Artificial Intelligence and Credit Unions: Navigating Compliance in an Evolving Landscape
Whether you are for it or against it, Artificial Intelligence (AI) is here and it doesn’t look to be going anywhere anytime soon (or ever). With AI’s exponential growth, we are seeing more questions in our compliance inbox asking for help with using AI technology and ensuring credit unions remain in compliance. As I discussed in the blog From Patchwork to Policy: The Federal Government’s New Approach to AI Regulation, there is a federal framework on the horizon, but unfortunately, it has yet to be put in place. You’re probably asking yourself, “What do we do in the meantime?”
First, there are many states that have passed AI legislation, with California and Colorado leading the charge. It’s important to make sure your credit union is aware of these laws, as a credit union serving members in those states will likely be required to comply, even if the credit union is federally chartered. Monitoring legislative developments and evaluating their impact on your AI governance program will become increasingly important.
Although the NCUA has not yet issued any AI-specific rules or regulations, it did issue this article, providing guidance and resources to help credit unions navigate the use of AI in their institutions. The overarching theme is that existing regulations are “technology-neutral and apply to AI use.” The article gives a great example: information security standards must be followed regardless of whether a credit union communicates via e-mail, phone, or an AI-enabled tool. The focus is on the outcome and associated risks, not the actual tool itself. What this means is that the NCUA will not treat AI any differently than any other existing technology.
The article largely focuses on governing AI responsibly, managing AI-related security and fraud risks, and leveraging AI to improve credit union operations and member services. The NCUA emphasizes that credit unions should approach AI through strong governance, oversight, and risk management practices. This includes board oversight, vendor due diligence, regulatory compliance, model risk management, and ongoing monitoring of AI systems. The article offers multiple resources to help with this approach, including these NCUA letters to credit unions that can be referenced when performing the due diligence expected on third-party vendors that utilize AI:
- 07-CU-13-Evaluating Third Party Relationships
- 01-CU-20-Due Diligence Over Third Party Service Providers
The NCUA expects credit unions to:
- “Identify risks that may be unique to AI or automated tools
- Monitor and measure those risks regularly
- Implement controls to mitigate operational, compliance, and security risks”
A significant portion of the article discusses protecting data used by AI systems, securing AI deployments, and addressing emerging threats such as deepfakes, AI-enabled fraud, and cybersecurity risks. The NCUA points readers to resources from agencies like CISA and FinCEN to help mitigate these risks.
Lastly, the article highlights how AI can improve member service, operational efficiency, fraud detection, and competitiveness. It also discusses practical considerations for implementing and scaling AI responsibly while balancing innovation with safety and compliance requirements. This article provides a plethora of resources to help credit unions with these tasks.
While the regulatory landscape surrounding AI continues to evolve, credit unions cannot afford to sit back and wait to see what happens. Existing federal laws and regulations already apply to AI use, making it essential for credit unions to establish strong governance, conduct thorough vendor due diligence, and proactively identify and manage AI-related risks. At the same time, AI-specific state laws that are already in place must be considered. By staying informed of legislative developments and implementing sound risk management practices, credit unions can responsibly embrace AI while maintaining compliance and protecting their members.