(De)regulation in a new geopolitical world – CRO Roundtable

Geopolitical tensions and widening UK–EU–US regulatory divergences are reshaping the global financial landscape. Banks must now navigate rising compliance costs, strategic uncertainty, and fragmented supervisory oversight whilst balancing competitiveness and resilience.

To unpack these trends, we hosted a roundtable on 25 June with CROs from an array of banks and investment firms. Below, we have summarised the key takeaways from the event. The discussion was moderated by Huseyin Sahin (Banking Risk Consulting Partner), with our panellists – Sylvie Matherat (Senior Global Advisor) and Eric Cloutier (Group Head of Banking Regulations) – drawing from their interactions with senior regulators across the EU, UK, and US.

Looking ahead, key regulatory priorities, supervisory expectations, economic trends, and the evolving risk landscape for financial services in these three jurisdictions will be central to strategic decision making. More specifically, firms must afford special attention to differences in regulators’ and governments’ approaches to:

  • Prudential requirements, including Basel guidelines.
  • ESG requirements.
  • Data management.
  • Operational resilience.
  • AI and crypto assets.

Each of the approaches presents unique risks and opportunities for financial services firms, with the UK sitting in a ‘sweet spot’, capable of learning from the opposing strategies of the US and EU. Regulators also need to manage their approaches effectively to successfully balance regulatory priorities, financial stability, and economic growth.

The Basel bottleneck: Timing, calibration, and cross-border challenges

As with many trends in the financial sector, the US has led the way – this time by delaying the implementation of Basel III (‘Endgame’) regulations. Whilst US regulators have signalled a willingness to implement Basel, there is still no clarity regarding how and when Basel III will be implemented. US hesitation has arisen primarily from the question of whether rules negotiated and calibrated over a decade ago are still appropriate today. Considering the importance of the US in the global financial ecosystem, this creates global uncertainty and pressure on other regions.

To maintain a level playing field with the US, the Bank of England postponed the final implementation of Basel 3.1 until 2027, and the EU delayed the Fundamental Review of the Trading Book (FRTB) until the same date.

This said, Basel standards are the foundation of global financial market integration, as an estimated 70% of global jurisdictions have already implemented final Basel III standards. The current uncertainty surrounding the dates and extent of Basel implementation creates challenges for banks operating across different jurisdictions, meaning that CROs must navigate both uncertainty and the high likelihood of regulatory fragmentation. Capital calibration gaps (i.e. Basel III, MREL) could also present a material risk in making EU and UK mid-tier banks less competitive than their US peers; this must be monitored closely by regulators.

Finding the middle ground: The UK’s ESG advantage

Another key point of contention between the three jurisdictions concerns ESG requirements for financial institutions. Similar to the delays in Basel III implementation, this issue arises at least partially, if not largely, from the US reversing its stance on ESG requirements for the financial sector, scaling back regulatory efforts in response to political and market pressures. EU regulators have also received critical feedback from companies regarding ESG reporting requirements, leading them to simplify these requirements through the Omnibus package. Despite these efforts, the EU’s ESG regulations remain the most stringent of the three jurisdictions.

Our panellists’ view was that the UK will be able to learn from US deregulation and EU overregulation to develop a well-balanced ESG reporting framework. Indeed, the UK has already carved its own path, as, despite deregulatory pressures coming from across the Atlantic, the Bank of England released Consultation Paper 10/25 (for an overview of the paper, see our article linked here) in April 2025, which will raise regulatory expectations regarding financial services firms’ consideration of climate risk. Although the UK is drawing itself closer to the EU on climate risk regulation, the panellists still see room for the EU to simplify ESG requirements, notably its taxonomy for sustainable activities.

Data management

Data management has been a major touch point for regulators across the three jurisdictions, namely in terms of how banks ensure the accuracy and completeness of their data and use it to manage and report on activities and risks. The EU has taken the most comprehensive approach to regulating data management through Risk Data Aggregation and Risk Reporting (RDARR). Aligned with BCBS 239 principles, RDARR underscores EU regulators’ commitment to strengthening an area of perceived shortcoming for banks. Broadly speaking, compliance requires banks to have:

  • Sound data governance and definition of responsibilities.
  • Data requirements and awareness.
  • A system of data centralisation.
  • Adequate tools and data management systems.
  • Methods for the correct use of technology.

