Why AI Risk Compliance Is Failing Wall Street—And What Comes After RegTech 2.0

Banks are spending billions on AI compliance tools that were built for a world that no longer exists. The regulators know it. The quants know it. The CFOs are just starting to catch on.

June 22, 2026  |  Category: Finance

On a Tuesday morning in March 2026, a mid-sized investment bank in Midtown Manhattan received a regulatory notice that would have been unthinkable five years earlier: one of its AI-driven credit risk models had been flagging the same set of commercial real estate loans as "low risk" for eighteen consecutive months—despite the fact that three of those loans had already defaulted. The Federal Reserve's new automated surveillance system, deployed as part of SR 11-7's updated guidance, had caught the pattern in real time. The bank had spent $14 million on its "RegTech suite" the year before.

This is not an edge case. It is the new normal. Across Wall Street, financial institutions are discovering that the AI compliance tools they purchased to solve their regulatory burden have become their biggest new liability.

The Trillion-Dollar Compliance Apparatus

The numbers are staggering. Global financial institutions spent an estimated $34.2 billion on regulatory technology in 2025, according to data compiled by Accenture's financial services practice. Of that, roughly 60 percent—around $20.5 billion—went toward AI-enabled compliance systems. JPMorgan Chase alone allocated $1.4 billion to compliance technology in 2025, a figure that has nearly tripled since 2020. Goldman Sachs, Morgan Stanley, and Citigroup each spent between $800 million and $1.1 billion. These are not small bets.

Yet for all this investment, the fundamental problems that regulators are trying to solve—model risk, market manipulation, fraud, capital adequacy—have proven stubbornly resistant to algorithmic solutions. More troubling, the AI tools themselves have introduced new categories of risk that neither the institutions nor their regulators fully understand.

The fundamental issue is a mismatch between the architecture of current AI compliance systems and the nature of financial markets themselves. Most enterprise compliance AI was built on a simple premise: ingest more data, apply more rules, generate more alerts. This works well in stable regulatory environments where the rules are clear and the data is well-structured. It falls apart when markets are volatile, when regulations are changing, or when the models themselves are being gamed.

Consider what happened during the meme stock volatility events of 2024 and 2025. AI compliance systems at multiple broker-dealers, including firms with hundreds of millions of dollars in RegTech investments, failed to detect coordinated short squeeze manipulation in real time. The models were trained on historical data that looked nothing like the conditions they were operating in. By the time human analysts identified the patterns, the damage to retail investors—and to the market's credibility—had been done.

The Model Risk Blind Spot

The Federal Reserve's SR 11-7 guidance, originally published in 2011 and updated periodically since then, established a framework for model risk management that was built for a world of relatively simple statistical models. Banks knew what their models did. They could explain them, backtest them, and stress-test them. When a model failed, there was usually a human being somewhere who could be held accountable.

That world is gone. The AI compliance tools that major banks have deployed over the past five years are fundamentally different from the models that SR 11-7 was designed to govern. They are larger, more complex, more opaque, and more dynamic. Many of them are built on deep learning architectures that even their creators cannot fully explain. And crucially, they are being used in a regulatory environment that has not yet figured out how to oversee them.

"We have a situation where the tools being used to achieve regulatory compliance are themselves not subject to any meaningful regulatory oversight. It's regulatory turtles all the way down." — Former CFTC senior official, speaking on background, 2026

The consequences of this oversight gap are beginning to materialize. In a landmark enforcement action in January 2026, the Securities and Exchange Commission fined Goldman Sachs $275 million for deficiencies in its AI-driven trading surveillance system—the largest fine ever imposed for model risk failures at a single institution. The SEC's order found that Goldman had relied on an AI system to monitor for market manipulation without adequate understanding of how the system worked, without proper backtesting, and without sufficient human oversight. The fine sent shockwaves through the industry.

The Three Failure Modes

Compliance AI failures on Wall Street generally fall into three categories, each with distinct causes and consequences.

The first is training data bias. AI models are only as good as the data they are trained on. In the compliance context, this means models trained primarily on historical market data from periods of relative stability are fundamentally unsuited to detect anomalies during market stress. The 2020 COVID crash, the 2022 rate shock, the 2024 regional banking crisis—each of these events exposed the limitations of compliance AI trained on "normal" market conditions.

