AI Risk in Finance: What CFOs and Compliance Officers Need to Know in 2026
Artificial intelligence is transforming finance faster than most governance frameworks can keep pace. From automated anomaly detection in accounts payable to generative AI tools producing first drafts of financial commentary, AI has moved from experimental to operational in many finance functions. But adoption without governance creates risk, and in 2026 that risk is increasingly regulated.
CFOs and Compliance Officers who have not yet developed a coherent approach to AI risk face multiple overlapping exposures: regulatory non-compliance with the EU AI Act, FCA supervisory scrutiny, model risk in forecasting and credit functions, and reputational damage from AI-driven errors in public disclosures. This article sets out the key AI risk categories, the regulatory framework, and how to upskill finance and compliance teams to manage them.
Types of AI Risk in Finance
1. Model Risk
Model risk is the risk of adverse outcomes arising from decisions based on incorrect or misused models. In finance, AI and machine learning models are increasingly used for forecasting, credit risk assessment, fraud detection, and financial planning. Unlike traditional actuarial or statistical models, machine learning models can be opaque in their reasoning (the "black box" problem), which makes validation and challenge more difficult.
Key model risk concerns for CFOs include:
- Models trained on historical data that do not adequately capture structural breaks (e.g., post-pandemic economic behaviour, interest rate shifts)
- Insufficient model validation processes: testing performance only on in-sample data rather than on out-of-sample or adversarial scenarios
- Lack of model governance documentation, making it difficult to explain or defend model outputs to boards, auditors, or regulators
- Over-reliance on model outputs without adequate human review, particularly where AI tools generate financial forecasts or risk assessments
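The in-sample versus out-of-sample point above is easy to show with a small reproducible check. The following is an added example, not code from the article or from Learnsignal: it fits a simple linear trend model on pre-break data and then scores it both on the data it was trained on and on held-out data from after a constructed structural break (a level shift of the kind a post-pandemic or rate-environment change produces). The series, the noise, and the review rule in flag_deterioration() are all constructed assumptions; no regulatory threshold is implied.

```python
"""Out-of-sample validation across a structural break.

Added example (not from the article): a linear trend model fitted on
pre-break data is scored both in-sample and on held-out post-break
data, showing why in-sample-only validation hides regime changes.
All data below is constructed; names such as validate() are this
example's own, not any regulatory or vendor API.
"""
import random
from statistics import mean


def fit_linear(xs, ys):
    """Closed-form ordinary least squares for y = a + b*x."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b


def mean_abs_error(model, xs, ys):
    """Mean absolute error of the fitted line on (xs, ys)."""
    a, b = model
    return mean(abs((a + b * x) - y) for x, y in zip(xs, ys))


def make_series(n_pre=24, n_post=12, break_shift=50.0, seed=0):
    """Constructed monthly series: linear trend plus small noise, with a
    level shift of break_shift from month n_pre onwards (the structural
    break the training history never saw)."""
    rng = random.Random(seed)
    xs = list(range(n_pre + n_post))
    ys = []
    for x in xs:
        y = 100.0 + 2.0 * x + rng.gauss(0.0, 1.0)
        if x >= n_pre:
            y += break_shift
        ys.append(y)
    return xs, ys


def validate(xs, ys, n_train):
    """Fit on the first n_train points, then score in-sample and on the
    held-out remainder. Both errors are returned so reviewers see the gap
    that an in-sample-only report would hide."""
    train_x, train_y = xs[:n_train], ys[:n_train]
    test_x, test_y = xs[n_train:], ys[n_train:]
    model = fit_linear(train_x, train_y)
    return {
        "in_sample_mae": mean_abs_error(model, train_x, train_y),
        "out_of_sample_mae": mean_abs_error(model, test_x, test_y),
    }


def flag_deterioration(report, factor=3.0):
    """Assumed review rule (not a regulatory figure): escalate when the
    held-out error exceeds the in-sample error by more than `factor`."""
    baseline = max(report["in_sample_mae"], 1e-9)
    return report["out_of_sample_mae"] > factor * baseline


if __name__ == "__main__":
    xs, ys = make_series()
    report = validate(xs, ys, n_train=24)
    print(report, "escalate:", flag_deterioration(report))
```

Run as-is, the in-sample error is under a unit while the post-break error is roughly the size of the level shift; a validation report that only quoted the first number would pass a model that is now mis-forecasting every month. The same split logic applies to any forecasting or credit model: hold out the most recent period, and hold out any period that straddles a known structural change.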
2. Data Bias
AI systems are only as reliable as the data they are trained on. In finance, data bias can manifest in several ways:
- Training data that reflects historical patterns of discrimination (e.g., credit models trained on data sets that systematically disadvantaged certain demographic groups)
- Sampling bias in transaction monitoring models that generates disproportionate false positives for certain client groups
- Temporal bias: models that over-weight recent data and lose sight of longer-cycle patterns relevant to financial risk
Data bias is not just an ethical concern; it is a regulatory one. The EU AI Act explicitly requires high-risk AI systems to use training data that is sufficiently representative and free from errors. The FCA has also signalled that it will scrutinise AI-driven decisions for potential consumer harm arising from biased models.
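The sampling-bias point about disproportionate false positives can be checked directly from investigation outcomes. The following is an added example, not code from the article or from Learnsignal: given alert records labelled with the client group, the model's flag, and the investigator's confirmation, it computes the false positive rate per group and the ratio between the best- and worst-treated groups. The records and the 1.25 escalation threshold are constructed assumptions for illustration, not a regulatory standard.

```python
"""Group-wise false positive check for a transaction monitoring model.

Added example (not from the article): compute the false positive rate
per client group and the disparity between groups, so that a bias or
explainability concern can be logged in the AI risk register with a
number behind it. Records and threshold are constructed assumptions.
"""
from collections import defaultdict


def build_sample_records():
    """Constructed alert outcomes: (client_group, flagged, confirmed).
    'flagged' is the model's decision, 'confirmed' the investigator's."""
    records = []
    # Group A: 12 clients, 10 legitimate, 1 of them wrongly flagged.
    records += [("A", True, True)] * 2
    records += [("A", True, False)] * 1
    records += [("A", False, False)] * 9
    # Group B: 12 clients, 10 legitimate, 4 of them wrongly flagged.
    records += [("B", True, True)] * 2
    records += [("B", True, False)] * 4
    records += [("B", False, False)] * 6
    return records


def false_positive_rates(records):
    """FPR per group = flagged legitimate clients / all legitimate clients."""
    counts = defaultdict(lambda: {"fp": 0, "legit": 0})
    for group, flagged, confirmed in records:
        if confirmed:
            continue  # confirmed cases are not part of the FPR denominator
        counts[group]["legit"] += 1
        if flagged:
            counts[group]["fp"] += 1
    return {g: c["fp"] / c["legit"] for g, c in counts.items() if c["legit"]}


def disparity_ratio(rates):
    """Highest FPR divided by lowest; 1.0 means parity across groups."""
    lo, hi = min(rates.values()), max(rates.values())
    return hi / lo if lo > 0 else float("inf")


def bias_review(records, threshold=1.25):
    """Assumed review rule: escalate when one group's FPR exceeds another's
    by more than `threshold` times. Returns the evidence alongside the verdict."""
    rates = false_positive_rates(records)
    ratio = disparity_ratio(rates)
    return {"rates": rates, "ratio": ratio, "escalate": ratio > threshold}


if __name__ == "__main__":
    print(bias_review(build_sample_records()))
```

On the constructed records group B's legitimate clients are flagged four times as often as group A's, which is exactly the pattern the article describes; the returned rates and ratio are what a compliance officer would attach to the escalation rather than the bare verdict.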
3. Explainability Risk
Explainability is the ability to understand and communicate why an AI system made a particular decision, and it is both a regulatory requirement and an operational necessity. In financial services, decisions made by AI systems (credit scoring, fraud flagging, risk rating) may need to be explained to customers, auditors, or regulators.
The EU AI Act requires high-risk AI systems to provide sufficient information for meaningful human oversight. The FCA, in its 2023 and 2024 guidance on AI, emphasised that firms must be able to explain AI-driven decisions to customers where those decisions are adverse, a requirement rooted in the Consumer Duty and the FCA's Principles for Businesses (Principle 6: treating customers fairly).
For CFOs, explainability risk is particularly acute in external financial reporting contexts: if an AI tool materially influences financial forecasts, impairment assessments, or going concern analysis, the finance team must be able to explain the basis of those outputs to auditors and the audit committee.
4. Regulatory Compliance Risk
The use of AI in finance now operates in an increasingly complex regulatory environment. Finance and compliance teams must understand the obligations arising from:
- EU AI Act: The EU AI Act came into force in August 2024, with phased obligations applying through to 2026. High-risk AI systems, including those used in credit scoring, insurance pricing, and employment decisions, face the most demanding requirements.
- UK AI governance framework: The UK government has adopted a pro-innovation, principles-based approach to AI regulation, with existing sector regulators (FCA, PRA, ICO) taking responsibility for AI within their domains.
- GDPR and UK GDPR: Where AI systems process personal data, including customer transaction data, employee data, or credit information, the requirements of GDPR apply. Article 22 restricts automated decision-making with significant effects.
The EU AI Act: Implications for Financial Services
The EU AI Act is the world's first comprehensive legal framework for AI. For financial services firms operating in or serving customers in the EU, it creates material compliance obligations:
Risk Classification
- Unacceptable risk: Prohibited AI applications
- High risk: AI systems used in credit scoring, insurance pricing, employment decisions, and critical infrastructure
- Limited risk: AI systems with transparency obligations
- Minimal risk: All other AI applications
Key Obligations for High-Risk AI in Finance
- Conduct conformity assessments and maintain technical documentation
- Implement robust data governance for training, validation, and testing data
- Ensure human oversight
- Maintain logs of AI system operation
- Register the AI system in the EU AI database
Timeline
- August 2024: EU AI Act in force
- February 2025: Prohibited AI applications banned
- August 2025: GPAI model obligations apply
- August 2026: High-risk AI system obligations fully apply
FCA Expectations on AI Governance
The FCA has been signalling its AI governance expectations clearly since 2022, through its AI Public Private Forum, its 2023 AI Update, and individual firm guidance. Key expectations include:
- Accountability: Under SM&CR, a named Senior Manager must own AI governance.
- Consumer Duty alignment: AI systems affecting retail customers must demonstrably deliver good outcomes.
- Operational resilience: AI systems supporting important business services must be tested and maintained.
- Third-party AI risk: Firms remain responsible for outputs of third-party AI tools.
How to Upskill Finance and Compliance Teams on AI Risk
All Finance and Compliance Professionals
- What AI is and how it is used in finance functions
- Types of AI risk: model risk, data bias, explainability, regulatory compliance
- How to apply professional scepticism to AI-generated outputs
- When and how to escalate AI-related concerns
Finance Leaders (CFOs, Controllers, Compliance Officers)
- EU AI Act requirements and their application to current AI tools in use
- FCA AI governance expectations and SM&CR accountability
- How to build an AI risk register and governance framework
- Model risk management principles for non-technical leaders
Frequently Asked Questions
What is AI risk in finance?
AI risk in finance refers to the potential for harm arising from the development, deployment, or reliance on artificial intelligence systems in financial functions. The main categories are: model risk, data bias, explainability risk, and regulatory compliance risk.
Does the EU AI Act apply to UK companies?
The EU AI Act applies to any organisation that places AI systems on the EU market or whose AI systems affect people in the EU, regardless of where the organisation is headquartered. UK companies with EU customers, EU subsidiaries, or AI systems deployed in EU member states are in scope for those activities.
What are the FCA's expectations for AI governance?
The FCA expects firms to govern AI consistently with existing regulatory obligations, including SM&CR accountability, Consumer Duty compliance, operational resilience, and third-party risk management.
What is model risk and how should CFOs manage it?
Model risk is the risk that a financial model produces inaccurate or inappropriate outputs. CFOs should manage model risk by establishing a model inventory, assigning ownership, requiring regular validation, and ensuring AI outputs are subject to professional scepticism.
When do EU AI Act obligations for High-Risk AI apply?
Full obligations for high-risk AI systems apply from August 2026. Firms with high-risk AI in production should have compliance programmes underway now.
How can finance professionals develop AI risk competence?
Finance professionals can develop AI risk competence through structured CPD covering the EU AI Act, FCA governance expectations, model risk management, and GDPR obligations. Online CPD platforms such as Learnsignal offer targeted AI risk modules for finance professionals.
What should be in an AI risk register for a finance function?
An AI risk register should document: each AI system in use, its function, data processed, risk classification, SM&CR owner, validation processes, any bias or explainability concerns, GDPR status, and the date of last review.
Download the AI Risk in Finance whitepaper from Learnsignal, covering the EU AI Act, FCA expectations, model risk frameworks, and practical upskilling strategies. Access the whitepaper at learnsignal.com/resources/.
Learnsignal Education Team
