Blog

AI Governance for Financial Services: OCC, NYDFS, CFPB, and Fed Expectations

Understand what OCC, NYDFS, CFPB, and the Federal Reserve actually require from bank AI programs — and how to map your governance controls across all four regulators before your next exam.

14 min read

Financial institutions deploying AI are not answering to one regulator. They are answering to several simultaneously — each with its own examination priorities, documentation expectations, and enforcement appetite. OCC AI governance guidance, Federal Reserve supervisory expectations, NYDFS circular requirements, and CFPB fair-lending scrutiny do not form a single coherent framework. They overlap, conflict at the margins, and leave compliance teams responsible for reconciling the gaps. This post maps what each regulator actually expects, what examiners look for on the ground, and how to build a governance program that satisfies all four without duplicating every control.


The Multi-Regulator Reality: Who Is Watching AI in Banking Right Now

The AI governance regulatory environment in 2024 is not a single rulebook. It is a stack of guidance documents, supervisory letters, circular letters, and enforcement signals from agencies that were designed for different purposes and that coordinate imperfectly. At the federal prudential level, the OCC and the Federal Reserve supervise AI risk as an extension of existing safety-and-soundness frameworks — primarily model risk management under SR 11-7 / OCC 2011-12. The CFPB approaches AI through a consumer protection lens, treating algorithmic decision-making as a fair-lending and UDAAP issue. At the state level, NYDFS has moved faster than most federal agencies, issuing a circular letter in 2024 that imposes specific AI governance requirements on New York-licensed insurers and, by extension, signals expectations for banks operating under its charter. For AI compliance in financial services, the practical consequence is that a large regional bank might simultaneously face OCC model risk guidance, Fed supervisory expectations from SR 11-7, CFPB adverse action and UDAAP scrutiny, and NYDFS circular letter requirements — each using different terminology, emphasizing different controls, and enforced by examiners with different training. A governance program designed to satisfy one regulator is unlikely to satisfy all four without deliberate cross-mapping.


OCC and Federal Reserve AI Risk Management Expectations

The OCC and the Federal Reserve have not issued AI-specific regulations. What they have done is extend existing model risk management frameworks — SR 11-7 (Federal Reserve) and its OCC counterpart, OCC Bulletin 2011-12 — to cover machine learning and AI systems explicitly.

What SR 11-7 and OCC 2011-12 require in practice:

Both frameworks require that models be subject to independent validation before deployment, that validation be proportionate to model complexity and materiality, and that ongoing monitoring detect performance degradation over time. For AI systems, this creates several specific challenges that traditional model risk programs were not designed to handle:

  • Explainability requirements. SR 11-7 requires that model developers be able to explain how a model produces outputs. For complex ML models — gradient boosting, neural networks, large language models — this is technically non-trivial. Examiners have cited institutions for deploying models where the validation team could not produce a coherent conceptual soundness narrative.
  • Data lineage and training documentation. OCC AI governance guidance, as expressed through examination findings, expects banks to document training data sources, preprocessing decisions, and known data quality limitations. Institutions that cannot produce this documentation at examination face findings in the model inventory and validation categories.
  • Third-party model risk. Both the OCC and the Fed have been explicit that purchasing a model from a vendor does not transfer model risk responsibility. Banks are expected to validate third-party AI models with the same rigor applied to internally developed ones — a requirement that many institutions have not operationalized for fintech vendor relationships.

Federal Reserve AI risk management expectations have been reinforced through the Fed’s participation in the 2021 interagency RFI on financial institutions’ use of AI/ML, issued jointly with the OCC, FDIC, NCUA, and CFPB. The interagency engagement reinforced that existing model risk management principles apply to AI and ML models and that institutions should not treat AI as categorically different from other quantitative tools for governance purposes.

  • What examiners actually cite: AI governance exam findings at banks supervised by the OCC and Fed most commonly involve gaps in model inventory completeness (AI tools not captured as models), inadequate independent validation for high-complexity models, and monitoring programs that track accuracy but not fairness or distributional shift.

