As we look ahead to 2025 and beyond, the cyber security landscape continues to evolve at an unprecedented pace.
Emerging technologies, expanding regulatory pressures, and the continuing innovation of threat actors are shaping a future where security and resilience are more critical than ever.
Our experts have shared their thoughts on the key topics and trends that will define the years ahead in cyber security. These insights aim to inspire action and preparation as we confront a world of rapid disruption and boundless potential. Whether you’re steering a business, shaping policy, or enhancing personal security, the future is here—and it’s moving fast.
Spotlight on financial services – Chantal Constable, Director of Financial Services and Insurance
The financial services and insurance sectors are continually evolving, and with this evolution comes an increasing need for robust cyber security measures.
Financial services (FS) have been identified as one of the UK Government’s eight priority sectors for growth in its draft Industrial Strategy. This means the industry will have a dedicated Financial Services Growth and Competitiveness Strategy (to be published in the first half of 2025) that will consider how it enables the growth of the sector, including taking “advantage of trends in digitalisation, to attract the firms of the future and increase productivity across the economy”.
In the US, many believe that a new administration in 2025 will lead to an increase in granting bank charters, which could spark fintech expansion, and a shift in M&A regulatory posture that will unlock a backlog of transactions. In Europe, meanwhile, the expansion of crypto exchanges continues into 2025, which will not only drive innovation but also increase security scrutiny.
As we look towards 2025, several key themes and considerations are emerging that will shape how the FS industry can continue to grow and capitalise on tech innovation while securing their assets and protecting their clients' data.
- Rolling regulation
It’s fair to say that a state of rolling regulation is what the financial services industry finds itself in. The Digital Operations and Resilience Act (DORA) comes into full force in January 2025. While the majority of financial institutions have maturing responses to DORA, such as threat-led penetration testing, the Act’s broad scope - particularly regarding Critical Third Parties (CTPs) - is having a growing impact on the fintech market, where we have seen an explosion of innovation (especially in paytechs and insurtechs) over the last 5 years. However, now that many of these entities fall within the scope of CTP regulations, their ability to adapt quickly to these new requirements is being tested, posing challenges to their operating models.
To compound this, in November 2024, the Bank of England released their long-awaited Critical Third Parties regulation, which will see some of the biggest tech companies fall under the direct regulation of the Bank. This is the final stage of the UK FS regulation on operational resilience that essentially mirrors DORA. Once informed of their CTP status, the tech companies have one year to get compliant.
Couple these with the AI Act, the Cyber Resilience Act (impacting smartcards), PCI DSS V.4, and NIS2, and 2025 promises a bow wave of security-focussed regulation with a far-reaching scope for new participants in the industry.
When we look back to 2018 across the UK & Europe, when GDPR, Open banking, and the Payment Services Directive 2 (PSD2) all came into force in the same year, we can see how these regulations created an inevitable Venn diagram of convergence. Organisations that identify common security threads within overlapping regulations and approach them with a holistic view of cyber security compliance are better positioned to succeed, as they adapt more quickly and effectively to change.
Then there is the Payment Services Directive 3 (PSD3), an updated version of PSD2. It provides rules on the efficiency and security of electronic/digital payments and financial services in the EU, aiming to improve competition and innovation in the financial industry. While unlikely to come into force until 2026 at the earliest, 2025 will be all about preparing for compliance. The Directive is expected to strengthen elements around payments security, such as secure customer authentication (SCA) and broaden its industry scope. This may include provisions similar to DORA, as well as recognising telecom providers as key players in the digital payment ecosystem.
This leads me to my second theme...
- Protecting payments
From paying for your train ticket via text in France, to using a QR code at the till for a clothing purchase in Japan, to using your smart watch to pay for coffee in London, the increasing global shift to digital payments continues. As well as giving rise to innovative new payment services, this is leading to an increased focus on enabling open banking, and a drive to support account-to-account payments as a secure everyday payment method.
In the UK, the payments industry has long been the centre for global innovation in payments; nearly 50 billion payments were made by UK consumers last year alone. In November 2024, the government launched the National Payments Vision (NPV), an ambitious plan to achieve a trusted, world-leading payments ecosystem, delivered on next-generation technology which is secure and resilient.
The NPV outlines three key pillars designed to guide future activity: innovation, competition and security. It highlights the growing role of identity in payments and emphasises the need for safe and trustworthy digital identity products to protect consumers against fraud. The NPV also lays out a clearer regulatory strategy for Open Banking in the UK. Many will be looking to 2025 as the year the full benefits of Open Banking will start to be realised, especially around account-to-account payments.
Looking to the US, the Consumer Financial Protection Bureau (CFPB) has finalised the ‘Personal Financial Data Rights’ rule, a new rule to trigger the start of the open banking era in the US and enable it to start catching up with nations such as the UK.
Open banking developments are also expected to pick up pace in Europe, with the European Council’s agreement on the Financial Data and Access Regulation (FIDA) in late December 2024 paving the way for final negotiations to begin on the regulation in early 2025.
Having robust security design principles at the forefront of payment innovation will enable organisations - especially fintechs - to weather the upcoming changes to the global payments landscape in 2025 faster, without stifling their ability to innovate.
- Cloud confidence & emerging tech
Over the past 3-5 years, the financial services industry has embraced rapid cloud adoption. This shift toward componentised architectures, coexisting with legacy applications and infrastructure, has introduced complexities in achieving optimal cloud security. Firms that focus on cloud confidence – by avoiding a “lift and shift” approach that risks creating future legacy systems – and view security as a key enabler of cloud adoption will be better positioned to maximise their cloud investments for the long term.
Looking to the future – 2030
As we look ahead beyond 2025, we can also expect...
- Cyber fraud fusion: we are already seeing signs in banking of the blurring of boundaries between cyber and fraud. The next 5 years will see a shift in financial services operating models as a Cyber Fraud Fusion develops, bringing together cyber, identity, and fraud teams to create solutions to better protect consumers.
- Security will be a customer experience differentiator: as we enter 2025, cyber security continues to play an elevated role in financial services operations. However, it has yet to evolve from a hygiene factor to a competitive advantage. As consumers become subject to increasingly complex fraud and seek out better protection for their payments and moving of funds, we will see security and protection becoming the customer experience differentiator in retail financial services.
Contact
NCC Group Press Office
All media enquiries relating to NCC Group plc.