Regulating AI in Financial Services: Governance, Risk, and Compliance

The AI Transformation Reshaping Financial Services

Regulating AI in financial services has become one of the most pressing challenges facing policymakers and supervisors worldwide. As artificial intelligence permeates every layer of banking, insurance, and capital markets, the scale of adoption has reached a tipping point that demands clear governance frameworks. According to the Bank for International Settlements (BIS) Financial Stability Institute, financial sector AI spending reached USD 35 billion in 2023 and is projected to surge to USD 97 billion by 2027 — a nearly threefold increase that underscores the urgency of getting regulation right.

The launch of ChatGPT in late 2022 accelerated an already vigorous adoption cycle. McKinsey estimates that generative AI alone could add USD 200 to 340 billion annually to the global banking sector, representing 2.7% to 4.7% of total industry revenues. JPMorgan Chase has estimated USD 1 to 1.5 billion in value from AI deployment through productivity gains and cost reduction, while DBS Singapore reports over 800 AI models deployed across 350 use cases with an estimated economic impact exceeding SGD 1 billion in 2025.

Yet financial institutions remain cautious about deploying generative AI in customer-facing and high-risk activities. The reasons are threefold: uncertainty about customer acceptance of AI-mediated interactions, growing dependence on a concentrated set of third-party AI providers, and above all, regulatory uncertainty about how supervisors will treat AI-driven processes. This caution is warranted — the stakes of getting AI governance wrong in financial services extend beyond individual firms to the stability of the entire financial system.

Key AI Use Cases in Banking and Insurance

Understanding the regulatory challenge requires examining how financial institutions actually deploy AI today. The most mature use cases fall into three categories: customer engagement, risk detection, and underwriting — each carrying distinct regulatory implications for how we approach regulating AI in financial services.

Customer support and engagement represent the most visible AI deployment. Bank of America’s virtual assistant Erica has processed over 1.5 billion interactions with more than 37 million clients. Bradesco’s chatbot handles 283,000 questions monthly with 95% accuracy. In Asia, Ping An’s AI representatives managed approximately 870 million interactions in the first half of 2024, covering 80% of customer service queries. According to the Consumer Financial Protection Bureau, 37% of the US population interacted with a bank chatbot in 2022, and Forrester estimates these tools reduce human interaction handle time by up to 30%.

Fraud detection and anti-money laundering is where AI delivers some of its most compelling risk-management value. HSBC’s AI-powered AML tool identifies two to four times more suspicious activities than its previous system while simultaneously reducing false-positive alerts by 60%. Financial institutions globally use machine learning models to detect payment anomalies, identity fraud, and sanctions evasion in real time. With the Financial Action Task Force emphasizing technology-enabled compliance, AI has become central to meeting regulatory expectations in this domain.

Credit and insurance underwriting represents the highest-stakes AI deployment from a regulatory perspective. Machine learning models now evaluate creditworthiness using alternative data sources beyond traditional credit scores, and insurers use AI to process unstructured data for risk assessment and claims handling. The RGA 2024 survey found that 48% of surveyed insurers have already suffered AI-related fraud involving deepfakes and falsified records — highlighting both the promise and peril of automation in underwriting decisions that directly affect consumers’ financial lives.

How AI Amplifies Risk Across the Financial Sector

A critical insight from the BIS FSI analysis is that AI does not introduce fundamentally new risks to financial services — instead, it amplifies and accelerates existing ones. This distinction matters enormously for regulatory design because it suggests that existing frameworks may already capture most AI-related risks, requiring targeted enhancements rather than entirely new regulatory architectures.

Microprudential risks intensify across multiple dimensions. Model risk increases because AI systems, particularly deep learning and generative models, lack the transparency of traditional statistical models. Hallucination rates in large language models range from 1.4% to 4.2%, meaning that for every hundred outputs, up to four may contain fabricated information — a dangerous flaw in financial decision-making contexts. Credit risk may increase if AI models overfit to historical data, reinforcing past biases rather than improving accuracy. Cyber risk escalates as AI enables more sophisticated attacks while simultaneously serving as a defensive tool, with 37% of UK financial services firms already using AI for cybersecurity.

Conduct and consumer protection risks demand particular regulatory attention. AI models can produce discriminatory outcomes in credit scoring, insurance pricing, and product recommendations — potentially excluding vulnerable populations or engaging in what regulators describe as proxy discrimination. The BIS identifies three categories of AI bias: systemic bias embedded in historical data, computational and statistical bias arising from model design, and human-cognitive bias introduced during development and deployment. Additionally, AI-enabled price collusion, where algorithms independently converge on anti-competitive pricing without explicit human coordination, represents a novel conduct risk that existing competition frameworks struggle to address.

