Financial companies and finance departments are subject to strict regulations. AI use in finance is not a legal vacuum — BaFin, MaRisk, DORA, and the EU AI Act set clear guardrails.
BaFin Requirements
Supervisory Expectations for AI
The Federal Financial Supervisory Authority (BaFin) updated its AI guidance in 2025:
Model governance: Every AI model needs a responsible model owner
Validation: Independent validation before production use and regularly thereafter
Documentation: Complete documentation of data, methodology, assumptions, and limitations
Explainability: For customer-relevant decisions, AI logic must be traceable
Outsourcing: Cloud-based AI services are subject to outsourcing requirements
Reporting Obligations
Material outsourcing to AI providers must be reported to BaFin
Model risk events (AI model delivers erroneous results with material impact) are reportable
Incident reporting for AI-related IT security incidents
MaRisk and DORA
MaRisk (Minimum Requirements for Risk Management)
MaRisk governs risk management for banks and financial service providers:
AT 7.2 — Technical-organizational setup: AI systems must meet IT system requirements
AT 4.3.2 — Risk management and controlling processes: AI models in risk management need special controls
BT 3 — Risk reporting: AI-generated reports must meet the same quality standards as manual ones
DORA (Digital Operational Resilience Act)
In effect since January 2025 — applies to all financial companies in the EU:
ICT risk management: AI systems must be integrated into the ICT risk management framework
Incident reporting: AI-related ICT incidents must be initially reported within 4 hours
Digital resilience testing: AI systems must undergo regular stress tests
Third-party risk: AI providers (OpenAI, Google, AWS) are considered critical ICT third-party providers
Information sharing: Obligation to participate in information exchange about cyber threats
AI Governance in the Financial Sector
Three Lines of Defense for AI
1st Line — Business/Operations:
Model owner is responsible for correct usage
Monitoring model performance in daily operations
Escalation for anomalies
2nd Line — Risk/Compliance:
Independent model validation
AI risk assessment and classification
Compliance check against regulatory requirements
3rd Line — Internal Audit:
Regular review of the entire AI governance framework
Spot checks on individual models
Report to board/supervisory board
Model Inventory
Every AI model must be recorded in a central register:
Model name and purpose
Risk category (low/medium/high/critical)
Data sources and data quality metrics
Performance metrics and thresholds
Validation results and next review date
Responsibilities (owner, validator, sponsor)
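As an added illustration (not code from the article or from any regulator), the register above can be kept as structured records and audited mechanically: the check below flags missing responsibilities, a validator who is not independent of the owner, overdue or too-infrequent reviews (the checklist's "at least quarterly"), performance metrics below their thresholds, and high-risk models without an ethical assessment. The model names, metric values, the 90-day interval and the reference date are constructed assumptions.

```python
"""Model inventory with governance checks (added example; all sample data is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class RiskCategory(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    CRITICAL = "critical"


# "At least quarterly" from the checklist; the exact day count is an assumption.
MAX_REVIEW_INTERVAL = timedelta(days=90)


@dataclass
class ModelRecord:
    name: str
    purpose: str
    risk: RiskCategory
    owner: str
    validator: str
    sponsor: str
    data_sources: List[str]
    data_quality: Dict[str, float]      # e.g. completeness score per source
    metrics: Dict[str, float]           # current performance values
    thresholds: Dict[str, float]        # minimum acceptable value per metric
    last_validated: Optional[date]
    next_review: Optional[date]
    ethics_assessed: bool = False       # sign-off required for high/critical models


def check_record(rec: ModelRecord, today: date) -> List[str]:
    """Return governance findings for one inventory entry (empty list = clean)."""
    findings: List[str] = []
    # Responsibilities must be named, and validation must be independent of the owner.
    for role in ("owner", "validator", "sponsor"):
        if not getattr(rec, role):
            findings.append(f"{rec.name}: missing {role}")
    if rec.owner and rec.owner == rec.validator:
        findings.append(f"{rec.name}: validator is not independent of owner")
    # Validation before production use, then reviewed at least quarterly.
    if rec.last_validated is None:
        findings.append(f"{rec.name}: never validated")
    if rec.next_review is None:
        findings.append(f"{rec.name}: no review date set")
    elif rec.next_review < today:
        findings.append(f"{rec.name}: review overdue since {rec.next_review.isoformat()}")
    elif rec.last_validated and rec.next_review - rec.last_validated > MAX_REVIEW_INTERVAL:
        findings.append(f"{rec.name}: review interval exceeds {MAX_REVIEW_INTERVAL.days} days")
    # Every threshold needs a monitored metric, and the metric must meet it.
    for metric, minimum in rec.thresholds.items():
        value = rec.metrics.get(metric)
        if value is None:
            findings.append(f"{rec.name}: metric {metric} not monitored")
        elif value < minimum:
            findings.append(f"{rec.name}: {metric}={value} below threshold {minimum}")
    # Ethics committee assessment before deployment of high-risk models.
    if rec.risk in (RiskCategory.HIGH, RiskCategory.CRITICAL) and not rec.ethics_assessed:
        findings.append(f"{rec.name}: high-risk model without ethical assessment")
    return findings


def audit_inventory(records: List[ModelRecord], today: date) -> Dict[str, List[str]]:
    """Run the checks over the whole register; keys are model names."""
    return {r.name: check_record(r, today) for r in records}


TODAY = date(2025, 6, 1)  # constructed reference date for the sample run

SAMPLE_INVENTORY = [  # constructed sample entries, not real models
    ModelRecord("credit-scoring-v3", "Retail credit decision support", RiskCategory.HIGH,
                owner="retail-risk", validator="model-validation", sponsor="cro",
                data_sources=["core-banking", "bureau-feed"], data_quality={"completeness": 0.99},
                metrics={"auc": 0.81}, thresholds={"auc": 0.75},
                last_validated=date(2025, 4, 1), next_review=date(2025, 6, 30), ethics_assessed=True),
    ModelRecord("chatbot-faq", "Customer FAQ assistant", RiskCategory.LOW,
                owner="digital", validator="digital", sponsor="coo",
                data_sources=["faq-corpus"], data_quality={"completeness": 0.95},
                metrics={"answer_accuracy": 0.92}, thresholds={"answer_accuracy": 0.90},
                last_validated=date(2025, 1, 10), next_review=date(2025, 3, 31)),
    ModelRecord("aml-monitoring", "Transaction monitoring alerts", RiskCategory.CRITICAL,
                owner="financial-crime", validator="model-validation", sponsor="cco",
                data_sources=["payments", "kyc"], data_quality={"completeness": 0.97},
                metrics={"recall": 0.70}, thresholds={"recall": 0.80},
                last_validated=date(2025, 1, 15), next_review=date(2025, 8, 15)),
]

if __name__ == "__main__":
    for model, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(model, "->", findings or "clean")
```

In the sample run the credit model is clean, the chatbot is flagged for a non-independent validator and an overdue review, and the AML model for a review interval longer than a quarter, recall below threshold and a missing ethical assessment. The same findings list is what a first-line owner would escalate and what internal audit would sample.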
Ethics Committee
For high-risk AI models (credit decisions, fraud detection, AML monitoring):
Ethical assessment before deployment
Fairness tests across different customer groups
Impact assessment for model failures
Practical Checklist
Model inventory created and current
Validation process defined (independent from development team)
DORA compliance verified (ICT risk management, incident reporting)
BaFin reporting obligations for AI outsourcing fulfilled
Three lines of defense for AI implemented
Regular model performance reviews (at least quarterly)
Conclusion: Regulation is not an innovation barrier — it's quality assurance. Those who build AI governance correctly from the start save themselves expensive later corrections and fines.