1. Geopolitical and Macroeconomic
This relates to the wide array of risks associated with geopolitics, conflicts or tensions between states, and the impacts on businesses, trade, security, and political relations.
Geopolitical risks in 2025 stem from multiple areas of concern internationally. These risks underscore the need for FS firms to enhance their geopolitical risk assessment capabilities and develop strategies to mitigate potential impacts. This is emphasised by the Bank of England's Systemic Risk Survey Results - 2024 H1 [2], which shows geopolitical risk as the most important according to respondents.
The change in government within the US may exacerbate the role of trade as a geopolitical battlefield, largely attributable to the imposition of high tariffs. This is of particular concern when looking at US-China relations and the impact on countries without free trade agreements [3]. Imposing tariffs can strain relationships with other countries, leading to diplomatic tensions and potentially impacting other areas of international cooperation. From a macroeconomic perspective, the geopolitical tension which exists today has the potential to cause commodity shortages due to globalisation, conflict and trade wars. As a result, the world is quickly reverting from unipolarity to multi-polarity. This shift has exacerbated existing conflicts, and the gradual breakdown of international order encourages the rise of individual power centres, which in turn fuels more acerbic politics.
Aside from the recent US election, FS firms must be ready for increased risk across multiple domains especially as studies predict growing tension and conflict across the globe [4]. Supply chains and operations across the Middle East, sub-Saharan Africa, South America and Southeast Asia in particular may be exposed to major disruption as a result. There is a clear link between geopolitical instability and regulatory instability, as quickly shifting and more immoderate governments overturn each other’s agendas. The risk of a spike in macroeconomic volatility as a result of this instability is high in 2025. This is reflected in interest rate unpredictability, leading to higher market volatility, for equity, credit, bonds and so forth. The effects of this heightened macroeconomic volatility could be far-reaching, and the ability to make successful business predictions and decisions is hindered, leading to vulnerabilities within the global financial ecosystem.
Another key risk dynamic to monitor is the trajectory of conflicts in the Middle East and Ukraine. Although currently unlikely, there is a potential risk that escalating attacks between Iran and Israel could lead to a broader regional conflict, possibly drawing in the Gulf States and the United States more directly [4]. Furthermore, the US' commitment to solving the conflict in Ukraine could lead to its leaders suffering from external pressure to agree to a 'ceasefire' due to the threat of losing support. This may lead to social unrest and further, it does not prevent authoritarian leaders from using military forces elsewhere to achieve their potential aims.
This year has seen greater regulatory focus around this risk, through the incorporation of escalating geopolitical tensions in supervisory stress test and scenario analysis, for example, the EIOPA's 2024 insurance stress test [5] and EBA's 2023 EU-wide stress test [6]. This further illustrates that regulators are eager to evaluate a firm's capacity to handle geopolitical stress and ensure robust frameworks are in place to mitigate risks effectively. FS firms must ensure that they have identified the relevant channels through which geopolitical risks could affect their business/service offerings. Firms must monitor their exposure to these risks on a continuous basis, ensuring there is a process in place to prioritise and mitigate them.
2. Cybersecurity
Cybersecurity risk can be defined as ‘an effect of uncertainty on or within information and technology. Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information systems and reflect the potential adverse impacts on organisational operations and assets, individuals, other organisations, and the Nation’. [7]
The increasing sophistication and frequency of cyber threats pose a significant concern for the financial sector, which is regularly targeted due to the sensitive information it handles. As these threats evolve, mitigation strategies must also improve, including more frequent employee training and advanced technology to detect threats. There is a pressing need for increased awareness and resources dedicated to managing cyber risk [8].
Cyberattacks are a significant concern, particularly because they are difficult to identify, measure, mitigate, and report due to many unknown factors. Smaller firms may struggle to have the necessary resources and sophisticated tools in place. Setting a risk appetite for cyber threats is also a challenge as significant cyber risks crystallise rarely but when they do happen, they can have serious effects.