Macroprudential risks could threaten financial stability at the systemic level. When multiple institutions rely on similar AI models and data sources, herding behavior may amplify market movements. The concentration of foundation model development — with Stanford’s AI Index reporting that 97 of 163 foundation models between 2019 and 2023 were owned by just four big tech companies — creates interconnectedness and single points of failure that could cascade through the financial system.

Global Regulatory Landscape for AI in Financial Services

The global regulatory landscape for AI in financial services is shaped by a layered architecture of international standards, cross-sectoral legislation, and financial sector-specific guidance. At the international level, the OECD AI Principles adopted in 2019 and updated in 2024 provide the most widely referenced framework. The G7 Hiroshima AI Process in 2023, UNESCO’s AI ethics recommendations adopted by 193 UN member states, and the United Nations’ first AI resolution in March 2024 have established a broad normative foundation.

Cross-sectoral AI guidance across jurisdictions converges on common themes: reliability and soundness, accountability, transparency, fairness, and ethics. More recent guidance adds emphasis on data privacy and protection, safety, security, explainability, sustainability, and intellectual property. However, these themes are deeply interconnected, creating trade-offs that regulators must navigate — for example, maximizing model reliability may require complexity that conflicts with transparency and explainability requirements.

The financial sector sits at a unique intersection of these frameworks. Standard-setting bodies including the Basel Committee on Banking Supervision (BCBS), the International Association of Insurance Supervisors (IAIS), and the Financial Stability Board (FSB) have issued clarifications on how existing standards apply to AI. Significantly, the IAIS concluded that its Insurance Core Principles are sufficiently principles-based to capture AI risks, a finding that supports the prevailing view among financial authorities that separate comprehensive AI regulations may not be necessary. The FSB published a toolkit for third-party risk management in 2023 and a report on financial stability implications of AI in 2024, reflecting growing macroprudential concern about AI concentration.

An OECD survey from the first quarter of 2024 found that the majority of 49 surveyed jurisdictions do not plan to introduce new AI regulations specifically for finance in the near future. Meanwhile, Stanford’s Human-Centered AI Institute reports that 148 AI-related bills were passed across 128 countries between 2016 and 2023, with 32 countries enacting at least one — illustrating the acceleration of cross-sectoral AI legislation that inevitably affects financial institutions.

Regulating AI in Financial Services: Principles vs. Rules

Perhaps the most consequential divergence in regulating AI in financial services is the split between principles-based and rules-based approaches. This choice shapes not only immediate compliance requirements but also the long-term adaptability of regulatory frameworks as AI technology evolves.

Principles-based jurisdictions — including the United Kingdom, the United States, and Singapore — favour non-binding guidance supported by voluntary industry commitments and technical standards. The rationale is pragmatic: given the rapid pace of AI development, rigid rules risk becoming obsolete before they take effect, potentially stifling innovation. The UK established the AI Safety Institute and issued supervisory statement SS1/23 on model risk management through the Bank of England and Prudential Regulation Authority. Singapore’s Monetary Authority developed the FEAT Principles (Fairness, Ethics, Accountability, Transparency) and co-created the Veritas Initiative with industry to develop practical assessment tools. In the US, the National Institute of Standards and Technology (NIST) AI Risk Management Framework provides a comprehensive voluntary structure, while individual regulators like the CFPB enforce existing consumer protection laws against AI-specific harms.

Rules-based jurisdictions — led by the European Union, with Brazil, China, and Qatar following similar philosophies — believe that binding legislation provides regulatory clarity and stronger consumer protection. The EU AI Act, which entered into force in stages beginning 2024, establishes a risk-based classification with four tiers: unacceptable risk (banned), high risk (strict requirements), limited risk (transparency obligations), and minimal risk (no restrictions). Critically for financial services, the Act classifies AI credit scoring systems and certain health and life insurance underwriting applications as high-risk, imposing conformity assessments, documentation requirements, and human oversight mandates. Brazil’s Draft Bill 2338/2023 adopts a similar risk tiering (excessive, high, other), while Qatar’s Central Bank has issued some of the most prescriptive AI rules in the world, including a mandatory human overseer “stop button” requirement and documentation obligations extending to original training data sets.

