
Generative AI and Financial-Services Compliance: How Smart Automation of Audit and Control Can Improve Efficiency, Accuracy and Transparency

by internationalbanker

By Saket Sinha, Senior Partner and Vice President Financial Services, and Rodney Rideout, Financial Services Risk & Compliance Strategy, IBM Consulting




The financial-services sector is one of the most regulated industries worldwide. Every day, banks, asset-management firms, insurance companies and other institutions must sift through hundreds of complex and constantly changing requirements to demonstrate sufficient transparency and adequately protect customers’ assets. To do this, financial institutions must monitor and manually implement changes in three regulatory areas: financial stability, prudent operations and resolution.

As a result, banks and other financial institutions have seen rising costs across the board. In the years following the 2010 enactment of the Dodd-Frank Act (Dodd-Frank Wall Street Reform and Consumer Protection Act) in the United States, for example, compliance costs for banks rose more than $50 billion per year.¹ A 2020 study of 240 senior executives in financial services found that one-third spent 5 percent of their annual budgets on compliance.² Larger banks operating within multiple jurisdictions often have had to spend even more money—not to mention time and effort—than their smaller, more localized counterparts to identify international regulatory obligations and map them to specific controls.

Ensuring a sound control environment can burden not only compliance and legal teams but also business-line and product managers. For instance, a product manager owning an application, such as a reporting tool, likely spends a disproportionate amount of time addressing frequent regulatory changes and compliance measures when he or she could—and should—be looking for ways to improve his or her offering.

Generative AI can help automate regulatory compliance

Today, most financial-services companies find it difficult to keep pace with the required changes and investments as they manage controls and compliance. This results in many tasks being completed manually, often through sheer force of will, which can delay adherence to new laws, rules and regulations (LRRs). As a result, businesses may be left scrambling to adhere to certain policies to avoid penalties and fines. Yet, manual processes are prone to human error because mapping regulatory obligations to controls can be subjective and requires expert judgment. In addition, regulatory requirements and instituted controls are subject to human interpretation, and human-based processing struggles to keep up with the vast number of points to look for and comply with.

While artificial intelligence (AI) has been a tool used by a growing number of organizations over the past decade, generative AI (GenAI) is emerging as an effective solution for automating and improving the outcomes of routine administrative and repetitive tasks. GenAI platforms, such as IBM’s watsonx³, apply large language models (LLMs)—machine learning (ML) algorithms—to recognize, summarize, translate, compare, predict and generate content using enormous datasets. Technologies such as generative AI help businesses accomplish the daily tasks they perform repeatedly much quicker, more efficiently and more productively, using a fraction of the resources required before.

For example, generative AI can help a bank ingest all applicable regulatory requirements and internal controls and then quickly alert it to gaps in the existing controls set up to adhere to regulatory requirements. GenAI can do so without human biases or interpretational differences while strictly sticking to hard facts. Using that information, the technology determines an organization’s obligations and evaluates whether they are being met. If not, generative AI can map regulatory obligations to specific controls or be trained to generate new controls over time. As the underlying GenAI foundation models are trained, the technology becomes more accurate in identifying gaps and related intricacies around interpretations of new regulatory requirements while addressing ambiguities to generate new controls to meet the determined obligations. Looking ahead, generative AI may eventually be able to write a new control that does not exist, driving even further efficiencies.

Generative AI’s benefits can include:

  • Seventy-five percent faster regulatory-change impact assessments,
  • A 40-percent reduction in compliance and legal-advisory hours,
  • A 20-to-70-percent reduction in external spending for legal and compliance content providers,
  • A 20-percent reduction in independent testing and discovery,
  • A 25-to-50-percent reduction in external spending for legal and compliance subject-matter experts,
  • A 75-percent reduction of manual mapping efforts of LRRs (laws, rules and regulations) to internal controls.

(These estimates were derived in collaboration with auditors based on findings from a 2023 IBM engagement with a global bank and follow the conclusions of a two-month pilot.)

