Blog

NYDFS AI Guidance vs SEC AI Guidance: A Multi-Regulator Compliance Guide

CCOs, CISOs, and CROs at NY-regulated banks and registered investment advisers face overlapping AI mandates from NYDFS, SEC, OCC, CFPB, and the Fed. Here is how the requirements compare — and how to build one program that satisfies all of them.

13 min read

If you are a CCO, CISO, or CRO at a New York-regulated bank that also holds a registered investment adviser license, you are not answering to one AI regulator. You are answering to several — simultaneously, with partially overlapping and occasionally conflicting expectations. The comparison between NYDFS AI guidance vs SEC AI guidance is no longer an academic exercise. It surfaces in examination prep, board reporting, and vendor contract negotiations every quarter. This guide breaks down what each major regulator actually requires, where the frameworks align, where they create friction, and how to design a single AI governance program that holds up across all of them.


Why Financial Firms Now Answer to Multiple AI Regulators Simultaneously

The multi-regulator AI compliance banking environment did not arrive with a single announcement. It developed through a series of guidance documents, examination priorities letters, and supervisory expectations that each agency issued on its own timeline, using its own vocabulary, and aimed at its own supervised population. NYDFS issued its AI cybersecurity guidance targeting state-chartered banks, insurance companies, and licensed financial services firms operating in New York. The SEC published its 2024 marketing rule enforcement actions and its 2025 examination priorities, both of which named artificial intelligence as a focus area for registered investment advisers and broker-dealers. The OCC, CFPB, and Federal Reserve have each issued their own model risk, fair lending, and third-party risk guidance that applies to AI systems whether or not those documents use the word "artificial intelligence" explicitly. The result: a firm that is both NYDFS-regulated and SEC-registered — a common profile for regional banks with wealth management arms — must satisfy frameworks written by different agencies, for different primary audiences, under different statutory authorities. No agency coordinates its examination calendar with the others, no joint framework exists, and no examiner will accept "we were focused on the other regulator" as a satisfactory explanation for a gap. The SEC artificial intelligence compliance requirements are framed primarily around investor protection, disclosure accuracy, and conflicts of interest. NYDFS frames its expectations primarily around cybersecurity risk, third-party vendor oversight, and the integrity of systems that process nonpublic information. These are different lenses on the same underlying technology — and a firm that optimizes only for one lens will have visible blind spots when the other examiner arrives.


NYDFS, SEC, OCC, CFPB, and Federal Reserve: What Each Regulator Actually Requires

Understanding the full landscape requires looking at each agency’s expectations on their own terms before comparing them.

  • NYDFS expects covered entities to treat AI systems as a category of technology risk subject to the same governance rigor as any other critical system. The October 2024 NYDFS industry letter on cybersecurity risks from AI — covered in detail in NYDFS AI Cybersecurity Guidance: What Banks and Financial Institutions Must Know — requires boards and senior management to understand AI-related risks, mandates written policies for AI use and third-party AI vendor oversight, and places explicit expectations on the CISO to assess AI tools for cybersecurity exposure. The guidance is not a checklist — it is a principles-based framework that examiners will interpret through the lens of your existing cybersecurity program maturity.
  • SEC expectations flow through three enforcement channels. The SEC AI governance framework for investment advisers is built on the Investment Advisers Act’s fiduciary standard, the 2023 proposed predictive data analytics rule, and annual examination priorities letters that have named AI use in investment recommendations, marketing materials, and compliance programs as active review areas. For CCOs, the practical implication is that any AI system touching client communications, portfolio construction, or performance reporting is subject to scrutiny for accuracy, disclosure, and conflict-of-interest management.
  • OCC AI governance guidance is embedded primarily in the interagency model risk management guidance (SR 11-7 / OCC 2011-12) and the 2021 Request for Information on AI. The OCC expects national banks to apply model risk management discipline — validation, ongoing monitoring, documentation of assumptions and limitations — to AI models with the same rigor applied to traditional statistical models. The agency has also signaled, through its examination handbook updates, that third-party AI vendors do not reduce a bank’s accountability for model performance.
  • CFPB AI compliance expectations center on fair lending and adverse action notice requirements. The CFPB has been explicit that automated underwriting systems and AI-driven credit decisioning tools must produce explanations that satisfy the Equal Credit Opportunity Act and Fair Credit Reporting Act adverse action notice requirements. The agency’s 2022 circular on adverse action makes clear that "the algorithm decided" is not a compliant explanation for a credit denial.
  • Federal Reserve AI risk management expectations are embedded in its supervisory guidance on model risk management, its large financial institution rating system, and its horizontal reviews of technology risk. The Fed has not issued a standalone AI governance framework, but its examiners apply SR 11-7 to AI models and have increasingly asked about board-level AI risk oversight in large bank examinations.

Where the Requirements Overlap — and Where They Conflict

Every regulator on this list expects documented governance, board or senior management accountability, third-party vendor oversight, and ongoing monitoring of AI system performance. The overlap is substantive. A firm that has built a mature model risk management program aligned to SR 11-7 has a defensible foundation with the OCC, the Fed, and — with some translation work — NYDFS. The conflicts are equally significant, and they create practical compliance tension for firms subject to multiple frameworks.

