Community Blog

Building an AI Governance Framework: Key Takeaways from the NYC Workshop

May 23, 2025

Setting the Scene – From Washington to Wall Street

In our previous instalment, we followed FINOS Technical Project Advocate Karl Moll to the U.S. SEC’s AI Roundtable in Washington, D.C. The consensus there was clear: robust, risk‑based AI governance is now a board‑level imperative for every financial‑services institution (FSI). 

Banks, brokers and asset managers are all wrestling with three deceptively simple questions:

  1. What do we mean by “AI”?
  2. Who is accountable when models misbehave?
  3. How can existing risk frameworks be extended to cover AI‑specific threats such as hallucinations, data leakage or model drift?

The FINOS community’s answer is the open‑source AI Governance Framework (AIGF)—a vendor‑agnostic, collaboratively maintained set of risks and controls that any FSI can plug into its existing three‑lines‑of‑defence model. 

Inside the New York Workshop

On 13 May 2025 FINOS convened a hybrid workshop at Barclays' Rise offices in New York City. More than 30 practitioners from a range of organisations spent the day:

  • Stress‑testing the AIGF Draft Release (launched at OSFF NY in October 2024).
  • Mapping 18 top‑level risk categories (e.g. model bias, privacy leakage, operational failures) to 17 implementable controls aligned to existing frameworks such as NIST RMF and OWASP.
  • Brainstorming on the Common Controls for AI Services (CC4AI) initiative: a common evidence artefact format so cloud providers and AI vendors can attest once, and every consuming FSI can inherit assurance.

Deliverables from the session will feed into AIGF v1.0, scheduled for public review at OSFF London (24 June 2025). AIGF v1.0 aims to provide a common standard that fills the gap left by today's regulatory uncertainty.

Regulatory Landscape – Diverging Paths?

United States: Deregulation First

Since his inauguration in January 2025, President Trump has taken a deregulatory stance on AI by:

  • Revoking Executive Order 14110 on “Safe, Secure and Trustworthy AI”.
  • Issuing Executive Order 14179, “Removing Barriers to American Leadership in AI”, which instructs agencies to roll back any measures that could “hamper innovation.”
  • Proposing a ten‑year federal pre‑emption of state‑level AI laws.

While the direction is pro‑innovation, it leaves U.S. and global FSIs with even greater uncertainty: without clear federal rules, supervisory expectations will likely be set through enforcement actions rather than published guidance.

European Union: The AI Act Rulebook

Across the pond, the EU’s AI Act entered into force on August 1, 2024, as the world's first comprehensive regulation for AI, introducing risk-based rules that will be implemented in phases until August 2, 2027, and determine what kinds of AI systems and GenAI models can be placed on the EU market and how. 

The regulation includes limited exemptions for AI systems and general-purpose AI (GPAI) models that are released under a “free and open-source license” (see the Foundation’s guidance). On February 2, 2025, the prohibitions on AI systems that pose unacceptable risk, such as those used for harmful deception or social scoring, began to apply. The next major date is August 2, 2025, when the obligations for providers of GPAI models begin to apply.

Earlier this year I chatted with Dr. Cailean Osborne, a Senior Researcher at Linux Foundation Research. He explained that the providers of GPAI models may demonstrate compliance with their obligations through voluntary adherence to the GPAI Code of Practice, which has been drafted by over 1,000 experts and was due to be published on May 2, 2025. 

However, following pushback, from the US government among others, that the draft was too prescriptive and misaligned with the AI Act, the Code of Practice was not published on May 2, and an adjusted version is expected to be released at a later date. In any case, the obligations for providers of GPAI models, including models released under free and open-source licenses, will apply on August 2 with or without the Code of Practice.

The divergence creates friction for global banks: a single model may face zero mandated controls in New York but hundreds in Frankfurt!

On a positive note: GenAI becomes insurable

“Risk comes from not knowing what you’re doing.” – Warren Buffett. The insurance market has noticed:

  • Armilla's AI Chatbot Error Coverage: Armilla, a Y Combinator-backed startup, has introduced an insurance product underwritten by Lloyd's of London insurers. This policy covers companies for losses resulting from errors or malfunctions caused by AI chatbots, including legal costs and damages if a business faces claims due to underperforming AI tools. Notably, incidents like Air Canada’s chatbot inventing a discount highlight the potential for reputational and financial harm (source).
  • Munich Re’s aiSure™: Munich Re offers aiSure™, a product that guarantees the performance of AI tools. If an AI system fails to deliver as promised, Munich Re backs the performance guarantee and compensates customers for financial losses. This coverage is available for various AI applications, including generative AI and large language models (source).

These offerings are early signals that quantifiable AI governance is maturing—exactly the gap the AIGF aims to fill.

Call to Action

Whether you are a risk officer, engineer, vendor or regulator, together we can turn regulatory uncertainty into a shared, open standard for trustworthy AI in financial services.

 

Author: Luca Borella, Program Manager, AI Strategic Initiative, FINOS
