
Attention CROs: The greatest threat may be behind you

Forces have recently conspired to make financial regulations as mild as they have been since the Global Financial Crisis. Perhaps surprisingly, this makes the job of the Chief Risk Officer (CRO) harder rather than easier. As business and competitive pressures mount, savvy CROs will focus inward, realizing that the greatest threat to their institutions may come from their own employees.


The magnitude and speed of change in the current regulatory environment is breathtaking. Regulators have pulled back many of the rules that had constrained the industry. The Federal Reserve Board has proposed reducing the enhanced supplementary leverage ratio for capital requirements for large banks. The Consumer Financial Protection Bureau (CFPB) withdrew a significant number of policy statements and other guidance, some of which dates back to the Bureau’s earliest days. The White House has directed agencies to eliminate the use of disparate-impact liability “in all contexts to the maximum degree possible.” The Office of the Comptroller of the Currency (like the CFPB and the National Credit Union Administration) has tied its own hands when considering whether to make a criminal referral to the Justice Department. If you want to break the law, you might want to first consider becoming a national bank. 


At the same time that rule-slashing has heightened certain risks (for example, lower capital ratios could increase the risk of bank failures), DOGE and other staffing reduction efforts have shrunk staffing levels across all the banking agencies, meaning the rules that remain on the books may not be enforced. Experienced regulators have retired or been pushed toward the exits, and some younger employees were fired nearly as soon as they were hired. Those who remain may be demoralized and feel stretched thin. 


Even where agencies want to enforce their regulations, the U.S. Supreme Court has made it more difficult for them to do so. In June 2024, in Loper Bright, the Court said that courts may ignore an agency’s rules unless Congress has been unambiguous in directing the agency to take action. In June 2025, in McLaughlin Chiropractic, the Court signaled that it would curtail an agency’s ability to enforce its own rules against rulebreakers. These and other recent decisions mean that many regulatory actions will be vulnerable to challenge in court, even where agencies and industry both may be relying on interpretations stretching back decades.  


Meanwhile, business pressures are mounting. Banks and financial technology companies large and small face increasing competition. Customers demand new, easy-to-use services that require ever-larger technology investments. Consumer delinquency rates are rising. Tariffs pose additional economic uncertainty. And financial institutions of all sizes are in an outright sprint to figure out how to either profit from or fend off the forces of AI and other new technologies, including cryptocurrencies.  


What should a CRO do? Now is the time to evaluate whether a firm’s compliance systems are as efficient and effective as they could be. Processes and systems that were designed to check boxes or appease regulators rather than improve outcomes should be re-evaluated. Good risk and compliance systems remain valuable even in a regulation-light environment because they help banks prevent bad outcomes and understand risk. A financial institution can only price for the risks it knows it’s taking.   


Responsible companies will recognize that despite waning interest from federal regulators, many risks remain. Most laws haven’t changed (regardless of regulators’ enforcement priorities), and states, private plaintiffs, and consumer advocates will remain vigilant. And looking a bit further down the road, the federal regulators’ attention may snap back into focus under a new administration just as quickly as it has faded over the last six months. Future regulators aren’t likely to overlook problems that began today.


Smart CROs will also realize that in this hotbed of change, the biggest threat to their institutions may be heightened risk from inside the company. Eager employees, management, and board members may read the headlines and come to their own (wrong) conclusions about where risk lies. With growing competitive pressure, distracted regulators, and companies seeking optimal performance come incentives to take on more risk. Insiders may take governance shortcuts to speed products to market without proper review or skip disclosures that add “friction” to the sales process. They may turn to unapproved AI tools for marketing or targeting. They may find other ways to override guardrails or even act outside of company policy, especially since the regulators have signaled they may turn a blind eye to all but the most egregious violations.  


It may seem counterintuitive to suggest that a CRO’s job is harder today than it was a year ago. But perceptive companies will see today’s risks for what they are. They should seize the opportunity to re-focus their compliance systems on real risks, without leaving the door open to new ones.



Copyright © 2025 Klaros Group LLC – All Rights Reserved.
