Bloomberg Professional Services
As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. The following digital finance policy developments represent a sample of the wider regulatory and policy coverage available to Bloomberg Terminal customers. Run REGS <GO> on the Terminal or contact your Bloomberg representative to learn more:
- UK: Treasury Committee publishes AI in financial services report
- EU: European Commission proposes revised Cybersecurity Act
- Malaysia: BNM issues discussion paper on operational resilience
- Australia: Australia’s Productivity Commission reports on data and AI
UK Treasury Committee publishes AI in financial services report
The UK House of Commons Treasury Committee has published a report assessing the use of artificial intelligence (AI) in financial services, concluding that regulators are taking an overly reactive “wait-and-see” approach. While recognising AI’s potential benefits, the Committee finds that current regulatory practices leave consumers and financial stability exposed to significant risks.
Context
The inquiry was launched in February 2025 amid rapid growth in AI adoption across UK financial services, where around 75% of firms now use AI. The UK does not have AI-specific legislation for financial services, and the FCA and Bank of England currently rely on existing regulatory frameworks, including the Consumer Duty and the Senior Managers and Certification Regime (SM&CR), to oversee firms’ use of AI.
Key takeaways
- No AI-specific financial regulation: The FCA and Bank of England maintain that existing rules are sufficient, but the Committee finds this approach provides limited practical clarity for firms.
- Consumer risks: The report highlights concerns around opaque AI-driven credit and insurance decisions, risks of financial exclusion, misleading unregulated AI-based financial advice, and increased fraud.
- Regulatory uncertainty: Firms face uncertainty over accountability under SM&CR, particularly given the limited explainability of some AI models, which may discourage advanced AI adoption.
- Financial stability risks: The Committee flags heightened cyber risks, reliance on a small number of US AI and cloud providers, and the potential for AI-driven trading to amplify market stress.
- Gaps in stress testing: Regulators do not currently conduct AI-specific cyber or market stress tests, despite evidence that such scenarios could be valuable.
- Critical Third Parties Regime delays: Although the regime was established in 2023 to oversee systemic third-party providers such as major cloud and AI firms, no designations had been made as of late 2025.
Recommendations
- The Committee recommends that by the end of 2026, the FCA publish comprehensive, practical guidance on how existing consumer protection rules and SM&CR apply to AI use.
- The Bank of England and FCA are urged to introduce AI-specific stress testing to improve preparedness for AI-driven shocks.
- HM Treasury is called on to designate major AI and cloud providers as Critical Third Parties by the end of 2026, with the Financial Policy Committee expected to monitor progress and intervene if necessary.
European Commission proposes revised Cybersecurity Act
The European Commission (EC) has introduced a proposal for a revised Cybersecurity Act (CSA2) as part of a comprehensive new EU cybersecurity package. The proposal follows increasing concerns over the security of critical infrastructure and the influence of third-country jurisdictions on essential ICT components. It builds upon the existing NIS2 Directive and the original Cybersecurity Act, integrating supply chain security with broader industrial policy to protect EU interests in sectors such as cloud services, semiconductors, and energy.
Key takeaways
- High-risk vendor phase-out: The proposal would introduce binding rules to phase out ICT vendors from countries deemed high risk within critical sectors. This specifically affects supply chains for medical devices, energy systems, and cloud infrastructure.
- New designation powers: The EC would be empowered to designate third countries posing cybersecurity concerns via implementing acts. Designation would trigger targeted restrictions on entities established in or controlled from those jurisdictions, including exclusion from EU cyber certification, public procurement, and certain EU funding streams.
- NIS2 integration: The EC would be able to restrict NIS2 entities from using high-risk components in key ICT assets. Additionally, the EC could impose mitigating measures such as supplier diversification and limits on third-country data transfers or remote processing.
- Cyber simplification: To ease the compliance burden, the proposal includes targeted NIS2 amendments aimed at maximum harmonization. This includes new guidelines for supply chain security requirements.
- ENISA and certification changes: The role of ENISA (EU cyber agency) is expanded, and the procedure to develop cyber certification schemes has been reformed to be faster (12-month deadline). While certifications remain voluntary, the proposal mandates that conformity assessments for “high” assurance levels be carried out within the EU to protect against IP exposure.
- Increased stakeholder involvement: A new European Cybersecurity Certification Assembly will be established to integrate industry and user involvement in identifying strategic priorities and new cybersecurity challenges.
