AI Pulse Daily Brief | 2026-04-28
Dutch cabinet opens AI Act implementation consultation with AP as lead supervisor and June 1 deadline. Unpatched MCP protocol flaw exposes banking AI infrastructure. Treasury and Fed brief bank CEOs on Mythos zero-day threat. MATCH Act advances ASML DUV ban toward floor vote. FCA launches live AI testing with Barclays and Lloyds.
Top signal
Dutch cabinet publishes AI Act implementation bill; AP designated lead supervisor, consultation closes June 1. Authority
Signal: Staatssecretaris Aerdts submitted the Uitvoeringswet AI-verordening on April 20, designating the Autoriteit Persoonsgegevens as the national competent authority for AI Act domains not covered by DNB or AFM, with the Rijksinspectie Digitale Infrastructuur in a coordinating role; consultation closes June 1.
Relevance: This resolves the central supervisory uncertainty for Dutch banks under the AI Act, and the June 1 deadline is a narrow window to shape national implementing rules before they enter parliamentary debate.
Consider: Assess whether to submit a position paper to the internetconsultatie before June 1, particularly on how AP's high-risk AI system oversight intersects with DNB prudential supervision.
Security
Unpatched MCP flaw exposes up to 200,000 AI instances as Anthropic declines to remediate. Media
Signal: OX Security disclosed an RCE vulnerability in Anthropic's MCP SDK affecting an estimated 200,000 instances across 150 million downloads; Anthropic called the behaviour "expected" and declined to patch.
Relevance: Banks using MCP-compatible agentic tooling carry DORA third-party risk liability regardless of upstream remediation, and the vendor's refusal to fix makes this a design-level exposure for the AI vendor risk register.
Consider: Confirm which internal agentic AI deployments use MCP-connected tooling and verify input sanitisation at every tool-invocation boundary.
American Banker | Infosecurity Magazine
Treasury and Fed brief bank CEOs on Mythos zero-day risk; fewer than 1% of flagged vulnerabilities patched. Advisory
Signal: Sullivan & Cromwell documented an April 15 meeting where Bessent and Powell warned bank CEOs that Claude Mythos autonomously discovers zero-days across operating systems and browsers; fewer than 1% of vulnerabilities shared with vendors have been patched.
Relevance: An unprecedented government-to-bank-CEO briefing on a single AI model's threat signals that European supervisors are likely to follow within 12 months.
Consider: Assess whether the bank's patch management cadence is calibrated for AI-discovered zero-days at scale, before DNB or ECB issue analogous advisories.
Regulatory
Digital Omnibus trilogue today; GDPR Article 4 "relative approach" to personal data on the agenda. Institute
Signal: The April 28 trilogue includes a proposal under which whether data is personal depends on the means available to each controller, plus replacement of 27 national DPIA lists with one EU-wide template.
Relevance: For a bank with extensive data-linking capabilities, the relative approach could reclassify datasets currently treated as pseudonymised, requiring changes across data-sharing agreements and processing registers.
Consider: Check whether pseudonymisation classifications in the bank's data governance are absolute or controller-relative, since a political agreement today would signal the change is coming.
Perspectives
The Mythos meeting focused on the wrong AI risk: fraud, not cyber intrusion, is the unaddressed threat. Corporate
Signal: Dr. Shlomit Wagman argued in Fortune that the Treasury/Fed Mythos briefing concentrated on cyber-intrusion while ignoring AI-generated phishing, voice clones, and synthetic video that convince customers to authorise transactions at near-zero marginal cost.
Relevance: The higher-probability threat to a retail bank is machine-generated social engineering that bypasses perimeter defences entirely, a risk that received no equivalent mobilisation in the government response.
Consider: Evaluate whether fraud controls are calibrated for machine-generated social engineering at scale or still built for pre-generative-AI fraud volumes.
Netherlands & Sovereignty
MATCH Act clears House committee; ASML DUV ban advances with 150-day Dutch response window. Media
Signal: The MATCH Act passed the House Foreign Affairs Committee on April 22, targeting ASML DUV lithography exports to China; Bank of America estimates a full ban could reduce ASML revenues by 14-15%.
Relevance: Committee clearance raises the probability of a floor vote and triggers a 150-day window in which the Dutch government must demonstrate equivalent controls or face unilateral US action via the Foreign Direct Product Rule.
Consider: Review whether investment and credit exposure to ASML-linked entities accounts for this revenue disruption scenario, with the Dutch response deadline around late September.
Industry & competition
UK FCA selects Barclays, Lloyds, UBS and five others for live AI testing with real customers. Media
Signal: Eight firms will test AI in live market conditions under FCA oversight from April through December 2026, with an assessment report due Q1 2027.
Relevance: This is the first regulator-supervised live AI testing programme in financial services, and European regulators have historically adopted FCA innovation approaches within 12 to 18 months.
Consider: Track Q1 2027 results as a leading indicator of what structured AI deployment pathways European regulators could introduce for Dutch banks.
On the radar
- A financial services firm replaced its QA team with AI, saving $1.2M annually; the system then generated a pricing error costing $6M, a 5x loss-to-saving ratio. QA Financial
- Anthropic acknowledged three engineering changes degraded Claude for up to six weeks without notifying enterprise users, including a reasoning downgrade and a caching bug. The Register
- France is migrating its Health Data Hub from Microsoft Azure to Scaleway on CLOUD Act grounds, establishing the most concrete EU precedent for sovereign data repatriation. Euronews