Financial Regulatory Agencies

Authors’ note: For this report, the authors use the definition of artificial intelligence (AI) from the 2020 National Defense Authorization Act, which established the National Artificial Intelligence Initiative.¹ This definition was also used by the 2023 “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.”² Similarly, this report makes repeated reference to “Appendix I: Purposes for Which AI is Presumed to be Safety-Impacting and Rights-Impacting” of the 2024 OMB M-24-10 memo, “Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence.”³

Artificial intelligence (AI) is poised to affect every aspect of the U.S. economy and play a significant role in the U.S. financial system, leading financial regulators to take various steps to address the impact of AI on their areas of responsibility. The economic risks of AI to the U.S. financial system include everything from the potential for consumer and institutional fraud to algorithmic discrimination and AI-enabled cybersecurity risks. The impacts of AI on consumers, banks, nonbank financial institutions, and the financial system’s stability are all concerns to be investigated and potentially addressed by regulators. While Governing for Impact (GFI) and the Center for American Progress have extensively researched these existing authorities in consultation with numerous subject matter experts, the goal is to provoke a generative discussion about the following proposals, rather than outline a definitive executive action agenda. Each potential recommendation will require further vetting before agencies act. Even if additional AI legislation is needed, this menu of potential recommendations to address AI demonstrates that there are more options for agencies to explore beyond their current work and that agencies cannot and should not wait to utilize existing authorities to address AI.

The October 2023 “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” assigned executive branch financial regulators AI-related tasks⁴ and specifically encouraged independent regulatory agencies, which cannot be directly tasked by the president, to address the risks of AI:

Independent regulatory agencies are encouraged, as they deem appropriate, to consider using their full range of authorities to protect American consumers from fraud, discrimination, and threats to privacy and to address other risks that may arise from the use of AI, including risks to financial stability, and to consider rulemaking, as well as emphasizing or clarifying where existing regulations and guidance apply to AI, including clarifying the responsibility of regulated entities to conduct due diligence on and monitor any third-party AI services they use, and emphasizing or clarifying requirements and expectations related to the transparency of AI models and regulated entities’ ability to explain their use of AI models.⁵

In March 2024, the U.S. Treasury Department issued a report on AI specific cybersecurity risks in financial services that included the following summary of the AI regulatory landscape:

Financial regulatory agencies generally do not issue regulations or guidance on specific technologies, but instead address the importance of effective risk management, governance, and controls regarding the use of technology, including AI, and the business activities that those technologies support. Regulators have emphasized that it is important that financial institutions and critical infrastructure organizations manage the use of AI in a safe, sound, and fair manner, in accordance with applicable laws and regulations, including those related to consumer and investor protection. Controls and oversight over the use of AI should be commensurate with the risk of the business processes supported by AI. Regulators have noted that it is important for financial institutions to identify, measure, monitor, and manage risks arising from the use of AI, as they would for the use of any other technology. Advances in technology do not render existing risk management and compliance requirements or expectations inapplicable. Various existing laws, regulations, and supervisory guidance are applicable to financial institutions’ use of AI. Although existing laws, regulations, and supervisory guidance may not expressly address AI, the principles contained therein can help promote safe, sound, and fair implementation of AI.⁶

As noted in the Treasury Department’s report, existing laws and regulations clearly apply to the use of AI in the financial services sector. This report for financial regulators highlights 11 relevant existing authorities and the numerous agencies that oversee them in detail below, along with recommendations on how to potentially utilize those authorities to address AI. It should be noted that there is some repetition and overlap in the recommendations for financial services regulators due to the multiple parallel existing statutory authorities. Additionally, these recommendations align with or draw from the AI best practices recommended by the Biden administration’s AI Bill of Rights, the National Institute of Standards and Technology (NIST) AI Risk Management Framework, the 2023 AI executive order, and the Office of Management and Budget (OMB) M-24-10 memorandum on “Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence” issued in March 2024.⁷

AI may affect financial services consumers and the U.S. and international banking and financial systems in various known and unknown ways.⁸ The risks and opportunities of AI for financial services start with similar broad concerns as other areas discussed in this report, including the need for safe and secure systems with clear safeguards to address and mitigate risk, the potential for algorithmic discrimination that perpetuates or exacerbates existing historical inequalities, the potential for fraud and harm to consumers, and the possibility of affecting essential systems.

