AI Governance for LatAm Banks: What EBA 2026 Actually Requires
By Meritra Studio · last updated 2026-04-23
The EBA Guidelines on Internal Governance (EBA/GL/2021/05) were updated in January 2026 to include explicit requirements for AI risk management in credit institutions. The guidelines are formally a European instrument — they bind EBA member states directly. Their relevance to LatAm banks is indirect but significant: they define the operational standard that globally-minded boards, international investors, and correspondent banking counterparties now use as a reference when evaluating AI governance maturity.
- EBA Guidelines on ESG and AI Risk Management entered full effect in January 2026, effective for all EBA-supervised institutions, and were adopted as a reference framework by CNBV, SFC Colombia, and BCRA in updated AI risk guidance.
- The five elements required: model inventory, risk tiering, governance body, monitoring protocol, and incident reporting.
- LatAm translation: local regulators have not adopted EBA guidelines verbatim, but the five elements map directly to existing local frameworks (CNBV Circular 14, BCB Resolution 4.557) and are likely to appear in explicit AI risk guidance in 2026.
- A 90-day roadmap exists for banks that need to build from scratch — two elements are organizational (no technology required), one requires a spreadsheet, one requires a policy document, and one requires a board resolution.
What EBA 2026 actually requires
The January 2026 EBA guidelines added three new provisions to the existing internal governance framework specifically addressing AI systems used in material decisions — defined as decisions that affect credit access, fraud detection, pricing, or customer eligibility. The provisions are organized around five requirements:
Article 76a — Model inventory. Institutions must maintain a comprehensive inventory of all AI models used in material decision processes, including: the model's purpose, the data it was trained on, its last validation date, its governance owner, and its risk tier. The inventory must be accessible to the board's risk committee and updated whenever a new model is deployed or a material change is made to an existing one.
Article 76b — Risk tiering. Models must be classified into risk tiers — EBA uses a three-tier framework: Tier 1 (high-risk: credit decisions, fraud scoring for amounts above a threshold, regulatory capital models), Tier 2 (medium-risk: customer segmentation, product recommendations, collections scoring), Tier 3 (low-risk: internal process automation, back-office models). Tier 1 models require annual independent validation, board approval for deployment, and a documented fallback procedure. Tier 2 requires annual internal review. Tier 3 requires periodic review with no mandatory frequency.
Article 76c — Governance body. Material AI deployments must be approved by a designated governance body — not the technology team alone. EBA specifies that the governance body must include the CRO or equivalent, must have access to model documentation, and must explicitly approve the model's intended use case and its risk tier assignment before production deployment.
Article 76d — Monitoring protocol. Deployed models must be monitored for performance drift, bias, and data quality degradation on a defined schedule. Tier 1 models require monthly monitoring reports with predefined alert thresholds. When an alert threshold is crossed — for example, model accuracy drops by more than 5 percentage points versus baseline — an automatic escalation is triggered and the model enters enhanced review until resolved.
Article 76e — Incident reporting. Material AI incidents — model failures that result in erroneous credit decisions, fraud losses attributable to model failure, or regulatory findings related to AI use — must be reported to the board risk committee within 72 hours and to the regulator within 15 business days. EBA defines "material" as any incident affecting more than 1,000 customers or involving a financial impact exceeding a defined threshold.
How this translates to LatAm
LatAm regulators have not adopted the EBA guidelines verbatim. But three of the five elements have direct equivalents in existing local frameworks, and the other two are on regulators' stated agendas for 2026.
The model inventory (76a) is implicitly required by CNBV's model risk management framework (Circular Única Bancaria, Título 1, Capítulo VIII) and by BCB Resolution 4.557 for models used in credit risk. CNBV has not specified a format, which means many banks have model inventories that are incomplete, inconsistently maintained, or inaccessible to the board. EBA 76a provides a concrete format that satisfies both local requirements and international standards.
Risk tiering (76b) is not explicitly required by CNBV, BCB, or SFC Colombia in AI-specific terms. However, CNBV's Disposiciones de Carácter General Aplicables a las Entidades de Ahorro y Crédito Popular (2023 update) requires risk categorization for credit models, which is the functional equivalent for the most material use case. The EBA three-tier framework can be implemented in a LatAm bank as a voluntary internal standard that simultaneously satisfies local requirements for credit models and prepares the institution for likely regulatory expansion.
The governance body requirement (76c) is where most LatAm banks are furthest behind. Technology teams routinely deploy AI models in production without CRO sign-off or formal board notification. This is not a compliance gap yet — but it is a governance gap, and it is the gap most likely to generate a regulatory finding when AI-specific guidance arrives. The AI Governance Framework for Banks includes a board-ready governance policy document and RACI matrix that closes this gap with a single board resolution.
