US AI governance for financial services, the 2026 regulatory landscape
US financial services AI governance is shaped by sector-specific regulation from multiple agencies, each with enforcement authority. There is no single federal AI law, but the combination of existing statutes, new supervisory guidance, and active enforcement creates a substantive and enforceable framework.
Federal Reserve SR 26-2 (17 April 2026)
The most significant recent development. SR 26-2, Supervisory Guidance on Model Risk Management Including Artificial Intelligence, supersedes SR 11-7 for banks and holding companies with $30 billion+ in total consolidated assets. It requires: materiality-tiered model risk management (not all AI systems get the same governance); continuous validation replacing annual revalidation; board-level accountability for AI governance; explicit treatment of AI and machine learning models including generative AI. Footnote 3 excludes "stand-alone" GenAI tools from the full MRM framework but expects governance appropriate to the risk. Federal Reserve, OCC, and FDIC issued it jointly, reflecting supervisory consensus.
CFPB
The Consumer Financial Protection Bureau has been active on AI credit and lending decisions. ECOA and FCRA adverse action notice requirements apply fully to AI-driven decisions, lenders cannot hide behind algorithmic complexity to avoid providing specific denial reasons. The CFPB has pursued enforcement actions involving AI in credit, collections, and servicing.
SEC
The SEC has focused on AI in broker-dealer and investment adviser contexts: AI-driven investment recommendations, predictive data analytics, and the use of AI in securities marketing (including "AI washing", misleading claims about AI capabilities). The SEC's 2024 proposed rules on predictive data analytics remain under consideration.
OCC
The OCC's Model Risk Management guidance (OCC 2011-12) applies to AI models in national banks. The OCC participates in the interagency SR 26-2 framework. OCC examiners increasingly assess AI governance during examinations.
State regulation
State regulators and laws add another layer: Colorado's AI Act was repealed and replaced by SB 189 (a narrower disclosure-based law effective 1 January 2027); NYC AEDT law (effective since July 2023) regulates automated employment decision tools; Illinois BIPA and Illinois AI Video Interview Act; multiple states have introduced AI insurance regulation. State attorneys general have enforcement authority under consumer protection statutes that apply to AI.
What financial services firms should do
For banks >$30B: implement SR 26-2 immediately, this is current supervisory guidance. For all financial services: maintain an AI model inventory with materiality classification; implement validation appropriate to risk tier; establish board reporting on AI risk; include AI-specific provisions in vendor contracts; prepare for examination questions on AI governance. For consumer-facing AI: ensure adverse action notice compliance; implement fair lending testing for AI credit models; monitor CFPB enforcement developments.
Primary sources: Federal Reserve SR 26-2 · CFPB · OCC
Related reading
- AI Governance for Financial Services: Regulators Are Watching
- AI Controls for Financial Services: The Framework Your Regulator Expects to See
- AI Governance in Financial Services: The Complete Regulatory and Operational Guide for 2026
- AI Governance in Financial Services: The Complete 2026 Compliance Map