What does OCC 2023-17 require here?

AI vendors are third parties under the interagency rule. The bank must apply risk-based oversight across the third-party lifecycle. Use of third parties does not diminish bank responsibility.

Does OCC 2026-13 model risk management apply?

Mostly no for generative AI specifically — OCC 2026-13 (April 2026) excludes generative and agentic AI from scope. For traditional ML models, 2026-13 supersedes the prior SR 11-7 baseline.

What about BSA/AML — can AI make those decisions?

AI triages; humans decide. The architecture surfaces signals and routes to your BSA officer with a confidence score. The officer makes the SAR-or-not decision.

Will this affect adverse-action timing requirements?

If anything, it tightens compliance — drafts ready faster with regulatory content pre-checked. Audit trail shows generation, review, and send times.

What happens if AI drafts wrong adverse-action language?

The loan officer catches it during review. AI flags low-confidence drafts. Mistakes observable in the audit log; tuned monthly based on corrections.

A use case we run for Lincoln banks and credit unions

AI for loan processing — Lincoln

Loan packet summarization, BSA/AML triage, exception flagging, member communication drafts — designed for community banks and credit unions across Lincoln. With the third-party governance OCC 2023-17 requires.

Omaha companies asking the same? See the Omaha view →

Text Rosey · Schedule a call →

The workflow, end to end

What goes in, what the AI does, what comes out, what your team gets back.

Input: Loan packet + applicant docs + policy + BSA/AML signals
Work: Summarize the packet, flag missing documents, triage BSA/AML signals, draft adverse-action language where required
Output: Reviewable loan summary, exception list, BSA/AML triage queue, draft adverse-action letters when applicable
Saved: 25–45 minutes per loan packet

What this looks like in production

Loan processing is dense paperwork with regulator-mandated decision points — exactly the workflow shape AI handles well in an assistive architecture. AI drafts; the loan officer or underwriter approves.

In production: a loan packet enters the workflow. AI summarizes, flags missing or stale documents, triages BSA/AML signals, and drafts adverse-action language where applicable. The officer reviews everything material, edits or overrides where needed, and approves.

The governance discipline is OCC Bulletin 2023-17 third-party guidance — your AI vendor is a third party, and the bank's responsibility isn't diminished by using one. OCC 2026-13 model risk (April 2026) excludes generative AI from scope. NCUA supervises through existing third-party rules.

How we run it

Two-week diagnostic with loan operations leadership.
Build inside the real LOS, document repository, BSA/AML platform. Production from week 3.
Pilot with a small named loan officer group.
Tune BSA/AML triage against your historical patterns and BSA officer's calibration.
Roll out to full loan ops with manager-led training. AI use policy + third-party AI vendor due-diligence in place.
Audit trail: every document and decision archived with source data and officer edits.

Common questions

What does OCC 2023-17 require here?: AI vendors are third parties under the interagency rule. The bank must apply risk-based oversight across the third-party lifecycle. Use of third parties does not diminish bank responsibility.
Does OCC 2026-13 model risk management apply?: Mostly no for generative AI specifically — OCC 2026-13 (April 2026) excludes generative and agentic AI from scope. For traditional ML models, 2026-13 supersedes the prior SR 11-7 baseline.
What about BSA/AML — can AI make those decisions?: AI triages; humans decide. The architecture surfaces signals and routes to your BSA officer with a confidence score. The officer makes the SAR-or-not decision.
Will this affect adverse-action timing requirements?: If anything, it tightens compliance — drafts ready faster with regulatory content pre-checked. Audit trail shows generation, review, and send times.
What happens if AI drafts wrong adverse-action language?: The loan officer catches it during review. AI flags low-confidence drafts. Mistakes observable in the audit log; tuned monthly based on corrections.

Sources

Use of a third party (including an AI vendor) does not reduce a bank's responsibility for safety, soundness, and consumer protection — Third-Party Relationships: Interagency Guidance on Risk Management, Office of the Comptroller of the Currency (OCC), with FDIC and Federal Reserve, 2023
OCC Bulletin 2026-13 explicitly excludes generative AI and agentic AI from its scope; an interagency RFI on those technologies is anticipated — Model Risk Management: Revised Guidance, Office of the Comptroller of the Currency (OCC), with FDIC and Federal Reserve, 2026
NCUA does not have AI-specific rules; existing safety, soundness, compliance, and third-party rules apply to AI use — Artificial Intelligence (AI) — Regulation and Supervision Resources, National Credit Union Administration (NCUA), 2026
AI high performers are nearly 3x as likely as others to say their organizations have fundamentally redesigned individual workflows — The state of AI in 2025: Agents, innovation, and transformation, McKinsey & Company (QuantumBlack, AI by McKinsey), 2025

Use Case

AI for community banks

Industry

Banking & Credit Unions

Service

running AI from strategy to cutover

Service

AI governance framework

Concern

what data privacy looks like with AI

Answer

AI oversight and governance

→ Start here

Text Rosey to begin.

Rosey is our executive-assistant bot. Text the number below — she'll ask two questions, offer three calendar slots, and put a 30-minute call on Jim's calendar.