Blog

Multi-Regulator AI Compliance for Banks: OCC, CFPB, Federal Reserve, and SEC Requirements

OCC AI governance guidance, CFPB expectations, Federal Reserve SR letters, and SEC disclosure requirements — how banks build one AI compliance program for all four regulators.

12 min read

Banks deploying AI don’t answer to one regulator. They answer to four — sometimes five — simultaneously, and each agency approaches OCC AI governance guidance, consumer protection, and disclosure obligations from a different angle. For a Chief Compliance Officer or Chief Risk Officer at a regional bank, that means a single credit-decisioning model can draw scrutiny from the OCC on model risk grounds, from the CFPB on fair lending grounds, from the Federal Reserve on safety-and-soundness grounds, and from the SEC if the institution has a registered investment adviser or broker-dealer arm. This post maps what each regulator actually expects, where their requirements overlap, and how to build one defensible program instead of four parallel ones.

RelatedAI Governance for Regional Banks and Credit Unions


The Multi-Regulator Reality: Why Banks Face Simultaneous AI Oversight

The AI governance regulatory landscape has shifted from voluntary principles to active examination. Agencies are no longer waiting for Congress to pass comprehensive AI legislation — they are asserting jurisdiction through existing statutory authority and supervisory guidance.

The practical result for multi-regulator AI compliance in banking is a coordination problem. The OCC supervises national banks and federal savings associations for safety and soundness. The Federal Reserve supervises bank holding companies and state member banks. The CFPB holds supervisory and enforcement authority over consumer financial products regardless of charter type. The SEC regulates registered investment advisers and broker-dealers, including those housed inside bank holding company structures. A mid-sized regional bank with a wealth management subsidiary can be simultaneously subject to all four.

Each agency has issued guidance, exam priorities, or enforcement signals that touch AI. None of them have issued a single unified rule. That regulatory gap creates the primary compliance risk for multi-charter institutions.


OCC and Federal Reserve AI Governance Expectations: Safety, Soundness, and Model Risk

OCC AI governance guidance is anchored in the interagency model risk management framework established by SR 11-7 / OCC Bulletin 2011-12, which the agencies have explicitly extended to cover machine learning and AI models. The OCC’s guidance on model risk management and its subsequent examination procedures make clear that AI models are models — and that the validation, documentation, and governance requirements that apply to traditional statistical models apply with equal or greater force to complex AI systems.

Federal Reserve AI risk management expectations follow the same SR 11-7 foundation, supplemented by the Fed’s supervisory guidance on model risk management for large financial institutions and the 2021 interagency RFI on financial institutions’ use of AI/ML issued jointly by the OCC, Federal Reserve, FDIC, NCUA, and CFPB. That joint RFI is, in our reading, the clearest cross-agency signal that AI governance is a shared supervisory priority, not a single-agency concern.

What do AI governance exam findings at banks actually look like? Examiners have cited:

  • Inadequate model inventory. Banks that cannot produce a complete inventory of AI models in production — including vendor-supplied models — are flagged immediately. The OCC expects institutions to know what models they are running, who owns them, and what decisions they influence.
  • Weak validation for third-party models. Purchasing a model from a vendor does not transfer model risk. Examiners expect banks to validate vendor models with the same rigor applied to internally developed ones, including independent challenge of model assumptions.
  • Missing ongoing monitoring. AI models can drift. Examiners look for evidence that performance monitoring is continuous, not point-in-time, and that thresholds for model recalibration or retirement are defined in advance.
  • Insufficient AI governance documentation. Boards and senior management are expected to receive regular reporting on model risk. Examiners review board minutes and management committee records to confirm that AI risk is surfaced at the right level.

Bank AI governance enforcement actions have been relatively rare in the AI-specific context, but the OCC’s broader model risk enforcement history — including matters requiring attention (MRAs) and matters requiring immediate attention (MRIAs) — demonstrates that documentation gaps and validation failures are treated as supervisory deficiencies, not minor findings.


CFPB AI Compliance Expectations: Fair Lending, UDAAP, and Explainability

CFPB AI compliance expectations operate on a different axis than the OCC’s safety-and-soundness framework. The Bureau’s authority runs through the Equal Credit Opportunity Act (ECOA), the Fair Housing Act, and the Dodd-Frank prohibition on unfair, deceptive, or abusive acts or practices (UDAAP). All three apply to AI-driven decisions in ways that create concrete AI compliance requirements for banks.

The CFPB’s circular on adverse action notices made the explainability obligation explicit: when a creditor uses a complex algorithm to make a credit decision, it must still provide the specific reasons for adverse action. “The algorithm said no” is not a compliant explanation. This requirement forces banks to maintain AI systems that can produce human-readable, legally defensible explanations for individual decisions — not just aggregate model performance statistics.

On UDAAP, the CFPB has signaled that AI systems producing discriminatory outcomes — even without discriminatory intent — can constitute unfair or abusive practices. Consumer harm is the operative standard, not intent. For AI regulatory compliance purposes, this means banks must monitor their AI systems for disparate impact on protected classes, even when the model does not use protected characteristics as inputs.