In practice, the distinction between principles and rules is narrowing. Principles-based jurisdictions increasingly attach regulatory expectations to their guidance, while rules-based jurisdictions build in flexibility through proportionality mechanisms and regulatory sandboxes. Hong Kong’s HKMA has launched a GenA.I. Sandbox enabling supervised experimentation, and Singapore’s approach combines high-level principles with detailed implementation toolkits. The trajectory suggests convergence toward adaptive frameworks that combine binding baseline requirements with principles-based flexibility for emerging applications — an approach well suited to the rapid evolution of AI capabilities in financial services.

The Explainability Challenge in AI-Driven Finance

Explainability stands as the single most technically challenging aspect of regulating AI in financial services. When a machine learning model denies a loan application, recommends an insurance premium, or flags a transaction as potentially fraudulent, regulators and consumers alike need to understand why — yet the most powerful AI models are often the least transparent.

The challenge is compounded by generative AI, which introduces non-deterministic outputs, hallucination risks, and the problem of anthropomorphism — users attributing human-like understanding to systems that operate through statistical pattern matching. NIST has articulated four principles of explainable AI — explanation, meaningful, explanation accuracy, and knowledge limits — but translating these principles into consistent regulatory requirements remains difficult.

The European Banking Authority (EBA) surveyed financial institutions on their explainability practices and found a fragmented landscape. SHAP (SHapley Additive exPlanations) values are used by 40% of respondents, graphical tools by 20%, enhanced reporting and documentation by 28%, and sensitivity analysis by just 8%. These techniques vary dramatically in their suitability for different model types and use cases. SHAP values work well for explaining individual predictions in gradient-boosted models but struggle with large language models; LIME (Local Interpretable Model-Agnostic Explanations) provides local interpretability but may not capture global model behavior.

From a consumer protection perspective, the explainability requirement has direct legal consequences. In the United States, the Equal Credit Opportunity Act and the CFPB’s adverse action requirements mandate that lenders provide specific reasons when denying credit — a requirement that AI models must satisfy just as traditional scoring models do. The EU AI Act extends the right to explanation for high-risk AI systems, requiring deployers to provide meaningful information about the logic involved and its significance. These legal mandates create a practical imperative for financial institutions to invest in explainability infrastructure, even where the technology does not yet offer perfect solutions. As explored in our analysis of AI risk management frameworks, the gap between regulatory expectation and technical capability in explainability is one of the defining tensions in AI governance.

Third-Party AI Concentration and Systemic Risk

The dependence of financial institutions on third-party AI providers represents what may be the most underappreciated systemic risk in modern finance. A 2023 MIT-BCG survey found that 78% of organizations use third-party AI models, with 53% relying exclusively on external providers. In the United States, 20% of small-to-mid-size financial institutions have no in-house credit modeling staff, outsourcing this critical capability entirely to third parties.

The concentration dynamics are striking. Training a frontier model like GPT-4 costs approximately USD 78 million, while Google’s Gemini Ultra required an estimated USD 191 million — costs that effectively limit foundation model development to the largest technology companies. Stanford’s data confirms that 97 of 163 foundation models developed between 2019 and 2023 were created by just four companies: Google, OpenAI, Meta, and Microsoft. This concentration creates a web of dependencies where a disruption to a single cloud-AI provider could simultaneously affect thousands of financial institutions globally.

The regulatory response to third-party AI concentration is evolving. The predominant approach is indirect: financial regulators hold the regulated institution responsible for managing its third-party risks, requiring due diligence, contractual protections, and ongoing monitoring. However, several jurisdictions are moving toward direct oversight of critical third parties. The EU’s Digital Operational Resilience Act (DORA) establishes a framework for designating and supervising critical ICT third-party service providers, and the FSB’s 2023 toolkit provides a comprehensive framework for managing third-party risks in financial services. The key regulatory challenge is ensuring accountability when a financial institution cannot fully understand or validate a proprietary AI model provided by a third party — a situation that current shared responsibility models do not adequately address. For deeper analysis of how technology dependencies create regulatory challenges, see our coverage of digital operational resilience in the financial sector.

New Players, New Models, New Regulatory Gaps

The proliferation of AI-powered financial services by non-traditional providers creates regulatory perimeter challenges that existing frameworks were not designed to address. Fintech lenders use AI-driven credit scoring to reach underserved markets, big tech companies leverage their vast data ecosystems to offer lending and payment services, and Banking-as-a-Service (BaaS) models create multi-layered arrangements where the entity interacting with the customer may be several steps removed from the regulated bank.

