# Financial Services AI Compliance Guide
This guide covers AI regulatory requirements for financial services, including banking (EBA), securities trading (ESMA MiFID II), insurance (EIOPA), and UK prudential/conduct regulation (PRA/FCA).
## Executive Summary

### Regulatory Landscape
| Framework | Jurisdiction | Sector | Key Focus |
|---|---|---|---|
| EBA AI Guidelines | EU | Banking | Credit decisions, customer protection |
| ESMA MiFID II | EU | Securities | Algorithmic trading, best execution |
| EIOPA Guidelines | EU | Insurance | Underwriting, claims, consumer protection |
| PRA SS1/23 | UK | All FS | Operational resilience, model risk |
| FCA Consumer Duty | UK | All FS | Customer outcomes, vulnerability |

### OxideShield Coverage
| Framework | Current Coverage | OxideShield Feature |
|---|---|---|
| EBA AI Guidelines | 74% | PII, Attestation, Policy Engine |
| ESMA MiFID II | 67% | Emergency Kill Switch, Audit Trail |
| EIOPA Guidelines | 63% | Fairness detection, Explainability |
| PRA SS1/23 | 70% | Operational resilience, Model monitoring |
| FCA Consumer Duty | 85% | Wellbeing guards, Vulnerability detection |

## Framework-Specific Guides

- EBA Guidelines: Banking AI requirements for credit decisions, customer protection, and model governance.
- ESMA MiFID II: Securities trading AI requirements for algorithmic trading and investment advice.
- EIOPA Insurance: Insurance AI requirements for underwriting, claims, and pricing.
- PRA Prudential: UK prudential requirements for operational resilience and model risk.
- FCA Consumer Duty: UK conduct requirements for customer outcomes and vulnerability.
## Common Requirements Across Frameworks

### 1. Explainability
All frameworks require AI decisions to be explainable to customers and regulators.
| Requirement | OxideShield Feature | Status |
|---|---|---|
| Decision audit trail | Attestation layer | ✅ |
| Guard trigger logging | Telemetry | ✅ |
| Reason codes | GuardResult.reason | ✅ |
| Customer explanation | Policy engine | ⚠️ Partial |

### 2. Fairness & Non-Discrimination
| Requirement | OxideShield Feature | Status |
|---|---|---|
| Bias detection | Under development | ❌ Gap |
| Protected characteristics | PII Guard | ✅ |
| Disparate impact monitoring | Telemetry | ⚠️ Partial |

### 3. Model Risk Management
| Requirement | OxideShield Feature | Status |
|---|---|---|
| Model inventory | Policy-as-code | ✅ |
| Performance monitoring | Metrics collector | ✅ |
| Drift detection | ConsistencyTracker | ✅ |
| Validation testing | Red team scanner | ✅ |

### 4. Human Oversight
| Requirement | OxideShield Feature | Status |
|---|---|---|
| Human-in-the-loop | GuardAction::Review | ✅ |
| Override capability | Dashboard | ✅ |
| Escalation paths | Alert system | ✅ |
| Kill switch | Emergency controller | ✅ |

### 5. Customer Protection
| Requirement | OxideShield Feature | Status |
|---|---|---|
| Vulnerability detection | Wellbeing guards | ✅ |
| Crisis routing | PsychologicalSafetyGuard | ✅ |
| Manipulation prevention | DarkPatternGuard | ✅ |
| Data protection | PII Guard | ✅ |

## Deployment Configurations

### Banking (EBA Compliant)

```yaml
# oxideshield-banking.yaml
guards:
  - name: pii
    type: PIIGuard
    config:
      categories: all
      action: redact
      audit: required
  - name: fairness
    type: PatternGuard
    config:
      patterns:
        - "based on your race"
        - "because of your gender"
        - "due to your age"
      action: block
      severity: critical
  - name: customer_protection
    type: DarkPatternGuard
    config:
      categories:
        - sycophancy
        - user_retention
      action: block
attestation:
  enabled: true
  storage: file
  retention_days: 730  # 2 years for EBA
telemetry:
  enabled: true
  export: otlp
  metrics:
    - guard_decisions
    - customer_outcomes
    - response_times
```
### Trading (ESMA MiFID II Compliant)

```yaml
# oxideshield-trading.yaml
guards:
  - name: trading_safety
    type: PatternGuard
    config:
      patterns:
        - "guaranteed returns"
        - "risk-free investment"
        - "insider information"
      action: block
      severity: critical
  - name: suitability
    type: ToxicityGuard
    config:
      categories:
        - misleading
        - aggressive_sales
      threshold: 0.3
emergency:
  enabled: true
  admin_token: ${EMERGENCY_TOKEN}
  auto_recovery_timeout_secs: 3600
attestation:
  enabled: true
  retention_days: 2555  # 7 years for MiFID II
```
### Insurance (EIOPA Compliant)

```yaml
# oxideshield-insurance.yaml
guards:
  - name: claims_fairness
    type: PatternGuard
    config:
      patterns:
        - "claim denied because"
        - "premium increased due to"
      log_only: true  # For audit, not blocking
  - name: customer_wellbeing
    type: PsychologicalSafetyGuard
    config:
      enabled: true
      crisis_resources: insurance_support
  - name: pii
    type: PIIGuard
    config:
      categories:
        - health_data
        - financial_data
      action: redact
attestation:
  enabled: true
  retention_days: 1825  # 5 years
```
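The three deployment configurations differ mainly in how long attestation records are kept and in which guards block rather than log. A pre-deployment check that those choices still match the framework's minimums is worth automating, because a retention period shortened to save storage or a kill-switch token pasted into the file as a literal are easy to miss in review. The script below is an added example, not OxideShield code: it lints a config against the minimums stated in this guide's YAML comments (730, 2555 and 1825 days), requires the trading kill switch to be enabled with its token supplied as an environment reference, and requires a redacting, audited PII guard for banking. The configs are constructed inline as Python dicts mirroring the banking and trading YAML above; the rule names and the `weakened_trading_config` counter-example are this example's assumptions.

```python
"""Lint an OxideShield-style deployment config against this guide's minimums.

Added example, not OxideShield code. Retention minimums come from the YAML
comments in this guide; the other rules are this example's assumptions.
"""
import copy
import re

# Minimum attestation retention in days, from the YAML comments above.
RETENTION_MINIMUM_DAYS = {"eba": 730, "mifid2": 2555, "eiopa": 1825}

# A well-formed admin_token is an environment reference such as ${EMERGENCY_TOKEN}.
ENV_REF = re.compile(r"^\$\{[A-Z][A-Z0-9_]*\}$")

# Constructed: dicts mirroring oxideshield-banking.yaml and oxideshield-trading.yaml.
BANKING_CONFIG = {
    "guards": [
        {"name": "pii", "type": "PIIGuard",
         "config": {"categories": "all", "action": "redact", "audit": "required"}},
        {"name": "fairness", "type": "PatternGuard",
         "config": {"patterns": ["based on your race", "because of your gender", "due to your age"],
                    "action": "block", "severity": "critical"}},
        {"name": "customer_protection", "type": "DarkPatternGuard",
         "config": {"categories": ["sycophancy", "user_retention"], "action": "block"}},
    ],
    "attestation": {"enabled": True, "storage": "file", "retention_days": 730},
    "telemetry": {"enabled": True, "export": "otlp",
                  "metrics": ["guard_decisions", "customer_outcomes", "response_times"]},
}

TRADING_CONFIG = {
    "guards": [
        {"name": "trading_safety", "type": "PatternGuard",
         "config": {"patterns": ["guaranteed returns", "risk-free investment", "insider information"],
                    "action": "block", "severity": "critical"}},
        {"name": "suitability", "type": "ToxicityGuard",
         "config": {"categories": ["misleading", "aggressive_sales"], "threshold": 0.3}},
    ],
    "emergency": {"enabled": True, "admin_token": "${EMERGENCY_TOKEN}",
                  "auto_recovery_timeout_secs": 3600},
    "attestation": {"enabled": True, "retention_days": 2555},
}


def lint_config(config: dict, framework: str) -> list:
    """Return human-readable findings; an empty list means the config passes."""
    findings = []
    attestation = config.get("attestation", {})
    if not attestation.get("enabled"):
        findings.append("attestation.enabled must be true: every framework needs a decision audit trail")
    minimum = RETENTION_MINIMUM_DAYS[framework]
    retention = attestation.get("retention_days", 0)
    if retention < minimum:
        findings.append(f"attestation.retention_days={retention} is below the {framework} minimum of {minimum}")

    # Pattern and PII guards must state an action unless explicitly marked log_only,
    # so a guard that silently does nothing cannot pass review.
    for guard in config.get("guards", []):
        gcfg = guard.get("config", {})
        if guard["type"] in ("PatternGuard", "PIIGuard") and "action" not in gcfg and not gcfg.get("log_only"):
            findings.append(f"guard {guard['name']}: neither action nor log_only is set")

    if framework == "eba":
        pii = [g for g in config.get("guards", []) if g["type"] == "PIIGuard"]
        if not pii or pii[0]["config"].get("action") != "redact" or pii[0]["config"].get("audit") != "required":
            findings.append("eba: needs a PIIGuard with action=redact and audit=required")

    if framework == "mifid2":
        emergency = config.get("emergency", {})
        if not emergency.get("enabled"):
            findings.append("mifid2: emergency kill switch must be enabled for algorithmic trading")
        if not ENV_REF.match(str(emergency.get("admin_token", ""))):
            findings.append("mifid2: emergency.admin_token must be an environment reference, not a literal secret")
    return findings


def weakened_trading_config() -> dict:
    """Constructed counter-example: the trading config with two common mistakes."""
    weak = copy.deepcopy(TRADING_CONFIG)
    weak["attestation"]["retention_days"] = 365               # one year, far below MiFID II's seven
    weak["emergency"]["admin_token"] = "changeme-literal-token"  # secret committed into the config file
    return weak


if __name__ == "__main__":
    for name, cfg, fw in [("banking", BANKING_CONFIG, "eba"),
                          ("trading", TRADING_CONFIG, "mifid2"),
                          ("weakened trading", weakened_trading_config(), "mifid2")]:
        findings = lint_config(cfg, fw)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run as a pre-commit or CI step over the real YAML (parsed with any YAML loader into the same dict shape) and fail the pipeline on a non-empty findings list; the page's own banking and trading configs pass, while the weakened variant produces exactly two findings.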
## Audit & Evidence Generation

### Generating Compliance Reports

```python
from oxideshield import (
    generate_compliance_report,
    get_audit_entries,
    AuditFilter,
)

# Generate EBA compliance report
report = generate_compliance_report(
    framework="eba",
    start_date="2025-01-01",
    end_date="2025-12-31",
    include_metrics=True,
    include_incidents=True,
)

# Export for regulator
report.export_pdf("eba-compliance-2025.pdf")
report.export_json("eba-compliance-2025.json")
```
### Attestation for Regulators

```python
from oxideshield import AttestationReport, FileAuditStorage

# Load audit storage
storage = FileAuditStorage("/var/log/oxideshield/audit")

# Generate signed attestation
report = AttestationReport.generate(
    storage=storage,
    start_date="2025-01-01",
    end_date="2025-12-31",
    include_signatures=True,
    verifiable=True,
)

# Verify chain of custody
verification = report.verify_chain()
print(f"Chain verified: {verification.valid}")
print(f"Entries: {verification.entry_count}")
```
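This guide does not document the storage format behind `verify_chain()`, so the following is an added illustration, not OxideShield code, of what a chain-of-custody check on an audit trail involves: every entry commits to the hash of its predecessor and carries an HMAC under a signing key, so an after-the-fact edit, reordering or deletion is reported at the first index where the recomputed values no longer match. The signing key, the sample guard decisions and the field names are constructed for this example.

```python
"""Hash-chained, HMAC-signed audit entries with chain-of-custody verification.

Added illustration, not OxideShield's storage format or signing scheme.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


def canonical(obj: dict) -> bytes:
    """Stable serialization so hashes do not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class ChainVerification:
    valid: bool
    entry_count: int
    first_bad_index: Optional[int] = None


class HashChainedAudit:
    """Append-only list of entries; each commits to its predecessor's hash."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.entries = []

    def _digest(self, body: dict):
        entry_hash = hashlib.sha256(canonical(body)).hexdigest()
        signature = hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()
        return entry_hash, signature

    def append(self, record: dict) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "prev_hash": prev_hash, "record": record}
        entry_hash, signature = self._digest(body)
        entry = dict(body, entry_hash=entry_hash, signature=signature)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> ChainVerification:
        """Recompute every hash and signature; report the first entry that fails."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: entry[k] for k in ("seq", "prev_hash", "record")}
            expected_hash, expected_sig = self._digest(body)
            intact = (
                entry["seq"] == i                                         # nothing removed or reordered
                and entry["prev_hash"] == prev_hash                       # link to predecessor unbroken
                and entry["entry_hash"] == expected_hash                  # content unchanged
                and hmac.compare_digest(entry["signature"], expected_sig)  # written by the key holder
            )
            if not intact:
                return ChainVerification(False, len(self.entries), i)
            prev_hash = entry["entry_hash"]
        return ChainVerification(True, len(self.entries))


def build_sample_chain(key: bytes = b"constructed-demo-key") -> HashChainedAudit:
    """Constructed guard decisions of the kind a compliance audit trail would hold."""
    chain = HashChainedAudit(key)
    chain.append({"guard": "pii", "action": "redact", "reason": "account number in prompt"})
    chain.append({"guard": "fairness", "action": "block", "reason": "matched 'due to your age'"})
    chain.append({"guard": "trading_safety", "action": "block", "reason": "matched 'guaranteed returns'"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("fresh chain:", chain.verify_chain())
    chain.entries[1]["record"]["action"] = "allow"  # after-the-fact edit of a recorded decision
    print("after tampering:", chain.verify_chain())
```

The check catches edits, reordering and deletions inside the chain, but silently dropping entries from the tail leaves a shorter chain that still verifies; that is why the latest entry hash and the entry count belong in something the writer cannot alter, such as the signed attestation report handed to the regulator, where they can be compared against the storage at verification time.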
## Gap Remediation Roadmap

### Current Gaps
| Gap | Framework | Priority | Remediation |
|---|---|---|---|
| Bias detection | EBA, EIOPA | High | ML fairness classifier |
| Explainability UI | All | Medium | Customer-facing explanations |
| Disparate impact metrics | EBA | Medium | Telemetry extension |
| Model inventory API | PRA | Low | Dashboard feature |

### Planned Features
| Feature | Target | Frameworks |
|---|---|---|
| Fairness Guard | Q2 2026 | EBA, EIOPA, FCA |
| Explainability Layer | Q2 2026 | All |
| Regulatory Reporter | Q3 2026 | All |
| Bias Metrics Dashboard | Q3 2026 | All |

## Regulatory Contact Information

### EU Regulators
| Regulator | Website | Contact |
|---|---|---|
| EBA | eba.europa.eu | AI inquiries via website |
| ESMA | esma.europa.eu | fintech@esma.europa.eu |
| EIOPA | eiopa.europa.eu | info@eiopa.europa.eu |

### UK Regulators
| Regulator | Website | Contact |
|---|---|---|
| PRA | bankofengland.co.uk/pra | Via website |
| FCA | fca.org.uk | consumer.queries@fca.org.uk |