Banks face AI model risk

Banks are treating generative artificial intelligence less like a novelty and more like a model-risk problem that can reach core banking decisions. (risk.net) A large language model is software trained on vast amounts of text to predict the next word, which lets one system draft emails, summarize documents, answer questions and write code. Banks are testing those tools for jobs ranging from customer support to compliance and credit work. (ecb.europa.eu) (risk.net) That creates a governance problem because bank model controls were built for narrower tools with a defined purpose, data set and owner. The Federal Reserve and Office of the Comptroller of the Currency’s 2011 model-risk guidance centers on validation, documentation and governance for quantitative models used in decision-making. (federalreserve.gov) (occ.gov) Generative systems blur those boundaries because one bot can handle dozens of tasks and change behavior with a new prompt, plug-in or vendor update. Risk.net reports banks are struggling to define where the model starts and stops, which uses are allowed and how to audit what happened after the fact. (risk.net) Supervisors are seeing the same shift. In a joint 2024 survey, the Bank of England and Financial Conduct Authority said 75% of firms were already using artificial intelligence, another 10% planned to within three years, and foundation models made up 17% of reported use cases. (bankofengland.co.uk) (fca.org.uk) The survey also found 33% of use cases relied on third parties, while the top three providers accounted for 73% of cloud providers, 44% of model providers and 33% of data providers. Only 34% of firms said they had a “complete understanding” of the artificial intelligence they used, while 46% reported only a partial understanding. (bankofengland.co.uk) (fca.org.uk) Those numbers point to three concrete bank worries: hidden vendor dependencies, weak explainability and thin audit trails. If a chatbot helps draft a credit memo, flags fraud or summarizes a policy, a bank still has to show who approved the use, what data went in and how errors are caught before they reach a customer or regulator. (bankofengland.co.uk) (nist.gov) Regulators have not replaced the old model-risk rulebook, but banks are already stretching it over new systems. Federal Reserve guidance says model risk rises from bad outcomes or misuse, and the National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework tells firms to map, measure, manage and govern those risks across the full life cycle. (federalreserve.gov) (nist.gov) Europe is adding a second layer of pressure. The European Union’s Artificial Intelligence Act began phasing in obligations after it entered into force in 2024, and the Commission published guidelines on prohibited practices on February 4, 2025, while broader rules for general-purpose and other systems are being applied in stages. (digital-strategy.ec.europa.eu) (dlapiper.com) For banks, the immediate question is no longer whether employees will use assistant-style artificial intelligence. It is whether compliance, risk and audit teams can pin down what each bot is permitted to do before a flexible tool becomes an uncontrolled model. (risk.net)