How CROs can navigate 2025’s regulatory crossroads

For Chief Risk Officers (CROs), 2025 represents one of the most challenging operating environments in over a decade. A convergence of regulatory deadlines, accelerating technological disruption, and shifting geopolitical dynamics is creating unprecedented pressure on risk functions. Regulators worldwide are demanding not only stronger controls but also demonstrable resilience, ensuring that critical business services can continue in the face of disruption.
This shift marks a decisive move beyond traditional risk management toward an integrated approach that balances compliance, operational agility, and strategic foresight.
Some of the main regulatory initiatives in play include:
Operational resilience rules
In Q1 this year, policies across major jurisdictions came into effect mandating that regulated organisations delivering critical business services demonstrate their ability to stay within defined impact tolerances. In the UK, the Bank of England, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) set the deadline at 31 March 2025. Enforcing comprehensive operational resilience frameworks in this way requires extensive mapping and testing of business services and significant investment in resilient operations.
In addition, the implementation of a Smarter Regulatory Framework (SRF) represents a key development in how UK financial services institutions will be regulated to achieve resilience aligned to international standards.
“Resilience is important but doesn’t mean we can’t be proportionate,” remarked an Executive Director of a European central bank during RiskMinds International 2024.
DORA & CTP regime
The European Union's Digital Operational Resilience Act (DORA), whose compliance deadline was 17th January 2025, focuses on enhancing digital and cyber resilience across the financial sector. DORA mandates robust ICT risk management, streamlined incident reporting, rigorous resilience testing, and effective management of third-party ICT risks. Its broad scope integrates various risk disciplines, including crisis management, business continuity, and operational risk.
Alongside this, at the start of 2025 the UK introduced the Critical Third Parties Regime, an equivalent regime that extends the oversight of UK financial regulators to cover critical third party (CTP) service providers to the financial sector. Like DORA, it aims to increase the operational resilience of financial services firms and financial market infrastructure.
Basel 3.1 finalisation
The implementation of revised operational risk frameworks and capital buffers now requires banks to hold higher levels of regulatory capital, moving away from internal models to standardised assessments. And while Basel 3.1 is not exclusively focused on operational risk, the introduction of output floors, new credit and market risk models, and enhanced data validation rules all have direct implications for operational processes and controls.
Moreover, its staggered implementation across regions, such as Europe (via the Capital Requirements Regulation 3, or ‘CRR 3’), Canada, Australia, Singapore and Hong Kong, necessitates a re-evaluation of reporting infrastructures. In January 2025, the PRA announced that, in consultation with HM Treasury (HMT), the implementation date for the Basel 3.1 standards would be delayed to 1 January 2027 to allow time for greater clarity around implementation plans in the US.
As one principal economist at a US central bank institution told delegates at RiskMinds International 2024: “Basel should be rolled out, but getting to a level playing field is still some time off.”
Non-bank and private markets
Supervisors are extending oversight to non-bank financial institutions and private credit markets. Improved data transparency and risk monitoring for these sectors are in development, reflecting concerns about “bank-like” products outside traditional sectors.
The UK’s Prudential Regulation Authority has sought to widen the scope of its counterparty credit risk (CCR) rules with a general set of guidelines covering all bank counterparties. The Pillar 2A review focuses on key areas including qualitative requirements for CCR, credit concentration risk, IT sufficiency and data quality, and settlement risk and collateral management.
Regulators are increasingly emphasising the importance of robust data management and transparent reporting. There is a growing demand for real-time data and better control over data flows across risk, finance, and compliance functions. This is evident in requirements such as the machine-readable XBRL format for Pillar 3 disclosures under CRR 3 in Europe, which aims to harmonise data collection and reporting.
Increased fragmentation, increased complexity
Even though these initiatives are all aimed at improving resilience, regulators face significant challenges in keeping pace with an increasingly complex risk environment. They are having to focus on emerging threats, led principally by rapid innovation in AI, which has implications for model accuracy (bias, poor data, hallucinations) as well as for cybersecurity hygiene, for example the growing sophistication of identity fraud and deepfake profiles.
However, while the emerging threat posed by AI is significant, it is the increasing divergence of global regulatory frameworks that presents the most critical challenge. As the Bank of England has noted, this could lead to high compliance costs and operational complexity for cross-border firms with respect to how operational risk and capital standards are implemented. Aligning market risk frameworks globally is hugely complex when, for example, implementation of the Fundamental Review of the Trading Book (FRTB) is delayed in some jurisdictions.
Increasingly, CROs recognise the need to invest in automated rules mapping in order to operate at scale across multiple jurisdictions. At RiskMinds International 2024, CROs noted that at a high level the principles in regulations may look similar, but the devil is in the details. For example, under the CRD IV rules in Basel 3.1, the risk weight of a portfolio of assets can differ by 50% between a European interpretation and a UK interpretation.
Data privacy requires operational agility
Similarly, varying approaches to digital assets and central bank digital currencies (CBDCs) across jurisdictions are further impacting interoperability and cross-border payments. In addition, from region to region, and even state to state, regulators are taking different approaches to AI regulation.
South Korea’s approach is likely to resemble Europe’s as it prepares to introduce the AI Basic Act in 2026, which will follow a risk-based tiered approach similar to that of the EU AI Act. By contrast, Singapore and Hong Kong are introducing soft-law guidelines and principles to foster innovation while managing risks. In the US, the introduction of the California Consumer Privacy Act in 2019 created an increased compliance burden on businesses that collect personal information. As White & Case wrote recently, a total of 20 individual states have now passed comprehensive data privacy laws, owing to the absence of a single comprehensive data privacy law at the federal level.
Building an operational framework that can handle such fragmentation, allowing financial organisations to manage local risks without significantly increasing costs, is set to become even more challenging: there is no immediate sign of a globally consistent regulatory approach to AI or, more broadly, to data privacy.
Conclusion
For CROs, the message is clear: resilience is no longer a siloed compliance exercise, but a multi-jurisdictional, technology-driven imperative. From DORA to Basel 3.1, from CTP oversight to AI governance, the regulatory trajectory is converging on one demand: robust, data-driven, future-ready risk management. Those that invest early in operational agility and cross-border compliance infrastructures will not only withstand regulatory shocks but also gain strategic advantage in a volatile financial world.