IBS Intelligence Global FinTech Interviews

EP958: Rewriting the Rules of Regulatory Resilience

IBS Intelligence Podcasts | A Cedar Consulting Unit Episode 958


Bhavana Mallesh, Chief Technology Officer and Co-Founder of Gieom Business Solutions Private Ltd. 

As regulatory expectations shift from periodic compliance to continuous supervision, financial institutions are rethinking how they manage operational resilience, risk governance and regulatory accountability. Against this backdrop, Puja Sharma speaks with Bhavana Mallesh, Chief Technology Officer and Co-Founder of Gieom Business Solutions, about embedding AI-driven intelligence into compliance and resilience frameworks, navigating complex global regulations and emerging RBI guidelines, and how financial institutions can move from reactive, deadline-driven compliance to building transparent, future-ready resilience operating models.

SPEAKER_01

I'm Puja Sharma of IBS Intelligence, and you are listening to the IBS Intelligence podcast. Today we are spotlighting the evolving world of regulatory technology and operational resilience. Founded in 2012, Gieom is a global RegTech provider enabling enterprises and consulting firms to manage operational risk, resilience and regulatory compliance through an integrated AI-powered platform. Joining me today is Bhavana Mallesh, Chief Technology Officer and Co-Founder of Gieom Business Solutions Private Limited. Bhavana, with operational resilience moving from compliance to continuous supervision globally, what structural shifts must financial institutions make to stay ahead?

SPEAKER_00

So if you look at operational resilience, it has moved from thick PowerPoints and static documentation to active command centers. It is no longer about proving you have a resilience plan. It's about proving that the plan is working, that it is working continuously, and that it's backed by data. So in 2026, if you cannot evidence it, it does not exist. So if you look at the structural shifts that are required, it's no longer acceptable to label a service as critical based on judgment alone. You have to demonstrate whether the service is critical based on, maybe, real-time transaction volumes, revenue exposure, and the impact on customers, the market and the ecosystem. If you cannot quantify what is at stake when a service fails, you have not really mapped it. You've just labeled it. Now, if you look at the second factor, third-party oversight must move beyond contractual comfort. Regulators now are expecting to see, operationally, are you handshaking more with the vendor who's providing your critical service? Do the contracts talk about audit rights into the vendor's assets? Is there a clearly defined exit strategy? Is there visibility into your vendor's nth-party dependencies? Now, if you look at governance, governance is all about proactive and continuous resilience management. So they say, you know, in resilience, one part is proactive risk management, and another is your ability to recover and perform even if there is a disruption, and you have to recover within the defined impact tolerances before any harm is caused to customers, markets and your firm. Traditional risk registers are no longer adequate. Supervisors want to see: did you perform control testing this week, not last quarter? Are there automated audit trails? What about the feedback loop from your incidents? You know, are there new controls that have been established? And more importantly, are your board and senior management engaging in doing these reviews?
Do they have insight into the impact tolerances that you're managing? So risk management is no longer something like a quarterly report. It is like an operating heartbeat. Now, scenario testing is another important factor. Scenario tests have to be plausible, and it is almost like an operational rehearsal. Can you evidence these recent disruption simulations? Did you do testing of critical third parties recently? Were there any lessons that were learned? And is this part of your process design and control design today? So the age of Excel ecosystems is totally ending. You cannot manage 2026-scale digital interdependence with manual artifacts. So operational resilience is no longer a regulatory project which has an end date. It is the operating model of a very digitally interconnected ecosystem. So institutions that systemize all this through automation, integrated platforms, and AI-driven insights, like, you know, the kind Gieom's RegTech AI platform offers, will lead the supervision discussions. Those that remain manual, you know, I'm not sure; they're just going to be defending maybe the documentation that they have.

SPEAKER_01

Bhavana, how will convergence across Europe, the UK, and India shape a more unified approach to resilience and third-party risk governance?

