Resilience and security at the core of Standard Chartered’s growth

Rising AI risks, regulatory fragmentation and complex supply chains are reshaping the resilience agenda for banks across global markets. Against this backdrop, Standard Chartered is elevating technology resilience to a board-level priority, positioning it as the foundation of long-term trust and the enabler of sustainable growth.

Standard Chartered is embedding resilience across its people, processes and technology as cyberthreats intensify and regulatory expectations diverge globally. The bank’s layered strategy spans artificial intelligence (AI) governance, supplier oversight and preparation for post-quantum threats, positioning robust operations as the enabler of secure innovation.

This agenda is led by Álvaro Garrido, chief operating officer (COO) for technology and operations and chief information officer (CIO) for information security and data, together with Cezary Piekarski, group chief information security officer (CISO). Garrido emphasises that efficient, reliable operations are integral to the group’s wider transformation, while Piekarski underscores the centrality of security in safeguarding growth.

In parallel, under the Fit for Growth programme — targeting $1.5 billion in cost savings by 2026 — Standard Chartered is simplifying platforms and processes to ensure structural efficiency while reinforcing business continuity. These initiatives are designed to deliver sustainable performance even as risks grow more complex across markets. The bank’s half-year 2025 results underscore its efficiency push: operating income rose 10% year-on-year to $10.9 billion, while the cost-to-income ratio improved 230 basis points to 54.7%.

Embedding resilience as a discipline

For Garrido, resilience is not a project or milestone, but a discipline practised continually. Technology and operations, he said, exist to provide “elasticity and optionality” for the business — always delivered responsibly and sustainably. The bank identifies “important business services” (IBS) such as payments, liquidity and mobile banking, and maps them against disruption scenarios ranging from natural disasters and cyberattacks to human error and geopolitical shocks. “We rehearse, model and run exercises so that if something happens, we can respond swiftly and decisively,” Garrido said.

Each IBS is assessed for gross exposure, then layered with compensating controls including “latest-generation technology for detection, protection, response and recovery.” Garrido said that this mapping feeds into investment plans and is tracked through measurable outcomes, resulting in quantifiable reduction of residual risk for every asset and service in the bank. He highlighted benefits such as faster digital channel deployment (from months to weeks), overnight liquidity reconciliation with fewer errors and an observability platform that provides continuous visibility and faster issue resolution.

This risk-first approach is aligned with diverse regulatory expectations — from the EU’s Digital Operational Resilience Act (DORA) to guidelines from the Monetary Authority of Singapore and stress-testing requirements of the Hong Kong Monetary Authority. Garrido framed legislation as an accelerator rather than a barrier: “Because of where we operate, we were naturally forced to learn and to be the best. Legislation helps us get better.”

Garrido cited the bank’s geo-resilient architecture in Asia as an example, with seamless failover between its Hong Kong and Singapore data centres 3,000 kilometres apart. He noted that few banks attempt geo-resilience at this scale, but emphasised that the greater challenge lies in reconciling localisation with global integration, as data residency becomes increasingly pivotal. “Our technology needs to provide resilience cross-border, but at the same time respect ring-fencing and keep things where they belong,” he said.

Security and the role of AI

Drawing on his CISO background, Garrido framed security controls as enablers rather than constraints. He warned that the threat landscape is evolving rapidly, with cybercriminals industrialising the use of AI to automate phishing, scale ransomware and even generate deepfakes of bank staff. Piekarski noted that fraud techniques now increasingly mimic legitimate service models, underscoring the importance of advanced detection.

In response, the bank is deploying AI-enabled defences that analyse behavioural patterns and detect anomalies at scale. “AI-based attacks are being responded to by our own AI-enabled defences… what we want is to identify anomalies in behaviour rather than rely on static rules,” Garrido said. He outlined a three-part challenge: responding to AI-driven threats, using AI to defend, and protecting AI itself from manipulation such as data poisoning or hallucinations. He called it an “AI arms race” that requires governance as much as tools, noting the bank is developing intellectual property in this domain and preparing to file patents.

In terms of governance, function CISOs are embedded into business units from the design stage to maintain a defence-in-depth model, while a newly created data risk committee now reports directly to the board. Piekarski added that operationally, security is reinforced through global cyber fusion centres. The bank’s Kuala Lumpur global business services centre, for instance, integrates cyber, fraud and anti-money laundering (AML) intelligence into a single situational view — designed to analyse threats through the adversary’s lens and enable holistic defences. He cited joint initiatives with Malaysian regulators and law enforcement on scam prevention and AML as cases of effective public-private collaboration.

Ecosystem risk and digital assets

Beyond internal systems, Garrido and Piekarski give equal weight to the wider ecosystem, with Garrido listing third-party risk as one of his top three priorities, alongside operational resilience and responsible AI. Pointing to thousands of suppliers at differing maturity levels and to fragmented regulations, he said that “you may be secure as a bank, but your weakest supplier can compromise the chain.”

Controls extend across the supplier lifecycle, including second-tier vendors, and are supported by uplift programmes for small and medium enterprises (SMEs). Garrido noted the bank uses telemetry to scan publicly available internet traffic for potential compromise and engages directly with SMEs or smaller firms to share best practices. He cited Singapore’s model, where agencies — including the Cyber Security Agency of Singapore (CSA), Infocomm Media Development Authority (IMDA) and Enterprise Singapore — coordinate grants, certification and monitoring as a blueprint for SME cyber resilience.

Garrido extended this supplier-risk lens to digital assets, where custody and settlement involve multiple counterparties, introducing additional layers of operational complexity that demand robust controls. He acknowledged that Standard Chartered was an early mover, launching custody through Zodia (established by SC Ventures), expanding into institutional crypto trading via FX platforms and partnering with firms such as FalconX. However, he cautioned that growth would only be sustainable with robust security and risk controls.

Piekarski added that identity and access remain the first line of defence — for clients, employees and partners alike — with layered authentication, biometrics and user education key to preventing vulnerabilities from spreading across the ecosystem. Identity, he warned, has become a focal point in emerging fraud and AML schemes, making user awareness as critical as the controls themselves.

People and culture as an enabler

With more than 48,000 people across Standard Chartered’s technology and operations division, Garrido and Piekarski stressed that culture and capability are as important as systems. Garrido noted that while the bank has extensive mandatory training, the more powerful driver is pull rather than push; employees themselves are increasingly demanding access to learning resources. This, he said, has led to the expansion of the bank’s aXess Academy, giving employees access to leading global courses, alongside the AI Learning Hub, which delivers training tailored by persona — from secure coding for developers, to resilience protocols for operations employees and leveraging responsible AI to tackle financial crime for client-facing teams.

He added that the bank is fine-tuning its in-house generative AI platform, SC GPT, embedding guardrails and data-loss prevention to ensure colleagues can innovate without compromising security. “Constraints that increase freedom” is how Garrido described the philosophy — by putting controls in place, employees are liberated to experiment safely and apply AI tools in client-facing contexts.

Piekarski also highlighted Standard Chartered’s aXess Academy, first launched in Kuala Lumpur, which he described as “extremely essential” for supporting continuous reskilling and career mobility. The programme enables employees to move between different skill sets and pursue new roles within the bank, he said, which strengthens resilience by retaining talent and building adaptability across the organisation.

While these people-centric initiatives strengthen the bank’s foundations, Garrido warned that the harder tests lie ahead — from AI-driven threats and fragmented regulations to sprawling supply chains and evolving fraud. For both him and Piekarski, sustaining growth will depend on anticipating risks early and ensuring people, systems and technology adapt in step.