Abstract
The growing complexity of global financial systems, combined with the digital transformation driven by AI and decentralized technologies, has increased vulnerabilities in data security, privacy, and regulatory compliance. These challenges are particularly dire in the financial sector, where institutions must not only safeguard sensitive financial data but also comply with diverse national and international regulatory frameworks. This study aims to investigate existing approaches for securing financial systems through machine learning, legal frameworks, and regulations, while also highlighting strategies based on decentralization. The review is conducted through database searches of relevant literature in IEEE Xplore, ACM, ScienceDirect, Springer, and Web of Science. The search covers journals and conferences from 2014 to 2024. Studies not in English and those not addressing the security of financial systems through data sovereignty are excluded. We adopted PRISMA for selecting the final papers for analysis. A total of 741 studies were identified and narrowed down to 52 studies. Following a comprehensive analysis of the legal frameworks and regulatory measures pertaining to artificial intelligence (AI) across various nations and regions, it emerges that the European Union (EU) is at the forefront in this domain. Our in-depth research reveals significant variations in the methodologies employed by different countries to regulate AI and maintain sovereignty over financial data. Of the 13 data sovereignty methods examined, only five explicitly address security concerns, which are viewed as the most important component. This research highlights the challenges of protecting financial systems through data sovereignty in an increasingly digital economy. Although regulatory frameworks, particularly in the EU, have made significant progress in addressing AI-related risks in banking, challenges remain in balancing innovation with regulatory compliance across jurisdictions.
The research emphasizes that while AI and machine learning technologies offer significant potential for enhancing financial security, they must operate within robust, harmonized regulatory frameworks to address issues of trust, privacy, and autonomy. Future research should focus on harmonizing global regulatory efforts and exploring ethical considerations to ensure financial systems remain secure, compliant, and inclusive.
1 Introduction
In the contemporary digital economy, financial systems have become the foundation of global trade, providing seamless transaction flow and promoting economic progress. The increasing reliance of these systems on digital processes has amplified concerns about data security, privacy, and regulatory compliance. With the growing incidence of cyberattacks and data breaches, preserving the integrity and confidentiality of financial data has become a fundamental duty for both governments and financial institutions. In a multipolar monetary system where economic influence is spread across multiple regions, financial systems are confronted with unparalleled challenges and opportunities. The transforming international landscape, transitioning from U.S. hegemony to a more diversified global power distribution among the United States, the European Union, and emerging economies like China and India, necessitates novel approaches to financial regulation and data governance [1].
The European Union (EU) has exemplified this shift towards structured data governance by actively creating sector-specific data spaces to regulate and safely share data across its member states [2]. The EU’s recent endeavours on financial data spaces, a component of its broader Digital Single Market strategy, aim to democratize access to financial data by making it available to competitors. This promotes competition while securing data sovereignty and guarding against monopolistic behaviors [3]. The EU has assumed a significant role in shaping the global regulatory framework for data governance, driven by the "Brussels Effect" [4] phenomenon, where EU regulations set global standards, particularly in data protection and privacy [5]. This is exemplified by the EU’s general data protection regulation (GDPR), which imposes strict rules on the handling of personal and financial data across borders.
Data sovereignty, defined as the concept that data is subject to the legal and regulatory frameworks of the nation where it is collected, stored, or processed, has become a crucial issue. This is particularly relevant in the financial sector, where the global dynamics of data flows, combined with the rising use of cloud computing, have given rise to significant challenges in balancing data security with regulatory compliance [6]. As data is increasingly perceived as a valuable resource, its economic influence permeates deeply into the digital economy and financial systems. In this digital environment, data has become a key asset for spurring innovation, informing decision-making, and boosting competitiveness. However, it also introduces risks associated with privacy, security, and regulatory supervision. As a result, nations are endeavoring to protect their citizens’ data, while corporations require control over their data as they operate in multiple countries. Despite the growing importance of data sovereignty, there is a lack of comprehensive research that systematically examines the varied methods and policies across different regions. The complexity of this regulatory landscape is further compounded as countries like China and the European Union adopt contrasting strategies regarding the extraterritorial enforcement of data legislation and artificial intelligence (AI) policies [7]. While the EU prioritizes strict data privacy and human rights, China’s Personal Information Protection Law (PIPL) focuses on protecting data within its platform economy [8].
Financial institutions, frequently operating on a global scale, confront the formidable challenge of maneuvering through varied regulatory regimes while maintaining the security of their systems. The problem is exacerbated by the swift incorporation of AI systems into financial processes, which raises questions around algorithmic bias, transparency, and adherence to emerging AI legislation [9]. AI algorithms in financial systems are transforming risk assessments and fraud detection; nevertheless, their implementation also presents new dangers that regulators are already addressing [10] [11]. In this setting, nations such as India are contending with the changing ICT regulatory framework, which influences their approach to international commerce and data governance challenges [12]. India’s regulatory structure is evolving to safeguard sensitive data while balancing its increasing involvement in global digital markets [12].
This work seeks to fill the research gap by performing a systematic review of contemporary methods for protecting financial systems via data sovereignty. This will evaluate essential legislative frameworks across various locations and examine how financial institutions might conform to these requirements to enhance their data security protocols. This research analyzes 52 pertinent papers from databases such as IEEE Xplore, ACM, ScienceDirect, Springer, and Web of Science to offer a thorough overview of the tactics and legal frameworks employed to safeguard financial systems in a progressively globalized and digital environment.
The major contributions of the present work are as follows:
1. To conduct a systematic review of contemporary methods for securing financial systems through data sovereignty, focusing on machine learning, legal frameworks and decentralized methods.
2. To analyze the scope of the search in the 52 selected studies.
3. To provide an analysis of the regulatory frameworks that are adopted by different countries or regions.
4. To highlight the importance of a robust, harmonized regulatory framework that supports AI and machine learning technologies while addressing issues of trust, privacy, and data autonomy in the financial sector.
5. To outline the research challenges, emphasizing the need to strike a balance between innovation, security and compliance, and to safeguard financial systems through data sovereignty.
Section 2 describes the background and related work, and the methodology for identifying, selecting and analyzing relevant studies across various databases is given in Sect. 3. Then, Sect. 4 gives a comprehensive presentation of the results and key findings from the reviewed studies. Section 5 discusses the findings, offering critical insights into why security remains a subordinate focus. This section also explores the balance between innovation and regulatory compliance in AI-driven financial systems, alongside the potential obstacles in fostering inclusivity and fairness. Finally, Section 6 concludes the paper by summarizing the key takeaways and suggesting future directions.
2 Background and related work
In modern financial ecosystems, the increasing reliance on vast data stores driven by advanced technologies such as artificial intelligence (AI) and machine learning poses both opportunities and challenges. These innovations provide benefits such as enhanced risk management, fraud detection, and operational efficiency. However, they also introduce intricacies related to data governance and security. A fundamental issue is safeguarding data sovereignty, which is the extent to which a country or organization controls the data generated within its borders. This matter has gained increasing significance in the globalized digital economy, where financial data frequently traverses multiple jurisdictions [13].
2.1 Data sovereignty and financial systems
The principle of “data sovereignty” holds that data is governed by the legal and regulatory frameworks of the jurisdiction in which it is collected. In the financial sector, where data constitutes both a strategic asset and a locus of regulatory attention, this principle plays a critical role in ensuring compliance and safeguarding sensitive financial information. However, the evolving landscape of emerging technologies, particularly artificial intelligence (AI), machine learning, blockchain, and decentralized systems, has introduced new challenges and opportunities for financial institutions and regulatory bodies [14]. To ensure clarity, it is essential to distinguish between data sovereignty and digital sovereignty. Data sovereignty refers specifically to a nation’s legal and regulatory control over data generated within its borders. In contrast, digital sovereignty has a broader scope, encompassing not only data governance but also technological self-sufficiency, infrastructure control, and the regulation of digital ecosystems. Clearly defining these terms helps prevent confusion and ensures precise discussions on regulatory frameworks and the technological implications for financial security.
As AI-driven financial security mechanisms—such as enhanced risk management, fraud detection, and operational efficiency—become more prevalent, financial institutions must navigate a complex regulatory environment. These advancements introduce novel security risks that necessitate adaptive regulatory frameworks to ensure compliance and resilience against emerging threats. Various national and international regulations, such as the General Data Protection Regulation (GDPR) in Europe, the AI Act, China’s Cybersecurity Law, and India’s evolving data protection framework, establish distinct legal requirements for financial data governance [14]. Financial data governance refers to the comprehensive framework of policies, procedures, and technologies employed by financial institutions to manage the confidentiality, integrity, and availability of financial data in compliance with legal and regulatory obligations. These laws aim to enhance data security and privacy while addressing the risks posed by AI-driven financial systems.
The interplay between these regulatory approaches and financial data sovereignty significantly influences global financial operations. While regulations enhance control over data within national borders, they also pose challenges for multinational financial institutions that require seamless cross-border data flows to maintain efficiency and competitiveness. Consequently, policymakers and industry leaders are increasingly focused on achieving a balance between regulatory compliance, technological innovation, and economic efficiency [14].
Ultimately, the broader implications of data sovereignty extend beyond financial data governance to encompass digital sovereignty, which involves the governance of digital infrastructures, platforms, and emerging technologies. As financial data sovereignty gains prominence, a comprehensive approach integrating emerging technologies, AI-driven financial security measures, regulatory frameworks, and digital sovereignty strategies is essential to fostering a secure, resilient, and compliant financial ecosystem.
2.2 Historical and regulatory context
The evolution of financial systems has been shaped by historical crises and regulatory responses aimed at mitigating systemic risks. The 2008 global financial crisis served as a pivotal moment, exposing significant vulnerabilities in the financial sector and demonstrating the inadequacies of existing regulatory frameworks. The crisis stemmed from high-risk financial practices, particularly subprime mortgage lending and the excessive use of complex financial instruments, such as mortgage-backed securities (MBS) and credit default swaps (CDS). These instruments, often poorly understood and insufficiently regulated, contributed to a cascading failure that led to the collapse of major financial institutions and global economic turmoil [15].
In the aftermath, regulatory bodies worldwide introduced measures to enhance financial stability. One of the most influential responses came from the Basel Committee on Banking Supervision, which published a report to the G20 outlining steps to address regulatory shortcomings. This initiative led to the development of Basel III, a set of international banking standards that introduced enhanced capital and liquidity requirements, more robust risk management practices, and greater supervisory oversight of globally significant financial institutions [15]. In parallel, the United States enacted the Dodd–Frank Wall Street Reform and Consumer Protection Act in 2010, aiming to improve financial transparency, reduce systemic risks, and promote accountability in the financial sector.
As financial markets increasingly integrate emerging technologies such as artificial intelligence (AI), machine learning, and blockchain, the regulatory landscape continues to evolve. AI-driven decision-making in financial systems enhances risk assessments, fraud detection, and operational efficiency, but also introduces new risks, such as algorithmic biases and cybersecurity threats. In response, regulatory initiatives like the European Union’s AI Act propose risk-based governance approaches to ensure responsible AI deployment while safeguarding financial integrity [16].
The regulatory landscape also varies across regions. In Europe, stringent data protection regulations, such as the General data protection regulation (GDPR) [14], emphasize user data privacy and strict compliance requirements. While this approach strengthens consumer protection, it also presents challenges in fostering rapid innovation. In contrast, other jurisdictions, such as the United States and China, have adopted distinct regulatory strategies. China’s personal information protection law (PIPL) [17] and India’s digital personal data protection act (DPDP) [18] reflect efforts to assert greater national control over data, ensuring compliance with local laws while balancing economic and technological interests.
2.3 Technological drivers of data sovereignty
The increasing integration of artificial intelligence (AI) and machine learning into financial systems has transformed critical operations such as fraud detection, credit scoring, and risk assessment [19]. By leveraging vast datasets, these technologies enhance predictive accuracy and operational efficiency. However, extensive reliance on AI-driven automation raises significant concerns regarding privacy, security, and algorithmic bias. Without adequate regulatory oversight and security frameworks, AI models in financial systems may introduce vulnerabilities that could undermine trust, fairness, and compliance with data sovereignty laws. As financial markets become more interconnected, ensuring control over financial data has emerged as a priority for both governments and institutions. The challenge is further exacerbated by the cross-border nature of data flows, where financial institutions must navigate diverse and sometimes conflicting national regulations. This complex regulatory landscape has given rise to new security threats, including adversarial attacks, algorithmic biases, and data poisoning, all of which can compromise the integrity of AI-driven financial systems.
One of the primary security risks associated with AI in financial systems is adversarial attacks, where malicious actors manipulate AI models by injecting deceptive inputs. This can lead to incorrect financial predictions, unauthorized transaction approvals, and flawed risk assessments. Similarly, algorithmic biases, which stem from training models on historical financial data, can perpetuate discriminatory lending practices or lead to imbalanced fraud detection mechanisms. Data poisoning attacks further exacerbate these challenges, as attackers can introduce manipulated data into AI training sets, leading to inaccurate financial predictions and potential financial losses. These vulnerabilities underscore the necessity for robust AI governance and regulatory compliance frameworks to prevent misuse and enhance financial system resilience.
To mitigate these risks, AI security frameworks must incorporate mechanisms such as explainability, governance, and federated learning. Model governance policies must be established to continuously monitor AI model performance, detect anomalies, and prevent algorithmic drift. Human-in-the-loop (HITL) systems play a crucial role in overseeing AI-driven financial transactions, allowing human intervention in high-risk scenarios to minimize false positives and negatives in fraud detection. Federated learning (FL) further strengthens AI security by enabling multiple financial institutions to collaboratively train machine learning models without directly sharing sensitive data: only model updates leave each institution, while the raw records stay on-premises. This decentralized approach reduces the risk of data breaches while ensuring compliance with global data sovereignty laws such as the General data protection regulation (GDPR) in the European Union and the Personal information protection law (PIPL) in China. By integrating privacy-preserving techniques such as differential privacy and homomorphic encryption, federated learning enhances security while maintaining cross-border financial intelligence capabilities.
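The following simulation is an added illustration, not code from any of the reviewed studies, of the two preceding paragraphs: three institutions each hold constructed local data for a tiny linear model, only clipped and Gaussian-noised gradients (a differential-privacy style treatment) leave each client, and a coordinate-wise median aggregation limits what one client with manipulated (sign-flipped) labels can do to the shared model compared with plain federated averaging. All function names, the model, and the data are assumptions made for the example.

```python
"""Federated training across three 'banks' with clipped, noised updates (constructed example)."""
import random
import statistics


def make_local_dataset(n, seed, poisoned=False):
    """Constructed data held on-premises by one institution: y = 2x + 1 plus noise.
    A poisoned client has had its labels manipulated (here: sign-flipped)."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        x = rng.uniform(-1.0, 1.0)
        y = 2.0 * x + 1.0 + rng.gauss(0.0, 0.1)
        data.append((x, -y if poisoned else y))
    return data


def local_gradient(weights, data):
    """Gradient of mean squared error for the model y = w*x + b.
    Computed entirely on the client; raw (x, y) records never leave it."""
    w, b = weights
    gw = gb = 0.0
    for x, y in data:
        err = w * x + b - y
        gw += 2.0 * err * x
        gb += 2.0 * err
    n = len(data)
    return [gw / n, gb / n]


def clip_and_noise(grad, clip_norm, sigma, rng):
    """Differential-privacy style treatment of one client update: bound its L2 norm,
    then add Gaussian noise scaled to that bound, so no single record can dominate
    what the aggregator learns about a client's data."""
    norm = sum(g * g for g in grad) ** 0.5
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [g * scale + rng.gauss(0.0, sigma * clip_norm) for g in grad]


def fedavg(updates):
    """Plain federated averaging: a single manipulated client shifts the mean."""
    k = len(updates[0])
    return [sum(u[i] for u in updates) / len(updates) for i in range(k)]


def coordinate_median(updates):
    """Robust aggregation: the coordinate-wise median ignores a minority of outlier updates."""
    k = len(updates[0])
    return [statistics.median(u[i] for u in updates) for i in range(k)]


def train(datasets, aggregate=fedavg, rounds=200, lr=0.1,
          clip_norm=5.0, sigma=0.01, seed=1):
    """Run federated gradient descent. The aggregating 'server' only ever sees the
    clipped, noised gradient vectors each client returns, never the datasets."""
    rng = random.Random(seed)
    weights = [0.0, 0.0]
    for _ in range(rounds):
        updates = [clip_and_noise(local_gradient(weights, d), clip_norm, sigma, rng)
                   for d in datasets]
        step = aggregate(updates)
        weights = [w - lr * s for w, s in zip(weights, step)]
    return weights


def demo():
    """Three honest clients, then two honest clients plus one with poisoned labels."""
    honest = [make_local_dataset(40, s) for s in (11, 12, 13)]
    mixed = honest[:2] + [make_local_dataset(40, 13, poisoned=True)]
    return {
        "honest_fedavg": train(honest, fedavg),
        "poisoned_fedavg": train(mixed, fedavg),
        "poisoned_median": train(mixed, coordinate_median),
    }


if __name__ == "__main__":
    for name, (w, b) in demo().items():
        print(f"{name:16s} w={w:.2f} b={b:.2f}  (true model: w=2.00 b=1.00)")
```

With averaging, the poisoned client drags the shared model toward the mean of the honest and manipulated optima; with the median it stays close to the true model, at the cost of the small bias the noise introduces.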
Beyond AI-specific security measures, regulatory bodies have introduced guidelines to ensure AI compliance in financial applications. The EU AI Act imposes stringent regulations on high-risk AI models, emphasizing fairness, transparency, and accountability [18]. Additionally, the Financial Stability Board (FSB) provides risk-based governance recommendations for AI adoption in financial institutions, while the Basel Committee on Banking Supervision (BCBS) offers AI risk management guidelines tailored for global financial institutions [15]. These regulatory frameworks aim to harmonize AI-driven security measures with evolving financial data protection laws. Despite these challenges, AI remains a vital tool for strengthening financial security. Machine learning algorithms can detect anomalies in financial transactions, significantly reducing fraud-related losses. AI-driven compliance monitoring tools enhance regulatory adherence by analyzing vast datasets in real time, ensuring that financial institutions remain aligned with evolving legal requirements. Furthermore, AI-powered cybersecurity risk assessments can predict and mitigate emerging cyber threats, fortifying financial systems against sophisticated attacks.
In this evolving landscape, achieving a balance between AI-driven innovation and regulatory compliance is essential for securing financial data while upholding principles of data sovereignty. The integration of advanced AI security frameworks, alongside robust governance mechanisms, will be critical in ensuring the resilience and trustworthiness of AI-powered financial systems.
2.4 Balancing data sovereignty with cross-border financial data flows: global regulatory initiatives
Efforts to balance data sovereignty with the need for secure cross-border data flows are evident in international initiatives like the Data Free Flow with Trust (DFFT), which seeks to facilitate global data exchange while respecting national regulations and privacy concerns. Harmonizing domestic laws with global standards, however, remains a significant challenge [20].
Countries have adopted diverse approaches to data protection and sovereignty. For instance, Japan and Brazil have implemented GDPR-like laws, aligning with international norms to safeguard financial data security, while China, under its Cybersecurity Law, imposes strict data localization requirements, mandating that certain data be stored and processed within its borders. These differences in regulatory approaches create complexities for multinational financial institutions that must navigate a patchwork of laws to ensure compliance across jurisdictions [21] [14].
At the same time, central banks and regulators are exploring the implications of Central bank digital currencies (CBDCs), which attempt to balance privacy with traceability in a decentralized financial architecture. CBDCs have the potential to increase financial inclusion and improve payment systems, but they also raise concerns about surveillance and data protection [21].
Countries like France, through its 2030 strategic plan, emphasize the importance of AI and decentralized technologies as drivers of financial and industrial transformation. Within this framework, the financial sector is positioned to shape Europe’s leadership in AI governance while ensuring compliance with international regulations. Securing financial systems in this evolving landscape will require integrating advanced technologies, such as AI and blockchain, with robust legal frameworks, while fostering international cooperation to align global and local regulatory efforts [9].
2.5 Conceptual framework
Figure 1 shows how emerging technologies, financial security, regulations, and data sovereignty all interact within modern financial systems. It illustrates how technological advancements drive security measures, demand regulatory compliance, and shape governance structures related to sovereignty.
At the core of this framework, technologies like artificial intelligence (AI), machine learning, and decentralized systems are transforming financial operations. They enhance security, improve risk management, and boost efficiency. However, their widespread use also brings new challenges, such as cybersecurity threats, data privacy concerns, and the growing need for strong regulatory oversight.
AI-driven solutions help financial institutions improve fraud detection, risk assessment, and decision-making. But these benefits come with greater regulatory scrutiny. Authorities are focused on preventing algorithmic bias, data exploitation, and ethical risks. The framework highlights that AI-driven financial security must align with regulations that promote transparency, accountability, and consumer protection.
Regulatory approaches vary across the world, shaping financial security and data governance. Different countries have established legal frameworks to protect financial data and regulate AI-driven operations. For example, the European Union enforces strict data protection and AI risk management through the General data protection regulation (GDPR) and the AI Act. China’s Personal information protection law (PIPL) and Cybersecurity Law emphasize national data control and security, requiring companies to store data within their borders. India’s Digital personal data protection act (DPDPA) focuses on regulating data processing while encouraging financial innovation. In contrast, the United States follows a decentralized approach, with agencies like the Securities and exchange commission (SEC) and the Consumer financial protection bureau (CFPB) overseeing sector-specific regulations. These differing regulatory landscapes create compliance challenges for multinational corporations operating across multiple jurisdictions.
The effects of these regulations extend into the broader realm of data and digital sovereignty. Governments are increasingly prioritizing national control over financial data and digital infrastructure to protect economic interests and strengthen cybersecurity. Data localization laws, financial regulations, and sovereignty policies determine how data is handled within national borders while balancing the need for global financial integration.
Financial systems must constantly adapt to technological advancements, regulatory changes, and shifting sovereignty concerns. The complex relationship between financial security, legal frameworks, and digital sovereignty underscores the need for a balanced approach—one that encourages innovation while ensuring compliance with evolving legal and ethical standards worldwide.
3 Research methodology
This section describes the research method used, namely the eligibility criteria, information sources and search, study selection and data collection.
4 Research questions
The research questions that formed the basis of the investigation in this study are as follows:
RQ1. How do different countries come up with various modes of regulating AI use in financial systems in the context of data sovereignty?
This question highlights the global diversity in regulating AI in financial systems. Exploring how nations balance innovation, privacy, and control over sensitive financial data is essential for understanding AI governance.
RQ2. How have theories, models, and frameworks for AI-driven security and data sovereignty in the financial sector evolved?
This question examines the theoretical models, frameworks and approaches for securing AI-driven systems in finance.
RQ3. What are the research challenges in this area?
This question highlights the research challenges in approaches for securing financial systems through data sovereignty.
4.1 Search strategy and results
Given the research questions formulated in the previous section, our study primarily focused on data sovereignty in financial systems, the legal and regulatory frameworks shaping technological advancements in this domain, and the role of emerging technologies in securing financial systems. To ensure a comprehensive and multidisciplinary review of the literature, we carefully selected databases that cover key aspects of this topic. IEEE Xplore and ACM Digital Library were chosen for their strong emphasis on technological and cybersecurity innovations, offering access to cutting-edge research in computer science and engineering. ScienceDirect and SpringerLink provide broad coverage of peer-reviewed studies across multiple disciplines, including finance, technology, and policy, essential for understanding both the regulatory and technical dimensions of data sovereignty. Web of Science was included for its rigorous indexing of high-impact literature, ensuring a well-rounded, cross-disciplinary perspective. Additionally, SSRN was incorporated to capture emerging trends and grey literature, particularly in the evolving domain of regulatory frameworks. Together, these databases form a strong foundation for our systematic review, encompassing a diverse and authoritative range of scholarly resources.
From Table 1, we can see that we designed two search strings to identify relevant studies in SSRN. The first ("Sovereignty" AND ("Regulatory" OR "Governance") AND ("Finance" OR "Banking")) was highly specific but yielded only two results, indicating a limited number of studies explicitly addressing sovereignty in financial regulations. To broaden the scope, we used the second string (("Regulatory" OR "Governance") AND ("Finance" OR "Banking")), which retrieved 127 results, capturing a wider range of relevant research. While the first string ensures specificity, it is too restrictive, whereas the second allows for broader discussions on financial governance and regulation, providing a more comprehensive literature base.
The search string incorporated various spellings and synonyms pertinent to these topics. Search conditions were combined using the logical operators "OR" and "AND." The systematic literature review (SLR) conducted by Kitchenham [22] on other existing SLRs served as inspiration for the formulated search string. Different online databases necessitate the articulation of different search strings, depending on their advanced search options. Table 1 (in the next section) summarizes the details of the search string and the databases. Advanced search options were used to streamline search results by locating terms in the abstracts of the studies, given the extensive volume of available literature.
Following the PRISMA guidelines [23], we conducted a comprehensive search for relevant papers on our topic in 2024. Table 1 summarizes the records retrieved from online databases using our specific search terms. It also details the filters applied, the range of years considered, and the number of studies identified.
4.2 Inclusion and exclusion criteria
To ensure a focused and relevant scope for this systematic review, a structured set of inclusion and exclusion criteria was established. This approach guarantees the selection of studies that provide valuable insights into regulatory frameworks, AI-driven security measures, and technological advancements within the financial sector.
The inclusion criteria encompass research specifically related to financial services, including banking, insurance, and investments, where data sovereignty, AI, and emerging technologies play a critical role. Eligible studies include empirical research, theoretical analyses, systematic reviews, and case studies. While case studies may not always be peer-reviewed, they offer essential real-world insights into regulatory and technological challenges. The selected studies focus on key areas such as data localization, federated learning, algorithmic decision-making, and data protection in finance. Furthermore, restricting the selection to articles published in English from 2014 onward ensures the relevance of the research to current industry practices and regulatory developments.
The exclusion criteria were designed to eliminate studies that do not align with the review’s objectives. Research outside the financial sectors, such as that focusing on smart cities, healthcare, cloud computing, and agricultural technology, was excluded to maintain a clear financial focus. Additionally, non-academic sources such as blogs and abstracts were omitted to uphold academic rigour, except in cases where case studies offer significant contextual insights. Studies that merely reiterate existing knowledge without contributing new findings were also excluded to ensure the review captures only novel and impactful research.
4.2.1 Inclusion criteria (IC)
IC1: Focus on financial services and emerging technologies
Studies must primarily focus on financial services (banking, insurance, investments) and explore aspects of data sovereignty, AI-driven financial security, or regulatory frameworks in these domains.
IC2: Relevance to regulatory and governance aspects
Papers should analyze or discuss regulatory approaches, governance models, or compliance strategies related to emerging technologies in financial systems.
IC3: Research methodology
Included studies must be based on empirical research, theoretical analysis, systematic reviews, or case studies providing substantial insights into financial security, AI governance, or data sovereignty.
IC4: Key topics of interest
The study must cover one or more of the following topics within financial security:
1. Data localization and sovereignty – Regulations and policies governing data storage and control.
2. Federated learning and decentralized data processing – AI-driven approaches to ensure data security.
3. Algorithmic decision-making – The role of AI in risk assessment, fraud detection, or financial compliance.
4. Data protection and privacy laws – Implications of GDPR, PSD2, and other financial data regulations.
IC5: Timeframe and language
Only studies published in English from 2014 onward will be considered to ensure relevance to recent advancements and regulatory developments.
IC6: Case studies
Research incorporating real-world case studies on how financial institutions adapt to data sovereignty laws and AI-driven security measures will be included.
4.2.2 Exclusion criteria (EC)
EC1: Non-financial domains
Studies focusing on unrelated sectors such as smart cities, healthcare, general cloud computing, or agricultural technology will be excluded unless they explicitly discuss financial security implications.
EC2: Lack of regulatory or governance focus
Papers that mention AI, data sovereignty, or financial security but lack substantial discussions on regulatory frameworks, governance, or compliance measures will not be considered.
EC3: Non-academic sources
1. Blogs and news articles will be excluded.
2. Abstracts without full study details will not be included, except in cases where case studies provide significant insights.
EC4: Redundant or insufficient contributions
1. Studies that repeat existing insights without introducing new perspectives, methodologies, or findings will be excluded.
2. Papers with insufficient methodological rigor or lacking detailed data will not be considered.
EC5: Outdated research
Studies published before 2014 will be excluded unless they offer foundational theoretical models that remain highly relevant today.
Figure 2 illustrates the systematic approach taken to identify, screen, and select studies for this review. The initial search retrieved 741 records from databases, supplemented by six records from external sources (legal texts). After removing 35 duplicates, 707 records were screened, leading to the exclusion of 627 non-relevant studies. Following retrieval attempts, 71 reports were assessed for eligibility, with 15 reports excluded due to lack of relevance to emerging technologies, finance, or data sovereignty. Additionally, six externally sourced reports were assessed, and all were included. Ultimately, the review incorporated 52 studies along with six additional reports, ensuring a comprehensive analysis of data sovereignty in financial systems. This systematic selection process enhances the rigor and reliability of the study.
Figure 3 presents the distribution of studies based on their source type. The dataset consists of studies obtained from journals, conference proceedings, and books. Among these, books contribute the highest number of studies, followed by journal articles, while conference proceedings represent the smallest share. This distribution highlights the substantial role of books in the literature on data sovereignty and financial systems, possibly due to their in-depth treatment of regulatory frameworks and theoretical foundations.
Figure 4 illustrates the temporal distribution of the selected studies, showing an increasing trend in publications over time. A noticeable rise in the number of relevant studies begins around 2020, with a significant surge observed in 2022 and beyond. The peak in 2024 suggests growing academic and industry interest in the topic, likely driven by emerging technological advancements and regulatory developments in data sovereignty within financial systems.
4.3 Data extraction and summarization
All 52 selected secondary studies were examined thoroughly to extract details according to the RQs.
1. Online database: Six commonly searched online databases were selected to gather the results. These are the ACM Digital Library, IEEE Xplore, ScienceDirect, Springer Digital Library, Web of Science, and SSRN.
2. Publication details: The name of the publishing journal or conference.
3. Year of publication: The year in which the research was published.
4.3.1 Parameters considered
4. Publication type: The publication type was categorized into a journal paper, conference paper, or book chapter.
5. Focus area: Prioritizes papers that introduce and discuss theories, models, or frameworks in the field of financial security driven by emerging technologies, as well as regulatory approaches governing their usage. Furthermore, we focus on case studies that examine the challenges institutions face in adapting to regulations and laws.
6. Range of years covered in the survey: Range of years of primary texts considered in each of the secondary studies.
7. Analysis aspects: The type of analysis performed in each study.
5 Results and analysis
Table 2 summarizes all the selected 52 research papers. The table provides an organized overview, including the author names, publication specifics, and pertinent references for easy retrieval. These papers cover a wide range of topics relevant to the field of data sovereignty and its implications in securing financial systems.
RQ1. How do different countries come up with various modes of regulating AI use in financial systems in the context of data sovereignty?
The European Union stands as a global leader in establishing comprehensive regulations and dedicated bodies to oversee artificial intelligence (AI), setting a benchmark for the world. However, other nations like the United Kingdom, India, the United States, and Japan are now stepping up, recognizing the need to craft their frameworks to manage AI’s rapid development [36]. While these regulatory efforts unfold, many governments have also launched national AI programs designed to fuel the growth of this revolutionary sector. These programs aim to ramp up investments in scientific research, enhance technological infrastructure, promote the sharing of open data, and foster global cooperation (see Chapter 2) [36].
What’s more, regulations that were originally designed for cybersecurity and privacy are now becoming relevant to AI, especially in sectors like finance. For example, Study [18] shows that changes to privacy laws and cybersecurity regulation have had a substantial impact on the development of AI technologies, helping nations retain control over the data generated and used within their borders, even in a highly interconnected financial landscape.
At the heart of these initiatives lies a collective vision: to harness the incredible potential of AI while ensuring it is developed responsibly, with safeguards for security, privacy, and ethical use. It’s not just about advancing technology but ensuring it works for the betterment of society.
In October 2018, the Government of India took a crucial step towards shaping the future of Artificial Intelligence (AI) by forming an expert panel to guide the Ministry on AI policy matters [12]. These moves reflected India’s growing awareness of the need to navigate the challenges and opportunities AI presents. By bringing together experts, the government aimed to ensure that its policies aligned with global advancements while safeguarding the country’s interests.
Even earlier, in April 2017, the Ministry of Electronics and Information Technology (MeitY) released essential guidelines on IT infrastructure for government departments [12]. These guidelines mandated that all data generated from government activities, whether at the central, state, district, or municipal level, must stay within India’s borders. This was a critical step in ensuring data sovereignty, reflecting the government’s commitment to protecting sensitive national data from external vulnerabilities. This policy decision wasn’t just about data security; it was also about fostering a sense of ownership and responsibility over the country’s digital assets. By keeping vital information within the country’s geographical boundaries, India sought to build trust in its growing digital economy, ensuring that the government could maintain greater control over its data infrastructure.
Figure 5 highlights the core pillars of laws and regulations in various countries, illustrating the key frameworks that guide the governance of data sovereignty. These regulations encompass a wide spectrum of financial data protection measures, including privacy laws, cross-border data transfer restrictions, and security mandates aimed at mitigating risks to critical financial infrastructures.
Countries around the world are increasingly shaping their regulatory frameworks to address the rise of emerging technologies like Artificial Intelligence (AI). In Latin America, governments are using AI policies not just to spur innovation but to protect societal interests, balancing growth with ethical considerations [32]. Similarly, a study on open banking [52] under the revised Payment Services Directive (PSD2) highlights how new financial regulations are fostering competition and innovation. However, these advancements also bring risks, particularly in data security and privacy, pushing countries to craft laws that ensure consumer protection without stifling the fintech sector.
Beyond AI and fintech, other critical areas like cybersecurity and platform regulation are also under scrutiny. Commonwealth countries are enhancing cybersecurity and data protection laws [12] to create a safe digital environment, essential for the responsible development of AI and other technologies. Gawer’s [44] research emphasizes the need for anti-competitive regulations to ensure fairness on digital transaction platforms. By preventing monopolistic behavior, these laws promote competition, benefiting consumers and smaller businesses alike. Together, these efforts highlight the delicate balance that governments must strike to ensure that technology serves the greater good while safeguarding security, privacy, and fair competition.
Financial data governance is crucial for maintaining security, privacy, and regulatory compliance in an increasingly digitized global economy. Table 3 provides a comparative analysis of financial data governance frameworks. This analysis evaluates key regulatory frameworks—GDPR (EU), PIPL (China), ADPPA (U.S.), and DPDP (India)—highlighting their enforcement mechanisms, impact on financial data security, and the challenges of cross-border compliance.
Navigating conflicting data transfer restrictions presents a significant challenge for financial entities operating across multiple jurisdictions. The GDPR permits international data flows only under strict conditions, such as an adequacy decision or contractual clauses, while China’s PIPL mandates government approvals and localized data storage. The ADPPA does not yet establish uniform rules on data transfers, creating uncertainty for global financial institutions. Similarly, India’s DPDP remains in the early stages of implementation, with evolving guidelines on cross-border data flows [63].
Jurisdictions impose unique compliance requirements, requiring financial institutions to implement adaptive strategies to navigate varying regulatory landscapes. Many institutions have established dedicated compliance teams and invested in advanced technological solutions, such as automated compliance monitoring and cross-border data management tools, to ensure adherence to regional mandates. Additionally, financial firms are increasingly engaging in regulatory dialogue and industry collaborations to proactively address evolving requirements and mitigate compliance risks [60]. In the European Union, financial firms must align with GDPR while ensuring compliance with sector-specific regulations such as PSD2. In China, companies handling Chinese data must appoint local representatives and comply with CAC assessments. In the United States, diverging state laws under the ADPPA create an uneven regulatory landscape. In India, uncertainty remains over the Data Protection Board’s enforcement mechanisms and long-term policy direction [61].
Harmonizing financial data governance across jurisdictions is particularly challenging due to differing regulatory priorities, enforcement mechanisms, and geopolitical considerations. The absence of universally accepted compliance standards often results in operational inefficiencies and increased compliance costs for financial institutions. To mitigate regulatory fragmentation, financial entities and policymakers can adopt several harmonization strategies. Standardized compliance mechanisms, such as the adoption of globally recognized frameworks like ISO 27701 and NIST privacy controls, can help establish a common baseline for financial data protection [60]. Regulatory cooperation, including increased collaboration between regulatory bodies such as the EU-U.S. Data Privacy Framework, can foster interoperable compliance mechanisms. Contractual safeguards, including the expanded use of standard contractual clauses (SCCs) and binding corporate rules (BCRs), can ensure that cross-border data transfers meet jurisdictional requirements. Technology-driven compliance solutions, such as leveraging privacy-enhancing technologies (PETs), encryption, and decentralized data storage solutions, allow firms to comply with differing regulations while maintaining operational efficiency. Sector-specific guidelines should be developed in partnership with regulators to balance compliance with operational needs, similar to the EU’s PSD2 and open banking initiatives [52]. PSD2 has significantly influenced global financial data governance by mandating strong customer authentication (SCA) and open access to financial data through application programming interfaces (APIs). This has encouraged innovation in financial services while ensuring consumer protection and data security. Many jurisdictions have adopted similar principles, fostering interoperability and transparency across financial markets.
RQ2. What key areas of research still require attention at the intersection of data sovereignty and AI in the financial sector?
In today’s rapidly evolving world of financial technology, we find ourselves constantly navigating the delicate balance between staying in control of our data and trusting the systems that manage it. Whether you’re an individual managing personal finances or a business relying on digital platforms, the issues of autonomy, trust, privacy, and security are becoming more pressing than ever. In Table 4, we have categorized studies based on these issues.
A closer look at Fig. 6 and the referenced studies shows where researchers are focusing their attention. Interestingly, the bulk of the research is devoted to autonomy and privacy, revealing a clear desire for individuals and institutions to have greater control over their financial data. For example, autonomy, emphasized in studies [10, 21, 26,27,28, 30, 31, 34, 36, 53, 54, 58], seems to resonate deeply with people’s desire to manage their own data and make decisions independently. The push for autonomy is a reflection of the growing movement towards decentralization, where individuals and entities want more freedom to operate without heavy oversight from central authorities. At the same time, privacy, discussed in studies [10, 26, 27, 30, 31, 36, 53, 58], is another top priority. As more transactions and sensitive financial data are shared digitally, ensuring that this information remains protected is crucial. People want to know that their personal and financial details are safe from intrusion by foreign invaders or misuse. Privacy isn’t just about shielding data from theft; it’s also about maintaining control over who has access to it and how it’s used. This is particularly important in decentralized systems where multiple entities may interact with your data.
Trust is another key element, highlighted in studies [10, 25, 27, 30, 58]. Trust isn’t just about security; it’s about transparency and confidence. People need to feel assured that the systems they’re using are reliable and that all parties involved in a transaction are adhering to the same rules. Establishing trust in a system goes a long way toward building confidence, especially in decentralized or less-regulated environments. Surprisingly, security, which one would expect to be a major concern, is only emphasized in 5 studies [10, 25, 27, 30, 58]. This could be because security, while foundational, is often taken for granted as something that should already be embedded into the system. Once a system has a strong security backbone, the focus shifts towards more dynamic aspects like privacy and autonomy, which allow individuals and organizations to control their data while trusting that the underlying infrastructure is secure.
RQ3. What are the research challenges in this area?
The evolution of financial technology has introduced both opportunities and challenges in securing financial systems while ensuring data sovereignty, compliance, and consumer protection. As Decentralized Finance (DeFi), Central Bank Digital Currencies (CBDCs), and AI-driven Regulatory Technology (RegTech) gain traction, they reshape financial security landscapes but also introduce significant cybersecurity risks, regulatory dilemmas, and ethical concerns.
DeFi platforms operate without traditional financial intermediaries, allowing users to engage in peer-to-peer transactions on blockchain networks. While this enhances financial autonomy, it simultaneously eliminates centralized oversight, making DeFi highly vulnerable to security exploits and fraudulent activities. One of the primary security concerns is the vulnerability of smart contracts, which are self-executing and immutable once deployed. Beyond audits, formal verification methods can be used to mathematically prove the correctness of smart contract code, reducing the risk of vulnerabilities. Additionally, adopting secure coding practices and utilizing bug bounty programs can further enhance contract security. If these contracts contain coding errors or loopholes, they become easy targets for attackers, as demonstrated by incidents such as the DAO Hack in 2016 and the Poly Network Exploit in 2021, both of which resulted in the theft of hundreds of millions of dollars.
Furthermore, DeFi projects often launch with minimal regulatory scrutiny, increasing the risk of fraudulent activities such as rug pulls and exit scams, where developers promote a project, attract significant investments, and then suddenly withdraw liquidity, defrauding investors. Unlike traditional banks, which offer mechanisms to reverse unauthorized transactions, DeFi lacks consumer protection frameworks, making fund recovery nearly impossible in the event of a hack. Given DeFi’s operation on global blockchain networks, enforcing national financial regulations, including anti-money laundering (AML) and know-your-customer (KYC) laws, presents a significant challenge. For example, the United States has attempted to regulate DeFi through the proposed Digital Asset Anti-Money Laundering Act, which seeks to impose AML and KYC requirements on decentralized platforms. Similarly, the European Union’s Markets in Crypto-Assets (MiCA) regulation aims to establish a comprehensive framework for governing DeFi activities within the region [62].
To mitigate these risks, several solutions have been proposed. One approach is to implement mandatory third-party audits to ensure smart contract security before deployment. Additionally, integrating decentralized identity verification frameworks could introduce KYC compliance without compromising DeFi’s core principles. Establishing regulatory sandboxes for testing DeFi models under controlled conditions could help governments assess compliance and associated risks before wider adoption. Given the lack of clear regulatory frameworks for DeFi, international cooperation is essential in formulating standardized guidelines for cross-border DeFi activities.
Unlike DeFi, CBDCs are government-backed digital currencies designed to enhance financial security and stability. However, their centralized nature raises critical security and privacy challenges. One of the primary concerns is state surveillance, as CBDCs enable governments to have full visibility into financial transactions, thereby reducing user privacy. For instance, China’s Digital Yuan (e-CNY) is designed to track and control transactions, raising concerns about excessive state oversight. In contrast, the European Central Bank’s Digital Euro is being designed to incorporate privacy-enhancing features for small transactions while maintaining strict AML and KYC compliance for larger transfers [61]. Additionally, given their entirely digital nature, CBDCs become prime targets for cyberattacks, and a successful attack on a CBDC network could have severe consequences for national economies. While CBDCs ensure compliance with national regulations, they necessitate cross-border regulatory cooperation to facilitate secure international transactions. An example of such an initiative is the Bank for International Settlements (BIS) Innovation Hub’s mCBDC Bridge project, which explores the interoperability of multiple CBDCs to enhance efficiency and security in cross-border payments. Additionally, the European Central Bank and the Federal Reserve have engaged in discussions to align regulatory frameworks for digital currencies, ensuring consistency in compliance and security measures.
Addressing these challenges requires the adoption of privacy-enhancing technologies such as zero-knowledge proofs and encrypted transaction logs to protect user privacy while maintaining regulatory compliance. Furthermore, international coordination is crucial in establishing global cybersecurity standards to mitigate hacking risks and ensure secure CBDC adoption. Given that different jurisdictions have varying regulatory approaches to digital currencies, harmonizing regulatory frameworks through international collaboration would enhance the security and trustworthiness of CBDCs.
AI-driven regulatory technology (RegTech) is increasingly being leveraged to automate fraud detection, AML compliance, and risk assessments. While AI-based RegTech improves financial security, it also introduces new cybersecurity risks. Algorithmic bias in fraud detection is a significant concern, as AI models trained on biased datasets may disproportionately flag transactions from certain demographics as fraudulent, potentially leading to financial discrimination. For instance, in 2019, a study revealed that an AI-driven credit assessment system used by a major financial institution was more likely to reject loan applications from minority communities due to historical biases in training data. Such instances highlight the necessity for continuous auditing and refinement of AI models to mitigate discriminatory practices in financial transactions. Additionally, AI models are susceptible to adversarial attacks, where malicious actors manipulate data inputs to trick fraud detection systems into misclassifying fraudulent transactions as legitimate.
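The continuous auditing called for above can be made concrete as a routine check on a fraud model’s decisions: it computes, per demographic group, the share of transactions flagged and the share of legitimate transactions wrongly flagged, then tests the between-group ratio and gap against tolerances. This is an added example, not code from the paper or any cited study; the decision sample, the group labels and the thresholds (0.8 for the flag-rate ratio, 0.1 for the false-positive-rate gap) are constructed assumptions.

```python
from collections import defaultdict

# Constructed audit sample of fraud-model decisions: (group, flagged_by_model, actual_fraud).
# Both groups contain the same number of real fraud cases (2 of 10), so a model that treats
# them alike should flag both at similar rates. Group B is over-flagged on purpose.
SAMPLE_DECISIONS = (
    [("A", True, True)] * 2 + [("A", True, False)] * 1 + [("A", False, False)] * 7
    + [("B", True, True)] * 2 + [("B", True, False)] * 4 + [("B", False, False)] * 4
)


def group_metrics(decisions):
    """Per-group flag rate (flagged / all transactions) and false-positive rate
    (legitimate transactions flagged / all legitimate transactions)."""
    totals = defaultdict(lambda: {"n": 0, "flagged": 0, "legit": 0, "legit_flagged": 0})
    for group, flagged, is_fraud in decisions:
        t = totals[group]
        t["n"] += 1
        t["flagged"] += int(flagged)
        if not is_fraud:
            t["legit"] += 1
            t["legit_flagged"] += int(flagged)
    return {
        group: {
            "n": t["n"],
            "flag_rate": t["flagged"] / t["n"],
            "fpr": t["legit_flagged"] / t["legit"] if t["legit"] else 0.0,
        }
        for group, t in totals.items()
    }


def audit_fraud_model(decisions, min_ratio=0.8, max_fpr_gap=0.1):
    """Disparate-impact style audit: the least-flagged group's flag rate divided by the
    most-flagged group's (a four-fifths rule analogue) and the widest false-positive-rate
    gap between groups. Returns the metrics plus a pass/fail verdict with findings."""
    metrics = group_metrics(decisions)
    flag_rates = [m["flag_rate"] for m in metrics.values()]
    fprs = [m["fpr"] for m in metrics.values()]
    ratio = min(flag_rates) / max(flag_rates) if max(flag_rates) else 1.0
    fpr_gap = max(fprs) - min(fprs)
    findings = []
    if ratio < min_ratio:
        findings.append(f"flag-rate ratio {ratio:.2f} is below {min_ratio}")
    if fpr_gap > max_fpr_gap:
        findings.append(f"false-positive-rate gap {fpr_gap:.2f} exceeds {max_fpr_gap}")
    return {
        "metrics": metrics,
        "flag_rate_ratio": ratio,
        "fpr_gap": fpr_gap,
        "passed": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_fraud_model(SAMPLE_DECISIONS)
    for group, m in sorted(report["metrics"].items()):
        print(f"group {group}: n={m['n']} flag_rate={m['flag_rate']:.2f} fpr={m['fpr']:.2f}")
    print("passed" if report["passed"] else "FAILED: " + "; ".join(report["findings"]))
```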
Another challenge lies in cross-border data conflicts, as AI-driven financial security tools require real-time financial data sharing across jurisdictions. For instance, the implementation of GDPR in the European Union has complicated data-sharing practices for multinational financial institutions, as it restricts the transfer of financial data outside EU borders. Similarly, China’s Cybersecurity Law imposes strict data localization requirements, creating compliance challenges for AI-driven financial tools operating across multiple jurisdictions. Many countries enforce strict data sovereignty laws, such as the General Data Protection Regulation (GDPR) in the European Union and China’s Data Protection Laws, which restrict the free flow of financial data across borders [36, 62].
To address these risks, implementing transparent AI algorithms with explainability features can reduce biases in fraud detection and ensure fairness. Establishing standardized AI security regulations at a global level would also contribute to ethical and secure AI deployment in financial systems. Furthermore, regulatory frameworks must include stringent cybersecurity measures to prevent adversarial attacks on AI models.
The security risks across these emerging financial technologies vary in nature. DeFi provides financial autonomy and reduces transaction costs but is susceptible to smart contract exploits, fraud, and a lack of centralized oversight, making regulatory enforcement challenging. CBDCs offer government-backed stability and improved financial inclusion but pose privacy concerns due to state surveillance risks and vulnerability to cyberattacks. AI-based RegTech enhances compliance automation and fraud detection capabilities, yet it introduces risks related to AI bias, adversarial attacks, and regulatory conflicts concerning data sovereignty [28].
The increasing adoption of DeFi, CBDCs, and AI-driven RegTech presents both opportunities and challenges in securing financial systems while ensuring compliance with data sovereignty principles. While these technologies improve efficiency, reduce fraud, and streamline regulatory compliance, they also disrupt traditional financial regulatory frameworks. In response, governments must strengthen cybersecurity regulations to ensure that emerging financial technologies incorporate robust security frameworks such as smart contract audits and AI risk assessments. Balancing innovation with consumer protection is essential, as DeFi and AI-driven finance must operate within ethical and secure boundaries. Ethical considerations should prioritize transparency in financial decision-making, ensuring AI-driven algorithms remain unbiased and fair. Additionally, consumer autonomy and informed consent must be safeguarded, particularly regarding data privacy and financial inclusion. Regulators and developers should also address the environmental impact of AI and blockchain technologies, promoting sustainable practices in financial innovation. Additionally, enhancing international cooperation on data sovereignty is critical in aligning global regulations to harmonize financial security and data governance policies. By embedding data sovereignty principles into financial security policies, regulators can foster technological innovation while safeguarding financial systems from emerging risks.
6 Discussion
The analysis of security within financial systems underscores the critical role of data sovereignty in mitigating cyber threats. Despite stringent regulatory frameworks and advanced technological interventions, high-profile incidents such as the Capital One and Equifax data breaches reveal persistent vulnerabilities that undermine financial data security. The interplay between compliance measures, technological limitations, and institutional risk management practices must be examined to contextualize the ongoing challenges in securing financial systems through data sovereignty.
The Capital One data breach serves as an illustrative case of the limitations inherent in cloud-based security frameworks. The attack, which exposed the personal and financial data of approximately 106 million individuals, was attributed to a misconfigured Web application firewall (WAF) that enabled an attacker to execute unauthorized commands via a server-side request forgery (SSRF) vulnerability [64]. The incident highlights a fundamental concern: while cloud computing offers scalability and efficiency, misconfigurations and insufficient monitoring mechanisms can compromise data integrity. Despite Capital One’s adherence to the NIST Cybersecurity Framework and its rigorous compliance posture, the breach underscores the discrepancy between regulatory compliance and actual security effectiveness [64]. The failure to proactively detect anomalous access patterns or implement more stringent Identity and Access Management (IAM) controls exemplifies the gap between policy adherence and operational resilience [64].
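The two gaps named above, an SSRF path that was not blocked and anomalous access that was not detected, map onto two controls: validating every client-supplied URL against the resolved address before the server fetches it, and alerting when one source accumulates rejected fetches. The following is an added example, not code from the paper or from Capital One; the blocked address ranges, the offline stand-in for DNS (FAKE_DNS), the hostnames, the request sample and the alert threshold are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Ranges a server-side fetch on behalf of a client must never reach: loopback,
# RFC 1918 private space, link-local, and their IPv6 counterparts (assumed policy).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example runs offline. One name resolves
# into private space, the case a hostname-only check would miss.
FAKE_DNS = {
    "partner-api.example.com": ["203.0.113.10"],
    "internal-db.corp.example": ["10.20.30.40"],
}


def is_blocked_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Decide whether the server may fetch a client-supplied URL.
    Returns (allowed, reason). Default-deny: unknown scheme, missing or
    unresolvable host, or any resolved address in a blocked range is rejected."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # IP literal: urlparse already strips IPv6 brackets from .hostname
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
        if not addrs:
            return False, f"unresolvable host {host!r}"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to {addr}, which is in a blocked range"
    return True, "ok"


# Constructed request sample: (source instance, URL the client asked the server to fetch).
SAMPLE_REQUESTS = [
    ("web-01", "https://partner-api.example.com/rates"),
    ("web-01", "http://169.254.7.7/"),
    ("web-01", "http://10.0.0.1/"),
    ("web-01", "http://127.0.0.1:8080/"),
    ("web-02", "https://partner-api.example.com/rates"),
    ("web-02", "http://internal-db.corp.example/"),
]


def evaluate_requests(requests):
    """Run the validator over each request and keep a per-request audit record."""
    return [(src, url, *check_outbound_url(url)) for src, url in requests]


def sources_to_alert(results, threshold=3):
    """Sources with at least `threshold` rejected fetches: repeated probing of
    blocked ranges from one instance is the access pattern worth alerting on."""
    rejected = {}
    for src, _url, allowed, _reason in results:
        if not allowed:
            rejected[src] = rejected.get(src, 0) + 1
    return sorted(src for src, count in rejected.items() if count >= threshold)


if __name__ == "__main__":
    results = evaluate_requests(SAMPLE_REQUESTS)
    for src, url, allowed, reason in results:
        print(f"{src} {'ALLOW' if allowed else 'BLOCK'} {url} ({reason})")
    print("alert on:", sources_to_alert(results))
```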
Similarly, the Equifax data breach of 2017, which compromised sensitive data belonging to 148 million individuals, demonstrates how regulatory oversight and internal cybersecurity deficiencies can converge to facilitate large-scale data exposure [65]. The breach resulted from the exploitation of an unpatched Apache Struts vulnerability, despite multiple advisories and patch releases prior to the attack [65]. The incident raises concerns regarding institutional accountability, particularly in patch management and vulnerability assessment protocols. While regulatory mandates such as the General Data Protection Regulation (GDPR) and the Fair Credit Reporting Act (FCRA) impose strict compliance requirements, the lack of enforceable technical standards and the delay in implementing security updates remain significant risk factors [65]. Furthermore, Equifax’s delayed disclosure and inadequate incident response strategies compounded the impact of the breach, leading to financial penalties and reputational damage [65].
These case studies collectively highlight the limitations of current regulatory frameworks in enforcing proactive cybersecurity measures. The Capital One breach exposed the risks associated with cloud misconfigurations, while Equifax’s failure to patch known vulnerabilities demonstrated weaknesses in regulatory enforcement and institutional accountability [64, 65]. Both incidents underscore the gaps in timely threat detection, patch management, and adaptive security controls within financial institutions. While compliance mandates serve as foundational guidelines, they do not inherently guarantee security. The persistence of AI-driven security failures, as seen in the delayed detection of anomalies in both Capital One and Equifax, suggests that financial institutions must enhance their adaptive security measures [64]. This necessitates a shift toward continuous compliance monitoring, AI-driven threat intelligence, and real-time access controls to mitigate emerging threats.
Moreover, regulatory enforcement mechanisms require evolution to bridge the gap between compliance and security effectiveness. The U.S. Securities and Exchange Commission’s (SEC) enforcement actions against financial institutions for inadequate cybersecurity measures highlight the need for stricter accountability. Similarly, the EU’s enforcement of GDPR penalties against firms failing to protect consumer data has led to increased investment in cybersecurity frameworks. However, gaps remain, as inconsistent enforcement across jurisdictions allows some institutions to evade stringent compliance, undermining overall security effectiveness. Financial institutions operating across multiple jurisdictions face challenges in harmonizing global regulatory expectations with localized data sovereignty requirements. The EU’s AI Act, for instance, categorizes AI systems based on risk levels, a framework that could provide a benchmark for AI-driven financial security models. However, such regulatory measures must be complemented by industry-driven best practices that emphasize secure coding, zero-trust architectures, and robust threat intelligence-sharing networks.
The future of securing financial systems through data sovereignty hinges on a multifaceted approach that integrates technological innovation, regulatory evolution, and institutional accountability. Decentralized financial technologies, including blockchain and privacy-preserving computation, offer promising avenues to enhance data sovereignty while mitigating centralization risks. For instance, JPMorgan Chase has successfully implemented blockchain-based payment systems to improve transaction security and efficiency, while several European banks have leveraged zero-knowledge proofs to enhance privacy in cross-border financial transactions [64]. However, their adoption must be accompanied by clearly defined governance models that ensure security without undermining compliance obligations. The equilibrium between regulatory compliance and technological agility remains a pivotal determinant in shaping the security landscape of financial institutions [64].
Ultimately, while security remains paramount, financial institutions must navigate the dual imperatives of compliance and innovation. The Capital One and Equifax breaches serve as cautionary narratives that reinforce the necessity of proactive security strategies, real-time threat mitigation, and the continuous evolution of regulatory frameworks to safeguard financial data sovereignty in an increasingly digitized financial ecosystem [64, 65].
7 Conclusions and future work directions
We evaluated 741 studies that focused on securing financial systems through data sovereignty, of which only 52 were deemed highly pertinent. The analysis illuminates the intricacy of the global regulatory environment, where the swift progression of Artificial Intelligence (AI) and digital technologies intersects with the urgent requirement for security, trust, and data independence. After analyzing countries and regions, the European Union (EU) emerged as a global pioneer in AI regulation, with frameworks such as the General Data Protection Regulation (GDPR) and the AI Act setting rigorous standards for data privacy and sovereignty. In addition to safeguarding private and financial information, these rules set international standards that influence policy well beyond the borders of the EU. This phenomenon, known as the Brussels Effect [5], has placed the EU at the forefront of regulatory development. Simultaneously, other regions, including the United Kingdom, India, the United States, and Japan, increasingly acknowledge the pressing need to establish robust legal and regulatory structures tailored to AI’s transformative influence on financial systems. However, despite the existence of numerous regulatory frameworks, our review pinpointed a significant gap in many of the 13 data sovereignty approaches analyzed: an insufficient emphasis on two critical pillars, security and trust. Security is of paramount importance in financial institutions, where a single cyberattack or data breach can severely undermine both operational integrity and consumer trust. Trust is equally essential, especially in AI-driven financial systems, where transparency and reliability are frequently under scrutiny. The lack of comprehensive strategies to address these pillars reveals a vulnerability in global financial infrastructures, particularly in developing regions that may lack the resources to deploy advanced security measures.
The gap highlights the more general difficulty of balancing innovation and regulation. Artificial Intelligence (AI) has the potential to significantly transform financial systems by improving risk assessment, fraud detection, and decision-making processes. However, AI must operate within frameworks that both support technological growth and provide strong security for sensitive data. This is especially important because decentralized technologies, such as blockchain, introduce new ways to secure financial data while also adding regulatory complexity. Although decentralization encourages autonomy, it risks creating conditions in which accountability and compliance are difficult to maintain in the absence of appropriate governance.
A notable limitation of this systematic review is its focus on peer-reviewed literature, which excludes grey literature such as industry reports and government documents. These sources often contain up-to-date information on practical implementations of regulations and technologies, which could provide additional context. The time frame of the study (2014–2024) might also limit its relevance, as rapidly evolving technological and regulatory environments may have introduced new challenges not covered in the selected studies. Also, this review does not consider the financial sector’s resistance to adopting new AI-driven security measures due to issues such as high costs, which could present practical barriers to implementing the strategies discussed.
The following fields should be given top priority in future research projects:
(1) Global Regulatory Harmonization: To guarantee the safe transfer of data across borders while upholding the concept of data sovereignty, future research should focus on harmonizing regulatory frameworks across countries. International regulatory agencies must work together to address these issues and to reconcile divergent national approaches, such as those of China and the European Union.
(2) Decentralized Technologies: Researching how decentralized technologies, such as distributed ledger technologies (DLTs) and blockchain, support the security of financial data is crucial. Research ought to examine how these technologies might be integrated into existing financial systems without compromising regulatory compliance.
(3) Ethical AI and Data Sovereignty: As AI develops further and transforms financial institutions, it is becoming increasingly important to address ethical concerns about algorithmic bias, transparency, and fairness. Future research should focus on creating frameworks that ensure AI models used in finance do not exacerbate existing disparities or compromise personal freedom.
(4) Building Trust in AI and Financial Technologies: Given the cautious uptake of FinTech services because of trust issues, research should concentrate on developing techniques to increase user confidence in AI-enabled financial solutions. This can entail strengthening cybersecurity protocols and developing transparent AI governance frameworks.
(5) Inclusive Financial Systems: Future studies should investigate how new technologies and legal frameworks might promote inclusivity in international financial systems, ensuring that vulnerable populations are not left out of the digital financial revolution.
Furthermore, exploring the role of decentralized technologies like blockchain and distributed ledger systems in achieving financial data sovereignty would provide valuable insights into new strategies for securing financial systems. Future research should also address the ethical implications of using AI in financial systems, particularly concerning transparency, algorithmic bias, and fairness.
Data availability
Not applicable.
References
Dailami, M. and Masson, P.: The new multi-polar international monetary system. In: Policy Research Working Papers. The World Bank (2009). https://doi.org/10.1596/1813-9450-5147
The European Financial Data Space (EFDS). Accessed: Oct. 29, 2024. [Online]. Available: https://www.european-financial-data-space.com/
Digital Aspects of The EU Single Market.
Bradford, A.: The Brussels effect. In: The Brussels Effect, 1st ed. Oxford University Press, New York. pp. 25–66 (2020). https://doi.org/10.1093/oso/9780190088583.003.0003
Novelli, C., Casolari, F., Rotolo, A., Taddeo, M., Floridi, L.: AI risk assessment: a scenario-based, proportional methodology for the AI act. Digit. Soc. 3(1), 13 (2024). https://doi.org/10.1007/s44206-024-00095-1
Lukings, M. and Habibi Lashkari, A.: Emerging topics in data sovereignty and digital governance. In: Understanding Cybersecurity Law in Data Sovereignty and Digital Governance, in Progress in IS. Springer International Publishing, Cham. pp. 205–277 (2022). https://doi.org/10.1007/978-3-031-14264-2_6.
Wang, Y.: Do not go gentle into that good night: the European Union’s and China’s different approaches to the extraterritorial application of artificial intelligence laws and regulations. Comput. Law Secur. Rev. 53, 105965 (2024). https://doi.org/10.1016/j.clsr.2024.105965
You, C.: Half a loaf is better than none: the new data protection regime for China’s platform economy. Comput. Law Secur. Rev. 45, 105668 (2022). https://doi.org/10.1016/j.clsr.2022.105668
Chauhan, M., Perera, I.M.: Artificial intelligence: promises, perils—and political economy. Fr. Polit. 22(2), 152–163 (2024). https://doi.org/10.1057/s41253-024-00240-9
Walsh, J. M., Varia, M., Cohen, A., Sellars, A. and Bestavros, A.: Multi-regulation computing: examining the legal and policy questions that arise from secure multiparty computation. In: Proceedings of the 2022 Symposium on Computer Science and Law, in CSLAW ‘22. Association for Computing Machinery, New York, NY, USA. pp. 53–65 (2022). https://doi.org/10.1145/3511265.3550445.
Taylor, R.D.: ‘Data localization’: the internet in the balance. Telecommun. Policy 44(8), 102003 (2020). https://doi.org/10.1016/j.telpol.2020.102003
Birudavolu, S. and Nag, B.: India’s regulatory environment and response to international trade issues. In: Business Innovation and ICT Strategies. Springer Singapore, Singapore. pp. 275–312 (2019). https://doi.org/10.1007/978-981-13-1675-3_10.
Schinasi, G. J. and International Monetary Fund, Eds.: Safeguarding financial stability: theory and practice. International Monetary Fund, Washington, DC. (2006).
General Data Protection Regulation (GDPR) – Legal Text. Accessed: Oct. 15, 2024. [Online]. Available: https://gdpr-info.eu/
The Basel Committee’s response to the financial crisis: report to the G20.
Zekos, G. I.: Digital politics, GDPR, and AI. In: Political, Economic and Legal Effects of Artificial Intelligence, in Contributions to Political Science. Springer International Publishing, Cham. pp. 473–511 (2022). https://doi.org/10.1007/978-3-030-94736-1_11.
Verri, B.: The Chinese frontiers of data protection: the personal information protection law (PIPL). In: Quo Vadis, Sovereignty?, Timoteo, M., Verri, B. and Nanni, R. Eds., in Philosophical Studies Series, vol. 154. Springer Nature Switzerland, Cham. pp. 181–197 (2023). https://doi.org/10.1007/978-3-031-41566-1_11.
Shandilya, S. K., Datta, A., Kartik, Y. and Nagar, A.: Navigating the Regulatory Landscape. In: Digital Resilience: Navigating Disruption and Safeguarding Data Privacy, in EAI/Springer Innovations in Communication and Computing. Springer Nature Switzerland, Cham. pp. 127–240 (2024). https://doi.org/10.1007/978-3-031-53290-0_3.
AI Credit Scoring: The Future of Credit Risk Assessment. Accessed: Oct. 23, 2024. [Online]. Available: https://www.datrics.ai/articles/the-essentials-of-ai-based-credit-scoring
G20 Osaka Leaders’ Declaration. Accessed: Oct. 16, 2024. [Online]. Available: https://www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf
Schumacher, L. V.: Central bank digital currencies (CBDCs): exploring characteristics, risks and benefits. In: Decoding Digital Assets. Springer Nature Switzerland, Cham. pp. 81–157 (2024). https://doi.org/10.1007/978-3-031-54601-3_12.
Kitchenham, B.A., et al.: Refining the systematic literature review process—two participant-observer case studies. Empir. Softw. Eng. 15(6), 618–653 (2010). https://doi.org/10.1007/s10664-010-9134-8
Moher, D., Liberati, A., Tetzlaff, J., Altman, D. G. and The PRISMA Group: Preferred reporting items for systematic reviews and meta-analyses: the PRISMA statement. PLoS Med. 6(7), e1000097 (2009). https://doi.org/10.1371/journal.pmed.1000097
Eckert, D.: Seeking digital sovereignty. In: 40 Years of European Digital Policies, in Professional Practice in Governance and Public Organizations. Springer Nature Switzerland, Cham. pp. 147–168 (2024). https://doi.org/10.1007/978-3-031-61641-9_9
Arner, D.W., Zetzsche, D.A., Buckley, R.P., Barberis, J.N.: The identity challenge in finance: from analogue identity to digitized identification to digital KYC utilities. Eur. Bus. Organ. Law Rev. 20(1), 55–80 (2019). https://doi.org/10.1007/s40804-019-00135-1
Arner, D. W., Barberis, J. and Buckley, R. P.: RegTech: building a better financial system. In: Handbook of Blockchain, Digital Finance, and Inclusion, Volume 1, Lee Kuo Chuen, D. and Deng, R. Eds., Academic Press, pp. 359–373 (2018). https://doi.org/10.1016/B978-0-12-810441-5.00016-6
Mavrogiorgou, A. et al.: FAME: Federated decentralized trusted data marketplace for embedded finance. In: 2023 International Conference on Smart Applications, Communications and Networking (SmartNets). pp. 1–6 (2023). https://doi.org/10.1109/SmartNets58706.2023.10215814.
Singi, K., Choudhury, S. G., Kaulgud, V., Bose, R. P. J. C., Podder, S. and Burden, A. P.: Data sovereignty governance framework. In: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, in ICSEW’20. Association for Computing Machinery, New York, NY, USA. pp. 303–306 (2020). https://doi.org/10.1145/3387940.3392212.
Liu, J., Peng, S., Long, C., Wei, L., Liu, Y. and Tian, Z.: Blockchain for data science. In: Proceedings of the 2020 2nd International Conference on Blockchain Technology, in ICBCT ‘20. Association for Computing Machinery, New York, NY, USA. pp. 24–28 (2020). https://doi.org/10.1145/3390566.3391681.
Altendeitering, M., Pampus, J., Larrinaga, F., Legaristi, J. and Howar, F.: Data sovereignty for AI pipelines: lessons learned from an industrial project at Mondragon corporation. In: Proceedings of the 1st International Conference on AI Engineering: Software Engineering for AI, in CAIN ‘22. Association for Computing Machinery, New York, NY, USA. pp. 193–204 (2022). https://doi.org/10.1145/3522664.3528593.
Barbereau, T., Bodó, B.: Beyond financial regulation of crypto-asset wallet software: in search of secondary liability. Comput. Law Secur. Rev. 49, 105829 (2023). https://doi.org/10.1016/j.clsr.2023.105829
Zambrano, R. and Sanchez-Torres, J. M.: AI public policies in Latin America: disruption or more of the same?. In: Proceedings of the 14th International Conference on Theory and Practice of Electronic Governance, in ICEGOV ‘21. Association for Computing Machinery, New York, NY, USA. pp. 25–33 (2022). https://doi.org/10.1145/3494193.3494294.
Tanda, A. and Schena, C.-M.: An attempt at synthesis: financial market digitalisation scenarios, opportunities and challenges. In: FinTech, BigTech and Banks, in Palgrave Macmillan Studies in Banking and Financial Institutions. Springer International Publishing, Cham. pp. 101–108 (2019). https://doi.org/10.1007/978-3-030-22426-4_6.
Curry, E. and Tuikka, T.: An organizational maturity model for data spaces: a data sharing wheel approach. In: Data Spaces, Curry, E., Scerri, S. and Tuikka, T. Eds. Springer International Publishing, Cham. pp. 21–42 (2022). https://doi.org/10.1007/978-3-030-98636-0_2
Outeda, C. C. and Cacheda, B. G.: Artificial intelligence: a reading from european politics. In: Digital Development of the European Union. Ramiro Troitiño, D., Kerikmäe, T. and Hamuľák, O. Eds. Springer International Publishing, Cham. pp. 363–381 (2023). https://doi.org/10.1007/978-3-031-27312-4_23.
Cui, Y.: AI laws and policies. In: Blue Book on AI and Rule of Law in the World Cui, Y. Ed., in Artificial Intelligence and the Rule of Law. Springer Nature Singapore, Singapore. pp. 51–152 (2021). https://doi.org/10.1007/978-981-99-9085-6_2.
Marwala, T.: Chapter 11-Cross-border data flow. In: Mechanism Design, Behavioral Science and Artificial Intelligence in International Relations, Marwala, T. Ed., Morgan Kaufmann, pp. 157–168 (2024). https://doi.org/10.1016/B978-0-443-23982-3.00011-7.
Walters, R. and Novak, M.: Cyber security. In: Cyber Security, Artificial Intelligence, Data Protection & the Law. Springer Singapore, Singapore. pp. 21–37 (2021). https://doi.org/10.1007/978-981-16-1665-5_2.
Walters, R.: Localisation. In: Cybersecurity and Data Laws of the Commonwealth. Springer Nature Singapore, Singapore. pp. 159–167 (2023). https://doi.org/10.1007/978-981-99-3935-0_7.
Liu, Z., and Hou, W.: Cybersecurity and data privacy in digital finance. In: Digital Finance. Springer Nature Singapore, Singapore. pp. 121–138 (2023). https://doi.org/10.1007/978-981-99-7305-7_8.
Cheng, S., Li, J., Luo, L., Zhu, Y.: Cybersecurity governance and digital finance: evidence from sovereign states. Finance Res. Lett. 65, 105533 (2024). https://doi.org/10.1016/j.frl.2024.105533
Sun, L., Zhang, H., Fang, C.: Data security governance in the era of big data: status, challenges, and prospects. Data Sci. Manag. 2, 41–44 (2021). https://doi.org/10.1016/j.dsm.2021.06.001
Rafik, M.: Data sovereignty: new challenges for diplomacy. In: Artificial Intelligence and Digital Diplomacy. Roumate, F. Ed., Springer International Publishing, Cham. pp. 33–43 (2021). https://doi.org/10.1007/978-3-030-68647-5_3.
Gawer, A., Bonina, C.: Digital platforms and development: risks to competition and their regulatory implications in developing countries. Inf. Organ. 34(3), 100525 (2024). https://doi.org/10.1016/j.infoandorg.2024.100525
Puaschunder, J.: Discussion. In: Advances in Behavioral Economics and Finance Leadership, in Contributions to Economics. Springer International Publishing, Cham. pp. 197–219 (2022). https://doi.org/10.1007/978-3-031-15710-3_7
Ignatov, A.: Global governance of cyberspace: the BRICS agenda. In: Digital International Relations. Baykov, A. and Zinovieva, E. Eds., Springer Nature Singapore, Singapore. pp. 305–327 (2023). https://doi.org/10.1007/978-981-99-3467-6_20.
Goniwada, S. R.: Health care and financial systems with decentralized identity. In: Introduction to One Digital Identity. Apress, Berkeley, CA. pp. 157–174 (2024). https://doi.org/10.1007/979-8-8688-0255-3_8.
Booth, J., Metz, W., Tarkhanyan, A. and Cheruvu, S.: Machine learning security and trustworthiness. In: Demystifying Intelligent Multimode Security Systems. Apress, Berkeley, CA. pp. 137–222 (2023). https://doi.org/10.1007/978-1-4842-8297-7_5.
Denni-Fiberesima, D.: Navigating the generative AI-enabled enterprise architecture landscape: critical success factors for AI adoption and strategic integration. In: Navigating the Technological Tide: The Evolution and Challenges of Business Model Innovation, Alareeni, B. and Hamdan, A. Eds., in Lecture Notes in Networks and Systems. vol. 1082. Springer Nature Switzerland, Cham. pp. 210–222 (2024). https://doi.org/10.1007/978-3-031-67434-1_20.
Dorfleitner, G. and Hornuf, L.: Need for regulation in the German FinTech market. In: FinTech and Data Privacy in Germany. Springer International Publishing, Cham. pp. 107–114 (2019). https://doi.org/10.1007/978-3-030-31335-7_6.
Stiefmueller, C. M.: New frontiers in cyberspace–recent European initiatives to regulate digital finance. In: Advances in the Human Side of Service Engineering. Leitner, C., Ganz, W., Satterfield, D. and Bassano, C. Eds., in Lecture Notes in Networks and Systems. vol. 266. Springer International Publishing, Cham. pp. 27–36 (2021). https://doi.org/10.1007/978-3-030-80840-2_3.
Mansfield-Devine, S.: Open banking: opportunity and danger. Comput. Fraud Secur. 2016(10), 8–13 (2016). https://doi.org/10.1016/S1361-3723(16)30080-X
Puschmann, T. and Of Liechtenstein, H. S. H. P. M.: Outlook. In: Financial System 2030, in Financial Innovation and Technology. Springer Nature Switzerland, Cham. pp. 159–166 (2024). https://doi.org/10.1007/978-3-031-55700-2_6.
Younas, A., Zeng, Y.: Proposing Central Asian AI ethics principles: a multilevel approach for responsible AI. AI Ethics (2024). https://doi.org/10.1007/s43681-024-00505-7
Xu, Y. and Li, Z.: Prudential regulation of the banking-like business of fintech companies in China. In: Commercial Banking in Transition. Bodellini, M., Gimigliano, G. and Singh, D. Eds., in Palgrave Macmillan Studies in Banking and Financial Institutions. Springer International Publishing, Cham. pp. 389–416 (2024). https://doi.org/10.1007/978-3-031-45289-5_18.
Whitney, C. D. and Norman, J.: Real risks of fake data: synthetic data, diversity-washing and consent circumvention. In: Proceedings of the 2024 ACM Conference on Fairness, Accountability, and Transparency, in FAccT ‘24. Association for Computing Machinery, New York, NY, USA. pp. 1733–1744 (2024). https://doi.org/10.1145/3630106.3659002.
Zekos, G. I.: Robo-Justice. In: Advanced Artificial Intelligence and Robo-Justice, Springer International Publishing, Cham. pp. 347–415 (2022). https://doi.org/10.1007/978-3-030-98206-5_11.
Tardieu, H.: Role of Gaia-X in the European data space ecosystem. In: Designing Data Spaces, Otto, B., Ten Hompel, M. and Wrobel, S. Eds., Springer International Publishing, Cham. pp. 41–59 (2022). https://doi.org/10.1007/978-3-030-93975-5_4.
Chen, J., Sun, J.: Understanding the Chinese data security law. Int Cybersecurity Law Rev. 2(2), 209–221 (2021). https://doi.org/10.1365/s43439-021-00038-3
Hammer, S.: Navigating the neural network: artificial intelligence in finance and recalibration of the regulatory framework. Social Science Research Network, Rochester, NY. 4988912 (2024). https://doi.org/10.2139/ssrn.4988912.
Rane, N., Choudhary, S.P., Rane, J.: Acceptance of artificial intelligence technologies in business management, finance, and e-commerce: factors, challenges, and strategies. Stud Econ Bus Relations 5(2), 23–44 (2024). https://doi.org/10.2139/ssrn.4842268
Foster, K., Blakstad, S., Gazi, S. and Bos, M.: Digital currencies and CBDC impacts on least developed countries (LDCs). Social Science Research Network. Rochester, NY. 3871301 (2021). https://doi.org/10.2139/ssrn.3871301
Castellano, G. G., Selga, E. and Arner, D. W.: The emergence of financial data governance and the challenge of financial data sovereignty. Social Science Research Network, Rochester, NY. 4937954 (2024). https://doi.org/10.2139/ssrn.4937954
Novaes Neto, N., Madnick, S. E., Moraes de Paula, A. and Malara Borges, N.: A case study of the Capital One data breach. SSRN Electron. J. (2020). https://doi.org/10.2139/ssrn.3542567
Thomas, J. E.: A case study analysis of the Equifax data breach. (2019). https://doi.org/10.13140/RG.2.2.16468.76161
Acknowledgements
The authors acknowledge the support of their respective institutions (Sri Sri University and Institute for Energy Technology) in completing this work.
Funding
Open access funding provided by Institute for Energy Technology. No funding.
Author information
Contributions
All authors contributed equally.
Ethics declarations
Conflict of interests
The authors declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with animals performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Cite this article
Patil, A., Mishra, B., Chockalingam, S. et al. Securing financial systems through data sovereignty: a systematic review of approaches and regulations. Int. J. Inf. Secur. 24, 159 (2025). https://doi.org/10.1007/s10207-025-01074-4
DOI: https://doi.org/10.1007/s10207-025-01074-4