AI Consulting for Financial Services: GenAI Integration with Compliance Built In — From Day One
Banks, insurers, and FinTechs want to leverage GenAI — but compliance, data protection, and DORA create hurdles that can quickly derail projects without structured governance. I combine GenAI concept design (chatbot, RAG, LangChain) with regulatory context (DORA, MaRisk, BAIT, VAIT, EU AI Act, GDPR) and create the foundation for AI projects that pass internal and external audits — as a Business Analyst and Project Manager bridging innovation and regulation.
Typical Situations
- Financial institution wants to introduce an internal AI assistant, but compliance and the Data Protection Officer haven't approved yet
- A GenAI pilot is running, but DORA requirements for ICT risk and third-party risk weren't considered
- The regulator (BaFin, FCA, ECB) has questions about AI-powered decision processes — documentation is missing or inadequate
- Bank wants to introduce RAG-based policy search, but data flows and model selection haven't been compliantly documented
- EU AI Act requirements are taking effect — the institution has no risk classification for existing AI systems
- IT developed a LangChain PoC, but MaRisk requirements for model governance and auditability remain open
- Insurer wants to support underwriting with GenAI — VAIT requirements and GDPR clearance are pending
Deliverables
Steering & Governance
AI Project Steering in Regulated Environments: Structured steering of AI projects in financial institutions — from use case prioritization and compliance clearance through sprint reviews and regulatory milestones to go-live approval. Decision papers for board, compliance committees, and IT governance. DORA-compliant change management.
Model & Prompt Governance (MaRisk-compliant): Versioned prompt library, documented model decisions (provider, model version, fine-tuning rationale), API usage monitoring, and token cost control. RAID log with AI-specific risks (hallucinations, vendor lock-in, data leaks). Foundation for auditable AI decisions in the spirit of MaRisk AT 7.2 and BAIT.
EU AI Act & DORA Compliance Documentation: Documented decisions on AI risk classification (EU AI Act), ICT risk assessment (DORA), Data Protection Impact Assessment (GDPR Art. 35), and bias reviews. Audit-ready documentation for regulators, internal auditors, and external reviewers — standard in regulated institutions.
Regulatory Requirements: DORA · EU AI Act · MaRisk · GDPR
AI projects in financial institutions touch multiple regulatory frameworks simultaneously. I work closely with compliance, data protection, and IT governance teams to:
- Ensure DORA compliance: ICT risk assessment for AI systems, third-party risk documentation for external model providers, incident reporting processes
- Implement EU AI Act requirements: risk classification, transparency obligations, conformity assessment for high-risk systems
- Meet MaRisk AT 7.2 / BAIT / VAIT requirements for outsourcing and model governance: documentation, monitoring, exit strategies
- Complete GDPR clearance: DPIA, processing register, legal basis assessment, international data transfers (e.g., to US providers)
- Integrate hallucination risks and bias reviews into the regulatory risk management framework
Project contexts are anonymized. Roles and outcomes are accurately described; details available under NDA.
Project Examples (Anonymized)
German Financial Institution: Compliance Chatbot with DORA and GDPR Clearance
German Financial Institution — AI-Powered Compliance Automation
Challenge: The institution wanted to introduce a RAG-based chatbot for internal compliance queries. DORA requirements (ICT risk, third-party risk for OpenAI), GDPR clearance (DPIA), and MaRisk requirements for outsourcing stood in the way of rapid implementation.
Role: Business Analyst and Project Manager, covering regulatory assessment, requirements specification, DORA conformity check, GDPR DPIA, and handover to the development team
Results:
- DORA ICT risk assessment for AI system completed — third-party risk for OpenAI integration documented
- GDPR DPIA prepared and aligned with Data Protection Officer: legal basis Art. 6(1)(f), no personal data transferred to model provider
- MaRisk-compliant outsourcing documentation for cloud model provider prepared
- Chatbot requirements specification with 52 user stories — fully compliant documentation
Note: Project contexts are drawn from previous consulting and industry roles. Content is anonymized; roles and results are accurately described.
Insurance Group: EU AI Act Risk Classification and RAG Governance
DACH Insurance Group — AI Governance
Challenge: The group had launched several AI pilot projects but had not conducted systematic EU AI Act risk classification. With requirements coming into force, existing systems faced compliance risk.
Role: Business Analyst, covering the EU AI Act gap assessment, risk classification of existing AI systems, and development of a governance framework
Results:
- EU AI Act risk classification for 6 AI systems: 4x Limited Risk, 2x High Risk with remediation plan
- Governance framework with prompt versioning, model update processes, and incident reporting established
- VAIT-compliant documentation for AI-assisted underwriting support prepared
- EU AI Act compliance roadmap with milestones and responsibilities handed over
Related Services
GenAI Integration
Comprehensive GenAI consulting: use case evaluation, chatbot concept design, RAG architectures, and LangChain governance
Chatbot Consulting
From use case definition through conversation flow design to governance — structured and compliance-ready
DORA Implementation
ICT risk, third-party risk, and resilience testing — DORA compliance for financial institutions
Let's talk about your project
No-obligation initial conversation: get concrete insights about your initiative.
Last updated: February 2026