The Cyber Resilience Testing Framework (CBEST), developed by the Bank of England in collaboration with the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), conducts an annual assessment to evaluate the cyber resilience of firms [9]. It promotes an intelligence-led penetration testing approach that mimics the actions of attackers intent on compromising an organisation's Important Business Services (IBS) and disrupting the technology assets, people and processes supporting those services. The Bank of England subsequently publishes the thematic findings from the assessment, pointing out areas of weakness that firms must work on. To keep pace with this annual assessment, FS firms must look to continuously develop and enhance their cyber resilience frameworks to avoid being penalised by the regulator.
The use of AI is predicted to escalate cyberattacks in 2025, and quantum computing could outmanoeuvre traditional security measures, necessitating greater resources for cybersecurity [10]. Regulatory pressure is also mounting, with the Digital Operational Resilience Act (DORA) set to take effect on January 17, 2025, in the EU, enhancing cybersecurity and operational resilience requirements for financial institutions [11]. Cyber risk is a key focus for regulators across the market, emphasising the need for firms to prioritise their cybersecurity measures.
Cyberattacks can disrupt critical financial services, leading to financial losses and reputational damage, making operational resilience a priority [12]. Additionally, increasing data privacy regulations require financial institutions to protect customer data against breaches or misuse, as failure to do so can result in hefty fines and loss of customer trust. As customers become more aware of data privacy issues, maintaining their trust is crucial. The demand for cyber insurance is rising, but obtaining it is becoming more challenging as insurers impose stricter standards for cybersecurity practices, including data encryption and incident response plans.
3. Financial Crime
Financial crime risk refers to the potential for financial losses and legal consequences that organisations face due to risks relating to money laundering, terrorist financing, sanctions breaches, fraud, bribery and corruption, market abuse and tax evasion.
In 2024, FS firms faced significant losses due to financial crime, from a monetary, reputational and regulatory perspective with more than $3.1 trillion in illicit funds flowing through the global financial system [13]. This highlights the staggering scale of financial crime operations.
Firms will continue to face financial crime threats in 2025. Due to the technological advancements that have occurred in recent years, the rise of digital, banking and financial services has created new opportunities for cybercriminals. Cyberattacks, including ransomware and phishing, are becoming more sophisticated, targeting sensitive financial data and disrupting operations. FS firms must guard against data breaches, ransomware, and other cyber threats. Traditional fraud, including identity theft and payment fraud, continues to evolve. The rise of digital transactions has made it easier for fraudsters to exploit vulnerabilities which can lead to significant financial losses and reputational damage [14].
This, coupled with rising geopolitical tensions, presents a major risk to FS firms and the system as a whole. Regulatory bodies continue to intensify their focus on financial crime, leading to stricter compliance requirements and a string of significant fines for breaches of money laundering and sanctions requirements.
Firms will continue to face higher risks of penalties and sanctions if they fail to adhere to Anti-Money Laundering (AML) and counter-terrorist financing (CFT) regulations as well as the ever-increasing array of sanctions requirements [15]. Furthermore, the Economic Crime and Corporate Transparency Act 2023 [16] brought into force a new offence from 1st September 2024, meaning that firms must ensure they have in place reasonable preventative procedures to demonstrate they are seeking to prevent fraud conducted for the benefit of the organisation. This follows a similar approach to the requirements of the Bribery Act [17] and the tax evasion requirements put in place by the Criminal Finances Act [18].
Addressing the risks associated with financial crime will require a proactive approach, including investing in technologies to detect suspicious behaviour, enhancing compliance programs and fostering a culture of risk awareness within the organisation.
4. Generative Artificial Intelligence (AI)
Generative AI risk refers to the potential for artificial intelligence systems to cause unintended consequences, including financial losses, biased outcomes, and security vulnerabilities, due to their complexity, data dependencies, and autonomous decision-making capabilities.
