NEW YORK — In a supervisory development seems likely to also reach even further into credit union oversight, federal banking regulators are increasing their oversight of how banks use artificial intelligence, as the rapidly evolving technology becomes more deeply embedded in lending, compliance and customer-service operations, according to a new report.
As the CU Daily has previously reported, within credit unions there has already been discussion of some AI-related issues around compliance, as well as the potential for litigation around how data is handled.
The Federal Reserve and the Office of the Comptroller of the Currency have begun using routine bank examinations to gather more detailed information about how financial institutions deploy AI, particularly in higher-risk areas such as credit underwriting, know-your-customer verification, sanctions screening and other compliance functions, according to Reuters, which cited sources close to the issue.
The report added that regulators are not yet imposing new AI-specific requirements. Instead, they are seeking a better understanding of how banks are using the technology and how institutions are managing associated risks.
Sources told Reuters that examiners are asking banks to document where AI is being used, how customer data is protected and what governance controls are in place.
Areas of Scrutiny
Areas of focus reportedly include:
- Human oversight of AI systems
- Internal guardrails governing AI behavior
- Data-access controls and privacy protections
- Third-party vendor management
- Exposure to subcontractors used by AI providers
- Contingency plans for system failures
- “Kill switches” that allow institutions to disable AI systems if necessary
One source told Reuters that discussions surrounding AI have become a standard component of virtually every bank examination.
Particular Area of Concern
Reuters reported that regulators are particularly concerned about ensuring AI systems do not access or infer information beyond authorized limits, creating potential privacy, confidentiality and compliance risks. Examiners are also reviewing whether banks have clearly defined authority structures for intervening when AI systems behave unexpectedly.
Another major area of scrutiny involves third-party providers. Reuters reported that regulators are questioning how banks ensure outside vendors — and the vendors’ subcontractors — maintain governance, security and risk-management standards comparable to those required of the banks themselves.
Exit Strategies in Place?
Sources told Reuters that regulators are also asking whether institutions have exit strategies in place should an AI vendor experience a security breach or operational failure.
The increased oversight comes as AI adoption accelerates throughout the financial services industry. Banks have expanded their use of AI from customer-facing virtual assistants to more sophisticated applications involving regulatory compliance, fraud detection and lending decisions.
Reuters reported that regulators are relying primarily on existing supervisory frameworks — including model risk management, third-party risk oversight and consumer protection requirements — rather than developing new AI-specific rules.
Federal regulators have already publicly signaled heightened attention to AI. Reuters noted, and the CU Daily also reported, that the Government Accountability Office reported last year that banking regulators were assessing AI-related risks in financial services. In April, the OCC, Federal Reserve and Federal Deposit Insurance Corp. announced plans to seek industry input on the use of AI, including generative and agentic AI systems.
Other Risks Being Evaluated
Reuters also reported that regulators and the U.S. Treasury Department are evaluating cybersecurity risks associated with emerging AI technologies and assessing whether financial institutions are adequately prepared to address those threats.
According to Reuters, regulators face a challenge of their own: the speed of AI development. Sources said the technology is advancing much faster than the traditional pace of regulatory learning and rulemaking, raising concerns that any formal guidance could quickly become outdated.
As a result, Reuters reported that regulators are expected to continue relying on broad, principles-based supervision rather than prescriptive rules, at least in the near term.
