This article is currently available in English only.
AI Controls for Financial Services: The Framework Your Regulator Expects to See
Financial services regulators globally (APRA, FCA, Federal Reserve, MAS, ECB) have all published guidance that implicitly or explicitly requires AI controls. Here is the complete controls framework for financial services firms, mapped to regulatory expectations.
Key Takeaways
APRA, FCA, the Federal Reserve, MAS, and ECB/EBA have all published guidance creating explicit or implicit AI controls expectations. These are not advisory — they form the basis of supervisory examinations and can trigger enforcement where AI governance failures cause harm.
The regulatory minimum: every financial services firm using AI in consequential decisions (credit, insurance, trading, advice, customer assessment) should have: an AI model inventory; pre-deployment validation requirements; ongoing performance monitoring; demographic bias testing; board-level AI risk reporting; and an AI incident response process.
APRA's CPS 230 (effective 1 July 2025) and its risk management practice guide CPG 220 create the most comprehensive Australian framework: AI used in critical operations or material business decisions requires governance, validation, and monitoring controls equivalent to those applied to traditional financial models.
The FCA's Consumer Duty requires financial firms to evidence, not just assert, that AI-driven customer decisions produce good outcomes. This requires a detective controls infrastructure: ongoing monitoring of AI customer outcomes, demographic analysis, and complaint tracking.
The Federal Reserve's SR 11-7 model risk management guidance, adopted by OCC and FDIC for their supervised institutions, explicitly covers AI and machine learning models — validation, ongoing monitoring, and use limitation controls are regulatory expectations for US banks and thrifts.
MAS FEAT principles and the Veritas assessment framework establish Singapore-specific controls expectations — fairness testing, explainability, and accountability documentation are the Singaporean regulatory baseline for financial services AI.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for guidance on your specific situation."
The global regulatory baseline for financial services AI controls
Financial services regulators have moved from guidance to examination-ready expectations for AI controls. Understanding what each major regulator expects — and how their expectations overlap — allows financial services firms to design a controls framework that satisfies multiple regulatory requirements with a unified approach.
APRA: Australia
APRA's risk management practice guide (CPG 220) and the CPS 230 operational risk management standard together create the most comprehensive Australian AI controls framework. CPG 220 applies to all APRA-regulated entities, and its expectations for models extend to AI models used in material business decisions. Key control requirements: a model inventory (all material AI models documented); pre-deployment validation (independent review before deployment); ongoing performance monitoring (regular assessment against defined thresholds); use limitation (AI used only within its validated scope); model change management (revalidation when an AI model is significantly changed); and model risk reporting (board and management visibility of model risk, including AI).
CPS 230 adds operational resilience requirements. AI systems that support critical operations (CPS 230's term for the business processes whose disruption beyond tolerance would have a material adverse impact on customers or on the entity's role in the financial system) are critical resources requiring maintenance, monitoring, and resilience planning. Third-party AI providers that support critical operations are material service providers requiring due diligence and contract provisions. AI incidents are operational risk incidents requiring root cause analysis, and an incident with a material financial impact, or a material impact on the entity's ability to maintain its critical operations, must be notified to APRA as soon as possible and no later than 72 hours after the entity becomes aware of it.
FCA: United Kingdom
The FCA's consumer outcomes framework — driven by Consumer Duty but also including the Senior Managers and Certification Regime, Treating Customers Fairly, and product governance requirements — creates a controls expectation that is different in structure from traditional MRM but equally demanding. The FCA expects financial firms to demonstrate, through data, that their AI produces good outcomes for retail customers.
This requires detective controls infrastructure: ongoing monitoring of AI customer outcomes (what are the rates of declined applications, rejected claims, and adverse terms across customer segments?); demographic analysis (do outcomes differ materially across demographic groups?); complaint monitoring (are customer complaints indicative of systematic AI problems?); and mystery shopping or other sampling approaches to verify that AI-generated customer communications are clear and fair. The FCA has published guidance on fair treatment of vulnerable customers that applies to AI customer-facing systems — firms must identify and accommodate customers who may be disadvantaged by AI interactions.
Federal Reserve / OCC: United States
SR 11-7 (2011, superseded April 17, 2026 by SR 26-2) was the Federal Reserve's foundational model risk management guidance, adopted by OCC and FDIC. SR 26-2 preserves the core principles while shifting to a risk-based, materiality-tiered approach. It explicitly covers AI and machine learning: "The use of models across the financial services industry has grown rapidly in recent years, particularly with the adoption of complex models that employ sophisticated analytical methods, including machine learning and artificial intelligence."
The control requirements carried over from SR 11-7: conceptual soundness review (is the modelling approach appropriate and well founded?); outcomes analysis (does the model perform as expected on historical and new data?); ongoing performance monitoring (regular assessment of model accuracy and stability, with defined thresholds that trigger investigation or revalidation); and use controls (limitations on where the model can be used, and by whom). For AI models, validation in practice extends these elements with bias testing, explainability assessment, and adversarial robustness testing. The guidance does not name these tests, but it expects validation rigour to be commensurate with a model's complexity and materiality, which for machine learning models brings them into scope.
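Ongoing performance monitoring against defined thresholds, as an added example (not code from the article, and not from any regulator's material): a Python check that compares the model's accuracy on recent labelled outcomes with the accuracy recorded at validation, and computes the Population Stability Index (PSI) of the current score distribution against the validation sample. The choice of PSI as the stability metric, the thresholds, and the sample data are all assumptions made for this example; a firm would take its own figures from the validation report and its risk appetite.

```python
"""Ongoing performance and stability monitoring for a deployed model.

Added example, not part of the original article. Thresholds and the use
of PSI are assumptions for illustration, not figures from any regulator.
"""
import bisect
import math
from typing import Dict, List, Sequence, Tuple

# Assumed thresholds (common industry conventions; set them from your own
# validation report and risk appetite, not from this file).
PSI_INVESTIGATE = 0.10     # noticeable shift in score distribution: investigate
PSI_REVALIDATE = 0.25      # material shift: stop relying on the model, revalidate
ACCURACY_TOLERANCE = 0.05  # allowed drop below the accuracy established at validation


def population_stability_index(baseline: Sequence[float], current: Sequence[float],
                               bin_edges: Sequence[float], eps: float = 1e-4) -> float:
    """PSI = sum over bins of (current% - baseline%) * ln(current% / baseline%).

    Scores are binned by the ascending bin_edges; an empty bin is floored at
    eps so the logarithm stays defined (and the drift still registers).
    """
    def distribution(scores: Sequence[float]) -> List[float]:
        counts = [0] * (len(bin_edges) + 1)
        for s in scores:
            counts[bisect.bisect_right(bin_edges, s)] += 1
        return [max(c / len(scores), eps) for c in counts]

    base, cur = distribution(baseline), distribution(current)
    return sum((c - b) * math.log(c / b) for b, c in zip(base, cur))


def accuracy(predictions: Sequence[int], actuals: Sequence[int]) -> float:
    correct = sum(1 for p, a in zip(predictions, actuals) if p == a)
    return correct / len(actuals)


def monitor(validated_accuracy: float, recent_predictions: Sequence[int],
            recent_actuals: Sequence[int], validation_scores: Sequence[float],
            recent_scores: Sequence[float], bin_edges: Sequence[float]) -> Dict:
    """Compare the recent window with the validated baseline and return the
    findings plus the action they imply (ok / investigate / revalidate)."""
    findings: List[Tuple[str, float, str]] = []
    acc = accuracy(recent_predictions, recent_actuals)
    if acc < validated_accuracy - ACCURACY_TOLERANCE:
        findings.append(("accuracy", acc, "revalidate"))
    psi = population_stability_index(validation_scores, recent_scores, bin_edges)
    if psi >= PSI_REVALIDATE:
        findings.append(("psi", psi, "revalidate"))
    elif psi >= PSI_INVESTIGATE:
        findings.append(("psi", psi, "investigate"))
    if any(action == "revalidate" for _, _, action in findings):
        status = "revalidate"
    elif findings:
        status = "investigate"
    else:
        status = "ok"
    return {"accuracy": acc, "psi": psi, "findings": findings, "status": status}


# Constructed sample data (not real scores or outcomes).
BIN_EDGES = [0.2, 0.4, 0.6, 0.8]
VALIDATION_SCORES = [i / 100 for i in range(100)]                 # spread evenly over the bins
DRIFTED_SCORES = [min(0.99, i / 100 + 0.3) for i in range(100)]   # population has shifted upward
RECENT_ACTUALS = [1 if i % 2 == 0 else 0 for i in range(20)]
RECENT_PREDICTIONS = [a if i < 16 else 1 - a for i, a in enumerate(RECENT_ACTUALS)]  # 16 of 20 correct


def run_sample_monitor() -> Dict:
    """Run the check on the constructed sample with a validated accuracy of 0.90."""
    return monitor(0.90, RECENT_PREDICTIONS, RECENT_ACTUALS,
                   VALIDATION_SCORES, DRIFTED_SCORES, BIN_EDGES)


if __name__ == "__main__":
    result = run_sample_monitor()
    print(f"accuracy={result['accuracy']:.2f} psi={result['psi']:.2f} status={result['status']}")
    for metric, value, action in result["findings"]:
        print(f"  {metric}: {value:.3f} -> {action}")
```

The monitor's output is what feeds the model change management and model risk reporting controls: a "revalidate" status means the model is outside its validated scope until an independent review clears it.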
MAS: Singapore
MAS FEAT principles establish Singapore's AI controls baseline: Fairness controls (demographic disparity testing for AI decisions affecting customers); Ethics controls (review process for AI use cases to ensure ethical alignment); Accountability controls (documented responsibility for AI systems and outcomes); and Transparency controls (explainability of AI decisions to customers and MAS). The Veritas Consortium's assessment methodology provides the technical framework for implementing FEAT controls in credit and marketing AI.
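The demographic outcome monitoring the FCA section calls for (outcome rates and complaints across customer segments) and the MAS fairness control (demographic disparity testing) need the same detective logic, so one added example serves both. This is illustrative code, not from the article, the FCA, MAS or the Veritas methodology: it runs over a constructed decision log, reports per-segment favourable-outcome and complaint rates, and flags any segment whose favourable-outcome rate falls below an assumed ratio of the best-performing segment's rate. The 0.8 ratio, the minimum sample size and the segment labels are assumptions for the example.

```python
"""Demographic outcome monitoring for AI-driven customer decisions.

Added example, not from the original article or any regulator's material.
The 0.8 minimum ratio and the minimum sample size are assumed thresholds.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


@dataclass(frozen=True)
class Decision:
    decision_id: str
    segment: str      # demographic or customer segment label
    favourable: bool  # approved / claim accepted / standard terms offered
    complaint: bool   # a complaint was logged against this decision


class SegmentRates(NamedTuple):
    count: int
    favourable_rate: float
    complaint_rate: float


# Constructed sample log (not real data): segment A does well, segment B is
# approved less often and attracts complaints, segment C is too small to judge.
SAMPLE_DECISIONS: List[Decision] = (
    [Decision(f"A{i}", "A", i < 8, False) for i in range(10)]
    + [Decision(f"B{i}", "B", i < 5, i in (5, 6)) for i in range(10)]
    + [Decision(f"C{i}", "C", False, False) for i in range(3)]
)


def segment_rates(decisions: List[Decision]) -> Dict[str, SegmentRates]:
    """Per-segment volume, favourable-outcome rate and complaint rate."""
    counts: Dict[str, int] = defaultdict(int)
    favourable: Dict[str, int] = defaultdict(int)
    complaints: Dict[str, int] = defaultdict(int)
    for d in decisions:
        counts[d.segment] += 1
        favourable[d.segment] += int(d.favourable)
        complaints[d.segment] += int(d.complaint)
    return {
        seg: SegmentRates(counts[seg], favourable[seg] / counts[seg], complaints[seg] / counts[seg])
        for seg in counts
    }


def disparity_report(decisions: List[Decision], min_ratio: float = 0.8,
                     min_count: int = 5) -> Dict:
    """Flag segments whose favourable-outcome rate is below min_ratio times the
    best segment's rate. Segments with fewer than min_count decisions are
    reported separately rather than compared, so a tiny sample neither hides
    nor manufactures a disparity."""
    rates = segment_rates(decisions)
    assessable = {seg: r for seg, r in rates.items() if r.count >= min_count}
    insufficient = sorted(seg for seg in rates if seg not in assessable)
    reference = max((r.favourable_rate for r in assessable.values()), default=0.0)
    flagged = []
    for seg, r in sorted(assessable.items()):
        ratio = r.favourable_rate / reference if reference else 0.0
        if ratio < min_ratio:
            flagged.append({
                "segment": seg,
                "favourable_rate": r.favourable_rate,
                "ratio": ratio,
                "complaint_rate": r.complaint_rate,
            })
    return {
        "rates": rates,
        "reference_rate": reference,
        "flagged": flagged,
        "insufficient_sample": insufficient,
    }


if __name__ == "__main__":
    report = disparity_report(SAMPLE_DECISIONS)
    for seg, r in sorted(report["rates"].items()):
        print(f"{seg}: n={r.count} favourable={r.favourable_rate:.2f} complaints={r.complaint_rate:.2f}")
    for f in report["flagged"]:
        print(f"FLAG {f['segment']}: {f['ratio']:.3f} of reference rate {report['reference_rate']:.2f}")
    if report["insufficient_sample"]:
        print("insufficient sample:", ", ".join(report["insufficient_sample"]))
```

A flagged segment is a trigger for investigation, not a finding of unfairness in itself: the follow-up is to check whether legitimate risk factors explain the gap, and to record that analysis as the evidence the FCA's Consumer Duty and MAS's accountability principle ask for.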
A unified controls architecture
Financial services firms operating across multiple jurisdictions should design a unified AI controls architecture that satisfies the requirements of each relevant regulator. The good news: there is substantial overlap. All major financial services regulatory frameworks expect: an AI model inventory; pre-deployment validation; ongoing performance monitoring; demographic bias testing; incident response; and board-level oversight. A controls framework designed to meet all of these requirements simultaneously — with jurisdiction-specific documentation as needed — is more efficient than building separate frameworks for each regulator.