Several areas of concern are detailed below:

• Prevention of access to financial services: AI-powered systems may prevent consumers from accessing critical financial services⁹ by illegally discriminating against customers, generating incorrect information for their credit reports, or using faulty AI systems to execute transactions. The OMB M-24-10 AI guidance lists AI used by federal agencies for “[a]llocating loans; determining financial-system access; credit scoring; determining who is subject to a financial audit; making insurance determinations and risk assessments; determining interest rates; or determining financial penalties” as potentially rights-impacting.¹⁰
• Algorithmic discrimination that may exacerbate historical inequalities: Massive amounts of data are required to train and run AI-powered systems.¹¹ In the financial services world, such historical data may dangerously reflect long-embedded systemic inequalities, such as redlining, unfair credit denials, and other discriminatory practices. AI systems trained on these historic data run the substantial risk of incorporating these inequities if not addressed proactively.

• AI-enabled fraud: AI is already embraced as a tool to enable advanced fraud against consumers and financial institutions. The use of AI voice cloning¹² and AI-generated fake accounts¹³ are just the tip of the iceberg when it comes to future AI-enabled financial fraud.
• Failure to comply with anti-money laundering requirements: The Bank Secrecy Act and Treasury Department regulations require institutions to submit suspicious activity reports (SARs) whenever customers engage in activity that may be money laundering.¹⁴ Black-box AI systems may fail to report otherwise suspicious activities, leaving banks in violation of the Bank Secrecy Act.
• Threats to safe, secure, and stable financial systems: Integrating AI systems into financial services may pose a risk to the operation of these critical systems, as their sophistication grows along with the lack of transparency into proprietary black-box AI systems and algorithms that provide essential services and upkeep. The 2008 financial crisis proved how important the stability of the broader financial system is for a growing economy; yet AI and the commercial cloud computing that provides advanced AI pose risks that could negatively affect financial stability. Indeed, the Financial Stability Oversight Council has identified AI as a “vulnerability” within the U.S. financial system.¹⁵ For example, a bank’s use of the same or similar data for AI-based risk management models, AI-enabled network effects, or unregulated AI service providers may pose systemic risks.¹⁶

Although certainly not exhaustive, these known risks affect at least three main categories of stakeholders in the financial sector:

1. Customers: Banks and other financial services providers may illegally discriminate against customers when making lending decisions with unknowingly biased AI systems.¹⁷ Banks’ and lenders’ retail and institutional customers are also at risk of faulty AI systems that fail to accurately respond to their inquiries, accurately assess their credit worthiness, or execute transactions.¹⁸ Similarly, brokers’ customers face losses from transactions that AI systems fail to execute.¹⁹ Financial institutions also serve as a wealth of information about customers, which is necessary for AI systems to operate, and may be liable for customer losses stemming from AI-enabled fraud.²⁰
2. Banks: The core purpose of bank regulation is to ensure banks’ safety and soundness,²¹ and AI could put this at risk. Banks face potential operational failures from AI-enabled cyberattacks that can evade their information technology (IT) defenses,²² runs from depositors’ use of AI for treasury management,²³ and losses from banks’ own opaque and faulty AI-based risk management systems.²⁴
3. Securities brokers and futures commission merchants, securities and derivatives exchanges, and other market intermediaries: In addition to banks, the nonbank financial institutions that comprise the capital markets are also poised to use AI systems that may pose risks to firms’ financial health and that of markets overall. Brokers may be liable for trades that AI systems failed to execute or misexecuted, and investment advisers and brokers may be liable for AI systems that fail to offer conflict-free advice or advice in the clients’ best interests.²⁵ Exchanges may face operational failures from their AI-based matching software or experience flash crashes stemming from erroneous high-frequency trading.²⁶ Additionally, clearinghouses relying on AI systems that fail may be unable to novate trades, putting the markets at risk of requiring bailouts.²⁷

The 2022 White House AI Bill of Rights, which was the basis of much of the 2023 executive order on AI, noted that AI or automated systems could “have the potential to meaningfully impact the American public’s rights, opportunities, or access to critical resources or services” and that critical resources or services included financial services.²⁸

