Background

AI technologies are rapidly advancing, and complex regulations are emerging constantly to keep pace. Different jurisdictions have their own AI regulations, leading to a “patchwork of rules” that financial institutions must navigate. While there is a growing need for AI solutions to address various business challenges, particularly in combatting financial crime through Anti-Money Laundering (AML) and broader compliance efforts, organizations must be cognizant of the obligations they may be subject to such as data privacy, security, algorithm bias, maintaining transparency and explainability in AI decision making, establishing accountability for AI system failures and adhering to specific reporting and auditing requirements.

Business leaders in financial institutions have a responsibility to understand which local, national, and industry-specific regulations and standards for AI apply to their organization. They must identify AI systems, applications, and related vendors used within the organization. Organizations that are rolling out AI capabilities are operating in an environment that combines enormous potential with growing regulatory and ethical complexity. Aiming to leverage significant opportunities for innovation and efficiency while addressing challenges related to compliance, transparency, and trust is crucial. This is especially true in critical areas like AML and fraud detection, where AI can significantly enhance capabilities but also introduce new risks if not properly governed.

AI Regulations and Frameworks

The regulatory landscape for AI in financial services is rapidly evolving and characterized by a complex “patchwork of rules” across diverse jurisdictions. Financial institutions are overseen by various regulatory bodies and must adhere to guidelines issued by them. These include:

United States: 

• Federal Reserve (Fed), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC): These prudential regulators oversee banks and financial institutions, often applying existing model risk management guidance to AI systems and conducting AI focused examinations. The US Treasury Department also shows keen interest in AI for AML compliance.
• Securities and Exchange Commission (SEC) & Commodity Futures Trading Commission (CFTC): Regulate AI use in capital markets, including automated trading algorithms.
• National Credit Union Administration (NCUA): Oversees credit unions, though a Government Accountability Office report highlighted its need for updated model risk management guidance for AI and authority to examine technology service providers. 

European Union (EU): 

• European Commission & EU National Authorities: Oversee the implementation and enforcement of the EU AI Act and Digital Operational Resilience Act (DORA).
• European Supervisory Authorities: Contribute to guidelines and reports on AI use in financial services.

United Kingdom (UK): 

• Financial Conduct Authority (FCA): Has issued non-binding, principles-based guidelines for AI use in financial services, emphasizing fairness, transparency, and accountability.

Other International Bodies: 

• Monetary Authority of Singapore (MAS): Promotes principles like Fairness, Ethics, Accountability, and Transparency (FEAT) for AI governance.
• Various National Central Banks and Financial Regulators: Across APAC (e.g., China, South Korea, Japan) and other regions, national bodies are developing specific regulations or guidelines.

The global landscape features various frameworks and regulatory approaches that impact AI development and deployment:

• National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF): A voluntary framework in the U.S. designed to help organizations manage AI risks and promote trustworthy AI systems throughout their lifecycle (design, development, use, evaluation). It focuses on trustworthiness characteristics like reliability, transparency, fairness, accountability, and security.  It is adaptable and compatible with existing risk management frameworks in the financial sector, serving as a crucial guide for responsible AI adoption even in the absence of prescriptive laws. Key functions include – Govern, Map, Measure, and Manage AI risks.
• General Data Protection Regulation (GDPR) (EU): While not an AI-specific law, GDPR has significant implications for AI due to its focus on data privacy and individual rights. It imposes strict rules on the processing of personal data, which AI systems often rely on. Key Aspects for AI include explicit consent for data processing, grants individuals’ rights like the “right to be forgotten” (requiring AI models to be retrainable or deletable), mandates data protection impact assessments for high-risk processing, and includes provisions related to automated individual decision-making.
• Digital Operational Resilience Act (DORA) (EU): A regulation aimed at strengthening the IT security of financial entities and critical third-party Information and communication technology (ICT) service providers. While not solely AI-focused, it significantly impacts AI systems by ensuring their operational resilience and security within the financial sector.

Key aspects for AI include ICT risk management, incident reporting, digital operational resilience testing, information sharing, and managing third-party ICT risk, including AI vendors.

• United Kingdom (UK’s Principles-Based Approach): The UK favors a principles-based, pro-innovation approach rather than a single overarching AI law. It outlines five core principles: safety, security, and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. This approach encourages existing regulators (like the FCA) to issue sector specific guidance on how these principles apply, allowing for flexibility but requiring banks to actively interpret and implement these principles in their AI governance.

• Canada (Artificial Intelligence and Data Act – AIDA): Part of Bill C-27, AIDA is currently in committee and proposes a risk-based framework for AI, similar to the EU AI Act, focusing on high-impact AI systems. It aims to regulate AI systems to mitigate potential harm. Once enacted, it will introduce new compliance requirements for financial institutions operating in Canada, particularly for AI systems deemed high impact.

Singapore (FEAT Principles): The Monetary Authority of Singapore (MAS) has published principles for Fairness, Ethics, Accountability, and Transparency (FEAT) to guide responsible AI and data use in the financial sector. These are non-binding but serve as a strong industry expectation.