Artificial Intelligence (AI) is rapidly emerging as a significant risk for FS firms. AI adoption is widespread, for example, 75% of firms [19] surveyed by the FCA and the Bank of England (BoE) are using AI for internal processes, customer support, cyber-attack mitigation, fraud detection, and money laundering prevention. Additionally, AI is increasingly being used for credit risk assessments, algorithmic trading, and capital management. Therefore, as AI tools become more integrated into banking operations, the complexity and scale of these systems make it challenging to address risks retrospectively. We conducted a Q&A webinar in November which discussed how firms can navigate current risk management challenges including how firms can integrate AI effectively into their existing risk management frameworks.
AI differs from traditional modelling technologies in several ways which presents complexities and risks. Areas of particular concern include the lack of explainability in complex models which makes it difficult for humans to understand and spot errors. Furthermore, the automated nature of AI introduces the risk that key decisions are made without management’s agreement, which may undermine an entire risk framework.
In 2024, AI regulation saw significant developments. The European Union implemented the AI Act [20], the first comprehensive legal framework for AI, which sets out harmonised rules to ensure AI systems are safe, transparent, and respect fundamental rights. In the US, President Biden's administration issued a landmark Executive Order to manage AI risks [21]. In the UK, the Financial Policy Committee collaborates with the FCA and the government to monitor the rapid growth of AI and the challenges associated with addressing risks retrospectively once AI usage becomes systemic. In 2025, we can expect significant advancements and regulatory developments in AI. The European Union's AI Act is set to influence global standards, emphasising privacy, security, and responsible AI use. In the US, the new Trump administration may relax some AI regulations while increasing focus on AI export controls and competition with China.
To manage these risks, many organisations are greenlighting projects aimed at mitigating potential threats and optimising opportunities presented by AI, developing risk management approaches, and disseminating best practices across the industry. AI risk management should consider a wealth of factors, including the firm’s strategy, risk appetite, risk governance and the expertise within the firm.
5. Climate Risk and Sustainability
Climate risk refers to the potential negative effects of climate change on the environment, businesses, and society, including both physical and transition risks. Sustainability risk encompasses the potential negative impacts on the environment, society and the economy due to unsustainable practices.
In 2024, significant climate events, including devastating floods in Spain, a powerful hurricane in Florida, and severe wildfires in Chile, occurred. On average, natural disasters cause approximately $250 billion [22] in damages per year. Additionally, annual global insured losses, adjusted for inflation, have consistently exceeded $100 billion [23] over the last few years. The floods in Spain, killing over 200 people, are estimated to have caused economic damages of around €10 billion [24]. Spain was not the only country to suffer from devastating floods this year, as Bangladesh experienced severe flooding across the monsoon season this past August. The floods, exacerbated by rising sea levels, displaced millions of people, destroyed homes and severely affected agriculture [25]. Furthermore, Hurricane Milton in Florida resulted in insured losses between $20 billion and $40 billion [26]. These events highlight the escalating physical risks posed by climate change, with financial losses for banks and insurers reaching unprecedented levels.
Regulatory frameworks are evolving to address these risks. In the UK, the PRA will update its Supervisory Statement (SS) 3/19 in Q1 2025, incorporating best practices and new regulatory insights on the management of climate-related financial risks [27]. The UK’s Sustainability Disclosure Requirements (SDR), implemented in 2024, require asset managers and banks to align with stringent sustainability criteria by 2025 [28]. This regulatory push aims to combat greenwashing and ensure financial products genuinely support sustainability goals. Furthermore, the European Union (EU) has implemented new regulations, such as EU 2024/1787, which set strict limits on methane emissions from fossil fuel operations [29]. The International Financial Reporting Standards (IFRS) S2 standard, mandating climate-related disclosures, has been adopted globally, enhancing transparency and accountability.
To support these regulatory efforts, authorities are utilising the latest climate scenarios, such as the NGFS (Network for Greening the Financial System) Phase V scenarios, which highlight increasing physical risks and higher peak temperatures [30]. These scenarios underscore the critical need for banks to enhance their climate risk management strategies. The new damage function (which is fit to aggregate sectoral and location-specific damage estimates that are extrapolated to a global scale [31]) offers a more detailed assessment of economic impacts, projecting higher climate change losses.
