FINANCIAL SERVICES

The regulation you know was built for a different kind of system

Retail and corporate banking, insurance, asset management, fintech, payments. Financial services operates under the most mature regulatory framework of any industry, and yet none of those frameworks were designed for AI systems whose behavior changes after deployment. The gap is widening, and supervisors are closing it.

How AI is changing financial services

The dominant assumption inside financial services has been that AI risk fits within existing model risk management frameworks: SR 11-7 in the US (the Federal Reserve and OCC supervisory guidance on model risk management), the equivalent standards in Europe, and the internal validation processes institutions have built over decades. The assumption is that AI is simply a more sophisticated model, and sophisticated models are what financial services has always governed.

That assumption breaks at three structural points. First, traditional model risk management assumes models can be specified, validated, and then operate within known parameters. AI systems do not behave that way. The same model, fed slightly different production data, can produce systematically different outcomes than it did in validation. Second, the model is no longer the unit of governance. A single foundation model can power five distinct banking use cases simultaneously, each with a different risk profile. Third, vendor models, the foundation models from third-party providers that increasingly power banking AI, are governed by procurement frameworks that were never designed for systems whose behavior the buyer cannot fully observe.

Insurance compounds the problem. The EU AI Act (Annex III, point 5) explicitly classifies AI used for risk assessment and pricing of natural persons in life and health insurance as high-risk. That single entry changes the obligations of every insurer deploying AI in underwriting or claims for those lines, regardless of how mature their existing actuarial governance is.

What risks does this create

The risks are structural, and they sit at the intersection of existing supervisory frameworks and new regulatory obligations that none of those frameworks anticipated.

Model risk frameworks that do not cover AI behavior

Traditional model risk management was designed for systems that operate within defined parameters after validation. AI systems in production can behave differently as data distributions shift, as models are retrained, or as the same architecture is deployed in a new use case. The validation that cleared the model says nothing about how the model behaves in production once any of those change.

Vendor governance that stops at procurement

The relationship with foundation model providers, AI vendors, and embedded AI in core banking systems cannot be governed solely by procurement. Third-party AI that processes credit decisions, detects fraud, or supports AML functions requires AI governance, not just vendor management. ISO/IEC 42001 is the framework that codifies the difference.

High-risk obligations that apply to existing products

The EU AI Act classifies credit scoring and creditworthiness assessment of natural persons, life and health insurance risk assessment and pricing, and employment-related AI as high-risk (Annex III, points 4 and 5). Note the carve-out a practitioner will want: AI used to detect financial fraud is expressly excluded from the credit-scoring entry, so a fraud model and a credit model built on the same architecture fall on different sides of the line. The Annex III obligations apply from 2 August 2026, and under the Act's transitional provisions a high-risk system already on the market before that date is brought into scope when its design is significantly changed, which in practice means retraining and redeployment plans have to be part of the inventory. Most financial institutions have not yet mapped their existing AI portfolio against Annex III.

The integration gap with existing certifications

Many financial institutions already operate certified ISO/IEC 27001 information security management systems, particularly larger banks and insurers. The structural overlap with ISO/IEC 42001 is significant and the implementation effort is materially lower than starting from scratch, but only if the integration is done deliberately. Fintechs and mid-size insurers without existing certifications face a different starting point.

The question that has changed

The question supervisors and boards are asking has shifted: from whether the model risk framework covers AI, to whether the institution can demonstrate that AI deployed across credit, fraud, AML, underwriting, and claims operates under a continuous risk management system they can assess.

How these risks can be mitigated

The mitigation path runs through a management system that integrates AI governance with the existing risk and compliance infrastructure.

1. Use cases as the unit of governance

A credit decisioning model used in mortgage origination has a different risk profile than the same architecture deployed in fraud detection. Existing model risk frameworks are mostly blind to this distinction. AI governance has to operate at the use-case layer, with different controls, different oversight, and different documentation for each application.

2. Vendor governance extended to AI behavior

Procurement contracts do not substitute for continuous oversight of AI vendor behavior. Documented controls, escalation paths, and evidence of human oversight are required for third-party AI that participates in regulated activities.

3. ISO/IEC 42001 integrated with ISO/IEC 27001

The overlap between information security and AI governance management systems is extensive. A deliberate integration avoids duplication, reduces audit burden, and produces a single coherent framework that supervisors and boards can assess.

