How the Banking Sector Must Navigate Between Regulation, Technology and Demand
- Armin Warda, EMEA FSI technology lead at Red Hat
- 11.09.2025 10:45 am #BankingSector #Regulation
Regulatory requirements such as the EU’s Digital Operational Resilience Act (DORA) underscore the need for financial institutions to improve their resilience to very real threats such as cyberattacks, system failures and other operational risks. A primary challenge here is how banks can not only meet regulatory requirements, but also remain competitive with innovations and attractive product portfolios. The answer lies in the right combination of new processes and the use of advanced technology. In particular, the integration of hybrid cloud computing and AI is necessary to meet growing customer expectations for state-of-the-art digital solutions. For banks, however, in most cases this means breaking completely new ground in order to keep pace with changing requirements.
Technology as a driver and a challenge
The rapid progress within the tech world undoubtedly also means a paradigm shift for the banking sector. For example, in contrast to traditional transactions, real-time payments require 365/24/7 availability, which financial service providers must not only ensure technically, but also secure from a regulatory perspective. The EU has new and revised regulations in the pipeline, such as PSD3/PSR (Payment Services Directive) and FiDA (Financial Data Access), which emphasize open banking and financial data sharing, but also put more responsibilities on banks regarding fraud handling. With the shift from batch processing of payments to real-time payments, fraud detection becomes more challenging: this cannot be accomplished without increased automation.
Here, AI plays a growing role – for example, to detect cases of fraud and money laundering more quickly, but also to improve customer service. Another central pillar of modern banking infrastructures is a hybrid or multi-cloud strategy, the use of which has also increased significantly in recent years. This provides numerous important advantages such as higher system reliability and transparency, which are increasingly vital aspects in view of the DORA requirements, as well as helping to reduce dependencies on individual providers and thus reduce cloud concentration risk.
Real-time payments are not the only technological innovation in the banking and payments industries. Some traditional banks are entering the crypto custody business for speculative cryptocurrencies such as Bitcoin, which was mainly the domain of fintech companies. Digital currencies, such as stablecoins backed by the U.S. dollar or the euro, are now regulated in the EU by MiCAR (Markets in Crypto-Assets Regulation) and in the U.S. by the GENIUS Act, and are beginning to disrupt the established wholesale and cross-border payments schemes. When the European Central Bank eventually launches the digital euro, shifts in digital retail payments will occur. Currently, these payments are dominated by credit and debit cards and app payments from non-European providers. Digital currencies and crypto assets use new technologies, such as tokenization and distributed ledger technology (DLT), that create the need – and opportunity – to address resilience in new ways.
The concept of “resilience by design” represents an important solution: as early as the development stage of new systems, banks should factor in possible disruptions and incorporate appropriate preventative measures into the architecture. Scenario tests and risk analyses play a decisive role here in order to realistically assess the effects of disruptions and proactively develop countermeasures.
AI as a game changer
Artificial intelligence has already led to a paradigm shift across all industries, and the banking sector is no exception. AI-based tools promise enormous benefits and new use cases that help banks to comply with legal regulations and uncover weaknesses. These solutions also create real added value in areas such as process optimization, problem solving or fraud detection. They can therefore not only contribute to compliance with regulations such as DORA, but also improve operational efficiency.
Nevertheless, the introduction of AI comes with a number of new risks and regulations, such as the EU’s AI Act, that banks need to be aware of from the outset. In addition to the large amount of high-quality data needed, fine-tuning models in line with legal requirements makes the rapid development of precise and reliable systems more difficult. Specialized processes that train language models with specific data and in dedicated regulatory frameworks for their areas of application help address the need for efficient implementation. It must also be ensured that AI models work transparently and comprehensibly so that banks can explain what data has been used and how. Data that is used for training or fine-tuning of AI models has to be preprocessed. For example, copyrighted or otherwise unsuitable material has to be scrubbed from the data sets. The best practice is to implement automated data processing pipelines that can be audited and log their actions. These pipelines should also version their inputs and outputs and be able to reproduce results. Open source enhances transparency, helping enterprises retain control over AI decision-making. The transparency provided by open source is a major advantage for enterprises using it, alongside its ability to generate rapid innovation.
Confidential computing is an emerging technology providing in-memory encryption of data in use – in addition to the best practices of storage encryption of data at rest and network encryption of data in transit. Confidential computing enables workloads that are processing extremely sensitive or valuable data to be moved to public clouds. Examples of such workloads in the financial services industry are AI training, crypto custody and digital currencies.
When processing encrypted data in the cloud, hold-your-own-key (HYOK) is essential: encryption keys are not stored in the cloud and are not visible to the cloud provider, but are held by the customer. HYOK, together with remote attestation of systems, which is another component of confidential computing and is provided by the open source project Trustee, enables verifiable trustworthiness of computing environments that you do not physically control.
As well as cloud environments, confidential computing can also fortify the security and resilience of on-premise processing of extremely sensitive or valuable data by reducing the attack surface.
Besides security, the cost of scaling AI usage – in particular the cost of AI inferencing at large scale when more applications are becoming AI-enabled – is an increasing concern among mature AI adopters, while other banks might still be struggling with bringing AI use cases from proof of concept (PoC) to production. Shareholders and other stakeholders are increasingly demanding evidence for return on investment (ROI) of AI use cases.
Readjusting the balance of cloud and on-premise infrastructure for different AI use cases and different phases of AI engineering is key to cost optimization. Banks should ensure that AI model training, fine-tuning, validation and inferencing can be moved between cloud and on-premise environments, to satisfy cost, data sovereignty and resilience requirements.
However, it is not just the technology itself that is important, but the way in which the financial sector uses it. Banks that manage to simultaneously drive technological innovation and build the necessary resilience will not only meet regulatory requirements, but also strengthen their competitiveness in an increasingly digital market.
Lack of documentation and static structures
Firms need to level up their flexibility and organizational maturity in order to adapt to the new requirements. This is often the core problem: many financial institutions work with outdated processes that are not only inefficient but also poorly documented. These factors make it difficult to identify risks and react quickly to threats.
In addition, rigid organizational structures hinder the necessary agility. Collaboration between IT, risk management and business units is often fragmented. These structures not only lead to inefficient decision-making, but also make it difficult to implement urgently needed new resilience strategies. Without clear insights into critical business processes and dependencies on third-party providers, banks cannot make informed decisions.
Innovative approaches: collaboration and iteration
One central aspect must precede all considerations and solutions: resilience is not a static goal, but rather an ongoing process. Those who rely on close cooperation and constant iteration among all involved parties create a foundation for sustainable success. This foundation requires not only new technologies, but also a cultural rethink.
Creating cross-functional teams has proven to be a strategically important first step. By fostering close collaboration among IT, risk management, and other specialist departments, banks can ensure that all relevant perspectives are incorporated into the decision-making process. In practice, this means establishing agile governance structures, conducting continuous resilience tests, and incorporating feedback loops to enable rapid adaptation to regulatory and technological changes. These actions improve decision quality and promote a deeper understanding of each other's needs. Another key is realistic test procedures: regularly running through possible scenarios paves the way for the efficient identification of weak points and improves the ability to react.
Resilience is a cultural change and an essential component of successful corporate strategies. Banks that continuously improve their processes, embrace new technologies, and promote cross-departmental collaboration will overcome operational challenges and exploit the enormous potential of the increasingly digital financial sector.






