Financial regulators race to harness AI defences as cyber threats accelerate

Regulators and banks face mounting pressure to deploy advanced artificial intelligence systems to defend against spiralling cybersecurity threats that AI itself has intensified, according to Switzerland's chief financial markets supervisor. The challenge marks a critical moment for the global financial system, which must balance innovation with the safety concerns that emerge when machine learning models are weaponised by criminal actors.

Marlene Amstad, president of FINMA, Switzerland's financial market regulator, emphasised in recent remarks that supervisory authorities cannot afford to lag behind the pace at which hackers now operate. As cyber-criminals increasingly leverage AI to probe banking infrastructure for weaknesses, the traditional approach of patching vulnerabilities on a reactive basis has become dangerously outdated. Regulators must now match threat velocity by automating their own detection and response mechanisms, a shift that requires not just capital but cultural transformation within institutions built for slower, manual oversight.

The acceleration of this arms race reflects broader geopolitical pressures. Last month, the United States government moved to restrict exports of advanced AI models developed by Anthropic, citing national security concerns that extend beyond commercial competitiveness into concerns about financial system integrity. Such constraints complicate life for international regulators who rely on cutting-edge technology to stay ahead of threats, particularly as countries like China move to develop homegrown alternatives. Chinese cybersecurity firm 360 Security Technology has already unveiled a domestic counterpart to Anthropic's models, signalling that the fragmentation of the AI landscape may soon mirror Cold War technology divides.

Swiss authorities are at the forefront of coordinating a global response. FINMA helped establish a specialised forum within the International Organization of Securities Commissions, the body that sets standards for market regulation across more than 95 percent of global financial markets. This structure gives Switzerland outsized influence over how the world's financial watchdogs approach AI adoption. The forum recognises that isolated national efforts are insufficient; cyber threats operate without borders, and neither can defences.

The practical dimension of this shift came into focus during a hackathon held recently in Zurich, where roughly 100 policy specialists and technology experts gathered to collaboratively develop regulatory tools. The exercise was not academic—participants focused on building concrete solutions for supervising cryptocurrency markets, an arena where the convergence of novel technologies and weak regulatory frameworks has created acute vulnerabilities. By working together, regulators hope to accelerate the pace of tool development and share best practices that might otherwise take years to cascade across different jurisdictions.

Amstad flagged an innovative approach: regulators are exploring the possibility of embedding protective safeguards directly into the architecture of digital asset systems themselves, rather than bolting on external monitoring layers. This design philosophy mirrors cybersecurity best practices in other industries, where resilience is built into systems from inception rather than retrofitted. For cryptocurrencies and blockchain-based financial instruments, which operate continuously without traditional gatekeepers, such embedded protections could prove transformative.

The vulnerabilities that AI systems themselves expose underscore the stakes. Recent testing with models like Anthropic's Mythos has revealed operational risks that financial institutions had underestimated. These aren't theoretical concerns; they point to real gaps in the defences protecting trillions of dollars in assets. The fact that vulnerabilities are being identified now, during this comparative calm period, offers a window to strengthen systems before sophisticated criminal networks or hostile state actors develop more refined attack methodologies.

Switzerland's positioning in this contest reflects its historical role as a financial centre committed to regulation and stability. Amstad's insistence that Switzerland must retain access to the most advanced AI models is not mere technological nationalism; it is a statement that financial supervision cannot effectively operate under artificial constraints imposed by geopolitical competition. Regulators need the same tools as threats, a principle that becomes more fraught as great powers disagree on which AI capabilities pose security risks.

For Asian and Southeast Asian regulators watching from the region, the Swiss-led initiative offers both a template and a cautionary tale. Nations here are themselves grappling with how to supervise fintech ecosystems where innovation often outpaces regulation. The collaborative approach championed by FINMA and IOSCO suggests that regional regulatory bodies might benefit from similar coordinated efforts, particularly given the interconnected nature of Asian financial markets. A cyber-attack cascading across Singapore, Hong Kong, or Malaysia could swiftly destabilise regional trading and settlement systems.

The broader implication is that regulators have entered a new era where technological sophistication is no longer optional. The old model of regulatory bodies staffed primarily with lawyers and economists, relying on periodic examinations and backward-looking analysis, cannot function effectively in an environment where threats evolve in real time and decisions must be made algorithmically. Financial institutions are investing heavily in AI talent and infrastructure; regulators must do the same to maintain credible oversight.

Yet this race carries its own risks. As regulators hurry to deploy AI tools, they must guard against introducing new vulnerabilities through hastily implemented systems, or concentrating supervisory power in automated mechanisms that themselves become targets. The goal is not merely to match hacker speed but to maintain the human judgment and accountability that distinguishes legitimate supervision from unchecked algorithmic control. Amstad's emphasis on using AI to toughen systems before deployment reflects this tension—the technology must strengthen rather than undermine the stability foundations on which financial systems rest.