U.S. banking regulators are increasing their scrutiny of how lenders use artificial intelligence as the emerging technology spreads throughout the sector.
They are pressing companies on issues ranging from data access and governance controls to risks posed by third-party vendors.
In recent years, banks have quickly embraced artificial intelligence, extending its use from virtual assistants to more intricate tasks like credit underwriting and regulatory monitoring, attracting regulators’ attention.
As the usage of AI spreads throughout the financial services industry, regulators are increasing their oversight, putting the industry at risk for fraud and cybercrime. For the time being, their strategy is to monitor closely to gain a deeper comprehension of how banks are implementing the technology.
The Federal Reserve and the Office of the Comptroller of the Currency have started asking banks to lay out how they utilize AI technology in higher-risk areas, including lending, know-your-customer checks, and sanctions screening, during normal bank audits.
Supervisors are questioning banks in-depth about how they use vendors, protect customer data, and whether they have safeguards like “kill switches.”
They are also looking into governance frameworks that include human monitoring and guardrails, third-party risk and vendor oversight, subcontractor exposure, and backup plans in case of failures.
According to one of the reports, every bank test includes a discussion about the application of AI.
Both written and spoken channels are being used for the conversations. Regulators are trying to better understand how banks are utilizing the technology rather than being prescriptive just yet.
The usage of AI by lenders has come under increased scrutiny from U.S. financial regulators. According to the Government Accountability Office, authorities informed it last year that they are evaluating the dangers associated with AI in the financial services industry.
The Federal Deposit Insurance Corporation, the Fed, and the OCC said in April that they will be formally requesting data on banks’ usage of AI, particularly generative and agentic systems. Such a request helps agencies get feedback before determining whether to take action, but it does not impose new regulations.
Regulators are attempting to evaluate how banks are handling rapidly developing systems like Anthropic’s frontier AI model Mythos.
According to cybersecurity experts, the system’s ability to exploit cyber vulnerabilities presents serious issues for the banking sector and its legacy IT systems.
The cybersecurity threats raised by the new artificial intelligence model and the readiness of financial firms to address them are also being investigated by the U.S. Treasury and authorities.
SYSTEMS’ SCRUTINY
Supervisors are currently more concerned with collecting data and evaluating industry operations than limiting certain usage.
The regulators are using pre-existing frameworks, such as model risk management, third-party risk oversight, and consumer protection legislation, to evaluate how banks are handling the new technology rather than creating new regulations, particularly for AI.
Making sure AI systems don’t go beyond what they are intended to accomplish or access is a major concern for supervisors.
Since AI models are built to gather and integrate information across systems, regulators are investigating whether tools can access or infer data beyond permitted limitations.
This increase concerns related to secrecy, privacy, and rule compliance.
Lenders are expected to demonstrate the controls they have in place, such as guardrails that restrict the behavior of models and the data they can access.
Supervisors are also concentrating on human monitoring, “kill switches” that let businesses shut down systems as needed, and clarity over who has the power to step in.
Vendor risk is another important issue under investigation, as banks depend more and more on third-party providers for AI technologies. Authorities are asking how companies make sure these vendors and their own subcontractors adhere to the same security and governance standards as the banks.
Regulators are also inquiring about banks’ escape plans in the event of a safety breach with the vendor’s system. This is an increasing issue as the use of AI gets more integrated into different bank systems.
However, regulators themselves are finding it difficult to keep up with the speed at which AI is developing. The speed at which technology is developing is significantly faster than the conventional cycle of regulatory learning and rulemaking, which raises concerns that formal guidance may soon become out of date.
Authorities are therefore expected to rely on broad, principles-based oversight rather than prescriptive rules for the time being, but this may change.
“Today, banks are relying on existing risk-management frameworks to guide their use of AI,” Michelle Bowman, vice chair for supervision at the Federal Reserve, stated in a May address.
“While these supervisory tools are intended to support banks in applying sound governance and risk management, we should assess whether our supervisory guidance is fit for the future.”