The 2023 AI executive order outlines eight policies and principles for AI for the Biden administration’s approach to AI, including that AI must be “safe and secure,” “[promote] responsible innovation, competition, and collaboration,” and “[advance] equity and civil rights,” as AI “systems deployed irresponsibly have reproduced and intensified existing inequities, caused new types of harmful discrimination, and exacerbated online and physical harms.” The guidance specifically highlights the need to “enforce existing consumer protection laws and principles and enact appropriate safeguards against fraud, unintended bias, discrimination, infringements on privacy, and other harms from AI,” emphasizing the need for protections in “financial services.”²⁹

The executive order also required the secretary of the treasury to “issue a public report on best practices for financial institutions to manage AI-specific cybersecurity risks” and provides financial services and housing directives for the CFPB.³⁰ Finally, the order highlights the direction it hopes independent regulatory agencies not under the direct authority of the president will take on AI, noting:

Independent regulatory agencies are encouraged, as they deem appropriate, to consider using their full range of authorities to protect American consumers from fraud, discrimination, and threats to privacy and to address other risks that may arise from the use of AI, including risks to financial stability, and to consider rulemaking, as well as emphasizing or clarifying where existing regulations and guidance apply to AI, including clarifying the responsibility of regulated entities to conduct due diligence on and monitor any third-party AI services they use, and emphasizing or clarifying requirements and expectations related to the transparency of AI models and regulated entities’ ability to explain their use of AI models.³¹

The OMB M-24-10 AI guidance notes that AI used by federal agencies should be automatically presumed rights-impacting if used for “[a]llocating loans; determining financial-system access; credit scoring; determining who is subject to a financial audit; making insurance determinations and risk assessments; determining interest rates; or determining financial penalties (e.g., garnishing wages or withholding tax returns).”³²

The financial regulatory agencies have been working on addressing AI in a variety of ways.

The Consumer Financial Protection Bureau (CFPB) has been one of the most proactive federal agencies on the issue.³³ Director Rohit Chopra has made statements warning about the myriad risks of AI, including that its need for large datasets and computing power could result in a natural oligopoly: “There could be a handful of firms, and just to be honest, a handful of individuals who ultimately have enormous control over decisions made throughout the world.”³⁴ Chopra has also expressed concern that AI “magnifies disruptions in a market that turn tremors into earthquakes”³⁵ and that AI could be used for illegal and discriminatory lending decisions.³⁶

Accordingly, the CFPB has provided market participants with various guidance about how AI may and may not be used. The CFPB explained that federal law does “not permit creditors to use complex algorithms when doing so means they cannot provide the specific and accurate reasons for adverse actions.”³⁷ It has also warned that creditors may not “rely on overly broad or vague reasons to the extent that they obscure the specific and accurate reasons relied upon.”³⁸ The CFPB has criticized credit reporting agencies’ use of AI screening tools.³⁹ In conjunction with the U.S. Department of Justice, Equal Employment Opportunity Commission, and Federal Trade Commission, the CFPB warned that AI systems “have the potential to produce outcomes that result in unlawful discrimination” and that “[e]xisting legal authorities apply to the use of [AI] just as they apply to other practices.”⁴⁰ The CFPB has also penalized firms for relying on faulty automated compliance systems. The bureau ordered Wells Fargo to pay $3.7 billion for compliance failures that resulted in wrongful home foreclosures, car repossessions, and lost benefit payments⁴¹ and ordered Hello Digit to pay a $2.7 million fine for causing users to be charged overdraft fees.⁴² It is reportedly increasing examinations of AI systems.⁴³

At the Treasury Department, Graham Steele, while serving as assistant secretary for financial institutions in October 2023, gave a speech detailing how AI can affect banking, consumer finance, and insurance markets and emphasizing the importance of AI providers engaging in responsible innovation.⁴⁴ In addition, the Treasury Department appointed a chief artificial intelligence officer as required by the 2023 executive order on AI.⁴⁵ The Financial Stability Oversight Council (FSOC), which is chaired by the treasury secretary, has identified AI as a potential risk to the financial system and has issued recommendations to the other regulators to monitor AI’s development in their respective jurisdictions.⁴⁶ In a February 2024 testimony before the U.S. House Committee on Financial Services, Treasury Secretary Janet Yellen noted that the FSOC was “closely monitoring the increasing use of artificial intelligence in financial services, which brings potential benefits such as reducing costs and improving efficiencies and potential risks like cyber and model risk.”⁴⁷ And in March 2024, the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection issued a report in response to requirements from the 2023 executive order on AI, entitled “Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector.”⁴⁸ While focusing on the AI-specific risk of cybersecurity, the “Next Steps: Challenges & Opportunities” chapter contains a small section that notes “Regulation of AI in Financial Services Remains an Open Question” according to those interviewed for the report.⁴⁹

