Banks aren’t short on AI ambition. Across the industry, there are almost weekly announcements about new deployments, new partnerships, and new capabilities.
But amidst the lofty pronouncements, not enough attention is given to building the underlying architecture that makes any of it sustainable.
The UK Treasury Committee has already warned that the financial system is not adequately prepared for a major AI-related incident, and from where I sit, that warning is aimed squarely at how modernization programs are being run.
This is a governance problem which stems from unmade decisions; most banks have yet to make the strategic, organisation-wide commitment that should determine what gets built, before anyone starts building.
There is a real opportunity to be grasped by inviting the risk team to be part of design before you begin delivery.
Risk teams are being invited to the table too late
In traditional program structures, risk and compliance are brought in to validate decisions already made. Platforms are selected, designs agreed and timelines set, and the role of the risk function has typically been to check these things, rather than shape them. That model was never ideal, but now, in the AI-era modernization push, it is structurally backwards at best and dangerous at worst.
A genuinely AI-ready bank requires continuous data lineage, runtime-embedded controls and a real-time, cloud-native core. None of these can be retrofitted cheaply once architecture decisions have already been made. By the time a compliance team discovers that a new platform can’t meet AI governance or data traceability requirements, the cost of fixing it is prohibitive.
If the risk function is part of the design process from the outset, banks can build a risk-conscious architecture rather than a risk-adjacent one. The difference in outcome is substantial, and increasingly, the difference between an institution that can operate confidently with AI and one that can’t.
How legacy cores create invisible risk
The story of legacy architecture’s constraints on innovation is well told, but it also creates blind spots that risk professionals can’t see, let alone manage.
Batch-processing cores are the clearest example of this. When a core updates positions overnight rather than in real time, AML and fraud systems are operating on stale data. Suspicious activity that occurs between batch runs is invisible until the next cycle, a direct operational liability as the volume and speed of financial crime increases.
Fragmented data pipelines create a related problem. Continuous lineage (the ability to trace every decision to its data source) is a prerequisite for AI governance. On architectures where data moves through multiple disconnected systems before reaching an analytics layer, that lineage is structurally impossible to maintain without a modern, cloud-native architecture.
Finally, third-party AI deployment adds another layer of exposure. When models are embedded in platforms a bank doesn’t have full control over, compliance teams are left operating with limited visibility into how decisions are being made.
Under the EU AI Act, which requires traceability and explainability for high-risk AI systems, which may include credit decisioning and fraud detection, that becomes a direct regulatory risk, and that’s just one of a raft of emerging AI regimes banks must navigate.
Risk is moving from chronic to acute
What has changed is the speed at which risk moves.
Banks now have to contend with an increase in state-based cyberattacks on financial supply chains, a trend accelerated by geopolitical instability, with agentic AI substantially increasing the speed and scale of those attacks.
Regimes such as DORA, which introduce near real-time cyber incident reporting, mean institutions need detection and response infrastructure that operates on live data, capable of identifying and escalating incidents as they happen rather than after the fact. Batch architectures don’t meet this standard, and the window to remediate is narrowing.
The EU AI Act raises the bar further on traceability and explainability, particularly for credit decisioning and fraud detection, both areas where AI adoption is moving fastest.
Banks not designing against these requirements are accumulating risk, not avoiding it. The regulatory deadlines are known. The technical requirements are understood. The question is whether the architecture being selected today is capable of meeting the obligations that will be enforced tomorrow.
What risk-intelligent modernization looks like
I have sat in enough program steering committees to know that the moment risk professionals are brought into a modernization program shapes everything that follows.
When we arrive after the architecture is set, we are negotiating against decisions that are already expensive to reverse. When we are in the room from the start, we can design the non-negotiables in rather than bolt them on.
The practical starting point is three questions that every bank should answer before any platform decision is made:
What risk posture must we preserve throughout migration? The answer defines the non-negotiables for any new architecture: data integrity, audit continuity, access controls, and the governance structures that cannot lapse during transition.
What are we engineering against on a ten-year horizon? Regulatory requirements in 2036 will look different from those in 2026. The architecture being selected today needs to be capable of meeting obligations that do not yet fully exist, which means flexibility and real-time data capability are not optional extras. Some of the newer, digitally-native fintechs have demonstrated that building with this horizon in mind from the outset produces materially different, and more resilient, architecture than retrofitting compliance onto an existing estate.
What governance must change so we don’t embed legacy risk into a modern platform? New infrastructure running old processes is window-dressing. If you modernize technology without modernizing governance, you recreate the same control failures in a different environment.
Modernization is not risk-free. But the risk of standing still now exceeds the risk of moving carefully, and the cost of getting the architecture wrong compounds with every year it goes unfixed.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
This article is written by: Fady Askharoun Samy Askharoun