Artificial Intelligence: Use and Oversight in Financial Services

Summary

This GAO report delivers the first comprehensive federal analysis of how AI is actually being deployed across America's financial sector—and whether regulators are keeping pace. Released in 2024, it cuts through the hype to examine real-world AI implementations at banks, credit unions, and fintech companies, while evaluating how agencies like the Fed, FDIC, and OCC are adapting their oversight approaches. Rather than proposing new regulations, the report reveals how existing financial laws and examination processes are being stretched to cover AI risks, offering crucial insights for institutions navigating this regulatory gray area.

What makes this different

Unlike theoretical AI governance frameworks, this report is grounded in actual regulatory examinations and industry practices. The GAO conducted extensive fieldwork with financial institutions and interviewed examiners who are literally walking into banks to assess AI systems. This isn't policy speculation—it's documentation of what's happening right now in examination rooms and compliance departments across the financial sector.

The report also breaks new ground by mapping how traditional banking regulations (think Fair Credit Reporting Act, Equal Credit Opportunity Act, Bank Secrecy Act) are being applied to AI systems. It's the missing link between abstract AI principles and concrete regulatory enforcement.

Key regulatory findings

Existing laws are doing heavy lifting: Federal financial regulators aren't creating AI-specific rules. Instead, they're applying decades-old consumer protection, safety and soundness, and anti-money laundering laws to AI systems. The report details exactly how this translation works in practice.

Risk-based examination evolution: Bank examiners are developing new techniques to assess AI risks during routine examinations. The report documents emerging examination practices, from model validation requirements to bias testing protocols.

Regulatory coordination gaps: While multiple agencies oversee AI in finance, the report identifies coordination challenges between prudential regulators, consumer protection agencies, and state regulators—particularly important for fintech companies that may fall under different jurisdictions.

Vendor risk management spotlight: With most financial institutions using third-party AI systems rather than building their own, the report highlights how vendor oversight has become a critical regulatory focus.

The compliance reality check

Financial institutions will find practical insights into what regulators are actually examining. The report reveals that examiners are focusing heavily on:

• Governance structures: How boards and senior management oversee AI initiatives
• Risk management processes: Integration of AI risks into existing enterprise risk frameworks
• Model validation practices: Extending traditional model risk management to AI systems
• Consumer impact assessments: Documentation of potential discriminatory effects
• Incident response capabilities: Preparedness for AI system failures or unexpected behaviors

The report also documents common compliance gaps regulators are finding, providing a roadmap for strengthening AI governance programs.

Who this resource is for

Financial institution executives and risk managers who need to understand regulatory expectations and examination priorities for AI implementations.

Compliance officers and legal teams at banks, credit unions, and fintech companies seeking concrete guidance on how existing regulations apply to AI systems.

Financial services consultants and advisors helping clients navigate AI governance requirements and regulatory compliance.

Federal and state financial regulators looking for comprehensive analysis of current oversight approaches and potential gaps.

Policy researchers and academics studying the intersection of AI governance and financial regulation, particularly the adaptation of existing regulatory frameworks to emerging technologies.

Quick reference: Agency approaches

• Federal Reserve: Emphasizes AI integration into existing supervision and regulation framework
• FDIC: Focuses on safety and soundness implications, particularly for community banks
• OCC: Highlights operational risk management and third-party vendor oversight
• CFPB: Concentrates on consumer protection and fair lending compliance
• FinCEN: Examines AI use in anti-money laundering and suspicious activity monitoring

The report provides detailed breakdowns of each agency's specific examination priorities and enforcement actions related to AI systems.