Three weeks into your AI mandate, someone sends over the website copy for approval. The line reads, “Our investment process is powered by AI.” Your instinct is to approve it. It sounds credible. The board wants the firm to look advanced. But if that line describes a tool that processes data for reporting rather than driving the investment decisions, you have a problem. The issue has a name, a regulator attached to it, and a paper trail that starts with whoever signs it off.
What is AI washing?
AI washing is the practice of claiming AI capabilities that a product or service cannot substantiate to a regulatory standard. The term mirrors greenwashing, where environmental claims exceed the evidence. In financial services, it typically takes one of two forms. The first is vague language that implies more than the technology delivers, such as “AI-powered insights”. The second is a direct performance claim about AI-driven outcomes that the firm cannot evidence.
The gap between description and claim is where enforcement attention lands. A claim that the firm uses AI to monitor portfolios is descriptive and verifiable. A claim that AI-driven analysis produces superior returns is a performance assertion. The distinction seems minor until a regulator asks you to prove the second one. At that point, the copy you signed off becomes the document under review.
Why does this create an enforcement problem specifically?
Because in financial services, the regulator has already acted. The US Securities and Exchange Commission charged Delphia USA Inc. and Global Predictions, Inc. in 2024 after finding both firms made unsubstantiated claims about their AI-driven investment capabilities. Neither firm had to cause customer harm to attract enforcement. The false claim was sufficient. A delegate who drafts the line that cannot be backed up is the person in front of the regulator.
The legal route the SEC used in both cases was Section 10(b) and Rule 10b-5, which prohibit material misstatements in connection with securities transactions. The New York State Bar Association’s analysis of these cases argues that the SEC is well-positioned to apply this provision aggressively, because AI claims are increasingly decision-relevant for investors. When a client allocates capital on the basis that a firm uses AI to generate alpha, a false capability claim is not a marketing error. It affects an investment decision.
In the UK, the FCA has stated it is building capability to identify key risks earlier, including using AI to review documents and accelerate regulatory decisions. A monitoring function that can process external AI claims automatically operates differently from one that depends on manual spot checks. Firms making capability claims they cannot substantiate are more visible to the regulator than they may assume. The financial sector also sits under the Consumer Duty obligation, which places heightened expectations around accuracy in communications with retail clients.
Where does the claim show up in your materials?
The three places where AI washing lives in a financial services firm’s communications are the marketing website, the board deck, and client-facing literature. Each carries different exposure. Website copy reaches the regulator’s monitoring function as readily as it reaches prospects. Board materials appear in due diligence and in post-event investigations. Client materials go out under the firm’s regulatory permissions and can trigger formal complaints.
The board deck deserves particular attention. A delegate preparing the AI section for an annual board review is usually writing for two audiences simultaneously. One is the board itself. The other is whoever reads those materials later. A prospective acquirer, an investor conducting diligence, or a regulator following up on a complaint all have access to board-level documents. Claims that feel informal in a verbal briefing become fixed statements on paper.
The useful distinction to apply to each document is between function and outcome. “Our AI system flags unusual transaction patterns for compliance review” describes a function. “Our AI-driven compliance monitoring reduces regulatory breach risk” claims a result. The first is defensible if the system actually does that. The second needs data from your actual deployment to stand behind it.
When do you need to substantiate a claim?
Every external claim about AI capability needs a document behind it before it ships. That document does not need to be a formal research report. It needs to answer three questions. What does the AI tool actually do in this deployment? How was it tested under realistic conditions? What is the evidence for the outcome claimed? Without clear answers to all three, the claim is a liability rather than a selling point.
The most practical way to hold this standard is to run claims through a short register before they go out. The register records the claim, the evidence that supports it, who holds accountability for that evidence, and when it was last reviewed. It does not need to be elaborate. What it cannot be is absent.
Pilot results are worth treating separately from deployed performance. A capability that worked in a three-month test on historical data is different from one running at scale across live client portfolios. If the only evidence document is the pilot report, the claim should reflect pilot conditions, not full production performance. Marketing language tends to drift from the evidence as it passes through drafts. The person who approves the final version needs to have checked that it still matches what the evidence actually says.
What else sits next to this risk?
The Bank of England’s TRUSTED framework asks whether a deployed AI system is targeted at a specific need, reliably accurate, appropriately secure, understood by the people operating it, supported by ethical governance, stress-tested under adverse conditions, and durable enough to remain fit for purpose over time. Satisfying those criteria is what gives a financial services firm grounds to make AI capability claims. Failing any of them means the claim is ahead of the reality.
Two other risks sit alongside AI washing for a delegate with AI responsibility. The first is director liability. Where a firm makes false or unsubstantiated AI claims that influence a client outcome, the accountability for those claims reaches board level. If the delegate drafted the claim and the board signed the report that carried it, both are exposed. The second is data governance. Capability claims about AI accuracy often rest on the quality of data the model was trained on or queries in production. A claim about AI-driven performance that cannot be traced to a data audit carries compounded exposure.
TRUSTED functions as an internal benchmark, not a public label. Claims should be tested against it before they reach any external audience. Firms that work through the criteria often find the claims they can substantiate are narrower than the ones they were preparing to make. That gap is the governance work, and it is considerably less expensive to find before the copy ships than after.
