What Should Your Institution Do? A Roadmap by Size, Charter, and Ambition
By: Paul Schaus
April 22, 2026
Every January, bank boards across the country sit through strategy presentations filled with the same buzzwords, AI, digital transformation, cloud, real-time payments, and customer experience. The slides are polished. The vendor promises are compelling. And by March, most institutions have committed budgets to a dozen initiatives without a clear answer to the only question that actually matters, given who we are, what should we do first? I have sat in hundreds of those boardrooms over a career that started as a teller and eventually took me through management training, executive leadership, de novo bank startups, and managing U.S. bank operations in Europe. The pattern is always the same. The institutions that try to do everything end up doing nothing well. The ones that match their ambitions to their resources and then execute with discipline are the ones that win.
The nine articles preceding this one have laid out the technology landscape: agentic AI, stablecoins, payments modernization, the lending transformation, cybersecurity, customer experience, core modernization, and the governance imperatives that tie them together. Seventeen industry reports converge on remarkably similar conclusions about where banking is headed. But no research report can tell a $400 million community bank in rural Kansas and a $60 billion regional institution and a fintech in Phoenix the same thing. Their resources are different. Their competitive pressures are different. Their regulatory obligations are different. And their paths forward should be different too.
What follows is my honest assessment, drawn from decades of building, running, and advising financial institutions of what each category of institution should prioritize right now, and what they should stop pretending they can do.
If you lead a community bank under $10 billion in assets, you have a trust advantage that no amount of technology spending by your larger competitors can replicate. I know this because I helped build that trust from the ground up when I was involved in starting multiple de novo banks. There is nothing that teaches you the value of community relationships faster than opening doors for the first time and asking people to deposit their money in an institution that did not exist six months ago. That trust is your greatest asset and technology should amplify it, not replace it.
CSI's 2026 survey shows 86 percent of community bank leaders are optimistic about their technology prospects, and they should be, but only if they resist the temptation to chase every trend in this series simultaneously. I like to call the shiny object syndrome. Community banks cannot and should not try to build agentic AI platforms, issue stablecoins, or construct enterprise data lakes. They should focus on three things that will determine their competitive survival.
First, modernize the lending experience. BAI's research identifies $130 billion in SMB lending revenue across 34.8 million small businesses, and community banks are the natural providers of that credit. I learned as a young banker working my way up through management that small business owners choose their bank based on two things: whether they trust you and whether you can move at the speed their business requires. Trust is already there. The speed is not. You will lose those relationships if a small business owner can get a working capital decision from an online lender in four hours while your process takes four weeks. Invest in automated underwriting for credits below a defined threshold, say $250,000 with streamlined documentation, digital application intake, and decisioning timelines measured in hours. Keep your relationship managers focused on the complex credits where local knowledge and human judgment genuinely matter.
Second, get serious about cybersecurity. You do not need a 50-person security operations center, but you do need a managed security service provider that delivers 24/7 monitoring, AI-driven threat detection, and incident response capabilities. The interagency computer-security incident notification rule requires notification within 36 hours, and community banks without monitoring infrastructure will not even detect the incident in time to comply. When I ran bank operations overseas, I saw how a single security incident could cascade across borders and jurisdictions in ways that domestic-only institutions rarely contemplate. Cybersecurity is the one area where underinvestment is existential, regardless of your size.
Third, demand more from your core vendor. CSI reports that 69 percent of community banks plan to stay with their current core provider, which is fine, but vendor loyalty does not require technological complacency. Push your vendor for a credible API strategy, cloud-native deployment options, and a modernization roadmap with specific milestones. If your vendor cannot articulate where their platform will be in three years, start the conversation about alternatives now, not when your contract is up for renewal and your leverage is gone.
What community banks should stop doing: stop trying to build custom AI models, stop investing in blockchain pilots, and stop sending your CEO to conferences about technologies your institution will never deploy directly. Instead, focus on consuming AI capabilities embedded in your existing vendor platforms, fraud detection, credit scoring, customer analytics and governing those capabilities under the proportionate framework that OCC Bulletin 2025-26 explicitly provides for community institutions. The OCC's shift toward risk-based examination approaches rather than fixed requirements is a genuine opportunity. Use it.
