Podcast Summary: GRC & Me
Episode: 2025 Financial Industries and Banking Trends
Date: April 30, 2025
Host: Megan Maneval (hosting live at the Agility Conference, Chicago)
Guests:
- Steph Southard, Chief Security Officer (BCU)
- Donald Rome, Chief Risk Officer (Centurbank)
- Steve Gazellamas, VP Information Security (Bilgo)
Episode Overview
This episode explores key governance, risk, and compliance (GRC) trends facing financial industries and banking in 2025, with a strong focus on AI, regulatory shifts, cybersecurity threats, and the evolving role of risk management teams. Panelists from traditional banking, credit unions, and fintech share hands-on insights into today’s challenges and future opportunities in protecting data and organizational integrity.
Key Discussion Points
1. Myth Busters: AI and Risk Management
[00:30 – 04:38]
- AI Will Eliminate Human Error in Risk Management — Myth:
  - Steve Gazellamas explains that technology cannot remove all human error or risk:
    - “You cannot eliminate risk. So you can mitigate it as much as possible. But at the end of the day, you have to measure this technology just like with any other new technology that comes out. Fortunately, you still need some human interaction with this technology.” – Steve [01:08]
  - Emphasized anxiety/unknowns about AI’s trajectory, referencing cultural fears (“seen the movie…Terminator”).
  - AI is seen as a buzzword; the focus is on smart adoption and maximizing value while policing AI technology internally.
- Avoiding AI Protects Against Hackers — Myth:
  - Steph Southard argues avoidance is not possible:
    - “You can run from it… but it’s going to sneak right up on you. It's everywhere… Your best bet is to go ahead and figure out an adoption plan, making sure you have clear guidelines, making sure you have guardrails.” – Steph [03:46]
  - Importance of proactive engagement with AI to create guardrails/controls.
- Deregulation is No Big Deal — Myth:
  - Donald Rome highlights the dramatic, “near shocking” shift toward deregulation:
    - “...the escalation of this deregulation has been near shocking… Not all deregulation… is good.” – Donald [04:38]
  - While there’s opportunity, prudent self-regulation is essential to avoid latent risks.
2. Regulatory Trends and their Impact on Fintech and Banking
[06:03 – 11:45]
- Fintech Perspective (Steve):
  - Current pressures are less regulatory, more contractual (vendor/client contracts increasingly stipulate AI/data controls).
  - Maturing internal AI programs and balancing adoption with data protection is key.
- Credit Union View (Steph):
  - Regulatory oversight now extends deep into third- and fourth-party risks.
  - Efforts focus on best practices and adapting to new privacy laws, with an emphasis on staying ahead rather than catching up.
- Traditional Banking View (Donald):
  - Deregulation creates business and acquisition opportunities, but also requires robust internal controls.
  - “Governance and good risk practices make good business practices. …We need to self-regulate and keep ourselves in check.” [10:19]
3. Adapting GRC Programs for Emerging Technology (AI, Blockchain, Crypto)
[11:45 – 18:30]
- Donald:
  - Risk management fundamentals remain, but the pace of change is unprecedented.
  - “Is the program sophisticated? Is it mature enough? Does it have the backing…that you can move at the pace that these things are coming in?” [12:09]
- Steph:
  - Identifying "emerging" risks is tricky (e.g., AI is now embedded, not “emerging”).
  - Fraud and phishing have grown more sophisticated due to AI:
    - “AI has made phishing scams…so much more sophisticated. We can no longer tell [people] look for the misspelled word… It’s come such a long way. Now we have deep fakes, clone voices…” [13:31]
  - Difficulty in proactive defense, not just internal, but also protecting members.
- Steve:
  - “Using AI to fight AI”—heavy investment in AI-driven security tools to detect advanced attacks.
  - Fintech’s adoption of crypto remains cautious, often dictated by partner banks’ risk tolerance.
  - “You’re always playing catch up…we are just individual companies trying to protect their assets.” [17:53]
4. Collaborative Security and Intelligence Sharing
[18:25 – 19:24]
- Consensus that security shouldn’t be siloed; adversaries (hackers) have significant resources and agility.
- Steve: “Technically what we try to accomplish…is, hey, have enough to make that hacker go down the street, annoy them…We are going up against countries that are well organized…” [18:49]
5. Practical Advice: Balancing AI Innovation with Risk
[19:52 – 24:37]
- Steph:
  - Advocate for collaborative, committee-based evaluation of AI’s value.
  - Establish clear guidelines and guardrails (e.g., “stay away from PII”).
  - Challenge: people often don’t know what data they’re submitting to AI.
  - Ongoing checks and balances are crucial: “...what you’re doing today…may change, and that may change how you’re interacting with AI…” [19:52]
- Donald:
  - Governance is the foundation.
  - Define what’s in- and out-of-bounds, align with business goals, and avoid chasing AI trends without clear business problems or efficiencies.
  - “If you don’t have the governance… it’s going to be impossible to catch up…” [21:11]
- Steve:
  - Protection of data is paramount; contracts are now written with this as the focus.
  - Awaiting more formal AI regulatory frameworks (NIST, OCC, NCUA, etc.):
    - “Security that you’re doing today is the same security that hasn’t changed over the many, many years in our industry. We’re just modifying it… Security to me always bleeds compliance.” [22:14]
- Megan’s Wrap:
  - “Compliance becomes a byproduct of good risk management and good security… but you might have to go a little deeper with controls” [24:37]
6. AI Governance Solutions and Tools
[24:37 – 26:36]
- Steph on Risk Cloud's AI Governance Module:
  - Excitement about automating governance workflows, integrating committee feedback, and maintaining robust regulatory records:
    - “We’re so excited to be able to put that in place so we don’t have to have our hands around all of the different steps in the process. It can actually just be flowed through the committee… and then we’ll have it on record for our regulators…” [25:24]
  - Importance of adaptable workflows, stakeholder engagement, and control assessments tied into the AI governance process.
Notable Quotes & Memorable Moments
- “You cannot eliminate risk… you still need some human interaction with this technology.” – Steve [01:08]
- “You can run from [AI]…but it’s going to sneak right up on you. It’s everywhere." – Steph [03:46]
- “The escalation of this deregulation has been near shocking.” – Donald [04:38]
- “AI has made phishing scams…so much more sophisticated. We can no longer tell them, look for the misspelled word…It’s come such a long way.” – Steph [13:31]
- “Using AI to fight AI.” – Steve [15:07]
- “Good security bleeds good compliance.” – Steve [22:14]
- “What you’re doing today…may change, and that may change how you’re interacting with AI and your data…always stay on top of that ever changing emerging risk.” – Steph [19:52]
Timestamps for Key Segments
- 00:30 – 04:38: Mythbusters: AI, human error, and deregulation
- 06:03 – 11:45: Regulatory trends and impact on fintech, credit unions, traditional banks
- 11:45 – 18:30: Risk programs adapting to AI, crypto, and digitalization
- 19:52 – 24:37: Advice for balancing AI innovation and risk management
- 24:37 – 26:36: Tools for AI governance and Risk Cloud module discussion
Tone and Takeaways
The tone throughout is open, realistic, and pragmatic—balancing optimism for innovation with sober assessments of risk. The panelists emphasize collaboration, the need for proactive governance, and the value of sharing intelligence across the financial sector. Their candor about persistent threats (“fighting the good fight”), along with practical advice and references to industry-leading tools, makes this an invaluable listen for financial services GRC professionals looking ahead to 2025 and beyond.
