Connect with us

Business

A bank’s ESG record depends on how its technology is built

Source: Finance Derivative

By Tony Coleman, CTO, Temenos

ESG (environmental, social, and corporate governance) has become mission-critical for banks, from meeting regulatory obligations to aligning with customer values to win market share. 

Many banks have turned to technology to manage their ESG position. But technology is not a panacea. It also presents a risk that banks fall short of their ESG targets. 

Technology that greens

Let’s look at the environmental pillar. Run on-premises or in a private datacentre, technology can be a big consumer of carbon. But deployed with the right infrastructure partners, it can enable banks to reduce their carbon footprint. Cloud is the best example of this. Banks that outsource their computing infrastructure to the public cloud hyperscalers can benefit from their economies of scale and energy efficient build principles. 

The geographical spread and scale of these datacentres allows for carbon-aware computing, which involves shifting compute to times and places where the carbon intensity of the grid results in lower carbon emissions. One study of Microsoft’s cloud infrastructure concluded its datacentres emit 98% less carbon than traditional enterprise IT sites. These hyperscalers have a focussed mindset and the deep pockets to match. The new Graviton3 processors that AWS is now installing in its public datacentres, which claims to use 60% less energy than the standard X86 models that have been in wide circulation, is an example of the progress that only a hyperscaler can achieve.

The green benefits ‘of the cloud’ are enhanced by software purposefully built to run ‘in the cloud’. Software vendors that are committed to decarbonising their solutions in the build phase pass those wins down the supply chain to banks. For example, the latest version of the Temenos Banking Cloud was built with a 12% improvement in carbon efficiency. How the software operates can have an even more profound benefit for banks. For example, banking software that runs ‘scale-to-zero’ protocols will automatically shut down or scale down availability according to demand for its service. This is one factor that has contributed to a 32% carbon efficiency improvement in the run time of the latest Temenos Banking Cloud release.

Collecting this evidence is not simply an internal tracking exercise. Regulations are reaching a point where publishing data against ESG targets will be legally mandated. In Europe the ECB and the Bank of England have launched climate risk stress tests to assess how prepared banks are for dealing with the shocks from climate risk. Meanwhile, initiatives like the UN-convened Net-Zero Banking Alliance (representing over 40% of global banking assets), the Glasgow Financial Alliance for Net Zero and ​​the Principles for Responsible Banking add to the clamour for banks to evidence their progress. Tracking ‘Scope 3 emissions’, which includes all indirect emissions that are not owned or controlled by the bank, is the next phase. Recognising this, Temenos has developed a carbon emissions calculator, which gives our customers deeper insight into carbon emissions data associated with their consumption of Temenos Banking Cloud services.

The same concept can be extended to a bank’s customers, with carbon calculators and automated offsetting schemes that help people build towards their personal environmental goals. Doing so brings a bank’s green credentials into the public sphere, turning environmental initiatives into commercial opportunity.

(Box-out)

Flowe, a cloud-enabled digital bank built on green principles, launched in June 2020. It is the first bank in Italy to be certified as a B-Corp and has been able to maintain its overall carbon footprint close to zero, saving 90.81% – 96.06% in MTCO2e emissions compared to the on-premise alternative. Within six months of launch, 600,000 mainly young Italians had become customers, at one point onboarding 19 new customers per second. This rapid launch and growth was only possible with the agility and scalability of cloud. Read more about this story.

Technology that reaches

Cloud also enables financial inclusion, a key tenet of ESG ambitions. Today, anyone with a mobile phone and internet connection can access banking services. With elastic scalability and software automation, banks have an almost limitless capacity to serve more customers. And they might not be where you think; 4.5% of US households (approximately 5.9 million) were “unbanked” in 2021. In the past, banks would have seen them as unprofitable targets. But as cloud and the associated automations cut go-to-market and operational costs, the commercial case for inclusion becomes stronger. 