NYDFS and CFPB: State-Level and Consumer-Facing AI Requirements

While the OCC and Fed focus on safety-and-soundness, NYDFS and the CFPB approach AI from different angles — and their requirements are, in some respects, more operationally demanding.

NYDFS AI Governance Requirements

In 2024, NYDFS issued Insurance Circular Letter No. 7 (2024), directed at insurers but widely read as a signal of expectations for all NYDFS-regulated entities. The circular letter requires that regulated entities using external consumer data and information sources (ECDIS) or AI in underwriting or pricing decisions establish governance frameworks that include board-level accountability, bias testing, and documentation of how AI systems comply with anti-discrimination law. NYDFS AI governance requirements are notable for several reasons. First, they require pre-deployment bias testing — not just post-deployment monitoring. Second, they require that governance documentation be available for regulatory review, which means it must exist in a form that survives examination, not just internal review. Third, NYDFS has demonstrated willingness to act: its enforcement history on cybersecurity signals that it will use its examination authority on AI governance once its examiners are trained and its guidance matures. For banks with NYDFS charters or significant New York operations, NYDFS requirements layer on top of federal prudential expectations — creating a documentation burden that requires deliberate coordination.

CFPB AI Compliance Expectations

The CFPB’s approach to AI compliance is grounded in existing statutory authority: the Equal Credit Opportunity Act (ECOA), the Fair Housing Act, and the prohibition on unfair, deceptive, or abusive acts or practices (UDAAP) under Dodd-Frank. CFPB AI compliance expectations center on two issues. First, adverse action notice requirements: when an AI model denies credit or takes adverse action, the institution must provide specific reasons. The CFPB has been explicit that "the model said no" is not a compliant adverse action notice. Institutions using complex ML models for credit decisions must be able to generate specific, accurate, and model-consistent adverse action reasons — a technical requirement that many model vendors do not solve out of the box. Second, the CFPB has signaled through supervisory guidance and public statements that disparate impact analysis applies to AI-driven credit decisions regardless of whether the model uses protected class variables directly. Institutions that cannot demonstrate fair-lending testing of their AI models — including analysis of proxy variables — face examination risk. Bank AI governance enforcement actions to date have been relatively limited in the AI-specific category, but the CFPB’s Circular 2022-03 on adverse action notifications for complex algorithms, combined with its examination procedures for fair lending, creates a clear enforcement pathway. The SEC AI risk disclosure requirements, while directed at investment advisers and public companies rather than banks, reinforce the broader regulatory direction: regulators across the financial system expect AI risks to be identified, documented, and disclosed.


What Bank Examiners Actually Look For: A Bank Examiner AI Governance Checklist

Regulatory guidance describes what is required in principle. Examination findings describe what actually gets cited. The gap between the two is where most institutions are exposed. The following bank examiner AI governance checklist reflects what examiners across OCC, Fed, NYDFS, and CFPB examinations have actually cited — or are increasingly likely to cite.

Model Inventory and Classification

  • All AI and ML systems are captured in the model inventory, including vendor-provided tools and models embedded in third-party platforms
  • Each model is classified by risk tier (materiality and complexity), with documented rationale for the classification
  • Models used in consumer-facing decisions (credit, pricing, servicing) are flagged for CFPB and NYDFS-specific review requirements

Validation and Independent Review

  • Independent validation has been completed for all production models, proportionate to risk tier
  • Validation documentation includes conceptual soundness review, outcome analysis, and limitations disclosure
  • Third-party and vendor models have been validated internally or through a qualified third party — not accepted on vendor documentation alone

Bias and Fair-Lending Testing

  • Pre-deployment disparate impact testing has been conducted for all models used in credit, pricing, or underwriting decisions
  • Adverse action reason generation has been tested for accuracy and ECOA compliance
  • Ongoing monitoring includes fairness metrics, not only accuracy or performance metrics

Documentation and Audit Trail

  • Model development documentation (data sources, preprocessing, training decisions) is complete and retrievable
  • Change management records exist for model updates, retraining, and version changes
  • Governance decisions (approvals, exceptions, escalations) are documented with timestamps and accountable individuals

For a deeper treatment of what auditors and examiners expect from AI documentation specifically, see AI Audit Trail Requirements: What Regulators Actually Expect.

