The US Department of the Treasury has released its Financial Services AI Risk Management Framework, building on the NIST AI Risk Management Framework and translating it into 230 controls tailored for financial institutions. The framework is a significant development for banks, insurers, asset managers and fintechs that use AI in lending, trading, fraud detection, customer service and compliance.
From NIST to financial services
The NIST AI RMF provides a high-level structure for managing AI risk: govern, map, measure and manage. The Treasury framework takes that structure and fills it with controls that financial services firms can implement. The result is a detailed, sector-specific playbook rather than a principles document.
The 230 controls cover the lifecycle of AI use in financial services, from governance and risk assessment through model development, deployment, monitoring and third-party management. Firms that have already adopted the NIST framework will recognise the structure, but the Treasury document adds the specificity that risk and compliance teams need.
What the framework expects
Governance. Boards and senior management are expected to own AI risk. That includes setting risk appetite, assigning accountability, and ensuring that AI risk is integrated into enterprise risk management rather than treated as a technology silo.
Risk mapping. Firms should identify where AI is used, what decisions it influences, and what harms could occur. This includes customer-facing applications, internal automation and vendor-provided tools.
Measurement. The framework calls for testing, validation and ongoing monitoring. Model performance, fairness, robustness and explainability should all be measured against documented criteria.
Third-party risk. Many financial institutions rely on vendor models and cloud AI services. The framework expects firms to assess and monitor these relationships, including how vendor models are tested, updated and governed.
Consumer protection. AI used in credit decisions, insurance pricing, fraud detection and customer interactions must be fair, transparent and compliant with existing consumer-protection laws.
What firms should do now
Gap-assess against the 230 controls. You do not need to implement every control immediately, but you should know where the gaps are and prioritise the highest-risk areas.
Align with existing model risk management. Financial services firms already have mature model risk frameworks. The Treasury AI framework should be mapped onto these rather than run as a separate programme.
Involve the board. AI risk is increasingly a board-level issue. The framework reinforces that expectation. Ensure directors receive clear, non-technical reporting on AI risk exposure and control effectiveness.
Document everything. Regulators and auditors will ask for evidence of testing, validation, monitoring and remediation. The framework is control-heavy precisely because supervisors want documentation.
The bottom line
The Treasury framework does not create new statutory obligations on its own, but it will shape supervisory expectations. Financial institutions that align with the 230 controls will be better prepared for examinations, enforcement and litigation. Those that ignore it risk finding that their AI governance is out of step with the standard their regulators now expect.