A financial services AI policy must cover model risk management requirements under SR 11-7, fair lending obligations for credit AI, employee data handling requirements, third-party AI vendor oversight, and documentation standards for regulatory examinations.
Why AI Policy Is Different for Financial Services
Financial services is one of the most heavily regulated industries in the world, and AI introduces new dimensions of risk that existing regulatory frameworks are still adapting to address. Unlike many industries where AI governance is primarily a matter of best practice, financial institutions face explicit regulatory requirements that mandate specific governance controls for AI and machine learning systems.
The Federal Reserve's SR 11-7 guidance on model risk management applies directly to AI and ML models used in financial decision-making. The OCC, FDIC, and state banking regulators all reference SR 11-7 when examining financial institution AI practices. The CFPB has issued guidance on AI in consumer lending that addresses fair lending obligations, adverse action notice requirements, and explainability standards. The SEC has proposed rules on AI use by broker-dealers and investment advisors. Financial institutions must build AI policies that satisfy all of these overlapping requirements simultaneously.
Financial services also faces unique AI risks related to systemic stability. When AI models drive trading strategies, credit decisions, or risk assessments across multiple institutions, correlated failures can create systemic risk that regulators are acutely focused on preventing. AI policies in financial services must address not only institutional risk but also the broader systemic implications of AI adoption.
For a broader overview of AI governance applicable across industries, see our complete guide to AI policy and governance.
Top Risks Financial Services Organizations Face with AI
Financial institutions deploying AI face a risk landscape shaped by regulatory intensity, data sensitivity, and the high-consequence nature of financial decisions.
| Risk Category | Description | Financial Services Impact |
|---|---|---|
| Model risk | AI models producing inaccurate outputs for credit, trading, or risk decisions | Financial losses, regulatory enforcement, MRA/MRIA findings |
| Fair lending violations | AI credit models producing disparate outcomes across protected classes | CFPB enforcement, DOJ referrals, consent orders, reputational damage |
| Data privacy violations | Customer financial data exposed through AI tool usage | GLBA violations, state privacy law penalties, customer notification costs |
| Regulatory examination failure | Inability to produce adequate AI documentation during examinations | MRAs, consent orders, increased examination scrutiny, growth restrictions |
| Third-party AI vendor risk | Inadequate oversight of AI vendors processing customer data or making decisions | OCC third-party risk management violations, concentration risk, business continuity exposure |
The most consequential risk for financial institutions is regulatory examination failure. Unlike many industries where the consequences of governance gaps are theoretical until a breach occurs, financial institutions face regular examinations where examiners actively probe AI governance practices. A financial institution that cannot produce documented AI policies, model validation records, and risk assessments during an examination will receive matters requiring attention or matters requiring immediate attention findings that can restrict business activities and trigger enhanced supervisory oversight.
What Regulators Expect from Financial Services AI Programs
Financial services regulators have set clear expectations for AI governance programs, drawing on existing frameworks and supplementing them with AI-specific guidance. Understanding these expectations is essential for building a policy that satisfies examiners.
SR 11-7 requires financial institutions to maintain a model risk management framework that covers the entire model lifecycle from development through deployment, monitoring, and retirement. For AI and ML models, this means documenting the training data, model architecture, validation methodology, performance metrics, and ongoing monitoring procedures. The framework must include independent model validation by qualified personnel who were not involved in model development.
The CFPB expects financial institutions using AI in consumer lending to comply with the Equal Credit Opportunity Act and Fair Housing Act. This means institutions must be able to explain AI credit decisions in terms that satisfy adverse action notice requirements, test AI models for disparate impact across protected classes, and maintain documentation that demonstrates fair lending compliance. The CFPB has signaled that using complex AI models does not relieve institutions of their obligation to provide specific and accurate reasons for adverse credit decisions.
The OCC's third-party risk management guidance requires financial institutions to conduct due diligence, ongoing monitoring, and risk assessment of AI vendors that perform critical activities. This includes assessing the vendor's data security practices, model risk management capabilities, business continuity plans, and compliance with applicable regulations. Financial institutions cannot outsource their regulatory obligations to AI vendors.
Build examination-ready AI policies for your financial institution. PolicyGuard provides financial services AI policy templates aligned with SR 11-7, CFPB guidance, and OCC requirements, plus automated documentation that keeps you examination-ready year-round. Request a demo today.
PolicyGuard helps companies like yours get AI governance documentation audit-ready in 48 hours or less.
Start free trial →Building an AI Policy for Financial Services
A financial services AI policy must be comprehensive enough to satisfy regulators while practical enough that employees follow it. The following framework addresses the key requirements that examiners look for.
Section 1: Model risk management for AI and ML. Establish a clear model risk management framework that addresses AI-specific challenges. Define what constitutes a model under your framework, ensuring that AI and ML systems are included regardless of whether they are developed internally or provided by vendors. Document the model inventory process, including how new AI models are identified, classified, and registered. Define validation requirements that address AI-specific concerns such as training data quality, algorithmic bias, concept drift, and explainability. Establish ongoing monitoring requirements that include performance metrics, threshold alerts, and periodic revalidation schedules.
Section 2: Fair lending and consumer protection. Define specific requirements for AI models used in consumer lending or credit decisions. Require disparate impact testing before deployment and at regular intervals. Document the methodology for generating adverse action reasons from AI model outputs. Establish procedures for responding to fair lending complaints involving AI decisions. Define the escalation process when testing reveals potential disparate impact.
