A striking paradox has emerged from ComplyAdvantage’s annual compliance survey: whilst 94% of compliance leaders believe existing and upcoming AI regulations will prove effective, and 98% report some form of AI oversight already in place, fewer than three in five describe their programmes as fully mature. That gap — between confidence in the rules and readiness to demonstrate compliance — is precisely where regulators are now looking.
According to ComplyAdvantage, the stakes have sharpened considerably. As US anti-money laundering (AML) reform shifts towards outcome-based regulation, and as agentic AI pushes decision-making further from direct human review, “the model decided” has ceased to be an acceptable explanation.
Compliance officers must now be able to articulate, in plain language, how a decision was reached, whether it can be reproduced, and who bears accountability for it.
At ComplyAdvantage’s North American Future of Compliance summit, three senior practitioners joined the firm’s global head of FCC strategy, Andrew Davies, to examine what that standard demands in practice.
The panel brought together Glenna Smith, CEO and founder of Smith Compliance Consultants, with 38 years of financial services experience; Christina Rea-Baxter, founder of Raycor Consulting and a fractional chief compliance officer who has developed AIRE, an AI risk and explainability framework; and Claude Baksh, co-founder and president of Grace CSI, who has spent more than two decades advising regulated firms on the boundary between innovation and regulation.
A patchwork of rules pointing in one direction
There is no single codified standard for AI explainability in US financial services. What exists instead is an accumulating body of guidance: traditional model risk management frameworks such as SR 11-7 and the updated SR 26-2, commentary from the Office of the Comptroller of the Currency confirming that existing banking guidance extends to AI, Colorado’s AI Act at state level, and international reference points including the EU AI Act, FATF guidance, and Singapore’s regulatory approach.
Taken together, these frameworks converge on a shared question: not whether the technology functions as advertised, but whether the institution retains meaningful oversight of the decisions it delegates to automated systems. That distinction shifts the burden from the vendor — who can speak to technical capability — to the regulated firm, which must demonstrate governance.
Examiners are unlikely to ask a compliance officer to explain algorithmic parameters. They will ask about control logic, data flows, the audit trail, version history, and accountability ownership. The artefacts that survive an examination are documentation, version control, and clearly assigned responsibility.
What examiners are actually testing
The panel was direct that demonstrating outputs alone no longer satisfies regulatory scrutiny. Smith Compliance Consultants CEO and founder Glenna Smith said, “Just showing the output, just showing the decision, is no longer enough. The regulators want regulated entities to be able to explain how the AI tool reached that decision. Is it repeatable? Is it consistent?”
That standard operates in both directions. Examiners will ask why a particular customer received an elevated risk rating, but equally why a transaction was not flagged, why an alert did not convert into a suspicious activity report, and why a given customer was onboarded. Explainability must account for the negative space — the decisions not to act — as much as the positive outcomes.
There is also an audience dimension. Regulators, analysts acting on AI-prioritised alerts, and board-level governance each require the same underlying decision to be expressed in language appropriate to their role. Compliance functions must be capable of translating technical decisioning across all three.
Documentation as the foundation of defensibility
If explainability is the standard, documentation built at the point of decision — not retrofitted ahead of an examination — is the foundation. The panel outlined a defensibility checklist they consider non-negotiable for any AI system feeding regulated outcomes.
It includes a model and data state record capturing which version, parameters, and data sources were active at the moment of each decision; a plain-language narrative explaining the what and the why; a counterfactual analysis addressing why the model did not act on adjacent cases; a fairness snapshot evidencing consistent outcomes across protected attributes; and an immutable audit log providing a tamper-resistant record of the agent’s actions and the data state at decision time.
Grace CSI co-founder and president Claude Baksh said, “You cannot outsource explainability to your vendor. You as the compliance officer, you own that. You need to look for immutable audit logs that capture not just what the agent did, but the exact state of the data and the rule or model version it was running at the moment of the decision.”
That ownership principle is, the panel noted, the requirement most often overlooked in vendor relationships.
Evaluating vendors against a higher bar
Almost every compliance vendor now markets AI capability, but the panel cautioned that polished demonstrations are insufficient evidence of what a system can deliver under regulatory scrutiny. Raycor Consulting founder Christina Rea-Baxter said, “Show me a real decision path, not just your sandbox demo. Pick one alert, one risk score, one automated action. Show me exactly what data went in, what models or rules were active at that time, and how we could reproduce that decision during an exam.”
The practical evaluation framework that follows includes decision lineage and version control — specifically whether the vendor can reconstruct, on demand, every input, model version, and output behind a historical decision. It also covers override tracking, to confirm that human reviewer interventions are captured and attributable; human-in-the-loop evidence documenting the handoff between automated and human decisioning; and integration with existing model risk and third-party risk frameworks, rather than parallel governance structures.
Red flags follow a recognisable pattern: vendors who respond to specific data questions with general capability claims, who resist testing against the buyer’s actual data, or who cannot reproduce a past decision on request. Smith’s practical countermeasure — maintaining a working list of named entities the institution expects to match or not match in screening, then testing any prospective vendor against that list — mirrors the approach the UK’s Financial Conduct Authority has applied to sanctions screening accuracy at industry level.
The case for building defensibility in from the start
ComplyAdvantage global head of FCC strategy Andrew Davies said, “I remember in math class as a kid, you’d write the answer down, but if you didn’t show your working, you didn’t get the marks. That’s what we’re reinventing here with explainability. Show me how you got to this decision.”
The panel rejected the framing of governance and explainability as a tax on innovation. Firms with mature decision lineage and embedded governance present demonstrably differently in regulatory and banking-partner reviews from those reverse-engineering their AI after the fact. They also move faster, because the architecture is already defensible.
For compliance leaders mapping the next 12 to 24 months, the panel identified three priorities: treating explainability as a first-class feature built into vendor selection and internal models from the outset; mapping internal governance frameworks to the full patchwork of SR 11-7, SR 26-2, OCC guidance, state legislation, and international references; and owning the explainability outcome alongside vendors rather than in spite of them.
The compliance officer remains accountable to the regulator. That accountability cannot be delegated, however capable the underlying technology.
The infrastructure to support explainable, regulator-ready AI already exists. The question is whether compliance leaders design for defensibility from the start, or are compelled to reconstruct it under examination pressure.
Copyright © 2026 RegTech Analyst