
The Case for Standards-Backed Supervision in a Technology-Driven Banking System

Written by Sima Gandhi

Sima J. Gandhi is co-founder of CFES and President of Alton Strategies, advising companies at the intersection of tech, business, and policy, and is a Sr. Advisor at FS Vector. She was previously on the founding team at Plaid, CEO of Creative Juice, and ex-US Treasury.

Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.

The American banking system requires its examiners to be experts. By some accounts, OCC examiners undergo seven years of training and apprenticeship before they are able to receive certification as full-fledged bank examiners. They master capital adequacy, Basel framework requirements, concentration limits, and liquidity coverage ratios: the core architecture of safety and soundness that has evolved over a century of regulatory experience. That expertise is deep, rigorous, and hard-won.

But the technology stack that underlies modern banking is evolving faster than any traditional training regime can follow. Seven years ago, Open Banking and APIs were nascent concepts. The AI agents and models that are now quickly embedding themselves throughout our banking system were science fiction. Technology is increasingly the infrastructure on which the banking system runs. And understanding the full scope of it, from quantum risk and computing to AI-model-enabled credit scoring, at the pace that it evolves requires a depth of expertise that no regulator, however talented and well-resourced, can be expected to develop alone. Something else is needed.

Understanding the Problem…

This is not a criticism of our regulators. It is simply an observation about the nature of specialized knowledge. The Federal Reserve does not build its own semiconductors. The FDIC does not write its own cryptographic protocols. The question is not whether regulators should know everything — it is how they get reliable, structured access to the expertise they need.

This challenge became visible again recently when the OCC, Federal Reserve, and FDIC released updated interagency guidance on model risk management. The agencies reaffirmed the importance of sound model governance but declined to provide specific direction on AI models and autonomous agents, the very area where institutions are most hungry for clarity and where examiners are most exposed. The guidance told the industry to do model risk management. It did not tell them or examiners what good looks like for the tools that matter most right now.

And Solution

We have seen glimpses of a better model. The Cyber Risk Institute pioneered a profile-based approach to cybersecurity risk in financial services, partnering with industry and regulators to define assessable, sector-specific standards. That work illustrates the core principle: the private sector, when properly organized and accountable, can generate the technical depth that examination teams need. The challenge is to build this principle into the architecture of supervision itself, not leave it as an occasional supplement.

This is the structural problem. And it calls for a structural solution.

Standards Become Meaningful When They are Tied to Audits and Certifications 

This is the essential insight that separates a useful framework from a soft aspiration. Voluntary guidance that invites firms to consider their practices is worth… something. A certification that an independent, qualified assessor has evaluated a firm against defined benchmarks — and has issued a report that can be reviewed, relied upon, and challenged — is worth everything.

In this model, industry-led standards bodies, working with both private sector participants and regulators, establish technology risk benchmarks across domains: model risk, cybersecurity, operational resilience, third-party risk management, AI governance. These standards are not static rules — they are frameworks calibrated to mature with the size and complexity of the institution. A pre-launch fintech does not face the same expectations as its GSIBlings. What matters is that each firm can be located on the spectrum, and that expectations for progression are clear.

Credible assessments require credible firms that do the work. Standard-setting bodies can also authorize qualified independent private-sector firms to conduct appropriate evaluations. A substantive report that documents where a firm sits, what controls are in place, and what gaps require remediation can become an invaluable component of, not a substitute for, an examination. These reports arrive in the hands of bank examiners not as a substitute for supervisory judgment, but as a force multiplier for it.

The examiner who once had to reconstruct transaction monitoring logic from scratch — often without the technical background to fully evaluate it — now begins the examination with a pre-validated technical picture. Her time and expertise can be focused on the strategic and systemic questions only a regulator can ask: Is this firm taking on risks its management team understands? Does the board have visibility? Are the incentive structures sound? These are examination questions. The technical baseline has already been established.

This Model Serves the Full Ecosystem 

For community banks, which have seen their numbers fall by half since 2000 and face crushing compliance burdens relative to their size, industry standards provide a common lexicon for managing technology partnerships. Instead of building bespoke oversight frameworks for every new fintech relationship, a community bank can ask: Are you certified? At what maturity level? Against what standards? Due diligence becomes auditable and scalable. The community bank that embraces this model can compete in the digital economy without sacrificing its safety and soundness obligations — or its examiners' confidence. Community banks remain responsible, just more informed.

For fintechs, certification creates a genuine differentiator. At the vendor onboarding stage, where banks are conducting due diligence on technology partners, a third-party certification speaks more credibly than any self-attestation. It creates a common language between the fintech's engineering organization and the bank's compliance team. And as the relationship deepens and examination exposure grows, that certification provides ongoing evidence of a maturing risk posture: not a static snapshot, but a documented trajectory.

For regulators (and here it is worth speaking directly to the supervision leadership at the FDIC, OCC and Federal Reserve, who set the tone for examination culture), this model is not a retreat from regulatory authority. It is an expansion of regulatory capacity. The certification does not create a safe harbor. An examiner who sees a clean certification report and then observes conduct inconsistent with it should pursue that discrepancy aggressively. What the certification does is change the starting point of examination from a blank slate to a documented baseline — and free supervisory resources for the questions that demand regulatory judgment.

Why Not?

The concern worth taking seriously is that private sector involvement in standards-setting could lower the bar rather than raise it. This is a legitimate question in a democracy with a living memory of financial crises.

The answer is that well-designed private certification makes the bar more visible, not lower. When expectations are vague, firms fill the ambiguity with what is convenient. When standards are explicit and independently verified, firms must meet them or the gap is documented and discoverable. The record of industry-led standards in other regulated sectors (e.g., aviation safety, nuclear operations, pharmaceutical manufacturing) suggests that when the stakes are genuinely high and the consequences of failure are visible, private standards bodies tend toward rigor rather than laxity. The financial sector has every reason to replicate that pattern.

Add to that belt the suspenders: regulators retain full enforcement authority. It’d be naive to believe that any standard-setting organization would operate in a vacuum, without regulatory influence. The reality is much more of a public-private partnership, with a broader framework within which to collaborate. Further, no certification insulates a firm from supervisory action. What the model provides is a more informed starting point for that supervision, one that reflects genuine technical expertise, not the uncomfortable asymmetry of an examiner evaluating technology she was never trained to assess.

Making it So

The current trajectory, where fintechs increasingly seek their own charters to escape the friction of bank partnerships, where examiners work with limited technical tools, and where the guidance vacuum around AI and model risk grows wider by the quarter, is not a stable equilibrium. It ends either in a supervisory gap that creates systemic risk, or in a regulatory overreach that stifles the innovation the system needs.

There is a third option. It requires regulators willing to acknowledge the limits of their own technical capacity, and a private sector willing to be genuinely accountable rather than merely compliant. Standards backed by audits, certifications tied to examinations, and maturity frameworks that reward improvement rather than just punish failure — these are not radical ideas. They are the logic of every other complex regulated industry that has figured out how to keep pace with the technology it depends on.

The financial sector can do the same. The infrastructure for doing so is closer than it appears.

The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.
