AI Governance Built In Is a Competitive Advantage, Governance Retrofitted Is a Compliance Cost
The regulatory environment facing North American banks on AI is not a single framework. It is a set of overlapping obligations from multiple agencies — federal and state — that are converging on the same practical requirement: institutions must be able to explain, audit, and demonstrate the fairness of every AI-driven decision that affects a customer. Banks that have built their AI systems with that requirement in mind will satisfy it quickly and cheaply. Banks that have not will spend the next several years and several times the necessary capital retrofitting explainability, audit trails, and fairness documentation into systems that were not designed to accommodate them.
The framing most banks apply to this challenge is wrong, and it is costing them materially. Governance is not a compliance overhead that sits on top of an AI programme. It is the infrastructure that determines whether the programme compounds in value or stagnates.
The regulatory framework is not waiting for the industry to catch up
The federal layer of AI governance obligations in North American banking is already in force, and it is broad. FinCEN’s designation of fraud as an AML/CFT National Priority means that institutions with inadequate fraud AI now face compliance risk within their AML programme, not as a separate matter. The CFPB has issued two circulars — in May 2022 and September 2023 — confirming that the Equal Credit Opportunity Act applies in full to algorithmic credit models. The agency has been explicit: creditors cannot justify non-compliance with ECOA’s adverse action notice requirements on the basis that their model is too complex or opaque to explain. “There is no special exemption for artificial intelligence,” the CFPB stated in its September 2023 guidance. The OCC’s model risk management framework, SR 11-7, requires validation, documentation, and ongoing monitoring of all models used in regulated institutions — requirements that many AI deployments, particularly those using black-box architectures, are not currently meeting. The FFIEC’s AI and machine learning guidance for supervised institutions adds examination expectations across credit decisioning, fraud detection, and compliance functions.
The state layer is accelerating alongside the federal one and creating a compliance geography that crosses jurisdictions. Colorado enacted the first comprehensive state AI law in the US in May 2024, requiring financial institutions that deploy AI in consequential decisions to conduct algorithmic discrimination testing, document risk management programmes, and provide consumers with specific notifications both before and after AI-driven adverse decisions. Colorado’s law has been actively revised since enactment — the legislature passed replacement legislation in May 2026 — but the underlying trajectory is clear and the compliance obligations remain substantial. Illinois amended its Consumer Fraud and Deceptive Business Practices Act in 2024 to extend regulatory oversight to AI used in creditworthiness determinations, effective January 2026. New York City’s Local Law 144, in force since July 2023, mandates independent bias audits for automated decision tools in certain contexts. The pattern across these jurisdictions is consistent: disclosure of AI use, testing for discriminatory outcomes, and auditability of decisions. Banks operating across state lines are navigating a patchwork of requirements with overlapping but non-identical obligations.
The opening question every bank’s board should be able to answer directly is this: when the CFPB examines your AI credit model, can you produce a specific, accurate explanation of the adverse action for every declined application — in a format that satisfies ECOA requirements — without human intervention? For most institutions, the honest answer is still no. The gap between where most banks are and where the regulatory framework already requires them to be is not a future risk. It is a current one.
The compliance view and the advantage view produce different institutions
The banks most at risk from the regulatory environment described above are not, for the most part, the ones acting in bad faith. They are the ones that have built their AI infrastructure under what might be called the compliance view: governance is a box-ticking exercise for the regulator, documentation is a cost to be minimised, explainability is a constraint that slows model development, audit trails are a legal requirement, and fairness metrics are limitations on model accuracy. Institutions operating with this worldview build AI systems that work technically and then discover — typically at the worst possible moment, under examination pressure — that they cannot deploy or defend them.
The advantage view produces materially different outcomes. Banks that treat explainability as a design requirement rather than a retrofit find that models with built-in explainability move through regulatory approval faster — in weeks rather than months — because examiners can engage with the model’s decision logic rather than being handed a black box. Banks that treat audit trails as a data asset rather than a compliance burden discover that every logged decision is a labelled training example: the model improves continuously from its own production history in a way that a system without structured logging cannot. Banks that treat governance infrastructure as the architecture of their AI programme find that regulatory relationships are cooperative rather than adversarial, because the evidence of sound process is available rather than having to be constructed retrospectively. And banks that treat fairness metrics as a market access tool rather than a constraint on accuracy find that documented fairness enables them to serve segments that competitors, constrained by models they cannot defend, are effectively excluding.
