FSB seeks input on sound practices for responsible AI adoption in financial services

Amid growing concerns about the cyber security implications of advanced AI systems for the financial services sector, prompted in part by Anthropic announcement of its Mythos AI system, the Financial Stability Board has published a consultation report examining the benefits and risks of artificial intelligence in the financial system. The report provides a set of 12 sound practices that firms can consider adopting to facilitate responsible AI adoption.

Benefits and risks of AI in financial services

The FSB’s report highlights that AI is increasingly transforming financial services, with firms leveraging the technology across a wide range of areas ranging from back-office operations to consumer facing use cases. In operational and cyber resilience, for example, firms are using AI to enhance threat detection and response, identify vulnerabilities and promote business continuity through swift recovery from incidents such as ransomware attacks. 

But the report also underscores that AI gives rise to new and evolving risks, like those specific to emerging technologies such as agentic AI. The FSB therefore calls on boards and senior management of financial institutions to draw on its findings as they consider business strategy, technology adoption and risk management in an increasingly AI-enabled environment.

FSB’s proposed sound practices

To facilitate responsible AI adoption, the FSB proposes 12 sound practices that financial institutions could apply to their organisation-wide AI governance and across the stages of AI development and deployment. The report also provides examples of real-world case studies from financial institutions to illustrate how these practices can be implemented in practice.

The first four practices are designed to be cross-cutting, providing the foundation for the remaining practices by emphasising the importance of organisation-wide AI governance and informing a financial institution's decisions on whether, how, and at what scale to adopt AI.

• Strategic direction and oversight: The board and senior management align AI adoption and governance with the financial institution’s business model risk appetite and strategy.

• Governance and accountability: Financial institutions define clear roles and responsibilities and maintain an appropriate governance framework to enable responsible AI adoption.

• Incorporation of AI risks into risk management framework: Financial institutions adopt risk management frameworks that effectively address AI risks and include processes for AI identification documentation as well as materiality and risk assessment.

• Organisational adaptability: Financial institutions learn, adapt and adjust their oversight, governance, risk management practices, and capabilities as AI evolves.

The remaining practices, which focus on the management and mitigation of AI risks throughout the stages of AI development and deployment, comprise:

• Materiality and risk assessment: Financial institutions implement an effective and systematic approach to assess the materiality and risk of AI use cases at the inception stage and thereafter.

• Selection: When selecting AI models or systems, financial institutions consider business objectives, operational and technical needs, as well as the materiality and risks of AI use cases.

• Data governance: Financial institutions establish appropriate data governance to maintain data that is fit-for purpose for training, testing and using AI.

• Explainability and transparency: Financial institutions understand differences in the explainability of various types of AI. If appropriate and feasible, financial institutions adopt more explainable AI or consider compensating controls. Financial institutions also provide appropriate transparency tailored to different stakeholders.

• Performance management: Financial institutions evaluate the performance of AI use cases proportionately to their materiality and risk, including through performance assessments, testing and ongoing monitoring.

• Human oversight: Financial institutions implement appropriate and effective human oversight relevant to the materiality, risk, autonomy, complexity and explainability of different AI use cases.

• Cyber and ICT risk management: Financial institutions manage AI related cyber and ICT risks, including by incorporating AI cyber and ICT risk scenarios into tests and exercises, sharing relevant information and using AI tools in cyber and ICT risk management.

• Third-party AI risk management: Financial institutions appropriately manage risks from AI third-party use with a focus on performance, transparency, data quality, supply chain and concentration risks and business continuity.

Looking ahead

The FSB’s report is a substantive intervention on AI in financial services. The industry will likely welcome it as a step towards more international coordination on this topic. Even though the FSB says that the sound practices are not intended to establish an international standard or prescribe an approach for how firms should adopt AI, firms may treat them as a baseline as they ramp up their AI deployments, with AI agents being the latest iteration.

The report is also timely because recent advancements of AI models and their capabilities have brought to the fore heightened regulatory scrutiny over operational resilience compliance. Even though FSB’s proposed sound practices are not mandatory for financial services firms, over time supervisors may use them as a yardstick to assess firms’ compliance with existing obligations, including operational and cyber resilience regimes.

The FSB invites stakeholders to provide feedback on its consultation report by 22 July 2026.