Federal banking supervisors are intensifying their oversight of artificial intelligence implementation at financial institutions as the technology becomes increasingly prevalent throughout the industry, according to individuals with knowledge of the regulatory activities.
Financial institutions have quickly embraced artificial intelligence technology in recent years, extending its application beyond simple virtual assistants to sophisticated operations including regulatory compliance monitoring and loan underwriting processes, which has attracted increased regulatory attention.
Supervisors are enhancing their oversight as AI adoption accelerates throughout financial services, creating new vulnerabilities to cybersecurity threats and fraudulent activities. Currently, their strategy involves maintaining close observation to gain deeper insight into how financial institutions are implementing this technology.
The Office of the Comptroller of the Currency and the Federal Reserve have begun incorporating AI technology mapping requirements into their standard bank examinations, particularly for high-risk applications such as lending operations, customer identification procedures, and sanctions screening processes, according to three individuals familiar with these developments.
Banking supervisors are requesting comprehensive information about vendor relationships, customer data protection measures, and the presence of safety mechanisms such as emergency shutdown capabilities, these individuals reported. They are also investigating governance structures, including protective measures and human supervision, third-party risk management and vendor oversight, subcontractor exposure levels, and backup plans for system failures.
AI technology discussions have become a standard component of every banking examination, one individual noted.
These conversations occur through both written documentation and verbal communications. Supervisors are not yet providing specific directives but are working to gain better comprehension of how banks implement the technology, the individuals explained.
The individuals requested anonymity due to the confidential nature of these discussions. The OCC, which oversees U.S. banks, did not provide a response to comment requests, while the Fed declined to comment.
U.S. banking supervisors have publicly indicated increased scrutiny of financial institutions’ artificial intelligence usage. Last year, the Government Accountability Office reported that supervisors had informed them of their ongoing assessment of AI risks within financial services.
In April, the OCC announced that it, along with the Fed and the Federal Deposit Insurance Corporation, intended to issue a formal information request regarding banks’ AI usage, including generative and agentic systems. Such requests do not create new regulations but assist agencies in collecting information before determining potential actions.
Supervisors are attempting to evaluate how banks are managing rapidly evolving systems such as Anthropic’s frontier AI model Mythos. Cybersecurity specialists indicate that this system presents substantial challenges to the banking sector and its existing technology infrastructure due to its capacity for exploiting cyber weaknesses.
The U.S. Treasury and supervisors are also reviewing the cybersecurity threats the new artificial intelligence model creates and evaluating how well financial firms are prepared to address them.
Currently, supervisors are concentrating on information collection and industry practice evaluation rather than limiting specific applications, individuals reported.
Rather than creating new regulations specifically designed for AI, the agencies are utilizing existing frameworks including model risk management, third-party risk supervision, and consumer protection regulations to evaluate how banks are managing the emerging technology, the individuals stated.
A primary concern for supervisors is ensuring that AI systems do not exceed their intended functions or access levels, the individuals noted. Supervisors are investigating whether tools can access or deduce information beyond authorized parameters, particularly since AI models are designed to extract and connect information across multiple systems. This creates risks regarding privacy, confidentiality, and regulatory compliance, according to these individuals.
Financial institutions are being required to demonstrate their control measures, including protective barriers that restrict model behavior and data access capabilities, they continued. Supervisors are also emphasizing human supervision and emergency shutdown mechanisms that enable firms to halt systems when necessary, along with clear authority structures for intervention, all three individuals confirmed.
Another significant oversight area involves vendor risk. As banks increasingly depend on third-party providers for AI tools, supervisors are questioning how firms ensure these vendors and their subcontractors maintain the same governance and security standards as the banks themselves, the three individuals reported.
Supervisors are also inquiring whether banks have contingency plans if security breaches occur with vendor systems, one individual noted, a growing concern as AI usage becomes more integrated into various banking operations.
Simultaneously, the rapid pace of AI advancement is creating challenges for supervisors themselves. The three individuals indicated that the technology is progressing at a rate that significantly exceeds traditional regulatory learning and rulemaking cycles, creating concerns that formal guidance, when released, could quickly become obsolete.
Consequently, authorities are expected to continue relying on broad, principles-based supervision rather than detailed regulations, though this approach could potentially change.
“Today, banks are relying on existing risk-management frameworks to guide their use of AI,” Federal Reserve Vice Chair for Supervision Michelle Bowman said in a speech in May. “While these supervisory tools are intended to support banks in applying sound governance and risk management, we should assess whether our supervisory guidance is fit for the future.”
