AI Regulation and Compliance for Finance and Accounting: A Practical Playbook

AI tools can draft a variance analysis, summarize a 200-page filing, or reconcile a messy ledger in seconds. The problem is not whether they are useful in finance and accounting. The problem is that finance is one of the most heavily regulated fields on earth, and most AI guidance ignores that completely. A prompt that saves you an hour can also leak client data, break a confidentiality duty, or undermine an audit control if you run it carelessly.
This is a practical playbook, not an ethics essay and not a course roundup. It explains the regulations that actually touch your AI use, gives you concrete workflows for what you can and cannot put into a chatbot, and ends with a checklist you can apply tomorrow. If you want the broader philosophical background, see our companion piece on the ethics of artificial intelligence. If you want ready-to-use prompts once your guardrails are in place, pair this with ChatGPT for financial analysis: 15 prompts.
Why finance is different
In most jobs, the worst case for a sloppy AI prompt is an embarrassing draft. In finance and accounting, the worst case is a regulatory finding, a breach notification, a lost client, or personal liability. Three things make this field unusual:
- The data is sensitive by default. Client identities, account balances, transactions, and forecasts are confidential, and some of it is legally protected personal data or material non-public information.
- The outputs feed decisions and filings. A number you generate can end up in a financial statement, a loan decision, or advice a client relies on.
- Someone is accountable. Regulators expect a named human to own each control, figure, and recommendation. "The model produced it" is not a defense.
None of this means you should avoid AI. It means you treat AI like any other powerful tool in a regulated environment: with controls, review, and a paper trail.
The regulations that touch your AI use
You do not need to become a lawyer. You do need to recognize which rules are in play so you know when to slow down. Here are the five that come up most often, in plain terms.
SOX (Sarbanes-Oxley Act)
Who it affects: Anyone involved in financial reporting at US public companies and their auditors.
What it means for AI: SOX is about the integrity of financial reporting and the internal controls behind it. If AI touches a number that flows into a financial statement, that use sits inside your control environment. You need to be able to show the figure was reviewed, the process was repeatable, and there is evidence of who checked it. An unreviewed AI calculation dropped straight into a report is a control gap waiting to be found.
GLBA (Gramm-Leach-Bliley Act)
Who it affects: US financial institutions handling customer financial information.
What it means for AI: GLBA and its Safeguards Rule require you to protect nonpublic personal information. When you paste a customer's data into an outside AI tool, you have potentially sent protected information to a third party. To stay inside the rules you need to know what data enters the tool, where it goes afterward including any cloud or vendor processing, how long it is retained, and whether that vendor is covered by your firm's vendor-management and security controls.
GDPR (General Data Protection Regulation)
Who it affects: Anyone handling the personal data of people in the EU and UK, regardless of where you sit.
What it means for AI: GDPR limits how personal data is processed, requires a lawful basis, and gives individuals rights over their data. Feeding a client's personal details into an AI tool is processing. Watch for data residency (where the servers are), whether the data could be used to train a model, and whether you can honor deletion requests. Anonymizing before you prompt removes most of the risk.
MiFID II
Who it affects: Investment firms operating in the EU, especially those doing algorithmic trading.
What it means for AI: MiFID II does not name AI directly, but European regulators have made clear that firms must account for AI's role in trading algorithms through governance, pre-trade controls, stress testing, and annual self-assessments. If you use AI in anything touching trade execution or investment advice, it needs to sit inside your existing oversight framework rather than running as an unmonitored side process.
The EU AI Act
Who it affects: Organizations deploying AI systems in the EU, with obligations scaled to risk.
What it means for AI: The Act sorts AI uses into risk tiers. Many everyday finance uses, such as drafting or summarizing, fall into lighter transparency categories. But some finance uses, notably credit scoring and creditworthiness assessment, are classified as higher-risk and carry obligations like risk management, data governance, logging, documentation, and human oversight. One caution: the timeline has shifted. Some higher-risk obligations that were expected in August 2026 have been proposed for later dates under a recent simplification agreement, and those changes only bind once formally adopted. Treat specific dates as provisional and confirm the current position before you rely on it.
What you can and cannot put into an AI tool
This is the question finance professionals actually ask, so here is a direct answer. The table below assumes a consumer chatbot. The rules loosen if your firm has approved an enterprise tier with a data processing agreement and a no-training guarantee, but you still apply judgment.
| Data type | Safe to paste? | What to do instead |
|---|---|---|
| Client names, account numbers, personal IDs | No | Anonymize or use placeholders before prompting |
| Material non-public information (MNPI) | No | Never paste; this can also be a securities-law issue |
| Identifiable client financials | No | Strip identifiers, or use an approved enterprise tool with a DPA |
| Audit evidence and working papers | Caution | Only in approved tools; keep the source of record in your audit system |
| Public filings (10-K, annual reports) | Yes | Already public, safe to summarize and analyze |
| Generic templates and formulas | Yes | No sensitive data involved |
| Anonymized or synthetic numbers | Yes | Ideal for testing prompts and building workflows |
A simple rule covers most situations: if the text would be a problem in an email to a stranger, it is a problem in a prompt. AI tools are external systems unless your firm has explicitly made them internal.
The anonymize-first workflow
Most of the value of AI in finance comes from structure and reasoning, not from the specific identities involved. So separate them. Replace "Acme Corp, account 4471, balance 2.3M" with "Client A, balance 2.3M" before you prompt. Do the analysis on the anonymized version, then map the results back yourself. You keep the speed and lose the exposure.
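As an added illustration of that workflow (example code written for this playbook, not taken from the article or any firm's tooling), here is a small Python pseudonymizer: it swaps known client names for "Client A"-style placeholders, drops account numbers, keeps the name-to-placeholder map on your own machine, checks a prompt for leftover identifiers before it leaves the firm, and maps the model's answer back afterwards. The client list and the sample text are constructed.

```python
import re
from dataclasses import dataclass, field

# Account references such as "account 4471", "acct. #4471", "account number 4471".
ACCOUNT_RE = re.compile(
    r"\b(?:account(?:\s+(?:no\.?|number))?|acct\.?)\s*#?\s*\d{4,}", re.IGNORECASE
)


def _label(n: int) -> str:
    """0 -> 'Client A', 25 -> 'Client Z', 26 -> 'Client AA' (spreadsheet-style)."""
    s, n = "", n + 1
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(65 + r) + s
    return "Client " + s


@dataclass
class Pseudonymizer:
    """Swaps known client names for placeholders; the mapping never leaves this process."""
    clients: list                                  # constructed list of client names
    mapping: dict = field(default_factory=dict)    # real name -> placeholder, kept local

    def anonymize(self, text: str) -> str:
        # Account numbers are dropped outright; the analysis does not need them.
        text = ACCOUNT_RE.sub("", text)
        # Longest names first so "Acme Corp Holdings" is not half-replaced as "Acme Corp".
        for name in sorted(self.clients, key=len, reverse=True):
            if name in text:
                self.mapping.setdefault(name, _label(len(self.mapping)))
                text = text.replace(name, self.mapping[name])
        text = re.sub(r",\s*,", ",", text)         # tidy the ", ," left by a removal
        return text.strip(" ,")

    def reidentify(self, text: str) -> str:
        # Map the model's answer back; longest placeholder first so "Client AA" survives.
        for name, label in sorted(self.mapping.items(), key=lambda kv: -len(kv[1])):
            text = text.replace(label, name)
        return text

    def leaks(self, text: str) -> list:
        """Identifiers still present: run this on the prompt before it leaves the firm."""
        found = [name for name in self.clients if name in text]
        found += [m.group(0) for m in ACCOUNT_RE.finditer(text)]
        return found
```

Run `leaks()` on the final prompt and refuse to send if it returns anything; the mapping dictionary is the only thing that ties "Client A" back to a real client, so it stays in your working papers, not in the chat.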
Five compliance workflows you can adopt
Regulations tell you what to achieve. Workflows tell you how. These five turn the rules above into daily habits.
1. Classify before you prompt
Before pasting anything, ask one question: is this public, internal, or confidential? Public data is fair game. Internal data needs an approved tool. Confidential data, especially personal data or MNPI, gets anonymized or stays out entirely. This three-second check prevents most incidents.
2. Keep a human in the loop
Treat every AI output as a first draft from a fast but unreliable junior. A qualified person reviews and owns any figure, reconciliation, or client-facing text. This is not optional politeness; it is how you stay compliant with reporting controls and professional duties. The reviewer, not the model, is accountable.
3. Build an audit trail
For work that matters, record three things: which tool you used, what you put in (at a category level, not the raw confidential data), and who reviewed the output. A short note in your working papers is enough. If a regulator or partner asks how a number was produced, you can answer. No trail means no defense.
4. Mind data residency and retention
Know where your AI vendor stores and processes data, and whether your inputs could train future models. For EU client data, residency and training settings can be the difference between compliant and not. Favor tools with clear no-training options and documented data handling, and turn off chat history retention for sensitive work where the tool allows it.
5. Apply basic model risk management
Borrow a habit from banking: do not trust a model you have not tested. Before you rely on an AI workflow for recurring work, run it against cases where you already know the answer. Watch for confident errors, check the math independently, and note the tool's limits. Re-test when the model is updated, because behavior can change between versions.
A do and don't quick reference
| Do | Don't |
|---|---|
| Anonymize client data before prompting | Paste names, account numbers, or MNPI |
| Use firm-approved tools with a data agreement | Use a personal account for client work |
| Review and sign off on every AI output | Copy a figure straight into a report |
| Record tool, input category, and reviewer | Rely on memory for how a number was made |
| Confirm current regulatory dates | Assume a deadline you read last year still holds |
| Test workflows on known answers first | Trust a new model version without re-checking |
Your tomorrow-morning checklist
You do not need a compliance department to start. Run through this before your next AI-assisted task:
- Is this tool approved by my firm for the data I am about to use?
- Have I removed or anonymized client identifiers and any MNPI?
- Do I know where this vendor stores data and whether it trains on my inputs?
- Will a qualified human review the output before it is used?
- Have I noted which tool I used, the input category, and who reviewed it?
- For higher-risk uses like credit decisions, have I checked the current EU AI Act position?
If you can tick all six, you are using AI in a way you can defend.
Key takeaways
- Finance is regulated, so AI use needs controls, human review, and a paper trail, not a ban.
- Know the five rules in play: SOX, GLBA, GDPR, MiFID II, and the EU AI Act, each in plain terms.
- Never paste client identifiers or material non-public information into a consumer chatbot; anonymize first.
- Keep a human accountable for every AI output and record how each important number was produced.
- Regulatory timelines move, so confirm current dates rather than trusting last year's note.
Compliance is not the enemy of productivity here. It is what lets you keep the speed of AI without betting your license or your client relationships on it. Build the habits once and they fade into the background.
Want to go deeper on safe, practical AI for your role? Our free AI for Finance & Accounting course walks through real workflows, and Module 10 focuses on compliance and limitations. For a broader practical track, see the AI for Finance Professionals complete guide. Both are free, and both are built for people who want to apply AI inside the rules that govern their work.