Top Regulatory Issues
Regulatory change emerged as a top issue on bankers’ minds, with 14% selecting this as the issue most likely to affect the financial industry. 2025 is poised to be a hot regulatory year with numerous recent developments.
Nearly three-quarters of financial professionals expressed concern about the Community Reinvestment Act (CRA). Financial crimes compliance was also at the top of the list with 74% reporting concern, likely due to recent updates to the AML Act of 2020 and increasing interest in AI.
Community Reinvestment Act (CRA)
Financial Crimes Compliance
Cloud-Based Banking Technologies
Cybersecurity Compliance
Building a Financial Services Ecosystem
Monetizing Data
Cryptocurrencies
UDAAP
CFPB’s Rule 1033
Community Reinvestment Act (CRA)
Concerned or Very Concerned
The Community Reinvestment Act (CRA) was modernized in October 2023, and banks continue adjusting to the new regulatory environment it creates.17 CRA updates include encouraging banks to expand banking services access in low- and moderate-income neighborhoods, adapting to technological advancements and tailoring CRA evaluations and data collection by bank demographics. Most requirements become applicable by 2026, so banks are focusing on this to ensure sufficient information for CRA reporting.
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
Financial Crimes Compliance
(AI, Analytics, Fraud Detection, BSA/AML Modernization)
Concerned or Very Concerned
The AML Act of 2020 touches upon using AI as a tool to enhance compliance capabilities for financial institutions. Regulatory bodies, including FinCEN and other federal agencies, recognize AI’s potential to strengthen AML/CFT efforts, particularly in monitoring transactions, assessing risk and detecting suspicious activities in real time.
In 2024, FinCEN announced a proposed rule to strengthen institutions’ AML/CFT programs by requiring that such programs be “effective, risk-based, and reasonably designed, enabling financial institutions to focus their resources and attention in a manner consistent with their risk profiles.”18
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
Cloud-Based Banking Technologies
Concerned or Very Concerned
Cloud-based banking technologies deliver a variety of benefits, including scalability and efficiency but regulatory implications exist as well. As banks partner with different providers for cloud-based technologies, prioritizing risk management, due diligence and compliance with regulatory requirements is key.
An FFIEC joint statement encourages financial institutions to engage in effective risk management around cloud computing and to understand “shared responsibilities between cloud service providers and their financial institution clients.”19
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
Cybersecurity Compliance
Concerned or Very Concerned
Bankers face ongoing cybersecurity challenges, especially as fraud and cyber threats remain top of mind. Focusing on cybersecurity compliance prepares banks to respond effectively to new and evolving threats—all while maintaining resiliency and compliance in an evolving regulatory environment. Preventative measures like ransomware self-assessment tools, cyber insurance and multi-factor authentication help institutions strengthen their security.
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
Building a Financial Services Ecosystem
(Fintech/Big Tech Partnerships, Third-Party Risk Management, Open Banking)
Concerned or Very Concerned
Creating a financial services ecosystem includes developments in open banking as data is shared between multiple entities. As banks develop their open banking strategies, risk management and governance should be their guiding pillars. Regulatory agencies expect institutions to have strong risk management and governance programs in place—including robust vendor due diligence processes—to build the structural framework of their cybersecurity and compliance programs. As open banking becomes more prevalent, banks must ensure that any third-party partners adhere to regulations and use customer data only for intended purposes.
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
Monetizing Data
(Product and Service Optimization, Revenue Maximization)
Concerned or Very Concerned
Banks can monetize data in various ways, including leveraging targeted advertising, engaging in personalized marketing or providing anonymized datasets to third-party organizations or researchers. However, institutions should approach this carefully by balancing data utilization with privacy considerations. A range of regulations from different agencies govern data use, whether for developing new products and services or for potential data resale. Adhering closely to these privacy standards and honoring customer preferences is essential for maintaining compliance and building trust with the customer base.
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
Cryptocurrencies
Concerned or Very Concerned
Due to headlines about crypto-enabled financial crime, the collapse of crypto firm FTX and subsequent revelations of fraudulent practices, this field remains a polarizing topic. Last year’s results indicated that 84% of bankers were concerned or very concerned about cryptocurrencies, so concern has dropped looking ahead to 2025. Banks should continue to keep an eye on crypto-related guidance from the FDIC, OCC and other entities.
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
UDAAP
(Fair Lending, Overdraft, Junk Fees)
Concerned or Very Concerned
The FDIC and CFPB continue to focus on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP), particularly addressing Non-Sufficient Funds (NSF) fees and the CFPB’s concerns about “junk fees,” such as return deposit item fees. Over the past few years, CFPB’s reforms have resulted in $3.5 billion in annual savings on overdraft fees and an additional $2 billion in savings on non-sufficient funds fees.20
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
CFPB’s Rule 1033
(Open Banking)
Concerned or Very Concerned
In October 2024, the CFPB issued a final rule to implement section 1033 of the Consumer Financial Protection Act of 2010 to strengthen consumers’ financial data rights.21 Rule 1033 requires financial institutions and other data providers to help consumers access and share their data securely using application programming interfaces (APIs). The rule covers financial data housed at banks, credit unions and other financial institutions, as well as payments apps and digital wallets. As APIs become more important in our financial landscape, banks will likely be navigating new cybersecurity and privacy rules in the coming years.
Very Concerned
Somewhat Concerned
Concerned nor Not Concerned
Not Very Concerned
Not at all Concerned
Industry Insight
AI continues as a recurring theme in this year’s report, driven in part by the AML Act of 2020. AI improves efficiency by analyzing vast data sets, reducing false positives and streamlines compliance reporting, making it easier for financial institutions to meet BSA/AML requirements. However, institutions should keep in mind agencies will emphasize the need for transparency, auditability and data quality in AI models used for BSA/AML compliance.
While Rule 1033 only impacts banks with assets in excess of $850 million at this time, all banks should take note of this regulatory development. As consumers exercise more control over their data, they’re able to more easily partner with banks that provide personalized service and their desired products. Institutions that embrace open banking and develop strategies that meet regulations can more easily offer new products or services to meet customer needs without building them internally or relying on a single provider.