Banks Can’t Outsource Judgment to Algorithms

Highlights

Supervisors are pressing banks to monitor risk continuously across AI, vendors and data flows.

Accountability is shifting toward auditable, decision-level traceability inside automated systems.

AML proposals now prioritize measurable outcomes over periodic compliance reviews.

The growing reliance on automated customer interactions across banks and retailers is now being matched by a change in supervisory expectations, one that places continuous oversight at the center of financial operations.

    Compliance is no longer defined by periodic reviews and will increasingly be treated as a persistent function embedded within systems tied to risk assessment and transaction execution.

    Recent guidance from the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve reflects the evolution. This week, the agencies issued revised interagency model risk management guidance that emphasizes ongoing validation and governance controls tied to the scale and complexity of model usage.

    The updated framework addresses third-party tools and vendor-provided models, as banks must validate and monitor external dependencies alongside internal ones.

    Interconnected Risks

    Regulators are increasingly focused on the shared infrastructure underpinning modern financial services. Artificial intelligence models, cloud providers and external data services can be, and are being, viewed as interconnected risk channels rather than discrete operational components.

    Elsewhere, the U.S. Department of the Treasury released new AI risk management resources designed to standardize terminology and strengthen oversight as financial institutions expand AI use across customer service, underwriting and operational processes.

    In parallel, supervisory expectations increasingly require institutions to map dependencies across these systems. That includes understanding concentration risk tied to a limited number of cloud or model providers, and ensuring that those dependencies are subject to ongoing monitoring rather than static vendor reviews.

    This approach builds on existing third-party risk frameworks but extends them into real-time supervision.

    A bank’s customer service platform, whether in a call center or digital interface, is part and parcel of a broader risk network that must be observable and auditable at all times. The movement is toward traceable, decision-level accountability, where institutions must demonstrate how specific outputs are generated, validated and governed within automated systems.

    Frameworks Multiply

    The structural change in compliance is also evident in the increasing specificity of regulatory frameworks. The Treasury-linked AI guidance introduces detailed control structures that can include hundreds of mapped control objectives across risk categories and lifecycle stages.

    At the same time, anti-money laundering (AML) expectations are being recalibrated. While formal rulemaking continues to evolve, supervisory direction embraces risk-based programs that demonstrate effectiveness through outcomes rather than adherence to static procedures.

    This orientation is reflected in recent interagency efforts tied to model risk and Bank Secrecy Act (BSA) and AML systems, where regulators emphasize validation, monitoring and governance over time, particularly when models or automated systems are used to detect suspicious activity.

    Identity signals, transaction context and behavioral indicators must flow across platforms without delay. The renewed focus described above places new weight on infrastructure.

    APIs, interoperable data layers and identity frameworks are becoming essential not only for customer experience but for supervisory visibility. A fragmented system cannot support the level of transparency now expected.

    Legacy architecture presents a constraint. A recent PYMNTS Intelligence report, done in collaboration with Trulioo, underscores how identity has become a central pressure point in this shift toward continuous oversight.

    Financial institutions derive roughly 76% of revenue from digital channels, yet nearly 75% report inconsistent identity verification outcomes, creating both operational friction and regulatory exposure. The report finds that 76% of firms are missing growth opportunities due to know your customer (KYC) and know your business (KYB) constraints, while identity failures generate an estimated $34 billion in annual losses.

    At the same time, reliance on a concentrated set of technology providers raises additional concerns. Regulators are beginning to address concentration risk in technology dependencies with greater precision, recognizing that shared infrastructure can transmit disruptions across institutions.