Caught in a regulatory pincer? Rising risk, tightening tolerance
The following is a guest editorial courtesy of Eric Odotei, Group Head of Regulatory Reporting at Finalto. Finalto delivers best-in-class pricing, execution and prime broker solutions across multiple assets, including CFDs on Equities, Indices, Commodities, Cryptos and rolling spot FX, Precious and Base Metals, and bespoke products such as NDFs.
Cyber intelligence agencies of the ‘Five Eyes’ countries – Australia, Canada, New Zealand, the UK and the US – have taken the unusual step of issuing a joint statement warning that unprecedentedly powerful new AI models ‘capable of taking down governments and businesses’ are only months away. The statement acknowledged that these models will ultimately aid cyber-defensive capabilities, while also accelerating “the speed, scale, and sophistication of cyber threats”.
In short, the AI arms race is not just a contest between developers or global powers. It is also a race to build defensive capabilities that can keep pace with rapidly expanding offensive ones, capabilities that will soon be widely available even to relatively unsophisticated actors.
As the Five Eyes statement suggests, these technologies pose urgent questions of state security and corporate integrity. But the challenge extends well beyond the rarified heights of GCHQ or the NSA. At the financial services coalface, there are signs that regulators are already moving more quickly and decisively, potentially in response to a growing assumption among bad actors that advancing technology lowers barriers to entry and increases their chances of getting away with it.
New systematic risks
Increasingly, regulators are concerned not only with firm-specific failures but also with systemic vulnerabilities arising from shared technology, cloud providers, AI platforms, and digital infrastructure. This shift is reflected in DORA, the FCA’s operational resilience agenda, and growing international concern over critical third-party and concentration risks.
A striking recent example is the FCA’s decision to impose requirements on Euro Exchange Securities UK Limited to cease operations due to “significant risks of financial crime”.
The intervention was driven not by isolated lapses, but by “systemic weaknesses in the firm’s financial crime framework and safeguarding arrangements, alongside its ownership and governance”.
That is a high bar. But as technology evolves, the more relevant question might be whether other firms, those that would not consider themselves systemically weak, can be confident in the resilience of their own structures. As offensive capabilities scale rapidly and regulatory expectations evolve in parallel, weaknesses that might once have been contained (or tolerated) are more likely to be exposed as interconnected points of failure.
In that environment, the issue is less about avoiding obvious lapses, and more about whether firms can maintain structural integrity under increasing pressure. What were once one or two overlooked vulnerabilities may now be enough to reveal deeper, system-wide fragility.
More bark, more bite?
New regulatory frameworks such as DORA, the EU AI Act, and MiCA suggest that regulators are moving beyond traditional compliance and towards active oversight of technology, operational resilience, and digital innovation.
Then there’s the more basic fact that any technology that makes workflow more efficient can also make malfeasance easier. There’s a lingering assumption that complexity itself offers cover, that risks can be obscured within systems that few people fully understand.
In that environment, it is not unreasonable to expect regulators to try to get ahead of the problem, taking a more direct, less tolerant approach. The recent coordinated action against unauthorised “finfluencers” is one indication of that, and unlikely to be the last.
More broadly, regulatory activity across Europe points in the same direction: wider crackdowns, applied across a broader set of firms, with penalties that are both larger and more frequent.
At the same time, the picture is complicated by a more traditional constraint. In some jurisdictions, authorities are also grappling with legal frameworks that are struggling to keep pace with the way financial crime is actually conducted, such as Swiss financial prosecutors who worry they are being hampered by outdated rules.
We are plausibly heading for a more ‘no-nonsense regulatory vibe’, where lawmakers prioritise getting financial crime legislation fit for modern purposes, and regulators attempt to wield the full weight of their powers.
Opportunity under pressure
Technology is advancing quickly. Lawmakers and regulators are pushing to keep up. Financial services firms risk being caught in a kind of pincer. As offensive capabilities scale up, regulators’ tolerance for weak points gets narrower.
The upshot may simply be that there’s less room for error. What may have been patchable weak points before may now become systemic issues or be considered severe lapses.
Firms may need to stop treating cyber risk, financial crime, AI governance, operational resilience, and digital assets as separate issues. Regulators increasingly view them as interconnected components of a firm’s overall risk framework.
Boards should be asking whether their governance, controls, and operating models are capable of adapting to AI-driven threats and increasingly complex technology dependencies, rather than simply assessing current compliance requirements.
This isn’t a question that should be asked lightly. Firms that underestimate either jaw of the pincer risk discovering their fragility the hard way. In this environment, there may be fewer opportunities to learn from your mistakes.
But the pressure may also prove clarifying. Precisely because AI-driven risk is systemic and accelerating, and the regulatory environment is more uncompromising, it could induce firms to build genuine resilience rather than patch isolated weaknesses. Being caught in the pincer can be uncomfortable, but it may also be an opportunity.