Big technology companies occupy a uniquely complex position in this landscape. They simultaneously serve as AI and cloud infrastructure providers to financial institutions and as direct competitors offering financial products. Ping An, which ranked second globally with 1,564 generative AI patent applications according to WIPO, employs over 20,000 technology developers and 3,000 scientists — illustrating how the line between technology company and financial conglomerate continues to blur. This dual role creates conflicts of interest and informational asymmetries that single-purpose financial regulation struggles to address.

Embedded insurance and embedded finance models further complicate the regulatory picture. When a consumer purchases travel insurance through an AI-powered recommendation at checkout on an e-commerce platform, the accountability chain spans the insurer, the platform operator, the AI model provider, and potentially additional intermediaries. The BIS FSI report identifies this fragmentation of the financial services value chain as a key area requiring enhanced regulatory attention, particularly regarding consumer protection, complaints handling, and liability allocation. Activity-based regulation — which imposes requirements based on the financial service being provided regardless of the entity’s legal form — is gaining support as a complementary approach, but implementation challenges remain significant, especially across jurisdictions.

Governance and Organizational Readiness for AI

Effective governance is the foundation upon which all other aspects of regulating AI in financial services depend. The BIS FSI report emphasizes that boards and senior management bear ultimate accountability for AI-related decisions across the entire lifecycle — from conception and data selection through development, deployment, monitoring, and decommissioning. However, a significant gap exists between this expectation and organizational reality.

Human oversight requirements are evolving along a spectrum. The concepts of human-in-the-loop (a human approves every AI decision), human-on-the-loop (a human monitors AI decisions and can intervene), and human-in-control (a human can override or shut down AI systems) represent different balances between safety and efficiency. Qatar’s Central Bank has mandated a “stop button” mechanism for high-risk AI applications, while most other jurisdictions leave the appropriate level of human oversight to institutional risk assessment. The trade-off is real: excessive human intervention undermines the efficiency gains that justify AI adoption, while insufficient oversight exposes institutions and consumers to uncontrolled algorithmic risk.

The AI skills gap compounds governance challenges. Financial institutions need expertise across data science, model development, risk management, and internal audit — yet attracting and retaining AI talent in competition with technology companies is difficult. Supervisors themselves face the same challenge: effectively overseeing AI in financial services requires regulatory staff who understand both financial risk and AI technology. Leading institutions are responding by establishing dedicated AI committees at the senior management level, creating comprehensive use case and risk registries, and building “AI factory” operational models that centralize governance while enabling business-line agility. As our analysis of AI governance in financial institutions explores, the organizational structures that emerge in the next two to three years will likely define how effectively the industry manages AI risk for a generation.

The Path Forward: Adaptive Regulation for AI in Finance

The BIS FSI’s comprehensive analysis points toward a clear conclusion: the financial sector does not need to build AI regulation from scratch, but it does need to build intelligently on existing foundations. Current financial regulations — spanning governance, risk management, consumer protection, model validation, third-party oversight, operational resilience, and cybersecurity — already capture the vast majority of AI-related risks. The task is targeted enhancement, not wholesale reinvention.

Six areas demand priority attention. First, governance frameworks need AI-specific roles and responsibilities that span the complete model lifecycle, with clear escalation paths and accountability structures. Second, AI expertise requirements should be codified for boards, senior management, risk functions, and internal audit. Third, model risk management guidance must evolve to address AI-specific challenges including explainability technique selection, generative AI validation, and continuous monitoring of model drift. Fourth, data governance standards need strengthening to address AI-specific issues including training data bias, synthetic data use, and the privacy implications of large-scale data processing.

Fifth, the regulatory perimeter for new players — fintechs, big techs, and entities operating through BaaS and embedded finance models — must be clarified to ensure that identical financial activities receive consistent regulatory treatment regardless of the provider’s legal form. Sixth, direct oversight mechanisms for critical third-party AI and cloud service providers need development, moving beyond the current indirect model that places the entire accountability burden on financial institutions with limited visibility into proprietary systems.

Perhaps most importantly, international coordination on an agreed AI lexicon and taxonomies would reduce regulatory fragmentation and help both institutions and supervisors navigate a landscape where AI systems frequently operate across borders. The absence of a globally accepted definition of AI for financial regulatory purposes remains a fundamental obstacle to effective data collection, risk identification, and cross-jurisdictional supervisory cooperation. As AI in financial services moves from experimentation to operational ubiquity — with spending on track to nearly triple by 2027 and energy consumption expected to match that of Austria or Finland by 2026 — the window for establishing adaptive, coherent regulatory frameworks is narrowing. The institutions and jurisdictions that act decisively now will shape the governance architecture for AI-driven financial services for decades to come.