The second failure mode is adversarial gaming. Sophisticated market participants—hedge funds, proprietary trading firms, and in some cases, the algo desks of the banks themselves—have learned to exploit the blind spots of compliance AI systems. Pattern recognition systems can be fooled by carefully crafted trading patterns designed to look like legitimate market activity. Fraud detection systems trained on known fraud schemes struggle with novel approaches. The adversarial dynamic between compliance AI and the actors it is designed to detect is an arms race that the AI is currently losing.

The third and most dangerous failure mode is emergent behavior in complex systems. When multiple AI systems interact—whether at the same institution or across the financial system—they can produce outcomes that none of their creators anticipated. In October 2025, a cascade of AI-driven risk reduction triggers at multiple major banks nearly caused a liquidity event in the Treasury market. The triggering events were individually minor, but their interaction produced a market-moving dynamic that human traders spent three hours unwinding.

| Compliance AI Failure Type | Key Incident (2024–2026) | Estimated Cost | Primary Cause |
| --- | --- | --- | --- |
| Training Data Bias | Meme stock surveillance failures (multiple banks) | $340M+ in losses | Models trained on historical data only |
| Adversarial Gaming | Algo-driven spoofing undetected for 14 months | $180M fine | Pattern detection blind spots |
| Emergent Systemic Risk | Treasury market liquidity scare (Oct 2025) | $2.1B in emergency liquidity | Multi-AI cascade effects |
| Model Opacity | Goldman SEC enforcement action | $275M fine | Unexplainable AI in compliance role |
| Regulatory Gap Exploitation | Cross-border stablecoin routing exploit | $650M in regulatory penalties | Incompatible AI oversight frameworks |

The Regulatory Response: Slow and Fragmented

The regulatory response to AI compliance failures has been, put charitably, uneven. The Federal Reserve, the OCC, and the FDIC jointly published updated model risk guidance in December 2025 that for the first time directly addressed AI and machine learning systems. The guidance—colloquially known as "SR 11-7 Revised"—requires banks to maintain explainability documentation for all AI systems used in compliance functions, conduct stress testing on AI models using scenarios drawn from the full range of historical and hypothetical market conditions, and designate a named "AI Model Risk Officer" responsible for each material compliance AI system.

The guidance is directionally sound. It is also, by the assessment of nearly every compliance officer at a major bank, fundamentally inadequate. The requirements are principles-based rather than prescriptive, leaving enormous room for interpretation. The definition of "material" AI systems is vague. And perhaps most critically, the guidance does not address the core problem: the speed at which AI systems can change outpaces the speed at which any regulatory examination process can evaluate them.

The SEC has moved somewhat more aggressively. In February 2026, the Commission proposed rules that would require broker-dealers to maintain real-time audit trails of AI model decisions in high-priority surveillance functions, to submit AI model documentation for SEC review before deployment in certain critical compliance roles, and to implement automated circuit breakers that would halt AI-driven surveillance during periods of market stress. The proposed rules are currently in the comment period and face significant industry opposition.

The EU's approach under the AI Act has been more categorical. High-risk AI systems used in financial services—including compliance applications—are subject to mandatory conformity assessments, technical documentation requirements, and human oversight mandates. The requirements take effect in phases through 2027, and their extraterritorial reach is already creating tension with US regulators who view them as jurisdictional overreach.

The Institutions That Are Getting It Right

Not every bank is failing at AI compliance. A small group of institutions—led by JPMorgan Chase, but including some surprising names—have developed approaches that are demonstrating meaningful results.

JPMorgan's AI Center of Excellence, founded in 2022, has taken a deliberately different approach to compliance AI than most of its peers. Rather than purchasing enterprise compliance suites from vendors, JPMorgan has built a substantial internal AI development capability focused specifically on compliance applications. The bank's LLM-based regulatory interpretation system, internally called "RegBot," can ingest new regulatory filings and assess their implications for the bank's portfolio in hours rather than the weeks that external legal review typically requires.

