AI Governance in Financial Services A BFSI Leader's Framework OpenSense Labs
Artificial Intelligence

AI Governance in Financial Services: A BFSI Leader's Framework

Published on 02 Jul, 2026|10 min read

AI governance in financial services is converging fast, the EU AI Act, DORA, and the FCA now demand the same things: oversight, explainability, accountability. Non-compliance carries real fines, and adoption is already outpacing trust across BFSI.

For much of the past two years, AI governance in financial services has operated in a holding pattern. Digital leaders have watched Brussels negotiate, London deliberate, and Washington shift position, and many have used that uncertainty as a license to wait.

On 29 June 2026, that excuse expired. The Council of the European Union gave final approval to a package of amendments to the EU AI Act, pushing back several compliance deadlines by as much as 16 months while also expanding the penalties for non-compliance.

The regulatory picture has not become simpler. It has become more settled, and settled is precisely the condition under which delay stops being defensible. For BFSI digital leaders, what remains is building the governance architecture that regulatory clarity was supposed to unlock.

What is AI Governance and Its Regulatory Landscape?

AI governance in financial services is the set of policies, controls, and accountability structures that ensure an AI system's decisions can be trusted, explained, and corrected, covering everything from who is allowed to approve a production model to how its outputs are monitored to who is held responsible when it gets something wrong.

In financial services specifically, it's the difference between an AI-driven lending or fraud decision that can withstand regulatory scrutiny and one that can't. Three regimes currently define what AI governance in financial services needs to look like in practice, and none is more foundational than the EU AI Act.

The EU AI Act

The EU AI Act is the first comprehensive, binding AI-specific law in the world, and it forms the backbone of any AI governance framework built for financial services operating in or touching the EU. It works by sorting every AI system into one of four risk tiers:

  • Unacceptable (banned outright, covering practices like social scoring or exploiting a person's financial vulnerability),
  • High-risk (which includes most BFSI credit scoring, underwriting, and fraud-detection AI, subject to strict documentation and oversight requirements),
  • Limited risk (transparency obligations, such as disclosing that a chatbot is AI),
  • And minimal risk (largely unregulated).

The Act applies extraterritorially; if an AI system's output affects someone in the EU, it can reach the provider regardless of where the company is headquartered, which is why this matters as much for US, and Indian-based BFSI technology operations as it does for firms physically based in Europe.

Financial institutions found in breach of the Act will face these penalties (three tiers under Article 99):

  • Up to €35 million or 7% of global annual turnover (whichever is higher), banned practices under Article 5.
  • Up to €15 million or 3% of global turnover, failures in high-risk system obligations (missing risk management, inadequate documentation, insufficient human oversight), the tier under which most BFSI credit and underwriting AI would fall.
  • Up to €7.5 million or 1.5% of global turnover, supplying incorrect or misleading information to a regulator during an investigation.
AI Governance in Financial Services EU AI Acts 3 Fine Tier OpenSense Labs

For smaller firms, the calculation flips to the lower of the fixed amount or the percentage, rather than the higher, as a proportionality safeguard.

The amendments approved on 29 June 2026 deferred the high-risk (Annex III) deadline to 2 December 2027 and Annex I to August 2028, but left this fine structure fully intact.

Digital Operational Resilience Act (DORA)

It is a cybersecurity and operational-resilience regulation, but it has become the practical AI governance lever in the EU today because, unlike the AI Act, it isn't waiting on any deferred timeline. For institutions building AI governance in the financial industry, DORA is often the regime that applies first, simply because it's already fully active.

It requires financial entities to maintain a formal ICT risk management framework, report major incidents within 24 hours, run regular resilience testing, and maintain active oversight of every third-party technology vendor a system depends on.

That third-party provision is what pulls AI model providers and cloud infrastructure into DORA's scope even though the regulation never mentions AI by name, making it the regime most likely to catch a BFSI institution's AI vendor relationships even before the AI Act's high-risk obligations apply.