The federal banking agencies have also begun tackling AI, albeit at a slower pace.⁵⁰ The Office of the Comptroller of the Currency (OCC) formed an Office of Financial Technology.⁵¹ The Federal Deposit Insurance Corporation (FDIC) created FDITech, a tech lab, though it recently reduced its public-facing role.⁵² Four federal reserve banks—San Francisco, New York, Atlanta, and Boston—have also set up offices to study financial innovation and AI.⁵³ These efforts are intended to focus, in part, on how regulators can use AI to assist in regulating financial institutions as well as to better understand how banks are using AI in their activities. These agencies have also jointly issued a request for information on financial institutions’ uses of AI⁵⁴ and have proposed a rule to impose heightened standards for the use of home appraisals conducted using algorithms.⁵⁵

The Securities and Exchange Commission (SEC) is quickly evaluating how regulated institutions use AI in capital markets. Chairman Gary Gensler has given a plethora of speeches discussing the possible harms of AI,⁵⁶ including in a March 2024 interview with Politico in which he warned of a potential financial crisis caused in part by AI.⁵⁷ In addition, the agency has launched a Strategic Hub for Innovation and Financial Technology (FinHub) that focuses, in part, on AI generally in the securities markets.⁵⁸ The SEC proposed a rule to address risks posed to investors from conflicts of interest associated with using predictive data analytics.⁵⁹ With regard to investment advisers, the SEC’s examinations division has begun soliciting information about advisers’ uses of AI.⁶⁰ SEC staff have issued guidance⁶¹ and a risk alert⁶² addressing robo-advisers that use algorithms to make investment recommendations.

The Financial Industry Regulatory Authority (FINRA), the self-regulatory organization for securities brokers,⁶³ formed an Office of Financial Innovation to coordinate fintech efforts that include AI⁶⁴ and published a white paper on AI in the securities industry.⁶⁵

The Commodity Futures Trading Commission (CFTC) issued “A Primer on Artificial Intelligence in Financial Markets” in 2019 that discusses, among other things, how the CFTC could leverage AI to better regulate its markets.⁶⁶ More recently, the agency created an enforcement division task force focused on emerging technologies, including AI,⁶⁷ and its Technology Advisory Committee created a panel to evaluate “responsible artificial intelligence.”⁶⁸ The CFTC’s commissioners have given speeches on the need for the agency to regulate AI.⁶⁹

The Biden administration’s work on AI is ongoing, but the AI Bill of Rights, the NIST AI Risk Management Framework, the 2023 executive order on AI, and the OMB M-24-10 AI guidance have highlighted key AI risk mitigation practices to be further developed.⁷⁰ Due to parallel statutory authorities across multiple agencies, many of these recommendations are referenced repeatedly in the sections below.

These efforts include, but are not limited to, the following:

