AI Compliance: Who's Liable for Non-Compliant AI Decisions?

A critical question is emerging for financial institutions using AI for customer outreach: who is legally responsible when an AI system makes a non-compliant contact decision? On the surface, it might seem the institution is responsible. However, the complex nature of modern AI decisions, involving multiple vendors, training data, and configurations, makes accountability far more complicated. Regulators have not yet provided a clear framework for this issue. In traditional outreach, compliance rules are explicit and auditable. An investigation can trace back to where a rule failed. But with AI, a model makes decisions based on learned patterns. It might optimize for engagement without fully considering compliance risks. The resulting violation isn't from a failed explicit rule. It's from a model's inference, which no human explicitly programmed or fully anticipated. The audit trail for these AI-driven violations is distributed across complex, non-human-readable data. What's more, most financial institutions use AI platforms from technology vendors, adding another layer of complexity to accountability. This matters because it creates a significant legal and regulatory gray area for financial institutions using AI.