AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

· CMP-010High effort

AI Use in Regulatory Reporting and Risk Modeling

Map all AI system use cases in regulatory reporting, stress testing, and risk modeling to supervisory expectations, and document how AI outputs are validated before submission to regulators.

Objective

Ensure AI systems used in regulatory reporting or risk modeling are identified, mapped to applicable supervisory expectations, and subject to validation controls that meet or exceed examiner requirements.

Maturity Levels

1

Initial

AI use in regulatory reporting is not systematically tracked. AI tools are used opportunistically without formal validation.

2

Developing

Major AI uses in reporting are known informally, but a complete inventory has not been documented and supervisory expectations have not been reviewed.

3

Defined

A register maps every AI system used in regulatory reporting or risk modeling to applicable supervisory guidance. Validation documentation exists for each system.

4

Managed

AI use in regulatory reporting is reviewed annually by Model Risk Management and internal audit. Validation findings are tracked to remediation. Regulators have been proactively notified of material AI uses where required.

5

Optimizing

AI validation methodology is benchmarked against leading-practice supervisory guidance (SR 11-7, ECB model risk guidance, MAS FEAT). Engagement with examiners includes advance discussion of AI model governance approaches.

Evidence Requirements

What an auditor or assessor would expect to see for this control.

  • AI use in regulatory reporting register listing every system, its regulatory application, applicable supervisory guidance, validation status, and last validation date.
  • Validation documentation meeting applicable supervisory standard (SR 11-7, ECB, or equivalent) for each AI model in scope.
  • Evidence of regulatory notification or disclosure where material AI use in reporting has been introduced or materially changed.

Implementation Notes

Key steps

  • Inventory all AI uses in regulatory-facing processes:

    • Credit risk models (stress tests, DFAST/CCAR scenarios, IFRS 9/CECL calculations)
    • AML/transaction monitoring models
    • Fraud detection
    • Capital modeling
    • Regulatory reporting (automated data extraction, report generation, reconciliation)
    • Insurance actuarial modeling
    • Investment risk analytics

  • For each identified use, document: model description, use in regulatory context, applicable supervisory guidance, validation approach, and last validation date.

  • Map each use to applicable supervisory expectations:

    • US banks: SR 11-7 model risk management guidance applies to all models including AI/ML.
    • EU banks: ECB Guide on internal models; EBA Guidelines on internal governance.
    • Singapore: MAS FEAT Principles for AI in financial services.
    • Insurance: State insurance commissioner AI model expectations (varies by state).
    • AML: FATF AI guidance; FinCEN expectations on AI in suspicious activity monitoring.

  • Validate AI models used in regulatory reporting to the applicable standard. For SR 11-7: conceptual soundness review, outcome analysis, benchmarking, sensitivity analysis.

  • Notify regulators proactively where material AI use changes occur in regulatory-facing models. Some supervisors require advance notice before live deployment.

Common gaps

  • Treating AI in regulatory reporting as outside the scope of model risk management because it is used for report generation rather than directly in decisions.
  • Not extending SR 11-7 governance to machine learning models added to existing reporting pipelines.
  • Using vendor-supplied AI models in regulatory reporting without obtaining model documentation from the vendor.

Example Implementation

AI Use in Regulatory Reporting Register (excerpt)

SystemRegulatory UseSupervisory StandardValidation StandardLast ValidatedExaminer NotifiedStatus
ML credit loss modelCECL expected loss estimation (10-K disclosure)SR 11-7 + FASB ASC 326SR 11-7 full validation2025-09Yes — OCC 2025-10Live
AML transaction monitoring AISAR filing triggerSR 11-7 + FinCEN guidanceSR 11-7 conceptual soundness + outcome analysis2025-11Yes — FinCEN advisoryLive
Report generation LLMAutomated MD&A drafting (human reviews)FTC + SEC guidanceOutput accuracy review + human sign-off logMonthlyNo — not material changeLive — enhanced review
Stress test scenario AIDFAST adverse scenario generation (input to approved model)SR 11-7Benchmarking against historical scenarios2025-06Yes — Fed 2025-07Live

Control Details

Control ID
CMP-010
Domain
Typical owner
Risk / Compliance / Model Risk Management
Implementation effort
High effort
Agent-relevant
No

Tags

regulatory reportingmodel risk managementfinancial services AIsupervisory expectationsSR 11-7

Mapped Regulations

FATF AI Anti-Money Laundering GuidancePrinciples to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore's Financial Sector

Related Controls

CMP-001Multi-Jurisdiction AI Regulatory Compliance MappingHOC-001AI System Risk ClassificationMON-003AI Bias and Fairness MonitoringALC-005Regulatory Audit ReadinessALC-002High-Risk AI Audit Trail

Related Playbook

How do we disclose AI governance maturity to investors and regulators?Who owns AI governance within the organization?How do we build an AI governance program from scratch?What do we do when an AI system causes harm or fails?How do we govern AI models from preview release through retirement?How do we build and maintain an AI model registry?How do we govern our AI supply chain and manage upstream model dependencies?How do we inventory and classify AI systems by risk level?What does audit-ready AI documentation look like in practice?How do we report AI risk to the board and audit committee?How do we build director-level AI literacy for effective board oversight?How do we comply with the EU AI Act?How do we manage third-party AI vendors safely throughout the vendor lifecycle?How do we measure and mitigate algorithmic bias?What is our process for model drift monitoring?How do we build and maintain a multi-framework AI risk register?How do we map AI compliance obligations across multiple jurisdictions?How do we prepare for AI regulation over the next 12 months?What are our obligations under emerging AI regulations?How do we ensure third-party AI vendors meet our standards?How do we apply a three lines of defense model to AI risk?How do we monitor voluntary AI safety commitments and respond when they change?