Markets · Financial Services

Financial Services AI Control Readiness

AI governance in financial services is not just a technology problem. It is a threshold, model-risk, adverse-action, vendor, monitoring, and evidence problem. Sellhausen Consulting helps banks, credit unions, fintech lenders, and financial-services vendors determine which AI and model-risk expectations apply to their use cases — then map those expectations to controls and evidence.

The problem

Financial institutions are moving faster with AI than the supervisory environment can cleanly absorb.

Traditional model risk guidance does not always map neatly to generative AI, LLMs, agentic workflows, vendor AI, or AI systems embedded in business operations. At the same time, existing obligations around safety and soundness, fair lending, adverse action, third-party risk, monitoring, validation, and consumer protection still matter.

The question is not simply:

Are we using AI?

The better question is:

Which AI-supported decisions require which controls and evidence?

Who this is for

Financial institutions, vendors, and the people accountable for AI risk inside them.

  • Banks
  • Credit unions
  • Fintech lenders
  • AI lending vendors
  • Financial-services vendors
  • Model risk teams
  • Compliance teams
  • CRO organizations
  • Fair lending teams
  • Vendor risk teams
  • Internal audit teams
  • AI governance leads

What we help with

Applicability analysis

We determine which sources apply directly, indirectly, by analogy, or not at all.

Axes evaluated

  • Traditional model risk expectations
  • AI governance frameworks (NIST AI RMF, ISO 42001)
  • Sector-specific AI risk frameworks
  • ECOA and Regulation B adverse action obligations
  • Third-party risk expectations
  • State AI law exposure
  • Federal procurement exposure, if applicable
  • Generative AI and agentic AI governance gaps

Decision-control mapping

We map each AI system to the decision it influences. Common decision domains in financial services include:

  • Credit underwriting
  • Loan pricing
  • Prequalification
  • Fraud detection
  • Collections prioritization
  • BSA / AML alert triage
  • Customer service chatbots
  • Complaint routing
  • Internal policy copilots
  • Marketing personalization
  • Vendor scoring tools

Evidence readiness

We identify the evidence an examiner, auditor, board, or committee will accept as proof a system is governed.

  • Model inventory
  • AI use case inventory
  • Applicability determination memo
  • Model and system documentation
  • Validation report
  • Outcomes analysis
  • Monitoring dashboard
  • Fair lending analysis
  • Adverse action reason mapping
  • Vendor due diligence packet
  • Human review procedure
  • Change control log
  • Board and committee reporting

Common governance gaps

Where financial institutions usually miss.

Generative AI governance gap

The April 17, 2026 interagency model risk guidance (SR 26-2 / OCC Bulletin 2026-13 / FDIC FIL-15-2026) states verbatim in OCC Bulletin 2026-13 that generative AI and agentic AI models are not within the scope of that guidance. That does not mean they are ungoverned. It means the organization needs an interim control and evidence structure.

Adverse action evidence gap

If AI influences credit decisions, the organization must support specific and accurate adverse action reasons under ECOA and Regulation B. That requires more than a generic explanation statement — it requires reason-code mapping the institution can defend.

Vendor opacity gap

Financial institutions remain accountable for third-party AI systems they use. Vendor documentation, testing evidence, monitoring responsibilities, and contractual safeguards need to be reviewable.

Human oversight gap

"Human in the loop" is not a control unless the organization can prove what the human reviews, when they intervene, what authority they have, and how the review is documented.

Monitoring gap

AI control is not finished at launch. Institutions need ongoing monitoring, drift review, exception tracking, complaint signals, incident handling, and change management.

Deliverables

What an engagement produces.

  • Organization applicability profile
  • Financial-services AI use case inventory
  • Source applicability matrix
  • Decision-control map
  • Required controls register
  • Evidence checklist
  • Generative AI governance gap register
  • Adverse action reason-mapping review
  • Vendor AI evidence review
  • Monitoring and remediation roadmap
  • Executive readout

The outcome

The institution can answer.

  • Which AI and model-risk expectations apply to this institution?
  • Which use cases influence consequential financial decisions?
  • Which systems are traditional models, generative AI, agentic workflows, or vendor-provided AI?
  • Which controls are required for each use case?
  • What evidence would an examiner, auditor, board, or risk committee ask for?
  • Which gaps should be fixed first?

Next step

Start with applicability.

If your institution is using AI in credit, fraud, compliance, customer-facing, or operational decisions, the first conversation is an applicability conversation.

Book an Applicability Call