Embedded finance gives banks another avenue of reach. Via simple APIs, banks can provide their solutions to non-financial businesses. This ready-made audience might otherwise take years to reach through a bank’s own marketing and sale channels. The embedded finance market is set to be worth $183 billion globally in 2027. That can be seen as a proxy of greater financial inclusion. 

AI offers another opportunity to improve financial inclusion. Armed with AI, banks can deliver highly personalised products and experiences for customers. People can be directed to the most appropriate investments, including funds that promote sustainability and loans made with a better understanding of the applicant’s ability to pay it back. ZestAI (previously Zest Finance), a leading provider of AI-powered credit underwriting, claims that banks using its software see a 20%- 30% increase in credit approval rates and a 30-40% reduction in defaults. 

But mismanaged, AI can have a dark side. If the data used to train them has bias, systems will perpetuate these discriminations. This can lead to unequal access to financial services and unjust or irresponsible credit decisions. In a study conducted by UC Berkeley, Latin and African-American borrowers were found to pay 7.9 and 3.6 basis points more in interest for home-purchase and refinance mortgages respectively, representing $765 million in extra interest per year. What’s more, AI algorithms are often complex and difficult to understand, so it is hard for customers to challenge decisions and for regulators to enforce compliance.

ESG by design

So how do banks reconcile the ESG benefits of technology with the risks? The answer is in how the technology is built; or more specifically, in the principle of ESG by design.  

ESG by design is the concept of incorporating environmental, social, and governance factors into new technology and software features from the outset. The desired outcome is that the solution’s architecture, functions and UX enable ESG optimisation. But it is enabled with a commitment that all decisions taken through the design and build phase are judged through the lens of ESG criteria and targets. 

At Temenos, ESG by design is a core principle to how we build technology. Let’s unpick what that means in practice, with some examples.

  • Shift-left is how we systematically embed ESG into our banking software services. It means estimating the potential carbon footprint of a new project from the start, and then working back to mitigate it at every stage. The same goes for usability, compliance, and other factors that impact ESG. Detecting and addressing issues earlier in the development process is more effective than taking remedial actions after the event, which risks both compromising the efficacy of the solution and increasing the cost and time of the development lifecycle. 
  • If there’s a choice to be made, banks should make it. Though ESG goals align with most bank’s commercial aspirations (i.e less carbon equals less cost, more choice and better experiences equals more customers) it is not binary. Banks will have varying appetites of commitment to ESG. Take scale-to-zero, which I referred to earlier. Limiting service availability and adding latency impacts the customer experience and regulatory SLAs, such as payment processing speeds. 

The optimum balance is not a call for us, as the technology vendor, to make. Instead we give banks the parameters and configurabilities to make the choice themself. This higher degree of control encourages banks to (a) use carbon-aware computing solutions, and (b) engage with the technology with more purpose.

  • Use technology to improve technology. Humans are fallible. AI is only as good as the people that program it. Their biases become the system’s biases. But the black box nature of many AI systems means that these biases go unnoticed. At Temenos we embed an explainable component to our AI tools (XAI). It allows us and our banking clients to understand how AI decisions have been made, and in doing so surfaces flaws that can be fixed. We extend this capability to a bank’s customers, allowing them to interrogate and challenge decisions.
  • The complex supply chains in technology makes ESG a collaborative effort. The work we do at Temenos to support banks with their ESG goals would be undermined if our partners didn’t share our same commitment. That means working with hyperscalers and partners in our ecosystem, and opening ourself up to third party validation. We did just that, using an independent carbon calculation platform (GoCodeGreen) to assess our carbon efficiency. I shared the evidence earlier; a 32% carbon efficiency improvement in the run time of the latest Temenos Cloud release, and a 12% improvement in build time. These are the sort of independently verified data points that banks should be asking their technological providers to submit. 

Collaboration also means being honest about what others can do better, and enabling their innovations. The Temenos Exchange has almost 120 vendors that are continually extending and improving our core solutions. These include Bud, an AI capability that drives highly personalised experiences for lending and money management; and Greenomy, that makes it easier for banks to capture sustainability data and report on it.

