Financial Services Already Had AI Governance — They Just Called It Model Risk
Banking is the one industry where AI governance isn't a greenfield exercise. The Federal Reserve and OCC issued Supervisory Guidance on Model Risk Management — SR 11-7 — back in 2011, long before "AI governance" entered the regulatory lexicon. Every quantitative model used in decision-making at a supervised institution requires independent validation, ongoing monitoring, and documentation.
The problem: SR 11-7 was written for logistic regressions and Monte Carlo simulations. Gradient-boosted trees, transformer-based credit models, and large language models used in customer service don't fit neatly into a framework designed for interpretable statistical models. The core principles still apply — independent validation, ongoing performance monitoring, clear documentation — but the implementation details break down when you can't explain why the model made a specific decision.
Financial institutions that recognize this gap have an advantage. Those that try to force AI into legacy model risk frameworks without adaptation are accumulating regulatory risk they can't see.
SR 11-7 in the Age of Machine Learning
SR 11-7 defines a model as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates." Modern AI systems meet this definition. The three pillars — model development, validation, and governance — apply directly, but each demands adaptation.
Model development under SR 11-7 requires documentation of the theoretical basis, data inputs, and assumptions. For an AI credit model, this means documenting training data provenance, feature engineering decisions, hyperparameter selection rationale, and the specific performance metrics used during development. The traditional "model documentation" template doesn't have fields for training/validation/test splits, data drift thresholds, or feature importance rankings. You need to build them.
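As a sketch of what those added fields might look like, here is a hypothetical documentation record in Python; the schema and values are illustrative, not a supervisory template.

```python
from dataclasses import dataclass, field

@dataclass
class AIModelDocumentation:
    """Illustrative extension of a model documentation record for an AI credit model."""
    model_id: str
    theoretical_basis: str                  # already expected under SR 11-7
    data_sources: list                      # training data provenance
    train_validation_test_split: dict       # e.g. {"train": 0.7, "validation": 0.15, "test": 0.15}
    feature_engineering_notes: str
    hyperparameter_rationale: dict          # chosen values and why
    development_metrics: dict               # AUC, KS, etc. measured during development
    drift_thresholds: dict = field(default_factory=dict)    # e.g. {"psi": 0.2}
    feature_importance: dict = field(default_factory=dict)  # ranked contribution per feature

doc = AIModelDocumentation(
    model_id="credit-scoring-v3",
    theoretical_basis="Gradient-boosted trees over bureau and application features",
    data_sources=["2019-2023 originations", "credit bureau snapshot 2023-Q4"],
    train_validation_test_split={"train": 0.7, "validation": 0.15, "test": 0.15},
    feature_engineering_notes="Income normalized by region; utilization capped at 99th percentile",
    hyperparameter_rationale={"max_depth": "6, selected via cross-validation"},
    development_metrics={"auc": 0.81, "ks": 0.45},
    drift_thresholds={"psi": 0.2},
    feature_importance={"utilization": 0.31, "delinquency_count": 0.22},
)
```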
Model validation requires independent, objective review. For AI models, validation must include testing on out-of-sample and out-of-time data, sensitivity analysis across protected class subgroups, assessment of model stability over time, and evaluation of the model's behavior at decision boundaries. A validator who can audit a Cox proportional hazards model may lack the expertise to validate a neural network. Institutions need validation teams with machine learning competency — or they need to source it externally.
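A minimal sketch of two of those checks, out-of-time performance and subgroup sensitivity, assuming a scikit-learn-style model with predict_proba(); the column names, cutoff, and group definitions are placeholders.

```python
import numpy as np
from sklearn.metrics import roc_auc_score

def out_of_time_and_subgroup_validation(model, X, y, application_dates, cutoff, groups):
    """Illustrative validator checks: AUC on applications after the development
    cutoff date, and AUC within each protected-class subgroup."""
    # Out-of-time: score only applications received after the development window.
    oot_mask = application_dates > cutoff
    oot_scores = model.predict_proba(X[oot_mask])[:, 1]
    results = {"out_of_time_auc": roc_auc_score(y[oot_mask], oot_scores)}

    # Subgroup sensitivity: performance should not collapse for any segment.
    for name, mask in groups.items():
        scores = model.predict_proba(X[mask])[:, 1]
        results[f"auc_{name}"] = roc_auc_score(y[mask], scores)
    return results
```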
Ongoing monitoring is where AI models diverge most from traditional models. Statistical models are relatively stable. AI models drift. Training data distributions shift. Feature relationships evolve. SR 11-7 requires monitoring that compares model outputs to actual outcomes. For AI, this means automated drift detection, performance degradation alerts, and defined retraining triggers.
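One widely used drift measure is the Population Stability Index; a minimal sketch, with an illustrative retraining threshold (the actual threshold is an institution-specific choice).

```python
import numpy as np

def population_stability_index(expected, actual, bins=10):
    """PSI between a feature's training distribution and its live distribution."""
    cuts = np.percentile(expected, np.linspace(0, 100, bins + 1))
    cuts[0], cuts[-1] = -np.inf, np.inf
    e_pct = np.histogram(expected, cuts)[0] / len(expected)
    a_pct = np.histogram(actual, cuts)[0] / len(actual)
    e_pct = np.clip(e_pct, 1e-6, None)  # avoid log(0)
    a_pct = np.clip(a_pct, 1e-6, None)
    return float(np.sum((a_pct - e_pct) * np.log(a_pct / e_pct)))

# A common (but institution-specific) convention: PSI above 0.25 signals major drift.
PSI_RETRAIN_THRESHOLD = 0.25

def check_drift(training_feature, live_feature):
    psi = population_stability_index(training_feature, live_feature)
    if psi > PSI_RETRAIN_THRESHOLD:
        return psi, "alert: drift exceeds threshold, trigger retraining review"
    return psi, "ok"
```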
Fair Lending: Where AI Bias Becomes a Federal Violation
The Equal Credit Opportunity Act (ECOA) prohibits discrimination in lending. The CFPB enforces this through both disparate treatment and disparate impact theories. An AI model doesn't need to intentionally discriminate to violate ECOA — it just needs to produce outcomes that disproportionately harm a protected class without legitimate business justification.
The CFPB has been aggressive. In circulars issued in 2022 and 2023, the bureau clarified that lenders using AI models must still provide specific, accurate reasons when denying credit; the generic "your application did not meet our criteria" doesn't satisfy adverse action notice requirements under ECOA and the Fair Credit Reporting Act. Lenders must identify the actual factors that drove the denial, even when those factors emerge from a complex model.
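One way to operationalize that requirement is to translate per-applicant feature contributions (for example, SHAP values) into specific denial reasons; the mapping below is a hypothetical sketch, not CFPB-endorsed language.

```python
# Hypothetical mapping from model features to adverse action reason language.
REASON_CODES = {
    "utilization": "Proportion of revolving credit in use is too high",
    "delinquency_count": "Number of recent delinquencies",
    "inquiries_6m": "Too many recent credit inquiries",
    "income_to_debt": "Income insufficient relative to obligations",
}

def adverse_action_reasons(feature_contributions, top_n=4):
    """Return the specific factors that most lowered a denied applicant's score.
    `feature_contributions` maps feature name -> signed contribution (e.g., a SHAP
    value), where negative values push the score down."""
    negative = [(f, c) for f, c in feature_contributions.items() if c < 0]
    negative.sort(key=lambda item: item[1])  # most negative first
    return [REASON_CODES.get(f, f) for f, _ in negative[:top_n]]

print(adverse_action_reasons(
    {"utilization": -0.42, "inquiries_6m": -0.11, "income_to_debt": 0.05, "delinquency_count": -0.30}
))
```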
Enforcement actions have followed. In October 2024, the CFPB fined Apple $25 million and Goldman Sachs $45 million over Apple Card failures that included breakdowns in algorithmic accountability. In July 2025, the Massachusetts Attorney General settled a fair lending action against a student loan company whose AI underwriting models produced unlawful disparate impact based on race and immigration status.
Most consent orders from these actions require extensive operational changes: independent monitors for two to five years, pre-approval requirements for any AI model changes, ongoing regulatory reporting, customer remediation programs, and expanded compliance staffing. The cost of remediation dwarfs the fines.
For compliance officers, the mandate is clear: every AI model that touches a credit decision needs bias and fairness testing before deployment and on an ongoing basis. Test for disparate impact across all protected classes. Search for less discriminatory alternatives. Document everything. The CFPB has stated that "there are no exceptions to the federal consumer financial protection laws for new technologies."
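A common starting point for disparate impact testing is the approval-rate ratio across groups; the four-fifths threshold in this sketch is a screening heuristic borrowed from employment law, not a fair lending safe harbor, and real testing goes well beyond it.

```python
def adverse_impact_ratios(approvals_by_group, reference_group):
    """Approval-rate ratio of each group versus the reference group.
    `approvals_by_group` maps group name -> (approved_count, applicant_count).
    Ratios below roughly 0.8 warrant deeper analysis and a search for less
    discriminatory alternatives."""
    ref_approved, ref_total = approvals_by_group[reference_group]
    ref_rate = ref_approved / ref_total
    return {group: (approved / total) / ref_rate
            for group, (approved, total) in approvals_by_group.items()}

print(adverse_impact_ratios(
    {"group_a": (620, 1000), "group_b": (430, 1000)},
    reference_group="group_a",
))
# group_b comes out near 0.69: below the 0.8 screen, so flag for review.
```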
EU AI Act: Creditworthiness as High-Risk
Annex III of the EU AI Act explicitly classifies AI systems "intended to be used to evaluate the creditworthiness of natural persons or establish their credit score" as high-risk — with a narrow exception for fraud detection. This means any AI-driven credit scoring model serving EU residents must meet the full suite of high-risk obligations by August 2, 2026: a risk management system, data governance requirements, technical documentation, transparency to users, human oversight provisions, and accuracy and robustness standards.
For global banks, this creates a compliance bifurcation. Your US credit models operate under SR 11-7 and ECOA. Your EU-facing models add the AI Act layer. The good news: there's significant overlap. SR 11-7's validation and documentation requirements address much of what the AI Act demands. The gaps are in transparency (the AI Act's Article 13 requirements go beyond SR 11-7's documentation standards) and human oversight (Article 14 requires specific mechanisms for human intervention that SR 11-7 treats more generically).
The EU's Digital Operational Resilience Act (DORA), which entered application in January 2025, adds another dimension. DORA requires financial entities to maintain comprehensive ICT risk management frameworks, including for AI systems that support critical functions. AI model infrastructure — training pipelines, inference endpoints, monitoring systems — falls under DORA's operational resilience requirements.
BSA/AML: AI Monitoring Under Regulatory Scrutiny
AI-powered transaction monitoring for Bank Secrecy Act and Anti-Money Laundering compliance represents both the biggest opportunity and the biggest governance challenge. Legacy rule-based systems generate false positive rates between 90% and 95%, consuming enormous investigation resources. Machine learning models can reduce false positives by 80% to 90% while detecting 70% to 90% more suspicious activity.
FinCEN has encouraged innovation in AML compliance since 2018. But the regulatory expectation hasn't changed: your monitoring system must remain "reasonably designed" to detect suspicious activity and sanctions violations. An AI model that reduces false positives is valuable. An AI model that misses a sanctions violation because its training data didn't include that pattern is a BSA violation.
The governance challenge is explainability. When a Suspicious Activity Report is filed, examiners and law enforcement need to understand why the activity was flagged. "The model scored it above the threshold" is insufficient. Your AML AI governance program needs to produce human-interpretable explanations for each alert, maintain audit trails from alert generation through disposition, document model performance metrics including false negative estimation, and demonstrate that the model covers all required typologies.
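A sketch of what an alert-level audit record might capture, with hypothetical field names and factor descriptions; the point is that the explanation and disposition travel with the alert from generation through investigation.

```python
import json
from datetime import datetime, timezone

def build_alert_record(alert_id, score, threshold, top_factors, typology, analyst=None):
    """Illustrative audit-trail record for an AI-generated AML alert: the score, the
    threshold in force, the human-readable drivers, and the typology it maps to."""
    return {
        "alert_id": alert_id,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "model_score": score,
        "threshold": threshold,
        "explanation": top_factors,   # drivers an investigator can act on, not just a score
        "typology": typology,         # e.g. structuring, rapid movement of funds
        "disposition": None,          # filled in by the investigator
        "analyst": analyst,
    }

record = build_alert_record(
    alert_id="ALRT-2025-00042",
    score=0.91,
    threshold=0.85,
    top_factors=[
        "12 cash deposits just under $10,000 within 14 days",
        "Funds moved to a newly added beneficiary within 24 hours of deposit",
    ],
    typology="structuring",
)
print(json.dumps(record, indent=2))
```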
Trading Algorithms and Market Manipulation Risk
Algorithmic trading introduces a different model governance challenge: speed. A trading algorithm executes thousands of orders per second. A governance failure doesn't produce a slow accumulation of bias — it produces a market disruption.
The SEC's Market Access Rule (Rule 15c3-5) requires broker-dealers to maintain risk management controls for market access, including automated pre-trade risk controls. When those controls involve AI — adaptive order routing, predictive market making, sentiment-driven trading — governance must include real-time monitoring with kill switches, pre-deployment stress testing across historical scenarios, and change management controls that prevent unauthorized model updates from reaching production.
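A simplified sketch of a pre-trade gate with a kill switch; the limits, structure, and single-process design are illustrative, not a Rule 15c3-5 compliant implementation.

```python
import time

class PreTradeRiskGate:
    """Illustrative pre-trade control wrapping an algorithmic order flow:
    a per-order value limit, a per-minute rate limit, and a kill switch."""

    def __init__(self, max_order_value, max_orders_per_minute):
        self.max_order_value = max_order_value
        self.max_orders_per_minute = max_orders_per_minute
        self.killed = False
        self._recent_orders = []

    def kill(self, reason):
        # Hard stop: no further orders until risk and compliance re-enable the strategy.
        self.killed = True
        print(f"KILL SWITCH: {reason}")

    def approve(self, order_value):
        """Return True only if the order passes every pre-trade check."""
        if self.killed:
            return False
        if order_value > self.max_order_value:
            return False  # reject the individual order
        now = time.time()
        self._recent_orders = [t for t in self._recent_orders if now - t < 60]
        if len(self._recent_orders) >= self.max_orders_per_minute:
            self.kill("order rate exceeds per-minute limit")  # halt the strategy entirely
            return False
        self._recent_orders.append(now)
        return True

gate = PreTradeRiskGate(max_order_value=1_000_000, max_orders_per_minute=500)
print(gate.approve(250_000))    # True
print(gate.approve(5_000_000))  # False: over the per-order limit
```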
Structuring a Financial Services AI Governance Program
Financial institutions have an advantage: they already have model risk management infrastructure. The challenge is extending it.
Map every AI system to its regulatory surface area. A single credit scoring model might touch SR 11-7 model risk management, ECOA fair lending requirements, EU AI Act high-risk obligations, DORA operational resilience requirements, and state-level algorithmic accountability laws. Each creates documentation, testing, and monitoring obligations. Overlap them where possible, but don't assume that satisfying one satisfies all.
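One lightweight way to capture that mapping is a model inventory that records every regime a model touches and the obligations each regime imposes; the entry below is an illustrative sketch, not legal advice.

```python
# Illustrative inventory entry for a single credit scoring model.
MODEL_INVENTORY = {
    "credit-scoring-v3": {
        "use_case": "consumer credit underwriting",
        "regulatory_surface": {
            "SR 11-7": ["independent validation", "ongoing monitoring", "documentation"],
            "ECOA / Reg B": ["disparate impact testing", "adverse action reason codes"],
            "EU AI Act (Annex III)": ["risk management system", "technical documentation",
                                      "human oversight", "transparency"],
            "DORA": ["ICT resilience for training and inference infrastructure"],
        },
        "owner": "retail credit risk",
        "validator": "model risk management",
        "next_validation_due": "2026-03-31",
    }
}

# A quick completeness check: every regime must have at least one mapped obligation.
for model, entry in MODEL_INVENTORY.items():
    for regime, obligations in entry["regulatory_surface"].items():
        assert obligations, f"{model}: no obligations mapped for {regime}"
```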
Build AI governance into your three lines of defense. First line: model developers and business owners maintain documentation and perform initial validation. Second line: model risk management performs independent validation and ongoing monitoring. Third line: internal audit assesses the entire framework's effectiveness.
Invest in explainability tooling. SR 11-7, ECOA adverse action requirements, BSA/AML investigation documentation, and the EU AI Act's transparency obligations all demand that you can explain what your models do and why. SHAP values, LIME, and counterfactual explanations aren't research curiosities; they're compliance requirements.
The institutions that extend their existing model risk discipline to cover AI, rather than treating it as a separate workstream, will navigate this most efficiently.
See how Starkguard maps AI governance to financial services requirements.