There was a time, not too long ago, when the primary concerns of a financial institution’s CIO were hardware and software. Not anymore. Today’s CIO must navigate an intertwined web of macroeconomic and market conditions, fragmented and diverse regulations, rapidly expanding business expectations and goals, and the evolution of banking technology (although “revolution” might be a more accurate term). CIOs today are strategists and business partners as well as managers of the mission-critical function that other company leaders are relying on to deliver their agendas.
This is not an incremental change in role and responsibilities. It is causing CIOs (and CEOs) at top banks and other financial institutions to look at the tech function through a recalibrated strategic lens. Technology is central to both strategy and execution, and progressive CIOs have realized that they need to address all the factors described above collectively, as an integrated set of challenges rather than as individual issues. They cannot, for example, deliver the products and services that other functions need without scaling up AI and AI agents, which has big implications for data access and management, vendor partnerships, and people. They cannot address AI and its related components without adapting their strategy to local market and regulatory conditions in an increasingly multipolar world.
Most CIOs’ agendas are already overloaded, and we are certainly not looking to add to the burden. But as technology takes its place at the center of enterprise performance, CEOs and boards see a new role for the CIO: that of a performance orchestrator. In functionally organized banks, few roles span the enterprise; CIOs are the exception. They are positioned to connect systems, align functions, and engineer a technology spine that powers the organization. To be sure, complexity reigns, but the best executives are transcending it by setting direction, challenging tradeoffs, and mobilizing change across business, risk, operations, and partners. In the process, they are creating the capabilities that sustain lasting advantage.
Our work with leading financial institutions around the world has helped us develop an approach based on convergence and focus for CIOs tackling their companies’ strategic imperatives.
The Forces Shaping the Mandate
Three trends—changing competition and business and customer expectations; evolution of banking technology and tech talent; and fragmentation in geopolitics, markets, and regulation—are shaping banks and the technology that they rely on. (See Exhibit 1.) While each trend can be assessed separately, it is chancy to try to address them this way because they are interwoven, and developments in one area (say, geopolitics) affect the competitive environment in others.
Tech + Us: Harness the power of technology and AI
Changing Competition and Business and Customer Expectations
Banks have a lot of expectations for their CIOs. CEOs and boards, shareholders, regulators (indirectly), and consumers and businesses doing business with the bank all have their own set of demands.
Inside the organization, business leaders need technology to support new products, and delays threaten competitive advantage. Innovative digital-first players already scale up products faster than incumbents. CEOs look to the tech function to address resilience and compliance issues as regulators tighten constraints in both areas. Complicated legacy tech stacks are big impediments, eating up large shares of management time and resources.
Externally, customers expect convenience and features like those offered by the big tech players. A 2025 study for the Consumer Bankers Association found that 80% of banking leaders believe they deliver great customer experience, but only 24% of customers agree.
Banks must adapt their products to meet new or fast-changing opportunities on a market-by-market basis. Technology arms need to move at pace in building, testing, and launching products to match customers’ expectations on agility and resilience.
Everyone, from investors and customers to internal stakeholders, is looking for results from fast-developing AI. BCG has found that 43% of consumers worldwide are already using AI to research brands and products and obtain purchasing recommendations. “Pilot” and “use case” have become dirty words. AI initiatives need to be deployed at scale to solve business or customer problems and create real financial impact. Effective deployment requires strengthening data foundations, which creates new risks to be mitigated. There also is intense competition for scarce talent.
On top of everything else, cost pressures remain a constant and even increase with expectations for AI. Simultaneously containing the cost curve and scaling AI require a shift in approach: increases in the operating costs of the tech function must drive efficiencies that lead to reductions in nontech areas.
Evolution of Banking Technology and Tech Talent
The evolution of banking technology has created architectural sprawl, exacerbated complexity, and created an ever-expanding to-do list for CIOs. Absent simplification, every new initiative adds fragility to the technology landscape. There are a number of near-term priorities demanding attention at most institutions.
Build. Attempts at modernization using APIs and microservices are complicating tech stacks, creating resilience challenges as volumes increase substantially. As a result, single points of failure must be reduced and complicated architectures simplified. Funding to modernize the “thick tail” of legacy apps and infrastructure drains tech function resources. Banks spend less than 20% of their application hosting budgets on cloud services, meaning that more than 80% of spending goes toward legacy infrastructure. As resilience standards rise, legacy structures are likely to need significant investment for modernization since they create risks in meeting new stability and resilience targets.
