The 5 Biggest Mistakes When Introducing AI in Regulated Industries

Regulated industries face particular pressure to adopt AI while remaining compliant. These five mistakes come up time and again.

Banks use AI for credit assessments. Insurers for claims review. Law firms for legal research. Fiduciaries for tax advisory. Introducing AI in regulated industries is no longer a trend; it is everyday reality.

But introducing AI under regulatory frameworks (FINMA, FADP, EU AI Act, BGFA) follows different rules than in unregulated industries. Those who ignore these rules risk not just money, but professional licences, supervisory measures, and reputational damage.

These five mistakes come up in practice time and again.

Mistake 1: Introducing AI Without Knowing Where AI Is Already in Use

The most common mistake is also the most fundamental. Many companies begin evaluating a new AI tool without knowing which AI systems are already in use.

The reality: employees use ChatGPT on company devices. The CRM has integrated lead scoring. The document management system classifies files automatically. The customer service chatbot on the website is an AI system. The marketing team uses a content creation tool.

Without a complete AI inventory, the foundation for every further measure is missing. FINMA Guidance 08/2024 explicitly requires this inventory. The EU AI Act presupposes it. And the FADP requires a register of processing activities (Art. 12) that must include AI-powered processing.

Better: Create an AI inventory before evaluating a new system. Ask every department: “Which tools do you use that generate automated recommendations, assessments, or decisions?” The result will surprise you.

Mistake 2: Choosing the Provider Before Defining Compliance Requirements

Technical evaluation before regulatory analysis is the natural order in unregulated industries. In regulated industries, it is the wrong one.

Those who first choose the tool and then check compliance face a problem when the chosen tool does not meet the requirements. The provider is US-based, but FINMA requires data localisation. The model is a black box, but the EU AI Act requires explainability. Data flows to third parties, but the DPA process is not complete.

Reverse the order: Define the regulatory requirements first. For a Swiss financial institution: FINMA outsourcing circular, FADP (especially Art. 16-17 on cross-border data disclosure), EU AI Act (if EU customers are affected), internal IT security policies. Then evaluate providers against these requirements. The best algorithm is useless if it fails compliance.

Mistake 3: No Distinction Between “AI-Supported” and “AI-Decisive”

Not every AI system has the same risk profile. An AI that sorts documents is something different from an AI that evaluates credit applications. Both are AI systems. But the regulatory requirements are fundamentally different.

The EU AI Act makes this distinction law: high-risk AI systems (those that influence decisions about credit granting, insurance premiums, employment relationships, or legal matters) must fulfil extensive requirements. Systems with minimal risk (document sorting, translation, summarisation) are subject to fewer or no specific obligations.

In practice: Classify every AI system by risk. Ask: “Does this system influence a decision that affects a person’s rights or interests?” If yes: high-risk. If no: lower risk. The compliance investment must be proportional to the risk. Treating everything equally wastes resources. Classifying nothing is an audit finding.

Mistake 4: Ignoring Hallucinations Because the Tool Is “Usually Right”

Language models hallucinate. They generate content that sounds plausible but is factually wrong. In unregulated industries, this is annoying. In regulated industries, it is dangerous.

A lawyer who cites a fabricated judgment risks disciplinary action. This has already happened multiple times in the US. A compliance officer who submits an AI-generated regulatory report with false article references risks FINMA supervisory measures. A fiduciary who gives incorrect tax advice based on an AI output is personally liable.

“Usually right” is not good enough in regulated industries. The standard is: “Verifiably correct, every time.”

Minimum standard: Demand source references. Every AI-generated answer must trace back to a verifiable source: a legislative article, a court decision, a circular. If the tool does not cite sources, it is not suitable for professional work in regulated industries. Period.

Additionally: establish a review process. No AI output leaves the organisation without a qualified person having reviewed it. This is not a weakness of AI. It is the professional standard.

Mistake 5: Treating Data Protection as an Afterthought

“We will sort out data protection later.” This sentence comes up in almost every evaluation project. And it almost always leads to problems.

Data protection is not a feature you bolt on after the fact. It is a fundamental condition. The FADP requires Privacy by Design (Art. 7): processing must be designed from the outset to comply with data protection principles. Not “from the outset, once we get around to it.” From the outset.

In practice, this means: before employees enter a query into an AI tool for the first time, the following questions must be answered:

  • Where does the input data flow?
  • Is it used for model training?
  • Who has access to the inputs and outputs?
  • Where are they stored and for how long?
  • Has a data processing agreement (Art. 9 FADP) been concluded?
  • Does a cross-border data disclosure take place (Art. 16-17 FADP)?

From day one: Integrate the data protection review into the evaluation process from the start. Not as an obstacle, but as a quality criterion. A provider that cannot clearly answer these questions is not ready for regulated industries.

Conclusion

Introducing AI in regulated industries is not a technology project. It is a governance project with a technology component. The technology is the easy part. Compliance, processes, and accountability are the hard part.

Companies that avoid these five mistakes save not just costs and risks. They also build the trust of their customers and supervisory authorities that, in regulated industries, is the real currency.

Further information: montvirtua.com

This article is for general information purposes and does not constitute legal advice.