Financial Innovation in the Evolving Regulatory Environment: Responsibility Still Matters
The regulatory landscape is shifting dramatically.
With the changes in Washington, many financial institutions are seeing what
appears to be a green light for innovation and growth that was previously
constrained. While there may be truth to this, a fundamental question emerges: will
credit unions approach innovation responsibly?
Consider this question instead: would you still wear a seatbelt even if it was no longer legally required? Most of us would answer "yes" without hesitation, recognizing that seatbelts protect us regardless of enforcement.
The same principle applies to risk management and compliance in credit union today. Without guardrails, innovation can become less beneficial and outright reckless for customers and even the profitability of the credit union.
The Current Regulatory Reality
We’re witnessing unprecedented changes in the regulatory environment. Recent developments at the CFPB and other agencies signal a shift toward less prescriptive oversight. Some advisors have argued that we've moved from a 'no' environment to a 'yes' environment, and that now is the time to move forward swiftly.
Others are even warning that fintechs stand to win against credit unions in a post-CFBP environment. There is indeed an actual risk, where credit unions and fintechs come out on top. After all, they will have almost nothing standing int their way to developing new products.
However, there is a caveat: those who decide to ignore risk management and regulatory compliance will inevitably lose.
What Credit Unions Are Focused On
Despite the shifting regulatory sands, our 2025 Third-Party Risk Management Survey reveals that financial institutions continue to prioritize risk management.
According to our research, 85% of financial institutions report moderate to high value from their third-party risk management programs – viewing them not merely as regulatory obligations but as strategic assets that strengthen operational resilience and reduce costs.
This isn't surprising. Financial institutions understand that regulatory risk represents only a small fraction of the total risk landscape they navigate daily. Cyber threats, strategic missteps, operational failures, and reputational damage remain constant concerns regardless of the regulatory climate.
Back to Basics: Knowledge as Protection
In conversations across the industry, I've also observed a noticeable trend toward fundamental risk management principles. With experienced examiners departing regulatory agencies (at least 800 people took early retirement offers at the OCC alone), institutions recognize that less-experienced examiners may bring different perspectives to supervision.
This has prompted many institutions to strengthen their baseline understanding of risk management frameworks. Much like learning defensive driving beyond just following speed limits, they're developing deeper knowledge of risk identification, measurement, monitoring and control – skills that serve them well regardless of who's enforcing the rules.
Strategic Risk in an Era of Innovation
One particularly misunderstood dimension is strategic risk – what happens when an institution moves too quickly, partners with the wrong vendors, or pursues priorities misaligned with capabilities or risk appetite. As Jonathan Gould noted during his nomination hearing, "The U.S. economy needs financial institutions to engage in prudent risk-taking."
Prudent is the operative word. Smart institutions don't fear risk; they understand it.
This perspective aligns with findings from our survey, where 61% of companies reported experiencing a third-party data breach or cyber incident in 2023. These breaches have risen 49% year over year since 2021, highlighting why third-party oversight remains crucial even in a more permissive regulatory environment.
What Credit Unions Should Focus On Now
As financial institutions consider their approach to risk management in this new era, several priorities emerge:
1. Rethink Risk Assessment Methodologies
Too often, risk assessment becomes a mechanical exercise in scoring rather than substantive analysis. Focus on the fundamental questions: What could go wrong? How much damage would result? How confident are we in our controls?
Avoid what some call "the charade" of
quantifying risk on vaguely defined scales that create an illusion of certainty.
Instead, embrace me...