Summary
- AI belongs on the reading steps, not the deciding ones - in a bank, a model can classify documents, extract data, and draft a rationale, but a named human owns every step an examiner can ask about later.
- Where does AI actually fit? Five workflows first: KYC onboarding, loan origination review, AML alert triage, periodic AML reviews, and audit-evidence assembly. Each has reading work a model can take and a sign-off a person must keep.
- The regulator already drew the line - the CFPB’s Circular 2022-03 says a creditor using an “uninterpretable or black-box” model still owes the applicant a “statement of specific reasons” for any adverse action.
- The defense is a logged process with a named owner - put the AI step before a human gate and record the chain. Map your first regulated workflow with us
Walk into any bank or credit union right now and you won’t find a shortage of AI demos. You’ll find a shortage of the thing that lets a model do real work inside a regulated firm: an audit-trailed, multi-approver process to run it in. The model is rarely the bottleneck. The missing piece is the scaffolding around it.
So here’s the short answer before the detail. AI fits financial services as a classify-and-draft layer that feeds a named human owner. It reads the application against the rules and flags what is missing. It pulls the watchlist hit into view and drafts the rationale a reviewer will confirm or reject. What it doesn’t do is approve the loan, clear the customer, or sign the adverse-action letter, because those are the steps an examiner reconstructs months later, and a reconstruction needs a person’s name on it.
This is the evergreen playbook rather than a single news take. We’ve written about the audit-trail-over-accuracy lesson when AI executes financial actions and about where AI is heading across regulated work. This post is the wider map: which workflows to hand a model first, and where the regulator has already told you to stop.
Where does AI actually fit in a bank?
Right where the work is tedious, time-sensitive, and reversible. A clever model with no defined process behind it isn’t an asset in an examined institution. It’s a liability waiting for a Tuesday-afternoon exception nobody can explain. Point that same model at the reading and drafting steps inside a process that records what it did, and it does real work without ever touching a decision.
The split that matters isn’t by department. It’s by what a step does to the outside world. Some steps only propose: they look something up, check it against a rule, or draft a result a human will weigh, and a wrong proposal there costs a few seconds of review. Other steps commit: they move the money, clear the customer, or release the filing, and a wrong commit is the exact event a supervisor will pull a file on. Put the model on the proposing steps. Keep a person on every committing one. You’ve now decided where AI is safe in your firm, and not one benchmark went into the call.
That single split protects you more than any model upgrade will.
Compliance Management Made Easy
The question we get from compliance leads more than almost any other is whether the model can just handle the routine approvals to save everyone the click. For low-stakes internal steps, sometimes. For anything an examiner can ask about, the click is the safeguard, and removing it trades a few saved minutes for a decision nobody can defend.
So name the places AI doesn’t belong, plainly, because a playbook that only sells AI isn’t one a regulator will trust. Autonomous approval of a credit application, an account closure, or an adverse-action decision is out. So is any unreviewed letter that tells a customer no. So is anything that quietly removes the human owner from a decision an examiner will later want a name for. The model can prepare every one of those decisions. It can’t be the one that makes them, and a vendor who tells you otherwise is selling you a problem you’ll meet at the next exam.
Five workflows to hand AI first
Start with the document-heavy, deadline-bound work your team already runs. These five have the right shape: a defined entry, checks along the way, and a sign-off someone owns.
KYC and new-account onboarding. A model classifies the uploaded documents, extracts the fields, and runs the completeness check while the customer is still in the chair. It scores the identity-proofing risk and flags the mismatches. A human adjudicates the edge cases and owns the decision to open the account. The reading is the grind; the model takes it.
Loan and credit origination review. The model assembles the packet, checks it against the program rules, and surfaces what is missing or inconsistent. It drafts the summary a credit officer will confirm. The credit decision itself stays human, for reasons the CFPB makes very concrete in the compliance section below.
AML alert and transaction-exception triage. A model takes first-pass classification and routing of alerts, then drafts the suspicious-activity narrative an analyst will edit. The analyst decides whether to escalate or file. What the model saves is the case-file assembly, not the judgment.
Periodic AML and compliance review. The model collects the evidence, compares it against the prior period, and drafts the summary for the reviewer. A person signs that the review happened and what it found.
Audit-evidence assembly. When the exam comes, the model pulls the immutable trail of who-touched-what into one place, so reconstruction is a query instead of a week-long scramble.
