In the realm of artificial intelligence, excessive caution may prove more dangerous than agility and speed.  For financial sector regulators, a watch-and-learn approach has long been a prudent way to manage risk. With the rise of AI, however, this time-tested strategy may no longer be the optimal approach. As former U.S. Comptroller of the Currency Michael Hsu observed, there is now an equal risk in moving too slowly as in moving too fast. For regulators in emerging markets, who must grapple with unique infrastructural and capacity constraints, this two-sided risk presents a particular challenge.

Regulators must act. The opportunities are vast, but daunting. The best use of AI will go beyond simply adding on extra tools and instead reimagining how regulation and supervision can be done. By using this technology, supervisors can enhance their decision-making and leverage vast swathes of regulatory intelligence that until now have been out of reach.

But this is premised on a mindset shift among regulators, and a comprehensive strategy to guide the adoption of AI. The strategy should build on existing data and IT strategies, enable the maximisation of the benefits and the careful management of risk. Understanding the level of organisational and market readiness, where to invest effort and resources, how, when and under what conditions it is appropriate to use AI are all questions that should be considered in advance by human decision-makers and be clearly articulated in setting the strategic direction for the use of AI.

Regulator and market readiness to leverage emerging AI use cases

Adoption of AI in financial regulation and supervision is still in its infancy, but there are an emerging set of use cases being adopted by regulators globally. These include, enabling internal efficiencies, more effective supervision, and simplified regulatory processes, all of which provide a menu of options for early-stage AI use among regulators.

It is necessary for regulators to stay up to date with developments to ensure that their approaches are consistent with emerging regulatory practices. Not all AI use cases, even those used by other regulators, will be feasible or valuable in all regulatory or supervisory environments. Nevertheless, what is happening globally provides perspective on what is possible right now.

For many regulators, the level of organisational and market readiness will point to a strategy that begins with small and low-risk AI projects to develop AI fluency while encouraging rapid scaling where appropriate.

Some AI use cases are highlighted below.

Internal organisational efficiencies:

• Automating routine tasks: Regulators, including the Bank of England report using AI to record and summarise meeting transcripts, generate code and summarise documents.
• Basic documentation tasks: The Financial Stability Institute reports supervisors using generative AI for editing and drafting supervisory reports.
• Accessing information: The Netherlands Bank (DNB) implemented ChatDNB to support supervisors in accessing information in Open Book Supervision, which was previously difficult to find.

These are typically lower risk and most feasible to implement AI applications. Many businesses and public sector organisations are already using these kinds of tools, including those entities subject to financial regulation. The ubiquity of the tools, and the potential efficiency gains means they are unlikely to be met with market or public resistance. In some cases, off-the-shelf solutions could be used, keeping costs low.

Nevertheless, there are some key considerations for the use of these applications. These include:

• Ensuring the security of data and information processed by the AI
• Ensuring the quality of the AI outputs
• Providing guidance on the use and disclosure of use

Improved regulatory processes:

• Estimating regulatory impact: The Bank for International Settlements reports that some central banks are using web scraping, classification algorithms and similarity analysis to assess regulator impact.
• Summarising consultation responses: The UK government has launched an AI tool called ‘Consult’, which summarises policy consultation responses. In testing, it identified comparable themes to human summarisers, with potential to save 150 hours of human effort for a single consultation.

Using AI applications in more public-facing activities raises reputational risks, although given the public nature of the information in these examples, data protection risks are less likely. Poor functionality or outcomes using AI would reduce trust in the regulator and regulatory process.  As such, for these applications to be effective, it may be necessary that they are customised. They should all be rigorously tested.

Regulators need to have in place robust management mechanisms for the use of these AI applications, and continuous monitoring for effectiveness. Given the public impact, it may be necessary to create a channel for concerns to be addressed.

Enhanced supervision:

• Improving credit-risk forecasts using real-time data: The Bank of Namibia has launched an AI powered credit-risk model to proactively forecast non-performing loans.
• Expanding access to supervisory data: The European Central Bank is using generative AI to enable supervisors to access its data lake using natural language, a function previously only available to those who could code.
• Expanding capacity to detect and respond to scams and fraud: The Financial Conduct Authority of the UK uses AI for web scraping and to use social media tools to detect, review and triage potential scam websites. The Reserve Bank of India has developed a tool called Mulehunter.ai to detect mule accounts.
• Increasing efficiency in reviewing board documents: The Bank of Thailand is using AI to analyse the minutes of board meetings of financial institutions. This is used by supervisors to assess the regulatory compliance of the board.
• Strengthening anti-money-laundering (AML) efforts: The BIS’s Project Aurora developed a proof of concept for a data-driven, AI-enhanced method of detecting money-laundering networks (including across borders).