• Required minimum risk management practices for AI use that is deemed safety-impacting or rights-impacting: The OMB M-24-10 AI guidance requires minimum risk management practices for federal agencies that utilize AI for certain purposes presumed to be safety-impacting or rights-impacting.⁷¹ These steps, including AI impact assessments and other requirements, could be repurposed for use beyond federal agencies, such as at banks or financial services institutions.
• AI audits: The development of an independent third-party AI auditing ecosystem is being explored to ensure effective risk management and compliance with AI systems.⁷² AI audits in this context can include both the data used to train AI systems and the AI systems themselves, including their source code. The audits would also include third parties utilizing AI for banks or other financial institutions as vendors or contractors. In all cases, regulators should set out guidelines for appropriate conflict checks and firewall protocols for auditors.
• Explainability and legibility: The 2022 AI Bill of Rights⁷³ made “notice and explanation” a key principle for the safe use of AI, noting that people “should know that an automated system is being used and understand how and why it contributes to outcomes that impact you” and that automated systems should “provide clear, timely, understandable, and accessible notice of use and explanations.”⁷⁴ The 2023 AI executive order noted that “requirements and expectations related to the transparency of AI models and regulated entities’ ability to explain their use of AI models” should be a priority for independent agencies, including independent financial regulators.⁷⁵ This expectation for explainability and legibility is also reflected in the OMB M-24-10 AI guidance for federal agencies using or procuring AI, which notes: “Explanations might include, for example, how and why the AI-driven decision or action was taken. This does not mean that agencies must provide a perfect breakdown of how a machine learning system came to a conclusion, as exact explanations of AI decisions may not be technically feasible. However, agencies should still characterize the general nature of such AI decisions through context such as the data that the decision relied upon, the design of the AI, and the broader decision-making context in which the system operates. Such explanations should be technologically valid, meaningful, useful, and as simply stated as possible, and higher-risk decisions should be accompanied by more comprehensive explanations.”⁷⁶

  Financial regulators should collaborate with others in the public and private sector as they develop best practices for explanation and legibility.

• AI red-teaming: The 2023 AI executive order defined AI “red-teaming” as “a structured testing effort to find flaws and vulnerabilities in an AI system, often in a controlled environment and in collaboration with developers of AI.”⁷⁷ Red-teaming has emerged as a method to test AI that is embraced by leading generative AI companies⁷⁸ and has been a focus of the White House in voluntary commitments,⁷⁹ the executive order, and the OMB M-24-10 AI guidance.⁸⁰ This can also include red team/blue team exercises, whereby the blue team defends the systems against the simulated penetrations,⁸¹ or “violet-teaming,” which attempts to address broader systemic societal issues in adversarial testing.⁸²
• Cybersecurity and AI risk management: The Biden administration has made cybersecurity a key focus, with efforts that include the 2023 National Cybersecurity Strategy.⁸³ The 2023 executive order on AI also prominently mentions cybersecurity throughout. Similarly, AI risk management has been an early focus of voluntary and mandated AI efforts from the U.S. government, including the NIST AI Risk Management Framework and the OMB M-24-10 AI guidance.⁸⁴

This section explains how various statutes enforced by the federal financial regulators could be used to regulate AI. This list is by no means exhaustive.

Relevant agencies: Treasury Department, Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, National Credit Union Administration, Securities and Exchange Commission, Commodity Futures Trading Commission

The Bank Secrecy Act (BSA), enacted in 1970, is designed to combat money laundering and financial crimes.⁸⁵ The BSA and regulations promulgated thereunder require financial institutions to maintain records and report certain transactions indicative of money laundering or other illicit activities.⁸⁶ Under these regulations, banks and other financial institutions must verify the identity of all customers, keep detailed records of cash transactions exceeding $10,000, and report suspicious transactions to the Financial Crimes Enforcement Network (FinCEN).⁸⁷ By mandating these reporting requirements, the BSA aims to enhance transparency in financial dealings, detect potential illegal activities, and safeguard the financial system’s integrity.⁸⁸

The broad statutory authority allows the treasury secretary and banking and financial regulators to promulgate regulations requiring institutions to create and implement a wide variety of anti-money laundering programs.⁸⁹

Relevant agencies: Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, National Credit Union Administration, Securities and Exchange Commission, Commodity Futures Trading Commission, Consumer Financial Protection Bureau

Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) proclaimed it “the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”⁹⁰ Accordingly, 15 U.S.C. § 6802 provides that “a financial institution may not … disclose to a nonaffiliated third party any nonpublic personal information” unless it has first provided consumers notice.⁹¹

The GLBA requires the banking and financial regulators to “establish appropriate … administrative, technical, and physical safeguards” for institutions that 1) “insure the security and confidentiality of customer records and information”; 2) “protect against any anticipated threats or hazards to the security or integrity of such records”; and 3) “protect against unauthorized access to or use of [customer information].”⁹² Under this authority, the federal banking regulators have implemented interagency guidelines for establishing information security standards⁹³ and issued IT and cybersecurity risk management guidance.⁹⁴

Relevant agency: Consumer Financial Protection Bureau

The Equal Credit Opportunity Act (ECOA) was enacted to prevent discrimination in credit granting. The ECOA makes it “unlawful for any creditor to discriminate against any applicant” for credit “on the basis of race, color, religion, national origin, sex or marital status, or age” or “because all or part of the applicant’s income derives from any public assistance program.”⁹⁷ The ECOA requires creditors to provide reasons for credit denials and grants applicants the right to challenge any decision perceived as discriminatory. Its fundamental goal is to promote fair and equal access to credit for all qualified individuals, fostering a more inclusive and equitable financial landscape.