Regional banks between $10 billion and $100 billion in assets occupy the most strategically interesting position in American banking. You have enough scale to invest meaningfully in technology, enough customer relationships to generate valuable data, and enough organizational complexity to benefit from AI-powered operations. You also face the most acute competitive pressure squeezed from above by the top 50 banks with their massive technology budgets and from below by community banks and credit unions with lower cost structures and deeper local relationships. Having worked my way through the management ranks at institutions of varying sizes, I understand the particular challenge of the middle: you are expected to deliver the digital sophistication of the largest banks with a fraction of the resources. Your survival depends on turning your middle position from a liability into an advantage.
The single most important investment for a regional bank in 2026 is data unification. As I argued in my article "The Great Rebuild Core Modernization Data Infrastructure, and Cloud", most banks have a data problem masquerading as an AI problem. For regional banks, this is particularly acute because you have enough data across enough product lines and customer segments to generate genuinely valuable insights but only if that data is unified, clean, and accessible in real time. Every dollar you spend on AI, personalization, or analytics before solving the data integration problem is a dollar partially wasted. Build the data foundation first. Everything else accelerates from there.
Second, build a real AI governance capability. Not a policy document that sits in a compliance folder, but a cross-functional team with the authority to approve AI use cases, validate models, monitor performance, and shut down deployments that drift outside acceptable parameters. Experian reports that 87 percent of institutions expect convergence of credit, fraud, and compliance functions. Regional banks are the right size to lead that convergence, large enough to justify the investment, small enough to execute without the bureaucratic complexity that slows the top 50. SR 11-7 and the CFPB's guidance on AI credit decisioning provide the regulatory scaffolding. Build the organizational muscle around it.
Third, attack the private credit threat directly. Capgemini's data showing $1.7 trillion in global private credit assets represents capital that used to flow through bank balance sheets. Regional banks should be building direct lending capabilities, co-origination partnerships, and structured finance platforms that compete on speed and flexibility while maintaining bank-grade credit discipline. The OCC and FDIC's December 2025 rescission of the interagency leveraged lending guidance gives you more room to compete. Use it but use it wisely, deregulation is not an invitation to abandon underwriting standards. I have seen what happens when banks confuse deregulation with permission to lower credit standards, and the results are always the same.
What regional banks should stop doing is stop running thirty AI pilots without scaling any of them. EY's finding that 60 to 70 percent of organizations fail to scale AI beyond pilots should alarm every regional bank CTO. Three AI applications in production with measurable business impact are worth more than thirty experiments in various stages of completion. Appoint a Chief Transformation Officer or equivalent who owns cross-functional execution and has the authority to kill projects that are not progressing toward production.
If you are among the fifty largest banks in the United States, you have resources that the rest of the industry can only envy, technology budgets in the billions, data assets covering millions of customer relationships, and the organizational capacity to pursue multiple transformation initiatives simultaneously. You also have the weight of legacy complexity, regulatory intensity, and organizational politics that can turn those advantages into liabilities. Having managed bank operations across international borders, I can tell you that the complexity challenge at the top 50 is not just a domestic phenomenon, it compounds exponentially when you add cross-border regulatory requirements, multi-currency operations, and the cultural dimensions of serving customers across geographies.
The top 50 should be leading the industry on agentic AI at enterprise scale. Accenture's research on AI-first credit systems, EY's vision of intelligent agent ecosystems, and Deloitte's work on spatial computing and ambient intelligence are describing a future that the largest banks have the resources to build now. The competitive advantage will go to institutions that move beyond departmental AI deployments to enterprise-wide intelligent automation, where AI agents coordinate across credit, operations, compliance, and customer service to deliver outcomes that no siloed implementation can match.