SPEAKER_00

So, what we see is regulators using different terminologies, but the underlying philosophy is the same. So the convergence, if you see, is more structural, not semantic. DORA talks about critical functions, UK operational resilience talks about important business services, and RBI speaks of critical services. They're all different labels, but the supervisory intent is the same. Across these jurisdictions, resilience and third-party governance are kind of becoming the five pillars. So, the first thing is service identification. Institutions really must define what truly matters to the organization, and not based on some internal metrics. It has to be in terms of customer harm and financial stability. Now, if you look at the second pillar, it's about end-to-end mapping of your critical service. Have you identified all the dependencies? Whether it is the role, the person, the infrastructure, the system that is supporting it, the processes in place, whether there are third-party dependencies, whether there is concentration risk. All of this is required to be available as part of your service. So if you look at the third pillar, impact tolerances, there needs to be a clearly defined threshold: when disruption happens, are you able to recover the critical service before there is harm to the customer and market? So, can you demonstrate proof of this? I talked about third-party dependencies as part of your dependency mapping. But then are you doing full-fledged lifecycle governance of your third party? Right from onboarding to ongoing monitoring, periodic performance validation, and also, do you have clearly defined exit strategies? Finally, the most important thing is active accountability by the board. Resilience is no longer delegated to compliance, risk, or IT. Boards and senior management are expected to demonstrate ownership.
So, what this convergence is creating is a sort of global baseline. Supervisors are increasingly aligned in their expectations around transparency, traceability, and demonstrable execution.

SPEAKER_01

With the Reserve Bank of India introducing frameworks like FREE-AI, how should institutions balance innovation with accountability and human oversight?

SPEAKER_00

So if you look at RBI's FREE-AI framework, it's a very welcome and progressive signal. It is acknowledging, fundamentally, that innovation without governance is not acceptable. You know, it can fail. They are emphasizing trust and fairness, reliability, explainability, ethics, accountability; all of this in the framework makes it clear that you should have visibility into the risks associated with the use of AI. And it's not merely seeing AI as a productivity tool. AI cannot operate as an autonomous layer outside governance structures. It must sit within them. So, what does this mean for AI solution providers like Gieom? Governance cannot be retrofitted after deployment; it has to be embedded as part of the engineering lifecycle itself. We need to have protocols for model validation. There have to be testing guidelines for bias and fairness, explainability should be there for all outcomes, and there has to be clear model documentation. The final crux is that mandatory human SME review has to happen before release. So the human in the loop is becoming very important. Now, if you look at the buyers, the financial institutions, accountability does not transfer to the AI vendor. Institutions must test models using production-grade representative data. They have to challenge the outputs, not just review dashboards. There is also a need for maintaining override controls and escalation mechanisms. So at Gieom, we operationalize all this through structured AI, safely and securely, using our G0 security framework, which is part of our build pipeline and quality gates.

SPEAKER_01

What risks do firms face if they continue to rely on manual and static approaches as regulators demand real-time evidence and continuous monitoring?

SPEAKER_00

So if you look at operational resilience, it has moved from being an IT program to becoming the core of enterprise architecture. It is no longer about having a plan; it is about having the ability to provide continuous evidence. So if you look at last year, 2025, it was all about meeting deadlines, be it DORA on 17 January, be it the UK Operational Resilience Framework on 31 March, and others. Many institutions met all these initial deadlines using spreadsheets, static PowerPoints, and maybe one-off consulting assistance. This would have helped them achieve compliance, but it is not sustainable. Supervisors have shifted from asking "have you implemented?" to "show us how it works continuously." So I already talked about, you know, critical service dependency mapping. They want to see how you identified a critical service, what key performance metrics are being looked at. Is there proof of service recovery for your critical service, and that too within defined impact tolerances? Do you have real-time oversight of third- and nth-party risk? And more. And an Excel file definitely cannot withstand that level of scrutiny. So if you ask me, some of the shifts that are mandatory are end-to-end mapping of your critical service with all the dependency identification, and then governance. Governance cannot sit outside the system; it has to be embedded. So if you look at regulations and policies, they cannot sit in PDFs; they have to be part of your process design, part of your workflows, and all of this you will need to evidence through data. Whether it is, you know, how you identified your critical service or your scenario test results, you need to have the data and timestamp information to share. So let me take one example of how Gieom is enabling organizations to move away from the so-called static, you know, age-old approaches. And they're doing this with embedded governance.
So if you look at a recent implementation at a client site, we saw that within just one month after going live, there were about 22,500-plus queries asked by the workforce there, which spanned upwards of 540 policies, and this was through MAPI AI. So we are really breaking barriers. Now, if you look at another deployment in the Middle East, we saw staff querying in both Arabic and English. So platforms like Gieom have normalized language barriers, ensuring that frontline staff have instant guidance to make compliant decisions. So this is the difference. You know, if you look at compliance as a pillar, it's no longer dependent on annual training. It becomes embedded in how work happens and how decisions are made.