Those templates already carry the bones: a defined entry, checks along the way, and a sign-off step that someone owns. Dropping an AI step into the checking parts, while keeping the sign-off human, is most of the job.
The order in that diagram is the whole point. The AI step sits before the human gate, so the model’s confidence never reaches the ledger on its own. The logging sits at the workflow level, so the trail survives even when you replace the model next year. None of this is exotic. It’s the ordinary discipline of a KYC onboarding process or an AML compliance program, with one step now handled by a model instead of a junior analyst.
What an examiner actually checks
Not your model’s accuracy score. A score describes a population; an exam is about one decision on one day. The supervisor wants to walk backward from an outcome to the inputs the model saw, the rule it applied, and the person who signed. If you can produce that for every consequential action, you’re in good shape. If you can’t, the accuracy figure has nothing under it.
Picture the reconstruction. An examiner points at one account opened eight months ago and asks why it cleared. A defensible answer pulls up the documents the model read, the risk score it produced, the watchlist hit it surfaced, the analyst who reviewed the edge case, and the timestamp on the sign-off, all from one run. An indefensible answer is a scramble through email threads and a call to the vendor. Same model, same accuracy. The difference is whether the process wrote the trail down as the work happened or left someone to assemble it under pressure the week before the exam.
That reframes the compliance work into something a process tool can actually help with. Three rules sit underneath almost every financial workflow, and each one points at the same fix.
Model governance comes first. The Federal Reserve and OCC’s guidance on model risk management, known as SR 11-7, expects banks to manage the risk of decisions made on incorrect or misused models through disciplined development, effective validation, and sound governance. An AI step is a model. It needs an owner, a validation record, and a place in the governance chain, not a quiet deployment that nobody documented. The point of validation is the part most pilots skip: you have to be able to show the model still does what you said it does, on this quarter’s data, not the data it was built on.
Fair lending comes next, and the regulator has been blunt. The CFPB’s Circular 2022-03 states that a creditor making decisions on “complex algorithms,” sometimes called “uninterpretable or black-box models,” still has to give the applicant a “statement of specific reasons” for an adverse action under the Equal Credit Opportunity Act and Regulation B. In plain terms: you can’t hide behind the model. If it can’t explain why it denied credit, you can’t use it to deny credit. That single rule is why the credit decision stays human.
Then the BSA and AML program itself. The FFIEC BSA/AML Examination Manual builds a compliance program on internal controls, independent testing, a designated BSA compliance officer, and ongoing training, with customer due diligence woven through. An AI step that triages alerts has to live inside those controls and leave a record independent testing can read, rather than floating outside them.
The through-line is dull and it’s the point: the defense is a defined, logged process with a named human owner, not the model’s accuracy claim. In Tallyfy terms, the model’s contribution lives inside a step, and the step that follows is a blocking approval with a named owner, while the run history records every step as it happens. The reconstruction an examiner wants then exists by default.
Pilot the reading, keep humans on the call
Be straight about what you can do alone and where help pays for itself. The classification and drafting pilots are the part you can start yourself this quarter. Pick one workflow, KYC is the usual winner, put a model on the document-reading step, keep your existing sign-off, and watch what it catches. That’s a contained experiment with a clear owner and little downside if the model is wrong, because a wrong proposal just costs a reviewer a few seconds.
Firm-wide rollout under exam scrutiny is the other thing entirely. Once an AI step touches credit, AML disposition, or anything a regulator samples, you’re into model validation, fair-lending testing, and a governance story you’ll have to defend. The mistake we watch regulated teams make is treating the firm-wide rollout like the pilot, scaling the model before the process and the evidence trail are built to carry it. That’s where an independent take on what to automate, and in what order, is worth bringing in, because the sequencing is the risk.
A clever model behind no process is the thing that fails an exam. The same model inside a defined workflow that records every move is the thing you can defend. Build for the second one, and let the structure carry the weight the way the wider move to workflow automation already does for work with no AI in it at all.
Two ways to move on this
Run it on Tallyfy. Clone a KYC or loan-review template, drop the AI step into the reading parts, keep a named approver on every decision, and get a defined, audit-trailed process live in days.
Book a walkthrough with Tallyfy
.
Not sure what to automate first? If you want an outside, vendor-neutral take on which workflows are safe to start with before you commit to any tool, talk to
Blue Sheen
. Blue Sheen is the AI advisory practice founded by Tallyfy’s founders, Amit Kothari and Pravina Pindoria. It’s tool-agnostic, not a Tallyfy reseller.
