BizTech Law Blog

New DIFS Bulletin Regarding Use of AI by Financial Service Providers
Introduction

The State of Michigan’s Department of Insurance and Financial Services (“DIFS”) has issued Bulletin 2026-03-BT/CF/CU, titled Use of Artificial Intelligence Systems by Financial Service Providers (the “Bulletin”).

The 10-page Bulletin reminds financial service providers regulated by DIFS that if analytical and computational technologies, including artificial intelligence (“AI”) systems, are used to make decisions that may impact consumers, such actions must comply with all applicable laws, rules, and regulations. Among other topics, the Bulletin outlines DIFS’ expectation that financial service providers develop, implement, and maintain a written AIS Program for the responsible use of AI Systems that make or support decisions related to regulated financial service providers’ practices.

Applicable Laws and Regulatory Guidance

Michigan law prohibits financial service providers from discriminating on the basis of the following protected classes, pursuant to the Elliott-Larsen Civil Rights Act, MCL §§ 37.2101 to 37.2804 (the “ELCRA”): religion, race, color, national origin, age, sex, sexual orientation, gender identity or expression, height, weight, familial status, or marital status. DIFS emphasizes in the Bulletin that the use of AI systems does not relieve financial service providers of these legal obligations.

DIFS also recognizes the report issued by the United States Department of the Treasury (“DOT”) in December 2024 titled Artificial Intelligence in Financial Services – Report on the Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector (the “Report”) as an appropriate source of guidance for Michigan-based financial service providers as they determine whether and how to create and implement AI systems in their services. The Report emphasizes the importance of fair and ethical use of AI technologies, as well as the need for accountability, transparency, compliance, and security practices to ensure that a safe and equitable AI system is developed. View the Report here for more information.

The Bulletin further explains that financial service providers should ensure decisions made by such providers – as well as any AI system they implement – are not “inaccurate, arbitrary, capricious, or unfairly discriminatory”, while acknowledging that the faults of AI technologies can increase these risks. To that end, the Bulletin discusses the expectation that all financial service providers generate and maintain a written AI systems program (“AIS Program”) to govern the responsible use of AI systems by such providers and their employees. Even if a financial service provider chooses not to formally use AI systems to support its practices, DIFS encourages all providers to establish, at a minimum, an employee AI use policy so that acceptable use (if any) is specified in writing by the organization.

AIS Programs are intended to mitigate any adverse outcomes to consumers and should encourage testing of any AI systems to be implemented by financial service providers in order to assess the likelihood of errors, hallucinations, and bias.

AIS Program Guidelines

In general, AIS Programs should prioritize mitigating risks that could result in adverse consumer outcomes and address key elements such as governance, risk management controls, and internal audit functions. Senior management of financial service providers, accountable to the board or a designated committee, must oversee the development, implementation, and ongoing monitoring of the AIS Program. The scope and rigor of an AIS Program should be tailored to the provider’s specific use and reliance on AI, with controls and procedures commensurate with the degree of potential consumer impact. Additionally, the AIS Program may integrate established frameworks from recognized third-party standard organizations, like the National Institute of Standards and Technology’s (“NIST”) Artificial Intelligence Risk Management Framework, where appropriate.

Effective governance of an AIS Program is emphasized, requiring transparent policies and accountability structures for all stages of the AI system lifecycle (e.g., design, development, use, and retirement). Providers must document compliance, establish multidisciplinary committees, delineate responsibilities, and ensure ongoing training and supervision over AI systems.

Risk management and internal control protocols of AIS Programs should cover oversight for the adoption or development of AI systems, robust data practices and accountability procedures, security measures, validation processes, data and record retention practices, and protection of non-public information.

For AI systems and predictive models developed or procured from third parties, the Bulletin’s guidelines call for due diligence, contractual safeguards (e.g., audit rights and notification protocols), and clear responsibilities to ensure regulatory compliance and consumer protection. Overall, the AIS Program must ensure that financial service providers remain ultimately accountable for the risks and outcomes associated with their use of AI, regardless of third-party involvement.

DIFS’ Oversight and Examination

Financial service providers should expect DIFS to ask about their development, deployment, and use of AI systems if such technology is implemented. A DIFS examiner may ask questions regarding any specific AI model, system, or their applications, or request documentation or information including, but not limited to, the following: (i) a copy of the written AIS Program, as well as details and documents related to it; (ii) information related to the due diligence performed prior to acquiring the relevant AI systems and/or technology; (iii) evidence of the financial service provider’s monitoring and audit activities respecting compliance with the Bulletin; and (iv) details regarding data practices, accountability procedures, data security and testing, and related monitoring, among others.

Conclusion

Financial service providers should review the Bulletin and consider how it affects their ongoing AI use. DIFS expects financial service providers to maintain a written AIS Program scaled to the nature of the use case and potential consumer impact, with senior management oversight accountable to the board (or a board committee) and appropriate governance, risk management controls, and internal audit functions. DIFS also signals that examinations and investigations may request AIS Program documentation and information about validation/testing, monitoring, data practices, third‑party due diligence, and contractual safeguards (e.g., audit rights and notification protocols, where appropriate).

Please contact us for AIS Program drafting and review needs, and any related issues, including strengthening vendor diligence and contracting and other financial institution compliance matters.
