Core banking platformconcentration and AI

Core banking platform concentration risk is the risk a credit union runs by depending on a single core technology vendor for the systems it cannot operate without. Most credit unions run on one core platform, so an outage, a failure, or a poor change at that vendor flows straight through to members. In Drova's AI Disruption Risk Index, this risk scores 71 out of 100 for UK credit unions.

The dependency itself is old and well understood. What has changed is what now sits inside it.

AI changes the risk in three ways. Lock-in deepens as AI embeds in the vendor's workflows, because the more the platform decides automatically, the harder it is to move or to second-guess. Opacity grows, because AI inside a vendor's system rarely arrives with governance disclosures a credit union can inspect. And the shape of an incident changes, because an AI-driven action can move faster than a human can catch it.

Here is what that looks like in practice, from the edition. The core platform ships an AI fraud-screening upgrade. It flags an unusual loan repayment and freezes a member's account overnight. The risk team finds out at 8am, from the member's complaint, not from the platform. The control worked exactly as built; the credit union just had no sight of it until a member was already affected.

The PRA's operational resilience framework (PS6/21) expects firms to identify their important business services, set impact tolerances, and stay within them through severe but plausible disruption, including disruption originating at a third party. AI embedded in a core platform sits squarely inside that expectation.

The supervisory picture is also tightening on outsourcing specifically: the PRA's credit union service organisation rules (PS5/26, implementing SS2/23 Chapter 18) take effect on 20 August 2026 and sharpen how credit unions govern the third parties they rely on. The direction is consistent. A credit union is expected to understand, and to evidence, the dependencies it does not directly control.

You manage it by making the hidden dependency visible and planning around it, not by re-platforming. The move from the edition is a simple one: put three written questions to the vendor on its AI usage and governance, keep the answers on file, and refresh them yearly. The credit unions that get clean answers use them to harden their operational resilience self-assessments; the ones that get evasive answers have learned something important early.

Seen early, this stops being a risk you absorb and becomes one you plan around, which is the closeable upside here. And it keeps the human in charge of the judgement. As Steven Cunningham, Partner at Alexander Sloan, put it in Drova's Credit Union Outlook Report 2025: "AI ... isn't a substitute for sound governance... the best results come when these tools are paired with strong human judgment. Automation should strengthen decision-making, not sidestep it."