The ECOA allows the Consumer Financial Protection Bureau to “prescribe regulations to carry out the purposes of [the act],” including those it believes “are necessary or proper to effectuate [the ECOA’s purposes], to prevent circumvention or evasion thereof, or to facilitate or substantiate compliance therewith.”⁹⁸ It also requires firms to provide “[e]ach applicant against whom adverse action is taken [with] a statement of reasons for such action.”⁹⁹

Relevant agency: Consumer Financial Protection Bureau

Recognizing that “the banking system is dependent upon fair and accurate credit reporting” and that “inaccurate credit reports directly impair the efficiency of the banking system,” Congress enacted the Fair Credit Reporting Act (FCRA) in 1970.¹⁰⁶ The FCRA generally covers all entities that help create, provide, and use consumer reports and allows the Consumer Financial Protection Bureau to regulate those activities. For example, the FCRA prohibits entities that furnish information to consumer reporting agencies (CRAs) from reporting information that they know have errors, mandating they correct and update false information, and allows the CFPB to craft regulations prescribing policies and procedures that must be followed.¹⁰⁷ For CRAs themselves, the FCRA excludes particular information from reports and requires agencies to describe to users the key factor in credit score information.¹⁰⁸ And for users of consumer reports—which include lenders, employers, and landlords—the FCRA prescribes responsibilities if they take adverse actions based on report information and allows the CFPB to regulate how users provide consumers with credit decision notices and the information contained in such notices.¹⁰⁹ The CFPB may also regulate the procedures for instances where consumers wish to dispute the accuracy of information in reports.¹¹⁰ The Federal Trade Commission, CFPB, and other agencies have administrative enforcement authority.¹¹¹

Using this regulatory authority, the CFPB has issued regulations creating and requiring firms to use model forms and disclosures,¹¹² requiring furnishers of information to “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information [provided to credit reporting agencies],”¹¹³ and requiring users of credit reports to disclose to consumers when their credit report has been used as a means for determining their risk.¹¹⁴

Relevant agencies: Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation

Enacted to undo the pernicious effects of redlining,¹²² the Community Reinvestment Act (CRA) encourages banks to meet the credit needs of the communities in which they operate, particularly low- and moderate-income neighborhoods. The CRA requires banks to actively engage in lending, investment, and service activities in these underserved communities by mandating periodic evaluations of banks’ performance in meeting the community’s credit needs.¹²³ The CRA grants federal banking regulators the authority to regulate banks’ compliance with the law.¹²⁴

The CRA does not allow regulators to change banks’ lending decisions, only to decide how it will evaluate whether banks comply with the act. The regulators’ rules allow banks to submit strategic plans for complying with the CRA¹²⁵ and establish assessment areas for determining compliance.¹²⁶

Relevant agency: Consumer Financial Protection Bureau

Following the great financial crisis of 2007–2008, Congress enacted the Consumer Financial Protection Act (CFPA) as Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010. Among other things, the CFPA created the Consumer Financial Protection Bureau to ensure fairness, transparency, and accountability in providing consumer financial products and services by regulating those products and services and enforcing the nation’s consumer financial protection laws.¹²⁷ The Consumer Financial Protection Bureau regulates various financial sectors, including banks, credit unions, mortgage servicers, payday lenders, and debt collectors, striving to educate consumers and monitor financial practices.

One of the most potent authorities provided to the CFPB is its authority to “take any action authorized … to prevent a covered person or service provider from committing or engaging in an unfair, deceptive, or abusive act or practice under Federal law in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.”¹²⁸ Under this so-called UDAAP authority, the CFPB may also write regulations “identifying as unlawful” particular acts or practices and “may include requirements for the purpose of preventing such acts or practices.”¹²⁹ In other words, the CFPB can regulate consumer financial service providers to ensure their activities are not unfair, deceptive, or abusive.

