What Financial Services Regulators Actually Want on AI Governance in 2026
The gap between what financial services regulators say in guidance documents and what they actually look for in examinations and enforcement actions is significant. Based on regulatory engagement across APRA, FCA, MAS, and ACPR, here is what actually matters.
Key Takeaways
Financial services regulators in 2026 are conducting AI-specific thematic reviews — no longer asking 'do you use AI' but 'show us how you govern the AI you use'. The level of specificity required has increased significantly.
The single most common finding in AI governance examinations is the gap between documented governance and operational reality — policies that exist but are not being applied to actual AI deployment decisions.
APRA's approach: model risk management through CPG 234 and operational risk prudential standards. The examination asks for evidence that AI models are validated, monitored, and within approved risk appetite.
The FCA's approach: consumer outcomes focus — AI governance is assessed through the Consumer Duty lens, asking whether AI systems produce fair outcomes for consumers rather than whether the AI policy document is comprehensive.
MAS's approach: principles-based but increasingly specific — the November 2025 consultation on AI risk management guidelines signals mandatory obligations for all financial institutions, moving beyond voluntary frameworks.
"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific guidance."
What regulators say versus what they examine
Regulatory guidance documents on AI governance tend to be principle-based and comprehensive — they cover the full landscape of AI governance considerations and create the impression that demonstrating compliance requires a correspondingly comprehensive governance programme. The reality of regulatory examination is more specific and more operational than the guidance suggests. Regulators are not reading your AI governance policy document and checking it against a framework. They are asking specific questions and looking for specific evidence.
The most consistent examination question across all major financial services regulators is some version of: walk me through how your organisation decided to deploy [specific AI system] and how you governed that deployment. The answer they are looking for is not a description of your governance framework — it is a specific account of the specific decisions made about the specific system, who made them, what they were based on, and how the system has been monitored since deployment.
APRA: model risk as the primary lens
APRA's approach to AI governance in financial institutions is primarily through the model risk management lens, applied through CPG 234 (Information Security) and the operational risk prudential standards. APRA examiners ask for the model inventory, select individual models for deep review, and examine the model development, validation, and monitoring documentation for those models. The specific examination points: Is the model within the approved model risk appetite? Was it validated by someone independent of the development team? Is performance being monitored against defined thresholds? Is there a model owner with documented accountability? What is the process for model updates and when does a material update require revalidation?
The common APRA finding is not that organisations have no model governance — it is that model governance exists for traditional statistical models but has not been extended to ML and AI systems on the same terms. The ML model used for fraud detection was built by the data science team, is monitored by the data science team, and does not have a model owner in the risk management sense. APRA's view is that the risk management requirements apply equally regardless of model complexity.