
The financial services space should expect increased and more intense scrutiny of firms’ digital resilience this year.
In fact, regulators and watchdogs in Europe, the UK, the U.S. and elsewhere are likely to focus on contagion risks from dependencies on critical third parties, including technology providers, especially as AI adoption accelerates.
Contagion risks from non-bank financial institutions will also remain a focus. At least, that is according to a forecast by professional services giant Ernst & Young.
In a new report that was shared with QA Financial, Christopher Woolard, a partner in the financial services consulting section of EY, writes that banks and financial services firms face a fragmenting global landscape in 2025, which will come with intensifying scrutiny of firms’ plans for managing disruptive events.

“Geopolitical changes are leading to a fragmented regulatory landscape, increasing costs and complexity for international firms,” he wrote.
Woolard stressed that more and more regulators are concerned about firms’ resilience, third-party IT dependencies, and exposure to risks from non-bank financial institutions.
“Firms will face pressure to ensure good consumer outcomes, remediate weaknesses quickly, and demonstrate strong governance and risk management,” the London-based industry insider shared.
“The ground beneath the feet of banks and financial services firms is always shifting. However, the past year has seen a convergence of risk factors that together make the outlook for 2025 particularly uncertain,” he anticipated.
Scrutiny
Woolard, who is also EY’s regulatory lead and the firm’s UK FS consulting markets leader, sees that for many regulators and watchdogs around the world resilience will remain a priority this year.
In particular, the industry should expect increased scrutiny of third-party and non-bank risk exposures.
Among the external threats facing financial firms, he thinks regulators will focus on two areas in 2025.
Firstly, third-party and non-financial risk.
“The CrowdStrike outage in 2024, a major cybersecurity incident involving one of the leading providers of endpoint security solutions, brought the operational risks that firms face because of their technology dependencies into much sharper focus,” Woolard explained.
“This is especially the case where many firms depend on the same small group of providers,” he added.
There will also be increasing focus on non-bank financial institutions, which now account for almost half the assets in the global financial system.
“Regulators are concerned that concentrations of risk in these firms, some of which offer ‘bank-like’ products and services, could spill over into the regulated sector and destabilise systemically important institutions,” Woolard noted.
External threats
Woolard and his team see that regulators are more and more concerned about the financial sector’s resilience against vulnerabilities and external threats, often linked to their relationships with customers or suppliers.
“The financial sector’s technology dependency is creating more potential points of failure via firms’ relationships with unregulated third parties,” they stated in their report.
“These weaknesses can be exploited by bad actors or, as a major IT outage in July 2024 showed, can materialise for non-sinister reasons,” they added.
In addition, the share of financial services offered by firms that are partially or entirely unregulated continues to grow.
Regulators are concerned about the potential stability risks non-bank financial institutions pose to systemically important institutions, Woolard pointed out.
“Their response is usually to require regulated firms to address the risks introduced through their relationships with third parties, rather than seeking to regulate third parties directly.”
Heightened geopolitical tensions are resulting in more sanctions and asset freezes as governments move to block their adversaries’ access to the financial system, he stressed.
Several jurisdictions are updating their financial frameworks, leading to higher standards and regulatory expectations and drawing in new categories of firms, such as cryptoasset service providers.
Moreover, recent events, including ongoing conflicts, natural disasters and a global IT failure, have reinforced regulators’ focus on firms’ ability to withstand major operational disruptions, Woolard continued.
As a result, several jurisdictions have introduced new standards designed to strengthen firms’ management of operational risk.
“Firms need to understand their end-to-end process for delivering services and how that could be disrupted … regulators are especially focused on the additional risks introduced through the financial sector’s growing reliance on third-party technology companies, such as vendor and cyber risk,” Woolard wrote.
Their focus has sharpened since the CrowdStrike saga in July 2024.
“Although the impact was overcome relatively quickly, this incident renewed interest in upcoming regulation designed to address risks that originate outside the regulated ecosystem,” he added.
UK and Europe
In Europe, regulators in both the UK and EU are extending their oversight to the supply of critical services to the financial sector, to mitigate the impact that disruption or failure of a third-party service provider could have on financial stability, and are adopting measures to boost cyber resilience.
The new Digital Operational Resilience Act (DORA), which will come into force tomorrow, is aimed at ensuring that the financial institutions subject to it can prevent, withstand and recover from major ICT-related disruptions.
As well as establishing standards for financial institutions to follow, DORA provides a framework for overseeing critical ICT third-party providers, Woolard pointed out. New cyber resilience rules came into effect in October 2024.

In the UK, the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) are due to finalise their rules and supervisory expectations for the critical third-party regime (CTP), as reported by QA Financial recently.
“The regime, which will apply to third parties that are designated as CTPs by HM Treasury, is designed to manage financial stability risks caused by a small number of technology providers that serve multiple financial institutions,” Woolard explained.
Malicious actors
Finally, Woolard pointed out in his report that authorities worldwide are refining their regimes to protect the financial system against abuse by malicious actors.
In response to greater geopolitical tensions and technological advancement, they are addressing gaps and targeting higher-risk actors and activities, particularly the use of cryptoassets and alternative payment providers to evade sanctions.
For example, the Australian government has introduced a bill to update and expand its AML and CTF regime to additional high-risk services, including digital currencies and virtual asset providers.
Meanwhile, the EU has recently introduced an enhanced AML regime including establishing a new authority with direct supervisory responsibility for the riskiest financial institutions.
“This change is expected to significantly increase scrutiny of firms operating across the EU,” Woolard noted.
He thinks it is vital that banks and other financial services firms increase their investments in data analytics and aggregation capabilities to support identification and monitoring of material exposures and concentrations.