13 posts tagged with "Financial Services"

AI governance in banking, payments, and capital markets

FINRA and the SEC: AI Compliance for Broker-Dealers and Investment Advisers

5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

FINRA and the SEC have moved from observation to active expectation on AI. FINRA's 2024 AI in Financial Services report outlined specific examination focus areas. The SEC's 2024 guidance on AI use in investment advice created new conflicts of interest disclosure requirements. And FINRA Rule 3110's supervision requirement applies to AI systems used in client-facing functions as fully as it does to human representatives.

If you're a broker-dealer or investment adviser using AI agents for client communication, suitability analysis, order routing, or research, the regulatory expectations are clear, and examiners are increasingly checking for them.

UK AI Regulation: The FCA, ICO, and the Principles-Based Approach After Brexit

5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

The UK made a deliberate choice not to copy the EU AI Act. After Brexit, the government opted for a cross-regulator, sector-specific, principles-based approach to AI regulation — lighter-touch by design, aiming to position the UK as a pro-innovation AI jurisdiction.

In practice, "lighter-touch" doesn't mean "ungoverned." It means the rules live inside sector regulators — the FCA, ICO, PRA, CMA — rather than in a single prescriptive statute. For AI teams building products for the UK market, understanding this distributed regulatory structure is essential.

Multi-Framework AI Compliance: How Global Enterprises Handle 12+ Overlapping Regulations

4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

A global financial services company operating in New York, London, Frankfurt, Sydney, and Singapore doesn't get to choose which regulations apply. They all apply simultaneously. SOX + GDPR + HIPAA + MiFID II + FCA + DORA + NIS2 + AML + PCI-DSS + ISO 27001 + NIST CSF + SOC 2.

The question isn't "which ones do we need to comply with." The question is "how do we build a single governance architecture that satisfies all of them without creating 12 separate compliance silos."

The answer is that most frameworks require the same underlying controls — they just describe them differently and attach different evidence requirements.

GLBA Safeguards and NYDFS 500: US Financial Privacy AI Requirements with Personal Liability

4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

Two US financial privacy regulations updated significantly in 2023: the FTC's Safeguards Rule under GLBA (effective June 2023) and New York DFS's 23 NYCRR 500 cybersecurity regulation (effective November 2023). Both have teeth that the originals lacked — and both attach personal liability to individuals for compliance failures.

If you're a US financial institution, non-bank financial company, or mortgage servicer, and you're deploying AI agents that touch customer financial data, both regulations apply.

SFDR, CSRD, and AI: How ESG Reporting Requirements Govern AI Agents in Sustainable Finance

4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

ESG investing has generated its own regulatory stack: SFDR (Sustainable Finance Disclosure Regulation) requires fund managers to classify products under Article 6, 8, or 9 and disclose how sustainability factors are integrated. CSRD (Corporate Sustainability Reporting Directive) requires large EU companies to report on sustainability using ESRS (European Sustainability Reporting Standards).

Both regulations increasingly involve AI: ESG scoring models, portfolio screening algorithms, automated ESRS data collection, and natural language processing of sustainability disclosures. Where AI is involved, the governance and audit requirements of these regulations apply to the AI layer.

PCI-DSS 4.0 and AI Payment Agents: Protecting Cardholder Data in Automated Pipelines

4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

PCI-DSS 4.0 became the mandatory standard on March 31, 2024. Version 3.2.1 is retired. Among the significant changes in v4.0: expanded requirements for automated and AI-driven systems operating within or adjacent to the Cardholder Data Environment (CDE).

If your AI agent handles, routes, processes, or queries payment card data — primary account numbers (PANs), CVVs, cardholder names, expiration dates — PCI-DSS 4.0 applies to both the agent and its infrastructure.

DORA and AI Agents: ICT Risk Management for EU Financial Entities

5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

DORA — the Digital Operational Resilience Act — became applicable on January 17, 2025. It applies to EU financial entities (banks, investment firms, insurance companies, payment institutions, crypto-asset service providers) and their critical ICT third-party service providers.

If you're an AI vendor providing services to EU financial institutions, or an EU financial institution running your own AI agents, DORA's ICT risk management framework applies to those AI systems.

LGPD and AI Agents in Brazil: ANPD Enforcement Is Active and Growing

4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

Brazil's LGPD (Lei Geral de Proteção de Dados) came into force in September 2020. After a grace period, ANPD (Autoridade Nacional de Proteção de Dados) began issuing enforcement actions in 2023. The fines are real, the investigations are real, and the pattern of enforcement is becoming clear.

If your AI agents process personal data of Brazilian residents — including purchasing behavior, CPF numbers, location data, or any other information that identifies an individual — LGPD applies regardless of where your company is headquartered.

SOX and AI Financial Reporting: What Sections 302, 404, and 906 Mean for Autonomous Agents

5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

SOX Section 302 requires the CEO and CFO to personally certify that financial reports are accurate and that they've reviewed the controls over financial reporting. Section 906 makes false certifications a criminal offense — up to 20 years in prison.

When an AI agent is generating financial reports, running disclosure checks, or preparing SEC filings, those certifications still apply. The executives signing them need to be able to vouch for the process that produced the numbers.

That's only possible if the AI's actions are auditable, the outputs are traceable to specific data sources, and a human reviewed the result before it was filed.

MiFID II and Algorithmic Trading AI: Best Execution, Kill Switches, and the Algo Register

4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

MiFID II Article 17 was written specifically for algorithmic trading. It predates large language models, but its requirements translate directly to AI trading agents: you need a kill switch, an algo register, annual conformity testing, and an audit trail that covers every order generated by the algorithm.

The FCA's equivalent rules in the UK (post-Brexit) mirror MiFID II Article 17 almost exactly. If you operate in both jurisdictions, you're dealing with two regulators but essentially the same requirements.