AI as the Operating Layer: What It Takes to Run AI Inside Regulated Fintech

By Maxim Ivanchenko, CEO at Advapay | Published: 17 June 2026 | Strategy & Infrastructure | 7 min read

When we published our 2026 outlook last week, the first shift we named was the one most people were already talking about, and still getting wrong. AI in fintech is no longer a side tool bolted onto a process here and there. It is moving into the operating layer, where it touches decisions that regulators, auditors and your own risk committee will eventually ask you to defend. That is a different conversation from "we added a chatbot," and it deserves its own piece.

So this is the first of seven follow-ups, each taking one trend from that article and pushing past the headline into the part that actually keeps operators up at night. We are starting where the pressure is highest.

Fintech Trends 2026 - Deep-dive #1: AI as the operating layer inside regulated fintech.

01 - From efficiency story to control story

The Real Shift Is Not Adoption, It Is Placement

Almost every fintech is using AI now. That fact, on its own, tells you nothing. The question worth asking is where you are letting AI sit inside a real financial workflow, and what sits around it when it gets something wrong.

The honest list of where AI now lives is longer than most leadership decks admit: onboarding review, transaction-monitoring triage, reconciliation, fraud detection, case prioritization, document handling, internal QA, and a good slice of customer operations. The drivers are not mysterious. Margins are thinner, compliance headcount is expensive, and supervisors expect more monitoring than a manual team can realistically deliver. AI absorbs that load.

But here is the limit we keep running into with clients. In regulated finance, nobody serious wants an opaque model making or shaping a critical decision without auditability, escalation logic and a human who can be held responsible. The moment AI moves from drafting a reply to influencing whether an account is opened, a transaction is released, or a customer is offboarded, it stops being a productivity feature. It becomes part of your control environment - and your control environment is what you get examined on.

02 - The governance bill is coming due

Regulators Now Treat Some of This AI as High-Risk

This is no longer theoretical. Under the EU AI Act, AI systems used to assess the creditworthiness of individuals, or to price and assess risk in life and health insurance, are classified as high-risk. High-risk classification is not a label you frame on the wall. It pulls in obligations around risk management, data governance, logging, transparency, human oversight and post-market monitoring. If your lending decision quietly leans on a model, that model now lives inside a defined regulatory perimeter.

Sit this next to DORA, which already pushes operational resilience, ICT oversight and third-party risk into the core of how a financial firm is run. An AI capability you buy from a vendor is, by definition, a third-party dependency. So is the model API behind it. The supervisory direction is consistent: structured reporting, traceable decisions, and clear ownership of outsourced components.

There is a discipline that banks have used for years here, and fintech teams should borrow it early rather than rediscover it after an exam. The US Federal Reserve's model risk guidance, SR 11-7 - first issued in 2011 and refreshed in April 2026 as the interagency SR 26-2 - is old, but its core idea travels well: a model you rely on must be validated, monitored, documented, and owned by someone accountable. You do not need to be a US bank for that principle to apply to you. You need to be a firm whose decisions can be questioned, which is all of us.

The practical failure mode is worth naming, because we see it often. A team ships a model that works well in testing, it drifts quietly as customer behavior shifts, and nobody owns the job of noticing. There is no schedule for revalidation, no record of what the model saw when it made a given call, and no named person who can answer for it when an examiner asks. The technology was never the problem. The absence of an owner and an audit trail was.

03 - The uncomfortable second story

AI Is Arming the Other Side Too

The efficiency narrative has a twin that is far less comfortable to put in a board pack. The same tools making your operations cheaper are making attacks cheaper. Synthetic identities, voice clones and document forgeries that used to take skill and time are now close to commodity.

The numbers are sobering. Deloitte's Center for Financial Services projects that generative-AI-enabled fraud losses in the United States could reach around 40 billion dollars by 2027, up from roughly 12 billion in 2023. Whatever the precise figure turns out to be, the slope is the point. Your onboarding and authentication controls are now being tested by systems that learn faster than a manual fraud team can rewrite a rulebook.

This is why we keep telling founders that AI in fintech is a control-systems theme, not an efficiency theme. The defensive side has to be at least as well resourced as the side chasing cost savings, and it sits right on top of your AML and KYC tooling. If your fraud and onboarding controls are still mostly static rules, AI-assisted attackers will find the gaps long before your next audit does.

04 - What this means by business type

Different Operators, Different Exposure

The trend lands differently depending on what you run.

For payment institutions and EMIs, the pressure point is monitoring and onboarding at scale. AI can cut false positives and speed up case work, but only if the model's decisions are logged, explainable and reversible by a human. Buy or build with that requirement first, not last.

For digital banks and neobanks, the exposure widens to credit and risk decisions, which is exactly where the high-risk classification bites. If a model shapes who gets an account or a limit, treat it as a regulated component from day one.

For crypto businesses, VASPs and CASPs, AI shows up in chain analytics, transaction monitoring and fraud screening, against a threat surface that moves quickly. The governance bar is the same, even if the typical in-house compliance team is smaller.

For early-stage founders, the trap is treating AI as a feature you sprinkle on later. The firms that will struggle are the ones that wired AI into live decisions before they could explain, log or override it.

05 - The practical position

Put the Controls in Before the Cleverness

Our advice to clients is unglamorous and consistent. Decide where AI is allowed to sit, and write that down. Keep a human in the loop wherever a decision affects a customer's access to money or services. Log model inputs and outputs so a decision can be reconstructed months later. Know which third parties sit behind your AI, and treat them as the dependencies they are. And keep your defensive controls - fraud, onboarding, monitoring - ahead of the attackers, not in catch-up.

None of this requires exotic technology. It requires a platform where onboarding, AML and KYC, monitoring and reporting already sit together with the audit trail attached. That is the unglamorous foundation that makes AI safe to use, rather than a liability waiting for an examiner. Advapay's Macrobank core banking platform is built to be exactly that - what turns "we use AI" into "we can show exactly how, and prove it held." Whether you build it, license it, or run it as a service through banking-as-a-service infrastructure, the control layer is the part that cannot be an afterthought.

Final thought

The headline - AI is moving into the operating layer - is true, and by now almost boring. The operating consequence is the part that separates firms that scale from firms that get a hard letter from a supervisor. AI does not lower your accountability for a decision; it concentrates it. The teams that win in 2026 are not the ones using the most AI. They are the ones who can explain, audit and override every place they let it touch the money. Build the controls first. The cleverness is cheap by comparison.

This is the first in a seven-part series expanding on our 2026 fintech trends. If you are weighing how to put AI inside a regulated stack without losing the audit trail, talk to our team - we have done it across 100+ licensing and platform builds.

Maxim Ivanchenko

CEO, Advapay

Maxim Ivanchenko is the founder and Chief Executive Officer of Advapay. Since founding the business in the early 2000s, he has grown Advapay into a team of more than 50 people across three continents, supporting EMIs, payment institutions, neobanks and crypto businesses across the EU, Canada and the Middle East.

Maxim speaks regularly on core banking technology, fintech infrastructure, and the evolution of European payments regulation. He is based in Belgrade, Serbia.