For further details of RDARR and good data management practices, see our article linked here.

Although the US and UK have not developed such comprehensive regulatory frameworks, data still presents a key risk to banks operating in these jurisdictions and, at least in the UK, has been a source of regulatory scrutiny[1]. In this regard, whilst aligning their practices with BCBS 239 is not a regulatory requirement in the US or UK, banks adopting the good practices listed above will only reinforce their operational resilience and improve their standing in the eyes of regulators.

DORA and Operational Resilience

The panellists view the EU’s DORA as a net positive. Although complex and challenging to navigate, it is a constructive step towards strengthening firms’ digital resilience. DORA is now entering the implementation phase and is high on the EBA’s agenda. A central concern is the EU’s systemic dependency on non-EU critical ICT providers, notably in cloud services. The heavy reliance on non-EU technology companies, especially US-based cloud services, creates operational and strategic risks linked to digital sovereignty. CROs of banks operating in the EU should expect increased scrutiny and regulatory expectations around third-party tech, operational risk, and digital outsourcing resilience.

Regulations such as DORA are particularly important given the potential threat cyber risks pose to the health of firms and the wider financial sector. In the UK, there are also clear requirements aiming to ensure that firms and the sector can prevent, adapt to, respond to, recover from, and learn from operational disruptions, with particular focus on important business services.

Whilst DORA does not apply in the UK, its core principles echo the UK’s own operational resilience regime. With new rules on critical third parties taking effect from January 2025, UK CROs should expect closer scrutiny of third-party dependencies, especially in cloud and ICT services. Aligning with both UK and EU expectations will be key for firms operating across borders.

Competing visions for crypto assets and AI governance

In line with the other policy areas, there is a significant gap between the EU’s and US’s approaches to regulating crypto assets and AI. For one, the EU is taking a strict approach, instituting the Markets in Crypto-Assets Regulation (MiCA) and the AI Act. Whilst the EU is pushing ahead with the digital euro, it maintains a strong regulatory approach to crypto assets and stablecoins.

The US is taking the opposite route, as Trump-era policy prohibits the Fed from pursuing a central bank digital currency (CBDC). The US is instead favouring private sector-led stablecoins as alternatives. President Trump has expressed his desire to pass a stablecoin bill (‘The GENIUS Act’) by August, and a number of major American banks are already discussing the principles of a potential framework for interbank exchanges of digital coins. The EU–US divergence will have major implications for digital finance, cross-border payments, and regulatory arbitrage.

Our panellists contended that, whilst the UK has been less stringent in regulating crypto and AI compared to its EU counterparts, it currently lacks the infrastructure to compete with the US in these sectors. Furthermore, if the aforementioned bill and banking framework materialise in the US, this is likely to reinforce US hegemony in the digital asset space, particularly in the domain of stablecoins, which – unlike more volatile crypto assets – are backed by real-world reserves and are increasingly being integrated into regulated financial frameworks. When also considering structural disadvantages, such as Europeans tending to invest their savings in lower-risk investments than Americans, this could indicate that the EU is likely to continue falling behind the US in crypto asset/stablecoin use and innovation.

Conclusion

A common theme throughout the discussions was the contrast between overregulation in the EU and deregulation in the US. The UK finds itself somewhere in between, responding pragmatically to the distinct approaches of the EU and US in financial services regulation. If executed well, this could be an effective strategy that, combined with the UK’s strong reputation in financial services, including sustainable finance, may bode well for the Government’s growth objectives. Time will tell which method proves superior. However, as evidenced in 2008, neither the US, EU, nor UK can fully shield themselves from the consequences of their peers’ regulatory approaches.

Overall, we had an engaging and interactive session with our speakers and clients. We look forward to the next roundtable and continuing these valuable discussions.

Sources 

[1] See also the ‘Data risk’ section of the Bank of England’s 2024 Dear CEO letter on supervisory priorities for international banks.