Practical AI compliance requirements banks should address for CFPB purposes:

  1. Adverse action reason codes that are model-specific and auditable, not generic.
  2. Disparate impact testing conducted at regular intervals and documented in model risk files.
  3. UDAAP risk assessments for AI use cases that touch consumer-facing decisions, including pricing, servicing, and collections.
  4. Vendor oversight — outsourcing a consumer-facing function to a fintech partner does not transfer the bank’s UDAAP liability.

SEC AI Risk Disclosure Requirements: What Registered Entities Must Document

For bank holding companies with registered investment adviser (RIA) or broker-dealer subsidiaries, SEC AI risk disclosure requirements add a fourth compliance layer. The SEC’s examination priorities and recent enforcement activity make clear that the agency is focused on two areas: whether firms are disclosing AI-related risks accurately to clients and investors, and whether AI-driven investment processes are consistent with fiduciary obligations.

The SEC’s proposed rules on conflicts of interest in predictive data analytics — which would require broker-dealers and investment advisers to evaluate and neutralize conflicts created by AI and algorithmic tools — signal the direction of travel even before final rules take effect. In the interim, the SEC’s Division of Examinations has included AI and machine learning in its annual examination priorities, with a focus on:

  • Disclosure accuracy. Do Form ADV disclosures and client agreements accurately describe how AI is used in investment decision-making, portfolio construction, or client communication?
  • Supervision of AI tools. Are AI-driven recommendations subject to the same supervisory review as human-generated recommendations?
  • AI governance documentation requirements. Can the firm produce records demonstrating that AI tools were evaluated for conflicts, tested for accuracy, and monitored for performance?

Bank AI governance enforcement actions in the SEC context have included cases where firms made materially misleading statements about their use of AI — describing processes as “AI-driven” when they were largely manual, or vice versa. The SEC treats AI-washing as a disclosure violation, not merely a marketing problem — the agency’s March 2024 settled actions against Delphia (USA) Inc. and Global Predictions Inc. are the canonical examples.

RelatedSEC AI Examination Priorities 2026: What Investment Advisers and Broker-Dealers Must Know


Building a Single AI Governance Program That Satisfies All Four Regulators

Managing four separate compliance programs for four regulators produces documentation inconsistencies, resource duplication, and gaps that examiners exploit. Multi-regulator AI compliance in banking is most defensible when organized around a single governance architecture that maps to each agency’s requirements.

A unified program should be structured around five components:

1. A Comprehensive AI Model Inventory

Every AI system in production — including vendor-supplied tools, embedded models in core banking platforms, and models used by subsidiaries — belongs in a centralized inventory. The inventory should capture: model purpose, data inputs, decision outputs, business owner, validation status, and the regulatory frameworks that apply. This single artifact satisfies the OCC’s model inventory expectations, the CFPB’s need to identify consumer-facing AI, and the SEC’s requirement to document AI tools used in investment processes.

2. Tiered Risk Classification

Not every AI model carries the same regulatory risk. A model that determines mortgage eligibility carries ECOA, UDAAP, and OCC model risk exposure simultaneously. A model that optimizes branch staffing schedules carries almost none. A tiered risk classification framework — aligned with SR 11-7 principles — allows governance resources to concentrate where regulatory exposure is highest.

3. Validation and Ongoing Monitoring

Independent model validation, conducted by staff or functions separate from model developers, is a non-negotiable expectation across all four regulators. For AI models, validation should include: conceptual soundness review, data quality assessment, performance testing on out-of-sample data, and disparate impact analysis. Ongoing monitoring should be continuous, with defined thresholds that trigger recalibration or escalation.

4. Explainability and Adverse Action Infrastructure

CFPB explainability requirements and SEC disclosure obligations both demand that institutions can explain what their AI systems are doing at the individual decision level. Building explainability infrastructure — whether through interpretable models, post-hoc explanation methods, or human-in-the-loop review — also supports the OCC’s expectation that management understands the models it relies on.

5. Board and Senior Management Reporting

AI governance documentation requirements across all four regulators converge on one point: boards and senior management must be informed. Governance programs that live entirely in the first line of defense, without regular reporting to risk committees and boards, will fail examination. Establish a reporting cadence that surfaces model inventory status, validation findings, monitoring alerts, and regulatory developments to the appropriate governance bodies.

RelatedNYDFS AI Cybersecurity Guidance: Compliance Requirements and Implementation Roadmap

For practitioner perspectives on multi-regulator AI compliance from the financial services advisory side, see the Neutral Partners blog.

Brine

Build, hire, and govern every AI system in your environment.

Describe a workflow in plain English and Brine builds it, runs it on your data, and governs every step — costing and attributing each action to its agent and model, with a pre-dispatch cap that holds a step before it overspends and a signed audit trail as standard.

Scope a pilot More resources