Share:
In 2012, JPMorgan Chase lost more than $6 billion in a trading debacle now known as the "London Whale." A significant contributing factor was a spreadsheet error in the risk model being used to assess the position's exposure – a formula that divided by a sum instead of an average, effectively cutting the calculated risk in half. The model said things were fine. Things were not fine. That's model risk in its most expensive form, and it predates AI entirely.
Now imagine that same category of failure applied to AI systems making millions of decisions per day across lending, credit scoring, fraud detection, trading, and insurance pricing. Model risk hasn't gone away in the AI era – it's gotten larger, faster, and harder to see.
Model risk is the risk that a financial model produces incorrect outputs that lead to bad decisions. In finance, models are everywhere: they determine whether you get approved for a mortgage, what interest rate you're offered on a credit card, whether a transaction is flagged as fraud, how a bank estimates its capital requirements, and how an algorithm decides to buy or sell a security. When any of these models is wrong – because it was built on flawed assumptions, trained on unrepresentative data, or used in conditions it wasn't designed for – the decisions it drives are wrong too.
Traditional model risk has been a recognized concern in banking regulation for decades. The Federal Reserve and the Office of the Comptroller of the Currency published guidance on model risk management (SR 11-7) back in 2011, requiring banks to validate their models, document their assumptions, and maintain human oversight of model-driven decisions. The guidance was developed in response to failures like the 2008 mortgage crisis, where flawed risk models significantly underestimated the probability of correlated housing market declines.
AI introduces new dimensions of the same problem, and in some ways makes the classic failure modes harder to catch.
A traditional financial model is typically built around explicit, interpretable rules. An underwriter's credit scoring formula might weight income, debt-to-income ratio, payment history, and credit utilization in defined proportions that can be written out and examined. If the model produces a surprising result, you can trace back through the logic and figure out why.
A machine learning model, by contrast, may have millions of learned parameters derived from training data, producing outputs through relationships that are not easily readable by humans. The model works – or appears to work – but the mechanism by which it works is opaque. This is what's often called the "black box" problem, and it has real consequences for model risk management.
First, it makes validation harder. If you can't fully explain why a model produces a given output, it's genuinely difficult to test whether the logic underlying that output is sound or whether it's exploiting a spurious correlation in the training data that won't hold in new conditions. A model that learned to deny credit applications based on a proxy variable correlated with race – not race itself, but something like zip code or browser type that correlates with it – can discriminate without any explicit discriminatory rule embedded in it. This has already happened in documented cases in consumer lending.
Second, it makes failure modes less predictable. Traditional models fail in understandable ways when their assumptions are violated. AI models can fail suddenly and severely when they encounter conditions meaningfully different from their training data – a phenomenon called distribution shift. A credit risk model trained primarily on data from a low-interest-rate environment may perform poorly when rates change significantly, not because anyone made an error, but because the patterns it learned no longer reliably predict the thing it was trained to predict.
Third, the speed and scale of AI-driven decisions amplifies errors. A flawed traditional model might inform thousands of loan decisions per month. A flawed AI system in a high-frequency trading context might execute millions of decisions per day. When the model is wrong, it's wrong at scale before anyone has time to notice and intervene.
These aren't hypothetical concerns. Several high-profile cases illustrate what model risk looks like when AI is involved in financial decisions.
In 2019, Apple Card's credit algorithm came under scrutiny after reports that it was offering significantly lower credit limits to women than to men with similar or stronger financial profiles – including cases where married couples applying separately received different limits.
Goldman Sachs, which backed the card, faced regulatory inquiry. The algorithm itself wasn't examined publicly, but the pattern was consistent with a model trained on historical data that reflected past lending disparities, learning to reproduce them.
In algorithmic trading, the 2010 Flash Crash saw the Dow Jones Industrial Average drop nearly 1,000 points in minutes before recovering – a cascade partly driven by automated trading systems responding to each other's outputs in a feedback loop none of them were designed to handle. The models were individually functioning as designed; the systemic interaction between them was the failure.
More recently, AI-driven underwriting tools used in insurance have faced scrutiny for discriminatory pricing patterns in home and auto insurance, where models using non-traditional data inputs produced outputs that regulators found correlated with protected characteristics even absent explicit use of those variables.
If you're not a banker or a quant, you might reasonably wonder why model risk is your problem. The answer is that you're on the receiving end of model-driven decisions far more often than you may realize.
Whether you're approved for a mortgage, what rate you receive, whether a job application is screened out by an automated system, whether a health insurance claim is flagged for review, whether your credit limit gets automatically cut during a market downturn – these decisions are increasingly made by or significantly influenced by AI models. When those models have problems, the consequences land on the people they're making decisions about.
