AI in FinTech: Global Trends, Data & the Race for Sovereign Infrastructure

For most of the last decade, AI in financial services was a feature. A fraud-detection model bolted onto an existing transaction system. A chatbot wrapped around an existing call centre. A risk score blended into an existing underwriting workflow. Useful, incremental, and easy to underwrite.

That shape is now ending. The market is consolidating around a different question — who owns the substrate the AI runs on — and the answers are being decided by nation-states, not by enterprise procurement teams. This briefing pulls together what the public data shows about where the spend is going, where the fraud is going, and where the regulatory perimeter is being drawn.

1. Market fundamentals: a $99B base becoming a $500B trajectory

North America still leads on absolute spend. EMEA holds the second slot, driven by London, Frankfurt, and increasingly the Gulf. Asia-Pacific is the fastest-growing region by deployment count, though deal sizes remain smaller.

What changed in the last 18 months is the shape of the spend. Through 2024, AI-in-FinTech budgets sat inside individual business lines — a fraud team's tooling, a compliance team's RegTech subscription. Through 2026, those line items are getting consolidated into platform investments owned at the CIO or Chief Data Officer level. The Sovereign Infrastructure Race (Chapter 3 below) is the most visible consequence of that consolidation.

Regional spotlight: Latin America is moving faster than the projections

Four conditions are doing the work in Latin America: a mobile-first user base that adopts new financial UX in weeks rather than years, a deeply underbanked population that gives challenger players room to build without incumbent friction, regulatory environments that have stayed flexible long enough for product to ship, and a Spanish-and-Portuguese GenAI download base that's now large enough to support local model fine-tuning.

2. Where AI is reshaping FinTech operations

Fraud detection: an arms race between AI defenders and AI attackers

The asymmetry has flipped. Through 2023, AI in fraud was a defender's tool — banks deployed machine-learning models to score transactions, attackers ran scripted, predictable playbooks. By 2025 that gap had closed: more than 50% of observed fraud rings are now using generative AI in some part of their attack chain, against 90% of defenders who do the same.

The new threat topology that's emerged:

The most expensive single vector remains investment fraud — synthetic-identity-led schemes that convert stolen or fabricated KYC documents into brokerage accounts and pump-and-dump runs. Public reporting puts annual losses to this single category at $8.648 billion.

Generative AI: from experiment to enterprise scale

BNY Mellon is the cleanest public case study of what at-scale GenAI looks like inside a regulated balance sheet. Their model-risk-management cycle — the regulatory process every new model has to clear before it touches a customer — has compressed from months to days. Adoption of generative AI across the firm has moved from a 23% pilot footprint to a target north of 30% production footprint inside eighteen months.

The next frontier flagged in the case data is agentic. Not single-shot question-and-answer chatbots, but autonomous workflows that string together multiple tools, multiple data sources, and multiple sub-decisions inside a single audit-able transaction. This is where the regulatory perimeter starts to bend — and where the Sovereign Infrastructure Race in Chapter 3 becomes load-bearing.

The use-case landscape, today

Four verticals are absorbing most of the production-grade AI spend in financial services:

• Fraud & AML. Real-time transaction monitoring, synthetic identity detection, automated compliance reporting.
• Customer experience. AI chatbots, hyper-personalised recommendations, eKYC automation.
• Credit & lending. Predictive underwriting, AI-driven risk segmentation, dynamic pricing.
• Regulatory reporting. AI-powered RegTech, JSON-exportable audit trails, automated capital-adequacy submissions.

The verticals where AI has not yet meaningfully landed are equally informative: front-office investment banking, complex M&A advisory, large-corporate relationship lending. Each is bottlenecked by data-confidentiality constraints that the current generation of public-cloud AI infrastructure can't cleanly satisfy. Which sets up Chapter 3.

3. The sovereign infrastructure race

If 2023–25 was the era of "which model do we buy from which vendor," 2026 onward is the era of "where does the model run, who owns the substrate, and what regulatory perimeter does the data sit inside." Three jurisdictions are visibly ahead.

UAE: the world's first sovereign financial cloud

The Central Bank of the UAE (CBUAE) and Presight have stood up the Sovereign Financial Cloud Services Infrastructure — branded SFCSI — as the world's first end-to-end sovereign cloud purpose-built for financial services. Two platforms are already operational on top of it: the CBUAE + Presight joint venture for regulated workloads, and Nebras Open Finance for cross-institution data exchange.

The legal foundation is Federal Decree-Law No. 6 of 2025, which mandates full data sovereignty for regulated financial workloads and creates a path for embedded AI analytics inside the regulated perimeter. Three reference workloads already live inside the vault: the country's CBDC infrastructure, the Aani instant-payments platform, and the Jaywan domestic card scheme.

Saudi Arabia & the European Union: two competing answers

The contrast is the story. Saudi Arabia is buying its way to sovereignty with concentrated state capital and a hard operational deadline. The EU is regulating its way to sovereignty by setting the rules first and letting industry build inside them. The UAE has done both — a relatively small state with both the capital and the regulatory authority to ship the substrate in a single coordinated motion.

4. The regulatory imperative: four moves policymakers cannot wait on

Across the three public-policy reviews the data informing this briefing draws from, four recommendations show up consistently. None of them are technically novel. All of them are politically hard.

What this means for enterprise AI buyers right now

Strip the geopolitics out of the four recommendations and they collapse into a single buyer instruction. Any AI deployment you are planning to put into production in financial services between now and end-2027 needs to clear three tests it didn't have to clear in 2024.

Test one — data residency. Can the inference happen inside the sovereign perimeter your regulator will require by the time the system is in production? If your vendor's answer is "we'll have that capability next year," the system you're buying is a 2026 system, not a 2027 system.

Test two — fraud co-evolution. Is the fraud-detection layer in the deployment capable of multi-modal, real-time evaluation, or is it a single-model score retrofitted into a legacy pipeline? The 1,210% surge is not a one-year anomaly; it is the new baseline. A defence built for the 2023 threat shape will be overrun inside eighteen months.

Test three — agentic readiness. Is the architecture you're committing to capable of running agentic workflows when the regulatory perimeter for them is set in 2027–28? Or is it locked into single-shot prompt-and-response patterns that will need rebuilding once agents become the default deployment shape?

The buyers who pass all three tests will sit inside the 13% who consistently ship AI to production. The buyers who pass none of them will be back in market by 2028 rebuying what they thought they bought today. This is the buyer-side reality of the sovereign infrastructure race — even if the geopolitical context is doing the headline work.