Patrick Montagner
ECB representative to the Supervisory Board
  • SPEECH

Encouraging innovation, managing risks: the ECB’s approach to digital transformation

Keynote speech by Patrick Montagner, Member of the Supervisory Board of the ECB, at the 10th Annual FinTech and Regulation Conference

Brussels, 3 February 2026

Good morning and thank you for inviting me to speak at this important conference on digital finance and regulation.

Let me start with a provocative statement: the greatest risk facing European banks today may be the innovations they fail to pursue.

Innovation is a key driver of economic growth and productivity. In banking, as in other sectors, standing still means falling behind. As supervisors, we therefore welcome banks’ efforts to innovate and invest, but we also want to see innovation that strengthens the financial system and supports the economy, and to avoid innovation that exploits differences in regulatory treatment.

Powerful transformation is in fact already taking place: artificial intelligence is supporting credit decisions and fraud detection, tokens representing deposits and securities are moving from concept to reality, and digital payment systems are evolving rapidly. At the same time, traditional banks often feel shielded from these changes by regulation, physical branch networks and established customer bases. But this model is becoming increasingly vulnerable. Banks face intensifying competition from neobanks, fintechs and big tech firms that build fully digital services without legacy constraints.

Banks must therefore innovate. The key question is how we encourage the right kind of innovation – innovation that creates value, strengthens resilience and serves the economy – while managing the associated risks and preserving financial stability.

Today, I would like to make four points. First, innovation is essential and requires sustained investment. Second, AI adoption is accelerating, and governance must keep pace with increasingly sophisticated systems. Third, tokenisation and digital assets require strategic thinking. And fourth, regulation enables innovation by creating a common language for managing risks – particularly the interconnected risks related to cybersecurity, AI and third-party dependencies.

Innovation drives economic growth and warrants strategic investment

First of all, innovation is essential. Research consistently shows that innovation, especially the adoption of new technologies, is a key driver of productivity growth and economic competitiveness.[1] For European banks in particular, digital transformation is critical to remaining competitive in global markets.

In banking, we see that innovation often comes from outside the sector, for example from large US-based tech firms. Fintechs and neobanks that are not held back by legacy systems can build fully digital solutions from scratch, often disrupting well-established banking business models. And large technology companies draw on their vast, global customer base and technological capabilities to start offering financial services, mostly via payment services.

Traditional banks often feel protected by barriers to entry, such as regulatory licences, branch networks and their own customer bases. But this model is becoming increasingly vulnerable. Competition is intensifying and customer expectations are evolving rapidly.

As supervisors, we encourage investment in innovation in all its forms, but it should be well governed, soundly managed and aligned with banks’ risk appetite and strategic objectives. This is all the more important as our internal analysis shows that banks’ investment in digitalisation is positively correlated with both higher costs and higher profitability.

With this in mind, I would like to focus on two technologies that illustrate both the opportunities and the challenges of innovation: artificial intelligence and decentralised finance through tokenisation. Of course, they are not the alpha and omega of technologies capable of disrupting the financial sector. Cloud computing, quantum computing and advanced data analytics also have transformative potential, and the principles I will outline today apply to these too.

AI is being adopted rapidly and governance must keep pace

AI applications extend far beyond generative AI and require robust governance

Today, over 85% of the banks we supervise are using AI. The adoption of generative AI in particular is accelerating in IT operations, legal and document analysis and frontline applications – these are the most common use cases we are seeing.

Recently, we ran some workshops with banks that are using AI in credit scoring and fraud detection. These banks believe they are equipped to reap the benefits of AI while prudently managing the risks, building on their existing governance frameworks and risk modelling capabilities.

But significant gaps remain. Many banks still need to update their risk management frameworks to address AI‑specific challenges, including robust data quality controls, explainability of AI output, model governance across the full life cycle and clear accountability for AI‑driven decisions.

AI systems can respond in concerning ways that governance frameworks need to address

Recent research, for example, has shone a light on a specific concern in the area of governance known as “reward hacking”. In short, advanced AI systems can start to respond in unexpected ways that undermine their intended purpose. The company Anthropic has documented cases where AI systems, when given specific objectives, find ways of scoring highly in their performance metrics without actually completing the underlying task they were designed to perform.[2] The system appears to be working correctly during testing, but is in fact exploiting loopholes in how its performance is measured.

For banks using AI at scale, this means governance frameworks cannot simply rely on initial testing and validation. They need ongoing monitoring, robust oversight mechanisms and human accountability for AI-driven decisions throughout the entire period that the system is operational. Banks must ensure that AI systems go beyond optimising narrow metrics and genuinely achieve the intended outcome, whether that is accurately assessing credit risk, effectively detecting fraud or providing appropriate customer service.

So, when banks use AI to become more efficient and to innovate, they need to adopt strategies that reflect both the opportunities and the risks, supported by robust governance and risk controls.

