What you need to know to simplify and strengthen your compliance operations
You don’t need another conference to tell you the regulatory landscape is shifting. But one message from the 2025 ABA Risk & Compliance Conference came through loud and clear: compliance as we know it is no longer enough.
If you couldn’t attend, consider this your debrief. Below are five themes that stood out, not as trends, but as red flags waving in plain sight. For banking professionals managing risk, oversight, and compliance: now’s the time to tighten your grip on what’s coming next.
1. AI isn’t Emerging. It’s Embedded
…and regulators know it.
From AI-driven credit models to automated fraud detection, banks are already integrating artificial intelligence across operations. But many haven’t formalized an AI governance strategy, and that’s a risk in itself.
Why it matters
Regulators are no longer asking if you use AI. They’re asking how you govern it. Do you know your AI risk appetite? Have you stress-tested your models for bias?
What to do
Build or refine your AI governance framework, including policies, third-party oversight, and explainability standards.
2. Compliance can’t Keep Waiting on “Final Rules”
With rule reversals (CRA), new mandates (Section 1033), and litigation delays (1071), regulatory change is both constant and uncertain. What’s worse? Many banks are still waiting for clarity before taking action.
Why it matters
Waiting is no longer safe. Regulatory timelines may shift, but expectations are already forming.
What to do
Design a flexible change management process that allows your team to plan in advance and pivot quickly without overburdening operations.
3. FinTech Partnerships Are Risk Multipliers If You’re Not in Control
Banking-as-a-Service and FinTech integrations continue to expand, but oversight often lags behind. And that’s dangerous.
Why it matters
Regulators expect your bank to own the risk, even if the service is outsourced.
What to do
Conduct thorough pre-onboarding due diligence, embed continuous monitoring practices, and understand the AI tools your partners are using, especially those not disclosed upfront.
4. Natural Disasters Are Now Credit Events
Disaster-driven events aren’t future concerns. They’re already here, already disrupting credit portfolios, and already creating downstream risks, from liquidity strain to reputational fallout.
Why it matters
Despite disaster planning, most banks still end up reacting, not leading.
What to do
Expand your credit risk assessment framework to include geographic vulnerability, climate stress testing, and contingency controls beyond insurance.
5. Your Risk Culture Might Look Good on Paper…But Is It Real?
Talk of “tone from the top” is everywhere, but sessions on conduct risk and culture exposed a gap: most banks still fail to translate ethics into operational behavior.
Why it matters
A strong risk culture isn’t what you say. It’s what you track, measure, and reinforce at all levels.
What to do
Align compliance programs with the customer lens (especially around UDAAP), and implement conduct metrics that tie back to real incentives and outcomes.
The risk landscape is louder, faster, and far more integrated than ever before. The banks that will thrive aren’t the ones with the longest policies but the ones with the clearest foresight.
If your compliance strategy still feels comfortable, it’s probably outdated.
