From AI to AML, regulation is no longer background noise — it defines how financial institutions operate and grow. Compliance leaders now face three pressing questions: What has changed? How much time do we have? How do we prepare?


The AI Act took effect in August 2024 and sets a risk-based classification of AI systems. By July 2027, financial institutions using AI in areas such as credit scoring, underwriting, or fraud detection must comply with strict transparency, governance, and auditability requirements. A key step will be assessing whether you fall under the Act as an AI “provider” or only as a user.
Highly relevant for: creditworthiness assessment, risk scoring, fraud detection, and pricing in life and health insurance.
– High-risk systems using AI technology face extensive documentation, testing, and audit requirements.
– Transparency, explainability, human oversight, risk and data quality management are now regulatory priorities.
– Data protection is under tighter scrutiny, especially for personal data.
– AI in customer interfaces (chatbots, call support, etc.) must be declared and controlled.
– Increased compliance obligations may lead to higher operational and audit costs.

1. Map all AI use cases and classify them by risk.
2. Assess your role — are you an AI “provider” under the Act?
3. Build governance, oversight, and human-in-the-loop structures for high-risk models.
4. Strengthen data quality and protection frameworks.
5. Prepare for audits, documentation demands, and external regulatory reviews.

– AI governance design and implementation.
– Independent AI model testing, validation, and audit support.
– Data governance and quality control design.
– Advisory on risk classification and regulatory interpretation.
Did you find these insights useful? Let us know what you’d like us to cover next time. Click on subscribe to receive the next Trask RegTech Radar, coming in 3 months.

The Insurance Recovery and Resolution Directive (IRRD) entered into force in January 2025. By January 2027, insurers must have tested and up-to-date Recovery and Resolution Plans (RRPs), covering both critical operations and ICT dependencies. Boards are directly accountable for demonstrating operational continuity and resilience.
Highly relevant for: insurers and reinsurance groups operating cross-border, where coordination and portability of operations are under regulatory scrutiny.
– Mandatory RRPs will become a standard across the EU.
– Boards carry direct responsibility for governance and ICT resilience, subject to regulatory review.
– Supervisors gain broad powers, from portfolio transfers to bail-in and bridge entity creation.
– Cross-border insurers face heightened demands for coordination of recovery and resolution.
– Greater emphasis on critical ICT functions, continuity, and readiness testing.

1. Identify critical functions and ICT dependencies.
2. Design and regularly update RRPs, aligned with governance and operational resilience frameworks.
3. Run crisis scenarios and stress tests, including ICT continuity and cyber risks.
4. Integrate recovery planning with cyber risk and DORA requirements.

– Gap analysis of ICT security, incident response, and continuity controls.
– Mapping of critical digital assets, systems, and third-party dependencies.
– Strengthening operational resilience of ICT infrastructure.
– Scenario-based testing and tabletop exercises for resolution and ICT failures.
– Advisory on incorporating cyber incidents into resolution planning.

In June 2024, the EU adopted a comprehensive AML reform package, consisting of the AMLA Regulation (establishing the new Anti-Money Laundering Authority), the directly applicable AMLR, and AMLD6. Together, these measures harmonise supervision and enforcement across the EU. Transposition deadline: 10 July 2027.
Highly relevant for: banks, insurers, investment firms, and crypto-asset providers.
– AMLA will directly supervise high-risk firms, raising the bar for compliance and cross-border cooperation.
– Customer due diligence (CDD), beneficial ownership, and transaction monitoring obligations expand significantly.
– Crypto assets fall firmly under scope, with AML obligations extended to digital finance.
– Supervisory authorities and FIUs gain stronger coordination and enforcement powers.
– Heightened expectations for IT governance, documentation, and auditing.

1. Review internal AML policies and IT systems for AMLR alignment.
2. Strengthen controls on beneficial ownership and high-risk countries.
3. Upgrade monitoring and transaction screening to meet expanded requirements.
4. Prepare for direct supervision and technical standards set by AMLA.

– Independent review of IT systems supporting AML controls (CDD, monitoring, screening).
– Implementation advisory for AMLA reporting and new technical standards.
– Cybersecurity risk management for sensitive AML data.
– Scenario-based testing and resilience exercises against AML system compromise.


The revised PSD3 (directive) and the new PSR (regulation), expected to apply from mid-2027 (PSD3) and by the end of 2027 (PSR), introduce a harmonised EU framework for payments. The reforms target fraud prevention, stronger authentication, and clearer liability rules, while extending supervisory powers across Member States.
– Liability for authorised push payment (APP) fraud shifts to providers, including impersonation scams.
– Refund deadlines for fraud victims are extended from 10 to 15 business days.
– Banks and PSPs must upgrade fraud prevention systems and customer verification (onboarding, consent management, IBAN/name checks).
– API standardisation and stronger customer authentication become mandatory.
– Supervisory enforcement and cross-border cooperation intensify.

1. Assess exposure to APP fraud and redesign onboarding and verification flows.
2. Budget for IT and fraud management upgrades.
3. Align fraud frameworks, customer consent, and reporting with PSD3/PSR obligations.

– PSD3/PSR compliance gap analysis and fraud risk assessments.
– Advisory on customer onboarding, authentication, and consent processes.
– Delivery of advanced anti-fraud solutions (e.g. SAS) and integration support.

The SEPA Instant Payment Regulation (IPR), adopted in February 2024, introduces mandatory Verification of Payee (systematic IBAN/name checks) for all PSPs handling SEPA payments in countries whose national currency is not the euro; the implementation deadline for those countries is 9 July 2027.
– IBAN/name checks will become a regulatory requirement across SEPA, standard and instant payments.
– Customer experience will be harmonised through EPC CX guidelines.
– Fraud detection and prevention expectations rise as instant payments scale up.

1. Prepare early for large-scale IBAN/name checks across payment flows.
2. Ensure interoperability and compliance with EPC customer experience standards.
3. Modernise IT and API architectures for consistent Verification of Payee integration.

– Implementation of Verification of Payee in partnership with Banfico.
– Modernisation of payment system architectures for compliance and efficiency.
– Advisory and testing to ensure interoperability and resilience.