Banking institutions across the US and Europe are accelerating investment in AI data provenance and lineage infrastructure as regulators tighten enforcement timelines and expand audit expectations to cover AI-driven decision workflows. The push spans loan origination, risk assessment, and customer service operations, areas where AI is now deeply embedded but governance controls remain uneven, particularly at mid-sized institutions.
Background
Regulatory pressure centers on two converging forces: the expansion of longstanding risk data standards into AI territory and the emergence of new AI-specific legislation. The Basel Committee on Banking Supervision's BCBS 239 framework, which requires banks to trace every risk metric from source to final report with full transparency, is no longer considered optional, according to multiple compliance advisory firms. In May 2024, the European Central Bank issued its Risk Data Aggregation and Risk Reporting (RDARR) Guide, requiring complete and up-to-date data lineage at the data attribute level, from data capture through to final reporting, according to EY.
Thematic reviews and on-site inspections across Europe have revealed an "unsatisfactory" implementation status of BCBS 239, with multiple interpretations across the sector and many banks taking shortcuts where possible, according to EY analysis. The Basel Committee's own 2023 progress report underscored the scale of the gap: of the 31 banks assessed, only two were fully compliant with all BCBS 239 principles, and not a single principle had been fully implemented across all banks.
In parallel, the EU AI Act entered into force on August 1, 2024 and began phasing in substantive obligations from February 2025, classifying credit scoring, fraud detection, and risk management as high-risk AI use cases subject to rigorous fairness, transparency, and auditability requirements. In the US, the regulatory picture is more fragmented: President Trump signed Executive Order 14179 on January 23, 2025, revoking President Biden's comprehensive AI Executive Order, while state-level regulation continues to advance. California issued a legal advisory on January 13, 2025, explicitly stating that existing consumer protection laws apply to AI-driven decisions, according to Goodwin Law.
Details
The operational challenge for banks is substantial. Financial institutions relying on manual compliance systems often fulfill only a fraction of their regulatory obligations, leaving them at higher risk of penalties and operational inefficiencies, according to McKinsey's 2025 analysis of regulatory technology. One US-based bank's legacy system met just 75% of requirements before adopting an automated RegTech solution, which raised compliance to above 95%, McKinsey reported.
In financial services, firms must demonstrate not just who touched data, but what enrichment and transformations occurred, why decisions used specific fields, and how controls were applied, especially under BCBS 239 guidance and evolving supervisory expectations, according to Perficient. Practitioners note that AI-driven lineage implementations have enabled compliance teams to answer regulator traceability questions in hours rather than weeks.
The tooling market is responding. Vendors including Solidatus, Ataccama, OvalEdge, and Databricks are positioning unified platforms that combine data quality, governance, lineage visualization, and AI-driven automation. ABN AMRO is using a governed lakehouse on Azure Databricks to modernize legacy risk data platforms and accelerate regulatory reporting, according to Databricks. When M&T Bank deployed Microsoft Copilot to 16,000 employees, the institution needed to prove which data their AI accessed and protect against misuse, according to Solidatus, illustrating the governance demands that large-scale AI deployments now impose.
Governance gaps are particularly acute for mid-sized banks. Legacy systems often operate in silos with limited interoperability, making it difficult to trace data consistently across a bank's various platforms, according to Atlan. Without automation, documenting data lineage across complex, interconnected systems is labor-intensive and often results in incomplete or outdated records, limiting audit responsiveness and risking non-compliance. The ECB is expected to be more expeditious in its use of regulatory penalties, with added emphasis on the ability of organizations to resolve issues once uncovered and ensure compliance from the planned go-live date, according to Treliant's 2025 banking regulatory roadmap.
Accountability requirements are also reaching the boardroom. Model risk management frameworks need to extend explicitly to AI, with board-level accountability, explainability requirements, and bias detection built into the model development lifecycle from the outset, according to Wolters Kluwer's 2026 banking AI analysis.
Outlook
Regulatory convergence across jurisdictions is expected to compress compliance timelines further. International policy bodies including the G7 and OECD have emphasized the importance of harmonizing AI and data governance frameworks globally to minimize fragmentation and ease cross-border compliance, according to McKinsey. In the US, the FCC must initiate a proceeding on a federal AI reporting and disclosure standard within 90 days after the Commerce Department's evaluation of state AI laws is released, according to PwC's December 2025 financial services regulatory update. For banks that have deferred building end-to-end AI data provenance controls, the window for graduated remediation is narrowing as examiner scrutiny of AI model risk management intensifies on both sides of the Atlantic.