Run. Technology “run efficiency” (efficient use of resources to achieve desired results) continues to present challenges. As tech stack complexity increases, so does the importance of optimizing run costs, especially given that banks spend less than 20% of their application hosting budgets on cloud infrastructure, meaning that more than 80% of spending goes toward managing and maintaining legacy infrastructure. (These costs increased 21% from 2021 to 2025, with the most basic costs “to keep the lights on” rising even faster.) Consistent measurement of key operational metrics is an important lever for ensuring service resilience and optimization.
Rising complexity in third-party risk management requires more exhaustive monitoring and contingency and disaster recovery planning. Internal knowledge can suffer from staff churn. To limit complexity, rationalizing data management and analytics tools across multiple platforms will become more important.
Protect. Cybersecurity tools must mitigate risk across an expanding set of threats, with a strong focus on protecting core systems and books of record. Multimodal threats are rising as AI refines image and voice spoofing and introduces new risks, such as vulnerabilities created by “vibe coding.” Problem solving requires consideration of multiple issues, as fraud, cybercrime, and money laundering increasingly interact. There is also opportunity: banks that strengthen threat protection can deepen customer trust in the security of their personal and financial data, which can be an advantage amid rising skepticism over privacy and data safety in an AI-driven environment.
Impact of AI. As AI tools mature and adoption expands, banks need robust controls on usage and development to prevent cost spikes. For example, the use of AI to accelerate the building of new technology systems is proliferating—and creating a new need to establish guardrails and ensure quality. Effective outcomes require high-quality data and maturity. A strong large-language-model operations function will be key to managing computing and cloud spending.
The expanding capabilities of AI agents will require changes in task allocation between humans and agents. Banks will need new skill sets and refocused recruitment strategies for an AI-native future. The ability to fill new positions will be limited in the near term owing to a lack of trained talent and the challenge of upskilling current employees.
Fragmentation in Geopolitics, Markets, and Regulation
Rising multipolarity and disintegrating globalization create additional challenges for banks and banking technology. Fragmenting geopolitics raises resilience considerations, such as concentration of exposure and risk, which increasingly influence banks’ infrastructure decisions.
Heterogeneity in financial-crime risk compliance adds complexity. Banks need to preemptively implement controls and safeguards around internal and customer AI usage to mitigate both current and future operational and regulatory risk.
To reduce risk while balancing cost and complexity, banks need a pragmatic jurisdictional view of data hosting and processing. Increasing localization requirements for data, storage, and computing undercut global banks’ efforts to standardize technology and product development across markets and regions.
The CIO’s Docket
Today’s CIO already has a long list of critical tasks that include cost optimization, regulatory readiness, resilience, risk management, product development, and talent management—in addition to ongoing efforts to set up effective platform operating models. For many, to this list can be added actions in areas such as scalable infrastructure patterns, AI foundations and experimental “sandboxes,” vendor partnerships, and AI-driven shifts in work, workers, and the workforce.
In our experience, the best way to ensure strategic coherence and address operational complexity is to focus on a few critical actions executed concurrently. This approach both brings order to complexity and addresses the problems of today while preparing for the priorities of tomorrow. Adding new capabilities accelerates progress on multiple fronts that simple linear efforts across individual agenda items and subitems do not. For example, modernizing a bank’s data platforms with discrete transactional and analytical capabilities addresses the need for consistent and accurate regulatory reporting, improves resilience, and creates a strong base for the deployment of AI agents. This approach also helps avoid common missteps and pitfalls. (See “Debunking the Myths in Technology Transformations.”)
Debunking the Myths in Technology in Banking Transformations
Financial “super apps” with extensive feature sets are the only way to win. Not all banks need to mimic the feature set of fintech operators such as Revolut. Instead, they should adopt the approach of building digital offerings tied to target segments.
Real time is always critical. Real-time transparency (such as clarity on international transfer status and timelines) remains valuable to customers, but real-time access to data and processing does not add significant value in most transactions—while it does add significantly to operational and resilience pressures. Current information based on process needs is sufficient in most journeys and transactions.
Modularizing every component in the stack (including core systems) with API and microservice accessibility is key. Modularity is valuable where systems face high change intensity, but complicated microservice stacks in low-change core systems introduce resilience risk with additional failure points and error permutations. For example, banks need to make tradeoffs between agility and resilience in core payment stacks with high volumes and transaction types.