Stablecoins and tokenized deposits are squarely in the top 50's domain. The GENIUS Act, signed in July 2025, creates a framework that favors well-capitalized, well-governed issuers which is a description of the largest banks. Comptroller Jonathan Gould has emphasized technology-neutral, risk-based supervision. My experience managing U.S. bank operations in Europe gave me an early window into how digital assets and cross-border payment innovations develop in markets with different regulatory frameworks. The lessons are transferable: the institutions that establish infrastructure early own the rails for the next decade. The banks that establish stablecoin and tokenized deposit capabilities in 2026 will own the infrastructure of programmable money. Those that wait will be renting access from competitors or fintech partners.
The talent reconstruction that EY describes is most urgent at the top 50. Deloitte's 93/7 spending imbalance, 93 percent on technology, 7 percent on people is most pronounced at the largest institutions, where the gap between technological capability and organizational readiness is widest. I started my banking career in a management training program that invested heavily in developing people across every function of the bank, credit, operations, compliance, and customer service. That model of comprehensive talent development has largely disappeared at the biggest institutions, replaced by hyper-specialization that produces deep expertise in narrow domains but very few leaders who understand the whole enterprise. Every large bank I advise has more AI technology than has people capable of deploying, governing, and extracting business value from that technology. Rebalance investment. Rebuild the management development programs that produced the generation of bankers who actually understand how all the pieces fit together.
Credit unions occupy a unique position in this landscape. Your cooperative structure, member-first mission, and community embeddedness create a trust advantage that commercial banks spend billions trying to replicate through marketing. But trust alone is not a technology strategy, and the expectations of your members are shaped by every digital experience they have not just the ones you provide. When a member can deposit a check, transfer money, and check their balance through a banking app in seconds, they expect the same experience from their credit union.
The NCUA has taken a thoughtful approach to AI oversight, aligning its guidance with the NIST AI Risk Management Framework and grounding supervisory expectations in existing third-party risk management frameworks rather than creating bespoke AI regulations. This gives credit unions a stable governance foundation. The updated NCUA AI resource hub, issued in early 2026, consolidates the technical and policy references that federally insured credit unions need to evaluate and deploy AI responsibly.
My strongest recommendation for credit unions is to embrace the CUSO model aggressively for technology investment. No individual credit union under $5 billion in assets can justify the cost of building AI capabilities, real-time fraud detection platforms, or cloud-native core infrastructure independently. But a consortium of twenty credit unions, pooling resources through a technology CUSO, absolutely can. The cooperative model that defines the credit union movement should extend to technology strategy, shared investment in digital banking innovation with costs distributed across the membership. Credit unions that try to go it alone on technology will either overspend relative to their asset base or underinvest relative to member expectations.
Focus your direct investment on three things: digital lending that rivals fintech speed for consumer and small business loans, member-facing AI that personalizes the experience without losing the human touch that differentiates you, and cybersecurity that protects the trust your members have placed in you. I learned at my first banking job that every interaction is personal and the member standing in front of you is trusting you with their financial life. That truth has not changed in the digital age. It has simply moved from the teller line to the mobile app. Everything else should be consumed through vendor partnerships, CUSO collaborations, or shared services.
The fintech landscape in 2026 looks nothing like it did three years ago. The era of regulatory arbitrage, operating lending, payments, and deposit-like products outside the banking regulatory perimeter is closing. The OCC received 14 de novo charter applications in 2025 alone, nearly matching the total from the prior four years, with many from fintech and digital-asset companies seeking to move core activities inside the regulated banking perimeter rather than relying on third-party bank partnerships. The OCC has already approved four new applications in early 2026 and received more than seven additional applications in barely two and a half months.
I have a perspective on de novo chartering that most fintech advisors lack. I have actually done it. Starting a bank from scratch is one of the most demanding undertakings in financial services. The charter application is just the beginning, you need a credible board, sufficient capital, a viable business plan that satisfies regulators, compliance infrastructure from day one, and the operational capacity to survive the intensified examination schedule that every de novo institution faces for its first several years. Fintechs considering this path should understand that a bank charter is not a license to operate the way you have been operating with a regulatory seal of approval. It is a fundamentally different business model with fundamentally different obligations.
