Financial and operational risks are accelerating at North America’s banks, driven largely by sophisticated criminal schemes and banks’ technology exposure tied to new offerings that can require collaboration with complex networks of third parties. In response, risk leaders are calling for strengthening their institutions’ risk governance infrastructure, data management, IT systems, and oversight of third-party relationships. Meanwhile, they remain vigilant in their efforts to detect and respond to signs of a downturn—even as the economy seemed to be holding up into the fourth quarter of 2025.
These were among the themes from a session at the recent ProSight Annual Risk, Compliance & Fraud Virtual Conference. The session included highlights from the 2026 ProSight CRO Outlook Survey, conducted in collaboration with Oliver Wyman, and a conversation among CROs on their perspectives as risk leaders.
Technology and Accelerating Risk
The panelists noted the need for risk teams to improve data aggregation and understand the risks new technologies may bring to their business operations. “We are focused on resiliency and the maturity of our risk governance infrastructure,” said James Lentino, EVP and CRO at Chicago-based Wintrust Bank, “including the robustness of the data used across our businesses. Second, we are working to understand some of the newer, emerging nontraditional banking opportunities including innovative AI business use cases, banking as a service partnerships, and increasing demand from customers for crypto and digital asset services. Importantly, we are also working to manage the pace at which they’re coming at us.”
Technology lies at the heart of many top risks. Bradley Bender, SEVP and CRO at Charlotte, North Carolina-based Truist Financial Corporation, said he was assessing IT with an eye on “the emerging technologies that are going to be transformative over the coming years—and to start integrating some of them into our normal workflows and move toward a more risk-sensing mentality.” Dawn Mugford, SVP and CRO at Norway Savings Bank in Maine, concurred, adding that her team is also focusing on “our relationships with third-party vendors”—of particular concern at community banks like Norway. “Where are they using AI? Do we have all the right contracts? Do we have the appropriate risk mitigations to manage the breadth and depth of those relationships?”
Technology is a double-edged sword, providing fast, convenient, and accurate transaction processing and data management to banks, but also exposing them and customers to risks. “Technology risk, fraud, and financial crime are top of mind for a lot of risk executives now, and they’re very much and increasingly interconnected,” Lentino said. “Fraud has always been there,” he said. “What’s changed is the speed at which attacks are evolving and the constantly changing attack vectors criminals use. It requires banks to invest more heavily in technology.”
The Economy
According to the survey, more risk leaders now consider a potential recession to be a top emerging risk than a year ago. “Just by nature of the credit cycle and the economic cycle, at some point it’s going to turn,” Mugford said. “We have to be prepared with the right mitigation, tools, and technologies in place, so that we see early warning indicators and respond appropriately.”
At the same time, Lentino said, the economy had proved surprisingly resilient through the first three quarters of 2025. “Over the past few years everything has been thrown at this economy,” Lentino said. “But when you look at the economic statistics, we’re still humming along. The government has demonstrated that they understand the ways that they can mitigate some of these deeper recessions by knowing which levers to pull, in terms of flooding the market with liquidity where it’s needed or modifying interest rates.”
Bender said, “Transportation and consumer discretionary spending are areas we’re watching carefully, particularly among low-income borrowers. We are seeing them under a bit more stress, so we have activated certain preventative measures.”
Artificial intelligence
AI applications are well on their way to adoption at banks, with risk leaders focused first on establishing policies and procedures for their use. “Governance is where we’ve spent a tremendous amount of time,” Bender said. “We’ve got the right working groups within the risk organization that feed up through our strategic investment planning, and then to our board governance to make sure there’s full visibility. And we’re having robust conversations with our supervisors about the permissible use cases, how we protect data privacy, compliance, and so on. For us, it always starts with the question, ‘How are we going to govern or manage the risk?’ before we talk about where we are going to innovate and explore or expand.” Bender said he benefits from conversations with industry experts and peers who face similar hurdles. “We talk often with the largest technology providers about the use cases and how they are governed within their four walls. My team is sitting down with our information office and business partners to flesh out rapidly the highest and best use cases, which gives us the ability to attack the risk rather than to chase it.”
Lentino said that, at Wintrust, “A primary foundational element before you can move forward with application development is to invest in technology to monitor how it is used.” Lentino cautioned, “While many employees are anxious to have ChatGPT-like technology available to them, it is important to first invest in technology to be able to monitor what employees are sending into those tools and sending out of those tools.” Like others on the panel, he affirmed the importance of long-term governance, adding that the risk function’s oversight needs to be forward-looking and proactive as AI finds its way into many business uses.
On risks tied to technology and third-party relationships more generally, panelists said that external relationships warrant additional scrutiny as technology comes to permeate banking. “We think robustly about the end-to-end connectivity across the provider and supplier network and the dependency that they have on one another,” Bender said. He cited recent concerns about potential zero-day vulnerabilities in software systems and their broad implications for a bank and its network of suppliers and customers. He said his team is concerned about “third-, fourth-, even fifth-party implications,” as a vulnerability may span across a firm and its network of external partners. “We spend a lot of time looking at the full solution set and having conversations about what does fail-and-recovery look like? What is resiliency? How do we message that up through senior management and through the board?”
Read More – The 2026 ProSight CRO Outlook Survey: Technology’s Promise and Peril – ProSight Financial Association
