The Evolving Landscape of Privacy, AI, and Cybersecurity in Fintech
The intersection of privacy, cybersecurity, and artificial intelligence (AI) is significantly reshaping risk and regulation in the fintech sector. Recent developments, from AI-powered phishing attacks to fragmented privacy laws, are pressuring fintech companies to reassess their governance and compliance strategies. General counsel and risk leaders must prioritize several key areas to navigate these challenges effectively.
1. Navigating a Patchwork Privacy Regime
Unlike the EU’s General Data Protection Regulation (GDPR), the U.S. privacy landscape is characterized by a patchwork of state and sector-specific laws. The Gramm-Leach-Bliley Act governs non-public financial data at the federal level, but 20 states have enacted comprehensive privacy laws with varied requirements regarding disclosures, consents, and opt-outs. Additionally, numerous standalone state AI laws and biometric laws, such as Illinois’ Biometric Information Privacy Act (BIPA), add to the complexity.
Fintech firms subject to these state privacy laws have adopted two main strategies:
- Uniform strict compliance, such as adopting California standards across all users.
- Tailored compliance based on geography or the business value of data.
Both approaches require a state-by-state gap assessment, particularly for companies using facial recognition or voiceprints, which may trigger obligations under specific state laws.
Action Item: Prioritize a state-by-state legal review and audit your biometric and AI-related data flows.
2. The Rapid Evolution of AI Use and Regulation
AI is increasingly powering credit decisions, onboarding processes, and fraud detection in fintech. However, it is also drawing regulatory scrutiny, particularly regarding bias in automated decision-making, lack of human oversight, and opacity in model logic or training data.
Although the 2023 Biden Executive Order on AI has been repealed, and the House of Representatives has passed the “Big Beautiful Bill,” which aims to prohibit states from enforcing their own AI laws, states such as California and Colorado have enacted AI acts requiring impact assessments and transparency for high-risk applications.
Action Item: Treat AI governance as a legal function by establishing internal review protocols and testing for bias and explainability.
3. Sophisticated Cyber Threats and the Role of AI
AI is being leveraged by threat actors to enhance phishing and social engineering attacks. Emails generated using tools like ChatGPT are nearly indistinguishable from legitimate communications. Future risks include AI capable of autonomously scanning for vulnerabilities or writing malware. Ransomware remains a dominant threat in 2025, with established and new threat actors targeting companies with evolving tactics.
Action Item: Audit your cybersecurity stack to ensure that tools are properly configured, governed, and owned internally.
4. Regulatory Scrutiny and Enforcement
Regulators are escalating enforcement actions despite the lack of a federal playbook. The New York Department of Financial Services (NYDFS) is actively enforcing its cybersecurity regulations and extending its oversight to AI and crypto. The SEC has ramped up breach disclosure and board accountability rules, while state attorneys general and privacy agencies are leveraging broad consumer protection laws in response to cyber incidents.
Action Item: Align your incident response with regulator expectations and ensure that ransomware, breach, and AI risks are modeled and tested.
Final Thoughts
“Your tools are not going to save you. The best prevention is a lawyered approach that combines technology, people, and processes working together.” Fintech companies must move beyond checkbox compliance to effectively manage privacy across multiple states, govern algorithmic bias, and prepare for AI-assisted hacks. Legal teams should lead the charge in aligning business, technology, and risk functions.
For more insights or assistance with privacy, cybersecurity, or AI compliance programs, please reach out to your usual A&O Shearman contact or visit aoshearman.com.