
AI governance in financial services.

Banking, insurance, asset management, and capital markets have governed quantitative models for decades. AI does not replace that discipline; it extends it. Most of the work is bridging existing model risk management practice to AI-specific characteristics.

The regulatory landscape

Financial services AI governance is being shaped simultaneously by general AI regulation and by prudential regulators extending existing model risk frameworks to AI. The result is denser regulation than most sectors, but also more familiar regulation: the conceptual scaffolding has existed for years.

  • EU AI Act: AI used in credit scoring, life and health insurance pricing, and similar consequential financial decisions is classified as high-risk. The Act applies cumulatively with sectoral financial services regulation.
  • SR 26-2 (US Federal Reserve / OCC / FDIC): the revised model risk management guidance issued April 2026, superseding SR 11-7 (2011). Preserves core principles — conceptual soundness, independent validation, governance — with updated expectations for AI/ML characteristics including model opacity, distributional shift, and emergent behaviour.
  • PRA SS1/23 (UK): the Prudential Regulation Authority's supervisory statement on model risk management for banks, with principles broadly aligned to SR 11-7 and explicit consideration of machine learning models.
  • APRA CPG 234 (Australia): the prudential standard on information security, with increasing focus on AI as a category of operational risk that requires equivalent governance.
  • MAS guidelines (Singapore): principles-based guidance on responsible AI use in financial services, treated by many MAS-regulated entities as a compliance baseline.
  • Consumer credit and insurance regulation: anti-discrimination obligations apply to AI used in credit and insurance decisions, with regulatory enforcement attention growing.

Where existing model risk frameworks need extension

Financial services firms with mature model risk management functions have most of what they need to govern AI. The gaps are specific and addressable.

  1. Conceptual soundness assessment for opaque models: traditional validation reads model logic. ML model validation requires interpretability techniques: SHAP values, feature importance, partial dependence plots, adversarial testing. Validation teams need new tooling and skills.
  2. Continuous monitoring infrastructure for distributional shift: AI model performance can degrade rapidly when input distributions change. Periodic review is inadequate; automated monitoring with defined intervention triggers is required.
  3. Fairness testing across demographic subgroups: aggregate performance metrics can hide significant performance differences for minority groups. Subgroup analysis is now a standard expectation.
  4. Vendor AI risk management: AI components embedded in vendor-supplied platforms require diligence that traditional vendor risk assessment does not capture.

Financial services AI guidance

Questions prudential regulators are asking

Based on supervisory guidance from the Federal Reserve, PRA, APRA, and MAS, these are the AI governance questions regulated financial institutions should be prepared to answer.

  1. Do you maintain a model inventory that includes AI and ML systems, with risk tiering and validation status for each?
  2. For credit and underwriting AI, have you conducted subgroup performance analysis across protected characteristic proxies — postcode, age, occupation?
  3. What is your process for detecting and responding to distributional shift in production AI models?
  4. Have AI vendor contracts been reviewed for EU AI Act deployer obligation alignment — audit rights, change notification, incident reporting?
  5. What monitoring infrastructure do you have for AI systems that inform consequential financial decisions?
  6. Has your validation function developed the ML-specific capabilities required to validate complex model architectures — interpretability tooling, adversarial testing, fairness analysis?
  7. For AI used in consumer credit decisions, can you provide a compliant adverse action explanation when AI significantly influenced a decline?
