AI Banking Regulation: US Tightens Oversight Now

US banking regulators such as the Federal Reserve and the OCC now consider AI a routine part of every bank examination. They aren't inventing new, AI-specific rules, but using existing tools - things like model risk management and third-party vendor oversight - to ask banks hard questions. So where is AI really being used?

Can it access data it shouldn't? If things go south does the bank have a real " kill switch "? And how well do the vendors and their own subcontractors stand up to security standards?

The big issue here is velocity. AI is moving so fast that any new regulation could be obsolete before it is finalized, so regulators are sticking with broad, principles-based supervision for now rather than locking things into rigid rules.

There’s also increasing concern about how the big new AI models interact with the older, legacy tech that continues to power a lot of the banking industry, creating new cybersecurity risks no one saw coming.

Meanwhile, the OCC, Fed, and FDIC are putting together a formal request for information on how banks are using generative and agentic AI. It’s an early step, but one that could eventually lead to more concrete rules down the road.

Key Focus Areas of AI Banking Regulation

There's a quiet conversation happening inside America's biggest banks right now, and most customers have no idea it's going on. Every time examiners from the Federal Reserve or the Office of the Comptroller of the Currency walk into a bank for a routine check-up, AI has become part of the discussion. Not as a side note. Not as something tucked into an appendix. It's now a standing item on the agenda every single time.

That's a big shift, and it tells you something important about where things are headed.

How We Got Here

A few years ago, if a bank mentioned artificial intelligence, people pictured a chatbot answering basic questions on a banking app, maybe something that could tell you your account balance or help you reset a password. Harmless stuff. Low stakes.

That's not where things stand anymore.

Banks have moved AI into the engine room. It's now helping decide who gets approved for a loan and who doesn't. It's scanning transactions for signs of money laundering. It's flagging customers for sanctions screening. It's even being used to help banks keep tabs on their own regulatory compliance, which is a strange kind of irony when you think about it: using AI to watch the rules while also being watched for how that AI itself behaves.

This rapid expansion happened fast, faster than most outside observers realized. And it happened largely behind the scenes, inside systems that customers never see and rarely think about. But regulators noticed. And once regulators notice something moving quickly through the financial system, they start asking questions.

What Regulators Are Actually Asking

Picture an examiner sitting across the table from a bank's risk management team. A few years ago, that conversation might have focused on loan portfolios, capital reserves, or cybersecurity basics. Now, increasingly, part of that conversation sounds like this:

Walk us through where you're using AI. Show us the map. Where does it touch lending decisions? Where does it touch customer verification? Where does it touch sanctions screening?

That's not a hypothetical. According to people familiar with these examinations, this kind of mapping exercise has become a standard part of how the OCC and the Fed review banks, particularly in the areas considered higher-risk: lending, know-your-customer checks, and sanctions compliance.

But the questions don't stop at "where." They go deeper into "how" and "what if."

How does the bank control what data its AI tools can see and touch? What happens if something goes wrong? Does the bank actually have a way to shut the system down quickly? Who has the authority to make that call, and how fast can they act?

These aren't abstract policy questions. They're operational questions, the kind that get answered by pointing to actual documentation, actual processes, actual people with actual job titles and actual authority.

The Data Question Nobody Talks About Enough

Here's something that doesn't get discussed much outside of compliance circles, but it sits at the heart of why regulators are so focused on AI right now.

AI systems are designed to find connections. That's literally what makes them useful. Feed them enough information, and they'll start linking pieces together in ways a human might never think to do, spotting patterns across datasets, drawing inferences, and filling in gaps.

In most contexts, that's the whole point, and it's a good thing.

But inside a bank, that same capability becomes a potential problem. Banks are bound by strict rules about who can access what information and why. A loan officer in one department generally shouldn't have visibility into a customer's information held by a completely different part of the bank, unless there's a legitimate reason.