Financial entities found in breach of DORA will face these penalties:

  • Financial entities: up to 2% of total annual worldwide turnover
  • Individual senior managers: up to €1 million personally, DORA explicitly makes an institution's management body accountable for ICT risk oversight
  • Critical third-party providers: up to €5 million for the firm
  • Individuals within those providers: up to €500,000
  • Some member states have added criminal penalties on top of the most serious breaches

Fully in force since January 2025, with no deferrals.

The FCA

The UK has taken a structurally different approach from the EU; rather than writing AI-specific rules, the FCA applies two existing frameworks to AI-driven outcomes. This is a useful case study in AI governance in finance where regulation doesn't need a dedicated AI statute to carry real teeth:

  1. The Consumer Duty: Outcome-focused: firms must ensure good outcomes for retail customers, regardless of whether a human or an AI system made the decision.
  2. Senior Managers and Certification Regime (SMCR): Accountability-focused: assigns a specific, named senior manager with personal responsibility for the AI systems within their area of the business.

The two collaborate; Consumer Duty defines the standard for a positive outcome, while SMCR identifies who is personally responsible if an AI system does not achieve it.

Fines:

  • Unlike the EU frameworks, which impose a statutory percentage cap, penalties are calculated on a case-by-case basis under the FCA's own penalty framework, typically as a percentage of the firm's relevant revenue during the breach period.
  • Recent scale for context: Nationwide, £44 million (December 2025, financial crime systems and controls weaknesses); Monzo, £21 million (July 2025, inadequate controls during rapid growth).
  • No AI-specific fine has been issued yet, but any AI-driven decision breaching Consumer Duty, or any Senior Manager failure to oversee an AI system, would be assessed under this same uncapped framework.

What's Coming: the Treasury Committee has told the FCA to publish practical guidance by the end of 2026 on how Consumer Duty and SMCR specifically apply to AI.

AI Governance in Financial Services 3 Regulators OpenSense Labs

Three different regulatory philosophies, prescriptive, operationally embedded, and principles-based, are converging on the same underlying question: can this institution demonstrate that a human can intervene, that a decision can be explained, and that accountability sits with a named function rather than a model?

The Role of AI Governance in Financial Services

  1. Adoption Moved Past the Pilot Stage: According to Cambridge Judge Business School's 2026 Global AI in Financial Services Report, 81% of firms are adopting AI at some level, with 40% at advanced "Scaling" or "Transforming" stages of maturity. This is no longer an emerging-technology conversation for BFSI; it's core infrastructure.
  2. The Agentic AI is the Fastest Moving Frontier: Agentic AI systems that act with a degree of autonomy, rather than simply generating output for a human to review, are already in active use among 52% of industry respondents. Adoption reached this scale in a comparatively short window.
  3. The Core Use Cases are Now Well Established: Credit scoring and underwriting, fraud detection, customer-facing chatbots, document processing, and algorithmic trading account for the bulk of BFSI's AI deployment. Each of these sits close to a regulated, high-stakes decision.
  4. Confidence Hasn't Kept Pace with Deployment: Only 14% of industry respondents currently see AI as transformational to their organizational strategy, despite the adoption figures above. That gap between usage and confidence is where governance work is most needed.

The Importance of AI Governance in Financial Services

The previous section pointed to a gap between how much BFSI has adopted AI and how much confidence institutions have in it. AI governance in financial services is what closes that gap, and it matters in three specific ways: what the regulatory convergence signals, how institutions rate their own readiness, and how significantly their comfort with autonomous AI is still lacking.

  1. Regulatory Convergence is Real: When three regimes with entirely different regulatory instincts independently land on the same expectations, it's a sign these aren't arbitrary compliance boxes; they're what deploying AI responsibly at scale actually requires.
  2. Institutions' Own Confidence in Their Governance is Notably Weak: EY's 2025 European AI Pulse Survey of financial services C-suite executives found that 57% consider their current AI risk management approach insufficient, and 30% report limited or no bias controls in place. That's most of the leadership acknowledging a governance gap in their own institutions.
  3. Comfort with Autonomy Lags Adoption: Only 33% of executives say they're comfortable with agentic AI operating with real autonomy, even as more than half the industry has already deployed it. Institutions are running ahead of their own trust in the technology.