How Financial Institutions Should Determine Applicable Regulations and Best Practices

Global financial institutions must adopt a sophisticated approach to identify and apply relevant AI compliance obligations:

• Jurisdictional Footprint: The most fundamental step is understanding where the financial institution operates, where its customers are located, and where data is processed or stored. AI systems are often subject to the laws of both the jurisdiction where they are developed/deployed and where their outputs are used or impact individuals.

• Nature of AI Use Cases: The specific application of AI significantly influences the regulatory burden. “High-risk” AI systems, such as those used for credit scoring, fraud detection, anti-money laundering (AML), or critical decision-making processes, face much stricter requirements than lower-risk applications (e.g., internal administrative AI).

• Existing Legal Frameworks: Financial institutions must integrate AI compliance with existing laws related to data privacy (e.g., GDPR, CCPA), consumer protection (e.g., fair lending laws like ECOA, UDAAP), and financial stability. Regulators often interpret existing laws to apply to AI outputs and processes.
• Outcomes-Based Approach: Regulators are increasingly focusing on the outcomes produced by AI systems rather than solely on their internal technical complexities. Financial institutions must ensure that AI-driven decisions align with principles of fairness, transparency, and non-discrimination, regardless of the underlying algorithms.

• Industry Guidance and Best Practices: Adopting voluntary frameworks like the NIST AI Risk Management Framework (AI RMF) and engaging with industry consortia and regulatory sandboxes helps them anticipate future mandates and align with evolving best practices.

• Third-Party Vendor Management: Given the reliance on third-party AI solutions, financial institutions must extend their due diligence to ensure that vendor practices align with their own regulatory obligations and risk appetite.

Effective AI governance and compliance in financial services are built upon a foundation of responsible AI guiding principles. These principles serve as a compass, ensuring that AI systems are developed and deployed ethically and in alignment with stringent regulatory requirements, particularly in AML and financial crime prevention:

Global AI Mandates and Their Impact on Global Financial Institutions

The United States employs a sectoral strategy, relying on existing agency powers and executive orders, such as Biden Administration’s Executive Order 14110, without a single overarching federal AI law. In contrast, the European Union leads with the EU AI Act, the world’s first comprehensive AI law, which utilizes a risk-based approach imposing stringent requirements on high-risk AI systems with extraterritorial reach. The United Kingdom favors a more principles-based, pro-innovation stance, encouraging sector-specific guidance from existing regulators rather than a unified AI law. China operates under a more restrictive regime, implementing regulations on algorithmic systems, deep synthesis, and Generative AI, often requiring security assessments aligned with government values. Other nations like Canada, South Korea, Japan, and Singapore are also developing or have introduced various forms of AI legislation or national strategies, ranging from comprehensive acts to voluntary guidelines.

The lack of globally harmonized AI regulations presents significant challenges for global financial institutions operating across multiple jurisdictions: 

• Increased Compliance Costs: Global financial institutions face higher expenditure in monitoring and adhering to diverse, often conflicting, regulatory requirements across different jurisdictions.
• Operational Complexity: Managing AI systems to satisfy multiple, distinct sets of rules complicates development, deployment, and ongoing governance processes.
• Slowed Innovation: The need to comply with varied regulations can delay the adoption and scaling of AI initiatives, as systems must be adapted or re-engineered for each market.
• Risk of Non-Compliance: The fragmented landscape increases the likelihood of inadvertently breaching a regulation in one jurisdiction, leading to significant fines and reputational damage.
• Challenges in Achieving Enterprise-Wide Consistency: It becomes difficult to implement a unified AI governance framework or standardized AI models across the entire organization.
• Third-Party Risk Management: Global financial institutions often rely on external AI vendors, adding another layer of complexity in ensuring these vendors comply with regulations across all relevant operating regions.
• Need for Agile Compliance Frameworks: Financial institutions must develop flexible, modular compliance platforms that allow for jurisdiction-specific rule sets, dynamic thresholds, and localized reporting, while maintaining a unified risk management baseline. 

AI Compliance Strategy Challenges

Organizations, particularly financial institutions, face several significant challenges in developing and implementing an AI compliance strategy:

• Rapidly Evolving Regulations: AI regulations are emerging and evolving rapidly globally, making it difficult for organizations to keep pace and integrate them into existing AML and compliance frameworks.
• Data Privacy and Security Concerns: AI applications involve the processing of vast amounts of sensitive data, including Personally Identifiable Information (PII) and Protected Health Information (PHI), raising significant concerns about data privacy and security. The risk of data confidentiality and integrity from inputting sensitive data or using unverified AI outputs is substantial.
• Ethical Implications and Bias: AI can have significant ethical implications, such as bias and discrimination, particularly in areas like credit scoring, risk assessment, and customer due diligence. AI applications must include checks and balances to ensure unbiased results and fair representation, as bias in data input or algorithms can lead to discriminatory outcomes.
• Implementing a Prioritized Strategy: Effectively implementing an AI compliance strategy with prioritized tasks and initiatives that align with both AI governance and existing AML/compliance programs is a key challenge.
• Limited Visibility and Control: Many financial institutions struggle with limited visibility and control over their AI deployments, making it difficult to assess and manage associated risks effectively.
• Lack of Actionable Guidance: Despite declarations for responsible AI, many organizations lack concrete, actionable guidance on how to operationalize these principles within their compliance functions.
• Absence of AI Governance Functions: Compliance concerns often stem from the absence of robust AI governance functions, leading to a lack of confidence in compliance posture.
• Measuring Progress: Establishing effective metrics to measure the progress and effectiveness of the AI compliance strategy, particularly in terms of reducing false positives in AML or improving detection rates, remains a significant challenge.

