
AI Governance in Financial Services: What Project Managers Need to Know

SR 11-7, the EU AI Act, FINRA's 2026 GenAI guidance — financial services has the most mature AI governance regulatory stack of any industry. Here's what it means for PMs managing AI in banking, lending, and investment management.

By AIPMO
10 min read
PM Takeaways
  • SR 11-7 — the Federal Reserve and OCC model risk management guidance from 2011 — applies to every AI model used for material decisions. It requires a model inventory, tiered risk classification, independent validation, and ongoing monitoring. Only 44% of banks properly validate their AI models. That is the compliance gap regulators are examining.
  • The Massachusetts AG’s July 2025 settlement with Earnest Operations established the enforcement standard: AI underwriting models must be tested for disparate impact before deployment, proxy variables must be identified and reviewed, and adverse action notices must reflect actual model outputs — not a generic checklist. These are acceptance criteria, not post-deployment audits.
  • The CFPB has confirmed across three successive circulars that there are no technology exceptions to ECOA. A black-box credit model whose outputs you cannot explain in specific, accurate terms is a compliance violation. Model complexity does not excuse the adverse action notice requirement.
  • Voice AI on customer call center interactions requires explicit consent before deployment. Turner v. Nuance and Gladstone v. AWS — both active in 2025 — establish that recording and analyzing customer calls without consent violates state privacy laws even when the purpose is fraud prevention.
  • The FSOC’s December 2024 Annual Report flagged AI concentration risk: when most institutions rely on the same vendors for credit scoring, fraud detection, and risk modeling, a correlated failure propagates across the system simultaneously. Model inventory and vendor diversification are governance requirements regulators are actively examining.
  • Securities class actions targeting AI misrepresentations doubled between 2023 and 2024. The March 2025 DocGo ruling confirmed these claims survive dismissal motions. External AI capability claims — in investor materials, marketing, and regulatory filings — are legally material and must be covered by your governance program.

Financial services was an early and deep adopter of AI — algorithmic credit scoring, fraud detection, and automated trading all predate the current wave of generative AI by decades. SR 11-7 has applied to financial institution models since 2011. The CFPB’s adverse action notice requirements have been on the books since the Equal Credit Opportunity Act. Fair lending testing is standard practice at regulated institutions.

And yet 2025 produced the first state-level AI fair lending enforcement action in financial services, active litigation over voice AI on bank customer calls, and a continuing surge in AI-washing securities claims. Over 85% of financial firms are actively deploying AI, but only 44% are properly validating their models. The gap between adoption speed and governance rigor is where enforcement risk lives.

For PMs in financial services, the governance landscape is distinctive in three ways: a 14-year-old framework already exists and has examination teeth; the explainability obligation is a hard legal requirement, not a design aspiration; and systemic risk — the amplification of model failures across correlated institutions — is a regulatory concern unique to this sector.


Where AI Is Used in Financial Services

| Function | AI Applications |
|---|---|
| Credit underwriting | Automated loan decisioning, credit scoring, alternative data models, pricing algorithms, limit management. |
| Fraud detection | Transaction monitoring, anomaly detection, identity verification, deepfake detection, behavioral biometrics. |
| Risk management | Credit risk modeling, market risk, liquidity forecasting, stress testing, operational risk. |
| Regulatory compliance | AML/KYC screening, suspicious activity reporting, sanctions screening, regulatory reporting automation. |
| Customer service | Chatbots, virtual assistants, voice AI on call centers, sentiment analysis, complaint routing. |
| Trading and investment | Algorithmic trading, portfolio optimization, ESG scoring, investment recommendations. |
| Operations | Document processing, loan origination automation, claims processing, back-office automation. |
| Marketing | Propensity models, customer segmentation, churn prediction, personalized product offers. |

Three 2025 Cases

Earnest Operations: First State AI Fair Lending Enforcement

On July 10, 2025, the Massachusetts AG announced a $2.5 million settlement with student loan company Earnest Operations LLC — the first state enforcement action specifically targeting AI bias in financial services lending. Earnest’s models used the federal Cohort Default Rate as an underwriting input without testing for discriminatory outcomes. HBCUs and minority-serving institutions have higher CDR rates, so applicants from these schools were penalized for the average behavior of past students regardless of individual creditworthiness. The model also automatically denied applicants without a green card — national origin discrimination under ECOA.

PM lesson: Earnest never tested its models for disparate impact. A published government statistic looked like a neutral financial variable. It was a proxy for the racial composition of the applicant’s institution. Disparate impact analysis is a model acceptance criterion, not a post-complaint audit.
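To make that lesson concrete, here is an added example (not code from the article, from AIPMO, or from Earnest) of the two checks the settlement turned on: a subgroup approval-rate comparison on a model's decisions, and a proxy screen on each model input, run before a model is accepted. The toy underwriting rule, the applicant records, the 0.8 adverse-impact floor (the four-fifths heuristic) and the 0.5 correlation threshold are all constructed assumptions, not values from the case.

```python
"""Pre-deployment fair lending checks: disparate impact and proxy screening.

Added example with constructed data. A toy rule penalises applicants from
schools with a high Cohort Default Rate (CDR), mirroring the Earnest pattern;
a candidate less discriminatory alternative (LDA) drops that input.
"""
from math import sqrt

# Constructed applicant records (not real data). `group` is a protected-class
# label held only for testing; the models below never read it.
APPLICANTS = [
    {"group": "A", "school_cdr": 0.04, "credit_score": 680},
    {"group": "A", "school_cdr": 0.05, "credit_score": 700},
    {"group": "A", "school_cdr": 0.06, "credit_score": 665},
    {"group": "A", "school_cdr": 0.07, "credit_score": 720},
    {"group": "A", "school_cdr": 0.05, "credit_score": 690},
    {"group": "B", "school_cdr": 0.12, "credit_score": 690},
    {"group": "B", "school_cdr": 0.13, "credit_score": 710},
    {"group": "B", "school_cdr": 0.11, "credit_score": 660},
    {"group": "B", "school_cdr": 0.14, "credit_score": 730},
    {"group": "B", "school_cdr": 0.06, "credit_score": 670},
]


def cdr_rule(app):
    """Toy underwriting rule: approve on score, but penalise high-CDR schools."""
    return app["credit_score"] >= 660 and app["school_cdr"] < 0.10


def score_only(app):
    """Candidate LDA: same score cut-off, with the CDR input removed."""
    return app["credit_score"] >= 660


def approval_rates(model, applicants):
    """Approval rate per subgroup for a given decision function."""
    counts = {}
    for app in applicants:
        n, k = counts.get(app["group"], (0, 0))
        counts[app["group"]] = (n + 1, k + int(model(app)))
    return {g: k / n for g, (n, k) in counts.items()}


def adverse_impact_ratio(rates):
    """Lowest subgroup approval rate divided by the highest (1.0 = parity)."""
    return min(rates.values()) / max(rates.values())


def proxy_correlation(applicants, feature, protected_group):
    """Point-biserial correlation between one model input and membership in
    `protected_group`; a high absolute value marks the input as a likely proxy."""
    xs = [a[feature] for a in applicants]
    ys = [1.0 if a["group"] == protected_group else 0.0 for a in applicants]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0


def fair_lending_report(model, applicants, features, protected_group="B",
                        air_floor=0.8, proxy_threshold=0.5):
    """Acceptance-gate report: rates, adverse impact ratio, proxy screen and
    the list of findings that would block sign-off. Thresholds are assumptions."""
    rates = approval_rates(model, applicants)
    air = adverse_impact_ratio(rates)
    proxies = {f: proxy_correlation(applicants, f, protected_group) for f in features}
    findings = []
    if air < air_floor:
        findings.append(f"adverse impact ratio {air:.2f} is below the {air_floor} floor")
    for f, r in proxies.items():
        if abs(r) >= proxy_threshold:
            findings.append(f"input '{f}' correlates with group {protected_group} "
                            f"(r={r:.2f}); review as a possible proxy")
    return {"rates": rates, "air": air, "proxies": proxies, "findings": findings}


if __name__ == "__main__":
    # Each model is screened only on the inputs it actually consumes.
    for name, model, feats in (("cdr_rule", cdr_rule, ["school_cdr", "credit_score"]),
                               ("score_only", score_only, ["credit_score"])):
        rep = fair_lending_report(model, APPLICANTS, feats)
        print(f"{name}: rates={rep['rates']} AIR={rep['air']:.2f}")
        for finding in rep["findings"]:
            print("  FINDING:", finding)
```

The CDR rule fails both gates on this sample: group B is approved at one fifth the rate of group A, and the CDR input itself correlates strongly with group B membership, which is what makes a "neutral" published statistic a proxy. The score-only alternative reaches parity on the same cut-off, which is the LDA comparison the CFPB standard asks for.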

Voice AI Consent Litigation

Two federal lawsuits active through 2025 target financial institutions’ use of AI on customer call center interactions. Turner v. Nuance Communications (N.D. Cal.) alleged Nuance’s voice AI recorded calls for authentication and fraud prevention without consent under the California Invasion of Privacy Act. Gladstone v. Amazon Web Services (W.D. Wash.) alleged a bank used AWS AI to analyze voice recordings for sentiment and behavioral patterns without consent. Both cases proceeded past initial motions.

PM lesson: Any AI that processes customer voice data — for fraud prevention, sentiment analysis, authentication, or quality assurance — requires a consent framework before deployment. A legitimate business purpose does not substitute for consent.

AI Washing: The DocGo Ruling

In March 2025, the Southern District of New York denied a motion to dismiss in SEC v. DocGo Inc., where the company had misled investors about its proprietary AI system. Securities class actions targeting AI misrepresentations doubled between 2023 and 2024. FINRA requires member firms to treat AI-generated content as regulated communications when applicable to client interactions.

PM lesson: External AI claims are legally material. Investor presentations, earnings calls, product marketing, and regulatory filings that describe AI capabilities must accurately reflect what is deployed. Governance programs must cover external communications, not just deployment.


The Regulatory Landscape

| Framework | What It Requires for AI |
|---|---|
| SR 11-7 (Fed/OCC, 2011; FDIC 2017) | Every AI model used for material decisions requires: model inventory entry, risk tiering, independent validation, ongoing monitoring, and lifecycle documentation. The average bank now uses 175 models; large banks 300+. OCC has explicitly confirmed AI tools fall within the MRM framework. |
| ECOA / Regulation B / CFPB | Specific, accurate adverse action notices regardless of model complexity (Circulars 2022-3, 2023-3, August 2024). No technology exceptions. Generic explanations violate Regulation B. LDA (less discriminatory alternative) standard applies: if a less discriminatory model would serve the same purpose, using a more discriminatory one is not legally defensible. |
| EU AI Act (full compliance August 2, 2026) | Annex III Article 5(b): credit scoring AI is high-risk. Full Chapter III obligations: risk management, data governance, technical documentation, human oversight with override capability, post-market monitoring. DORA applies in parallel for operational resilience. |
| FSOC Systemic Risk Designation (December 2024) | Elevated AI as an explicit systemic risk concern. Flagged AI concentration risk: correlated institutional reliance on the same vendors means a failure propagates simultaneously. Examiners will increasingly ask about third-party AI concentration. |
| FINRA (2026 Annual Report) | FINRA rules are technologically neutral and apply to GenAI. Supervision, communications, recordkeeping, and fair dealing standards apply to AI outputs. AI-generated content that constitutes customer communication must be reviewed and retained per applicable rules. |

Risk Classification for Financial Services AI

| Risk Level | Examples | Governance Intensity |
|---|---|---|
| Critical | Credit underwriting, pricing models, fraud detection with adverse customer action, regulatory capital models | Full SR 11-7: model inventory, independent validation, ongoing monitoring, documentation, MRM oversight, examiner-ready records. |
| High | Customer-facing chatbots, AML/KYC screening, collections AI, voice AI on customer calls | Robust governance: SR 11-7 documentation, consent framework, compliance review of outputs, fair lending testing. |
| Medium | Internal analytics, marketing segmentation, back-office automation with no customer impact | Standard governance: model inventory entry, documentation, performance monitoring. |
| Lower | Productivity tools, document summarisation with no decision output | Basic documentation, data governance review. |

Required Documentation

| Document | Purpose |
|---|---|
| Model inventory | All AI models: purpose, risk tier, SR 11-7 classification, validation status, owner, last review date. |
| Model development documentation | Design choices, training data sources, known limitations, intended use — the SR 11-7 conceptual soundness requirement. |
| Validation reports | Independent validation results: performance testing, back-testing, bias testing by demographic subgroup. |
| Adverse action notice mapping | For each credit model: the specific reasons the model can produce and how they map to ECOA-compliant notice language. |
| Fair lending testing records | Disparate impact analysis, proxy variable review, LDA analysis, and mitigation documentation. |
| Vendor AI assessments | Due diligence records: validation documentation, bias testing, audit rights, model update notifications. |
| Monitoring reports | Ongoing performance tracking, model drift detection, examiner-ready performance history. |

Vendor Due Diligence

| Area | Questions to Ask |
|---|---|
| Model documentation | Can the vendor provide development documentation meeting SR 11-7 standards, including training data description, known limitations, and intended use boundaries? |
| Fair lending testing | Has the vendor conducted disparate impact analysis across relevant demographic groups? Can they provide results by race, ethnicity, sex, and national origin? |
| Adverse action notices | Can the model produce specific, ECOA-compliant adverse action reasons for each denial? What is the process for mapping model outputs to notice language? |
| Model updates | What is the change management process? What constitutes a material model change requiring notification and re-validation? |
| Audit rights | Will the vendor cooperate with a regulatory examination that involves their model? Can the institution audit validation documentation and testing results? |
| Concentration risk | Do other institutions in our competitive set use this same model? What is the vendor’s plan for simultaneous model failures across clients? |

PM Responsibilities by Phase

| Phase | Key Actions |
|---|---|
| Planning | Classify every AI system against the SR 11-7 tiering framework. Identify applicable regulations: ECOA/Regulation B for credit AI, FINRA for customer-facing content, EU AI Act for EU exposure, state privacy laws for voice AI. Include model validation, fair lending testing, adverse action notice mapping, and examiner-ready documentation as formal project deliverables. |
| Development and Procurement | For vendor AI: conduct SR 11-7-aligned due diligence before contract execution. Design adverse action notice mapping before model completion. Complete proxy variable analysis before fair lending testing. For voice AI: design consent workflows and confirm state privacy law compliance. |
| Deployment | Confirm SR 11-7 documentation is complete and examiner-ready before go-live. Validate that monitoring is operational before go-live. Brief model users on limitations, override authority, and documentation requirements. |
| Post-Deployment | Conduct first formal monitoring review at 90 days. Run annual re-validation including fresh fair lending testing with current production data. Update model inventory within 30 days of any material model change. |
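As an added example for the monitoring and re-validation steps above (not the article's or any institution's code), the following computes a population stability index (PSI) on a credit model's score distribution: the development sample is compared with current production scores bin by bin, and the result is mapped to an escalation status for the 90-day review. The score samples, the bin edges and the 0.10/0.25 cut-offs are constructed rule-of-thumb values, not regulatory numbers.

```python
"""Ongoing-monitoring drift check with the population stability index (PSI).

Added example with constructed score samples. PSI sums, over each score bin,
(p_prod - p_dev) * ln(p_prod / p_dev); larger values mean the population the
model now scores has moved away from the one it was validated on.
"""
from bisect import bisect_right
from math import log

# Constructed cut points; five bins: <580, 580-639, 640-699, 700-759, >=760.
BIN_EDGES = [580, 640, 700, 760]

# Constructed samples (not real applicants). The development sample is what
# validation saw; the production sample is the next 90 days of live scoring.
DEV_SCORES = [560, 575, 590, 600, 615, 630, 645, 650, 660, 670,
              680, 685, 690, 695, 705, 720, 740, 755, 770, 790]
PROD_SCORES = [540, 550, 560, 570, 578, 585, 595, 605, 615, 625,
               635, 645, 655, 665, 675, 685, 695, 710, 730, 765]


def histogram(scores, edges=BIN_EDGES):
    """Count scores per bin; bin i holds values in [edges[i-1], edges[i])."""
    counts = [0] * (len(edges) + 1)
    for s in scores:
        counts[bisect_right(edges, s)] += 1
    return counts


def psi(dev_scores, prod_scores, edges=BIN_EDGES, eps=1e-4):
    """PSI between two samples. `eps` floors empty bins so a bin that is
    populated in one sample and empty in the other does not divide by zero."""
    dev, prod = histogram(dev_scores, edges), histogram(prod_scores, edges)
    total = 0.0
    for d, p in zip(dev, prod):
        p_dev = max(d / len(dev_scores), eps)
        p_prod = max(p / len(prod_scores), eps)
        total += (p_prod - p_dev) * log(p_prod / p_dev)
    return total


def drift_status(value):
    """Common rule-of-thumb bands (assumed, not a regulatory threshold)."""
    if value < 0.10:
        return "stable"
    if value < 0.25:
        return "moderate shift: investigate"
    return "significant shift: escalate for re-validation"


def monitoring_review(dev_scores, prod_scores, edges=BIN_EDGES):
    """Examiner-ready record: per-bin shares, the index and the status."""
    dev, prod = histogram(dev_scores, edges), histogram(prod_scores, edges)
    value = psi(dev_scores, prod_scores, edges)
    return {
        "bins": [(d / len(dev_scores), p / len(prod_scores)) for d, p in zip(dev, prod)],
        "psi": value,
        "status": drift_status(value),
    }


if __name__ == "__main__":
    review = monitoring_review(DEV_SCORES, PROD_SCORES)
    for i, (p_dev, p_prod) in enumerate(review["bins"]):
        print(f"bin {i}: dev={p_dev:.2f} prod={p_prod:.2f}")
    print(f"PSI={review['psi']:.3f} -> {review['status']}")
```

On the constructed sample the production population has shifted toward low scores (a quarter of applicants now fall below 580 versus a tenth at development), giving a PSI of roughly 0.31, above the 0.25 band; that is the kind of result that should trigger the re-validation and fresh fair lending testing in the post-deployment row rather than waiting for the annual cycle.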

Right-Sizing for Your Situation

Greenfield

For PMs new to financial services AI governance. Covers SR 11-7 model inventory and tiering basics, ECOA adverse action notice requirements for credit AI, minimum fair lending testing methodology, and consent framework essentials for customer communications AI.

Emerging

For PMs building repeatable governance programs. Comprehensive SR 11-7 implementation framework, fair lending testing methodology including proxy variable analysis and LDA testing, vendor due diligence templates, adverse action notice mapping process, and EU AI Act Annex III compliance roadmap.

Established

For PMs in mature financial institutions. Integrating AI governance with existing MRM programs, enterprise model inventory management, FSOC concentration risk assessment, examiner preparation, and DORA operational resilience integration for EU-regulated entities.


Framework References

Federal Reserve / OCC SR 11-7: Supervisory Guidance on Model Risk Management (April 2011, FDIC adopted 2017) — Model inventory, independent validation, ongoing monitoring, and documentation for all models in material decisions. Applies to AI and ML per OCC Comptroller’s Handbook.

CFPB Circular 2022-3, Circular 2023-3, and August 2024 Treasury Comment — ECOA adverse action notice requirements apply regardless of model complexity; generic explanations violate Regulation B; LDA standard applies; deploying AI producing disparate impact constitutes a discriminatory policy.

EU AI Act (Reg. (EU) 2024/1689) — Annex III Article 5(b) (credit scoring as high-risk), Article 13 (transparency), Article 14 (human oversight). Full compliance required August 2, 2026. DORA applies for operational resilience.

Massachusetts AG v. Earnest Operations LLC (July 10, 2025) — First state AI fair lending enforcement action. Proxy variable analysis and disparate impact testing required before deployment; training on biased human decisions without controls violates fair lending law.

FSOC Annual Report 2024 (December 2024) — Elevated AI as a systemic risk focus. Flagged concentration risk from correlated institutional reliance on the same vendors and models.

NIST AI RMF 1.0 — MEASURE 2.11 (proxy variable analysis, subgroup bias testing), MEASURE 2.9 (explainability), MANAGE 3.1 (third-party AI risk), MANAGE 4.1 (continuous monitoring).

This article is part of AIPMO’s Financial Services series. See also: Model Risk Management and SR 11-7  |  Fair Lending and Credit AI  |  GenAI in Financial Services
