AFME and PwC UK convened over the summer of 2025 a series of roundtables with senior banking
executives representing wholesale capital markets, to explore emerging AI-related risks, the measures
banks are implementing, and the role of regulation in enabling AI adoption in a secure way. The following
paper, co-authored by PwC UK and AFME, summarises the key insights from these discussions, with
thanks to Clifford Chance for their assistance on the regulatory dimension.
AI (Artificial Intelligence) technologies are becoming increasingly embedded within financial services. This
is altering the cyber threat landscape, with the technology harnessed by hackers into new forms of attack,
for example advanced phishing and deep fakes. To explore these shifts in further depth, AFME and PwC
convened a series of roundtables over the summer of 2025. These discussions highlighted that:
- The resulting impact is primarily one of scale and pace, where the underlying attack vectors and
drivers remain the same, but the volume and sophistication of attacks are now at a muchheightened
scale. In tandem, this means the margins within which a firm must respond are
significantly intensified. - Financial entities are already responding to these external shifts in cybercrime, through a range of
essential mitigations such as inoculating users through isolated browsers and sandboxing of
inboxes, and by working with vendors and suppliers on enhanced security measures. - Internally, firms are also putting in place enhanced governance supported by automated controls to
ensure that the deployment of AI happens safely and that employees are appropriately trained and
skilled. - Crucially, while misguided AI deployment internally can introduce new risks, these technologies can
also serve to protect organisations and secure them from external attacks. - When putting in place these strategies, firms are mindful of the increasing regulatory and
supervisory expectations in this space. These can at times be conflicting and overlapping from the
perspective of a multi-national bank, and AFME will continue to stress to regulators how compliance
is best demonstrated from an outcomes-based approach. - AFME has additionally noted the role of cyber security agencies and joint public-private forums. The
guidance produced by these bodies to date can provide a baseline for firms’ incident response and
management, and it is worth echoing how these agencies and our members have both highlighted
that AI can itself be part of the solution.
