AI Compliance Framework for Financial Institutions: 6 Regulations — Dr. Michael Thiemann

AI compliance framework for financial institutions

AI compliance framework for financial institutions — board-ready implementation guide covering EU AI Act, NIST AI RMF, ISO 42001, GDPR, DORA and BCBS 239.

Regulatory AI Compliance Framework

Strategic Implementation Guide for Board and Executives in the Financial Industry

Presented by Dr. Michael Thiemann

EU AI Act · 1 / 4

EU AI Act: Strategic Overview

Strategic Business Impact

Market Access: Mandatory for EU operations
Competitive Edge: Early compliance differentiates
Risk: Fines up to €35M or 7% revenue

Compliance Architecture

Layer: Strategic (Business Model)
Foundation: GDPR, DORA required
Framework: NIST AI RMF or ISO 42001

EU AI Act · 2 / 4

EU AI Act: Strategic Implementation

Governance Model

Board: Strategy alignment oversight
CEO: Enterprise accountability
CRO: Risk classification & monitoring
CTO: Technical implementation

Investment Required

Phase 1 (6 months): Inventory & classification
Phase 2 (12 months): High-risk controls
Ongoing: Monitoring infrastructure

Dependencies & Sequencing

Foundation: GDPR and DORA first
Parallel: BCBS 239 supports monitoring
Quick Wins: System inventory first

Strategic Decisions

Platform: Build vs buy compliance tools
Framework: NIST AI RMF or ISO 42001
Model: Centralized vs federated

EU AI Act · 3 / 4

EU AI Act: Organizational Structure

Organizational Design

AI Governance Office: 5–7 FTE for inventory & compliance
AI Ethics Committee: Cross-functional quarterly meetings
AI Risk Managers: 1 FTE per business line

Accountability Matrix

Responsible: AI Governance Office executes
Accountable: CTO owns compliance program
Consulted: Legal, Risk, Business, DPO
Informed: Board, ExCo, Regulators

Capability Requirements

Technical: AI/ML expertise (hire 2–3)
Legal: EU regulation (external counsel)
Risk: Assessment methodology (train)
Total: 8–10 FTE new/reallocated

Change Management

Awareness: Organization-wide training
Technical: Developer compliance training
Governance: Monthly ExCo updates

EU AI Act · 4 / 4

EU AI Act: Implementation Workflow

Detailed Roadmap

Q1 2026: Complete AI system inventory
Q2 2026: Risk classification finalized
Q3–Q4 2026: High-risk documentation
Q1–Q2 2027: Audit & EU registration

Cross-Framework Workflow

Efficiency: AI inventory supports NIST RMF
GDPR: Data records inform documentation
DORA: ICT assessments cover AI resilience

Resource Allocation

Phase 1: €500K (consulting & internal)
Phase 2: €1.5M (platform & team)
Ongoing: €800K/year (monitoring)

Success Metrics

KPI 1: 100% inventory completion Q1
KPI 2: High-risk systems documented Q4
KPI 3: Zero prohibited use cases
KPI 4: On-time EU registration

NIST AI RMF · 1 / 4

NIST AI RMF: Strategic Overview

Strategic Business Impact

Voluntary: Industry best practice standard
Enabler: Implements EU AI Act requirements
Risk Reduction: Operational & reputational

Compliance Architecture

Layer: Operational (Risk Management)
Enables: EU AI Act implementation
Integration: Enterprise risk framework

NIST AI RMF · 2 / 4

NIST AI RMF: Strategic Implementation

Governance Model

Board: Risk tolerance & oversight
CRO: Framework ownership
Function Leads: 4-function responsibility
Integration: Risk committee structure

Investment Required

Phase 1 (3 months): Governance & policy
Phase 2 (6 months): Inventory & tools
Ongoing: Continuous monitoring

NIST AI RMF · 3 / 4

NIST AI RMF: Organizational Structure

Organizational Design

AI Risk Team: 3–5 FTE for framework execution
Function Leads: Govern, Map, Measure, Manage owners
Business Integration: Risk champions per unit

Accountability Matrix

Responsible: Function leads execute tasks
Accountable: CRO owns framework
Consulted: Business units, IT, Legal
Informed: Board Risk Committee

NIST AI RMF · 4 / 4

NIST AI RMF: Implementation Workflow

Detailed Roadmap

Month 1–3: Govern function (policies, structure)
Month 4–6: Map function (inventory, context)
Month 7–9: Measure function (metrics, tools)
Month 10+: Manage function (continuous)

Cross-Framework Workflow

Efficiency: Map aligns with EU AI Act inventory
Foundation: Measure uses BCBS 239 data
Integration: Manage leverages ERM processes

ISO 42001 · 1 / 4

ISO 42001: Strategic Overview

Strategic Business Impact

Certification: Market credibility signal
Framework: Alternative to NIST for EU AI Act
Differentiation: Early adopter advantage

Compliance Architecture

Layer: Operational (Management System)
Enables: EU AI Act structured approach
Integration: Aligns with ISO 27001, 9001

ISO 42001 · 2 / 4

ISO 42001: Strategic Implementation

Governance Model

Board: System scope & objectives
CIO: Management system ownership
Rep: Dedicated compliance role
Integration: ISO governance structure

Investment Required

Phase 1 (6 months): System design
Phase 2 (6 months): Implementation
Phase 3 (3 months): Certification audit

ISO 42001 · 3 / 4

ISO 42001: Organizational Structure

Organizational Design

AIMS Office: 4–6 FTE for management system
Management Rep: Dedicated ISO compliance lead
Process Owners: Control implementation per unit