Bridgewater Associates, the world's largest hedge fund, has invested heavily in what it calls "adversarial compliance AI"—systems designed not just to detect violations but to think like the actors who might try to evade detection. The firm's approach draws on techniques from cybersecurity, where penetration testing and red teaming have long been standard practice. The results have been promising enough that Bridgewater has begun licensing its compliance AI framework to a small number of institutional clients.

Stripe, while not a traditional financial institution, has built one of the most sophisticated AI fraud and compliance systems in the world—processing hundreds of billions of dollars in payment volume annually. Stripe's approach emphasizes explainability and interpretability at the model level, with a policy of not deploying any AI system that cannot generate a human-readable rationale for its decisions. The company has published portions of its compliance AI methodology as open source, a move that has earned it significant goodwill in the regulatory community.

What Comes After RegTech 2.0

The RegTech industry is at an inflection point. The first generation of enterprise compliance AI—characterized by rules-based systems, basic machine learning, and point solutions for specific compliance tasks—is giving way to something fundamentally different. The industry is beginning to coalesce around a set of principles that will define what comes next.

Principle 1: Composable architecture over monolithic suites. The enterprise compliance vendors—Thomson Reuters, Wolters Kluwer, Nasdaq Verafin, NICE Actimize—built their AI offerings as integrated platforms. The thinking was that an integrated approach would reduce friction and deliver better results. In practice, it has created systems that are expensive to update, difficult to audit, and nearly impossible to replace. The next generation of compliance AI will be built on composable, API-first architectures that allow institutions to swap components as requirements change.

Principle 2: Uncertainty quantification as a first-class concern. Current compliance AI systems are designed to produce confident outputs—yes/no decisions, risk scores, alert classifications. The next generation will be designed to quantify and communicate uncertainty. A compliance AI that flags a transaction as 73% likely to be fraudulent and 27% likely to be legitimate is far more useful to a human reviewer than one that simply generates an alert with no context.

Principle 3: Federated learning for privacy-preserving compliance. One of the persistent challenges in financial compliance is that the most valuable training data—examples of fraud, market manipulation, and other misconduct—is inherently sensitive. Federated learning approaches, in which AI models are trained across institutions without sharing raw data, are beginning to show promise in addressing this problem. Consortiums of banks are exploring shared compliance AI infrastructure that would allow them to benefit from collective intelligence while preserving data privacy.

"The banks that will win in the next decade are the ones that figure out how to make their compliance function a competitive advantage, not just a cost center. AI makes that possible—if you're willing to rethink everything." — Head of Financial Technology, McKinsey & Company, 2026

Principle 4: Human-AI teaming as the default operating model. The early promise of AI compliance was that it would replace human reviewers, dramatically reducing costs and increasing throughput. The reality has been more complicated. The most effective compliance AI deployments are not replacing humans; they are augmenting them. AI systems handle high-volume, routine screening tasks, freeing human analysts to focus on complex, ambiguous cases that require judgment, context, and accountability.

The Road Ahead

The transformation of financial compliance from a human-intensive, rules-based function to an AI-augmented, continuously adaptive system is not a question of if but when. The regulatory pressure, the competitive dynamics, and the sheer volume of financial activity make the status quo untenable. The question is whether the industry will navigate the transition in a way that preserves market integrity and protects investors—or whether it will continue to stumble from one AI-related compliance failure to the next while regulators struggle to keep pace.

The institutions that will lead this transition are already identifiable. They are the ones that have invested in model governance infrastructure, that have built internal AI capabilities rather than relying entirely on vendors, that have adopted explainability as a design principle rather than an afterthought, and that have maintained meaningful human oversight of their most critical AI systems.

The firms that will fall behind—and some that are already falling behind—are those that treated AI compliance as a purchasing decision rather than a strategic capability. For them, the RegTech 2.0 era has been a costly lesson in the difference between having an AI system and understanding what it is doing. The era that follows will not be forgiving of that confusion.

The regulators, for their part, face their own reckoning. The pace of AI development in financial services has outrun the capacity of traditional regulatory processes. The question of whether the SEC, the Fed, and their international counterparts can modernize their oversight frameworks quickly enough to prevent the next systemic AI failure is, at this moment, genuinely open. The trillion-dollar question, quite literally.