The Case for Recognition of Technology Standards in Financial Regulation
Written by Daniel Gorfine & Natalia Bailey

Daniel Gorfine is Founder and CEO of Gattaca Horizons, Adjunct Professor at Georgetown University Law Center, and former Chief Innovation Officer at the U.S. Commodity Futures Trading Commission (CFTC).
Natalia Bailey is a Principal at Gattaca Horizons.
Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.
The pace and opportunity of technology-driven innovation in financial services and markets are expanding exponentially. Financial regulators are tasked with overseeing this rapidly evolving landscape, but the challenge and consequences are immense. Headlines regarding technology-based operational flaws or cascading failures are increasingly common, but cannot and should not deter continued development. To this end, regulators and regulations have a critical role to play in establishing safeguards and clear compliance expectations that facilitate responsible growth and technology adoption. American consumers, small businesses, and the broader economy deserve no less.
A recent Government Accountability Office (GAO) report underscores the urgency of the challenge: fewer than half of select financial regulatory staff surveyed said they possessed relevant financial technology skills, and many agencies have not systematically assessed the skill sets required to conduct effective oversight. Without deeper and more consistent technical capacity, regulatory frameworks will struggle to meet the moment.
While many agencies are seeking to take positive steps to build internal capabilities – through expert hires, innovation offices, interagency collaboration and sandboxes or internal laboratories – this alone is not enough to keep pace. Regulations themselves are often too slow and static to keep up with rapidly evolving technologies, vulnerabilities, and best practices. To effectively foster innovation and competition, while also ensuring stability and consumer protection, financial regulators need a new approach, including within regulations themselves: the formal, methodical recognition of standards developed by well-governed, industry-recognized standards-setting bodies.
A Well-Established Idea to Establish Here
This call for greater reliance on industry-led or public-private standards-setting is not new. Former FDIC Chairman Jelena McWilliams, current FDIC Acting Chairman Travis Hill, and Brandon Milhorn, President and CEO of the Conference of State Bank Supervisors (CSBS), have all spoken about the need for standards-setting efforts to guide the industry, facilitate third-party due diligence, and inform regulatory expectations. This call is echoed in international models: in the UK, for example, the Financial Conduct Authority has previously “confirmed” industry-proposed guidance – particularly when it incorporates consumer or investor protection perspectives – creating a trusted pathway for innovation and compliance. In Singapore, the industry’s API Playbook, developed in consultation with the Monetary Authority of Singapore (MAS), recognizes international standards for secure information management. The UK and Australia similarly rely on such standards in the context of open banking and digital financial infrastructure.
But regulators can, and should, go even further by specifically stating that adherence to well-crafted and well-recognized standards serves as a good-faith indicator of compliance – or even a safe harbor in appropriate circumstances – in satisfying regulatory requirements and expectations.
Keeping Pace with Change
Embracing recognized standards would provide financial services providers and third-party vendors or partners with a clearer roadmap for compliance in technology-centric areas where static regulation will inevitably lag. By explicitly stating in rulemakings that adherence to recognized standards constitutes evidence of compliance, agencies can promote clarity, while allowing innovation and compliance best practices to evolve. This approach could be especially transformative in rapidly developing domains such as cloud computing, cybersecurity, artificial intelligence, bank-fintech partnerships, and open finance/data sharing and processing.
We've already seen some promising steps in this direction. While aspects of the CFPB’s Section 1033 open banking rulemaking should and will be revisited, the Bureau’s approach of explicitly recognizing the role of industry standards developed by well-governed bodies (in that case, FDX) that meet high thresholds of transparency, openness, balance, and consensus-based governance should be embraced. This endorsement of an industry-led standards organization reinforces the principle that regulators can rely on well-structured and governed bodies to help bridge technical gaps without outsourcing supervisory authority.
Likewise, the Federal Risk and Authorization Management Program (FedRAMP) offers a model for how government-recognized standards can promote innovation, accountability, and security. FedRAMP has standardized cloud cybersecurity expectations across federal agencies and is based on technical standards from the National Institute of Standards and Technology (NIST), which established a structured, risk-based methodology for evaluating security controls. Notably, FedRAMP and its government-recognized authorizations already require a vast majority of the same types of cybersecurity compliance practices as the federal banking regulators require. If financial regulators in formal rulemakings were to specify that FedRAMP compliance meets the majority of regulatory requirements, this would create a clear baseline for the financial services industry and simplify technology and vendor due diligence in the cloud cybersecurity context.
Similarly, the Cyber Risk Institute (CRI) Profile was developed by a “not-for-profit coalition of financial institutions and trade associations working to protect the global economy by enhancing cybersecurity through standardization. Through consensus among the financial sector ecosystem… [the Profile] and related guidance help firms better manage cyber compliance programs.” While federal financial regulators have issued statements of support for tools such as the CRI Profile, they refrain from offering any “endorsements.”
We encourage regulators to go further: as the CFPB demonstrated by recognizing a standards-setting organization in its open banking rule, it is possible for regulators to give even more explicit recognition to such organizations and efforts. Beyond such recognition in rulemakings and related guidance, policymakers and regulators should also consider when such standards bodies warrant designation as self-regulatory organizations (SROs). In an era of efforts to restrict government spending, SROs can help fill the gap and be more nimble than government in evolving compliance standards at the pace of innovation. Whether through explicit recognition of standards or considering SRO designation, such bold and decisive actions would go a long way in increasing clarity, reducing compliance costs, and enabling regulatory frameworks to be agile and adaptive to rapidly changing technologies.
A Good Next Step
Ultimately, to keep pace with increasingly technology-driven financial services, regulators will need to adopt new strategies and approaches. Increasing internal capabilities and expertise is one key pillar. But another must be finding official ways to leverage external technical expertise, embed notions of agility and adaptability in the face of a rapidly changing landscape, and promote clarity, competition, and innovation within the industry. Well-crafted standards can do precisely this.
A timely example of where officially recognized standards can support innovation and the safeguarding of the financial system is in the context of bank-fintech partnerships. As these partnerships became more integrated and enabled by leading-edge technologies, they created a commensurate increase in questions regarding compliance and partner responsibilities. Fortunately, organizations like the Coalition for Financial Ecosystem Standards (CFES) are working to develop clear standards that can promote safe and sound bank-fintech collaboration. Bank regulators should embrace and empower these kinds of efforts by offering official recognition, which in turn will increase participation in developing standards and speed adoption.
Standards are not a substitute for strong oversight – they’re a force multiplier. Used well, they can allow agencies to focus scarce resources on supervision based on clear expectations, while ensuring consistency and trust in the broader financial ecosystem. In a time of accelerating change, standards offer a durable bridge between innovation and regulation – one that helps protect consumers, foster competition, and future-proof financial regulation.
The opinions shared in this article are the authors’ own and do not reflect the views of any organization they are affiliated with.