AIRiskAware

This article is currently available in English only.

Regulatory Strategy 11 min read 2026

What Financial Services Regulators Actually Want on AI Governance in 2026

The gap between what financial services regulators say in guidance documents and what they actually look for in examinations and enforcement actions is significant. Based on regulatory engagement across APRA, FCA, MAS, and ACPR, here is what actually matters.


Key Takeaways

  • Financial services regulators in 2026 are conducting AI-specific thematic reviews — no longer asking 'do you use AI' but 'show us how you govern the AI you use'. The level of specificity required has increased significantly.

  • The single most common finding in AI governance examinations is the gap between documented governance and operational reality — policies that exist but are not being applied to actual AI deployment decisions.

  • APRA's approach: model risk management through CPG 234 and operational risk prudential standards. The examination asks for evidence that AI models are validated, monitored, and within approved risk appetite.

  • The FCA's approach: consumer outcomes focus — AI governance is assessed through the Consumer Duty lens, asking whether AI systems produce fair outcomes for consumers rather than whether the AI policy document is comprehensive.

  • MAS's approach: principles-based but increasingly specific — the November 2025 consultation on AI risk management guidelines signals mandatory obligations for all financial institutions, moving beyond voluntary frameworks.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified expert for specific guidance."

What financial services regulators actually expect on AI

Across major jurisdictions in 2026, financial services regulators have moved from policy statements about AI to operational expectations they will examine and enforce. The expectations are now specific enough that you can read them, map them to your organisation, and identify gaps. This article translates the regulatory expectations into what financial services firms — banks, insurers, asset managers, fintechs — actually need to have in place.

The expectations are remarkably consistent across regulators. The substance — what regulators want — is converging on a common set of requirements even where the legal framework differs.

The common substantive expectations

Six themes recur across APRA's 30 April 2026 industry letter, the ECB's July 2025 Supervisory Guide on Internal Models, the Federal Reserve's SR 26-2 of 17 April 2026, ASIC's October 2024 REP 798, MAS's proposed November 2025 AI Risk Management Guidelines, the FCA's evolving Consumer Duty AI approach, and the HKMA's 2025-2026 AI circulars:

1. Board AI literacy. Boards must have enough understanding of AI to provide effective challenge. APRA names this explicitly. The Federal Reserve expects directors to engage substantively with model risk including AI/ML. The FCA SM&CR framework places personal accountability on Senior Managers including for AI risk.

2. AI inventory and lifecycle management. Regulators expect firms to know what AI is in production, who owns it, what risk classification applies, and where it sits in the AI lifecycle. APRA, ECB, and the Federal Reserve all converge on inventory as a baseline requirement.

3. Risk classification and tiered controls. AI systems should be classified by materiality and risk, with control rigour proportional to classification. SR 26-2 implements materiality-tiered control; APRA's expectations for high-risk versus standard AI mirror this; ECB extends MRM expectations to all models including AI/ML.

4. Independent validation. Material AI systems require independent validation — conceptual soundness, ongoing monitoring, outcome analysis. The Federal Reserve's SR 26-2 codifies this; ECB's Supervisory Guide applies it to AI/ML; APRA expects continuous validation rather than point-in-time assurance.

5. Third-party AI risk. AI vendor relationships are treated as material third-party risk requiring full operational resilience oversight. APRA CPS 230 explicitly captures AI vendors. DORA captures AI as ICT third-party services in EU financial services. ECB's outsourcing guidance reinforces this.

6. Human oversight and contestability. AI-driven customer decisions must allow for meaningful human review. The FCA's Consumer Duty creates an ongoing obligation to monitor AI-driven customer outcomes, and ASIC's REP 798 expects the same in Australian financial services. GDPR Article 22 (Articles 22A-D under the UK DUAA) applies in EU and UK markets.

APRA's specific expectations (Australia)

APRA's industry-wide letter of 30 April 2026 to authorised deposit-taking institutions, insurers, and superannuation entities crystallised its expectations. The letter names four gaps: AI inventory and lifecycle management; identity and access management for non-human actors (AI agents); supplier risk concentration and opacity; and change management for dynamic AI systems. The minimum board expectation, in force from 30 April 2026, is enough AI literacy to set strategic direction and provide effective challenge and oversight. Under CPS 230 (in force 1 July 2025, with amendments from 1 July 2026) the material service provider framework applies to AI vendors, which are not in the limited NTSP exempt categories. Adversarial testing, covering prompt injection, jailbreak, and data exfiltration, is expected for material AI.