Relevant agencies: Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, National Credit Union Administration

The Federal Deposit Insurance Act (FDIA) and the Federal Credit Union Act (FCUA) are two of the core statutes that permit banking and credit union regulators to ensure the safety and soundness of institutions under their respective jurisdictions.¹³⁶ The Bank Holding Company Act (BHCA) similarly provides the Federal Reserve with many of the same authorities for bank holding companies. Under these statutes, banking regulators are required to prescribe standards relating to “internal controls, information systems, and internal audit systems” as well as any “other operational and managerial standards as the agency determines to be appropriate.”¹³⁷ The National Credit Union Administration (NCUA) is required to “promulgate rules establishing minimum standards … of security devices and procedures.”¹³⁸ Regulators may also enforce prohibitions against activities that are unsafe or unsound.¹³⁹

Pursuant to these authorities, regulators have issued a wide array of regulations and guidance designed to ensure financial institutions adhere to the highest operational standards. For example, they have issued guidelines establishing standards for safety and soundness covering loan documentation, credit underwriting, and asset quality.¹⁴⁰ They have also issued information security standards “for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”¹⁴¹ Regulators routinely examine institutions to ensure adherence to heightened standards and to identify unsafe or unsound activities and issue a host of guidance identifying risky acts and practices that institutions may consider addressing.¹⁴²

Relevant agency: Financial Stability Oversight Council

The Dodd-Frank Act (DFA), enacted following the great financial crisis of 2007–2008, created the Financial Stability Oversight Council to “identify risks to the financial stability of the United States” and “respond to emerging threats to the stability of the United States financial system.”¹⁴⁵ Among the authorities the DFA granted to the FSOC is the ability to designate financial market utilities (FMUs) as systemically important and subject to supervision and regulation by the Federal Reserve. Under statute, FMUs are “any person that manages or operates a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions or between financial institutions and the person.”¹⁴⁶

To designate FMUs, the FSOC can merely determine that they “are, or are likely to become, systemically important.”¹⁴⁷ To make this determination, the FSOC is statutorily required to consider five factors: 1) “the aggregate monetary value of transactions processed by the financial market utility”; 2) “the aggregate exposure of the financial market utility … to its counterparties”; 3) “the relationship, interdependencies, or other interactions of the financial market utility … with other financial market utilities or payment, clearing, or settlement activities”; 4) “the effect that the failure of or a disruption to the financial market utility … would have on critical markets, financial institutions, or the broader financial system”; and 5) “any other factors that the Council deems appropriate.”¹⁴⁸ In the FSOC’s rules detailing its process for designating FMUs, it provides that it makes “two critical determinations” in deciding whether to act: first, “whether the failure of or a disruption to the functioning of the FMU now or in the future could create, or increase, the risk of significant liquidity or credit problems spreading among financial institutions or markets”; second, “whether the spread of such liquidity or credit problems among financial institutions or markets could threaten the stability of the financial system of the United States.”¹⁴⁹ Using this authority, the FSOC has designated eight FMUs, all clearinghouses.¹⁵⁰

In a March 2024 interview with Politico, SEC Chair Gary Gensler warned about the dangers of concentration with AI and financial systems: “We have set up a lot of our systems of oversight and rules around regulating individual entities or activities, whether it’s bank regulators, insurance regulators, securities regulators, commodities regulators.” Gensler added that it was important to be “thinking about [AI] across all the entities — are they potentially all using the same base model or base data?”¹⁵¹ He also noted the threat of AI concentration in the financial system, saying: “I would be quite surprised if in the next 10 or 20 years a financial crisis happens and there wasn’t somewhere in the mix some overreliance on one single data set or single base model somewhere.”¹⁵²

While AI usage has yet to reach levels that justify designation as FMUs, if AI has the impact and widespread adoption predicted by some, then that future designation may be warranted.

Relevant agency: Securities and Exchange Commission

The Securities Exchange Act of 1934, or “1934 Act,” is a cornerstone of securities regulation in the United States, enacted to ensure transparency, integrity, and fairness within the securities markets.¹⁵⁶ The 1934 Act created the Securities and Exchange Commission to regulate the markets and enacted rules governing the secondary trading of securities. It aims to protect investors by mandating the disclosure of crucial financial information, preventing fraudulent practices such as insider trading and market manipulation, and overseeing the operations of securities exchanges.

