How are you incorporating regulatory uncertainty and policy changes into your technology roadmaps? What contingency planning approaches have proven most effective for your organization?
In finance, regulatory requirements are especially stringent and frequently changing, which creates a lot of uncertainty. Even well-established practices can be upended as regulations evolve, and rapid technological change adds another layer of complexity. For example, with stablecoins and tokenized deposits, there is still significant ambiguity about regulatory expectations. Our approach is to anticipate potential impacts and prepare for different scenarios, making educated guesses about where regulations are heading and reacting accordingly.
We work closely with legal, compliance, and risk teams, and we monitor upcoming regulations, especially outside the US. Typically, we see regulatory changes coming and have time to react. We take all this into consideration and collaborate to develop compliance plans when necessary.
Although we do not face many regulations that directly impact us, we follow an approach of evaluating enterprise risk for each piece of legislation. This helps us determine how quickly we need to achieve compliance. When implementing technology to address regulatory requirements, we tend to err on the side of caution, aiming for compliance with the most stringent regulations, such as GDPR. This ensures we also meet other privacy laws, like those in Canada or California.
A key part of our approach is partnering with legal and regulatory compliance teams to examine both current and draft regulations that could impact our business. For example, we closely monitored the drafting of GDPR and similar legislation in California, such as CCPA and CPRA. We also pay attention to federal legislation and executive orders, which can rapidly introduce new requirements. We conduct risk assessments to determine the potential impact on our business and develop appropriate responses. Managing regulatory uncertainty requires staying informed and being prepared to pivot as new policies emerge.

I would also highlight the importance of risk management frameworks, such as those offered by ISACA. These frameworks provide guidance on responding to risk—whether by avoiding, accepting, reducing, or mitigating it through controls. Adopting a robust risk response framework is critical for managing regulatory uncertainty and aligning with best practices in IT risk management.