Accountability Matrix

Responsible: Process owners execute controls
Accountable: CIO owns management system
Consulted: Quality, Risk, IT Security
Informed: Board, Certification Body

ISO 42001 · 4 / 4

ISO 42001: Implementation Workflow

Detailed Roadmap

Month 1–6: System design & documentation
Month 7–12: Implementation & training
Month 13–15: Internal audit & gap closure
Month 16–18: Stage 1 & Stage 2 certification

Cross-Framework Workflow

Leverage: ISO 27001 structure if existing
Alignment: GDPR data governance controls
Integration: DORA resilience requirements

BCBS 239 · 1 / 4

BCBS 239: Strategic Overview

Strategic Business Impact

Mandatory: Required for systemically important banks
Business Value: Real-time risk visibility
Pressure: Ongoing supervisory assessment

Compliance Architecture

Layer: Foundation (Data Infrastructure)
Enables: All risk & AI frameworks
Critical: Required for monitoring & reporting

BCBS 239 · 2 / 4

BCBS 239: Strategic Implementation

Governance Model

Board: Data governance oversight
CDO: Enterprise data strategy
CRO: Risk data requirements
CTO: Infrastructure & scalability

Investment Required

Multi-Year: 3–5 year transformation
Capital: Infrastructure & platforms
Operations: Permanent data quality functions

BCBS 239 · 3 / 4

BCBS 239: Organizational Structure

Organizational Design

Data Office: 15–25 FTE for governance & quality
Data Stewards: 1–2 per critical data domain
Platform Team: 10–15 FTE for infrastructure

Accountability Matrix

Responsible: Data stewards execute quality
Accountable: CDO owns enterprise data
Consulted: Risk, Finance, IT, Business
Informed: Board, Regulators, ExCo

BCBS 239 · 4 / 4

BCBS 239: Implementation Workflow

Detailed Roadmap

Year 1: Governance, critical data domains
Year 2: Platform build & integration
Year 3: Risk aggregation capabilities
Year 4–5: Full compliance & optimization

Cross-Framework Workflow

Enables: AI Act model monitoring data
Supports: DORA incident reporting
Foundation: GDPR data accuracy & completeness

GDPR · 1 / 4

GDPR: Strategic Overview

Strategic Business Impact

Mandatory: Required for EU operations
Trust: Customer data protection commitment
Risk: €20M or 4% revenue fines

Compliance Architecture

Layer: Foundation (Data Governance)
Enables: EU AI Act, DORA data protection
Integration: Pervasive across processes

GDPR · 2 / 4

GDPR: Strategic Implementation

Governance Model

Board: Data protection strategy
DPO: Independent function to board
CISO: Technical security measures
All Functions: Embedded accountability

Investment Required

Established: Ongoing operations
AI Focus: Enhanced automated controls
Training: Organization-wide capability

GDPR · 3 / 4

GDPR: Organizational Structure

Organizational Design

DPO Office: 3–5 FTE independent function
Privacy Champions: 1 per business unit
Legal/Compliance: 2–3 FTE privacy specialists

Accountability Matrix

Responsible: Privacy champions execute
Accountable: DPO owns compliance program
Consulted: Legal, IT Security, Business
Informed: Board, Supervisory Authority

GDPR · 4 / 4

GDPR: Implementation Workflow

Detailed Roadmap

Continuous: Ongoing compliance operations
Q1–Q2 2026: AI-specific control enhancement
Q3 2026: Data transfer mechanism review
Q4 2026: Privacy technology upgrades

Cross-Framework Workflow

AI Act: Data processing records inform docs
DORA: Breach notification coordination
BCBS 239: Data quality supports accuracy

DORA · 1 / 4

DORA: Strategic Overview

Strategic Business Impact

Continuity: Protects revenue & trust
Third-Party: Critical cloud dependencies
Risk: 2% turnover fines + disruption costs

Compliance Architecture

Layer: Foundation (Technology Infrastructure)
Enables: EU AI Act system resilience
Integration: Technology risk across operations

DORA · 2 / 4

DORA: Strategic Implementation

Governance Model

Board: Resilience strategy oversight
CISO: Technology risk & resilience
CTO: Infrastructure & third-party
CRO: Enterprise risk integration

Investment Required

Immediate: Gap remediation & reporting
Testing: Annual resilience, triennial pentest
Operations: Third-party monitoring

DORA · 3 / 4

DORA: Organizational Structure

Organizational Design

Resilience Office: 5–8 FTE for coordination
Third-Party Risk: 3–5 FTE for vendor oversight
Incident Response: 24/7 SOC capability

Accountability Matrix

Responsible: Resilience Office executes
Accountable: CISO owns compliance
Consulted: IT, Business, Legal, Vendors
Informed: Board, Regulators, ExCo

DORA · 4 / 4

DORA: Implementation Workflow

Detailed Roadmap

Q1 2026: Gap assessment & remediation
Q2 2026: Third-party contract updates
Q3 2026: Incident reporting platform live
Q4 2026+: Annual testing regime

Cross-Framework Workflow

AI Act: ICT risk assessments cover AI systems
GDPR: Breach notification coordination
BCBS 239: Incident data aggregation

Next Steps

1. Board Approval: Strategic framework selection and investment authorization

2. Executive Mobilization: Assign accountability and initiate organizational design

3. Quick Wins: Begin AI system inventory and prohibited use identification

4. Foundation First: Prioritize GDPR, DORA, and BCBS 239 as enabling infrastructure

Arrange a Discovery Call