The 1934 Act governs, and allows the SEC to regulate, brokers, exchanges and alternative trading systems, and clearinghouses, among other institutions. It broadly enables the SEC “to make such rules and regulations as may be necessary or appropriate to implement [the act].”¹⁵⁷ In addition, the 1934 Act provides the SEC with authority to enact regulations specific to different market participants or registered entities. For example, Section 15 of the act, permits the SEC to “establish minimum financial responsibility requirements” and “standards of operational capability” for brokers,¹⁵⁸ which it has used to enact net capital requirements,¹⁵⁹ risk management practices,¹⁶⁰ and an array of information technology standards.¹⁶¹ Furthermore, the combination of sections 6, 11A, 15A, and 17A permits the SEC to “facilitate the establishment of a national market system for securities” by allowing it to enact rules requiring exchanges and clearinghouses to “[have] the capacity to . . . carry out the purposes of [the act].”¹⁶² Under these authorities, the SEC enacted Regulation Systems Compliance and Integrity, a comprehensive information technology regulation that requires these entities to “establish written policies and procedures” that “ensure that their systems have levels of capacity, integrity, resiliency, availability, and security” and “[create] business continuity and disaster recovery plans.”¹⁶³

Relevant agency: Securities and Exchange Commission

The Investment Advisers Act (IAA) regulates the activities of firms providing investment advice to clients. Under the IAA, investment advisers must register with the Securities and Exchange Commission if they manage assets above certain thresholds, becoming registered investment advisers (RIAs); comply with SEC regulations; and adhere to a fiduciary duty vis-à-vis their clients. Under the IAA, the SEC may regulate how firms safeguard client assets over which they have custody¹⁶⁹ and may “promulgate rules prohibiting or restricting certain sales practices, conflicts of interest, and compensation schemes for brokers, dealers, and investment advisers that the Commission deems contrary to the public interest and the protection of investors.”¹⁷⁰

Relevant agency: Commodity Futures Trading Commission

The Commodity Exchange Act (CEA) regulates the trading of commodity futures and other derivatives to ensure fair and efficient markets while preventing fraud and manipulation. The CEA created the Commodity Futures Trading Commission to oversee these markets, which requires the registration and regulation of various registrants, trading platforms, and clearinghouses. Originally enacted to protect farmers and ranchers in hedging their risks, the CEA now also covers trades worth trillions of dollars of value.

The CEA allows the CFTC to “make and promulgate such rules and regulations as, in the judgment of the Commission, are reasonably necessary to effectuate any of the provisions or to accomplish any of the purposes of [the act].”¹⁷² In addition, the CFTC has specific grants of regulatory authority over different market participants. For example, the CFTC may “prescribe rules applicable to swap dealers and major swap participants,” including rules explicitly related to “business conduct standards” and “minimum capital requirements.”¹⁷³ For futures commission merchants (FCMs), the CFTC may enact “minimum financial requirements”¹⁷⁴ and regulations governing how these entities handle customer assets.¹⁷⁵ Exchanges must comply with acceptable business practices;¹⁷⁶ “have adequate financial, operational, and managerial resources”; “[create risk management programs] to identify and minimize sources of operational risk”; and “establish and maintain emergency procedures, backup facilities, and a plan for disaster recovery”—and the CFTC may prescribe rules governing all of these activities.¹⁷⁷ Similar requirements apply to clearinghouses, which the CFTC can regulate similarly.¹⁷⁸ With these authorities, the CFTC has enacted various regulations, including the first rules on algorithmic trading.¹⁷⁹ The agency has also recently proposed a rule for cyber and operational resilience.¹⁸⁰

The numerous U.S. financial regulators have ample statutory authority to address concerns AI may pose to customers, banks, securities brokers and futures commission merchants, securities and derivatives exchanges, and other market intermediaries. U.S. financial regulators must begin to address these challenges now with their existing authorities and tools to ensure the success and stability of the U.S. financial system in the AI age. GFI and CAP hope this chapter will offer thoughtful options to regulators as they undertake their AI work.