The 160-Year-Old Banking Law That Will Shape AI Regulation for Nationa

• AI bank regulation for national institutions is anchored in the 160-year-old National Bank Act, limiting how the OCC can act.
• The OCC’s authority over AI bank regulation flows directly from an 1863 statute written to finance the Civil War.
• Banks deploying AI tools must navigate a patchwork of outdated legal frameworks never designed with machine learning in mind.
• Without new Congressional legislation, federal regulators are essentially retrofitting 19th-century law onto 21st-century technology.

AI Bank Regulation Is Built on Civil War-Era Foundations

When people talk about AI bank regulation, they tend to picture sleek federal task forces, freshly minted executive orders, and regulators racing to keep pace with Silicon Valley. The reality is considerably less cinematic. The legal framework that will define how national banks in the United States are governed when they deploy artificial intelligence traces back not to any recent Washington memo — but to 1863, when Abraham Lincoln signed the National Bank Act into law to help fund the Union Army. That statute, and the regulatory body it eventually spawned — the Office of the Comptroller of the Currency — will shape AI governance at national banks for years, possibly decades, to come.

It’s a strange situation to sit with. Executives at JPMorgan Chase, Bank of America, and Wells Fargo are pouring billions into AI infrastructure — automating credit decisions, flagging fraud in real time, personalising customer interactions at scale — while the legal guardrails overseeing all of it were drafted in an era of telegraph machines and horse-drawn carriages. The mismatch isn’t just philosophical. It has real, practical consequences for how regulators can act, what rules they can write, and how much flexibility banks actually have. Understanding AI bank regulation means grappling with this foundational tension first.

What the National Bank Act Actually Says — and Why It Still Controls

The National Bank Act of 1863 established the federal chartering system for banks and created the OCC to supervise them. At its core, the law was about ensuring financial stability and sound lending practices. Nobody in Lincoln’s cabinet was thinking about algorithmic underwriting or large language models. But the Act defined the scope of national bank activities and, crucially, the OCC’s authority to regulate them — and that scope has been interpreted, stretched, and litigated ever since.

The OCC derives its supervisory power directly from this statute. That means when the agency wants to issue guidance or rules about how a bank uses AI — whether for loan approvals, anti-money laundering systems, or customer service chatbots — it can only act within the boundaries Congress granted it in 1863 and through subsequent amendments. It can’t simply invent new powers because a transformative technology has arrived. Regulators don’t get to do that. Congress does.

This is why the OCC has so far leaned heavily on interpretive guidance rather than hard rules when it comes to AI bank regulation. Guidance documents, supervisory letters, and informal expectations don’t carry the same legal weight as formal rulemaking — but they’re easier to issue quickly, and they don’t require the agency to claim statutory authority it may not clearly possess.

Retrofitting Old Rules to New Risks

The absence of AI-specific federal banking legislation has forced regulators into an awkward position: applying existing frameworks to technologies those frameworks were never designed to address. The OCC, the Federal Reserve, and the FDIC have all pointed to existing model risk management guidance — most notably the interagency SR 11-7 guidance on model risk management — as the primary lens through which AI systems should be evaluated at banks.

SR 11-7 was written to address statistical models used in credit risk and capital calculations. It’s not nothing. The principles around validation, independent review, and ongoing monitoring are genuinely applicable to AI systems. But anyone who has looked at how a modern deep learning model works compared to a linear regression model understands the conceptual gap. The opacity of large AI models, their sensitivity to training data, and their tendency to behave unexpectedly in edge cases introduce risks that the guidance simply wasn’t built to anticipate.

Banks have been told, essentially, to use their judgement and apply existing principles as best they can. That’s an uncomfortable place to be when the stakes involve fair lending compliance, consumer protection, and systemic financial risk. Effective AI bank regulation requires purpose-built rules, not improvised retrofits of decades-old guidance.

The OCC’s Evolving Stance on AI Bank Regulation

To its credit, the OCC hasn’t been entirely silent. The agency has published fair access principles, flagged AI-related concerns in its annual risk reports, and participated in interagency statements on the use of AI in financial services. The OCC, alongside the Fed and FDIC, reportedly issued a request for information on how banks were using AI — a signal that regulators were at least trying to map the terrain before drawing any lines on it.

What’s been slower to materialise is any binding, AI-specific rulemaking. Part of that reflects genuine regulatory caution — nobody wants to write rigid rules for a technology that’s still evolving rapidly. Part of it reflects the statutory constraints that the National Bank Act imposes. And part of it, frankly, reflects the political difficulty of getting Congress to pass anything coherent on AI bank regulation when lawmakers are still debating far more basic questions about AI governance generally.

The Consumer Financial Protection Bureau has been more aggressive, warning explicitly that banks can’t use ‘black box’ AI models to deny credit without providing legally required explanations. But the CFPB’s jurisdiction is over consumer financial products broadly — it doesn’t exclusively supervise national banks the way the OCC does, and the two agencies operate under different statutory mandates.

Third-Party AI Vendors and the Accountability Gap

There’s another layer to this that doesn’t get enough attention: the growing role of third-party AI vendors in the banking sector. Banks increasingly aren’t building their own models from scratch — they’re licensing AI tools from technology companies, integrating large language models from the likes of Microsoft, Google, or specialist fintech vendors, and embedding them into core banking workflows.

Under the OCC’s existing third-party risk management framework, national banks remain fully accountable for activities performed by vendors on their behalf. That’s the rule. In practice, enforcing it when the ‘vendor’ is a foundation model provider whose technology is also used by airlines, hospitals, and retailers — and whose internal workings aren’t fully disclosed — is genuinely difficult. The OCC reportedly updated its third-party risk management guidance with an explicit nod toward technology partnerships, but the gap between regulatory expectation and operational reality remains wide.

Who is ultimately responsible when an AI model trained by a technology firm produces a discriminatory lending decision? The bank, under current rules. Whether that accountability structure is sustainable as AI becomes more deeply embedded in financial services is an open question — and one the National Bank Act certainly doesn’t answer. Closing this accountability gap is one of the most pressing challenges facing AI bank regulation today.

What Has to Change — and What Probably Won’t Anytime Soon

The most honest assessment of where AI bank regulation stands today is this: the legal infrastructure is inadequate, everyone knows it’s inadequate, and the political will to fix it comprehensively doesn’t yet exist. The OCC can nudge, guide, and supervise. It cannot legislate. That’s Congress’s job, and Congress has so far produced more hearings than statutes on the subject of AI in financial services.

Some observers point to the EU’s AI Act as a model — a risk-tiered regulatory framework that treats AI systems used in credit scoring and financial decisions as ‘high risk,’ triggering stringent transparency and oversight requirements. Whether anything analogous could pass in Washington is, at minimum, a multi-year question. The US approach to financial regulation has historically been fragmented across agencies with overlapping and sometimes conflicting mandates, and there’s no obvious reason AI bank regulation will prove easier to coordinate than anything else.

In the meantime, national banks are left doing what they’ve always done when regulation lags technology: building internal governance frameworks, leaning on legal counsel, and hoping that their interpretation of existing rules aligns closely enough with what their examiner thinks when audit season arrives. The AI bank regulation landscape will sharpen eventually — but the 160-year-old law at its foundation means the pace of that sharpening is largely out of the industry’s hands. The banks that get ahead of this now, by building genuine explainability and fairness into their AI systems rather than treating compliance as an afterthought, will be far better positioned when the rules finally do crystallise.

Source: The Financial Brand

Frequently Asked Questions