BankThink

Why do US bankers want more AI regulation than Europeans?

  • Key insight: In the U.S., bankers are used to prescriptive rulemaking, and without it they seem uncertain about how to move forward with AI. Europe tried writing prescriptive AI rules, and they were a disaster. Now nobody knows how to move forward.
  • Expert quote: In December, the U.K.'s FCA Chief Executive Nikhil Rathi declined to create new AI-specific rules, calling AI a technology where "the frontier is moving every three to six months."
  • Forward look: The answer is neither an innovation-led approach nor a regulation-first
    model but a fundamentally different relationship between regulator and regulated, one that is continuous, adaptive and built for the speed of AI rather than the speed of legislation.

Ask a room full of North American financial crime professionals how to manage AI risk, and many of them will tell you what you'd least expect: They want more regulation. I was shocked when a recent survey of 600 senior compliance leaders across three regions found that nearly a quarter want regulation to come first, with innovation developing inside predefined guardrails. Their European counterparts, living under the most prescriptive AI regulatory framework on the planet, are more likely to say that innovation should be allowed to lead the way.

Processing Content

The gap is narrow, but the reversal is the story. The continent that produced the EU AI Act is favoring regulatory restraint; the home of Silicon Valley is showing a measurable appetite for Washington to write the rules first. That appetite has roots in both traditions, and both are now hitting their limits. The deeper question is whether AI demands a fundamentally different relationship between regulator and regulated. And if so, what that relationship looks like.

In 2011, U.S. federal regulators issued SR 11-7 — a set of rules that told banks exactly how to govern the AI models they use in fraud detection and compliance. It became the global gold standard for model risk management and went untouched for 15 years. And SR 11-7 isn't an outlier. American financial regulation has a tradition of being rules-based rather than principles-based — designed to spell out requirements and tell firms exactly what to do. 

Decades of this type of regulatory stability left the U.S. financial sector with a deeply held conviction: When the next big technological shift arrives, Washington will figure it out.

Yet that long-trusted regime may now be in retreat. When regulators finally revised SR 11-7 in April 2026, they explicitly excluded generative and agentic AI from its scope. As Fortune recently reported, there is still no comprehensive federal AI law on the books, and the path to one remains uncertain. The current administration has revoked existing AI safety frameworks and is actively challenging national or state AI regulation. The framework that U.S. financial professionals are counting on may, in fact, never coalesce. But either way, AI isn't standing around and waiting for it.

Europe built its regulatory reputation on a different philosophy than the U.S. Whereas the American tradition is to write rigid rules, European regulators have traditionally favored a principles- and risk-based approach — the idea that not every product or market carries the same risk, so oversight should be scaled accordingly.

The EU AI Act threw that philosophy out the window. It tried to pin down a technology that moves faster than any legislature can keep up with. And the results have not been encouraging. The European Commission missed its own deadlines for providing guidance on high-risk AI systems. The standards bodies tasked with developing technical requirements missed theirs too. Enforcement of the high-risk provisions has been pushed back 16 months to December 2027, and executives from ASML, Airbus, Ericsson, Nokia, SAP, Siemens, and Mistral AI have publicly warned the EU is regulating itself out of the global AI race.

The U.S. and Europe adopted opposite regulatory approaches to AI yet ended up in the same place. U.S. businesses trusted the rules-based playbook then discovered that regulators decided to essentially eschew generative AI regulations. The EU abandoned its flexible regulatory tradition to write a prescriptive AI rulebook, then watched as it fell behind before it even took effect.

The U.K.'s Financial Conduct Authority, or FCA, may be the first major regulator to say openly that the traditional approach is broken. In December, FCA Chief Executive Nikhil Rathi declined to create new AI-specific rules, calling AI a technology where "the frontier is moving every three to six months." In remarks at the 2025 Financial Times Global Banking Summit, he went further, noting that "there needs to be a different relationship between regulator and regulated."

Having worked inside the FCA, I read those remarks as a sharper signal than they may first appear. Rathi isn't proposing a refinement of the existing supervisory model. He's saying the model itself doesn't fit the technology. The old cycle of write, comply, update, repeat simply doesn't work at the speed of AI. 

The real takeaway from the survey is that models of regulation, not just regulations themselves, need to change for AI.

The North American compliance leaders asking for more regulation are drawing on a rich regulatory tradition — yet one that cannot be applied to technology that reinvents itself in months. The European respondents who lean toward innovation have already experienced the pitfalls of over-specificity in a technology and regulatory greenfield.

An unpatched vulnerability in Anthropic's Model Context Protocol creates a channel for attackers, forcing banks to manage the third-party security risk.

April 21
Anthropic Model Scare Sparks Urgent Bessent, Powell Warning To Bank CEOs

The answer is neither an innovation-led approach nor a regulation-first model but a fundamentally different relationship between regulator and regulated, one that is continuous, adaptive and built for the speed of AI rather than the speed of legislation.

No major jurisdiction has fully defined what that looks like for now — the EU's AI Act was Europe's attempt to be a trailblazer in this area, but they ended up needing to backtrack on the scope of the legislation. Rathi has not indicated that the FCA is moving in that direction yet. However, I expect to see some consultations in the second half of 2026 that moves the industry toward this new model. 

For now, the smart move is for banks to use AI where it makes sense to do so — namely, to augment the process of detecting financial crime and reduce the high-volume noise that often swallows the most meaningful signals during the detection process. What regulators will want to see is that banks have a strong documented rationale for their AI use cases, and can demonstrate that they have the means to regularly check if it performs as intended — exactly what banks should be doing with any form of control framework.

Rathi has hit upon the honest reality: None of us truly knows how much or how quickly AI is going to develop over the coming years. That's why now is the time to test out hypotheses and engage with regulators. To quote the great technology pioneer Alan Kay: "The best way to predict the future is to invent it."


For reprint and licensing requests for this article, click here.
Regulation and compliance Artificial Intelligence Risk
MORE FROM AMERICAN BANKER
Load More