The financial sector faces a widening defensive gap as artificial intelligence amplifies the speed and sophistication of cyberattacks, compelling regulators globally to leapfrog traditional oversight methods and embrace AI-powered supervision themselves. Marlene Amstad, president of Switzerland's FINMA and chair of an international supervisory technology forum, has warned that the window for banks and regulators to close critical system vulnerabilities is rapidly narrowing. Speaking after an initial hackathon convened to prototype new regulatory tools, Amstad underscored that as cybercriminals leverage AI to accelerate their attacks, financial institutions must simultaneously increase the pace of their vulnerability remediation efforts.
The acceleration of AI capabilities has exposed a troubling paradox in financial system resilience. Recent advances in machine learning models designed to detect software vulnerabilities have simultaneously illuminated the growing surface area of potential cyber intrusions across banking networks. Beyond technical concerns, these developments have triggered broader questions about operational safety and institutional accountability within financial organisations that lack adequate frameworks for managing AI-related risks. The convergence of these threats has elevated cybersecurity from a secondary compliance concern to a frontline supervisory priority, reshaping how regulators allocate resources and expertise.
Switzerland has positioned itself at the centre of this global regulatory realignment by catalysing formal coordination among international market supervisors. FINMA spearheaded the creation of a dedicated forum within the International Organization of Securities Commissions, a body that establishes baseline standards for 95 per cent of the world's financial market regulators. This institutional innovation reflects recognition that fragmented national approaches to supervisory technology will leave gaps that sophisticated threat actors can exploit. By concentrating expertise and resources, the forum aims to ensure that even smaller regulatory jurisdictions gain access to cutting-edge detection and response capabilities.
The practical expression of this coordination framework materialised during a week-long hackathon that assembled approximately 100 policy specialists and technology experts. Rather than remaining confined to theoretical discussions, participants worked collaboratively to develop operational tools for supervising cryptocurrency markets, an area where regulatory gaps have historically enabled fraud and systemic risk accumulation. The compressed timeline and collaborative structure of the hackathon model represent a deliberate shift away from conventional rulemaking processes, acknowledging that regulatory technology must evolve at a velocity comparable to that of the threats it addresses.
Beyond detection and response, regulators are exploring more radical architectural interventions. Amstad indicated that supervisory authorities are investigating ways to embed compliance and risk-management safeguards directly into the technical infrastructure of digital asset systems themselves. Such an approach would represent a fundamental departure from traditional ex-post oversight, where regulators detect violations and impose sanctions after they occur. Instead, preventive controls would be woven into the operational layer, making certain categories of risky behaviour technically infeasible rather than merely illegal. For emerging markets like those in Southeast Asia with less mature regulatory infrastructure, such embedded approaches could leapfrog the need for expensive institution-building.
The leverage point for international AI adoption among regulators lies partly in access to the most advanced language and reasoning models. Amstad has explicitly stressed that Switzerland and other financial centres must retain unrestricted access to frontier AI systems, a position that has become increasingly contentious as geopolitical considerations shape export controls. This month, the United States government ordered Anthropic to suspend international shipments of its latest Mythos and Fable models, justifying the restriction on national security grounds. The decision crystallises the tension between financial system resilience and Great Power competition for technological dominance.
China's response to these restrictions has underscored the emerging bifurcation of AI development pathways. The country's prominent cybersecurity firm 360 Security Technology announced development of a domestically engineered alternative to Mythos, signalling intent to reduce reliance on American-controlled AI infrastructure. Such parallel development tracks could fragment the global supervisory ecosystem, creating scenarios where Chinese regulators operate advanced domestic tools while American-aligned jurisdictions employ different systems, complicating cross-border enforcement and creating opportunities for regulatory arbitrage.
For Southeast Asian financial regulators and institutions, these developments carry direct implications. The region's banking systems are increasingly integrated into global payment networks and capital flows, exposing them to cyber threats that originate from anywhere on the globe. Yet many Southeast Asian regulatory authorities lack the technical specialisation or resources to independently develop and deploy advanced AI-based supervision tools. Participation in FINMA's international forum and similar collaborative frameworks provides a pathway to acquire sophisticated capabilities without bearing the full cost of in-house development, though questions remain about whether such tools can be effectively localised for non-English financial markets or regulatory environments with distinct structural features.
The strategic calculation underpinning regulatory AI adoption reflects a harder realism about the asymmetry between defender and attacker dynamics in cybersecurity. Traditional compliance regimes assume regulators possess sufficient time to detect violations, initiate enforcement procedures, and impose corrective measures before systemic harm materialises. AI-enabled attacks compress these timelines to seconds or milliseconds, making human-speed regulatory response structurally obsolete. By automating detection and embedding preventive controls, regulators attempt to rebalance this asymmetry. However, the approach introduces new risks: automated systems themselves become targets for manipulation, and the centralisation of supervisory capability in AI platforms creates single points of failure with potentially economy-wide consequences.
Amstad's conviction that AI testing and vulnerability assessment must occur before systems are deployed operationally reflects hard-won lessons from the technology sector's repeated cycles of damage-control retrofitting. Rather than permitting financial institutions to roll out AI applications and then managing downstream crises, the supervisory approach emphasises rigorous pre-deployment stress-testing. This stance challenges prevailing innovation incentives within the financial technology sector, where speed to market traditionally outweighs exhaustive safety validation. Reconciling accelerated AI deployment in financial systems with adequate safety assurance remains an unresolved institutional challenge.
Looking forward, the international supervisory technology framework represents an experiment in whether regulatory institutions can evolve governance approaches as rapidly as the technological landscape itself transforms. Success will require sustained coordination across jurisdictions with competing economic interests, technical investment proportional to emerging threats, and institutional cultures willing to abandon legacy processes. For Malaysia and other Southeast Asian nations, participating in and learning from this international supervisory innovation may prove more cost-effective than attempting to develop indigenous regulatory AI capabilities in isolation.
