The launch of the Common Controls for AI (CC4AI) Services initiative is a pivotal moment for the finance sector because it unites financial institutions, cloud providers and technology vendors in setting open, tech-agnostic standards for the governance of artificial intelligence.
Open-source collaboration on shared, peer-reviewed and machine-readable controls will make it easier for financial institutions to demonstrate compliance and for regulators to oversee and enforce it.
The problem has been that financial firms are developing AI risk management strategies in isolation, and those strategies often wind up being similar. This results in duplication of effort, and in fragmentation where approaches differ.
“As artificial intelligence becomes increasingly embedded in financial operations, it became clear that proprietary, firm-specific controls were not enough to ensure safe, consistent and compliant adoption across the sector,” says Gabriele Columbro, executive director of the Fintech Open Source Foundation (FINOS), which is spearheading the CC4AI effort.
CC4AI Will Lay the Foundation for Scalable AI in Finance
CC4AI controls will be auditable, laying the foundation for responsible adoption of scalable AI by financial institutions. The controls will also be interoperable across multiple cloud and hybrid IT environments.
No longer will institutions need to rebuild compliance frameworks for each new AI deployment or provider; instead, they can use CC4AI standards that will embed compliance directly into systems. That means faster, safer AI adoption and improved regulator visibility into governance across the industry.
“It’s never been more important for financial institutions to embrace collaborative solutions that allow us to harness the full potential of AI in a safe, secure and innovative way,” said Kristin Milchanowski, chief AI and data officer at BMO, in a statement.
Common AI Controls Financial Institutions Need
The most important CC4AI controls for financial institutions will be those addressing AI’s core operational, security and regulatory risks, Columbro says.
FINOS developed its AI Governance Framework with financial institutions in 2024, and it focuses on several areas enabling responsible AI deployment:
- Identity and access management: Ensuring access to AI systems, data and models is appropriately controlled, monitored and limited to authorized users
- Data protection: Safeguarding sensitive and regulated data used in AI processes with encryption, retention and privacy compliance
- AI governance and oversight: Structuring processes for managing the development, training and deployment of AI models within approved risk and regulatory boundaries
- Transparency and auditability: Embedding mechanisms for real-time validation and evidence generation, also known as Regulation as Code, enabling clear accountability
- Cyber and operational resilience: Reinforcing safeguards against threats, misconfigurations and dependencies across cloud environments to ensure service continuity
CC4AI will be built on this framework and the FINOS Common Cloud Controls (CCC), which were originally contributed by Citi in 2023 and cover major cloud providers Amazon Web Services (AWS), Microsoft Azure and Google Cloud.
“With AI typically being deployed on the cloud, it was critical for the security of such a highly regulated industry that we adapted CCC accordingly,” said Colin Eberhardt, CTO at Scott Logic, in a statement.
A New Level of Alignment on Modern Financial AI Systems
CC4AI represents a new level of alignment across the global financial and technology ecosystem, with leading financial institutions BMO, Citi, Morgan Stanley and RBC working alongside major tech and cloud providers Microsoft, Google Cloud, AWS and Red Hat. These companies are supported by contributors and integrators such as Sonatype, ControlPlane, Scott Logic and Tetrate.
Together these partners represent the full value chain, ensuring that CC4AI will reflect both the regulatory obligations of the finance sector and the technical realities of modern AI systems, Columbro says.
“Shared, open standards for AI governance are essential to ensuring that AI contributes to the overall stability of the financial system,” said Richard Harmon, vice president and global head of financial services at Red Hat, in a statement.