financial services

AI agent readiness in financial services

Financial services is adopting agents in exactly the places regulators watch most closely: customer communication, claims and disputes, credit operations, and compliance itself. The institutions moving fastest are not the ones with the best models — they are the ones whose control environment already knew how to absorb a new kind of actor.

Adoption drivers

Specific risks

Unexplainable decisions in regulated processes

Credit, collections, and claims decisions carry explanation obligations. An agent that influences these decisions without producing reconstructable reasoning creates a gap between what the institution did and what it can demonstrate — which, under fair-lending and conduct rules, is itself a finding.

Record-keeping gaps

Books-and-records obligations do not exempt software. An agent that communicates with customers or moves money without writing to retained, tamper-evident records puts the institution out of compliance regardless of whether any individual action was wrong. Wiring agent actions into existing books-and-records pipelines at build time is far cheaper than retrofitting compliant capture after a deficiency letter.

Third-party and model risk

Model risk management frameworks (SR 11-7 and kin) were built for quantitative models with stable behaviour. Agents that change with every provider update strain the validation cycle, and supervisors increasingly expect agents to be in scope of MRM inventories. The practical move is to extend the existing MRM inventory to agents now, before an examiner asks why they were not in it.

Regulatory context

Readiness checklist

  • Every agent touching customer outcomes is in the model/agent inventory with an owner and validation status
  • Agent actions on accounts, payments, or communications write to books-and-records-grade storage
  • Decisions with explanation obligations have reconstructable traces linking inputs to outputs
  • Human approval gates cover irreversible financial actions above defined thresholds
  • Agent identities are distinct, and access reviews include agents alongside human users
  • The kill path for each customer-facing agent is tested and timed

Frequently asked questions

Are AI agents regulated in financial services?

Yes, increasingly. Agents that use LLMs are being pulled into model risk management (SR 11-7 and kin), their communications and transactions fall under books-and-records rules (SEC 17a-4, FINRA), and credit and certain insurance uses are high-risk under the EU AI Act. Fair-lending and GDPR explanation rights also apply when agents touch customer outcomes.

What is the biggest AI agent risk for a bank or financial institution?

Unexplainable decisions in regulated processes. Credit, collections, and claims decisions carry explanation obligations, so an agent that influences them without producing reconstructable reasoning creates a gap between what the institution did and what it can demonstrate — which, under fair-lending and conduct rules, is itself a finding.

How should a financial-services firm prepare for AI agents?

Put every agent touching customer outcomes in the model and agent inventory with an owner and validation status, wire agent actions into books-and-records-grade storage, keep reconstructable traces for decisions with explanation obligations, gate irreversible financial actions above a threshold behind human approval, and give agents distinct identities included in access reviews.

Find out where your organisation stands on agent readiness.

Take the assessment →