Section 3: Data handling and privacy. Define data classification requirements for financial data used in AI systems. Establish controls for customer data, including the Gramm-Leach-Bliley Act requirements for nonpublic personal information. Specify which data classifications can be used with which AI tools and under what conditions. Address data retention, deletion, and portability requirements specific to AI systems. Define requirements for data used in model training, including customer consent and anonymization standards.
Section 4: Third-party AI vendor management. Establish a vendor assessment framework for AI providers that aligns with OCC third-party risk management guidance. Define due diligence requirements for new AI vendors, including security assessments, financial stability reviews, and regulatory compliance evaluations. Specify ongoing monitoring requirements including performance reviews, security assessments, and contractual compliance checks. Address concentration risk by tracking dependencies on individual AI vendors across the organization.
Section 5: Documentation and examination readiness. Define documentation standards that satisfy regulatory examination requirements. Specify what documentation must be maintained for each AI model, including development documentation, validation reports, ongoing monitoring records, and change management logs. Establish document retention periods that meet regulatory requirements. Create an examination preparation playbook that defines what documentation should be readily available and who is responsible for producing it during examinations.
How to Monitor AI Compliance in Financial Services
Monitoring AI compliance in financial services requires a combination of model-specific monitoring, enterprise-wide oversight, and examination readiness procedures that operate continuously rather than being activated only before examinations.
Model performance monitoring: Implement continuous monitoring for all AI models used in financial decision-making. Track model accuracy, stability, and fairness metrics against predefined thresholds. Configure automated alerts when performance degrades or when metrics approach threshold boundaries. Conduct formal model performance reviews on a schedule determined by the model's risk classification, with higher-risk models reviewed more frequently.
Fair lending monitoring: Run disparate impact analyses on AI credit models at least quarterly and whenever model updates are deployed. Compare approval rates, pricing, and terms across protected classes. Document the results and any remediation actions taken. Maintain a fair lending monitoring log that demonstrates continuous compliance to examiners.
Employee AI usage monitoring: Track which AI tools employees are using, what data is being processed, and whether usage patterns align with approved use cases. Financial institutions should pay particular attention to AI tool usage by employees with access to material nonpublic information, customer financial data, and trading systems. Implement technical controls that prevent data classified above approved levels from being entered into AI tools.
Vendor monitoring: Conduct ongoing oversight of AI vendors that includes regular performance assessments, security reviews, and compliance verification. Track vendor-reported incidents, service level agreement compliance, and any changes to the vendor's data handling practices. Review vendor AI model updates for potential impact on your institution's compliance obligations.
Examination preparation: Maintain a standing examination readiness package that includes the current AI policy, model inventory, validation reports, monitoring records, fair lending analyses, vendor assessments, training records, and incident reports. Update this package monthly so that examination preparation is a matter of packaging existing documentation rather than creating it under time pressure.
FAQs
Does SR 11-7 apply to all AI tools used by financial institutions?
SR 11-7 applies to models used in financial decision-making, risk management, and compliance processes. General productivity AI tools like email assistants or meeting summarizers typically fall outside SR 11-7 scope, though they still require governance under the institution's broader information security and data handling frameworks. The key determination is whether the AI tool's output influences financial decisions, risk assessments, or compliance determinations. When in doubt, financial institutions should err on the side of inclusion and apply model risk management principles to any AI tool that could materially affect institutional risk or customer outcomes.
How should financial institutions handle AI adverse action notices?
Financial institutions must provide specific and accurate reasons for adverse credit decisions, even when those decisions are informed by AI models. The CFPB has made clear that using a complex AI model does not excuse vague or generic adverse action reasons. Institutions should implement AI explainability methods that can identify the principal factors driving adverse decisions for individual applicants. These factors must be translated into clear, specific reasons that consumers can understand and act upon. Document the methodology used to generate adverse action reasons and validate that the reasons accurately reflect the model's decision logic.
What model validation is required for AI in financial services?
AI model validation in financial services must be performed by qualified personnel independent of the model development team. Validation should assess conceptual soundness, data quality, model performance, outcome analysis, and ongoing monitoring effectiveness. For AI and ML models specifically, validation should also address training data representativeness, algorithmic bias potential, model stability over time, and explainability. Validation frequency depends on model risk classification, with high-risk models validated annually and medium-risk models validated every eighteen to twenty-four months. Any material model change triggers a revalidation requirement regardless of the scheduled timeline.
How should financial institutions manage third-party AI vendors?
Financial institutions must apply their third-party risk management framework to AI vendors, with enhanced due diligence for vendors performing critical activities. The initial assessment should cover the vendor's security posture, financial stability, regulatory compliance, model risk management practices, and business continuity capabilities. Contracts should include data handling requirements, audit rights, incident notification obligations, and performance standards. Ongoing monitoring should include regular performance reviews, security assessments, and verification that the vendor's practices remain aligned with the institution's regulatory obligations. Institutions should also assess concentration risk across AI vendors and develop contingency plans for vendor failure or service disruption.
What documentation should financial institutions maintain for AI regulatory examinations?
Financial institutions should maintain a comprehensive documentation package for each AI model that includes the model development documentation covering training data, methodology, and assumptions. The validation report with findings and remediation actions. Ongoing monitoring records including performance metrics, threshold breaches, and investigation results. Change management logs documenting all model updates and their rationale. Fair lending analysis results for consumer-facing models. Third-party vendor assessment records for externally sourced AI models. Training records demonstrating that model users and validators are appropriately qualified. Incident reports for any model failures, unexpected outputs, or compliance events. This documentation should be organized by model and maintained in a centralized repository that can be accessed quickly during examinations.