In using AI in this way, it is essential that human decision-making is not abdicated to AI, but rather the AI is used to improve the decision-making environment. These implementations are necessarily more complex, and have potential for higher risk, combining both data risk, and the risk that decisions lead to poor supervisory outcomes. As AI fluency and capability develop, it is likely that AI-enhanced supervision will begin to mean the delegation of certain contained supervisory functions to AI. The best implementations will be those that improve supervisors’ abilities to understand, predict and influence the markets and institutions they oversee.

AI adoption should be led by strategy and governance. As regulators tell their regulated population, governance is key to managing risk. There also needs to be a clear and structured strategy to guide the use of AI. Aligning with regional and national principles, regulators must put in place appropriate governance structures for their use of AI. The Bank for International Settlements in its January 2025 paper cautions against reinventing the wheel and provides a set of guidelines based on existing risk and governance frameworks.

From fluency to integration. Many of the use-cases already adopted by regulators are lower risk – particularly those around organisational efficiency, and those that use AI to do something that is an add-on to supervision, such as extra detection of scam websites or mule accounts. More game changing, higher risk, AI implementations however, are increasingly likely to be valuable or even necessary as the supervisory task becomes more demanding, and as supervised entities and markets become complex.

Strategically adopting lower-risk AI can support the development of AI fluency in the regulator and provide an opportunity to test the governance structures. If the AI addresses pain points, or provides value, it will help shift the culture to a more open stance. This paves the way for higher impact, higher-risk AI in the future. Before implementing higher-level supervisory AI, regulators need to have in place legal, technological and cultural foundations, including:

• The legal mandate to gather and process data
• Recourse mechanisms for data subjects to challenge or correct AI-based decision-making or AI conclusions that have a detrimental impact
• Clean, well-structured, reliable data and inputs
• Tech teams that are able to exercise oversight and judgement over providers and/or develop and support internal AI
• A culture that is open to and cognisant of the benefits and risks of AI
• A level of capacity and capability to both see the value and apply it within regulatory and supervisory functions, including by increased cross-functional collaboration
• Strong leadership promoting the use and value of AI

In some cases, these will merely be adaptations of existing approaches, but articulating how the existing approach applies in the case of AI is a necessary pre-condition to the roll out of this kind of higher-risk AI. In some cases, there will be substantial work to be done on underlying technology, data and governance structures.

The next phase

For many regulators, identifying risks may come more naturally than actively pursuing innovation. But failing to engage with AI carries its own risk – being left behind, without the skills or tools needed to oversee a rapidly evolving sector. Building a regulator that is fluent in AI and capable of leveraging its possibilities starts with establishing strong technical and governance foundations. It requires leadership and a culture that supports experimentation and adoption because for regulators, failing to act will not just be a missed opportunity, but will create a fundamental gap in their abilities to perform their roles.

Mapping AI regulatory use cases

In this figure, we’ve adapted Gartner’s AI opportunity radar to the financial regulatory context. Each use-case is in a quadrant, being: high impact/high risk; low impact/low risk; low impact/high risk and high impact/low risk. This is a qualitative judgement based on risks including possibilities for data misuse/loss; poor outcomes for consumers or participants and reputational damage to regulators. It is important to note that in many cases the specific design, including the human supervision, will significantly impact the risks. There is no judgment made within the quadrants.

The concentric circles represent ease of implementation, with easier implementations at the outside and potentially more difficult implementations towards the centre. This is also a qualitative judgement based on considerations including existing usage patterns, necessity for bespoke solutions, and underlying data governance requirements. This will necessarily differ from regulator to regulator so is a general assessment only.

What do you think? Are there any we’ve missed? Have we assessed correctly? Where can regulators best invest for impact?

Key sources:

1. Matei Dohotaru, Marin Prisacaru, Ji Ho Shin and Yasemin Palta “AI FOR RISK-BASED SUPERVISION Another “Nice to Have” Tool or a Game-Changer” World Bank, January 2025
2. BIS Representative Office for the Americas “Governance of AI adoption in central banks” Bank for International Settlements, Consultative Group on Risk Management, January 2025.
3. BIS ‘The use of artificial intelligence for policy purposes: Report submitted to the G20 Finance Ministers and Central Bank Governors’, October 2025.