Accountability Structures

  • A named individual or committee holds accountability for AI governance at the second-line level
  • Board or senior management reporting on AI risk exists and is documented
  • Escalation paths for model risk exceptions are defined and have been used

For guidance on structuring these accountability layers, see Enterprise AI Governance: Roles, Committees, and Accountability Structures.


Mapping Your AI Governance Program Across All Four Regulators

Most institutions did not build their AI governance program with four regulators in mind simultaneously. They built it around SR 11-7, or around a CFPB fair-lending review, or in response to a specific NYDFS inquiry. The result is a program with uneven coverage — strong in model validation, weak in adverse action documentation, or vice versa. The table below provides a side-by-side gap-analysis framework. For each governance domain, it identifies which regulator has the strongest expectation and where the common gaps appear.

Governance DomainOCC / Fed (SR 11-7)CFPBNYDFS
Model inventoryRequired; all modelsConsumer-decision models priorityAll AI in consumer applications
Independent validationRequired; risk-tieredImplied through fair-lending examRequired; pre-deployment for ECDIS
Bias / fairness testingNot explicitly requiredRequired; disparate impactRequired; pre-deployment
Adverse action documentationNot primary focusRequired; specific reasonsRequired for underwriting AI
Board accountabilityRequired (model risk governance)Not explicitRequired; named accountability
Third-party model riskRequired; same standard as internalApplies to vendor modelsApplies to ECDIS vendors
Ongoing monitoringRequired; performance + driftRequired; fairness metricsRequired; periodic review

Start with your model inventory. Every model that appears in a consumer-facing decision is subject to CFPB and NYDFS scrutiny in addition to OCC/Fed model risk requirements. For each such model, confirm that: (1) independent validation exists and is documented, (2) pre-deployment bias testing was conducted and the results are on file, (3) adverse action reason generation has been tested for ECOA compliance, and (4) a named individual owns the model’s ongoing governance. For models that are not consumer-facing — internal risk models, fraud detection, operational tools — the primary framework is OCC/Fed model risk management. The documentation requirements are the same; the fairness testing requirements are lower. The most common gap in multi-regulator AI compliance banking is not that institutions lack controls. It is that controls exist in silos: the model risk team owns validation, the fair-lending team owns disparate impact testing, and neither team has a shared documentation layer that satisfies both sets of examiners. Building that shared layer — a single governance record per model that captures validation, fairness testing, adverse action logic, and accountability — is the practical work of cross-regulator AI governance. For a structured approach to building that program from the ground up, the AI Audit Readiness: The Complete Checklist for Regulated Organizations provides a cross-framework checklist that maps to OCC, Fed, CFPB, and NYDFS requirements simultaneously. If your institution is evaluating which governance framework to anchor your program to — ISO 42001, NIST AI RMF, or another standard — AI Governance Frameworks Compared: ISO 42001, NIST AI RMF, and EU AI Act covers the tradeoffs in detail. For compliance officers preparing to brief senior leadership or the board on AI governance program status, How to Present AI Governance to Your Board: A CCO/CISO Guide provides a practical structure for that conversation.


The regulatory picture for AI governance in 2024 keeps adding complexity, not subtracting it. The OCC and Fed are extending SR 11-7 to cover more AI use cases. The CFPB is using existing UDAAP and ECOA authority more aggressively. NYDFS is building examination capacity. Banks that treat each agency’s expectations as a separate compliance project will keep patching gaps after exams find them. Those that build a unified documentation layer — one governance record per model that travels across all four regulatory frameworks — spend less time in remediation and more time on the work that actually reduces risk.

  • Map your AI governance program against examiner expectations before your next exam does it for you. Start with the AI Governance Audit Readiness framework.
Brine

Build, hire, and govern every AI system in your environment.

Describe a workflow in plain English and Brine builds it, runs it on your data, and governs every step — costing and attributing each action to its agent and model, with a pre-dispatch cap that holds a step before it overspends and a signed audit trail as standard.

Scope a pilot More resources