Next steps
- The proposal will now undergo review by the European Parliament and the Council as part of the ordinary legislative procedure.
- The EC is expected to follow this proposal with additional updates in the upcoming Industrial Accelerator Act and the Cloud and AI Development Act.
BNM issues discussion paper on operational resilience
Overview
Bank Negara Malaysia (BNM) has issued a discussion paper outlining its emerging direction to strengthen the operational resilience of financial institutions amid increasing digitalisation, complex interdependencies, and rising operational disruptions. The paper invites feedback from stakeholders on proposed approaches and governance mechanisms to ensure continuity of critical financial services.
Context
Global megatrends such as technological innovation, cyber threats, and climate risks have amplified operational vulnerabilities. International standard-setters like the Basel Committee and IAIS have emphasised resilience as a core capability. Malaysia has experienced notable disruptions in banking and payment systems, prompting BNM to explore enhancements to its regulatory framework beyond existing policies on business continuity, technology risk, outsourcing, and governance.
Key takeaways
- Core Themes of Operational Resilience:
  - Preserve continuity of critical operations and services.
  - Map internal and external interdependencies.
  - Manage third-party dependencies effectively.
  - Set clear impact tolerances for disruptions.
  - Assess capabilities under severe but plausible scenarios.
- Global and Domestic Drivers:
  - Increasing reliance on real-time digital channels, cloud services, and shared infrastructures.
  - Rising sophistication of cyberattacks, including AI-enabled exploits and ransomware.
  - Climate-related physical risks affecting infrastructure and operations.
- Malaysia’s Current Framework:
  - Existing policies include Business Continuity Management (BCM), Risk Management in Technology (RMiT), Outsourcing, Operational Risk, and Governance standards.
  - Differentiated approach: prescriptive requirements for technology and third-party risks; principle-based for governance and accountability.
- Challenges and Trade-offs:
  - Balancing cost versus resilience, innovation versus safety, and institutional priorities versus systemic stability.
  - Misaligned incentives within organisations and limited leverage over critical third-party providers.
  - Need for industry-wide collaboration to set common resilience standards.
- Governance Expectations:
  - Boards must prioritise operational resilience, approve critical services, set impact tolerances, and oversee resilience testing.
  - Responsibility Mapping (effective 1 Jan 2026) requires a designated senior manager accountable for operational resilience outcomes.
Next steps
- Feedback Deadline: Written comments must be submitted using the provided template to pfpconsult@bnm.gov.my by 30 April 2026.
- Future Direction:
  - Possible introduction of a standalone operational resilience framework or integration into existing requirements.
  - Enhanced guidance on dependency mapping, third-party risk management, and scenario testing.
  - Continued engagement between BNM, financial institutions, and critical service providers.
Australia’s Productivity Commission reports on data and AI
In its final report on harnessing data and technology, released in December, the Productivity Commission (PC) highlights the productivity gains from AI and data.
Detail
In January 2025, the PC had asked stakeholders for ideas about improving productivity through data and digital technologies.
In its August interim report, the PC had presented draft recommendations focused on four key policy reform areas:
- Enabling AI’s productivity potential.
- Opening new pathways to expand data access.
- Supporting safe data access and use through outcomes-based privacy regulation.
- Enhancing reporting efficiency, transparency and accuracy through digital financial reporting.
The final report makes recommendations across these four areas, with the aim of boosting overall productivity while taking account of the unique nature of data and digital technology:
- Productivity growth from AI should be enabled within existing legal foundations. Gap analyses of current rules need to be expanded and completed. AI-specific regulation should be a last resort.
- The Australian Government should commit to reforms that will enable the Consumer Data Right (CDR) to better support data access for high-value uses while minimising compliance costs.
- The Australian Government should amend the Privacy Act to embed an outcomes-based approach that enables regulated entities to fulfil their privacy obligations by meeting criteria that are targeted at outcomes, rather than controls-based rules.
- Digital financial reporting should be the default.
The report called for an outcomes-based approach to AI regulation – using existing laws and regulatory structures to minimise harms.
It also recommended that the government right-size the Consumer Data Right (CDR) by making the accreditation model, technical standards and designation process less onerous, so that the CDR becomes a more effective data access and sharing platform supporting a broader range of use cases. The CDR framework, which underpins Australia’s open banking regime, is a secure online system that lets consumers get value from data collected about them in the course of being provided specific goods and services, by consenting to that data being shared with trusted, accredited third parties.