Conclusion

ESG by design is an holistic approach to all tenets of ESG: energy efficiency, financial inclusion, transparency and accountable governance. By working with technology partners that elevate ESG to a core design principle, banks can recognise a wide range of commercial opportunities and ensure compliance with evolving regulations. That should make ESG a core selection criteria of software vendors. Banks will want to find the evidence that their technology partners are as serious about ESG as they are; and that they have the design and build practices that bring these to life.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Business

PSD3 and the Real-Time Fraud Imperative: What the Regulation Actually Demands of Financial Infrastructure 

Baiba Miezere, Group Product Development Director at Eastnets 

The payments industry has spent years treating fraud prevention as a detection problem. PSD3 reframes it as an infrastructure problem, and that distinction matters enormously for how institutions should now be thinking about their technology stack. 

The Regulatory Signal Worth Reading Carefully 

PSD3 is frequently discussed in terms of its compliance burden: stronger authentication, expanded liability, tighter rules around authorised push payment fraud. But the more important signal is structural. By increasing liability for fraud losses and accelerating the shift toward instant payment rails, the regulation is effectively forcing fraud prevention out of the back office and into the transaction execution path itself. While PSD was concentrating more on cards, pull payments, reversible transactions, PSD3 addresses rapidly growing pain-point in financial market: instant payments, irreversible push payments, open banking Account-to-account payments, real time fraud.   

This is a meaningful change. For most institutions, fraud review has historically happened after the fact, a monitoring function that flags anomalies, investigates cases, and seeks recovery. That model was always imperfect, but it was manageable when payment cycles gave you hours or days. Instant payments collapse that window to seconds. Once funds move, recovery options are limited. The liquidation point, where fraudsters convert access into irreversible transfers, now happens faster than most legacy fraud systems can respond. Fraud methods have also rapidly evolved: social engineering scams, synthetic identities, account takeovers, authorised push payment fraud – all requiring shift from traditional post-transaction rule-based monitoring to real-time cross-payment channels detection, combined with behavioural biometrics and artificial intelligence layer.  

PSD3 doesn’t just tighten rules. It implicitly requires a different architecture, different tooling. 

Why Behavioural Intelligence Is Now Central, Not Optional 

The fraud typologies that PSD3 is most focused on, particularly APP fraud and account takeover, share a common characteristic: they’re hard to catch at the transaction level alone. A payment instruction may look entirely legitimate in isolation. The anomaly only becomes visible when you layer in behavioural context: Is this consistent with how this customer normally behaves? Is the session access pattern unusual? Is the same device and behavioural pattern spotted across other accounts and payment methods?  Has the beneficiary relationship changed recently? 

This shift explains why the industry has been moving toward a more integrated approach to fraud prevention. To comply with PSD3 and evolving fraud, institutions shall combine entity-level risk profiling, session-level intelligence, and transaction-level risk scoring to create a fuller view of risk before a payment is executed. 

The challenge is that, in most institutions, these capabilities remain siloed. Behavioural analytics may sit in a separate system or be missing altogether, while transaction monitoring is split across channels, with one solution for cards and another for wire transfers. This often leaves instant payments, account-to-account payments, crypto payments, and buy-now-pay-later flows insufficiently covered, especially when detection and decisioning must happen within milliseconds. 

The result is a fragmented control environment, with no unified decision point that brings all relevant signals together before a payment is released. 

The gap between these layers is where fraud increasingly lives. Schemes evolve precisely to exploit the seams between detection systems. Static rules, however sophisticated, are inherently reactive, they catch what’s already been seen. The more durable approach combines rules-based detection for known patterns with unsupervised machine learning that identifies deviations from normal behaviour without requiring prior fraud examples. This handles both the known unknowns and the genuinely novel. 

The Swift Dimension That Often Gets Overlooked 

Much of the conversation around PSD3 and instant payments focuses on domestic retail rails, which makes sense given where consumer fraud volumes are concentrated. But high-value cross-border payments represent a distinct and underserved risk surface. 