Now imagine an AI tool that's been trained or connected in a way that lets it quietly pull information across those boundaries, not because anyone intended it to, but because that's simply how these systems are built to operate. Suddenly you've got a privacy and confidentiality problem that nobody explicitly created, but that exists anyway.

This is exactly the kind of thing regulators are now probing. Can the tool access information it shouldn't? Can it infer things about a customer that it was never authorized to know? And if so, who's responsible for catching that before it becomes a real compliance failure?

The Vendor Problem

Here's another piece of this puzzle that's easy to overlook: most banks don't build their own AI systems from scratch. They buy them, license them, or plug into platforms built by outside technology companies.

That makes sense. Building cutting-edge AI in-house is expensive and difficult, and most banks would rather focus on banking. But it also means that a huge amount of risk now sits with companies the bank doesn't fully control.

And it doesn't stop there. Those vendors often rely on their own subcontractors. So now you've got a chain: the bank, its AI vendor, and that vendor's subcontractors, each one a potential weak link.

Regulators are asking banks some pointed questions about this chain. Do you actually know what your vendors are doing? Are they held to the same standards you'd hold yourself to? What about the subcontractors two or three steps removed? Do you even have visibility into them?

And then there's the question that might matter most of all: if something goes badly wrong with a vendor's AI system, a security breach, a malfunction, or anything that puts customer data or bank operations at risk, does the bank have a real exit plan? Can it pull the plug on that vendor relationship quickly, or is it stuck, dependent on a system it no longer trusts but can't easily replace?

These aren't theoretical concerns anymore. As AI tools become more deeply woven into how banks operate day to day, the cost of being stuck with a problematic vendor goes up significantly.

A New Kind of Cybersecurity Headache

There's also a newer wrinkle in all of this, one tied to just how fast frontier AI models are advancing.

Cybersecurity experts have started raising concerns about how powerful new AI systems, including advanced models like Anthropic's Mythos, interact with the kind of legacy technology that still runs much of the banking industry. A lot of banking infrastructure wasn't built with today's AI capabilities in mind. Some of it is decades old, patched together over time, held up by systems that were never designed to face the kind of sophisticated, AI-assisted threats that are now possible.

When you put a cutting-edge AI model anywhere near that kind of aging infrastructure, you create new openings, new vulnerabilities that didn't exist before, simply because the old systems were never built to defend against this level of capability.

The U.S. Treasury and other regulators are looking closely at this exact issue: how prepared is the financial industry, really, for the cybersecurity implications of increasingly powerful AI models? It's one thing to ask whether a bank's own AI tools are safe. It's another to ask whether the broader threat landscape has shifted in ways the industry hasn't caught up to yet.

Why Regulators Aren't Writing New Rules (Yet)

You might expect that with all this scrutiny, new AI-specific regulations would be right around the corner. Strict rules. New checkboxes. New forms to fill out.

That's not what's happening, at least not yet.

Instead, regulators are leaning on the tools they already have. Model risk management frameworks that have existed for years, originally designed for things like statistical models used in lending decisions, are now being stretched to cover AI systems too. Third-party risk oversight rules, the kind that govern how banks manage outside vendors generally, are being applied to AI vendors specifically. Consumer protection laws that predate AI by decades are being read with AI applications in mind.

There's a reason for this approach, and it comes down to something almost every industry watcher agrees on: AI is moving too fast for traditional rulemaking to keep up.

Writing new regulations takes time. It involves proposals, public comment periods, revisions, more comment periods, and finally a final rule. By the time that process wraps up, often a year or more after it starts, the technology it was written to address may have already changed dramatically. A rule built around today's AI capabilities could be outdated before it even takes effect.

So for now, the approach is what regulators call "principles-based supervision." Instead of saying "you must do X, Y, and Z," the message is closer to "show us that you understand your risks and that you have reasonable controls in place to manage them." It's flexible by design, which makes sense given how quickly things are changing, but it also means banks have to use real judgment rather than just following a checklist.