Real World Example of AI Governance in Financial Services

On explainability specifically: a 2025 study from the Federal Reserve Bank of Kansas City and Stanford tested several large language models on mortgage lending decisions, holding applicant profiles identical and varying only race or a race proxy such as university attended.

The models exhibited race-based discrepancies in loan terms that exceeded those documented in historical human lending decisions, and the bias persisted even when explicit race indicators were removed and replaced with indirect proxies.

The finding that should concern BFSI leaders most is that removing the obviously sensitive variable didn't remove it, because the model had learned to infer it from other signals. Encouragingly, the same study demonstrated a workable fix.

A targeted intervention within the model's internal reasoning reduced the disparities by up to 70%, with an average reduction of roughly a third, without degrading the model's overall performance.

That's a concrete illustration of what the EU AI Act's transparency obligations and the FCA's outcome-testing expectations are asking for, tooling that catches biased outcomes before they reach a customer, not a document explaining how a model works in theory.

Key Risks of AI that Need Governance for BFSIs

  1. Discriminatory Bias in Credit and Underwriting Decisions: Bias in credit and underwriting decisions can survive standard mitigation techniques, as the case above demonstrates.
  2. Explainability Gaps: Many AI systems, particularly LLM-based ones, cannot yet produce a clear rationale for individual decisions, undermining both regulatory audit requirements and customer recourse.
  3. Third-Party and Vendor Dependency: AI increasingly relies on external models, data providers, and cloud infrastructure; a failure anywhere in that chain becomes the institution's regulatory exposure under DORA.
  4. Model Drift: Performance and fairness characteristics shift as data distributions change, meaning a model compliant at launch can drift out of compliance without any code change.
  5. Over-Reliance on Autonomous Agentic Systems: Agentic systems are being deployed faster than institutions have built confidence in their autonomy.
  6. Accountability Diffusion: When a decision passes through multiple models, vendors, and automated handoffs, responsibility can become genuinely unclear unless a named accountable function is defined in advance.

Implementing AI governance in Financial Services

Rather than building four separate compliance programmes, a single governance architecture built around five capabilities satisfies EU AI Act, DORA, and FCA expectations simultaneously.

  1. Model Inventory and Risk Classification: A live, complete register of every AI model in production: its function, its data inputs, and the decision it influences. This satisfies the EU AI Act's Annex I/III risk-tiering requirement directly.
  2. Human Oversight and Intervention Pathways: Designed escalation paths, override authority, and the technical means to halt a model in production. The EU AI Act explicitly requires this; it must exist before deployment, not be retrofitted after a regulator asks.
  3. Third-party and Data Lineage Tracing: Full visibility into every external vendor, model, and dataset feeding an AI-driven decision. This satisfies DORA's ICT third-party risk provisions directly.
  4. Explainability and Audit Trail: The capability most exposed by real-world testing, discussed above.
  5. Board-level Accountability Structure: The accountability structure at the board level shows a connection between the EU AI Act's deployer obligations and the FCA's SM&CR; responsibility lies with a specific individual or governing body, rather than with "the model" or "the vendor." This needs to be assigned before the other four capabilities are built.
Implementing AI governance in Financial Services 5 Capabilities OpenSense labs

What BFSI Leaders Should Build Next?

None of the five capabilities above depends on how the EU AI Act's deferred deadlines or the FCA's promised guidance ultimately resolve.

They answer a question every regime is independently asking; can this institution see its models, intervene in them, trace their dependencies, explain their decisions, and name who is accountable for them?

BFSI digital leaders who build this now aren't betting on a specific regulatory outcome; they're building infrastructure any outcome will require.

OpenSense Labs' AI Governance solution addresses the explainability piece directly, scoring and filtering AI outputs in real time across models like OpenAI, Claude, and Gemini, catching biased or non-compliant outputs before they reach a customer.

Check Out Our Solution

Newsletter illustration

Join Our Newsletter

Love open-source tech? Stay updated with projects that make a difference.

Nisha Katariya
Nisha Katariya

Share Article