High-level process overview

The following image shows a high-level process of sourcing regulation data, enriching the data, identifying the obligations and performing an operation similar to the organization’s internal controls to be in a position to map the data.


Line-of-business leaders, in collaboration with their compliance and technology partners, should discuss and identify the top bottleneck challenges the organization has faced in the past in the three areas of interpreting regulatory requirements, inadequate controls and MRA (matters requiring attention) violations. For example, this would involve determining regulatory changes and their impacts on the control environment or mapping regulatory laws to business processes to show coverage.

Choose one or more of the identified bottlenecks to define a few use cases focusing on intended outcomes to mitigate these challenges, then use them to test how generative AI can make a difference in solving specific problems. Document learned steps, time and effort to train, prompt engineer and fine-tune the models to acquire the known outcomes related to regulatory interpretations and control requirements. As the organization becomes more comfortable with GenAI technologies, it should address more complex challenges, such as automation and integration with its legacy environment.

Pitfalls to avoid:

  • Resist overwhelming the team by starting with a too-big, complex challenge. Keep it manageable, beginning with smaller, more confined but significant known problems and known solutions to run through the GenAI tools. In the process, learn and understand the applicability of the GenAI foundation model, familiarizing staff with the usages and quality of outputs to demonstrate how the process can be fine-tuned to achieve greater confidence.
  • Assess data availability and quality. Ensure the right data is available to train the model, and repeatedly check the outputs for known solutions to known problems to gain confidence that the process works and can be matured.
  • Be ready to fail quickly and reinvent. Try multiple foundation models in parallel for the same type of problem to see where effort and time can be optimized.
  • Ensure business-domain regulatory subject matter experts (SMEs) are involved to validate the results; otherwise, you could go down a rabbit hole and not solve targeted problems.

Be ready to train or infuse outside talent to help with resource-consuming and error-producing tasks, such as prompt engineering and model fine-tuning. When you scale for success, these quickly become costly if not planned and executed properly.

Understand the true nature of GenAI’s costs and limitations. It is not a magic wand but a powerful tool that needs careful consideration, enterprise governance, foundation-model selection and access to the critical data that the model can easily consume. A training or incubation program with skilled resources and willingness to persevere will be the keys to success.

Humans aren’t going anywhere

Although generative AI can vastly improve a financial institution’s audit and control processes, technology can’t do it all. Humans are the ultimate decision-makers and will continue to be for the foreseeable future. But generative AI can augment human capabilities by being less error-prone, more productive and more efficient, as well as by addressing the most tedious and time-consuming tasks more predictably.

Generative AI is ideal for automating the numerous repeatable tasks involved in understanding and interpreting esoteric compliance-data relationships, but there are still parts of the process that are not repeatable and, therefore, require human intervention. Ultimately, the expertise that compliance, risk, legal and IT (information technology) professionals provide will always be needed. But with generative AI, financial-services industry employees have a powerful tool to help them work more efficiently and effectively—the ultimate goal of all technologies.



1 Rice University’s Baker Institute for Public Policy: “Costs of Compliance with the Dodd-Frank Act,” Thomas Hogan, September 6, 2019.

2 Kroll: “Global Regulatory Outlook 2020: The Regulatory Landscape Evolves.”

3 IBM/watsonx: “Meet the AI and data platform that’s built for business.”



Saket Sinha is a Senior Partner within IBM’s financial-services industry consulting practice and leads IBM’s Global Banking & Financial Markets Center of Excellence. He has more than 25 years of experience working with financial institutions on their digital-transformation priorities, advising them on strategy, governance, operational and technical challenges and opportunities.

Rodney Rideout is a compliance and risk expert within IBM’s global financial-services industry consulting practice. He has more than 20 years of experience with enterprise-risk management and compliance functions within global financial institutions. He is responsible for a range of client projects, including risk and compliance strategy, risk methodology, process improvement and artificial intelligence.

