to detect and react to cyberattacks, fraud, or operational errors is becoming vanishingly small, and cases have emerged which suggest that regulated entities and their fintech partners have not always thoroughly anticipated how these risks would be controlled. Meanwhile, regulators continue to hold traditional regulated financial institutions, like banks, insurance companies and securities dealers, fully responsible for risks related to the services they provide, irrespective of how or from where they source them.
- Digitization may turn traditional financial products into crypto (or crypto-like) products. Cryptocurrency was born in the aftermath of the 2008 financial crisis as an alternative financial system designed to avoid the costs and the regulatory burdens of traditional finance. A decade and a half later, crypto technology is moving inside the regulatory perimeter, a development seen by many as essential to its continued acceptance.
While debate continues regarding the long-term value proposition of specific cryptocurrencies themselves, the finance industry is coming to embrace their underlying distributed-ledger technology as the way to transform potentially all financial products into cryptographically secured digital assets on distributed ledgers, whether public or permissioned. Today, it is much more likely that many or even all traditional financial assets, including currencies, will eventually become digital assets through tokenization than it is that cryptocurrency-based assets and decentralized finance (DeFi) will altogether replace them and the robust regulatory infrastructure that surrounds them.
- AI is a critical enabler for digitization. Many important financial activities already happen without human intervention. Models that satisfy most definitions of artificial intelligence are already authorized to approve many routine credit decisions and payments, while problematic cases (e.g., payments that generate fraud alerts) are funneled to human beings for approval or after-the-fact investigation. GenAI and large language models (LLMs) are greatly increasing the scope for this automation.
- Technologies verifying digital identities are evolving. It has long been appreciated that the safety and soundness of most financial transactions rely on good KYC. However, even the best KYC is rendered ineffective in situations in which institutions cannot reliably verify that a person or entity they are transacting with is who they claim to be. This poses challenges for both financial institutions and their supervisors, as fewer and fewer transactions involve human interactions between the bank and the customer. In response, digital solutions to confirm identity are increasingly necessary and are becoming more sophisticated and gaining wider use.
Some of these (e.g., digital signing of documents or multifactor authentication) are well-established techniques, routinely used in both consumer and business banking. Other higher-tech solutions, such as biometric identification and privacy screening-and-protection devices, are entering the consumer market. Likewise, in the B2B market, the not-for-profit Global Legal Entity Identifier Foundation’s familiar Legal Entity Identifier (LEI) is being enhanced as a comparable identity verification tool for business entities through the recent introduction of the verifiable LEI, or vLEI. Nevertheless, a clear industry standard has yet to emerge, and when it comes to matters such as widespread adoption, integration, and interoperability, there appears to be still quite a long way to go.
- IT approaches are evolving to support digitization. The IT industry thrives on change. Distributed ledgers, cryptocurrencies, AI, and the global ubiquity of mobile devices are perhaps the key technological drivers of digitization, but these innovations are also forcing a wave of transformation in the way in which technology and technological processes are managed. IT applications, processing, and data are increasingly moving onto cloud platforms; cybersecurity, for systems both online and offline, is becoming even more critical; and the share of IT processes managed and delivered through third-party providers is growing, compared with the more traditional model of in-house IT departments. Banks’ operations, risk management, and governance all need to evolve in response to these developments and to the regulatory reaction they engender. According to one European banking supervisor:3
“It’s incumbent on institutions to be aware of the impact of digitalization, especially on their business model… Have they assessed the potential impact on the sustainability of their business model—meaning their future profitability in that context—and do their governance processes have appropriate line of sight into what those strategies are and what the execution capabilities are? Do their governance processes have appropriate information about the strategies that are being undertaken?”
Taken together, the breadth and pace of these changes require that many banks rethink their risk and control approach to technology. Specifically, they will need to balance the enablement and rapid deployment of new and innovative technologies that enhance competitiveness and cost efficiency with the ability to manage and control new, evolving, and often distributed risks in ways that meet increased regulatory requirements and supervisory expectations around consumer protections and financial stability. The same need to rethink the approach also applies to regulators and supervisors, who are in a position to leverage their experience and their unique perspective into emerging risk issues, in order to provide valuable guidance and to set industry standards.
3. A New Wave of Regulation for Digital Banking
Regulatory Developments
In our previous article, we noted the large body of recent financial and cross-industry regulation in the EU, bearing on IT risk governance for financial and non-financial entities alike. With respect to digital finance, the European Central Bank (ECB) has focused on several pieces of regulation as foundational:4
- The Digital Operational Resilience Act, or DORA, with its accompanying technical standards, provides a broad framework for information and communications technology (ICT) risk management and its supervision by regulators.
- The Markets in Crypto Assets (MiCA) regulation defines an EU-wide legal framework for the offering and trading of cryptocurrencies and other digital assets by established financial entities and crypto startups. It also sets out rules for crypto asset service providers applicable to both banks and non-banks offering such services.
- The revised Regulation on electronic identification and trust services for electronic transactions (eIDAS 2.0) establishes a framework for secure electronic identification and trust services within the EU, facilitating cross-border recognition of electronic IDs, and introduces the European Digital Identity Wallet that each member state must make available to its citizens and residents. The regulation aims to enhance the security and efficiency of digital services, thereby fostering trust in electronic communications.
- The Artificial Intelligence Act, or AI Act, lays out a risk-based framework that harmonizes rules for the placing on the market and deployment of AI systems across all industries. The AI Act prohibits certain practices (with narrow exceptions, for example for law enforcement, and with military and national security uses outside its scope altogether); designates certain AI systems as high risk and subjects them to specific requirements; imposes transparency requirements on certain other AI systems; addresses general-purpose AI models, such as large language models (LLMs); and sets out a supervisory approach and support for innovation.
The EU’s regulatory approach to digitization wisely recognizes that, in managing ICT risk, everything is connected to everything else. Digital operational resilience requires effective cyber-risk management; but it also requires effective IT change management, IT capacity management, backup management, log management, data center disaster recovery and business continuity management, identity and access management, third-party risk management, and, critically, the maintenance of data repositories that accurately catalog the firm’s inventory of hardware, software, and information assets, along with their related configurations. DORA is largely concerned with these IT risk fundamentals, which are not only required for traditional IT and banking services, but which should also be considered a necessary foundation for supporting the new requirements of an institution’s strategy for crypto assets and AI. The EU also recognizes that there are many established frameworks that banks have selected and built upon and accepts that, as long as the basic regulatory requirements are met, there is no “one size fits all” approach.5
At the US federal level, there are parallels but with important differences. Much of DORA’s content has been addressed for depository institutions through interagency guidance, and in particular in the Federal Financial Institutions Examination Council’s (FFIEC) longstanding and extensive IT Examination Handbook program.6 More limited guidance is also published by the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for their registrants. The National Institute of Standards and Technology (NIST) publishes extensive information on general IT risk management, cloud, and cybersecurity, including advanced topics such as post-quantum cryptography.7 NIST standards are only binding on US federal agencies, but they are widely respected as reference sources throughout industry.
The US currently does not have an overarching legal and regulatory framework for crypto assets. Certain specific offerings have been approved: for example, in early 2024 eleven asset managers received permission to offer Exchange Traded Funds (ETFs) based on spot Bitcoin prices.8 In addition, regulators have generally allowed transactions involving the tokenization of traditional investment assets for distribution and trading through distributed ledger technology. Issuance and trading of cryptocurrencies, however, is problematic. The SEC and the CFTC have both brought court cases against various crypto firms and individuals, claiming these activities violate existing regulations for securities or futures. Many crypto startups are avoiding the US market and most traditional institutions have delayed entry until the regulatory situation is clarified. Various pieces of crypto legislation have been drafted and the industry is hoping for action at the end of the current presidential administration or early in the next.
With regard to AI, no comprehensive regulatory framework is on the horizon in the US. For banks, there is established guidance on model-risk management applicable to AI models, and NIST has released a voluntary AI risk management framework. There is also a US executive order mandating certain types of reporting and testing by AI companies.9
Supervisory Developments
In addition to the regulatory framework mentioned above, DORA also establishes an oversight framework under which the European Supervisory Authorities directly oversee ICT third-party providers designated as critical. It is against this backdrop that the ECB’s Single Supervisory Mechanism (SSM) priorities for 2024 – 2026 include a focus on deficiencies in digital transformation strategies and operational resilience frameworks.
Among other things, European financial supervisors are concerned about questions such as the degree to which supervised institutions have “considered as part of their strategy whether or not to embark on digitalization, in which format have they done that, has that process been a robust one, and then do they have … execution capabilities to deliver on the strategic plan they’re adopting?” and about “drawing institutions’ attention … to the particulars of strategic planning, of adopting a strategy, of considering the risks—pros and cons of that strategy—of considering the investment in the execution capabilities that the institution needs to have to realize that strategy, and of continually calibrating that strategy to the changing market conditions as technology continues to evolve.”10
There is a related but separate concern regarding IT outsourcing and cyber-risk management, built on the findings of the late-2023 Supervisory Review and Evaluation Process (SREP). The ECB noted that supervised institutions reported a sharp increase in the number of cyber incidents in the first half of 2023, highlighting the banking sector’s “significant exposure” to cyber threats that are evolving in an era of increased geopolitical tensions and destructive attacks on critical infrastructure.
In the first half of 2024, the ECB conducted its first-ever system-wide cyber resilience stress test, involving 109 banks, to assess how they would respond to and recover from a severe but plausible cybersecurity incident.11 According to an ECB official familiar with the results:12
“It was an incredible learning exercise, certainly for us, but also for the institutions that we supervise, to identify key points in their own escalation processes and to harden those up; because in the case that there is a real event that takes place, they’re going to want to have those procedures extremely well tested and well organized so that recovery is something that can happen quite quickly.”
Given the scale and rapid pace of technological developments and the volume of new regulation, banks should recognize that their supervisors are also in the process of adapting to the new environment and that newly developed standards and the related supervisory practices will continue to evolve and are in many cases rather nuanced. As one example, MiCA exempts “fully decentralized” crypto-asset services from the regulatory requirements, but many observers view the definition of fully decentralized as being subject to interpretation. To avoid surprises in these and other emerging areas, banks should be prepared to consult closely with their supervisors and also with their trusted advisors.
In the years ahead, supervisors will continue to maintain their focus on technology-related risks, which can only rise as the industry expands into the crypto-asset markets under MiCA, as the next generations of advanced AI are deployed, as quantum computing techniques become a reality, and as other new and as-yet unforeseen technologies develop.
4. Implications for banks
To mitigate the risks that come with the business imperatives of digitization and to meet supervisory expectations, banks having a nexus with the EU market should consider several actions.
Review and update risk assessments related to digitization strategies.
Each bank’s digital strategy is unique and there is wide variation in risk frameworks, risk assessment methodologies, and supporting tools, such as governance, risk, and control systems. While some banks may have risk and controls assessment processes that are fully adequate to address the requirements of DORA, as well as their current strategies and plans related to crypto assets and AI, many others are still playing catch-up and have work to do.
Prior to DORA, EU regulators had not formally separated ICT risk management from operational risk, and the regulation includes many new requirements, including at a minimum an ICT risk management framework with certain mandated elements, in addition to requirements for digital operational resilience testing (including threat-led penetration testing for entities designated for it) and the sound management of ICT third-party risk. We encourage institutions to reassess their ICT risk management stance comprehensively, and to perform periodic reviews and updates thereafter. In carrying out such reviews, they should start with frameworks and policies and should work their way down through procedures, automated and manual controls, reporting systems, and assurance coverage (e.g. compliance monitoring and internal and external audit functions) to determine what, if anything, needs remediation in order to achieve and maintain DORA compliance.
Furthermore, for banks planning or already engaged in crypto-asset activities and/or the use of AI, we recommend incorporating the strategy and near-term plans into their risk assessment procedures. Where products and services categorized as “crypto” come into play, the assessment should cover plans related to the primary focus areas of MiCA—i.e., crypto issuance and trading, stablecoins (including both asset-referenced tokens and e-money tokens), and the provision of crypto-asset services—but also to those areas related more generally to the usage of distributed ledger technology (e.g., for real-world asset tokenization or DeFi engagement). Regarding AI, it is notable that, while LLMs and GenAI may be relatively recent developments, the AI Act also covers more mature AI techniques, such as neural networks and machine learning.
Develop enhanced cyber and third-party risk management capabilities and processes.
For many banks, an updated technology risk assessment will reveal the need for enhanced capabilities and processes related to both cyber and third-party risk management. In prioritizing their plans, banks should be guided by their risk assessments and by the ECB’s published supervisory priorities for 2024 – 2026.13 Industry progress in digital transformation and enhanced operational resilience make up one of the ECB’s primary focus areas. The ECB’s plans for reviews and on-site inspections (OSIs) cover the digitization business strategy, the related risk assessment, and the governance over execution, particularly within IT. Plans related to the operational resilience framework focus heavily on cyber- and third-party risk management, including reviews of the DORA-mandated registers of information on ICT third-party arrangements, documentary and on-site reviews to identify vulnerabilities (including to ransomware attacks), and system-wide cyber-resilience stress testing.
As banks think through the particulars of their own needs and the complexities of their own situations–whether they are established institutions wrangling with legacy systems or neo-banks optimizing their networks of service providers—we suggest below several considerations related to cybersecurity, third-party risk, and the ways in which they interact with each other and with emergent technologies such as crypto products and AI.
- Encryption for data-at-rest. As digitization progresses, the secure management of data and its encryption will be an area of increasing supervisory scrutiny for banks that have a material level of internal IT capability. Digital channels are a magnet for cyber criminals. Encryption of data in transit over the internet has become standard. Many of the most serious breaches, however, involve attackers who gain a foothold inside the data center and copy data repositories wholesale, or who obtain backups, storage snapshots or decommissioned media. Encryption at rest for all sensitive data within a bank’s data centers (a requirement in some jurisdictions) is increasingly becoming the expectation and is strongly recommended as a best practice. Its value depends entirely on where the keys are: if the keys sit beside the data, or are available to any account that can query the database, encryption at rest defeats only the theft of physical media. Keys should be held separately from the data (typically in a hardware security module or a key management service) with access logged, and the most sensitive fields should be encrypted at the application level, so that a compromised database host or a stolen backup does not yield plaintext.
- Common cloud pitfalls. Migration of workloads to public cloud, while potentially a way to improve security and resilience, can complicate cyber-risk management. The major cloud providers all take security very seriously, and their scale allows them to invest more in security tooling, software, and talent than many banks can. On the downside, however, cloud utilization almost always generates additional copies of the bank’s data that must be protected, each with its own access path and key material. Connections between the bank and third-party providers for uploading and downloading data are often a weak link with serious potential to result in breaches. Furthermore, the massive scale of the major cloud providers, and in particular their extended reach into critical infrastructure, creates very high-value targets that can attract the most dangerous of all cyber criminals: hostile state actors.
Cloud technical architectures are designed to isolate each customer’s data and workloads from those of other tenants, but breaches that crossed tenant boundaries have nevertheless occurred.14 Banks working with cloud providers should be clear, relationship-by-relationship, on the delineation of operational responsibilities between their internal IT resources and their cloud providers (the provider’s “shared responsibility” model), in particular for identity and access management, configuration, key management and logging, which remain the bank’s job. And as highlighted in a recent discussion on our Risk Matters podcast, they should also have in place clear escalation procedures related to cyber breaches, including among other things a plan for when and how to disconnect from (and reconnect to) systemic institutions in order to prevent the spread of cyber contagion.
- Crypto asset keys. Banks entering the crypto asset space should take special care to understand a host of new technology concerns dictated by their specific strategies and to implement commensurate security controls. This industry segment has been plagued by cyberattacks for multiple reasons that reflect a fundamental tension between the benefits of a single “source of truth” (i.e., the distributed ledger governed by transparent smart contracts) and the attendant security implications that go along with that arrangement. The fundamental source of risk is that control over a crypto asset is control over a private key: whoever can sign with the key associated with an address can move the value recorded at that address, and there is no issuer or registrar to reverse a transaction or reissue a lost key. Loss or destruction of the key is therefore equivalent to the loss of the asset itself, and theft of the key is equivalent to theft of the asset. All but the largest banks will likely rely on specialized third parties to manage the generation and safe custody of crypto asset keys (typically in hardware security modules, with multi-signature or threshold schemes so that no single person or system can move funds), and the potential impact of this risk, as well as the potential costs of its mitigation, needs to be carefully evaluated.
- High-risk AI models and systems. The AI Act’s formal designation of high-risk systems in the financial sector calls out two areas: 1) credit scoring and underwriting, and 2) risk assessments and pricing for life- and health-insurance underwriting. While this may seem comfortingly narrow for the time being, we urge banks to take a broader view of what is likely to be considered high risk, as we see this as an area of likely evolution in the regulatory and supervisory framework over time. Particularly in areas where AI models are making decisions or giving any sort of advice or guidance to consumers or investors, there may be high-risk compliance consequences at play, even in the absence of technical violations of the AI Act as it exists in its current form. Another noteworthy point in this regard is that supervisors expect institutions utilizing AI models and systems in high-risk applications to have appropriate guardrails in place to ensure they are conversant with the methodologies used and that, even when AI models are sourced from third-party providers, there is a clear line of sight and adequate human testing involved, rather than just “Black Box” outcomes.15
- IT oversight of third-party technology providers. When cloud or traditional third-party vendors operate an application for business use, it is common for the bank’s line of business executives to oversee the relationship management. In such situations, responsibility for managing the related risks can emerge as a critical gap, and it is essential to ensure proper oversight of the related cyber and other IT risks, either through in-house IT or by qualified staff on the business team, with proper accountability and governance through the risk management framework.
Recent experience has shown that the drivers of digitization increasingly tend to shift the mix of a bank’s cyber and IT risks from in-house IT management towards third-party management, sometimes very dramatically. We urge clients to review the characteristics of their own risk profiles and to consider whether changes to the coverage model, resource allocations, and the stature within the organization of their third-party/vendor management teams are needed to effectively manage their cyber, IT and related operational risks going forward.
Make technology part of the solution, or “What’s in a handshake?”
The challenges presented by digitization are complex, interdependent, and rapidly evolving. In circumstances such as these, we believe that banks will need to make intelligent use of technology to enhance their control environments and to keep pace with the increasing speed of financial transactions. For example, while GenAI models are already being used by cybercriminals to generate and send phishing emails that are more credible than traditional phishing emails written by hackers, GenAI and more traditional machine learning models are also being used to counter them. Similarly, due to the anonymous nature of crypto transactions, cryptocurrencies have long been a haven for money laundering, sanctions violations, and ransomware payments. In response, blockchain analytics firms have emerged with advanced tools and services that enable banks, regulators, and law enforcement agencies to trace crypto transactions, leading to arrests and significant recoveries of assets. GenAI is also improving regulatory technology solutions that combat financial crime in traditional markets.
One of the most effective ways to thwart cybercrime and cyberattacks is for banks to be able to reliably and consistently verify and authenticate the identities of the parties to each and every electronic interaction they engage in, whether it be a financial transaction or a simple exchange of data. In other words, they must begin to move in the direction of not only KYC, but KYP (“Know Your Partner”). In the context of interconnected technology systems, the concept of a “handshake” is relevant in this regard.
Typically, a handshake refers to the initial communication, or negotiation, between two systems to establish a connection or to exchange data securely. A successful handshake establishes an authenticated foundation for ongoing interaction between the parties, ensuring that they recognize one another, that they agree on protocols, and that the channel of communication is secure. Handshakes are particularly critical in the financial services industry, due to the sensitive nature of the data and the complex relationships between banks, third-party providers, and other financial or non-financial entities.
- Authentication and Security. A handshake ensures that both parties (e.g., a bank and an IT provider) authenticate each other before any sensitive data exchanges occur. This could involve verifying digital certificates, encryption protocols, or other security measures. For banks dealing with third-party IT providers or other entities, the handshake process ensures that connections are made securely and only with trusted partners, mitigating risks such as data breaches, unauthorized access, or fraudulent activities.
- Data Integrity and Encryption. During a handshake, the parties negotiate the protocol parameters (e.g., encryption standards, hashing algorithms, and session keys) that protect data integrity and secure the communication. When a bank communicates with a third-party provider (e.g., for cloud storage or payment processing), a handshake can ensure that the data transmitted between systems is encrypted and cannot be tampered with undetected during transit.
- API Handshakes in Open Banking. In open banking systems, where banks and financial institutions open their data to third-party providers through APIs, handshakes occur at multiple levels. This ensures that the APIs can interact securely with external applications. In the EU, financial entities are required to adhere to strict requirements (e.g., under PSD2) to ensure that secure handshakes are employed when sharing customer data with third-party providers. As banks increasingly partner with non-financial entities such as fintech companies, payment processors, or digital identity providers, secure handshakes are critical to ensuring that these different entities can safely exchange data and services.
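As an added illustration of the mutual authentication described above (example code added in editing, not from the original article or from Coenobium Advisors), the following Go program uses the standard library's TLS implementation to run a handshake in which a "bank" and a "partner" each present a certificate and each refuses the connection unless the other's certificate is one it trusts, so that an unrecognised party is turned away before any application data crosses the channel. The names bank.example and provider.example and the self-signed certificates are constructed test identities pinned directly as trust anchors; a production deployment would instead chain to a certificate authority and check revocation, which this example omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"time"
)

// selfSigned mints a short-lived self-signed certificate whose DNS SAN names one party (constructed test identity) and a pool trusting only it.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// MutualHandshake runs a mutually authenticated TLS handshake over loopback TCP: the "bank" admits only partners in
// trustedPartners and the "partner" accepts only a bank in trustedBank; returns the partner name the bank accepted, or the error.
func MutualHandshake(bankCert tls.Certificate, trustedPartners *x509.CertPool, partnerCert tls.Certificate, trustedBank *x509.CertPool) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{bankCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustedPartners, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // bank side: only a partner it recognises gets a reply naming that partner
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if bank := c.(*tls.Conn); bank.Handshake() == nil {
				bank.Write([]byte(bank.ConnectionState().PeerCertificates[0].DNSNames[0]))
			}
		}
	}()
	partner, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{partnerCert},
		RootCAs: trustedBank, ServerName: bankCert.Leaf.DNSNames[0], MinVersion: tls.VersionTLS12})
	if err != nil { // the partner did not trust the bank's certificate (or could not connect)
		return "", err
	}
	defer partner.Close()
	name, err := io.ReadAll(partner) // under TLS 1.3 the bank's rejection of the partner surfaces here as an alert
	return string(name), err
}
```

Swapping in a certificate the other side does not trust, in either direction, makes the call return an error and an empty name, which is the "only with trusted partners" property the handshake provides.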
In an increasingly digital world and an environment of near-instant payment processing times, we believe that significantly greater automation of broader compliance and risk controls, including identity authentication, across the back office is a key requirement for banks. Elsewhere, it has been suggested that GenAI shows great promise as an enabling technology for enhanced control automation.16 We encourage banks with AI pilot programs to incorporate control automation objectives within their project plans, and as part of that, we further recommend that they consider ways in which to intelligently integrate identity authentication and trust services—for both individuals and business customers, as well as for third-party intermediaries—into their digital banking operational controls.
5. Conclusion
Digitization offers enormous benefits to consumers and business customers and, ultimately, to the financial entities that are nimble enough to provide competitive services and manage the related risks. Customer onboarding, payments transactions, trades, settlements, and lending decisions are all moving faster. Banks must adapt to a world of real-time transactions, must prepare to incorporate crypto-like, tokenization, and distributed ledger technology into their product sets, and must learn to use AI—not only to gain competitiveness and customer service advantages, but to enhance the speed and automation of their critical operational risk controls.
To keep pace with these rapid developments, banks will increasingly broaden their scope of activities and rely on a larger number of non-traditional partners—cloud service providers, fintechs, and crypto-asset service providers (including blockchain analytics firms that support crypto-risk management capabilities), to name but a few. To manage these new challenges, a compliance-by-design approach can offer a way to systematically embed controls and assurance within processes and products through state-of-the-art technology, and AI can be an enabler, helping to orchestrate an intelligent response to the complexity these multidimensional trends represent.
In this new landscape, there is a need for enhanced process and security efficiency utilizing embedded and automated digital trust solutions, which can not only assist banks in enhancing their risk management capabilities and improving their operating efficiency, but which can also support the goal of regulators and supervisors in maintaining stability, safety and soundness throughout the financial system.
6. How Coenobium Advisors can help
With an international team of highly experienced senior subject-matter experts, and a diverse network of technology partners, we are available to help banks at every stage of their digitization journey, as well as with core elements of their risk management and mitigation strategies, such as ICT risk, cyber risk, third-party risk, crypto-asset risk, and AI risk, including:
- Risk strategy development in support of the digital business strategy;
- Risk governance and policy development and enhancement;
- Digitization risk and control self-assessments;
- Process and control design or remediation;
- Governance and policy review, development, and implementation to support digitization and its sub-components;
- Horizon scanning/regulatory monitoring;
- Supervisory exam preparation and regulatory response support;
- Independent reviews of third-party providers’ operational resilience.
For more information, or to discuss the contents of this article with one of our experts, contact us at: contact@coenobiumadvisors.com.
Notes
- European Central Bank. Financial Stability Review. Frankfurt: European Central Bank, May 2015. p.4. https://www.ecb.europa.eu/pub/pdf/other/financialstabilityreview201505.en.pdf. ↩︎
- From the website of the Board of Governors of the Federal Reserve System. What is Financial Stability? https://www.federalreserve.gov/financial-stability/what-is-financial-stability.htm (December 17, 2021). ↩︎
- Coenobium Advisors, Risk Matters podcast, Episode 2: “Digitization & Supervision,” October 4, 2024. ↩︎
- See: https://www.ecb.europa.eu/pub/pdf/scpops/ecb.op351~c46b57f061.en.pdf ↩︎
- See, for example, para. 47: Regulation (EU) 2022/2554 of the European Parliament and of the Council (14 December 2022). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554. ↩︎
- See: https://ithandbook.ffiec.gov/ ↩︎
- For IT risk, see: https://csrc.nist.gov/Projects/risk-management. For cybersecurity, see: https://www.nist.gov/cyberframework. For cloud, see: https://csrc.nist.gov/pubs/sp/800/144/final. For quantum safe cryptography, see: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards#:~:text=%E2%80%94%20The%20U.S.%20Department%20of%20Commerce’s,cyberattacks%20from%20a%20quantum%20computer. ↩︎
- See: https://www.sec.gov/newsroom/speeches-statements/gensler-statement-spot-bitcoin-011023. ↩︎
- For NIST, see: https://www.nist.gov/itl/ai-risk-management-framework. For model risk management in banking, see: https://www.federalreserve.gov/supervisionreg/srletters/sr1107a1.pdf. For the US executive order on AI, see: https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/. ↩︎
- Coenobium Advisors, Risk Matters podcast, op. cit. ↩︎
- For SSM priorities, see: https://www.bankingsupervision.europa.eu/banking/priorities/html/ssm.supervisory_priorities202312~a15d5d36ab.en.html#:~:text=The%20number%20of,heightened%20geopolitical%20tensions. For the 2023 SREP, see: https://www.bankingsupervision.europa.eu/banking/srep/2023/html/ssm.srep202312_aggregatedresults2023.en.html. For cyber resilience stress testing, see: https://www.bankingsupervision.europa.eu/press/pr/date/2024/html/ssm.pr240726~06d5776a02.en.html. ↩︎
- Coenobium Advisors, Risk Matters podcast, op. cit. ↩︎
- For the ECB’s strategic priorities, see: https://www.bankingsupervision.europa.eu/banking/priorities/html/ssm.supervisory_priorities202312~a15d5d36ab.en.html ↩︎
- See: https://www.dhs.gov/news/2024/04/02/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer ↩︎
- Coenobium Advisors, Risk Matters podcast, op. cit. ↩︎
- Strecker, Ray. “Focus on Third-Party Risk and Generative AI to Improve Operational Risk Management.” Ludwig Advisors. August 19, 2024. ↩︎
About the Authors

Senior Advisor | New York, USA
rstrecker@coenobiumadvisors.com

Chairman of the Board | Stockholm, Sweden
cnorgren@coenobiumadvisors.com

Chief Operating Officer | Athens, Greece
ldrobinson@coenobiumadvisors.com
Ray works with clients at the intersection of regulation, risk, and technology. His current areas of focus include AI governance and risk management, risk data governance, cloud adoption, cryptocurrency regulation, operational risk management, and large-scale risk and compliance planning and execution. He has a broad background in IT consulting for financial institutions and has led practices at IBM, Promontory, Tata Consultancy, Dell, Virtusa, and AMS (now CGI).
Claes is an economist, former head of the Swedish FSA, Deputy Governor of the Swedish Central Bank and Auditor General. He was also a member of the Basel Committee on Banking Supervision, chaired the Banking Advisory Committee of the European Union, and was President of the Financial Action Task Force (FATF). He has worked with numerous clients in the private and public sectors in the EU and in the Middle East, advising them on governance, regulatory and compliance matters, and supporting and evaluating the operating frameworks of central banks and supervisory authorities in several countries. Claes previously worked as a consultant and Managing Director & Head of the Nordics practice at Promontory Financial Group from 2015 until 2024.
Damian has more than 35 years of experience in the financial services and consulting industries. He previously held senior roles with the international banking division of the American Express Company in the US and Europe, and was a senior consultant with Promontory Financial Group. For the last 15+ years he has advised banks and regulatory authorities in Europe and the Middle East on governance, risk and compliance matters.