Artificial intelligence (AI) is beginning to be widely adopted in the payments and electronic money sector. It is poised to drive significant innovation and efficiency; however, it is a disruptive technology. It introduces novel risks that must be managed at both strategic and operational levels. For financial institutions, finding, understanding and mitigating AI-related risks is a regulatory requirement and essential for maintaining customer trust.

Understanding these emerging AI risks requires looking first at the strategic forces shaping adoption – both the maturity of AI as a technology and the broader economic conditions influencing its supply.

Strategic AI risks: technology maturity and macroeconomics

Firms must establish clear objectives for AI’s capabilities as a technology, resist the fear of missing out, and seek opportunities offering a genuine return on investment. At the same time, market analysts are warning of a potential “AI bubble” driven by financial links between model providers and hardware suppliers, ambitious infrastructure promises, and growing market concentration. These factors call for a more cautious investment approach. Mitigation of these external risks suggests:

  • Diversifying AI providers to avoid a single point of failure;
  • Conducting effective due diligence and contractual arrangements that prevent provider lock-in;
  • Considering building internal AI capabilities to reduce external dependencies.

While strategic and market risks influence a firm’s overall position on AI adoption, effective control depends on its internal risk-management processes.

The AI risk management cycle

When deploying AI internally, a firm’s objective is to maximise benefits while maintaining robust risk controls. This requires a cyclical risk management process comprising the following steps:

  • Find: Proactively identify potential AI risks.
  • Understand: Assess the likelihood and consequences of these risks materialising.
  • Act: Implement risk treatment or avoidance strategies.
  • Monitor: Continuously assess the adequacy of AI risk controls and ensure appropriate board oversight.
  • Repeat: Periodically review and refine the AI risk controls. Reviews may be triggered by incidents, regulatory changes, or technological advancements.

AI risk management is often complicated by the need to rely on third-party providers. In a highly competitive market, firms struggle to obtain clear information about providers’ training data, testing methods, and safety processes. Moreover, providers of foundation models cannot exhaustively foresee every use case to which deployers may apply their models. Responsibility for model behaviour may appear to be shared, but in financial contexts it is the deployer who regulators are likely to hold responsible when the behaviour of an AI model fails to meet expectations. 

Each phase of the risk management cycle depends on a firm’s ability to identify specific AI-related risks across its activities. The following section outlines some practical resources reporting examples of AI risk.

Finding AI risks

The UK’s FCA emphasises that AI deployment requires firms to consider operational resilience (SYSC 15A), particularly where AI supports important business services. It has also raised concerns about concentration risk within the small pool of foundation model providers. This echos similar concerns to the concentration risk around cloud services that formed a core part of the European Union’s Digital Operational Resilience Act (DORA), which came into force in early 2025.

However, AI also introduces fundamentally new types of risk, including issues in decision explainability and the potential for bias inferred from historical datasets. 

To effectively identify AI risks, financial institutions can draw on resources such as:

  • MIT AI Risk Repository: A comprehensive taxonomy of over 1,600 AI-related risks.
  • AI Incident Database: A searchable database of reported AI incidents since 2021.
  • OECD Framework for Reporting AI Incidents: A project aimed at identifying the risks and harms posed by AI systems to reveal emerging risk patterns.

AI risks across financial use cases

Having identified where AI risks can arise in general, firms must consider how these risks materialise in operational contexts. AI risks are not theoretical; they manifest in applications in customer onboarding, credit scoring, or transaction monitoring. In customer service, virtual assistants and chatbots introduce risks related to data privacy, ethical decision-making, and the potential for bias and discrimination. Similarly, in fraud prevention and financial crime monitoring, AI systems must be carefully managed to avoid false positives, ensure fairness, and detect and resist manipulation or misuse by malicious actors.

Regulatory expectations and AI risk management standards

As global regulatory frameworks evolve, supervisors expect financial institutions to take a proactive stance on AI governance and risk management. This involves embedding accountability, transparency, and human oversight throughout the AI lifecycle. Regulators now emphasise the need for firms to explain and evidence effective control over the risks associated with AI-driven decisions. In Europe, the EU AI Act exemplifies this shift, adopting a risk-based model that requires oversight and controls proportionate to the impact of AI systems on consumers.

To meet these expectations, firms can also refer to established international standards. Examples include the NIST AI Risk Management Framework (AI RMF 1.0) and ISO/IEC 23894:2023, which provide guidance on AI risk management. These recognised frameworks outline best practices for identifying, assessing and mitigating risks at each stage of AI design, development, and deployment.

Applying the principles in recognised standards gives firms a strong basis for addressing regulatory concerns and should help promote customer confidence in AI technology.

Beyond internal governance and compliance, firms must also address the threat of AI being misused by external adversaries.

External sources of risk: AI cyber threats

Finally, a firm’s approach to AI risk management must address the threat of AI misuse by external adversaries. AI enables attackers to refine and advance existing tactics, techniques and procedures while also introducing fundamentally new classes of threat. AI-powered attacks now include hyper-personalised phishing messages, deepfakes that bypass authentication systems, and direct attempts to manipulate AI models through data poisoning or prompt injection. These threats require new thinking to discover them and robust cybersecurity measures to counter them if firms are to keep AI-augmented financial systems and customer data safe.

Conclusion

While AI presents significant opportunities for the financial services sector, a robust and agile approach to AI risk management is needed. Firms must demonstrate strategic analysis of the maturing technology, of AI model supply chains and of regulatory dependencies. But they must also find, understand, and treat risks that come from their internal deployment of AI. By expanding existing risk management practices to include new AI risks and by effectively applying recognised AI risk management standards, firms can support controlled AI innovation while protecting operations and customers.

Posted: 20 Oct 2025

Want to comment or have questions? You can contact the AI team at Flawless via:

Disclaimer: The information provided in this blog post is for general informational purposes only and does not constitute advice, legal or otherwise.