SPEAKER_01

My next question was actually a follow-up on how Gieom's AI-driven mapping and regulatory intelligence help firms move from deadline compliance to a sustainable resilience operating model. How can Gieom's AI-driven mapping and regulatory intelligence help firms move from deadline compliance to a sustainable resilience operating model today?

SPEAKER_00

The ability to query against policies and processes through MAPI AI is one key differentiation that we are bringing in with Gieom's AI. Now, the other thing is we don't want banks to just survive the regulatory deadline. We want them to use this opportunity to reassess their operating model and make it more agile so that, you know, it can foster continual growth. So what Gieom helps with is, you know, turning static assets, whether it is your processes, policies, SOPs (standard operating procedures), and also the GRC assets like your risk registers, control registers, and business continuity management assets like business impact analysis and your BCP test plans. All of this was done manually. You know, you had to map this process, you had to create registers, you had to do the interlinking. Now, MAPI AI has the ability to ingest text, voice, or transaction logs to auto-generate end-to-end process maps. So the SME, who initially did the mapping and was the creator, has now become the editor. They review AI-generated artifacts that are already linked to critical dependencies. So this is intelligent processes, or you can call it process intelligence. The next point is regulatory agility. Look at policy management again; that was a very overwhelming and labor-intensive activity. Now that has been compressed with AI. So the cycle for analyzing and updating policies, looking at overlaps across frameworks, whether it is DORA or, you know, the RBI, is resulting in time savings of 60 to 70 percent, and also accuracy, because it's very thorough. So we don't just tell you the law has changed; we show exactly which process step needs to be updated, you know, to stay compliant. Now, another area is governance, risk and control. Once you have your digitized map and policy, our AI is able to identify hidden risks and come up with suggested controls, which the human reviewer can then look at and operationalize.
We are doing the same thing even for third-party due diligence. Our RegTech platform streamlines the entire due diligence bottleneck. We have automated workflows for vendor evaluation and the scoring that is required to be done periodically. So this is how we are enabling TPRM to keep pace with the speed at which organizations and businesses today have to perform. Now, we looked at policy and process digitization, then we looked at, you know, risk and control management. Let's look at another area, which is business continuity management. Our system is able to close the gap between the impact analysis that you do on your business processes and the required business continuity plans. So basically, you can have playbooks which are mapped directly to the actual process. What this will do is, in the event there is any kind of issue, you can actually remediate with the plan that needs to be put in place. Finally, our resilience command center. We have comprehensive dashboards offering real-time visibility, and this is again AI-powered. Gieom's platforms are all integration-ready. So you can integrate data from core systems apart from all the insights that are already generated on the system. AI insights will give you the necessary alerts, and they don't just flag issues. The workflows are designed such that direct actions go to the inbox of your workforce. This shifts resilience management from, you know, retrospective reporting to something where you can do forward-looking control.

SPEAKER_01

What role does Gieom play in embedding resilience, governance, and regulatory traceability into day-to-day operations?

SPEAKER_00

So I already talked about several things that Gieom is doing with our AI-based RegTech platform. But let me summarize. The biggest challenge for an organization today is not having a resilience plan; it's making the plan visible and actionable for the workforce sitting at their desks. At Gieom, we ensure resilience isn't a document or a manual, you know, in a binder sitting on a desk catching dust. It's about making it the daily workflow. Call it the operating model. We are providing visibility into operations and all the other risk and resilience workflows. So, in the event a critical service or its system fails, with all the data integration that the system supports, you will see the resilience dashboard light up, showing exactly which customer service is impacted and which connected business continuity playbook needs to be executed. I already talked about how we are embedding compliance into daily operations. Compliance is becoming part of the process design. So you don't need employees to remember regulations. With Gieom's AI-powered RegTech, we take the complex burden of global regulation and turn it into simple guided actions. That is how you move from deadline compliance to a truly sustainable operating model.

SPEAKER_01

Bhavana Mallesh, Chief Technology Officer and Co-Founder of Gieom Business Solutions.