The financial difference between these two postures is not theoretical. Retrofitting ECOA-compliant explainability into a production AI model typically costs three to five times what it would have cost to build it in from the start, because the work touches data pipelines, monitoring infrastructure, and regulatory documentation across the entire deployment. The cost of a failed regulatory examination — remediation programmes, independent monitorships, asset caps, reputational damage — is higher still. The TD Bank penalty, exceeding $3 billion across agencies in 2024, was the most visible recent example of what deferred investment in compliance infrastructure ultimately costs. The institutions that invest in governance architecture before they need it are not being cautious. They are making the higher-returning investment.
There are three paths, and the window for the first is narrowing
The evidence in North America is not ambiguous. The compliance cost of the current AML system, the enforcement trajectory, the CFPB’s explicit guidance on AI credit models, and the real-time payment liability created by FedNow all point in the same direction. The question facing institutions is not whether AI-enabled decisioning matters. The question is when to act — and timing now determines the magnitude of the advantage, not just the speed of the benefit.
The first path is to lead: identify one decision where the value case is clearest and data readiness is highest, run a properly governed proof of value, and use the results to build the board-level business case for enterprise rollout before regulatory deadlines force a reactive programme. Institutions that act in the next six months secure first-mover advantage in AI decision quality that compounds with every decision their model sees. They build governance infrastructure before regulatory deadlines rather than under pressure. They establish regulatory relationships before scrutiny intensifies. And they begin accumulating the outcome data that will widen the gap between their models and those of institutions that moved later.
The second path is to follow: wait for internal consensus and for regulatory requirements to clarify further, watch early movers before committing, and prioritise other transformation initiatives in the near term. This path avoids early implementation risk and remains available to most institutions today. Its costs are real but bounded: no first-mover advantage in model quality, a shortening implementation timeline as regulatory deadlines approach, and a talent market for AI governance expertise that becomes more competitive as demand concentrates. Institutions on this path will implement. They will do so under more pressure and at higher cost than those on the first path, but implementation is achievable.
The third path is to defer: continue with current rule-based and batch-scoring systems and revisit the question when external pressure forces action. This path does not stay stable. The structural cost disadvantage compounds annually. Regulatory risk accumulates as compliance deadline programmes become the only available response. The talent and technology markets become less favourable with each passing quarter. And in practice, the deferred path almost always ends in a crisis-driven reactive programme — the worst possible conditions under which to build AI infrastructure that is supposed to be reliable, explainable, and fair. It is not a strategy. It is the absence of one.
The question is not whether to build the advantage. It is whether to build it deliberately or inherit the disadvantage by default.
Part 3 of 3.
Sources
Consumer Financial Protection Bureau. Consumer Financial Protection Circular 2022-03: Adverse Action Notification Requirements in Connection With Credit Decisions Based on Complex Algorithms. May 2022.
Consumer Financial Protection Bureau. Consumer Financial Protection Circular 2023-03: Adverse Action Notification Requirements and the Proper Use of Sample Forms. September 2023.
Office of the Comptroller of the Currency / Federal Reserve. SR 11-7: Guidance on Model Risk Management. April 2011, updated guidance ongoing.
Federal Financial Institutions Examination Council. Supervisory Guidance on Model Risk Management. Ongoing.
Colorado General Assembly. SB 24-205: Consumer Protections for Artificial Intelligence. Signed May 2024; revised by SB 189, May 2026.
Illinois General Assembly. Amendment to Consumer Fraud and Deceptive Business Practices Act covering AI in creditworthiness determinations. Effective January 2026.
New York City. Local Law 144: Automated Employment Decision Tools. Effective July 2023.
Financial Crimes Enforcement Network. AML/CFT National Priorities. fincen.gov.
Federal Reserve. FedNow Service. federalreserve.gov/paymentsystems/fednow.