Swift traffic sits largely outside the scope of consumer-focused fraud tools. Yet correspondent banking flows carry significant value, and the attack vectors, compromised operator credentials, fraudulent payment instructions, manipulation of debit confirmations, are well-documented. The ability to monitor Swift messages at multiple interception points, cross-reference MT900 confirmations against MT103 instructions, and, critically, issue stop-and-recall instructions via the GPI tracker for payments already in-network, meaningfully extends the intervention window beyond what’s possible on domestic rails. 

Very few fraud prevention architectures address this channel natively alongside retail payments. That gap deserves more attention as institutions think about end-to-end coverage. 

From Compliance Burden to Architecture Decision 

The institutions that will navigate PSD3 most effectively aren’t those that treat it as a compliance checkbox. They’re the ones that use the regulatory moment to reassess their fraud prevention architecture more fundamentally, asking not just “what do we need to do to comply?” but “what does a genuinely real-time, multi-channel fraud prevention capability actually look like, and do we have it?” 

That question tends to surface uncomfortable answers. Fragmented point solutions. Offline analysis loops. Gaps in channel coverage. Detection capabilities that operate after execution rather than within it. Manual fraud investigation processes. Rapidly growing fraud volumes that institutions are expected to manage without proportionally increasing investigator teams and operational costs. 

The regulation provides the mandate. The harder work is architectural: building or acquiring a unified control layer that sits within the payment workflow, combines behavioural and transactional signals, covers the full range of payment rails, and makes preventive decisions in real time rather than purely detective ones after the fact. Done well, this approach can strengthen detection, improve the customer experience, reduce operational costs, and significantly increase the effectiveness and productivity of fraud investigators.  

That’s not a product category. It’s an infrastructure requirement. And PSD3 has just made it non-negotiable. 

Continue Reading

Business

The compliance cost trap and why efficiency must be the next frontier

Hassan Zebdeh, Financial Crime and Payment Advisor at Eastnets, outlines how banks can achieve stronger compliance outcomes by embracing more efficient, connected ways of working. 

Compliance has become one of the most resource-intensive functions inside modern banks. Year after year, institutions invest more people, more technology and more time into meeting expanding regulatory expectations, yet many find themselves no closer to achieving meaningful reductions in risk. Or cost. 

At the same time, financial crime is evolving daily, payments are moving in real time and regulators are increasingly focused on outcomes rather than process. While effort may increase, effectiveness doesn’t always follow suit. The systems and processes that once supported compliance in a pre-AI age are now being stretched to their limits, revealing a widening gap between what institutions put in and what they get back. 

This growing imbalance raises a critical question for the industry: how financially sustainable is the current approach to compliance, and what needs to change if banks are to keep pace with risk and regulation? 

The growing strain on compliance

Regulatory compliance can now account for more than 13% of operating costs, yet many banks continue to struggle with the same operational challenges. For most, rising spend has become the default setting for keeping up with regulatory obligations, rather than a reliable way to improve how risk is managed in practice. 

Part of the challenge lies in how compliance has evolved. In recent years alone, banks have had to absorb a wave of new and evolving requirements – from the EU’s AML Package and DORA’s operational obligations to global FATCA/CRS reporting deadlines and many other regulations globally. The response to these changes has often involved layering new controls, systems and processes onto existing ones, adding complexity without fundamentally rethinking how compliance has changed. 

The result is an environment that’s increasingly fragmented and difficult to scale. Compliance teams are expected to deliver faster detection, clearer auditability and stronger risk differentiation, while still relying on operating systems shaped by outdated processes and disconnected data. And yet, a single alert can take anywhere up to 22 hours to action – while some instant payments schemes require decisions in seconds, other nations still operate within minutes or longer. Sanctions lists are also changing, with the Office of Foreign Assets Control (OFAC) imposing sanctions on [https://”/]over 1,300 individuals and entities in 2025 alone, with this likely to double in 2026​. Banks are having to manage risk continuously, even as they attempt to modernise operations that were never designed for today’s pace, landscape or scale. 

