Industry
Banking
Banking Services Transformation: Unlocking Exponential Value
Highlights
- The Financial Services AI Risk Management Framework (FS AI RMF) was issued in February 2026 by the U.S. Department of the Treasury in partnership with the Cyber Risk Institute.
- The FS AI RMF offers a practical, sector‑specific framework that enables financial institutions to govern, manage, and scale AI responsibly while remaining aligned with existing enterprise risk and compliance programs.
- Financial institutions require a structured roadmap that demonstrates how AI governance can be progressively enhanced by integrating the FS AI RMF as AI maturity grows.
On this page
Introduction
Govern, Map, Measure, and Manage
The Financial Services AI Risk Management Framework (FS AI RMF) is a voluntary, industry‑led framework tailored for financial institutions and aligned with the NIST AI RMF. It includes 230 control objectives to manage AI risks such as fraud, bias, model risk, explainability, and cybersecurity while supporting responsible innovation. Built around NIST’s four functions—Govern, Map, Measure, and Manage—it provides a comprehensive AI governance model for all financial institutions.
Overview
The U.S. Department of the Treasury has released the first two of six planned resources to help the financial services sector safely, securely, and responsibly deploy artificial intelligence (AI).
The U.S. Department of the Treasury has released the first two of six planned resources to support safe, secure, and resilient AI adoption in financial services. The first resource, an AI Lexicon, establishes a consistent vocabulary for key technical terms. The second resource is a financial‑services‑specific adaptation of the NIST AI RMF, which includes: a self‑assessment questionnaire to help firms evaluate AI maturity and governance posture; a risk‑to‑control mapping matrix linking AI risks to relevant security and risk‑management controls; and actionable implementation guidance enabling firms to adopt and operationalise the controls effectively.
These initial releases lay the foundation for a structured, risk‑based approach to AI governance in financial services, supporting innovation while ensuring safety, security, and resilience. Two key components are highlighted below:
- AI adoption questionnaire – A structured self‑assessment tool that helps organisations evaluate and classify their AI adoption level across six dimensions.
- Risk‑control matrix – A comprehensive set of control objectives organised by adoption stage, with clear rationale for each control’s applicability.
FS AI RMF vs. EU AI Act
While the European Union (EU) AI Act defines what organisations must comply with, the FS AI RMF serves as a voluntary, implementation‑focused guide that helps financial institutions operationalise and achieve the high‑level compliance outcomes mandated by the EU AI Act.
FS AI RMF vs. EU AI Act
Action plan
The FS AI RMF aligns naturally with established frameworks such as Model Risk Management, enabling organisations to conduct integrated risk assessments, support risk aggregation and prioritisation, and drive coordinated mitigation efforts across the enterprise. This integrated, harmonised approach ensures that AI‑related risks are managed consistently alongside other strategic, operational, and technology risks. As AI capabilities mature, institutions can progressively embed the FS AI RMF into their existing governance and risk management structures by following the stages outlined below.
- Determine AI Adoption Stage: Institutions should begin by using the FS AI RMF questionnaire to identify their current stage of AI adoption—development, pilot, or production—establishing a clear baseline for risk management activities.
- Conduct Gap Analysis: Organisations should compare their existing risk management policies and controls against FS AI RMF control objectives to identify gaps, with emphasis on data privacy, model explainability, and algorithmic bias.
- Customise the risk and control matrix (RCM): Institutions should tailor the RCM to reflect their specific risk profile, using the guidebook to adapt control objectives to relevant AI use cases and deployment models.
- Update policies and standards: Existing AI‑related policies should be revised to incorporate the FS AI RMF, explicitly addressing risks associated with third‑party AI platforms and mitigating unauthorised or “shadow AI” usage.
- Integrate third‑party risk management (TPRM): The framework should extend to AI‑related risks introduced by vendors, partners, and affiliates, ensuring consistent oversight across the extended enterprise.
- Deploy risk controls: Organisations should implement applicable FS AI RMF controls, prioritising high‑risk areas and focusing on automated monitoring, input validation, and model auditing.
- Develop audit trails and evidence: Institutions should build robust documentation and evidence to demonstrate alignment with the 230 control objectives, supporting regulatory and assurance activities.
- Establish continuous monitoring: Risk practices should shift from point‑in‑time reviews to continuous monitoring to detect model drift, performance degradation, or emerging vulnerabilities.
- Establish governance forums: Regular reporting and oversight mechanisms should inform senior management and the board about AI risk posture and FS AI RMF implementation progress.
By assessing AI maturity, mapping risks to tailored controls, and embedding continuous monitoring and governance, institutions can operationalise trustworthy AI at scale through a structured, risk‑based approach that balances innovation with regulatory readiness, resilience, and accountability across financial services.