The consequences of climate risk for FS firms in 2025 are profound. Increased frequency and severity of climate events will likely lead to higher insurance claims and greater financial instability. Banks will face heightened credit risks as borrowers in affected areas struggle to repay loans due to increased insurance premiums for individuals for instance. Additionally, regulatory pressures will require significant investments in climate risk management and reporting systems. At the Conference of the Parties 29 (COP29), held in Baku, Azerbaijan, discussions focused on financing the climate transition, with estimates suggesting that annual investments of $1.6 to $3.8 trillion are needed until 2050 to meet the objectives of the Paris Agreement [32]. These factors collectively emphasise the urgent need for robust climate risk strategies and substantial investments to safeguard financial stability and ensure compliance with evolving regulations.
Other important risks
Operational resilience
This relates to a firm’s ability to prevent, adapt, respond, and recover from operational disruptions.
Over the past year, there has been a heightened regulatory focus on operational resilience. This is evident from the extensive regulatory guidance and requirements issued, including the upcoming March 2025 deadline set by the PRA for Important Business Services and impact tolerances [33]. SS1/21 details the regulators' expectations for firms' operational resilience frameworks to be tested and deemed fit for purpose in identifying, assessing, and monitoring the vulnerabilities of their critical functions. Additionally, a recent PRA publication (PS16/24) focuses on the operational resilience of critical third parties (CTPs) in the UK financial sector [34].
The CrowdStrike incident that occurred in July of this year underscored the vulnerabilities associated with third-party software. Organisations relying on CrowdStrike’s services experienced significant disruptions, highlighting the critical role of managing third-party risks [35]. FS firms will need to ensure that their CTP providers comply with the new resilience standards outlined in PS16/24, necessitating more rigorous due diligence and continuous monitoring. Furthermore, firms must strengthen their risk management frameworks to address potential disruptions from CTPs. This involves identifying critical services, mapping dependencies and conducting regular resilience testing, which ties back to the necessity for FS firms to identify any vulnerabilities in their business.
The need for development is further driven by the PRA’s plan to conduct a life insurance stress test in 2025 [36], the completion of the EBA's cyber resilience test [37] and the introduction of the Digital Operational Resilience Act (DORA). Effective from January 2025, DORA aims to ensure the financial sector's resilience against severe operational disruptions and ICT-related incidents, emphasising governance, third-party risk, incident reporting, resilience testing and information sharing [38].
In response, FS firms must continue to develop their operational resilience strategies, processes and systems to meet regulatory expectations and mitigate potential disruptions. To manage these risks, firms should leverage their operational risk management functions to identify internal and external threats and potential failures in people, processes and systems.
Outsourcing and third-party
Refers to the risks that arise from contracting with a third party and in particular the risk that a service/product/activity provided by a supplier will deteriorate, be interrupted, or cease indefinitely, exposing businesses to operational, reputational and/or financial damage.
In the UK, from January 1 2025, the FCA and the PRA will implement the new Critical Third Parties (CTP) Regime (PS16/24). This policy, which applies to all critical third-party suppliers, aims to manage risks to the stability of, and confidence in, the UK financial system arising from failures or disruptions in services provided by CTPs. FS firms will need to comply with six fundamental rules under this regime, which involve continuous monitoring, regular testing and ensuring compliance with resilience standards [39]. These changes will not only affect FS firms but are also likely to require suppliers to adjust their service offerings to ensure compliance.
The growing dependence on third-party providers can introduce significant vulnerabilities to a firm. Any disruptions involving third-party providers can lead to operational disruptions for the firm, potentially resulting in a loss of confidence among stakeholders.
