U.S. Bank Regulators Intensify AI Oversight Without New Rules

U.S. banking regulators are significantly increasing their oversight of artificial intelligence systems deployed by financial institutions, according to sources familiar with the matter, as reported by Reuters. The Office of the Comptroller of the Currency and the Federal Reserve have begun pressing banks during routine examinations to detail how they use AI in high-risk areas including lending decisions, customer verification, and sanctions screening.

The heightened scrutiny comes as banks rapidly expand AI applications beyond basic virtual assistants into complex functions like regulatory monitoring and credit underwriting. Rather than imposing new AI-specific regulations, supervisors are leveraging existing frameworks for model risk management, third-party oversight, and consumer protection to assess how institutions manage the emerging technology.

What regulators are asking

During bank examinations, supervisors are now asking detailed questions about AI governance structures, according to three sources who spoke to Reuters. These inquiries cover whether banks have implemented "kill switches" that allow immediate system shutdowns, how firms safeguard client data, and what controls prevent AI models from accessing or inferring information beyond authorized limits.

Regulators are particularly concerned about ensuring AI systems don't exceed their intended scope, especially as models are designed to extract and connect information across multiple systems. This raises significant risks around privacy, confidentiality, and regulatory compliance.

Human oversight mechanisms are another focus area. Supervisors want clarity on who has authority to intervene when AI systems malfunction or produce problematic outputs, and what guardrails limit how models behave.

Vendor risk takes center stage

A major area of regulatory attention is third-party risk management. As banks increasingly rely on external providers for AI tools, regulators are questioning whether these vendors and their subcontractors meet the same governance and security standards required of the banks themselves.

Supervisors are also asking whether banks have developed exit strategies in case of security breaches with vendor systems—a growing concern as AI becomes more deeply embedded in core banking operations.

The regulatory approach reflects broader concerns about cybersecurity vulnerabilities. The Treasury and banking agencies are examining risks posed by advanced systems, including Anthropic's frontier AI model Mythos, which cybersecurity experts say could exploit vulnerabilities in legacy banking technology infrastructure.

Why it matters

The regulatory intensification signals that AI oversight in banking will remain principles-based rather than prescriptive in the near term, giving institutions flexibility but also uncertainty. For banks, this means existing risk management frameworks must stretch to cover rapidly evolving AI capabilities—a challenge when the technology advances faster than traditional regulatory cycles. The focus on vendor risk and data access controls suggests that third-party AI providers will face increasing scrutiny, potentially affecting procurement decisions and partnership structures across the industry.

The pace problem

Regulators themselves acknowledge the challenge of keeping up with AI's velocity. The technology is advancing at a pace that exceeds traditional regulatory learning and rulemaking cycles, raising concerns that formal guidance could become outdated quickly once issued.

In April, the OCC, Federal Reserve, and Federal Deposit Insurance Corporation announced plans for a formal request for information on banks' use of AI, including generative and agentic systems. While such requests don't impose new rules, they help agencies gather input before deciding whether to act.

Federal Reserve Vice Chair for Supervision Michelle Bowman acknowledged in a May speech that while existing risk-management frameworks currently guide banks' AI use, regulators "should assess whether our supervisory guidance is fit for the future."

For now, supervisors are focused on gathering information and understanding industry practices rather than restricting specific AI applications. The sources indicated that AI use is now part of every bank examination conversation.

These details were first reported by Reuters correspondent Nupur Anand.