The Risk and Reg Edit: Winter 24/25 edition
At the end of 2023, we looked at the risk and regulatory horizon for UK financial institutions’ CROs moving into 2024. In this edition, we give our predictions for 2025 and look back at 2024 to see what we got right, what we didn’t and make our forecasts for risks in the year ahead.
Our risk categories look broadly similar to last year, but those headings conceal a lot of moving parts. Firms face a dynamic risk environment, and we hope this Edit will give Chief Risk Officers (CROs) a useful checklist for things to look out for in 2025.
Read on for our experts' views on:
- Geopolitics and macroeconomics
- A shifting conduct agenda
- AI and data
- Tackling economic crime
- Operational resilience
- ESG risks
- Culture and DEI
- The future of the risk function
Geopolitics and macroeconomics: Navigating global uncertainty
In 2024, we highlighted the wars in Ukraine and the Middle East. Tragically, the same conflicts persist in 2025, supplemented by growing military tensions in the South China Sea and political turmoil in South Korea.
We also highlighted the uncertainty arising from 2024’s many elections, as 3.7 billion people voted in over 70 countries including the US, UK, France, and India. The results revealed widespread voter disenchantment with governing parties, pointing to further political unpredictability, and in 2025 we’ll see the effects of last year’s elections coming home to roost. Financial institutions should prepare for a dynamic and evolving policy landscape.
This environment presents opportunities for strategic adaptation and innovation. While inflation has moderated from its recent peaks, the prospects for global growth and prices remain uncertain – and are complicated by talk of trade wars. As indebtedness, credit risks, and liquidity risks continue to evolve, financial institutions can leverage their expertise to manage these challenges effectively. However, the impact of fiscal and monetary policy on yields, margins, and impairments, remain less predictable. Scenario planning and dynamic interest rate risk modelling will be critical to preparing for unpredictability and maintaining strategic flexibility during the year ahead.
A shifting conduct agenda: Customer treatment remains the biggest priority
In 2024 we saw the UK Consumer Duty fully enter into force, and conduct regulation remains a key item on CROs’ agendas. We’re moving from the implementation phase into an era of enforcement, with a growing onus on firms to demonstrate good customer outcomes.
The UK Financial Conduct Authority’s (FCA) work plan shows that it will maintain its focus on fair value, and we expect the regulator to issue further guidance to firms after studying the next set of board reports. Nor will there be a let-up in the number of regulatory reviews requiring industry input. The FCA is seeking engagement over its plans to streamline the Handbook, its Review of firms’ approaches to vulnerable customers, and the Pure Protection Market Study.
2025’s conduct activity will also be affected by the new UK Government’s regulatory goals. The Treasury has asked regulators to increase their focus on economic growth, although it’s unclear whether this amounts to a request for deregulation. Priorities mentioned in the Chancellor’s Mansion House speech included removing the certification regime from the Senior Managers and Certification Regime (SMCR), reform of the redress system, and the National Payments Vision.
The Government and the FCA seem well aligned in some areas – such as the importance of treating vulnerable customers fairly – but there is also scope for conflicting political and regulatory priorities to increase compliance burdens. In a fluid environment, firms that can optimise the efficiency and impact of their risk and compliance functions stand to gain a valuable competitive edge.
AI and data: Connected risks
Last year, we highlighted AI’s potential to sharpen efficiency and innovation, while stressing the importance of robust risk management frameworks for this exceptional technology. Fast forward to 2025, and AI adoption has galloped ahead. According to the Bank of England, 75 percent of financial firms are using AI in some way, including for risk management tasks such as detecting data breaches, and Generative AI is being widely used to enhance productivity.
This environment is keeping the risks of AI at the forefront of CROs’ minds. One 2024 study of US annual reports found that no fewer than 56 percent of Fortune 500 companies cited AI as a risk factor. In part, this is about AI’s potential to turbo-charge cybercrime. The misuse of data is also a particular concern: during H1 2024, fraudsters misusing data perpetrated £570m in reported thefts in the UK. Worldwide, the average total cost of a data breach grew to $4.45 million in 2023.
More broadly, AI’s reliance on large data sets for training creates an obvious potential conflict with financial institutions’ duty to safeguard personal and proprietary data. The dominance of the AI landscape by a handful of providers is also boosting concentration risk.
This year will be another landmark year for AI in finance, as more firms roll out the technology to customer-facing and decision-making functions. Strong data governance and safeguards are paramount if firms are to derive lasting value from their adoption of AI.
Tackling economic crime: A continued focus
Fraud and economic crime have not only remained major risks for financial institutions since last year’s Edit; if anything, they have grown and accelerated.
In part, this stems from the increasing regulatory burden on financial firms, illustrated by the FCA’s Dear CEO letter from March 2024 on anti-money laundering failings, and the introduction of the new Failure to Prevent Fraud offence in September 2024. However, it also reflects the overall scale of UK fraud, which continues to grow.