FS firms must also consider the concept of ‘Nth-Party’ risk, which extends the risk assessment beyond immediate and secondary vendor connections. This encompasses the entire extended ecosystem of solution providers and support operating in your network [40]. To manage this risk effectively, firms must identify and mitigate risks associated with all extended connections that could cause downtime for the organisation, even if indirectly. The complexity of this type of risk can seem overwhelming, so it is essential for firms to map their outsourcing dependencies as thoroughly as possible to understand the full extent of their network and identify vulnerable areas.
By addressing these risks, FS firms can better manage their reliance on third-party providers and safeguard their operations and reputation. FS firms must have contingency plans to mitigate any issues that arise with their suppliers. Third-party suppliers may face cyber risk incidents that could impact the firm. It is crucial for FS firms to have robust ‘Nth party’ risk measures in place and to understand the protocols of their third-party providers.
Talent/remuneration
Talent/remuneration risk refers to the potential negative impact on an organisation’s performance and stability due to challenges in attracting, retaining, and adequately compensating skilled employees.
In the increasingly complex FS landscape, attracting, retaining, and adequately compensating top talent is crucial for robust operations across all departments. High-performing functions rely on advanced IT and data infrastructure, including the increasing use of Generative AI. Building the right mix of talent is essential. Data scientists with advanced mathematical and statistical skills are needed to convert data insights into business actions, while professionals with expertise in cybersecurity or climate risk can become trusted advisors to business areas.
However, attracting talented employees is challenging, as potential candidates often prefer technology firms unless banks strengthen their value propositions with competitive remuneration packages. Inadequate or misaligned compensation can lead to high turnover rates and loss of key personnel.
Another observation within the industry is that not offering hybrid work can significantly reduce your talent pool, as many candidates prioritise flexibility. This can result in higher turnover rates, as employees may leave for organisations that provide more flexible working conditions [41]. Consequently, this places your company at a competitive disadvantage in attracting and retaining top talent.
Leaders are increasingly recognising the need for a diverse skill set within their teams and the company more generally, including traditional expertise, advanced data analytics, IT skills, cybersecurity, and climate and sustainability risk management. Integrating these capabilities allows for more sophisticated modelling and better decision-making processes. Thus, linking talent acquisition and competitive remuneration is vital for maintaining strong functions across all departments.
Data management
Data management risk refers to the potential for errors, data breaches, or loss of data integrity that can arise from inadequate data handling practices.
In today's digital age, data management has become a critical concern for banks. The increasing volume and complexity of data, the rise of AI requiring large volumes of high-quality data, coupled with stringent regulatory requirements and evolving cybersecurity threats, have elevated data management to a top-tier risk.
Banks face significant challenges in managing vast amounts of data from various sources, which is crucial for maintaining data quality and making informed decisions. As we approach 2025, data management risk is set to evolve significantly with the increased use of AI and machine learning enhancing predictive capabilities, the rise of edge computing introducing new security challenges, and stricter data privacy regulations requiring more robust protection measures. Data democratisation, the practice of making data accessible to all employees, will increase. While this can drive innovation and improve decision-making, it also necessitates better governance to prevent data misuse. Organisations will need to establish clear policies and provide training to ensure that employees handle data responsibly and ethically. These trends highlight the need for businesses to stay proactive in managing data risks to safeguard their information and leverage data as a strategic asset.
Model risk
Model risk is the potential for adverse consequences arising from decisions based on incorrect or misused models, leading to financial losses, regulatory penalties, and reputational damage.
Model risk is increasingly recognised as a critical concern for banks due to the growing reliance on complex models for decision-making across various functions, including credit risk assessment, market risk management, and regulatory compliance. The impact of model risk can be profound, leading to financial losses, reputational damage, and regulatory penalties if models fail to perform as expected or are misused.
Modern models, especially those incorporating AI and machine learning, are highly complex and can be difficult to understand and validate. This complexity increases the risk of errors and misjudgements. Models are also more dynamic, meaning they continuously update based on new data. This can lead to misalignment with their original design and purpose, making it challenging to ensure consistent performance over time.
