The simultaneous arrival of three significant regulatory frameworks – the Markets in Crypto-Assets (MiCA) Regulation, the Digital Operational Resilience Act (DORA), and the EU Artificial Intelligence (AI) Act – presents a complex compliance landscape for financial services firms. While these regulations aim to bolster security, consumer protection, and responsible innovation, a critical gap exists: the absence of a unified governance architecture to encompass all three. This oversight leaves institutions grappling with the challenge of ensuring accountability and control in increasingly convergent technological environments, a situation exemplified by the hidden costs of rapid innovation outpacing regulatory oversight.
A recent case study highlighted this precarious balance. An institution had invested 18 months in integrating smart contract settlement, decentralized finance (DeFi) protocols, and AI-driven risk models. Externally, the operation appeared successful, with systems functioning and revenue growth evident. However, a supervisor’s inquiry into the legal entity responsible for an AI model routing assets through an unaudited protocol revealed a significant governance deficit. Responsibility was fragmented across three distinct teams, with no single entity possessing end-to-end oversight of the logic. The AI model, validated at its inception, had become detached from the underlying protocols, which had undergone multiple updates. Furthermore, jurisdictional discrepancies between the client-facing entity and the AI engine obscured crucial visibility, demonstrating how the speed of innovation can erode the ability to govern effectively.
The Regulatory Collision and the Governance Void
The European Union has proactively addressed distinct areas of emerging financial technology and digital operations through these landmark regulations, yet their convergence has not been explicitly managed.
MiCA (Markets in Crypto-Assets Regulation): Fully applicable to crypto-asset service providers (CASPs) across the EU, MiCA establishes the first continent-wide licensing, custody, and conduct requirements for crypto assets. This framework aims to create a level playing field and enhance investor protection within the rapidly evolving digital asset market.
DORA (Digital Operational Resilience Act): Effective from January 2025, DORA mandates robust information and communications technology (ICT) risk management, incident reporting, and comprehensive third-party oversight. Critically, DORA’s provisions extend to CASPs authorized under MiCA, creating a direct link between the two regulatory regimes. This ensures that entities operating within the crypto space are also subject to stringent operational resilience standards.
EU AI Act: This regulation is progressively implementing risk-based obligations for high-risk AI systems. Key requirements include the establishment of risk management systems, stringent data governance practices, detailed technical documentation, and mandatory human oversight. For financial institutions leveraging AI in decision-making, client interaction, or risk assessment, compliance with the AI Act is paramount.
The challenge for financial services firms lies in the fact that each of these frameworks operates independently, without a consolidated governance blueprint. An institution involved in asset tokenization, providing access to DeFi protocols, and employing AI for client-facing decisions must meticulously comply with all three. This necessitates the development of internal governance structures that bridge the gaps left by the separate regulations.
The broader international regulatory landscape further underscores the complexity. The International Organization of Securities Commissions (IOSCO) has issued DeFi recommendations urging jurisdictions to identify responsible parties behind decentralized arrangements. Concurrently, the Basel Committee on Banking Supervision’s prudential framework for crypto-asset exposures is integrating crypto risk into formal capital and disclosure requirements for globally active banks. The Financial Action Task Force (FATF) continues to highlight the persistent challenge of identifying individuals exercising control over DeFi activities. This multi-directional expansion of the supervisory perimeter demands a holistic approach to compliance.
Where Governance Truly Breaks Down
Effective governance for these convergent systems begins with a granular understanding of an institution’s operational activities. This involves creating an "activity map" that details:
- Product Offerings: What financial products and services are being provided?
- Client Base: Who are the target clients and what is their risk profile?
- Legal Entities: Which specific legal entities are involved in each activity?
- Protocols: Which blockchain or DeFi protocols are being utilized?
- AI Models: What AI models are in operation and for what purpose?
- Data Sources: What data is being fed into these systems?
- Third-Party Dependencies: Which external vendors or service providers are involved?
- Asset Custody: Where are client assets held?
- Transaction Flows: How and where does money move?
Without the ability to clearly delineate and visualize these elements, effective governance becomes impossible. The National Institute of Standards and Technology (NIST) AI Risk Management Framework, with its four core functions – govern, map, measure, and manage – offers a useful structural backbone. However, its efficacy hinges on the reality of data lineage. In AI and DeFi environments, data serves as the de facto control environment.
The inability to trace the origin of data, its transformation, and the subsequent decisions it informed renders an institution incapable of defending its actions to supervisors. Furthermore, a robust governance framework must include a mechanism for immediate intervention, not merely an escalation path that terminates in a committee meeting. This means possessing a genuine ability to pause an AI model, freeze a specific feature, or restrict access to a protocol before the next transaction is cleared. While many firms can approve a new product within weeks, halting an operation under pressure often proves a protracted and challenging process.
"Trustless" Does Not Mean Unaccountable
The term "trustless" accurately describes the underlying mechanism of many blockchain protocols, indicating that transactions can be settled without relying on a central intermediary. However, this characteristic says nothing about the accountability of the firm that connects its clients and custodial infrastructure to these protocols.
The critical practical question for financial institutions revolves around identifying and controlling key touchpoints within their operations. These include:
- Client Onboarding: Where do clients enter the system? Who performs the necessary screening?
- Access Provision: Which legal entity grants access to services and protocols?
- Asset Handling: Where are client assets stored and managed?
- Smart Contract Interaction: Which smart contracts are being engaged with?
- Contingency Planning: What measures are in place for liquidity shortages, protocol exploits, or sudden sanctions?
- Intervention Capabilities: Who has the authority to halt operations, and how rapidly can this be executed?
A common, yet flawed, argument encountered is that firms do not control the underlying protocol, thereby absolving themselves of responsibility. While a regulated firm may not control the Ethereum network, it unequivocally controls its decision to route clients, assets, and regulated services through it. The U.S. Treasury’s DeFi risk assessment directly addressed this, noting that the points of interaction between regulated entities and decentralized protocols establish the "accountability surface," irrespective of the protocol’s inherent architecture. Consequently, due diligence, approved protocol lists, smart contract audits, wallet screening, sanctions compliance, concentration limits, and incident response playbooks are not optional; they are essential prerequisites for participation.
AI Operating Within the Control Perimeter
A fundamental principle for managing AI in financial services, particularly when interacting with decentralized infrastructure, is to establish stringent pre-execution controls. My recommended rule is that no execution, asset movement, exposure approval, or interaction with DeFi infrastructure should occur without clearly answering six critical questions:
- Data Inputs: Precisely what data does the AI model utilize?
- Behavioral Analysis: How does the model perform under stress and adversarial conditions?
- Permitted Actions: Are the model’s authorized actions clearly defined, limited, and enforced?
- Human Intervention Points: Where are the opportunities for human oversight and intervention?
- Decision Reconstruction: Can every decision made by the model be reconstructed retrospectively?
- Drift Monitoring: How is model drift monitored once it is live, acknowledging that models evolve with changing data, markets, and client behaviors?
Article 17 of the EU AI Act mandates quality management systems for providers of high-risk AI. This aligns with principles already established in rules such as the U.S. Securities and Exchange Commission (SEC) Rule 15c3-5, designed for traditional broker-dealer market access. That rule emphasizes the necessity of documented pre-trade controls, supervisory procedures, and clear system ownership for automated market access. These principles become even more critical when automated systems are making decisions concerning client funds on decentralized infrastructure.
Model validation should not be a one-time event. Progressive firms treat model versioning akin to software engineering, where every new data source or retraining cycle necessitates a fresh approval process. If an institution cannot clearly explain a model’s decision-making process to a regulator, that model should not be entrusted with making such decisions.
Furthermore, the remediation process following a model or smart contract failure differs significantly from addressing manual process errors. It involves disentangling a system that may have propagated an error across all its operations. The existence of a comprehensive audit trail – including logs, inputs, outputs, model versions, code versions, and deployment records – is crucial before a failure occurs. Simply attributing a failure to "the model" will not satisfy supervisors. Instead, they will demand explanations regarding who approved the model, how it was tested, which controls failed to detect the issue, and which clients were impacted.
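The control set described in the preceding sections (approved protocol list, wallet screening, concentration limits, enforced permitted actions, a human intervention point, a kill switch that bites before the next transaction, and an audit trail carrying model and code versions) can be built as a single pre-execution gate. The following is an added illustration, not code from the article or from any vendor or regulator; every protocol name, wallet address, limit, threshold and model version in it is a constructed placeholder, and the "book" is a single in-memory total standing in for a real exposure ledger.

```python
"""Pre-execution control gate for an AI model routing client assets to DeFi
protocols, with a hash-chained audit trail for decision reconstruction.
Added example; all governance data below is constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal

# Constructed reference data (assumed, not taken from any real registry).
APPROVED_PROTOCOLS = {"lending-pool-v3": "audit-ref-2025-03"}    # protocol -> audit reference
SCREENED_WALLETS = {"0xblocked0000000000000000000000000000000001"}  # placeholder screening list
ACTION_LIMITS = {"supply": Decimal("250000"), "swap": Decimal("100000")}  # EUR per action
CONCENTRATION_LIMIT = Decimal("0.20")        # max share of the book in one protocol
HUMAN_REVIEW_THRESHOLD = Decimal("100000")   # at/above this a named approver is required
APPROVED_MODEL_VERSIONS = {"risk-router": {"2.1.0"}}  # versions that passed approval
GENESIS_HASH = "0" * 64


@dataclass
class ProposedAction:
    model: str
    model_version: str
    code_version: str
    action: str
    protocol: str
    counterparty_wallet: str
    amount_eur: Decimal
    inputs: dict            # data the model relied on, kept so the decision can be rebuilt


@dataclass
class ControlState:
    halted_models: set = field(default_factory=set)    # kill switch, per model
    frozen_actions: set = field(default_factory=set)   # freeze one feature
    book_total_eur: Decimal = Decimal("1000000")       # constructed book size
    exposure_by_protocol: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def record(self, payload: dict) -> dict:
        """Append an entry whose hash covers its content and the previous entry's hash."""
        prev = self.audit_log[-1]["hash"] if self.audit_log else GENESIS_HASH
        payload = dict(payload, prev_hash=prev)
        entry = dict(payload, hash=_digest(payload))
        self.audit_log.append(entry)
        return entry


def _digest(payload: dict) -> str:
    canonical = json.dumps(payload, sort_keys=True, default=str)
    return hashlib.sha256(canonical.encode()).hexdigest()


def evaluate(p: ProposedAction, state: ControlState, human_approver: str | None = None) -> dict:
    """Run every check before execution and record the outcome. The caller may
    execute only when the returned entry's decision is "ALLOW"."""
    reasons = []
    if p.model in state.halted_models:                   # intervention checked first
        reasons.append("model halted by kill switch")
    if p.action in state.frozen_actions:
        reasons.append(f"action '{p.action}' is frozen")
    if p.model_version not in APPROVED_MODEL_VERSIONS.get(p.model, set()):
        reasons.append(f"model version {p.model_version} not approved")
    if p.protocol not in APPROVED_PROTOCOLS:             # approved protocol list
        reasons.append(f"protocol '{p.protocol}' not approved")
    if p.counterparty_wallet.lower() in SCREENED_WALLETS:  # wallet screening
        reasons.append("counterparty wallet on screening list")
    limit = ACTION_LIMITS.get(p.action)                  # permitted actions, enforced
    if limit is None:
        reasons.append(f"action '{p.action}' not permitted")
    elif p.amount_eur > limit:
        reasons.append(f"amount {p.amount_eur} exceeds per-action limit {limit}")
    current = state.exposure_by_protocol.get(p.protocol, Decimal("0"))
    if (current + p.amount_eur) / state.book_total_eur > CONCENTRATION_LIMIT:
        reasons.append("concentration limit breached")
    if p.amount_eur >= HUMAN_REVIEW_THRESHOLD and human_approver is None:
        reasons.append("human approval required above threshold")
    decision = "ALLOW" if not reasons else "BLOCK"
    entry = state.record({
        "ts": datetime.now(timezone.utc).isoformat(),
        "model": p.model, "model_version": p.model_version, "code_version": p.code_version,
        "action": p.action, "protocol": p.protocol, "wallet": p.counterparty_wallet,
        "amount_eur": str(p.amount_eur), "inputs": p.inputs,
        "approver": human_approver, "decision": decision, "reasons": reasons,
    })
    if decision == "ALLOW":
        state.exposure_by_protocol[p.protocol] = current + p.amount_eur
    return entry


def verify_audit_trail(state: ControlState) -> bool:
    """Recompute the chain; an edited or removed entry breaks verification."""
    prev = GENESIS_HASH
    for entry in state.audit_log:
        payload = {k: v for k, v in entry.items() if k != "hash"}
        if payload["prev_hash"] != prev or _digest(payload) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

The design point is that the kill switch and feature freeze are evaluated inside the same gate as every other control, so pausing a model is a one-line state change that takes effect on the very next proposal rather than an escalation that ends in a meeting. Each audit entry carries the model version, code version, inputs, approver and the full list of reasons, which is what a supervisor reconstructing a decision will ask for; chaining the hashes means a later edit to any record is detectable.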
The 2027 Prognosis: A Controlled and Accountable Governance Perimeter
Over the next two years, supervisory scrutiny is expected to intensify in several key areas:
- Custody and Client Asset Protection: Ensuring the secure safeguarding of client assets within complex digital ecosystems.
- Liquidity and Concentration Risk under Stress: Assessing an institution’s resilience during periods of market volatility and concentrated risk.
- Operational Resilience: Maintaining robust operations across evolving technology landscapes, including blockchain disruptions.
- Model Accountability: Verifying real-world validation and meaningful human oversight for AI models.
- Cross-Border Clarity: Establishing clear lines of responsibility for legal entities operating across different jurisdictions.
The UK’s Financial Conduct Authority (FCA) discussion paper DP25/1 already signals the UK’s intent to integrate crypto activities within its regulatory perimeter. This trajectory is consistent globally, despite variations in implementation timelines.
By 2027, the defining question for any institution operating at the intersection of these emerging technologies will be its ability to demonstrably prove, both in real-time and retrospectively, that every automated decision, asset movement, and client exposure was contained within a controlled, explainable, and accountable governance perimeter. This includes clearly identifying who approved the model, who validated the data, who tested the smart contract, and who possessed the authority to halt operations.
Institutions that proactively address these governance gaps will be instrumental in shaping the future of the financial services landscape. Those that fail to do so risk learning about the consequences through enforcement actions.