Certification under ISO/IEC 42001 converts AI governance into independently verified evidence.

What regulators are asking and what certification answers

EU AI Act — Annex III (High-risk: financial services)
  What it requires: AI used for credit scoring of natural persons, life and health insurance risk assessment and pricing, and employment decisions is classified as high-risk. The provider must operate a risk management system, build in logging and human oversight, and register the system in the EU database; an institution that develops the system in-house is the provider and carries those obligations itself. As deployer, a bank or insurer must use the system per the provider's instructions, assign and train human oversight, retain the logs it controls, and, for the credit-scoring and life/health insurance entries specifically, perform a fundamental rights impact assessment before first use. Systems in production before the application date are brought into scope when their design is significantly changed.
  How Zertia addresses it: EU AI Act Assessment for Banking and Insurance: full portfolio classification, Annex III mapping, and gap analysis against deployer obligations, with a prioritized remediation path.

EBA Guidelines on internal governance (AI implications)
  What it requires: The EBA Guidelines on internal governance (EBA/GL/2021/05) establish management body accountability and internal control requirements that supervisors are now applying to AI systems in credit and risk functions. While the guidelines predate the AI Act, supervisors are using them as the existing framework for challenging AI governance in on-site inspections. The AI Act itself leans on this overlap: for financial institutions, compliance with internal governance rules under EU financial services law is deemed to satisfy some of its risk-management, quality-management and monitoring obligations, so the quality of that governance directly determines AI Act compliance.
  How Zertia addresses it: ISO/IEC 42001 certification addresses governance structure, accountability, and documented oversight at the management system level. Designed to satisfy supervisory inspection requirements.

GDPR — Art. 22 (Automated decision-making)
  What it requires: Data subjects have the right not to be subject to solely automated decisions with legal or similarly significant effects. Where such decisions are permitted (for example, as necessary for a contract), financial institutions must provide safeguards: the ability to explain the decision, obtain human intervention, and contest or override it in credit, insurance, and related contexts.
  How Zertia addresses it: Covered in certification scope and DPIA services. Explainability and human override controls are assessed as part of the management system audit.

ISO/IEC 27001 (Integration with existing ISMS)
  What it requires: Most financial institutions already operate a certified ISMS. AI governance obligations require either extending the existing framework or building a parallel one, with corresponding audit burden.
  How Zertia addresses it: Single integrated management system, single audit cycle where possible.

WHERE TO START

From inquiry to certification

If you're earlier in the process

1. Get the Financial Services AI Roadmap

Free

A structured assessment for banks, insurers, and fintechs. Covers AI use case inventory, classification under the AI Act, and integration with existing risk frameworks.

Download the roadmap

2. Readiness Audit

Paid · Fixed fee

Diagnostic of your AI deployments against ISO/IEC 42001, AI Act obligations, and integration with your ISMS or model risk framework. Documented gap report, remediation plan, and certification timeline.

Book a readiness audit

If you're ready for certification

ISO/IEC 42001 Certification

ANAB-accredited

Three-year cycle, fixed fees, ANAB-accredited. Designed to integrate with your existing certifications. Surveillance audits included.

Talk to us about certification

HOW WE ENGAGE

A model that adapts to your firm

How we work with you depends on your institution's size and complexity. A regional fintech operates on different terms than a global bank with multiple regulators, so we offer three engagement models adapted to those institutional realities.

See how we engage →

  • Startup

    Early-stage AI. Light roadmap, certification when you scale.

  • Scaleup

    Readiness audit and certification timed to your growth.

  • Enterprise

    Full certification with recurring governance and ongoing support.

ACCREDITATION

Zertia is a conformity assessment body accredited by ANAB for ISO/IEC 42001

Our certification activities under ISO/IEC 42001 are conducted under accreditation by ANAB (ANSI National Accreditation Board), a globally recognized accreditation body.

ANAB accreditation confirms that our audit and certification processes meet applicable ISO standards and international requirements for competence, impartiality, and independence. Our methodologies, auditor qualifications, and decision processes are externally assessed against rigorous technical criteria.

For certified organizations, this provides internationally recognized certificates and enhanced credibility with regulators, clients, and investors.

Your fast track to compliance starts here

Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.