Concentration in AI providers creates systemic dependencies

Another concern relates to strong market concentration. Generative AI models are often sourced from just a handful of major non-EU providers. This exposes banks using AI to geopolitical risk and potential concentration risks – including in terms of operational resilience and data protection – that supervisors cannot ignore.

We are building on the momentum created by the implementation of the AI Act to ensure that banks embrace new technologies prudently from the outset – before their use becomes systemic. The financial sector is already subject to governance supervision, which provides a strong foundation for implementing the AI Act. This implementation process offers opportunities to enhance coordination between prudential supervisors, market surveillance authorities and the European Banking Authority. At the ECB we are actively contributing to this coordination effort.

And we are also using our own experience of supervisory technology, or suptech for short, which gives us practical insights into both the opportunities and the challenges that AI presents.

Tokenisation offers opportunities but requires careful risk assessment and strategic planning

I would also like to highlight tokenisation. Tokenisation involves using technologies such as cryptography and distributed ledgers to record assets digitally as tokens. These tokens can represent traditional financial assets, such as securities and deposits, physical assets like real estate, or entirely new types of value, such as tokens without an issuer.

Tokenisation is still only happening on a small scale, but it is growing. It has the potential to improve operational efficiency and to open up new strategic opportunities for banks, which can act as trusted intermediaries in tokenised markets.

But banks getting involved in tokenisation should be doing so as part of a comprehensive strategy. They need to decide whether to build up capabilities in house or to rely on partners and service providers, taking into account the significant upfront and continued investment required. And they need to make these strategic choices in line with their risk appetite and risk management capabilities.

Tokenised deposits and stablecoins serve different purposes with different risk profiles

Within tokenisation, we need to distinguish between two types of application with very different risk profiles.

Tokenised deposits are simply deposits recorded on a distributed ledger rather than a traditional centralised ledger. As such, they preserve banks’ funding and lending capacity. And because they are deposits, they are subject to contractual arrangements that customers know and trust. They may have the potential to ensure interoperability, enable programmable payments and even enhance operational efficiency for repo and securities settlement using distributed ledger technology.

Stablecoins, meanwhile, are a different category of digital asset. US dollar-denominated instruments comprise much of the global stablecoin market, while the volume of euro-denominated stablecoins remains very small. In Europe and in various developed economies with efficient payment systems, they currently offer limited use cases, mostly within the crypto ecosystem or for international payments. The very features of stablecoins leave them inherently exposed to liquidity risks and operational risks – in particular cyber risks and compliance risk related to money laundering. Banks that are issuing stablecoins or taking deposits from stablecoin issuers need to ensure that such activities are aligned with their risk appetite and strategy. They also need to have adequate governance arrangements and internal controls in place, especially sound risk management practices.

Overall, banks should continue to harness the innovative potential of digitalisation, including the tokenisation of traditional assets such as deposits and securities, and well-designed, regulated euro-denominated stablecoins. At the same time, the ECB will continue to carefully assess the risks and long-term implications for the monetary and financial system.

Three supervisory principles guide our assessment of tokenisation

As supervisors, we keep three considerations in mind when assessing tokenisation activities.

First, we strive to ensure consistent implementation of international standards. This is essential to prevent regulatory fragmentation, maintain a level playing field and ensure coordinated responses to cross-border risks.

Second, while we encourage innovation through pilot projects, banks should not experiment for experimentation’s sake. They should put forward realistic business cases for pilots and carry out a thorough cost-benefit analysis to assess their impact on business models and profitability. It is also important for banks to determine whether an authorisation framework at national or EU level applies to an innovation pilot.

Third, we expect traditional and tokenised solutions to operate side by side. Digital transformation is unlikely to be a winner-takes-all scenario, and co-existence is necessary for digital operational resilience, at least in the medium term, and also to mitigate risks to financial stability.

The digital euro will also foster innovation in the European Union

The digital euro project aims to make central bank money available to the public in digital form. It will foster innovation in the European Union by combining the safety of cash with the efficiency of electronic payments and offer features such as online and offline use, strong privacy safeguards and instant settlement across the euro area.

As a digital payment option that is free, safe and easy to use everywhere in the euro area, the digital euro will complement cash and existing private sector solutions. It will also reduce Europe’s dependence on international card schemes and non-European digital payment wallet providers.

The digital euro will enable banks to enhance and scale up their payment services at reduced cost. Moreover, it will foster innovation by providing an open acceptance network and standards that private European initiatives can leverage to increase their commercial appeal and achieve pan-European reach.[3]

Regulation enables innovation by creating a common language for risk

This brings me on to a crucial point about the role of regulation in managing the risks associated with innovation.

Regulation – whether in the form of the Digital Operational Resilience Act (DORA)[4], the Markets in Crypto-Assets Regulation (MiCAR)[5], the Artificial Intelligence Act[6] or other frameworks – aims to ensure that everyone involved – whether banks, supervisors or consumers – speaks the same language and has a shared understanding of the risks involved.

