Are Regulators Now The Heroes of Finance?

With a career spanning over two decades at the confluence of banking, technology, and regulatory affairs, Priya Jaiswal has a unique vantage point on the digital transformation of finance. She has witnessed firsthand the shift from a culture where innovation was stifled by institutional inertia to one where regulators are often the primary catalysts for change. In our conversation, we explored the deep-seated legacy challenges that create “spaghetti” within major banks, the delicate dance between progress and protection in the age of AI, and why a firm but transparent regulatory hand is not a hindrance but a vital guide into the future.

You describe how “The regulator will never permit it” was once a common roadblock, yet you credit them for pushing API-first architecture. Could you share an anecdote of this dynamic in action and explain, step-by-step, how that regulatory push ultimately benefited an institution that was initially resistant?

I remember a specific instance at a large incumbent bank where the tech team was desperately trying to get funding to build out a modern, API-driven core. The business, however, kept shutting it down, and their ultimate defense was always, “The regulator would never approve opening up our systems like that. It’s too risky.” They saw the core system as a fortress, and APIs were seen as punching holes in the walls. Then, the regulatory mandate came down, forcing them to open up access for third parties. The initial reaction was pure panic and resentment; it was viewed as a massive, expensive compliance exercise. But once they were forced to build that API architecture, a light went on. They suddenly realized they could use those same APIs to rapidly build new features for their own mobile app, partner with fintechs to offer novel products, and streamline internal processes that had been clunky for years. The regulatory push didn’t just force a compliance change; it dragged them, kicking and screaming, into a more agile and competitive future they were too afraid to build for themselves.

You compellingly connect organizational “spaghetti and archaeology” to the business’s historical demand for immediate, visible returns. Can you walk me through the typical lifecycle of a decision like this, from the initial push for “bling” to the long-term operational costs and risks that accumulate over time?

It’s a story I’ve seen play out countless times. It starts in a boardroom where the business feels pressure to launch a flashy new product or a slick user interface to compete with a new challenger. They want that “bling” and they want it in six months. The tech team comes back and says, “To do this properly, we need to modernize the underlying legacy platform, which will take two years and cost millions.” The business immediately balks. The return on that investment isn’t immediate or visible enough. So, they push for a workaround: build a shiny new application that sits on top of the old system, a “wrapper” that essentially translates new requests into a language the old core can understand. In the short term, it’s a win. The new feature launches, and everyone celebrates. But then the rot sets in. Every small update to the new app requires complex, fragile changes to the wrapper. The old system, which was never designed for these real-time demands, starts to buckle, causing outages. Soon, you have a tangled mess where no single person understands the entire data flow, and the operational risk is immense. That initial decision to prioritize visible bling over foundational strength creates a decade of technical debt, slowing all future innovation to a crawl.

You highlight agentic commerce as a new frontier lacking regulatory rails for KYC and fraud accountability. Looking ahead, what are the first few crucial steps regulators should take to build these guardrails, and how can they balance consumer protection with the need to foster continued innovation in AI?

This is one of the most pressing challenges we face. The first crucial step is to establish a clear framework for accountability. Right now, if your AI agent books the wrong flight or gets scammed, who is responsible? Is it you, the platform that built the AI, or the bank that processed the payment? Regulators need to define this liability chain immediately. The second step should be creating a standard for what I’d call “Know Your Agent” or KYA. We have robust KYC protocols for humans; we need a digital equivalent to authenticate and verify AI agents acting on our behalf. This prevents a free-for-all where malicious bots can run rampant. The key to balancing this with innovation is to avoid being overly prescriptive. Instead of dictating the specific technology, regulators should set principles-based rules focused on outcomes—ensuring consumer protection, providing clear audit trails, and demanding transparency—which gives tech companies the freedom to innovate on how they achieve those safe outcomes.

You characterize your interactions with regulators as “cooperative but unyielding” and “demanding but transparent.” Could you share a specific story that brings this duality to life, detailing a difficult request they made and how their transparent approach ultimately led to a constructive outcome for your team?

A few years ago, we were subject to a new, incredibly stringent set of requirements for data resiliency. The regulator’s initial demand was that our critical systems needed to be able to failover to a secondary site with zero data loss and near-instant recovery—a standard far beyond what we had in place. That was the “unyielding” part; they were absolutely firm on the outcome. Our first reaction was that this was an impossible and astronomically expensive ask. But then the “cooperative and transparent” side emerged. They didn’t just hand us the rulebook. They organized workshops, brought in experts to explain the threat models they were seeing, and walked through the systemic risks they were trying to prevent. They made it clear this wasn’t an arbitrary exercise; it was about protecting the entire financial system from a new class of cyber threats. By being so transparent about the “why,” they transformed our team from being resentful to being partners in solving the problem. It was still demanding, but it felt like a shared mission, not a top-down decree.

You end with a wish for regulators to mandate a “spring clean” of legacy systems, noting the business would resist. In practical terms, what would a mandate like this involve? Please outline the key standards a regulator could enforce to define future-ready “robustness and efficiency.”

A mandated “spring clean” wouldn’t be a vague directive; it would be grounded in concrete, measurable standards. For “robustness,” a regulator could mandate that any system processing payments must run on currently supported infrastructure—no more relying on code from the 1980s. They could enforce specific uptime requirements, say 99.995%, and require demonstrable, regularly tested disaster recovery plans. For “efficiency,” they could set standards for API response times for critical functions or even mandate the decommissioning of systems that cannot be patched or updated in a timely manner. A key standard would be interoperability, requiring that core functions be accessible via modern APIs, effectively outlawing the monolithic, closed-off systems of the past. The business would absolutely resist the cost, but by framing these as non-negotiable operational resilience standards, the regulator provides the necessary leverage to force investment in the foundational health of the institution, rather than just the next piece of customer-facing bling.

What is your forecast for the evolving relationship between financial innovators and regulators over the next decade?

I believe the relationship will become even more deeply intertwined, shifting from a reactive “cat and mouse” game to a proactive, symbiotic partnership. We’ll see regulators embedding themselves much earlier in the innovation lifecycle, moving beyond sandboxes to ongoing dialogues with tech firms about emerging capabilities like quantum computing or decentralized identity. For innovators, robust regulation will increasingly be seen not as a burden but as a competitive differentiator—a seal of approval that builds customer trust in a very noisy market. The greatest challenge, however, will be the sheer speed of change. The test for regulators will be to develop forward-looking, principles-based frameworks that can accommodate technologies we haven’t even conceived of yet, ensuring the rails are in place before the train is already moving at full speed.
