AI Governance in Financial Services: The Complete 2026 Compliance Map
Banks, insurers, asset managers and fintechs face AI governance obligations from prudential regulators, conduct regulators, and the EU AI Act simultaneously. This is the integrated compliance map senior executives need.
Key Takeaways
Financial services firms face AI governance obligations from three distinct regulatory layers simultaneously: prudential regulators (APRA, ECB, PRA), conduct regulators (ASIC, FCA, SEC), and horizontal AI regulation (EU AI Act, national AI laws).
The EU AI Act classifies AI used to evaluate the creditworthiness of natural persons or establish their credit score (Annex III, point 5(b), excluding systems used to detect financial fraud), AI used for risk assessment and pricing in life and health insurance (point 5(c)), and AI used in recruitment and employment decisions (point 4) as high-risk. Firms deploying these systems carry deployer obligations under the Act that run in parallel with, and do not replace, existing sector-specific requirements.
Model risk management frameworks (SR 11-7 in the US, equivalent guidance from APRA and ECB) apply to ML and AI models, but most firms have not extended their model governance to cover modern AI architectures.
The conduct dimension of AI governance — whether AI systems produce fair outcomes for consumers — is increasingly the primary lens of financial services regulators, not technical compliance.
Third-party AI risk is the largest unmanaged exposure: most financial services AI sits in vendor systems, and deployer liability under the EU AI Act cannot be contracted away to the vendor.
For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for guidance on your specific situation.
The three-layer compliance architecture
Financial services AI governance is not a single compliance problem — it is three overlapping compliance problems that interact in complex ways. Layer one is prudential regulation: central banks and prudential supervisors expect AI to be governed within existing operational risk, model risk, and technology risk frameworks. Layer two is conduct regulation: financial conduct authorities expect AI to produce fair outcomes for consumers and to comply with consumer protection obligations. Layer three is horizontal AI regulation: the EU AI Act and emerging national AI laws create standalone obligations that apply regardless of sector-specific frameworks.
The challenge for senior compliance executives is that these three layers are governed by different regulatory bodies, use different frameworks and terminology, and are enforced through different examination and enforcement processes. A firm that manages each layer in isolation, as separate compliance workstreams, will inevitably have gaps at the intersections. The EU AI Act creates deployer obligations that are separate from APRA model risk obligations, but they apply to the same AI system. A credit scoring model must simultaneously satisfy APRA's model validation requirements, ASIC's responsible lending obligations, and the EU AI Act's high-risk AI requirements if the system is placed on the EU market or its output is used in the EU, regardless of where the deploying firm is established.
Credit and lending AI: the highest-risk use case
AI in credit and lending decisions sits at the intersection of all three regulatory layers simultaneously and has attracted the most enforcement attention globally. Prudential regulators require model validation, documentation, and risk appetite governance. Conduct regulators require fair treatment, explainability, and accessible dispute resolution. The EU AI Act classifies AI used to evaluate the creditworthiness of natural persons or establish their credit score as high-risk: the provider must carry out a conformity assessment and maintain technical documentation, and the deploying firm must use the system in line with the provider's instructions, assign human oversight to staff with the competence and authority to override it, monitor its operation, keep the logs it generates, report serious incidents, and, because credit scoring is an Annex III point 5(b) use case, complete a fundamental rights impact assessment before putting the system into use.
The specific governance requirements for credit AI in 2026: the model must be validated by parties independent of the development team; the validation must specifically test for demographic disparities in outcomes; the model's decision logic must be explainable to the customer and to the regulator on demand; there must be a human oversight mechanism that allows meaningful review of automated decisions; and the firm must have an incident response plan for material model failures. Most firms satisfy some of these requirements. Few satisfy all of them for every model in production.
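One concrete form of the "test for demographic disparities in outcomes" step above is a selection-rate comparison across protected groups. The following is an added example, not code from the article or from any regulator it cites: it computes approval rates per group from a decision log, expresses each group's rate as a ratio to the best-performing group, and flags groups below a threshold. The four-fifths (0.8) threshold, the minimum group size, and the decision log are assumptions chosen for illustration; a validation team would set the threshold and sample requirements from its own policy.

```python
"""Outcome-disparity check for a credit decision model (added example)."""
from collections import defaultdict
from typing import Iterable

# Constructed decision log: (protected-group label, approved?). Group A is
# approved 8/10, group B 5/10, and group C has too few records to assess.
SAMPLE_DECISIONS = [
    ("A", True), ("A", True), ("A", True), ("A", True), ("A", False),
    ("A", True), ("A", True), ("A", True), ("A", False), ("A", True),
    ("B", True), ("B", False), ("B", False), ("B", True), ("B", False),
    ("B", True), ("B", False), ("B", True), ("B", False), ("B", True),
    ("C", True), ("C", False), ("C", True),
]

# Assumed policy parameters, not figures from the article.
DISPARATE_IMPACT_THRESHOLD = 0.8   # "four-fifths" selection-rate rule
MIN_GROUP_SIZE = 5                 # below this, a rate is not reportable


def selection_rates(decisions: Iterable[tuple[str, bool]]) -> dict[str, tuple[float, int]]:
    """Return {group: (approval_rate, sample_size)} for every group seen."""
    counts: dict[str, list[int]] = defaultdict(lambda: [0, 0])  # [approved, total]
    for group, approved in decisions:
        counts[group][1] += 1
        if approved:
            counts[group][0] += 1
    return {g: (approved / total, total) for g, (approved, total) in counts.items()}


def disparity_report(decisions, threshold=DISPARATE_IMPACT_THRESHOLD,
                     min_group_size=MIN_GROUP_SIZE) -> dict:
    """Compare each group's approval rate with the highest-rate group.

    Groups below min_group_size are listed as 'too_small' rather than
    flagged or cleared, so a thin sample is never read as a clean result.
    """
    rates = selection_rates(decisions)
    assessable = {g: r for g, (r, n) in rates.items() if n >= min_group_size}
    too_small = sorted(g for g, (_, n) in rates.items() if n < min_group_size)
    best = max(assessable.values(), default=0.0)
    # If no assessable group approves anyone there is no reference rate;
    # treat every group as at parity rather than divide by zero.
    ratios = {g: (r / best if best > 0 else 1.0) for g, r in assessable.items()}
    flagged = sorted(g for g, ratio in ratios.items() if ratio < threshold)
    return {
        "rates": {g: r for g, (r, _) in rates.items()},
        "ratios": ratios,
        "flagged": flagged,
        "too_small": too_small,
    }


if __name__ == "__main__":
    report = disparity_report(SAMPLE_DECISIONS)
    for group, ratio in sorted(report["ratios"].items()):
        status = "FLAG" if group in report["flagged"] else "ok"
        print(f"group {group}: rate={report['rates'][group]:.2f} ratio={ratio:.3f} {status}")
    print("insufficient data:", report["too_small"])
```

The report deliberately separates "flagged" from "too_small": a group with three applicants cannot clear a disparity test, and a validator who silently drops such groups produces evidence that looks cleaner than it is. The same structure extends to other outcome measures (interest rate offered, credit limit granted) by swapping the boolean for a numeric outcome and comparing group means.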
Insurance AI: pricing, underwriting, and the discrimination risk
Insurance AI governance has two distinct risk dimensions. The first is discriminatory pricing: AI systems that charge higher premiums to protected groups, either directly or through proxy variables correlated with protected characteristics. Regulators in the UK (FCA), Australia (ASIC), and multiple US states have taken enforcement action against discriminatory insurance pricing, and the EU AI Act's prohibition on biometric categorisation systems that infer protected characteristics such as race, religion or sexual orientation from biometric data overlaps with some insurance AI use cases. The second risk dimension is claims AI: automated claims assessment systems that systematically under-settle or delay valid claims. This is active enforcement territory for insurance conduct regulators.
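The proxy-variable risk described above can be screened for before a pricing model is built. The following is an added example, not code from the article or from any regulator it cites: it measures the association between each candidate pricing feature and a protected characteristic using Cramér's V, computed from a chi-square contingency table, and flags features whose association exceeds a threshold as candidate proxies for human review. The policyholder records, the feature names, and the 0.5 flagging threshold are constructed for illustration.

```python
"""Proxy-variable scan for an insurance pricing feature set (added example)."""
import math
from collections import Counter

# Constructed policyholder records. "group" stands in for a protected
# characteristic the model must not price on, directly or by proxy.
# "postcode" is built to track the group closely; "vehicle" is independent.
SAMPLE_RECORDS = [
    {"group": "A", "postcode": "P1", "vehicle": "sedan"},
    {"group": "A", "postcode": "P1", "vehicle": "suv"},
    {"group": "A", "postcode": "P1", "vehicle": "sedan"},
    {"group": "A", "postcode": "P2", "vehicle": "suv"},
    {"group": "A", "postcode": "P1", "vehicle": "sedan"},
    {"group": "A", "postcode": "P1", "vehicle": "suv"},
    {"group": "B", "postcode": "P2", "vehicle": "sedan"},
    {"group": "B", "postcode": "P2", "vehicle": "suv"},
    {"group": "B", "postcode": "P2", "vehicle": "sedan"},
    {"group": "B", "postcode": "P1", "vehicle": "suv"},
    {"group": "B", "postcode": "P2", "vehicle": "sedan"},
    {"group": "B", "postcode": "P2", "vehicle": "suv"},
]

PROXY_THRESHOLD = 0.5  # assumed review threshold, not a regulatory figure


def cramers_v(pairs: list[tuple[str, str]]) -> float:
    """Cramér's V (0 = independent, 1 = perfectly associated) for categorical pairs."""
    n = len(pairs)
    if n == 0:
        return 0.0
    joint = Counter(pairs)
    xs = Counter(x for x, _ in pairs)
    ys = Counter(y for _, y in pairs)
    # Pearson chi-square over the full contingency table; expected counts
    # are always > 0 because every row and column label comes from the data.
    chi2 = 0.0
    for x, nx in xs.items():
        for y, ny in ys.items():
            expected = nx * ny / n
            observed = joint.get((x, y), 0)
            chi2 += (observed - expected) ** 2 / expected
    k = min(len(xs), len(ys))
    if k < 2:
        return 0.0  # a constant column carries no information about the other
    return math.sqrt(chi2 / (n * (k - 1)))


def scan_for_proxies(records: list[dict], protected: str = "group",
                     threshold: float = PROXY_THRESHOLD) -> tuple[dict[str, float], list[str]]:
    """Score every non-protected feature against the protected attribute.

    Returns ({feature: V}, [features at or above threshold]). A flagged
    feature is a candidate proxy to be justified or removed, not proof of
    discrimination on its own.
    """
    features = [k for k in records[0] if k != protected]
    scores = {
        f: cramers_v([(r[f], r[protected]) for r in records]) for f in features
    }
    flagged = sorted(f for f, v in scores.items() if v >= threshold)
    return scores, flagged


if __name__ == "__main__":
    scores, flagged = scan_for_proxies(SAMPLE_RECORDS)
    for feature, v in sorted(scores.items()):
        print(f"{feature}: V={v:.3f}" + ("  <- candidate proxy" if feature in flagged else ""))
```

In the constructed data the postcode column is five-sixths aligned with the protected group, so it scores well above the threshold, while vehicle type scores zero. Real portfolios rarely give such a clean split, and a feature that clears this screen can still act as a proxy in combination with others, which is why the scan complements, rather than replaces, the outcome-level disparity testing that conduct regulators expect.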
Asset management AI: from algorithmic trading to AI-generated advice
Asset managers face AI governance obligations across the investment lifecycle. Algorithmic trading systems have been subject to market conduct oversight for a decade, but the governance frameworks have not kept pace with the complexity of modern ML-based trading strategies. AI in investment research and analysis creates new questions about the reliability of AI-generated insights and the liability for recommendations based on them. AI-generated client communications and personalised advice create consumer protection obligations that most firms have not fully mapped. The combination of MiFID II obligations in Europe, ASIC and APRA obligations in Australia, and SEC oversight in the US creates a complex cross-border compliance environment for global asset managers.