Federal Reserve Vice Chair for Supervision Michelle Bowman captured this tension well in a speech back in May, acknowledging that banks are currently relying on their existing risk management frameworks to guide AI use, while also raising an open question about whether those frameworks are actually built for what's coming.

That's a notable thing for a top regulator to say publicly. It's an acknowledgment that the current approach might work for now, but nobody's entirely sure it'll hold up for what's next.

The Bigger Picture: A Formal Process is Coming

This isn't just informal chatter happening behind closed doors forever. There's an actual process taking shape.

Earlier this year, the OCC indicated that it, along with the Federal Reserve and the FDIC, planned to issue a formal request for information regarding how banks use AI, including generative AI and the newer category of "agentic" AI systems, tools that don't just respond to prompts but can take actions and make decisions somewhat independently.

A request for information isn't a new rule. It doesn't create new requirements overnight. But it's a meaningful step. It's how regulators gather input from the industry before deciding what, if anything, needs to change. Think of it as regulators doing their homework, talking to the people actually using these tools day to day, before drafting anything formal.

This kind of process also gives banks a chance to shape the conversation, to explain what's actually happening on the ground, what challenges they're facing, and what kind of guidance would actually be useful versus what might just create paperwork without making anything safer.

What This Means If You're Not a Bank Executive

If you're reading this and thinking "I don't work in banking compliance, why does this matter to me," here's the honest answer: this affects pretty much everyone who has a bank account, takes out a loan, or interacts with the financial system in any way.

When a bank uses AI to decide whether you qualify for a mortgage, that AI's behavior matters to you directly. When a bank's AI-powered fraud detection system flags your account by mistake, the controls behind that system matter to you. When a data breach happens because a vendor's AI tool had access to more information than it should have, your personal information could be part of what's exposed.

The regulatory conversation happening right now, quiet as it is, is really about making sure the systems that increasingly make decisions about your financial life are built with appropriate guardrails, overseen by people who can actually intervene when something goes wrong, and connected to vendors who meet real standards rather than just convenient ones.

What Happens Next

Nobody knows exactly how this plays out, and that's part of what makes this moment interesting. The technology keeps advancing. New AI capabilities keep emerging, often faster than anyone expected even a year earlier. Regulators are trying to build understanding now, through examinations, conversations, and information-gathering, so that whenever they do decide to act more formally, they're acting with a real grasp of how these systems actually work in practice, not just how they're described in a press release.

For banks, the message right now is pretty clear, even if it's not written down as a formal rule: get your house in order. Know where AI is being used across your organization. Understand what data it touches and why. Make sure you can actually shut things down if you need to. Know your vendors, and know your vendors' vendors. Because even though the formal rules haven't arrived yet, the questions are already being asked, and "we'll figure that out later" isn't really an acceptable answer when an examiner is sitting across the table asking you to walk them through it right now.

The age of AI in banking has arrived faster than the rulebook could keep pace with it. For the moment, that gap is being filled with careful observation, pointed questions, and a lot of existing tools being asked to do new jobs. Whether that's enough, or whether something more formal eventually has to take its place, is a question regulators themselves seem to be asking out loud. And that, in itself, says a lot about where this is headed.

·         ISO 42001 AI governance certification, support to build a solid AI management framework

·         SOC 2 audits and gap assessments to get exam-ready ahead of regulatory checks

·         Virtual CISO services for guidance without needing a full in-house security leader

·         Risk and vulnerability management to spot weak points early

·         Penetration testing and red teaming to stress-test AI and legacy systems

·         Incident response support, including kill switch and contingency readiness

·         Cyber threat intelligence to stay ahead of emerging AI-driven risks

·         M&A vendor security due diligence for safer third-party partnerships

With over a decade of cybersecurity experience and a presence across multiple countries, Hoplon Infosec offers a fairly comprehensive toolkit for banks looking to get ahead of this regulatory shift.

Radia writes about banking regulation, cybersecurity, and AI policy, helping readers make sense of how emerging tech is reshaping financial oversight.