Recent conversations on anti-money laundering controls, CFPB open banking ruling, and regulatory compliance risks directly connect to what modern banks must prioritize – strengthening their foundational risk management framework.
Earlier this year, Canada’s banking regulator, OSFI, ordered TD Bank to overhaul its risk controls after findings showed deficiencies in their regulatory compliance management (RCM) program, tied to anti-money laundering controls. This scrutiny intensified with investigations from both Canadian and U.S. regulators.
In a significant update, TD Bank agreed to pay over $3 billion in penalties as part of a plea deal that includes strict business limitations, such as an asset cap.
But this isn’t a TD-specific challenge; Citigroup, for instance, was recently fined $136 million for similar failings in risk control and data management. These cases highlight a broader issue across the banking industry, serving as a wake-up call for institutions to reassess and strengthen their compliance and risk management frameworks.
The pressures of regulatory compliance are intensifying, with customer demands and technological shifts all reshaping commercial strategies. As banks push to innovate and offer more customer-centric services, they also have to meet higher standards of regulatory compliance or risk the consequences.
In the coming years, three key regulatory forces will heavily impact banks’ commercial strategies: open banking, digital resilience, and the regulation of artificial intelligence (AI).
Open Banking: A shift in control
One of the most transformative regulatory shifts affecting the industry is Open Banking. It shifts control by giving customers the power to manage their own financial data and share it with third parties, such as fintechs and other financial institutions, through standardized APIs. This model has already reshaped markets in places like Australia, where banks have had to pivot their strategies to accommodate this changed landscape.
With the latest CFPB 1033 ruling on Open Banking, the U.S. banking industry is no longer on the brink of transformation – it is happening now. This regulatory shift will force traditional banks to rapidly rethink their strategies, while fintechs and challenger banks, already well-versed in API-driven ecosystems, are positioned to gain a competitive edge.
The new rule, based on Section 1033 of the Dodd-Frank Act, requires banks to securely share consumer financial data across a broad range of products, including checking accounts, credit cards, and popular payment apps such as Apple Pay, Google Pay, and Venmo. The inclusion of these apps reflects their growing role in the financial ecosystem. As third-party platforms take on a more dominant role, concerns are rising over banks’ exposure to greater liability for fraud and data breaches linked to these fintech partners. This added layer of scrutiny could place significant demands on banks, requiring them to oversee third-party fintechs while managing the growing risks associated with handling large amounts of data. However, banks do have the option to limit access if a third party is deemed to present systemic risks.
As Deloitte’s 2024 Financial Markets Regulatory Outlook suggests, this regulatory shift demands urgent innovation, pushing banks to offer more personalized services to remain competitive.
The challenge for traditional institutions will be to deliver personalized, data-driven services that meet regulatory demands and maintain customer trust. Those that fail to adapt quickly risk losing relevance in a competitive environment with agile fintech players.
The importance of digital resilience
At the same time, the task of integrating digital resilience is perhaps even more significant. With increasing reliance on digital systems and third-party providers, regulatory bodies are enforcing stricter controls on banks to ensure operational resilience. The case of TD Bank, which Canada’s banking regulator ordered to overhaul its risk controls, exemplifies how important it is for banks to meet modern regulatory standards. The regulations demand that banks maintain their infrastructure and that third-party vendors meet stringent resilience standards.
For instance, in the European Union, the Digital Operational Resilience Act (DORA) goes beyond operational continuity, requiring financial institutions to prove their digital resilience, including in their partnerships with external vendors. This regulation is significant, as banks will now be held responsible for the digital resilience of their entire ecosystem—not just their in-house infrastructure.
There are growing requirements for vendors like Zafin, classified as important third parties, to demonstrate digital resilience in areas such as support processes, data backup, and data replication to another data center. For banks, this means investing in their relationships with third-party providers and verifying that those providers can withstand disruptions. Choosing partners who are well prepared to meet regulatory requirements has never been more important, because it reduces the risk to the bank’s own operations.
Artificial intelligence (AI) regulation
Banks are highly regulated, and their actions must be justified and explainable. This will remain true as AI becomes more embedded in core banking systems.
While AI presents enormous opportunities for innovation, it also brings risks. The potential for AI to make decisions that impact customers means that banks must carefully manage their AI model development and deployment to avoid unintended consequences. Customers need to be protected. AI in banking should go beyond efficiency and automation. It must operate within the bounds of regulatory frameworks emphasizing transparency and fairness.
Banks that fail to adopt AI with these principles in mind will likely encounter challenges as they compete in an increasingly customer-centric landscape. AI offers a tremendous opportunity for banks to rethink their products, processes, and customer relationships. But success in this new world will be determined not by how quickly banks adopt AI, but by how responsibly and ethically they use it.
The Chief Commercial Officer’s role in navigating regulatory changes
As regulatory changes prompt banks to reconsider their pricing strategies, our role as CCOs is central. We negotiate new pricing models and ensure they are fair and reflect the risks involved. We must act as a strategic bridge between the regulatory landscape and commercial growth. This involves crafting models that balance customer interests with compliance. Beyond that, we must find ways to mitigate risk while ensuring that the entities taking on higher risks are adequately regulated.
In the current environment, it’s not enough to respond to regulatory mandates; we have to anticipate them and use these shifts to drive competitive advantage. This requires structural changes in how pricing models are developed and managed, including a deep integration of risk management, transparency, and value creation.
At Zafin, we recognize the importance of these regulatory changes and the need for banks to adapt. Our role is to help banks navigate these regulatory changes and reduce the risk associated with modernization while improving transparency and fairness in banking. Our future-ready technology stack is designed to help financial institutions stay ahead of regulatory requirements, offering tools that enable seamless adaptation to customer needs and compliance maintenance.