This is the most consequential strategic decision any fintech will make in the next two years: do you pursue a charter and accept the full weight of bank regulation, or do you maintain your partnership model with the governance maturity that regulators now demand? The FDIC has signaled more flexibility with certain customer identification requirements for bank-fintech partnerships, and the interagency third-party risk management guidance provides a workable framework for well-governed partnerships. But the consent orders of 2024 and the CFPB's continued scrutiny of BNPL and embedded lending make clear that the partnership model requires genuine compliance infrastructure, not a fig leaf of bank oversight layered over fintech operations.
My advice to fintech leaders is blunt, if your compliance function is smaller than your marketing team, you have a problem that no amount of growth will solve. The fintechs that will survive the current regulatory correction are the ones building compliance, risk management, and governance capabilities that would satisfy a bank examiner, whether or not they ever apply for a charter. Those capabilities are not a cost of doing business. They are the price of admission to the next phase of financial services, where the regulatory perimeter encompasses anyone who touches consumer financial products, regardless of what they call themselves.
Across all five categories, community, regional, top 50, credit union, and fintech, three priorities are universal. Governance is not optional, regardless of size; the framework should be proportionate, but it must exist. Data quality is the foundation that determines whether every other technology investment succeeds or fails. And talent attracting, developing, and retaining people who understand both technology and banking is the constraint that no amount of software spending can overcome.
I have seen this industry from every vantage point, from behind the teller window where I learned that banking is ultimately about people trusting you with their money, through the management ranks where I learned that execution matters more than strategy, to the executive suite where I learned that culture determines which institutions thrive and which merely survive, to starting banks from nothing where I learned that everything depends on getting the fundamentals right from the beginning, to managing international operations where I learned that the principles of sound banking are universal even when the regulations differ.
The institutions that act on the priorities outlined in this series will be the ones writing the next chapter of financial services. The ones that wait will be reading about it. The common thread in every success story I have witnessed over a career that spans the full arc of modern banking is the same, leaders who had the courage to invest ahead of certainty and the discipline to govern what they built. The research in this series provides the map. The rest is leadership.
CSI/CITE Research, 2026 Banking Priorities Executive Report (October 2025 survey)
BAI/ProSight, 2026 Banking Outlook Executive Report (SMB lending opportunity)
Accenture, Banking Tech Trends Report 2026
EY, Reconstructing the Financial Paradigm Through Intelligent Agents
Deloitte, 2026 Banking & Capital Markets Outlook; Tech Trends 2026
Capgemini, World CIB Report 2026 (private credit findings); Top Trends 2026 Banking
Experian, Global Insights 2026: 7 Shifts (AI accountability, credit-fraud-compliance convergence)
Finastra, Financial Services State of the Nation Survey 2026
11:FS, Making Embedded Banking Work
S&P Global, Banks Outlook 2026
NCUA, Credit Union Artificial Intelligence (AI) Resources (updated January 2026)
OCC, Comptroller Jonathan Gould Remarks on AI Oversight; OCC Bulletin 2025-26; National Bank Chartering NPR (January 2026)
FDIC, Rightsizing Regulation to Promote American Opportunity (2026 remarks)
OCC Bulletin 2025-44, Rescission of Interagency Leveraged Lending Guidance (December 2025)
Interagency Guidance on Third-Party Relationships: Risk Management (2023)
CFPB, Winter 2025 Supervisory Highlights: Advanced Technologies Special Edition
Interagency Computer-Security Incident Notification Rule (2021)
GENIUS Act (signed July 18, 2025)
This concludes the Bank Technology Trends 2026 series by Paul Schaus, CEO of CCG Catalyst Consulting.
CCG Catalyst Consulting is a banking and fintech advisory firm that has guided over 600 financial institutions through core modernization, digital transformation, AI strategy, payments, contract negotiations, and M&A. Through its Bankers Fintech Council, CCG Catalyst also bridges the gap between banks and fintechs to accelerate responsible innovation. Managing Partner Paul Schaus is a recognized Top 25 Financial Services Consultant, and subject matter expert in banking, bringing experience across every level of the industry to the firm's advisory practice. Learn more at www.ccgcatalyst.com