The amendment of Payment Service Regulation, making reimbursement mandatory for almost all forms of APP fraud, illustrates this paradox. APP reimbursement has increased the pressure on financial firms to detect and prevent financial crime, but it does little to thwart the rising tide of financial crime, the total cost of which has been estimated at £38bn per year.
The UK’s updated economic crime strategy sets out how more systematic methods could achieve long-term reductions in overall levels of fraud. Institutions can begin taking steps towards this holistic approach by engaging with regulators, partnering with tech providers, and sharing data with their peers. In the short term, technology can also help firms to achieve quick wins in the fight against economic crime, especially when combined with an agile, risk-based approach to proactively identifying and mitigating potential threats.
Operational resilience: Staying within tolerance and navigating global rules
In one of our most accurate predictions, last year’s Edit identified technology supply chains as a threat to resilience. The CrowdStrike outage of July 2024 was a reminder of the concentrated risks created by reliance on a handful of software and cloud providers. Although the immediate hit to the financial industry was limited, the event led to widespread economic disruption and billions of dollars in insurance claims.
Resilience remains a major priority in 2025, with the growing difficulty of obtaining insurance against state-sponsored cyber-attacks acting as one indication of the evolving threat environment.
CROs are working to address growing resilience threats by mapping dependencies, patching vulnerabilities, and rehearsing incident responses. They also face a heightened set of regulatory expectations. In the UK, firms must show they have met the Operational Resilience expectations of the FCA and PRA by March, including new incident reporting requirements. They will also need to respond to FCA consultations on key topics such as Critical Third Parties.
For firms operating in the EU, the Digital Operational Resilience Act’s (DORA’s) entry into force imposes a similar-but-different set of compliance requirements. DORA brings critical third parties within the scope of regulation for the first time, and applies onerous requirements for incident reporting, data registers, and dependency mapping. Implementation requires an ongoing multi-year effort. Mapping commonalities and differences with other resilience frameworks will be key to achieving compliance and strengthening enterprise-wide resilience, boosting efficiency and reliability.
ESG risks: Stalled regulatory pressure, long-term risks remain
The increasingly politicised debate over environmental, social and governance (ESG) investing, illustrated by the departure of several major US banks from the Net Zero Banking Alliance (NZBA), is slowing financial momentum towards net zero, with corresponding effects on the profitability of different business lines. That could encourage CROs to view ESG risks as falling. In reality, they continue to evolve in a complex and unpredictable fashion.
First, regulators in the UK and Europe remain highly engaged with the physical threats and stranding risks that arise from climate change and ESG factors, and are maintaining their focus on the effective management of ESG risks.
Second, the polarisation of the ESG debate promises to increase, not decrease, the reputational risks associated with ESG-related decisions. This includes allegations of greenwashing from environmental campaigners, as well as ‘anti-ESG’ activism by a range of sceptical lobbyists.
Most fundamentally, the underlying dangers of climate change continue to climb. The largest insurance companies suffered $10.6bn of climate-attributed losses in 2024, and extreme events such as the Los Angeles wildfires will have a growing financial impact on insurers, lenders, and investors. ESG risks may be changing shape, but they aren’t going away.
Culture and DEI: Down but not out
Last year, we highlighted regulators’ increasing focus on non-financial misconduct as an area of risk that financial institutions could not afford to overlook. While bigger and faster-moving risks have pushed this topic down the CRO agenda over the past year, the need for firms to measure and manage intangible principles, such as inclusivity and equity, remains vitally important.
While the FCA has indicated that it won’t be prioritising the data collection suggested in its Diversity consultation of September 2023, it remains committed to its proposals on non-financial misconduct. Events like the closure of Odey Asset Management are a reminder of the importance of culture and training, the need for robust misconduct frameworks, and the value of effective crisis management.
CROs still cannot afford to ignore culture, DEI, and other related drivers of reputational risk in 2025.
The future of the risk function: Prioritising resources
As in last year’s Edit, we end our look at the risk horizon for the year ahead by discussing the outlook for the risk function itself.
Across the financial industry, tightening profitability means that we continue to see risk and compliance functions being asked to do more with similar, or fewer, resources. It therefore remains crucial for CROs to automate high-volume processes where possible, and to use risk-based insights and intelligence to prioritise the allocation of resources.
We also expect to see an acceleration in CROs’ efforts to integrate risk and compliance functions more closely with front-line teams, improving organisational responsiveness and innovation. As the pace of finance speeds up and firms increase their use of delegated decision-making, it’s more vital than ever for risk functions to make themselves valued strategic partners of their host businesses.
People trust us because of our deep knowledge of the regulatory system. Our experience working with regulators, banks, insurers, building societies, and others means we’ll give you advice that works in the real world. If you’d like to discuss any of the issues above in depth with our experts, get in touch now.