Financial Innovation in the Evolving Regulatory Environment: Responsibility Still Matters
The regulatory landscape is shifting dramatically.
With the changes in Washington, many financial institutions are seeing what
appears to be a green light for innovation and growth that was previously
constrained. While there may be truth to this, a fundamental question emerges: will
banks approach innovation responsibly?
Consider this question instead: would you still wear a seatbelt even if it was no longer legally required? Most of us would answer "yes" without hesitation, recognizing that seatbelts protect us regardless of enforcement.
The same principle applies to risk management and compliance in banking today. Without guardrails, innovation can become less beneficial and outright reckless for customers and even the profitability of the bank.
The Current Regulatory Reality
We’re witnessing unprecedented changes in the regulatory environment. Recent developments at the CFPB and other agencies signal a shift toward less prescriptive oversight. Some advisors have argued that we've moved from a 'no' environment to a 'yes' environment, and that now is the time to move forward swiftly.
Others are even warning that fintechs stand to win against banks in a post-CFBP environment. There is indeed an actual risk, where neobanks and fintechs come out on top. After all, they will have almost nothing standing int their way to developing new products.
However, there is a caveat: those who decide to ignore risk management and regulatory compliance will inevitably lose.
What Banks Are Focused On
Despite the shifting regulatory sands, our 2025 Third-Party Risk Management Survey reveals that financial institutions continue to prioritize risk management.
According to our research, 85% of financial institutions report moderate to high value from their third-party risk management programs – viewing them not merely as regulatory obligations but as strategic assets that strengthen operational resilience and reduce costs.
This isn't surprising. Financial institutions understand that regulatory risk represents only a small fraction of the total risk landscape they navigate daily. Cyber threats, strategic missteps, operational failures, and reputational damage remain constant concerns regardless of the regulatory climate.
Back to Basics: Knowledge as Protection
In conversations across the industry, I've also observed a noticeable trend toward fundamental risk management principles. With experienced examiners departing regulatory agencies (at least 800 people took early retirement offers at the OCC alone), institutions recognize that less-experienced examiners may bring different perspectives to supervision.
This has prompted many institutions to strengthen their baseline understanding of risk management frameworks. Much like learning defensive driving beyond just following speed limits, they're developing deeper knowledge of risk identification, measurement, monitoring and control – skills that serve them well regardless of who's enforcing the rules.
Strategic Risk in an Era of Innovation
One particularly misunderstood dimension is strategic risk – what happens when an institution moves too quickly, partners with the wrong vendors, or pursues priorities misaligned with capabilities or risk appetite. As Jonathan Gould noted during his nomination hearing, "The U.S. economy needs financial institutions to engage in prudent risk-taking."
Prudent is the operative word. Smart institutions don't fear risk; they understand it.
This perspective aligns with findings from our survey, where 61% of companies reported experiencing a third-party data breach or cyber incident in 2023. These breaches have risen 49% year over year since 2021, highlighting why third-party oversight remains crucial even in a more permissive regulatory environment.
What Banks Should Focus On Now
As financial institutions consider their approach to risk management in this new era, several priorities emerge:
1. Rethink Risk Assessment Methodologies
Too often, risk assessment becomes a mechanical exercise in scoring rather than substantive analysis. Focus on the fundamental questions: What could go wrong? How much damage would result? How confident are we in our controls?
Avoid what some call "the charade" of quantifying risk on vaguely defined scales that create an illusion of certainty. Instead, embrace meaningful risk dialogue that examines vulnerabilities honestly.
2. Embrace Technological Innovation in Risk Management
Modernizing risk management through artificial intelligence and automation isn't just about efficiency – it's about effectiveness. Our survey shows 85% of financial institutions now use specialized risk management technology rather than spreadsheets.
This evolution directly correlates with regulatory success. Over half of institutions relying on manual methods received audit findings requiring improvement, while those leveraging technology reported significantly fewer regulatory concerns.
3. Monitor Emerging Risks Proactively
The industry continues to evolve rapidly, including the emergence of AI. In fact, AI adoption ranked as the second-biggest third-party risk management concern for 2025 in our survey, behind only cybersecurity threats.
Forward-thinking institutions are already implementing AI-specific due diligence, with 59% of large banks incorporating AI usage language into contracts compared to just 28% of smaller institutions. This proactive stance will protect them regardless of regulatory requirements.
Looking Forward: Sustainable Innovation
The regulatory pendulum has swung throughout history, but institutions that maintain strong risk management fundamentals thrive regardless of the direction. In the current environment, we have an opportunity to refocus risk management on substantive risks rather than compliance theater.
As recently reported by The Financial Brand, the changes in Washington have created both challenges and opportunities for product development and innovation. Financial institutions now face decisions about how to proceed with new initiatives without the traditional regulatory guideposts.
The most successful institutions will avoid both extremes – neither abandoning risk management nor clinging to outdated approaches. Instead, they'll use this opportunity to reimagine how they identify, measure, monitor, and control risk in ways that support growth and innovation while protecting their customers and institutions.
In the end, the question isn't whether to wear the seatbelt of risk management, but how to design one that provides better protection while allowing greater freedom of movement. That's the challenge – and opportunity – of our current dilemma.