The Trifecta Financial Services Must Get Right: GenAI, Compliance and Security

As savvy financial startups offer customers new options, what will be the competitive X factor for more traditional banking, insurance and investment institutions??

Generative artificial intelligence (GenAI), and its symbiotic relationship with risk and compliance, tops the list. It’s no secret GenAI is a rapid growth sector – McKinsey expects GenAI to add $4.4 trillion to the global economy each year.?

Welcome to the AI Economy.

?

GenAI is Taking Root in Finance

According to an article published by McKinsey & Co.: “In the next five years, generative AI could fundamentally change financial institutions’ risk management by automating, accelerating, and enhancing everything from compliance to climate risk control.” It goes on to say that GenAI will be the “catalyst for the next wave of productivity gains.”?

No doubt chief compliance officers (CCOs) and chief regulatory officers (CROs) have GenAI squarely in their line of sight.

For financial services firms, GenAI can streamline compliance and regulation by analyzing a vast amount of data quickly. This is where the customer experience can truly be transformed. For example, how many times does an agent answer the same question? What if GenAI guided people in the early stages of compliance, leaving more complex issues to be sorted out by knowledgeable people?

According to the report, key areas where GenAI can be applied include: regulatory compliance, financial crime prevention, credit risk assessment, modeling and data analytics, cybersecurity, climate risk management. It also says that GenAI applications in risk and compliance fall into three main categories:?

• Virtual expert: Answers questions using long-form documents and unstructured data
• Manual process automation: Performs time-consuming tasks
• Code acceleration: Updates, translates, or writes new code

In the future, we might even see GenAI supporting “risk intelligence centers that serve all lines of defense (LODs): business and operations, the compliance and risk functions, and audits” for things like automated reporting and improved risk transparency. Such a hub could help risk managers make insight-drive decisions faster.

?

Compliance is Centerstage in Finance

Microsoft ’s article entitled “How Financial Firms are Strengthening Cyber Resilience in a New Regulatory Environment” points out that the “severity of cyberattacks has grown exponentially in the past decade, with nation-states and criminal organizations frequently targeting the financial services sector, sometimes to devastating effect.”?

The good news is that regulations are gaining ground! Microsoft’s article includes the latest progress on cybersecurity regulations like DORA (Digital Operational Resilience Act) introduced by the European Union and a United States Department of the Treasury report that assesses cloud adoption in financial services, among others. These regulations are shaping compliance standards and best practices as we speak.

I agree with Microsoft’s position that we need to think beyond the perimeter. It seems like common sense, but it’s not the way we thought of security when I first entered the tech field years ago. On-prem was the purview.?

Right alongside new regulations come the need by financial institutions to look at threats coming from anywhere and everywhere. Of course, one of the top security concerns I hear about from CCOs and CROs is the cloud. How safe is the data? How vulnerable is our network? Microsoft Cloud ’s Penetration Testing Rules of Engagement allows customers to extensively test their security in the cloud. Microsoft Defender for Cloud offers a full lifecycle approach to security to compliance, development and operations (DevOps), external attack surface management (EASM) insights, security operations (SecOps) and permissions.

?

Security is a Rule in Finance

I’ve written a lot about cybersecurity over the past year. There’s a reason. Cyber criminals are getting smarter: They have new tools, new methodologies, new attack vectors.?

When we talk about trustworthy, responsible AI, help people understand what is required.

Herein lies the biggest challenge. CCOs and CROs are clear about compliance regulations, how they relate to daily operations and how they differ from country to country. Yet, they may not fully understand GenAI. Technologists don’t fully understand the intricacies of compliance. Yet, they know cybersecurity.?

This is the most important gap compliance leaders are tasked to close. Success depends on table talk – so each understands the other’s world. Today’s information may be obsolete tomorrow so ideation on a regular basis is a must.?

A blanket policy prohibiting people from using GenAI will come up short for financial firms. People will use it in the “shadows.” Just as research is inconclusive about the real impact of the “Say No to Drugs” campaign during the 1980s, I believe that giving guidance around GenAI is a better alternative.?

?

Financial Services, Start Here

According to the McKinsey report, banks should start with three to five high-priority use cases, executed in three to six months, followed by impact assessment. Know the pain points you are solving with GenAI. Understand and mitigate novel risks associated with GenAI, bringing on the necessary talent who understands how GenAI fits with your company’s dynamics. Expect operating model changes as needed and measure how GenAI is helping people perform more efficiently, creatively and strategically.

As financial services firms strengthen cyber resilience in a new regulatory environment, look for companies like Microsoft that don’t use data input to train the AI model. Microsoft Copilot, for example, offers a setting for users to make their data private.

Lastly, here’s a little extra gift just for you for reading my newsletter. If you’re looking to heighten your security in 2025, Microsoft and Experian(R) teamed up to create Microsoft Defender’s Identity Theft Monitoring. This is more than just security software. Microsoft Defender protects identities, data and devices from online threats – and comes with coverage of up to $1 million for identity theft-related causes. The latter will most likely be something we see more of as security solutions promise and deliver more in future days.

?

?