Making matters harder, many firms are struggling to find and retain professionals with the right mix of legal, technical and operational expertise to work on these older platforms too. Experienced professionals are retiring en-masse, while nearly half of the new entrants lack the right experience needed to step into these roles effectively. Then again, why would the modern workforce want to work on outdated systems when they can choose new, more agile players within the industry? 

Taken together, this all culminates into a costly endeavour. There is little being done on a broader scale to address the underlying mismatch between rising complexity and operational capacity. Therefore, to keep pace with risk and regulation, we need an entirely different approach; one that focuses more on how compliance is designed, connected and executed. 

Reimagining compliance for a real-time world

For banks willing to rethink how compliance operates, this moment presents a clear opportunity to not only strengthen oversight, but to escape a cycle of rising cost and diminishing returns. As regulatory expectations rise and financial infrastructure accelerates, institutions have a chance to move beyond reactive expansion and build compliance frameworks that are both more effective and more economically sustainable. 

An efficiency-driven compliance framework is central to breaking this cycle. Rather than increasing headcount or layering new processes each time risk or regulation evolves, the focus needs to be on improving how compliance work is performed. By reducing duplication and allowing better decision-making at scale, efficiency helps banks contain costs while improving outcomes, addressing the root cause of the compliance cost trap. The question becomes; how can organisations unlock these improvements? In practice, this shift is anchored in four core capabilities that together redefine modern compliance. 

First, automation helps decouple compliance effectiveness from both headcount growth and large-scale system change. By streamlining the likes of data collection, enrichment and alert handling on top of existing environments, automation reduces manual effort without requiring a full ‘rip and replace’ approach of legacy platforms. This lowers the cost of day-to-day compliance activity while improving consistency and investigation speed. 

Next, risk-based approaches make sure resources are applied where they make the most difference. In practice, this means deeper scrutiny for higher-risk customers, geographies or transaction patterns, while allowing faster, lighter-touch processing for low-risk activity. With AI models and agents, banks can learn from historical patterns, detect subtle anomalies and adapt to evolving fraud and financial crime typologies, using a risk-based approach to automatically reduce false positives. But by tailoring controls to actual exposure, institutions can improve outcomes while reducing unnecessary operational burden. 

The third capability is streamlined reporting. This can be a time-consuming component of compliance, but automated, standardised reporting helps institutions meet regulatory obligations more efficiently, particularly across jurisdictions. By producing consistent, explainable and audit-ready outputs, financial institutions can reduce the recurring cost of manual reconciliation, remediation and regulatory engagement – all while strengthening compliance confidence. 

Finally, interoperability underpins efficiency. Compliance systems rarely operate in isolation and replacing them outright is too costly and disruptive. Interoperable environments, however, allow institutions to modernise incrementally – connecting existing systems, eliminating duplication and extending the value of current investments – without downtime or operational risk. 

Together, these four capabilities help shift compliance away from perpetual cost growth and toward a more stable, scalable model. Efficiency simply becomes the next frontier. Not as a shortcut, but as the mechanism through which banks strengthen defences, control costs and remain resilient in an increasingly demanding regulatory environment. 

Escaping the cost trap

As regulation becomes more outcome-focused and financial crime continues to evolve, banks are being pushed to reconsider not how much they spend on compliance, but how effectively that investment is put to work. 

Efficiency now represents the next frontier of compliance. And those institutions that rethink how compliance is designed, connected and scaled will be better positioned to strengthen defences, control cost growth and respond faster to change.  

The opportunity ahead is to move compliance beyond perpetual expansion and toward purposeful design. For banks, regulators and the wider financial ecosystem, the objective is clear: build compliance frameworks that are fit for the future, resilient by default and capable of keeping pace with risk – all without letting cost become the limiting factor. 

Continue Reading

Business

Why Resilience Is Replacing Prevention as the Defining Cybersecurity Strategy

by Manuel Sanchez, Information Security and Compliance Specialist, iManage

For decades, cybersecurity centered around prevention. Build the right walls around your perimeter, deploy the right tools, train your people not to click the wrong links, and you could keep the bad actors out.

