AI Training for Finance Teams: What NCUA, FINRA, and Your State CPA Board Actually Require

Your staff is using AI. You may not know the full extent of it.

A credit union loan officer is running client financials through ChatGPT to draft approval narratives. An advisor at your RIA is using AI to generate investment summaries for quarterly client meetings. Your CPAs are using AI to draft client correspondence and research edge cases in the tax code.

This is the current state of AI adoption at small and mid-size financial services firms. Not a projection — what's already happening.

Regulators are catching up. If you operate in a regulated financial services environment and you don't have an AI training program in place, you're behind.


What the Regulators Are Actually Saying

NCUA (Credit Unions)

The National Credit Union Administration has issued supervisory guidance making clear that AI tools fall under existing vendor management, data security, and member privacy requirements. Examiners are asking about:

  • Whether staff have been trained on data handling when using AI tools
  • Whether there are written policies governing AI use in member-facing interactions
  • Whether the credit union has documented its AI risk assessment

"We didn't know they were using it" is not a defensible answer when member data is involved.

FINRA (Broker-Dealers and Registered Representatives)

FINRA's guidance on AI supervision (Regulatory Notice 24-09 and subsequent updates) addresses AI use in member communications, research generation, and client reporting. Key requirements that apply to small broker-dealers and independent RIAs:

  • Supervisory systems must extend to AI-assisted communications
  • Representatives using AI to generate client-facing content must apply the same review standards as manually written content
  • Recordkeeping requirements apply to AI-generated communications

For a 10-person RIA using AI to draft client reports, this means: review before it goes out, keep the record, document that review occurred.

State CPA Boards

Most state boards have issued guidance or are in the process of issuing guidance on AI use in tax preparation, financial statement work, and client advisory services. Common themes:

  • AI-generated tax research must be verified against primary sources
  • Competency standards require understanding of the tools you use — including their limitations
  • CPE requirements are beginning to include AI literacy as a covered topic

The AICPA has published frameworks on AI governance for CPA firms that smaller practices are expected to align with.


The Three Risks Finance Teams Consistently Underestimate

1. Client data in consumer AI tools

A staff accountant runs a client's Schedule K-1 data through ChatGPT to help draft a partnership tax memo. The data includes the client's Social Security number, capital account balances, and income allocation.

Consumer AI tools are not covered under typical financial services data agreements. The data may be retained, may be used in training, and is not subject to your firm's NDAs or data security protocols.

This is a client trust issue. In a regulated environment, it may also be a material breach of your data security policies.

2. AI hallucinations in regulated work product

AI tools produce confident-sounding output that is sometimes factually wrong. In general business writing, this is an annoyance. In financial services, it can be serious.

An AI-generated IRS code citation that doesn't exist. A claim about NCUA reserve requirements that was accurate two years ago and isn't now. A fiduciary analysis that missed a key exception because the model's training data didn't include the relevant guidance.

Staff need to know: AI is a draft tool, not a source. In regulated work, every AI-generated fact needs a human verifying it against primary sources.

3. No documentation when regulators ask

NCUA examiners and FINRA regulators are now including AI governance questions in routine examinations. The question isn't just "do you allow it?" — it's "what training did you provide, and can you show me?"

If your answer is a staff email from six months ago, that's a finding. If your answer is a training completion record showing each employee completed a role-appropriate AI training module, that's a clean examination.


What Role-Specific Training Looks Like in Finance

Generic "Introduction to AI" training doesn't address the specific risks your staff faces. Here's what role-appropriate looks like for each function:

Loan officers and underwriters (credit unions):

  • What member data can and cannot go into AI prompts
  • How to use AI for draft narratives while keeping the decision-making human
  • Review standards before any AI-assisted output goes to a member

Financial advisors and analysts (RIAs):

  • Fiduciary implications of AI-generated research
  • What to verify before client-facing reports go out
  • Recordkeeping requirements for AI-assisted client communications

Tax and accounting staff (CPA firms):

  • Verification standards for AI-generated tax research
  • How to cite AI-assisted work in your workflow documentation
  • Data handling rules for client financial information in AI tools

Operations and administrative staff (all):

  • What counts as sensitive financial data and why it can't go into consumer tools
  • Approved tools vs. unapproved tools (your firm's specific list)
  • Incident reporting: what to do if staff think they've made an error


The Examination Scenario

Picture your Q3 NCUA exam or annual FINRA review. The examiner asks to see your AI governance documentation.

You show:

  • A written AI use policy
  • Training completion records: each staff member, module completed, date, assessment score
  • Role-specific training evidence (not one generic module for everyone)

That's the scenario you're building toward. The records need to exist before the examiner asks — not after.

For a firm that builds this now, Q3 is a non-event. For a firm that starts building after the examiner raises a finding, it's an expensive remediation project with a comment letter attached.


What Small Firms Can Do This Quarter

  1. Write a one-page AI use policy. What tools are approved? What data can be used with them? What requires human review before going to a client or regulator? Get it signed off.

  2. Train by role. Loan officers, advisors, and CPAs have different AI risks. One training module doesn't adequately cover all three. Use a platform that delivers role-specific paths.

  3. Build the audit trail. Completion records with timestamps, tied to specific employees and specific training modules. Export-ready for examiners.

  4. Review quarterly. AI tools and regulatory guidance are both moving fast. A training program that was current six months ago may already be behind.

  5. Document your risk assessment. If you use AI tools, document why you decided they're appropriate, what controls are in place, and what training supports those controls. This is what examiners are increasingly asking to see.


OpenSkills AI offers role-specific AI training for financial services staff — credit unions, RIA/advisory firms, accounting firms, insurance agencies — with compliance-ready completion records. 14-day free trial, no credit card required. A team of 10 costs $9.99–$29.99/month.



OpenSkills AI is not a law firm and this post does not constitute legal advice. For specific NCUA, FINRA, or state CPA board compliance questions, consult qualified legal counsel or a compliance consultant familiar with your regulatory environment.