The five minimum elements for a LatAm AI governance framework
Based on the EBA 2026 requirements, existing LatAm regulatory frameworks, and the BCBS principles on model risk management (2011, updated 2022), the minimum AI governance framework for a LatAm bank consists of five elements:
1. Model inventory. A spreadsheet or database listing every AI model in production with: name, purpose, risk tier, data sources, training date, last validation date, governance owner, fallback procedure. Must be reviewed and signed off by CRO quarterly.
2. Risk tiering. A board-approved policy document defining the three tiers, the criteria for tier assignment, the validation requirements per tier, and the procedure for re-tiering when model scope changes. Maximum 4 pages. Must be approved by board risk committee.
3. Governance body. A formal charter for the AI Model Risk Committee (or equivalent), defining membership (CRO, CIO, CCO at minimum), decision rights (what requires committee approval vs. CRO approval vs. technology team discretion), meeting frequency, and escalation path to board.
4. Monitoring protocol. Per-model monitoring plans for all Tier 1 and Tier 2 models, specifying: performance metrics tracked, alert thresholds, monitoring frequency, escalation owner, and what 'enhanced review' means operationally. Models in enhanced review cannot be used for material decisions until resolved.
5. Incident reporting. A documented procedure for AI incidents: who declares an incident, what documentation is collected, when the board risk committee is notified (72h per EBA / as per local regulation), when the regulator is notified, and what constitutes incident closure. Must be tested in a tabletop exercise annually.
The 90-day implementation roadmap
A bank starting from a governance gap — no formal AI risk committee, incomplete model inventory, no board policy — can reach a defensible governance posture in 90 days. The sequence matters because element 3 (governance body) must exist before elements 4 and 5 can be properly owned.
| Days | Action | Owner | Output |
|---|---|---|---|
| 1-15 | Model discovery: inventory all AI models in production, assign preliminary risk tiers | CIO + CRO | Draft model inventory v1 |
| 15-30 | Draft Risk Tier Policy and Governance Body Charter; present to CRO for review | CCO + CRO | Policy drafts ready for board |
| 30-45 | Board risk committee: approve Risk Tier Policy and Governance Body Charter | Board Risk Committee | Board-approved policy + charter |
| 45-60 | First formal AI Model Risk Committee meeting: review model inventory, confirm tier assignments, identify validation gaps | AI Model Risk Committee | Validated model inventory v2 |
| 60-80 | Build monitoring plans for all Tier 1 and Tier 2 models; assign monitoring owners | CRO + model owners | Monitoring protocol per model |
| 80-90 | Draft AI Incident Response Plan; run tabletop exercise with CRO, CIO, CCO, and legal | CRO + CCO | Tested incident response plan |
At day 90, the bank has: a board-approved AI risk policy, a functioning governance body, a complete model inventory, monitoring plans for material models, and a tested incident response procedure. This is the foundation that satisfies EBA 2026 elements, fulfills LatAm regulatory requirements for model risk management, and gives the board a defensible answer to "how do we govern AI?"
The AI Governance Framework for Banks provides the policy document, model inventory template, RACI matrix, board report template, and Q&A prep for the board questions that follow — specifically the EU AI Act, BCBS, and EBA questions that internationally-informed directors will ask. The AI Adoption Scorecard v2 provides the self-assessment tool that allows the bank to measure its current AI maturity against the governance framework requirements before the first board presentation.
The question that will be asked
The question that every board will eventually receive — and that many have already started receiving from audit committees, international correspondents, and regulators — is: "Who approved the AI model you are using to make credit decisions, and what oversight does the board have over its performance?"
The answer that satisfies a well-informed board is not "the technology team approved it" and not "we use a vendor model and they are responsible." The answer is: "The AI Model Risk Committee approved the model under our board-approved Risk Tier Policy. It is classified as Tier 1, validated annually, monitored monthly against defined performance thresholds, and any material incident would be reported to this committee within 72 hours." That answer requires the five elements above to be in place. It does not require them to have been in place for years — only that they exist, are functional, and can be demonstrated.
Frequently asked questions
Do EBA guidelines apply to LatAm banks?
Not directly — EBA guidelines bind EBA member states (EU). Their relevance to LatAm banks is that they define the standard used by globally-minded boards, international investors, and correspondent banking counterparties when evaluating AI governance maturity. Additionally, CNBV, SFC Colombia, and BCRA have adopted EBA guidance as a reference framework in their own AI risk guidance.
What are the five EBA 2026 AI governance requirements?
Model inventory (Art. 76a), risk tiering (Art. 76b), governance body (Art. 76c), monitoring protocol (Art. 76d), and incident reporting (Art. 76e). Together they form the minimum AI governance framework for a credit institution under EBA.
How long does it take to implement an AI governance framework from scratch?
90 days for a defensible framework — with two elements requiring no technology investment (governance body charter, risk tier policy), one requiring a spreadsheet (model inventory), one requiring documented monitoring plans, and one requiring an incident response procedure tested in a tabletop exercise.