FINMA's Amstad on the AI Cyber Threat: Why Banks Must Adopt Supervisory Tech Now

Global financial regulators are racing to build their own technological defenses as artificial intelligence dramatically escalates cyber threats to the banking system. The message from Switzerland's top financial watchdog is clear: adopt supervisory AI tools now, or risk being overwhelmed.

Amstad's Reuters Interview: A Call to Action

In a Reuters interview published June 26, 2026, FINMA President Marlene Amstad said banks and financial sector watchdogs must move quickly to adopt new technology to plug system vulnerabilities as AI "supercharges" cybersecurity risks . She made the remarks immediately following an initial hackathon designed to build new supervisory tools for market watchdogs.

Amstad's warning was not abstract. Models that detect software vulnerabilities have recently pointed to surging cyberattack and national security risks, with AI raising the stakes significantly . The core problem, as FINMA has documented, is structural: many important institutions outsource central IT systems to a small number of service providers, making the entire system extremely vulnerable to cascading failures .

The IOSCO SupTech Forum and Hackathon

FINMA played a central role in establishing a dedicated IOSCO forum on supervisory technology (SupTech) in 2026, with Amstad serving as its chair . The initiative launched with a hackathon bringing together around 100 policy and technology specialists to build new tools for supervising cryptocurrency markets . This forum sits within the International Organization of Securities Commissions (IOSCO), the global standard-setting body that brings together securities regulators from more than 130 countries covering over 95% of the world's securities markets .

IOSCO's Supervisory Toolkit for AI

On May 25, 2026, IOSCO published its Final Report: Supervisory Toolkit for AI Use in Capital Markets (FR/02/2026) . The toolkit provides practical, non-binding supervisory tools covering the full AI lifecycle — from traditional Machine Learning models to Generative AI and emerging agentic AI techniques . It sets out three core components:

1. Potential risk areas meriting supervisory consideration
2. Tools for supervisory oversight covering governance and risk management, third-party and outsourcing risk management, disclosure, and recordkeeping and reporting
3. Indicators for monitoring AI adoption and use, alongside engagement strategies

IOSCO Board Chair Jean-Paul Servais said supervisors need "practical and proportionate tools to assess emerging risks while supporting innovation and safeguarding market integrity and investor protection" .

The Mythos Dilemma: Systemic Risk vs. Access

A critical tension emerged in April 2026 when FINMA classified the uncontrolled availability of Anthropic's Mythos AI model as a systemic risk for Switzerland's financial system if given directly to banks . A FINMA spokesperson explained that in such a scenario, "virtually all existing software systems could simultaneously be affected by a multitude of previously unknown zero-day vulnerabilities, which would be exploited immediately and via AI" .

Yet Amstad's position is not to block access entirely. She has stressed that Switzerland must retain access to the most advanced AI models — the other side of her systemic-risk warning. While uncontrolled immediate access to Mythos is dangerous, she advocates for managed, ongoing access so Swiss financial institutions are not cut off from frontier AI capabilities . This dual imperative defines her approach: deploy supervisory AI tools urgently while securing controlled access to cutting-edge models.

U.S. Banking Regulators: Every Exam Is Now an AI Interrogation

The regulatory shift is not confined to Europe. U.S. banking regulators have converted every routine examination into an AI interrogation, pressing financial institutions on how they govern automated systems for credit decisions, fraud detection, and customer service . The Federal Reserve, OCC, and FDIC are scrutinizing:

• AI systems' data access and privacy controls
• Human oversight and kill switches for AI tools
• Vendor risk and exit strategies for AI breaches

Federal Reserve Governor Michelle Bowman confirmed in a May 2026 speech that supervisors are engaging with banks to ensure AI is deployed responsibly and effectively, noting that the Fed, OCC, and FDIC recently amended model risk management guidance to clarify it does not apply to generative or agentic AI .

This creates a structural paradox: the same agencies conducting these intensive AI examinations issued new guidance in April 2026 that explicitly excludes generative and agentic AI from existing model risk management rules — precisely the systems banks are most rapidly adopting .

The Regulatory Landscape: What's Confirmed and What's Not

The following table summarizes the fact-checked status of the key developments discussed:

Development	Status	Source Confidence
Amstad Reuters interview — banks must adopt AI tools vs cyber threats	Confirmed	High
IOSCO dedicated SupTech forum established 2026	Confirmed	High
Hackathon — 100 specialists building crypto supervision tools	Confirmed	High
IOSCO May 25 final report: Supervisory Toolkit for AI	Confirmed	High
U.S. regulators pressing banks to map AI in high-risk areas	Confirmed	High
FINMA: Mythos uncontrolled access = systemic risk	Confirmed	High
Amstad: Switzerland must retain access to advanced AI	Confirmed	High
Hong Kong SFC warning about AI-enabled attacks	Not found in sourced material	—
FSB call for tighter controls on agentic AI	Not directly sourced	—
U.S. ordered Anthropic to suspend Mythos/Fable exports	Partially sourced — FINMA confirms Mythos risk; specific export order not independently confirmed	Medium

The Bottom Line: A Dual Imperative

Amstad's core message represents a dual imperative for the global financial system: deploy supervisory AI tools urgently to counter AI-powered cyber threats, while securing controlled, safe access to cutting-edge models rather than walling them off entirely. This strategy is being operationalized through the IOSCO SupTech Forum she chairs, a 100-person crypto-supervision hackathon, and the May 2026 AI supervisory toolkit. The U.S. parallel is a simultaneous crackdown, with regulators converting every bank exam into an AI governance review — even as they acknowledge that current model risk rules don't fully cover the most advanced AI systems banks are adopting.