Finance AI Assurance Snapshot (2025)

Artificial intelligence has moved far beyond pilots in finance. It now supports fraud detection, credit decisions, portfolio research, and compliance. Regulators are intensifying oversight, not to slow adoption, but to ensure models meet existing legal and risk standards. (U.S. Department of the Treasury)

The regulatory lens

In the United States, the SEC’s Division of Examinations listed artificial intelligence in its 2025 exam priorities for advisers and broker-dealers, signaling scrutiny of both model governance and how firms market AI capabilities. (SEC)

In Europe, the EU AI Act entered into force in August 2024. Creditworthiness assessment and similar finance use cases fall into the Act’s “high-risk” bucket, which triggers obligations for documentation, human oversight, testing, and governance. Core compliance dates begin phasing in before full obligations in 2026 and beyond. (EIOPA, McCann Fitzgerald, Artificial Intelligence Act)

Global bodies are also sharpening their views. The Financial Stability Board warned that widespread AI adoption introduces monitoring gaps and potential systemic vulnerabilities, while IOSCO highlighted investor-protection and market-integrity risks as AI penetrates capital markets. (Financial Stability Board, Iosco)

Treasury’s 2024 Request for Information, and its follow-on report, confirmed that AI is already embedded across fraud, AML, underwriting, and compliance, and called for continued inter-agency coordination. (Federal Register, U.S. Department of the Treasury)

Core risk areas

Inaccuracy. Inaccurate outputs create legal and consumer-harm exposure, particularly in credit. U.S. lenders must give specific and accurate adverse-action reasons, even when decisions involve complex or AI-driven models. The GAO also flagged explainability and accuracy gaps as a supervisory concern in credit contexts. (Consumer Financial Protection Bureau, Government Accountability Office)

Reality check on model quality: even the leading foundation models still report substantial error rates on factuality and hallucination benchmarks. AIMon’s “Un-leaderboard” collates developers’ own system-card metrics, showing error rates that underscore why accuracy testing and guardrails remain essential in regulated workflows. (AIMon Labs)

Deviation from instructions. Adaptive systems can drift or behave outside intended purpose. The EU AI Act requires clear intended-use definition and ongoing monitoring, while U.S. exam priorities emphasize governance that keeps tools operating within policy. (Artificial Intelligence Act, SEC)

Bias. Algorithmic discrimination in lending remains a top concern. The CFPB has clarified that using complex or AI-enabled underwriting does not excuse failure to provide accurate, specific reasons for credit denials. (Consumer Financial Protection Bureau)

Explainability. U.S. law requires adverse-action notices that explain “why,” and the EU AI Act places transparency and documentation at the center of high-risk AI obligations. If a model cannot support an explanation, that is a compliance problem, not just a technical limitation. (Consumer Financial Protection Bureau, Artificial Intelligence Act)

Vendor and third-party risk. Buying AI does not outsource accountability. Treasury’s RFI and report surface dependence on third-party AI providers, while GAO calls out gaps in NCUA’s tools for supervising vendor-delivered AI at credit unions. Regulated firms still need due diligence, controls, and audit trails for vendor models. (Federal Register, U.S. Department of the Treasury, Government Accountability Office)

Safety (systemic risk). Authorities warn that correlated models and similar strategies can amplify volatility and create herding effects. Safety in finance includes market-wide stability, not just user-level harm. (Financial Stability Board, Iosco)

Security. AI expands the attack surface. In 2024 the SEC amended Regulation S-P to require stronger safeguards and customer breach notifications for covered institutions; these requirements apply regardless of whether an incident originates in an AI component. (SEC)

Consumer and investor protection

The SEC’s first “AI-washing” actions against Delphia and Global Predictions show that misrepresenting AI capabilities can violate the Marketing Rule and draw enforcement. Courts and enforcement staff are also treating deceptive AI claims as material to investors, and media coverage shows securities class actions referencing AI doubled in 2024. (SEC, Reuters)

In the UK, the FCA continues a principles-based, outcomes-focused approach, stressing accountability and governance over prescriptive AI rules, which it argues can become outdated quickly. (FCA, Reuters)

Adoption signals and coordination

Treasury’s RFI process and its December 2024 report document widespread AI use across U.S. financial services, plus the need for coordination among regulators as adoption accelerates. (Federal Register, U.S. Department of the Treasury)

Early enforcement lessons

Enforcement and examinations are already incorporating AI. The SEC has acted where firms overstated AI in marketing and disclosures. Coverage from mainstream outlets and legal trackers shows escalating scrutiny of “AI washing,” together with a rise in class-action filings that cite misleading AI statements. (SEC, Thomson Reuters, Reuters)

Looking ahead

Key EU AI Act obligations for high-risk systems phase in before full effect in 2026 and later, while U.S. regulators continue to use existing tools in securities, consumer, and safety rules to oversee AI. Firms should expect more guidance and more targeted exams, plus attention to next-wave risks like gen-AI in trading, synthetic-data pipelines, and prompt-injection or data-poisoning attacks. (Artificial Intelligence Act, Financial Stability Board)

Bottom line: treat AI as a core control. Build proof of accuracy, fairness, explainability, security, and governance into every model lifecycle, including vendor systems, and be ready to show it to examiners. (SEC, Consumer Financial Protection Bureau).

---