Banks using AI for creditworthiness, fraud, AML triage or HR sit inside Annex III and acquire Articles 8 to 27 obligations on top of existing model risk supervision. The ECB SSM and EBA hold the prudential line in the EU. The biggest pitfall: building three artefact sets when one, mapped to SR 11-7, SS1/23 and the AI Act, will satisfy all three.
Insurers must treat AI used for risk assessment and pricing in life and health insurance as high-risk under Annex III, with technical documentation, human oversight and post-market monitoring. Supervision sits with EIOPA at the European level and national competent authorities day-to-day. The biggest practical issue is overlap: the same models already sit inside Solvency II governance, IDD product oversight rules, and GDPR Article 9 for health data.
SR 11-7 is US bank supervisory guidance issued in 2011 by the Federal Reserve and OCC, not a direct rule for asset managers. Bank-affiliated managers sit under it through the parent. Non-bank managers have largely adopted its principles voluntarily because SEC examiners, allocators and counterparties expect comparable practice. The biggest practical issue is applying bank model risk machinery to buy-side risk, valuation and liquidity models without overbuilding.
PRA SS1/23 sets five principles for model risk management at UK banks, effective 17 May 2024: a single firm-wide inventory and materiality framework, board-level governance, development standards, independent validation with effective challenge, and ongoing monitoring with risk mitigants. Material AI and machine learning models sit inside the same framework as quantitative models.
AI/ML-enabled medical devices fall under FDA SaMD regulation through CDRH. The PCCP framework, finalised in December 2024 guidance, is the major change: manufacturers can pre-approve a defined envelope of model modifications, removing the need for a new submission for every retraining cycle. The 510(k), De Novo and PMA pathways still apply based on risk class.
MiCA is the EU's first comprehensive crypto-asset framework. Its stablecoin titles applied from 30 June 2024 and the Crypto-Asset Service Provider (CASP) titles from 30 December 2024. MiCA does not regulate AI directly, but governance under Article 68, market abuse under Title VI and adjacent AML and Travel Rule obligations bring AI use in trading, KYC and surveillance squarely into supervisory scope.
The June 2023 interagency third-party guidance from the Federal Reserve, OCC and FDIC sets lifecycle expectations for managing third-party relationships, including AI vendors. Most material AI vendor arrangements sit in the higher-risk band because of sensitive data, subcontractor chains and customer-affecting decisions. The framework sits on top of SR 11-7 for the model layer itself, and the two registers must reconcile.
More industry views will be added under the published programme. Pages are released only when the data points required by our programmatic SEO release gate can be filled with sourced, non-paraphrased facts.