There's also a systemic dimension. Financial institutions are deeply interconnected, and if multiple institutions are using models with similar flaws – trained on the same datasets, built on similar architectures, validated against similar benchmarks – correlated failures become possible. The 2008 crisis was partly a story of correlated model failures: many institutions had models that underestimated the same risks, which meant when those risks materialized, they materialized everywhere simultaneously.
Regulators globally have been working to extend model risk management frameworks to cover AI specifically, with varying degrees of urgency.
In the United States, the OCC, Federal Reserve, FDIC, NCUA, and CFPB issued joint guidance on model risk management for AI in 2023, reinforcing that existing model risk principles apply to machine learning models and emphasizing the need for explainability, ongoing monitoring, and bias testing. The CFPB has been particularly active on the consumer protection dimension, issuing guidance on adverse action notices – the explanations lenders are required to provide when they deny credit – and making clear that "the algorithm decided" is not an acceptable substitute for a genuine explanation.
The EU's AI Act, which entered into force in 2024, classifies AI systems used in credit scoring, insurance, and employment as high-risk, requiring conformity assessments, documentation, human oversight mechanisms, and transparency for affected individuals before deployment. This represents a more structural regulatory intervention than US guidance, though implementation is phased over several years.
For consumers specifically, the Fair Credit Reporting Act and Equal Credit Opportunity Act already provide rights around credit decisions – including the right to an explanation of adverse decisions and the right to dispute inaccurate information. These protections don't disappear when the decision is made by a model, though enforcing them against opaque AI systems remains a practical challenge.
For institutions using AI in financial decisions, model risk management means more than just testing a model before deployment. It means ongoing monitoring for performance degradation and distribution shift, regular bias audits against protected class proxies, documentation of training data sources and known limitations, clear escalation paths when a model behaves unexpectedly, and genuine human review capacity for consequential decisions – not rubber-stamp sign-off on model outputs.
For consumers, knowing your rights is the most practical starting point. If you're denied credit, insurance, or another financial product and believe the decision may have been model-driven and potentially biased, you have legal rights to an explanation and a dispute process. The CFPB and your state's financial regulator are the relevant places to direct complaints.
The broader awareness point is simply this: AI models in finance are not neutral or infallible. They reflect the data they were trained on, the assumptions baked into their design, and the conditions they were built to handle. Understanding that these systems have real failure modes – and that those failures affect real people and real money – is a useful frame for navigating an increasingly model-driven financial world.
Is model risk only a concern for large banks and institutions? No. Any financial institution using AI or algorithmic models – including fintech lenders, insurance companies, robo-advisors, and payment platforms – carries model risk. Smaller institutions may have less regulatory oversight around model validation, which in some cases makes the risk higher rather than lower.
What's the difference between model risk and regular financial risk? Regular financial risk is the risk of loss from market movements, credit defaults, or operational failures. Model risk is specifically the risk that a tool used to measure or manage those risks is itself flawed in a way that produces bad decisions. It's a meta-risk – a risk about how risk is being assessed.
How can I find out if an AI model was used in a financial decision about me? In the US, you have the right to request an explanation for adverse credit decisions under the Equal Credit Opportunity Act. Ask for the specific reasons in writing. If the explanation is vague or circular, you can file a complaint with the CFPB. For other financial decisions (insurance, employment screening), the rights vary by context and state.
Can AI models be biased even if the designers didn't intend bias? Yes. This is one of the well-documented challenges with machine learning. A model trained on historical data reflects historical patterns, including historical discriminatory practices. It can learn to reproduce those patterns through proxy variables without any explicit discriminatory instruction. This is why bias testing and ongoing auditing are part of responsible model risk management.
What is the "black box" problem and why does it matter? "Black box" refers to AI models whose internal decision-making process is not human-readable. It matters for model risk because if you can't explain why a model made a decision, you can't verify that the reasoning is sound, you can't catch discriminatory patterns through logic review, and you can't provide the legally required explanations to affected individuals. Regulators increasingly require explainability for AI used in high-stakes financial decisions.
Federal Reserve / OCC – SR 11-7 Supervisory Guidance on Model Risk Management: https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm
CFPB – Adverse Action and AI Credit Decisions Guidance: https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/
European Parliament – EU AI Act Overview (High-Risk AI Systems): https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence
SEC – Staff Bulletin on AI and Model Risk in Investment Contexts: https://www.sec.gov/investment/ai-use-in-investment-management
Bank for International Settlements – Machine Learning and Model Risk in Finance: https://www.bis.org/publ/work1063.htm