This common understanding is crucial for financial stability. As such, regulation allows supervisors to assess risks consistently across institutions and enables banks to benchmark their practices against peers. It also facilitates information sharing among banks and with supervisors about threats and vulnerabilities. And when systemic risks emerge, it provides the foundation for a coordinated response.

Let’s take a look at DORA, which became applicable across the European Union in January 2025. DORA forms the basis for managing interconnected risks in a systematic way by shining a light on where these risks compound. It does this, for example, through its unified incident reporting framework, which makes it easier to identify patterns across borders previously difficult to spot under fragmented national rules. DORA requires banks to provide information on contracts with third-party providers in ICT registers, offering a holistic view of dependencies. And it also introduces an oversight framework for critical third-party providers.

The reality is that cybersecurity, AI and third-party risks are all interconnected and cannot be managed in isolation.

Digital fraud is a perfect illustration of this. In a recent joint report on payment fraud, the ECB and the European Banking Authority found that payment fraud reported by industry across the European Economic Area amounted to €4.2 billion in 2024.[7] This figure shows that digital fraud is a very concrete supervisory concern, as it entails a real loss of value, with the potential to damage trust in digital payments.

If we look at the patterns of fraud reported, we can see that manipulation of payers accounted for over half of fraudulent credit transfers. This typically takes the form of social engineering enabled by cyber capabilities. Card fraud predominantly occurred remotely using stolen credentials, often from data breaches at third parties. And the fact that most transactions were domestic while the majority of fraud took place across borders underlines just how interconnected our financial system has become.

This demonstrates why it is crucial to share information about threats sector-wide. Most parts of the sector face threats to their IT systems, so they have much to gain in terms of resilience by handling these collectively.

Banks also need robust protection against physical damage and hybrid threats that can affect operational resilience. This means implementing measures to ensure safety across multiple threat vectors.

More broadly, banks report increased dependence on third-party providers for critical functions. In particular, high levels of reliance on non-EU providers are a weak spot for banks and could make them vulnerable should escalating geopolitical tensions lead to disruptions in service provision. From a supervisory perspective, it is important that banks adopt comprehensive and forward-looking approaches to managing geopolitical risks. That’s why we encourage them to check the adequacy of their existing intelligence gathering and risk scenario analysis processes and to strengthen them where needed.

If we are to achieve system-wide resilience, traditional infrastructure and back-up systems need to be available to provide continuity during disruptions. And these safeguards need to be tested regularly. Our 2024 cyber resilience stress tests already highlighted the importance of these kinds of exercises.[8]

Conclusion

Let me bring these themes together.

Innovation is essential for banks to remain competitive and for the European economy to grow. If banks do not adopt modern digital systems, the sector’s capacity to respond to competitive pressures from neobanks and large technology companies may diminish, potentially reducing revenues and leaving it more vulnerable to shocks. Reliance on outdated systems may also heighten banks’ exposure to cyberattacks and data breaches.

Indeed, the technologies we discussed today offer enormous potential. AI can dramatically improve decision-making, fraud detection and customer service. Tokenisation and smart contracts can revolutionise settlement, reduce friction and enable new business models. The digital euro, too, will provide European banks with infrastructure for digital payments that reduces strategic dependencies and fosters innovation.

But these technologies also create risks for individual institutions and for financial stability. They may give rise to real challenges, such as concentration in technology providers, sophisticated cyber threats enabled by AI, or complex dependencies across third parties, all of which require robust governance and forward-looking risk management.

To fully harness the benefits of innovation, which has already improved cross-border operations, we need to further promote integration and harmonisation within the Single Market. This will allow banks to build on these advancements, achieving greater integration and real economies of scale.

Regulation already gives us a foundation and a common language for managing these risks consistently. DORA, MiCAR and the AI Act create shared understanding, enable coordination and forge collective resilience.

In 2026 we will continue monitoring AI, with a focus on generative AI applications. We will deepen our assessment of third-party dependencies, particularly concentration in critical service providers. And, building on DORA, we will strengthen our work on operational resilience.

The banking sector is undergoing a transformation. And European banking supervision is moving with it by taking a supervisory approach that enables banks to be both stable and innovative.

  1. See, for example, the page entitled “Productivity and innovation in regions” on the Organisation for Economic Co-operation and Development’s website.

  2. Anthropic (2025), “From shortcuts to sabotage: natural emergent misalignment from reward hacking”, 21 November.

  3. Cipollone, P. (2025), “The digital euro: a collective step forward for Europe”, introductory statement at the Committee on Economic and Monetary Affairs of the European Parliament, Brussels, 17 November.

  4. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act) (OJ L 333, 27.12.2022, p. 1).

  5. Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (Markets in Crypto-Assets Regulation) (OJ L 150, 9.6.2023, p. 40).

  6. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024).

  7. European Banking Authority and European Central Bank (2025), 2025 report on payment fraud, December.

  8. European Central Bank (2024), “ECB concludes cyber resilience stress test”, press release, 26 July.
