NEW YORK, June 12: U.S. banking regulators are increasing oversight of how lenders deploy artificial intelligence as technological advances permeate the industry and pressure companies on everything from data access and governance controls to risks posed by third-party vendors, according to people familiar with the situation.
Banks have rapidly adopted artificial intelligence in recent years, expanding its use from virtual assistants to more complex functions such as regulatory oversight and credit underwriting, and attracting the attention of regulators.
Regulators are increasing their oversight as the use of AI accelerates across financial services, exposing the sector to cybersecurity and fraud risks. For now, their approach is to closely monitor, with the aim of gaining a better understanding of how banks are implementing this technology.
The Office of the Comptroller of the Currency and the Federal Reserve have begun requiring banks during their regular bank examinations to plan how they will use AI technology in high-risk areas such as lending, verified customer checks and sanctions review, according to three people familiar with the matter.
Supervisors are asking detailed questions about how banks use vendors, how they protect customer data and whether they have controls such as “kill switches,” the people said. The company is also looking at governance frameworks such as guardrails and human oversight, third-party risk and vendor oversight, subcontractor exposure and contingency plans in the event of an outage, the people said.
Conversations about the use of AI are part of every bank review, one of the people said.
Discussions will take place through both written and oral channels. Regulators are not yet prescriptive, but are trying to better understand how banks are using the technology, the people said.
The sources declined to be identified because the discussions are private. The OCC, which regulates U.S. banks, did not respond to requests for comment, while the Federal Reserve declined to comment.
US banking regulators have publicly suggested greater oversight of lenders’ use of artificial intelligence. Last year, the Government Accountability Office announced that regulators were assessing AI risks in financial services.
In April, the OCC announced that the OCC, the Federal Reserve, and the Federal Deposit Insurance Corporation plan to provide formal information on banks’ use of AI, including generation and proxy systems. Such requests do not impose new rules, but they help agencies gather input before deciding whether to take action.
Regulators are looking to assess how banks are tackling rapidly evolving systems like Anthropic’s frontier AI model Mythos. Cybersecurity experts say the system poses significant challenges to the banking industry and its legacy technology systems because of the potential for cyber vulnerabilities to be exploited.
The U.S. Treasury Department and regulators are also investigating the cybersecurity risks posed by new artificial intelligence models and how financial companies are prepared to address them.
Scrutiny of the system
For now, regulators are focused on gathering information and evaluating industry practices rather than restricting specific uses, the people said.
Instead of issuing new AI-specific rules, regulators are relying on existing frameworks such as model risk management, third-party risk oversight and consumer protection laws to assess how banks are managing emerging technologies, the people said.
The main concern of regulators is to ensure that AI systems do not exceed their intended behavior or access, the people said. Regulators are investigating whether tools can access or infer data beyond the allowed limits, especially since AI models are designed to extract and connect information across systems. Officials say this raises privacy, confidentiality and regulatory compliance risks.
Lenders are being asked to demonstrate what controls they have in place, including guardrails that limit how their models work and what data they can access, it added. All three people said regulators are also focusing on human oversight, “kill switches” that allow companies to shut down systems if necessary, and clarifying who has the authority to intervene.
Another key area of investigation is vendor risk. As banks increasingly rely on third-party providers for AI tools, regulators are questioning how companies ensure these vendors and their subcontractors meet the same governance and security standards as the banks themselves, the three people said.
Regulators are also asking whether banks have an exit strategy in the event of a security breach in a vendor’s systems, one of the people said, a concern that has grown as the use of AI becomes embedded in various banking systems.
At the same time, the speed at which AI is evolving is proving challenging for regulators themselves. The technology is advancing far faster than traditional regulatory learning and rule-making cycles, raising concerns that even formal guidance could quickly become outdated, three people familiar with the matter said.
As a result, authorities are expected to rely on broad principles-based supervision rather than prescriptive rules for the time being, although this is potentially subject to change.
“Currently, banks rely on their existing risk management frameworks to guide their use of AI,” Michelle Bowman, the Federal Reserve’s vice chair for oversight, said in a speech in May. “While these supervisory tools are intended to help banks apply sound governance and risk management, we need to assess whether our supervisory guidance is suitable for the future.”
