The AI Governance Playbook

AI Governance in FinTech - Spring 2026

May 12, 2026 · Paid

24 pages. Six regulatory frameworks. Separate 90-day action plans for founders and institutions, because their obligations differ even when they’re running the same tool.

Issue 03 is out: AI governance in FinTech

FinTech sits inside the most regulated AI category there is. Credit decisions, fraud scoring, AML profiling, insurance pricing. Regulators didn’t write the rules for education first or healthcare first. They wrote them for financial services first, and in the most detail.

The EU AI Act lists creditworthiness assessment and credit scoring of natural persons, and risk assessment and pricing for life and health insurance, as high-risk uses in Annex III. The CFPB has told the industry in writing that there are no carve-outs for algorithms. The FCA has confirmed that Consumer Duty and SM&CR apply fully to AI-driven decisions. The hard EU deadline for the high-risk obligations is 2 August 2026. That’s under 90 days away.

Issue 03 covers all of it.

What’s inside

  • The compliance stack. FinTech AI has to answer to six parallel frameworks simultaneously: AI risk classification, data protection, fair lending, model governance, consumer protection, and operational resilience. Most sectors deal with one or two. FinTech gets all six, and several interact in ways regulators are still figuring out.

  • The trigger matrix. Credit scoring, fraud detection, insurance pricing, KYC, AI chatbots, algorithmic trading, each mapped against regulatory triggers across the EU, US, and UK. Social scoring for creditworthiness gets its own row, in red. It’s prohibited under Article 5. No compliance pathway exists.

  • The EU section. Everything that needs to be in place by 2 August: risk management system, data governance, Annex IV technical documentation, logging, human oversight, conformity assessment, CE marking, EU AI database registration. Plus the five deployer duties institutions carry alongside the vendor, regardless of what’s on the CE mark.

  • The US section. ECOA and the adverse action problem. The CFPB has confirmed that “the AI decided” is no defence under the law: creditors must still give specific, accurate reasons for adverse action, however complex the model. State-level obligations in Colorado, Illinois, and California are already in force. The Massachusetts AG settlement tells you what four years of record retention looks like in practice.

  • The UK section. No AI Act, but Consumer Duty, SM&CR, FCA PS7/24, and the Mills Review all apply right now. The gap between “no AI law” and “no AI obligations” is large, and the FCA has been direct about it.

  • The 90-day plan. Two tracks: one for founders, one for institutions. Three phases each. Ends with one named owner, documented governance, and a defensible answer to the question regulators ask on both sides of the Atlantic: what did you know about what your AI was doing to customers, and what did you do about it?

Who should read it

  • FinTech founders with AI in credit, fraud, insurance, or KYC products

  • Compliance and product teams at banks licensing AI tools

  • Anyone with August 2 on their radar who hasn’t started the compliance build yet

Informational only, not legal advice. For decisions with real legal consequences, get a lawyer. For understanding what those decisions are, this is what the Playbook is for.

The PDF is linked below [if you are a free subscriber, you can upgrade to access the report.]


Note that this briefing is for informational purposes only and doesn’t constitute advice of any kind. For questions specific to your work, talk to a qualified lawyer in your jurisdiction.

Here is the link ….

© 2026 Andy Wood