The cloud is a shortcut for removing legacy complexity. Cloud migrations without effective re-architecting of platforms and robust cloud financial operations will only replicate the same challenges with (potentially) higher costs.
AI can replace all software and workflows, including deterministic processing. While AI tools and agents can have a significant impact on orchestrating workflows and customer intent and exception handling, the mathematical precision and efficiency of deterministic, procedural code remain key in core systems and workflows such as interest calculations and ledger postings.
Product development is commoditized by vibe coding. Just about anyone today can vibe code, but that doesn’t mean the result is scalable or secure. Fostering a culture of experimentation in a controlled “sandbox” environment is critical to promoting organic innovation and adoption; at an enterprise level, however, integrated design, security, and resilience are critical. These essentials require principal engineers and architects to design system components and integrations and determine how data platforms are used. Usage, revenue, and loss thresholds tied to business value help constrain cost overruns. One large North American bank has long used transaction thresholds with a $1 million limit to cap expenditure on experiments and push toward scalable initiatives.
We are seeing top banks focus on four areas: enabling customer journeys, building strong data and AI foundations, scaling AI, and securing the necessary talent.
Enabling Customer Journeys
BCG’s 2025 global Build for the Future study of AI adoption and value found that 75% of AI’s value comes from core business functions, including 11% from enabling customer journeys. The key to matching consumers and businesses with the right products and services, these journeys require modern, flexible architecture and systems.
At the top of the modern tech stack, a journey orchestration layer sources customers’ needs by channel and connects their information from two key data platforms to a centralized core book of records. This core is both narrow and deep, narrow in that it holds only critical bank and customer data—such as transactions and customer reference information and balances—and deep by providing comprehensive and accurate records over time. Agents (whether human, deterministic algorithms, or agentic AI) gather data from the core, cleanse and validate it, provide context, standardization, and structure, and update the core only when changes are mandated.
Watch out for one common pitfall: future-state architecture mandates have typically been used to outline the path to modernizing banks’ technology foundations, but a lack of coordinated execution only results in increased complexity. We believe that concentrated and concurrent efforts across the lean core, data platform setup, chosen infrastructure, and run controls enable banks to execute most effectively against the discrete components, furthering full-scale modernization.
Strong Data and AI Foundations
Banks should prioritize building AI foundations with optimized data layers and dedicated platforms for tooling. (See Exhibit 2.) A strong foundation enables orchestration across multiple layers:
- The core model layer hosts, routes, manages, and orchestrates AI, providing reliable access to traditional and custom models.
- The developer tools layer provides frameworks, workflows, and toolkits that allow teams to design, execute, and manage AI agents.
- The safety and controls layer builds in safeguards that enforce compliance and reduce risk, including guardrails, approvals, audits, and registries. It includes the most recent catalogue of permissible models and agents.
- The operations layer orchestrates activities across humans and AI agents, providing capabilities for observability and evaluation to ensure that AI systems remain reliable, high performing, and cost efficient; it also provides clearly defined standards for model validation and agent monitoring.
Banks need the two types of data platforms: transactional and analytical. Transactional platforms collect, transmit, and analyze work in progress and read-only data, which enables agents (whether human or AI) to access current information. Completed transactional data is updated into the core book of records. The transaction platform collects and transmits data at the individual and aggregate transaction levels for risk and operations analytics and tracking. This removes the need for read-only transactions to hit the core layer and enables agentic workflows that are easier to align with customer journeys as the bank modernizes.
As AI adoption scales, transactional data platforms must evolve beyond data movement to enable quick, high-quality interaction with core systems. This requires better-curated data, tighter synchronization with the book of record, and architectures that support agentic access and execution. In this model, transactional platforms both enable AI agents and are enhanced by them, creating a feedback loop among data quality, system interaction, and automation.
Analytical platforms are optimized for computing intensity. They enable insights and personalization at scale by processing customer usage and transaction history. They also enable testing and validation of risk and pricing models. Analytical data platforms organize data from multiple sources to reveal relationships and ensure that banks gain a better understanding of customers’ needs so they can personalize service and offers.
Both platforms also help eliminate the tail of legacy apps and infrastructure and avoid peer-to-peer interface proliferation and multiple API updates into the core. They create flexibility in data structures and patterns, eliminating the need to retain these applications in order to cater to nonstandard workflows.