  • Documentation standards differ. NYDFS cybersecurity examinations tend to focus on whether policies exist, whether they are current, and whether evidence of implementation is available. SEC examinations of registered investment advisers focus more on whether disclosures to clients accurately describe how AI is used in the investment process. A document that satisfies one examiner’s request may not satisfy the other’s.
  • Third-party risk scope differs. NYDFS third-party AI vendor oversight requirements focus on cybersecurity controls at the vendor and contractual rights to audit. The OCC’s third-party risk guidance (OCC 2023-17) requires a full lifecycle risk assessment that includes strategic fit, financial condition, and operational resilience — a broader scope than cybersecurity alone. A vendor contract that passes NYDFS review may still have gaps from an OCC perspective.
  • Explainability requirements differ in audience. CFPB adverse action notice requirements demand consumer-facing explanations of AI-driven credit decisions. NYDFS and SEC explainability expectations are directed at internal governance — can your risk team and your examiners understand how the model works? A firm that conflates these standards may over-engineer consumer disclosures while under-documenting internal model logic, or vice versa.
  • Examination timing is not coordinated. An NYDFS examination and an SEC examination can overlap in the same calendar year. Firms that maintain separate compliance programs for each regulator — rather than a unified governance framework with regulator-specific mapping — face duplicative work and inconsistent answers across examinations.

Exam Findings and Enforcement Signals Across Regulators

Enforcement actions and examination findings are the clearest signal of what regulators actually prioritize when they arrive on-site.

  • SEC enforcement has focused on AI-related misrepresentation in marketing materials. The agency’s March 2024 settled actions against Delphia (USA) Inc. and Global Predictions Inc. for misleading AI claims in client-facing materials — sometimes called “AI washing” — establish that the SEC will treat inflated AI capability claims as violations of the Advisers Act’s antifraud provisions. For CCOs, this means marketing review workflows need to include AI capability claims as a specific review category, not just general performance claims.
  • NYDFS examination findings in cybersecurity examinations have consistently cited gaps in third-party vendor oversight, insufficient documentation of risk assessments, and board-level governance that is nominal rather than substantive. As AI systems become a larger share of the technology footprint at NYDFS-regulated firms, these same finding categories are being applied to AI-specific controls.
  • OCC and Fed horizontal reviews of model risk management have found that many banks have not updated their model inventories to include AI and machine learning models, particularly those deployed by third-party vendors. A model that is not in the inventory is not being validated, monitored, or governed.
  • CFPB supervisory activity has produced findings against lenders whose AI-driven adverse action notices failed to provide specific and accurate reasons for credit denials. These AI governance case studies in financial services are instructive because they show that the compliance failure was not in the model itself — it was in the governance layer that was supposed to ensure the model’s outputs were translated into compliant consumer communications.
  • Bank AI governance enforcement actions remain relatively limited in number, but the trajectory is clear. Regulators across all five agencies named AI governance as a current examination priority in their most recent supervisory communications — not a future one.

Building One AI Governance Program That Satisfies All Your Regulators

The firms that manage multi-regulator AI compliance most effectively are not maintaining five separate compliance programs. They are maintaining one AI governance framework with a regulatory mapping layer that translates core program elements into each regulator’s vocabulary and documentation format. The architecture of that unified program has four components.

  • First, a single AI model and system inventory. Every AI system in production — whether built internally, purchased from a vendor, or accessed via API — needs to be in one inventory with consistent metadata: use case, data inputs, model type, deployment date, last validation date, business owner, and applicable regulatory frameworks. This inventory is the foundation for every other governance activity and the first thing every examiner requests.
  • Second, a tiered risk classification. Not every AI system carries the same regulatory risk. An AI tool used for internal document summarization carries different risk than an AI model used in credit underwriting or investment recommendations. A tiered classification system — high, medium, low — allows the firm to apply proportionate governance: full SR 11-7 validation and ongoing monitoring for high-risk models, lighter-touch documentation for low-risk tools. This satisfies OCC AI governance guidance, CFPB AI compliance expectations, and NYDFS expectations simultaneously, because all three accept a risk-proportionate approach.
  • Third, a regulatory mapping matrix. For each core governance control — model validation, third-party vendor oversight, board reporting, adverse action notice review, cybersecurity risk assessment — the matrix identifies which regulators require it, what their specific documentation expectations are, and where a single artifact can satisfy multiple requirements. This eliminates duplicative work and reduces the risk of inconsistent answers across examinations.
  • Fourth, a board and senior management reporting cadence. Every regulator on this list expects board-level AI risk oversight. The specific form varies — NYDFS focuses on cybersecurity risk, the SEC focuses on fiduciary and disclosure risk, the OCC and Fed focus on model risk — but the underlying expectation is consistent: the board needs to understand the firm’s AI risk profile and receive regular reporting on it. A quarterly AI risk report structured to address each regulator’s specific concerns satisfies this expectation across all frameworks.

For firms subject to NYDFS specifically, the NYDFS AI Cybersecurity Guidance Compliance pillar provides the detailed framework for building out the NYDFS-specific layer of this program. For the SEC layer, examination priorities and specific adviser obligations are covered in SEC AI Examination Priorities 2026: What Investment Advisers Need to Know. For the foundational governance architecture, AI Governance Framework for Regional Banks and Credit Unions provides the structural model. And for CCOs and CISOs working through internal responsibility allocation, CCO and CISO Guide to AI Governance Responsibilities Under NYDFS addresses the organizational design questions directly. Firms that mapped their regulatory obligations, built a unified inventory, and established board reporting before any examiner asked are the ones entering 2025 examination cycles without remediation backlogs.


  • Ready to assess where your AI governance program stands across all your regulators? Download our Multi-Regulator AI Governance Readiness Checklist — a structured assessment that maps your current controls against NYDFS, SEC, OCC, CFPB, and Federal Reserve expectations in one document, so you can identify gaps before your next examination cycle begins.
Brine

Build, hire, and govern every AI system in your environment.

Describe a workflow in plain English and Brine builds it, runs it on your data, and governs every step — costing and attributing each action to its agent and model, with a pre-dispatch cap that holds a step before it overspends and a signed audit trail as standard.

Scope a pilot More resources