Banks race to adapt as traditional risks rebound and new threats accelerate, EY and IIF survey shows

• The 15^th EY and IIF Global Bank Risk Management Survey, reveals credit risk (62%) and financial crime (43%) have re emerged as top concerns, highlighting the continued evolution of risk profiles within the industry
• AI adoption in risk management remains limited – 72% of CROs report early-stage AI adoption within the risk function, despite 55% citing advanced technology as a top priority for managing critical risks
• Regional risk priorities are diverging sharply, with geopolitical tension dominating CRO agendas in Europe and the Middle East, credit worries intensifying in North America and concerns about digital-asset-driven fraud rising fastest in Asia-Pacific

The 15th EY and Institute of International Finance (IIF) Global Bank Risk Management Survey reveals a sharp return of traditional risks such as credit and financial crime, even as scrutiny intensifies around cyber threats, digital fraud and the rapid adoption of artificial intelligence (AI).

Based on responses from 101 banks across 31 countries, the report shows a sector reshaping its priorities as geopolitical tension rises, regulatory approaches diverge and technology driven risks expand, widening the CRO agenda.

Geopolitical forces remain especially influential in Europe and the Middle East and North Africa where 95% and 90% of CROs surveyed respectively say geopolitical developments are shaping their strategic agenda. By contrast, only 57% of CROs surveyed in Latin America cite geopolitics as a major driver, with 76% instead identifying rapid technological change as the primary external force influencing their priorities.

Traditional risks return to centre stage

After several years dominated by non-financial risks, credit risk has reemerged as a top priority (62%), driven by rising default concerns and competition from non-banks. Financial crime has also surged to 43%, up from 23% year on year, alongside a sharp rise in digital fraud to 59%, up from 23%.

CROs also report that the rapid growth of private credit is adding new layers of complexity to their risk assessments. More than one third say private credit has increased the complexity of analysing exposures and 26% report rising concentrations of credit and counterparty risk, prompting many banks to revisit exposure limits and strengthen scenario analysis around non-bank financial institutions.

Meanwhile, cybersecurity remains banks’ top near term risk at 86%, reflecting the continued escalation of cyber threats and their potential to disrupt core operations.

Nigel Moden, EY Global Banking and Capital Markets Leader, says:

“Banks are facing a moment that demands both decisiveness and imagination. Traditional risks have resurfaced while technology driven threats are accelerating, and that combination is reshaping how CROs lead.

The institutions that move with clarity now will be the ones that build more resilient risk frameworks, unlock the full value of AI and data and support their people through significant capability shifts. This is a period of rapid change, but it is also a period of real opportunity for banks that are ready to adapt at pace.”

Technology ambition is growing faster than implementation

Although more than half of CROs surveyed (55%) identify advanced technologies as a top priority, 72% say AI adoption in the risk function remains in early stages, a pace that has changed little since 2024.

Banking CROs surveyed are already using AI most extensively to detect fraud and financial crime, with 61% reporting active deployment in these areas. AI is also being used to strengthen cyber and operational risk monitoring (41%), and 33% of CROs surveyed are using it to support credit and market risk modelling. The biggest constraint to further progress remains data quality and availability, which 80% of CROs identify as the primary barrier to adoption.

Looking ahead, CROs surveyed expect the most significant increases in AI deployment to come in fraud detection, cyber risk monitoring and credit modelling as banks seek to scale the technology responsibly and address the data, governance and capability gaps that currently limit adoption.

Tim Adams, IIF President and CEO, says:

“CROs are operating in a world where risks no longer sit in separate boxes. Cyber, technology transformation, fraud, financial crime and macro shifts are interconnected, and CROs are responding with stronger governance, better data and responsible tech deployment.”

Talent pressures intensify as expectations expand

CROs face widening capability demands - especially in AI, data and digital, yet 30% expect smaller risk teams over the next three years, almost double last year’s figure of 16%. In 2024, 68% of respondents expected hiring to increase, compared with just 49% today.

Digital acumen which includes technology, data, AI and programming capability is now viewed as the most important skill set for risk teams and is cited by 71% of CROs. A further 56% highlight adaptability as essential as teams adjust to shifting geopolitical, technological and market conditions.

At the same time, 64% plan to automate manual roles and 55% expect hybrid human AI roles to increase. Upskilling is becoming central to the response, with 79% emphasizing the importance of data and AI skills to meet rising expectations around both risk oversight and business partnership.

Digital assets expand the risk perimeter

Digital asset related concerns are rising quickly, with cybersecurity risk at 83% and financial crime at 78%. Adoption remains uneven; 60% of banks do not yet have a digital asset strategy, while those that are advancing focus primarily on client exposure areas (29%) and digital asset services (16%).

Regional differences persist. 25% of European banks offer digital asset services such as custody and tokenized deposits, followed by 20% of banks in the Middle East and Africa. North American banks show a more traditional profile, with 41% providing digital asset services compared with 14% offering digital asset products.

Tom Campanile, EY Global and Americas Financial Services Risk Consulting Leader, says:

“The role of the CRO has shifted. What was once oversight is now enterprise leadership. As banks balance credit pressures and emerging AI risks, CROs have an opportunity to move risk management from reactive to transformative.”

For more information, read the full report.

-ends-

About EY

EY is building a better working world by creating new value for clients, people, society and the planet, while building trust in capital markets.

Enabled by data, AI and advanced technology, EY teams help clients shape the future with confidence and develop answers for the most pressing issues of today and tomorrow.

EY teams work across a full spectrum of services in assurance, consulting, tax, strategy and transactions. Fueled by sector insights, a globally connected, multi-disciplinary network and diverse ecosystem partners, EY teams can provide services in more than 150 countries and territories.

All in to shape the future with confidence.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.

Notes to editors

EY researchers, in conjunction with the IIF, surveyed IIF member firms and other banks globally from September 2025 through November 2025. The survey includes responses from 101 banks across 31 countries, with headquarters distribution across North America (30%), Asia-Pacific (20%), Europe (20%), Latin America (20%) and Middle East & Africa (10%); 12% of participating banks are G-SIBs.