AI Risk in Banking: Preparing for Regulator Expectations
Artificial Intelligence in banking isn’t a novelty. What’s new is how fast it’s being deployed, how visible it has become, and how sharply regulatory scrutiny is evolving. As banks accelerate AI use in credit, customer engagement, operations, and risk they are confronting familiar regulatory expectations in new contexts. Effectively, AI is an amplifier of existing risks rather than a wholly novel domain.
Bandwagon Effect
Despite the headlines, there are not yet widespread public-facing AI use cases in banking. A few of the largest institutions are experimenting, but for most, the reality of adoption lags compared to the appearance. At least as of 9/29/25 if you google “AI in banking” the top results are all from consulting groups such as McKinsey, IBM, KPMG, and Boston Consulting Group. While not definitive, there are some assumptions that can be made about this. Why don’t we see JPMC, Capital One, or BofA on there? This gap is creating a bandwagon effect, where banks feel pressure to launch AI capabilities quickly to remain relevant and meet consumer expectations. The danger is that rushing deployments without fully considering risk management, data governance, or explainability can backfire. There is a balancing act between risk management, consumer sentiment, and competitive positioning; missteps are inevitable. One of the best ways to mitigate these risks is through incident response preparedness for AI-specific failures. Security practitioners cannot (and should not) try to halt adoption; instead, they must help the business embrace AI responsibly. That means validating what’s truly happening in the industry and not just taking peer claims at face value. Some research into JPMC’s adoption of GenAI produces a timeline that looks something like this (so keep it in mind as your organization starts this journey and consider the capital the someone like JPMC can put into this timeline as well):
Block GenAI (Day 1)
▼
Partner with someone to develop internal use APIs hosted with Public Cloud Providers (AWS/Azure) and experiment with internal use cases (Day 1 + 6-12 mos)
▼
Develop controls, guardrails, and governance processes (Day 1 + 12-18 mos)
▼
Formalize internal offerings and slowly expand (still internal data only) (Day 1 + 12-18 mos)
▼
Consider small use cases for customer use and customer data with heavy governance and compliance scrutiny (Day 1 + 18-24 mos)
Historical Context: Model Risk Has Long Been Core
In April 2011, the Federal Reserve and the Office of the Comptroller of the Currency (OCC) jointly published Supervisory Letter SR 11-7: Guidance on Model Risk Management. That guidance requires banking organizations to maintain robust policies around model development, implementation, use, validation, governance, and controls. Federal Reserve
Larger banks have had dedicated model risk teams for years, charged with ensuring that models used for credit underwriting, risk measurement, capital estimation, etc., satisfy both quantitative soundness and regulatory fairness.
Regulatory statutes like the Equal Credit Opportunity Act (ECOA) and Fair Lending Act (FLA) demand that decisions (especially denials of credit) be justifiable, non-discriminatory, and explainable. AI and ML models, especially black-box ones, raise special concerns in that respect.
What’s Changing (and What Is Not)
While the core elements of risk oversight remain constant, the rise of AI is pushing them into sharper relief:
| Domain | Long-standing Expectations | AI-Amplified Stress-Points |
|---|---|---|
| Data Management & Access Controls | Banks must have clean, validated input data; strong controls over who can see what. | AI demands large, often heterogeneous datasets; external vendors; risk of over-access; more frequent boundary cases. |
| Software Development Lifecycle (SDLC) | Formal development, testing, version control, documentation. | Faster iterations, continuous deployment, third-party/auto-ML tools; drift and versioning risk. |
| Model Risk Management (MRM) | SR 11-7’s framework: model development, validation, governance. | AI introduces opacity (deep learning, LLMs), harder to validate or trace, especially with large or proprietary base models. |
| General Risk Management | Governance, oversight, policies, audit, ongoing monitoring. | Need for new guardrails: explainability, ethical constraints, fairness assessments, defensive measures vs misuse. |
Regulators are clear: AI doesn’t necessarily create new regulations, but it demands that institutions apply existing obligations with rigor, adapted to new technologies.
Key Challenges: Explainability & Hallucinations
Two AI-specific issues require especially careful management in banking:
Explainability
When AI/ML systems make decisions or provide recommendations that affect consumers e.g., “Do I qualify for a loan?” banks must be able to explain how those decisions are made. Negative decisions implicate fair-lending risk; positive ones implicate credit risk if the model’s decision criteria are not sound.
Models must include explicit guardrails for what is in-scope vs out-of-scope for public-facing interactions or use of customer data, especially for chatbots or conversational AI. For example, avoiding giving definitive credit decisions in conversation, instead deflecting or routing to human channels, keeping in mind that deflections introduce customer satisfaction issues.
The FTC’s recent oversight inquiries (e.g. about protections for children) suggest that regulators expect AI systems to have constraints not only on what they can say, but how they can be manipulated or prompted to go off track.
Hallucinations
A new OpenAI research paper Why Language Models Hallucinate observes that hallucinations occur in large language models partly because training and evaluation systems reward guessing when unsure, rather than admitting uncertainty. This incentive structure leads models to provide plausible-sounding but incorrect information. OpenAI on Hallucinations
In banking, hallucinations are high-stakes: imagining a scenario where internal client notes or non-public data appear in bot responses, or where customers are given false assurances. These are not just theoretical errors, they could lead to regulatory sanctions, reputational damage, or worse.
To mitigate, banks must treat AI systems as another vector in their data risk management framework: ensure segmentation, strong controls, audit trails, and testing (especially adversarial or “what-if” cases). Also, careful prompt design and content filters.
Implications for Supervisory Expectations
Regulators will expect banks to show not only that they’ve thought through these issues, but that they have concrete practices:
Framework Integration: AI risk must be embedded into existing model risk frameworks (e.g. SR 11-7), not siloed. Supervisors will ask how the bank’s AI governance maps to policy, controls, validation, oversight.
Transparency & Demonstrability: How models work, how decision logic is derived, what datasets are used, how fairness is evaluated, how drift is monitored. If the bank uses proprietary or black-box components, how are those mitigated?
Incident Readiness: Because hallucinations or misuses are likely, banks need recovery/mitigation plans: how to detect, respond, and remediate when things go wrong.
Conclusion
AI in banking is, in many ways, a magnifying glass over risks that already exist. Data quality, model validation, governance, and compliance with ECOA and FLA are not new mandates, but their implementation must evolve.
Explainability and hallucinations are two of the most pressing challenges when deploying AI that interacts with customers or makes decisions. Institutions that succeed will be those that translate existing model risk rigor into AI-appropriate frameworks, train their teams (including examiners), build strong guardrails, and operate defensively.
As AI continues to become more central to banking operations, those who treat it as a risk amplifier rather than a risk deviation will be better positioned to drive trust, compliance, and long-term value. At CipherNorth, we have experience bringing together the various departments, policies, and frameworks and adapting them to GenAI use cases. If you’d like to discuss how we can help, schedule a free consultation.