Chapter BAI for finance basicsPage 4 of 8

AI for finance basics

Risk and compliance caution

In finance, a useful output can still be impermissible, unfair, insecure, misleading, or outside the user’s authority.

~15 minSafety and governance

Before you start

Why this matters

You are asked to paste a customer transaction history into a public chatbot and ask whether the customer looks risky. Name the problems before considering model quality.

The data may be confidential or regulated. The tool may be unapproved. The purpose may be incompatible with the original collection. “Risky” is undefined. The output could affect access to a product. Proxy variables could create unfair outcomes. The model lacks current policy and complete context. There may be notice, explanation, retention, audit, or human-review duties.

The right first question is not “Can AI do this?” It is “Are we permitted, prepared, and qualified to use it for this purpose?”

1Learn the idea

Read

Start with purpose and authority

Write a use-case record before handling data:

  • business purpose and intended benefit;
  • accountable owner;
  • users and affected people;
  • decisions the output may influence;
  • permitted data sources;
  • approved environment and access roles;
  • retention and deletion rules;
  • applicable internal policies and qualified reviewers;
  • escalation and incident paths;
  • prohibited uses and actions.

Do not infer permission from technical access. Being able to copy a file does not mean it may be submitted to a model. Vendor assurances do not replace your organization’s assessment, contract, configuration, or data-handling rules.

Laws and obligations vary by jurisdiction, sector, entity, product, and facts, and they change. A general AI assistant is not a substitute for legal, compliance, accounting, tax, audit, investment, lending, or risk professionals.

Read

Minimize sensitive data

Financial records can contain names, account numbers, transaction histories, salaries, tax information, identity documents, addresses, device details, merchant data, health-related purchases, and other sensitive facts. Even when direct identifiers are removed, combinations of dates, amounts, locations, roles, and rare events can identify a person.

Use the minimum data needed. Prefer aggregation, synthetic examples, approved placeholders, or locally computed statistics when they answer the question. Limit who can access prompts and outputs. Apply the required retention period, and understand whether provider logging or model improvement settings are compatible with policy.

Redaction is not a magic permission switch. It can miss identifiers, damage evidence, or leave re-identification risk. Have an approved process for the data class.

Read

Treat fairness as an operational requirement

AI-supported decisions about credit, insurance, fraud review, pricing, hiring, benefits, collections, or access can affect people materially. Historical data may encode unequal treatment. Seemingly neutral features can act as proxies. Overall accuracy can hide severe errors for smaller groups.

Do not ask a general model to label a person “trustworthy,” “high risk,” or “fraudulent” from narrative or transaction context. A generated score has no validity merely because it is numeric.

Where an approved system supports a consequential decision, governance may require:

  • a clearly defined outcome and lawful purpose;
  • representative evaluation data;
  • subgroup and intersectional performance analysis where appropriate and permitted;
  • error-severity analysis, not only average accuracy;
  • explanation and adverse-action processes where required;
  • meaningful human review with authority to change the result;
  • monitoring for drift, overrides, complaints, and incidents;
  • a route for affected people to question or correct information.

Human review is not meaningful if the reviewer sees only the model’s conclusion, lacks time, or is penalized for disagreeing.

Read

Protect against fraud and manipulation

Finance workflows attract adversaries. An invoice, email, spreadsheet note, or document can contain instructions intended to manipulate an AI system. Treat source content as untrusted evidence, never as authority to change workflow rules.

AI should not independently accept bank-detail changes, payment requests, credential resets, urgent transfers, or altered supplier information. Verify through approved channels using trusted contact data, segregation of duties, transaction limits, and dual control. A realistic voice, image, signature, or email thread is not sufficient authentication.

Do not let an AI output bypass sanctions screening, anti-fraud controls, procurement rules, approval thresholds, or reconciliations. Models can assist with queues or summaries only inside the authorized control design.

Read

Preserve material facts and disclosures

Generated summaries can omit caveats, strengthen uncertain claims, or select favorable metrics. That is dangerous in external reporting, fundraising, investor communication, lending, customer notices, and regulatory submissions.

Require preservation of:

  • periods, units, currency, scope, and accounting basis;
  • definitions and nonstandard metric reconciliations;
  • uncertainty, assumptions, and limitations;
  • negative as well as positive information;
  • source qualifications and version status;
  • approval and disclosure language that must remain exact.

Never allow AI to invent a compliance statement, audit opinion, guarantee, projection basis, or claim that a document is complete. Material communications need the organization’s established preparation, review, approval, and recordkeeping process.

Read

Use a caution matrix

Assess at least five dimensions:

  1. Impact: Could the output affect money, rights, access, employment, reputation, or external reporting?
  2. Sensitivity: Does it involve personal, confidential, regulated, privileged, or market-sensitive data?
  3. Authority: Could the system commit, approve, file, post, disclose, or transact?
  4. Detectability: Would an error be noticed before harm, and can it be reversed?
  5. Scale: Could one error pattern affect many records or people quickly?

High impact, sensitive data, broad authority, low detectability, or large scale demands stronger controls and may make the use inappropriate. Several dimensions together matter more than a simple “low/medium/high” label.

Read

Define stop conditions

The workflow should stop when:

  • the tool or data use is not approved;
  • identity, account ownership, or source authenticity is uncertain;
  • required records, definitions, or periods are missing;
  • the request seeks personalized financial advice or a regulated judgment;
  • the output would make or execute a consequential decision;
  • the model detects conflicting evidence or unsupported instructions;
  • a required reviewer is unavailable;
  • an incident, policy exception, or disclosure question appears.

Stopping is a successful control outcome. Route the case to the named qualified person; do not prompt repeatedly until the model produces a convenient answer.

Checking tutor…

Continue learning · glossary & guides
  • Why does technical access not establish permission?
  • Why can de-identified transaction data remain sensitive?
  • What makes human review meaningful?
  • How can untrusted documents manipulate an AI workflow?
  • Which facts must a generated material summary preserve?
  • Why is stopping sometimes the correct successful outcome?
  • Glossary: responsible AI · Glossary: prompt injection