Today, the question driving security strategy is no longer “how do we stop a breach?” but “how do we survive one?” It is a subtle but profound shift in philosophy, and it is reshaping everything from how IT and Security leaders structure their teams to how they select their vendors and deploy AI.

Rehearsing for the worst

The practical expression of this shift is visible in how security teams are being restructured. Organisations are establishing dedicated disaster recovery teams – not to prevent incidents, but to contain and recover from them when they occur. These teams maintain detailed, regularly updated playbooks covering everything from backup restoration to stakeholder communications, with roles pre-assigned and procedures rehearsed well in advance.

In many ways, this mirrors the logic behind disaster drills: fire alarms matter, but knowing the evacuation routes and the post-incident recovery plan determines how well an organisation survives. Critically, responsibility cannot rest with the CISO alone. Business continuity after a cyber incident is a whole-company challenge – which means every core part of the organisation is involved to sustain critical business operations.

Governance in the gray areas

Running alongside this shift is a governance crisis that is easy to underestimate until it becomes a serious risk. As organisations adopt more applications across more vendors and hosting services, the shared responsibility model that was supposed to keep cloud accountability clear has become increasingly difficult to enforce.

The sheer volume of cloud applications in use at any given enterprise is too vast for consistent governance under current approaches – and bad actors have become skilled at identifying exactly where vendor responsibility ends, and customer accountability begins, then operating precisely in that “gray area”. Being aware of this risk and putting preventative measures in place is important, but recognising the role these cloud applications play and the impact to key business operations if these applications were compromised, is critical.

Meanwhile, data volumes continue to grow exponentially, and unstructured data continues to accumulate in the background across many digital systems. Why is this important? If you don’t know what data you have, where it is stored, who has access to it, and, most importantly, how it is protected – onsite or cloud backup – this makes the recovery process a lot harder.

AI agents on the rise – and with it new risks

Although the focus of this article is on resilience, prevention must still remain an essential part of your defences. On that front, the accelerating adoption of autonomous AI in cyber defence tasks is reshaping security operations as visibly as anything else happening in the field right now. The volume, speed, and sophistication of modern threats have simply outpaced what human analysts can manage in real time.

The shift is toward AI that doesn’t just flag anomalies for human review, but actively detects, analyses, and neutralises threats as they emerge, even using predictive models to anticipate attacks before they fully materialise. This frees human experts to focus on strategic decisions and complex defence work rather than spending their days firefighting.

Autonomous AI does, however, introduce risks of its own. When AI agents operate across systems – accessing sensitive repositories, triggering actions, sharing data – they expand the attack surface in ways that aren’t always immediately visible.

Managing the digital identities of AI agents, much like managing employee access credentials, is becoming a critical security discipline. Accordingly, comprehensive traceability frameworks that log every action an agent takes are no longer optional; they are the foundation of responsible AI deployment in any security context.

The supply chain wake-up call

The case for moving from a “prevention” mindset to a “resilience” one is further bolstered by recent high-profile breaches via compromised managed service providers, which have forced a fundamental reset in how organisations evaluate their vendors.

The era of cost-first selection is over. Security credentials, demonstrated through continuous and verifiable evidence, are now non-negotiable for any provider hoping to retain enterprise clients – and what organisations are demanding goes well beyond point-in-time audits. They want real-time visibility into every third-party integration, every software update, and every vendor interaction – including the cloud services the vendors themselves use.

“Trust but verify” has become the operational standard, and providers who cannot demonstrate validated controls and live monitoring are finding themselves out of contention. It is a structural shift that will reshape the vendor landscape considerably — and it is already underway.

A new era demands a new approach

In the end, prevention still matters, but resilience – instilled via the key focus areas above – is what turns disruption into survivable events rather than existential crises. The organisations that are honest about the limits of prevention and embrace the shift towards resilience won’t just better withstand the next wave of attacks – they’ll be differentiating themselves from competitors still clinging to yesterday’s playbook.

Continue Reading

Copyright © 2021 Futures Parity.