International Finance
BankingMagazineOpinion

European banks have been banking on borrowed time

Darren Guccione
This was highlighted when the most capable AI systems for discovering vulnerabilities were made available primarily to US-based organisations

The European Central Bank (ECB) does not convene urgent meetings lightly. When its supervisory board vice-chair Frank Elderson gathered more than 300 participants from industry, the public sector and representative associations in late May to discuss AI-driven cybersecurity risks, it was a signal that the calculus of financial sector security has changed, not incrementally but fundamentally.

The trigger was a new category of advanced AI model, a system capable of identifying and exploiting software vulnerabilities faster than human security teams can detect them, let alone respond. These models have demonstrated the ability to produce working exploits on their first attempt in the majority of attempts during controlled testing. In some evaluations, they managed to clear expert-level cybersecurity benchmarks that no previous AI system could pass as recently as a year ago. The ECB’s message to eurozone banks was blunt: patch faster, govern better and act now.

The Access Asymmetry Problem
There is a structural problem at the centre of this situation that demands direct attention. The most capable AI systems for discovering vulnerabilities – the same systems now defining the threat horizon – have been made available to a small group of organisations, predominantly based in the United States. That group includes major hyperscalers, large cybersecurity firms and a number of significant American financial institutions. It does not include any European bank.

The ECB supervises 111 of the largest eurozone banks. As of the time of this meeting, none of them had access to the frontier models regulators are asking them to defend against. Elderson acknowledged the gap directly, calling the disparity ‘unfortunate’ while making clear it cannot justify inaction.

European banks are facing an obligation to build defences against attack capabilities they have not yet been permitted to evaluate. That’s an uncomfortable position, one which regulators have made explicit.

The asymmetry is not a temporary administrative inconvenience because it carries material implications for how European banks plan, test and invest in their security posture. Defensive programmes built on yesterday’s threat models will inevitably fail against adversaries who are using today’s offensive tools.

No Room for Hesitation: ECB Expectations
ECB Vice-President Luis de Guindos has been equally clear that the pressure applies universally, not just in the largest institutions. Every supervised bank both large and small will need to spend significantly more on cybersecurity to keep pace. That is a structural shift in the cost base of operating a regulated financial institution in Europe.

The practical expectations are well-defined, but the implementation demands considerable scrutiny and effort. Banks are being asked to accelerate software patch cycles, given that advanced AI models can reverse-engineer fixes within minutes of their release, and reconstruct exploitable vulnerabilities from the patch itself. The already narrow window between disclosure and exploitation has effectively collapsed. Banks operating on monthly or quarterly patching cycles are running an exposure risk they can no longer afford.

Beyond the patching cycle, the ECB’s intervention reinforces obligations that already existed under the EU’s Digital Operational Resilience Act (DORA), which came into effect in January 2026. DORA places binding requirements on financial entities to manage Information and Communication Technology (ICT) risk, govern third-party dependencies, and demonstrate operational resilience. Institutions that treated its introduction as a compliance exercise rather than a structural prompt are now receiving a second, harder signal. Resilience frameworks must now be reassessed through the lens of AI-driven attack scenarios, including recovery testing and incident response.

UK banks are facing a parallel dynamic. A joint statement from the Financial Conduct Authority, the Bank of England and His Majesty’s Treasury stopped short of implementing new rules, but it did sharpen expectations considerably under existing operational resilience frameworks. That statement noted that these latest AI systems are already performing certain cyber tasks beyond what individual skilled practitioners can achieve, and at far greater speed. The expectation is that continuous testing must replace scheduled cycles.

The Financial Sector’s Identity Crisis
Regulation is effective for directing attention, but it cannot substitute for actual structural remediation. The vulnerabilities that advanced AI models are most effective at exploiting are the accumulated effects of poor identity governance at scale.

Research conducted across 3,200 IT and security professionals globally reveals the underlying weakness. Among finance sector respondents, 75% found managing the growing number of identities – both human and non-human – at least moderately challenging. Finance sector professionals also rated the governance of AI-driven access and automation as a top security gap (45%). Globally AI-related Non-Human Identity (NHI) Management ranked among the top three AI security concerns.

These metrics underline a genuine gap in governance. Every AI agent, automated workflow and machine account introduced into a financial institution creates an NHI that requires privileged access to function. Those identities are routinely provisioned quickly, governed poorly, and rarely revoked with the same rigour applied to human accounts. In a traditional threat environment, that was a meaningful but manageable risk. In an environment where advanced AI can systematically probe every access point at machine speed, it becomes a critical one.

Keeper research points to where finance sector institutions are investing in response to this new threat environment. Improved monitoring and detection of identity-based threats was the most notable area of increased implementation over the past 12 to 18 months, cited by 45% of finance sector respondents. That’s notably higher than the global average of 38%. Passkey and passwordless adoption are being prioritised at above average rates. Both trends are the right direction of travel.

Closing the Gap
The institutions that will convert regulatory pressure into genuine resilience are those that treat identity governance as operational infrastructure rather than a compliance layer. That means enforcing least-privilege access across every AI agent and automated process, extending privileged access management to cover machine credentials and secrets, and building continuous governance into how access is provisioned, monitored and revoked.

The ECB’s intervention is significant because it calls out a present-day obligation rather than a future risk. Advanced AI has already altered the threat landscape. Yes, the access asymmetry between European banks and the frontier models shaping the environment is real. What banks can control, however, is the rigour of the security architecture they build in response.

What's New

Where are World’s Wealthiest Families Investing

EPR is not a pain, but a means to reduce packaging cost

International Finance Business Desk

Meeting Gen Z demands while preventing fraud in gadget insurance

International Finance Business Desk

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.