Federal Reserve/OCC/FDIC expectations (US)

SR 26-2 (17 April 2026), the joint Fed/OCC/FDIC supervisory guidance on model risk management, applies to large banks ($30bn+ in assets). Materiality-tiered approach replaces uniform expectations. Risk-based monitoring replaces annual revalidation. Critically, Footnote 3 explicitly excludes generative AI and agentic AI from SR 26-2's scope — institutions must develop separate governance frameworks for GenAI and AI agents. This is a major operational implication: a bank cannot simply extend its SR 11-7 framework to cover GenAI.

The FTC remains active on AI deception and unfair practice. CFPB has been active on AI in credit (adverse action notices, disparate impact). The OCC, SEC, and CFTC have been issuing AI-specific guidance through 2025-2026.

ECB and EBA expectations (EU)

The ECB's Supervisory Guide on Internal Models (25 July 2025) was the major shift: MRM expectations now apply to all models including AI/ML, not just regulatory internal models. Chapter 9 specifically addresses ML models: data governance, hyperparameter tuning, model drift, explainability, and IT infrastructure. The ECB's 2026 focus is GenAI, third-party concentration, and operational resilience. AI workshops with 9 European countries in 2025 revealed that banks expected fraud detection AI to be low-risk under the EU AI Act; the ECB did not endorse that view. No banks reported using GenAI in credit scoring, citing development time, cost, and trust.

The EU AI Act applies directly. Obligations for high-risk AI (employment, credit, biometric) apply from 2 December 2027 (post-Digital Omnibus). The EBA continues to issue guidance on AI in supervisory expectations.

FCA expectations (UK)

There is no standalone AI rulebook. The Consumer Duty (introduced July 2023, fully effective July 2024) is the primary FCA framework. The Mills Review (January 2026) categorised AI use as assistive, advisory, or autonomous, with recommendations due summer 2026. Under SM&CR personal accountability, SMF24 (Chief Operations), SMF4 (Chief Risk), and SMF16 (Compliance) carry AI risk personally. The FCA AI Lab runs the Supercharged Sandbox (Cohort 1 with 23 firms) and AI Live Testing, with Cohort 2 commencing April 2026. The PS25/22 targeted support framework is active from April 2026.

MAS expectations (Singapore)

MAS proposed its AI Risk Management Guidelines in November 2025: a comprehensive draft covering board oversight, AI inventories, risk assessments, lifecycle controls, fairness, transparency, human oversight, and third-party risk management. The MAS Technology Risk Management (TRM) Guidelines are already legally binding for financial institutions and incorporate Singapore's Model AI Governance Framework as binding AI risk control requirements. The MAS FEAT Principles (Fairness, Ethics, Accountability, Transparency) remain foundational.

HKMA, BaFin, and other expectations

The HKMA issued a circular on 19 November 2025 on the feasibility of AI for AML (48 authorised institutions had completed studies), and its 16 March 2026 circular addressed AI for sanctions screening. Hong Kong's SFC issued a GenAI LLM circular to Licensed Corporations. The PCICSO was gazetted on 28 March 2025 and came into force on 1 January 2026. Germany's BaFin integrates AI into MaRisk, and the ECB Supervisory Guide applies to German significant institutions.

What firms should have in place by August 2026

Across jurisdictions, the practical compliance position by August 2026 should include:

  • An AI inventory and risk classification covering all AI systems in production, with named business owners and risk tiers.

  • Board-level AI governance with named accountability, regular reporting, an AI literacy programme for directors, and a board-approved AI risk appetite statement.

  • An AI risk framework aligned with the applicable regulators — APRA CPS 230 + CPS 234 for Australia; SR 26-2 for US large banks; ECB Supervisory Guide for EU significant institutions; FCA Consumer Duty for the UK; MAS TRM Guidelines for Singapore.

  • Independent validation processes for material AI with documented methodologies, monitoring metrics, and outcome analysis.

  • Updated vendor contracts reflecting CPS 230, DORA, the AI Act, and other applicable third-party risk requirements.

  • Adversarial testing for high-risk AI — prompt injection, jailbreak, and data exfiltration testing should be documented and repeated.

  • Incident reporting and response mechanisms that explicitly include AI-specific scenarios.

  • Customer outcomes monitoring for AI affecting customers — Consumer Duty in the UK, ADM transparency in Australia (10 Dec 2026), CFPB ECOA monitoring in the US.

  • Documentation discipline — model documentation, decision logic, testing records, monitoring data. Regulators will examine evidence of compliance, not just policies on intranets.

The honest assessment

Most regulated financial services firms have policies that look right on paper. What regulators are looking for in 2026 is operational evidence — that the AI governance framework is implemented, monitored, and producing measurable outcomes. The gap between "we have an AI policy" and "we have demonstrable AI governance" is where most examination findings will sit. Closing that gap is the work of 2026.

Primary sources: Federal Reserve SR 26-2 · APRA · FCA AI Approach · MAS Singapore