
US AI Regulation for Financial Services

An examiner-ready map of US AI rules for banks and insurers: SR 11-7, the NAIC AI Model Bulletin, NIST AI RMF, and OCC/Fed/FDIC expectations.

By Evgeny Aleksandrov, Founder, BlackGrid


The United States has no single AI act for financial services. Instead it governs AI the way it governs most things in finance: through existing law and principles-based regulator guidance, applied institution-by-institution through supervision and examination. For anyone deploying agentic AI in financial services, that means there is no one rulebook to comply with — there is a map of overlapping expectations, and your program has to answer to all of it.

Diagram of the US AI regulation map for financial services: banking is governed by SR 11-7 / OCC model-risk guidance and CFPB/ECOA fair-lending rules; insurance by the NAIC AI Model Bulletin and state insurance departments; cross-cutting frameworks include the NIST AI RMF, the Treasury FS AI RMF, and NYDFS.

Banking

Insurance

Insurance is regulated at the state level, coordinated through the NAIC. The NAIC Model Bulletin on the Use of AI Systems by Insurers, adopted December 2023 and since enacted by roughly half the states, sets principles-based expectations: a written AI Systems program proportionate to risk, governance and accountability, third-party vendor diligence, and a focus on avoiding unfair discrimination. It is explicitly aligned with the NIST framework. See agentic AI in insurance for how this plays out in underwriting and claims.

Cross-cutting frameworks

  • NIST AI RMF — the Govern/Map/Measure/Manage core that both banking and insurance guidance point to.
  • US Treasury Financial Services AI RMF (February 2026) — a sector-specific adaptation of NIST for financial institutions.
  • NYDFS — AI-related cybersecurity and third-party-risk expectations under 23 NYCRR Part 500.

What this means for your program

There is no checkbox. A defensible US AI program maps to all three layers at once — model risk, the relevant sector rules, and the cross-cutting frameworks — and proves it with explainability and a complete audit trail. Build governance in from the start, and treat each examiner conversation as one your system was designed to pass.

Regulatory specifics change; confirm the current position with your compliance and legal teams before relying on any detail here.

Talk to BlackGrid about an agentic AI program built to satisfy US financial-services regulation.

Frequently asked questions

Is there a US AI law for financial services?

There is no single federal AI act. The US governs AI in finance through existing law (fair lending, consumer protection, model risk) plus principles-based regulator guidance — applied institution-by-institution through supervision and examination. That makes the landscape a map of overlapping rules rather than one statute.

What rules apply to AI in banking?

Model risk management guidance (SR 11-7, revised by OCC 2026-13), fair-lending law (ECOA / Regulation B) with CFPB's adverse-action expectations, and OCC / Federal Reserve / FDIC supervisory expectations. The revised model-risk guidance places generative and agentic AI outside its scope, shifting weight to voluntary frameworks.

What governs AI in insurance?

The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (adopted December 2023), which individual state insurance departments adopt. It is principles-based, expects a written AI Systems program, aligns with the NIST AI RMF, and emphasizes avoiding unfair discrimination.

How does the US approach differ from the EU AI Act?

The EU AI Act is a comprehensive, risk-tiered statute with explicit high-risk categories and obligations. The US relies on principles-based guidance plus existing law applied through supervision. A firm operating in both has to satisfy the EU's prescriptive regime and the US's examiner-driven one.


Sources

  1. Federal Reserve SR 11-7, Guidance on Model Risk Management (Apr 2011)
  2. OCC Bulletin 2026-13 / SR 26-02, Model Risk Management: Revised Guidance (Apr 2026)
  3. NAIC, Model Bulletin on the Use of AI Systems by Insurers (adopted Dec 4, 2023)
  4. NIST AI Risk Management Framework (AI RMF 1.0)
  5. US Treasury, Financial Services AI Risk Management Framework (Feb 2026)
  6. CFPB Circular 2022-03, Adverse-action requirements and complex algorithms (May 2022)
  7. NYDFS Industry Letter on cybersecurity risks from AI (Oct 16, 2024)