It’s critical to integrate input from technology, business, and operations in planning so there is alignment on transition paths and everyone is on the same page with respect to customer outcomes, scalability, risk and controls, and operational workflows. Business and technology leaders need to develop a mutual understanding of the underlying tradeoffs and implications of each technology; this will enable both teams to debate those tradeoffs for future investment. By combining technology and business transformation programs into an integrated effort, one large European bank reduced its technology operating costs by 5 percentage points.
Scaling AI
At large global banks, CIOs are under increasing pressure to deliver productivity gains of 30% or more in technology operating costs. AI, especially agentic capabilities, are expected to drive this step change by, for example, automating incident resolution, reducing redundant development efforts, and improving coordination across complex organizations.
Even though the potential of AI is clear, banks have been slow to move on their AI agendas because of a lack of clarity in the operating model. Prioritizing the AI initiatives to scale involves identifying opportunities to meet several goals at once: redesigning work to improve outcomes, reducing cost, and optimizing previously unaddressed complexity. Put another way, the most promising initiatives are those that solve business or customer problems while maximizing return on investment by advancing an AI-first technology deployment. The key is to reimagine the work of the future to maximize the impact of agents and other AI tools, while building in risk controls at each step, rather than as separate overlays.
The key is to reimagine the work of the future to maximize the impact of agents and other AI tools.
AI can handle much of the heavy lifting (with appropriate oversight) by helping to reimagine the product development life cycle as an AI-first process. (See Exhibit 3.) For example, banks are currently targeting 30% to 50% cost reductions in software development through AI-enabled productivity improvements. In this process, deterministic AI establishes rule-based systems. Generative AI produces code or documentation and explores multiple solution paths. Agents translate goals into executable plans, coordinate models and workflows, and iterate based on outcomes. Humans provide judgment, governance, and trust, as well as defining intent, constraints, and rules for escalation.
AI-based workflows and tools can increase productivity by enabling tech functions to understand, rationalize, and optimize both legacy codebases and new development efforts. Similarly, agentic deployments in run and cyber operations can better process the high volume of logs, filter out noise, and improve monitoring and first-line resolution.
Securing the Necessary Talent
Delivering the expected productivity gains requires rethinking not just tools but how work is structured: reshaping roles, reducing duplication, and reallocating effort across humans and AI agents. The work of the future will involve a mix of deterministic algorithms, judgment-driven agentic AI workflows, and human interactions and relationship management.
These are big changes with equally big implications for work, workers, and the workforce. (See Exhibit 4.) The required skill sets within technology organizations expand in breadth, with top talent needing sufficient depth across multiple domains (such as cyber, data, and DevOps). At the same time, as AI matures it upends many of today’s roles and creates new sets of critical skills, such as large-language model operations specialists who can control AI spending as agentic deployments scale. (See Exhibit 5.)
As these skills are identified, banks will need to make build-versus-buy choices. We recommend focusing partnerships on the skills that outside experts are likely to better develop (such as research teams for various layers of the models). Banks also need to adapt training and upskilling programs and career pathways for existing roles, both to provide for current staff and to ensure that new roles align with the work to be done. Identifying the extent to which today’s talent pools can be upskilled will provide a path toward the reallocation of spending between building and buying.
Vendor management will likely increase in importance, particularly as banks seek to partner on both talent acquisition and product development. Building partnerships with strategic vendors can align AI product goals and push a shift from computing consumption to co-development across the technology agenda. We expect to see a blurring of the capabilities that banks procure from technology vendors, which increasingly will expand beyond software and infrastructure products into critical business and operational processes (for example, using agentic deployments to replace business process outsourcing offerings). As technology vendors expand their reach, banks will need to adapt management of the buy-run-renew life cycle with suppliers, since third- and fourth-party risk management will rise in importance.
Banks also will increasingly need to strike a balance between vendor offerings, concentration risks (such as vendor lock-in), and operational resilience. One useful approach is to adopt annual 36-month forecasts for vendor portfolios. CIOs should oversee the structure of banks’ technology supply chains (vendor portfolio, allocations, and contingencies), while procurement teams support execution and commercial considerations.
Just as the rise of AI transforms the skills required in the tech function, the expanding range of today’s business and technology challenges requires a new mix of capabilities in financial institutions’ CIOs. Technology knowledge and expertise remain core, of course, but the skill mix now also includes global geopolitical understanding, strategic thinking, and executional excellence. It’s an ambitious combination, but the CIOs with the right capabilities can face the future with confidence in their ability to master the challenges and create lasting advantage for their companies.