Consequently, regulators are increasingly focusing on model risk management (MRM) to ensure that banks have robust frameworks in place to manage these risks effectively. For example, the PRA has issued Supervisory Statement 1/23 (SS1/23) [42], which outlines the expectations for banks' management of model risk. This regulation emphasises the need for a strategic approach to MRM, treating it as a distinct risk discipline.
Banks' policies, procedures, and practices to manage the risks associated with the use of models will have to align with the regulator's requirements and the complexity of models, ensuring they are well-prepared to handle the challenges posed by modern modelling techniques. This can be achieved through a strong governance framework to oversee model risk, and rigorous standards for model development, implementation, and usage to ensure models are fit for purpose. Regular independent validation of models to verify their accuracy and reliability is also crucial.
Conclusion
The risks encountered by Financial Services firms are highly complex, interrelated and continuously evolving, posing significant challenges for executives to manage and resolve. This is evidenced by the correlation between large advancements in AI technology, and the increased threat of cyber-attacks and financial crime opportunities. It is imperative for firms to establish robust governance procedures to integrate a good risk culture and effective risk management practices into everyday business activities. These practices should facilitate the development of independent risk management functions capable of identifying and monitoring emerging risk trends, ensuring these risks are addressed in key decision-making committees and strategic initiatives.
[1] Our top risks for FS firms in 2024
[2] Systemic Risk Survey Results - 2024 H1 | Bank of England
[3] Trump tariffs explained: what’s the potential… | Charles Stanley
[4] Faultline’s: The political risk ‘signals’ to watch in 2025 | Maplecroft
[5] Insurance stress test 2024 - EIOPA
[6] EBA launches 2023 EU-wide stress test. | European Banking Authority
[7] Cybersecurity Risk - Glossary | CSRC
[8] The 9 Biggest Risks And Threats That Companies Will Face In 2024
[9] 2023 CBEST thematic | Bank of England
[10] How tech firms are tackling the risks of quantum computing | World Economic Forum
[11] Digital Operational Resilience Act (DORA) - EIOPA
[12] Will 2025 be the turning point for cybersecurity in finance? - FinTech Futures: Fintech news
[13] Global Financial Crime Report | Nasdaq
[14] LexisNexis - the main trends companies predict in financial crime compliance in 2024
[15] Reducing and preventing financial crime | FCA
[16] Economic Crime and Corporate Transparency Act 2023
[17] Bribery Act 2010 | UK Government
[18] Criminal Finances Act 2017 | UK Government
[19] Engaging with the machine: AI and financial stability − speech by Sarah Breeden | Bank of England
[20] Regulation - EU - 2024/1689 - EN - EUR-Lex
[22] Record thunderstorm losses and deadly earthquakes: the natural disasters of 2023 | Munich Re
[23] Sigma 1/2024: Natural catastrophes in 2023 | Swiss Re
[24] Bank of Spain puts cost of October floods at 0.2%/GDP in fourth quarter | Reuters
[25] 4 Climate Stories that Will Define 2024 | World Resources Institute
[26] The expected impacts of Hurricane Milton: What’s next for the Florida insurance market?
[27] Regulatory Initiatives Grid - Interim update | FCA
[28] Sustainability disclosure and labelling regime | FCA
[29] Regulation - EU - 2024/1610 - EN - EUR-Lex
[30] NGFS Climate Scenarios for central banks and supervisors - Phase V | NGFS
[31] The impact of climate conditions on economic production. Evidence from a global panel of regions | Science Direct
[33] SS1/21 ‘Operational resilience: Impact tolerances for important business services’
[35] Evaluating and Mitigating Third-Party Risks Post CrowdStrike Incident | Origami Risk
[36] Approach to life insurance stress test 2025
[37] ECB concludes cyber resilience stress test
[38] Digital Operational Resilience Act (DORA) - EIOPA
[40] Understanding 4th- and Nth-Party Risk: What Do You Need to Know? | Mitratech
[41] Companies must make hybrid work inclusive to retain talent | World Economic Forum
[42] SS1/23 – Model risk management principles for banks | Bank of England