Beyond the direct challenges, several common obstacles hinder effective AI governance and compliance in financial institutions:

• Limited Visibility into AI Systems
• Adapting to Progressive Business Needs
• Ambiguity of Responsibility
• Employee Resistance
• Lack of Responsible AI Guiding Principles
• Absence of a Controls Library
• Skills Shortage
• Insufficient Communication and Knowledge Management
• Fragmented Accountability in Third-Party AI
• Advancing AI Maturity
• Integration with Legacy Systems

How Matrix Can Support to Develop an AI Compliance Strategy and Roadmap

Matrix adopts a strategic and comprehensive approach to AI Governance and Compliance, specifically tailored for the complexities of financial services. Our approach is rooted in industry best practices and focuses on actionable steps for aligning with global AI standards and financial regulations, including AML and broader compliance frameworks.

Matrix, with its deep expertise in financial crime, risk solutions, and compliance, is uniquely positioned to assist financial institutions in developing and implementing robust AI compliance strategies and roadmaps. Our support extends to every phase of this critical journey, ensuring that AI deployments enhance, rather than compromise, your AML and regulatory posture:

• AI Governance Framework: Matrix can establish an AI governance framework that provides a holistic approach to managing, monitoring, and controlling the effective and ethical use and development of AI systems for financial crime. This includes defining responsible development, ensuring alignment with organizational objectives, and integrating AI governance into existing financial crime compliance and risk management processes. 
• Enhance AML Compliance Framework: Matrix empowers financial institutions to enhance their AI compliance strategy and roadmap by implementing AI-powered third-party solutions for real-time AML transaction monitoring, improved KYC/CDD, efficient SAR generation, and accurate sanctions screening. These solutions leverage intelligent automation and advanced analytics to reduce false positives, detect complex financial crime patterns, and streamline investigations, bolstering regulatory adherence and operational efficiency.

• Intended Purposes and Visibility are Critical: We start by thoroughly documenting and understanding the intended purposes and operational mechanisms of all AI systems in your organization. This is not just a checkbox but the compass that guides AI systems toward trustworthiness, accountability, and regulatory alignment, particularly crucial for auditable AML processes.
• Manage Complexity with Structure and Avoid Duplicating Effort: We tackle evolving and overlapping regulations by aligning cross-functional leadership (including compliance, legal, IT, and business units), engaging experts, and implementing a structured compliance framework. This helps prioritize and address obligations effectively. If your organization’s obligations mirror or are less stringent than those already mapped, leverage the existing framework to save time and focus on the implementation of controls.

• Data Unification and Quality for AI: Financial institutions often grapple with fragmented data across multiple systems. Matrix can help to unify this scattered information, providing a comprehensive view of customer behavior and transaction patterns essential for effective AI models in AML. We also assist in establishing robust data governance frameworks to ensure data cleanliness and reliability, which is foundational for AI success.

• Ensuring Explainability and Auditability: Recognizing the regulatory demand for transparency, we support the development and implementation of transparent AI systems. This includes ensuring that AI models used for compliance (e.g., in alert scoring or AML alert generation) can explain their decision-making processes, providing clarity to regulators and auditors. 
• Cost Efficiency and Value Creation: By implementing well defined AI compliance strategies with our support, financial institutions can achieve significant cost savings through automation of labor-intensive tasks (e.g., transaction screening, alert prioritization) and reallocate resources towards strategic decision making and complex investigations. This also contributes to improved operational excellence and reduced exposure to regulatory fines and reputational damage.
• Metrics for Success: We help establish key metrics to measure the value of your AI compliance strategy, such as reduction in false positives, decrease in investigation times, improved regulatory filing accuracy, and overall reduction in compliance management efforts.

Conclusion

As AI continues to reshape the financial services landscape, effective AI governance and compliance are no longer optional but foundational pillars for responsible innovation, robust financial crime prevention, and sustained success. Financial institutions that proactively address the evolving regulatory environment and integrate ethical considerations into their AI strategies will be best positioned to mitigate risks, enhance their AML capabilities, build stakeholder trust, and unlock the full transformative potential of AI. The approach utilized by Matrix, aligns with industry best practices, will enable businesses to anticipate and address regulatory requirements proactively by adopting a strategic approach and the right tools to navigate this landscape successfully.

Matrix stands as a trusted partner, offering the deep expertise, specialized frameworks, and proven methodologies necessary to navigate this complex terrain. By collaborating with Matrix, your organization can develop a robust AI compliance strategy and roadmap that not only ensures regulatory adherence and strengthens your AML posture but also enables a confident and responsible embrace of the AI future.