Michigan DIFS Sets AI Program Expectations for Finance Firms | TLY

AI Regulation Tracker  /  United States

Michigan DIFS Tells Financial Service Providers to Keep a Written AI Systems Program

On January 14, 2026, Michigan's Department of Insurance and Financial Services issued Bulletin 2026-03, setting out its expectations that regulated financial service providers govern their use of AI through a written AI Systems Program. It is guidance and a statement of expectations, not a new rule, and it does not change any existing legal duty.

The Leveraged Years AI Regulation News

On January 14, 2026, Director Anita G. Fox signed DIFS Bulletin 2026-03. The bulletin exists to remind the financial service providers Michigan regulates of a simple point. If you use advanced analytical tools, including AI systems, to make or support decisions that may affect consumers, those decisions still have to follow every law and regulation that already applies to you. The tool does not change the duty. What the bulletin adds is a clear picture of how DIFS expects providers to govern that AI use, and what an examiner may ask to see.

The bulletin covers a specific list of providers: depository institutions, mortgage brokers, lenders and servicers, money transmitters, consumer lenders, motor vehicle sales finance companies, and similar licensees. It does not cover insurers, even though DIFS is the same agency that regulates insurance in the state. That is worth flagging, because the AIS Program framework the bulletin uses is the same language the NAIC built for insurers. Michigan has taken that architecture and pointed it at the banking, credit union, and consumer finance side of the house.

What the bulletin actually asks for

The core of it is one expectation. As DIFS puts it, "all Financial Service Providers are expected to develop, implement, and maintain a written AI Systems Program (an 'AIS Program') for the responsible use of AI Systems that make or support decisions related to regulated Financial Service Providers practices." The program is meant to reduce the risk of what the bulletin calls Adverse Consumer Outcomes, meaning a decision that harms a consumer in a way that breaks the standards DIFS enforces.

The bulletin is explicit that this is proportional, not one size fits all. The controls a provider builds should reflect the degree and nature of the risk its AI actually poses to consumers, considering things like how central the AI is to the decision, how much potential harm is on the table, how much a human is involved at the end, how transparent the outcome is to the consumer, and how much the provider leans on third-party data and models. A firm that uses AI to draft internal summaries is not expected to build the same program as a firm that uses a model to price or deny credit.

What the AIS Program should address, per the bulletin, is familiar to anyone who has run a controls program: governance, risk management controls, and internal audit. It should put a named senior leader in charge, accountable to the board or a board committee. It should cover the full life cycle of an AI system, from design and validation through monitoring, updating, and retirement, and it should cover systems built in-house and systems bought from a vendor. It should also include a way to tell consumers when AI systems are in use.

On vendors, the bulletin draws a hard line that finance leaders should read twice. In its words, "A Financial Service Provider cannot outsource its fundamental risk management responsibility, even when a third party performs a service." Buying a model does not move the accountability. The provider still answers to the regulator for how that model behaves.

What it is, and what it is not

I want to be precise, because it is easy to over-read a regulator's name at the top of a document.

This is guidance. The bulletin says plainly that it "does not prescribe specific practices or documentation requirements," and that providers "may demonstrate compliance with the laws that regulate their conduct in the state in their use of AI Systems through alternative means." It is not a statute. It is not a new rule with its own penalties. It does not impose a filing, a disclosure form, or a mandatory control on anyone. What it does is set expectations and describe the questions DIFS will ask in an investigation or examination.

That said, do not treat "guidance" as "optional." The reason the AIS Program matters is Section 4 of the bulletin, where DIFS lists what an examiner may request: the written program, evidence that it was adopted, its scope, how it is tailored to the provider's risk, and documentation on specific models, including data sourcing, bias analysis, and model drift. The underlying duties are the ones already in law. As the bulletin states, existing standards require "that decisions made by Financial Service Providers are not inaccurate, arbitrary, capricious, or unfairly discriminatory," and it adds that "the use of AI does not relieve Financial Services Providers of their obligation to refrain from discrimination" under Michigan's civil rights act. The AIS Program is how you show your work when DIFS comes asking.

Where the bulletin points for a framework

DIFS does not tell providers to invent a program from scratch. It names two anchors. The first is the US Department of the Treasury's December 2024 report, "Artificial Intelligence in Financial Services," which the bulletin recognizes as an appropriate source of guidance and cites for its principles of fairness, accountability, transparency, and safe and secure systems. The second is the NIST AI Risk Management Framework, which the bulletin says a provider may adopt or rely on, in whole or in part, where appropriate. If you have already mapped your AI governance to NIST, you are pointed in the direction DIFS wants.

Notably absent is the NAIC model bulletin on AI use by insurers. The AIS Program name and structure are lifted from that insurer framework, but this bulletin does not cite it and does not apply to insurers. If you cover both sides of a diversified financial firm, keep the two tracks straight.

What this means for auditors and finance teams

If you sit inside a Michigan-regulated bank, credit union, mortgage shop, or lender, the action is direct. You are now expected to have a written AIS Program, proportional to how you actually use AI, with a named owner accountable to the board. If you already run model risk management or an enterprise risk program, the bulletin lets you fold the AIS Program into it rather than stand up something separate. The gaps to close are usually the same three: an AI system inventory, documented bias and validation testing, and clear vendor accountability.

For US CPAs and finance leaders outside Michigan, the value is comparative. DIFS is not your regulator, and this bulletin carries no authority over you. But it is a clear, current read on where a state financial regulator is landing, and the pattern travels. A written program, proportional controls, a human accountable for AI-assisted decisions, real testing for bias and drift, and no outsourcing of responsibility to a vendor. That posture lines up with how the Treasury report and NIST already frame the same tools, and with the multistate wave of AI governance bulletins that started on the insurance side and is now reaching banking and consumer finance. Treat Michigan as a benchmark for your own controls, not as a duty you have to adopt.

The through line is governance you can evidence. The items DIFS says an examiner will request, where the data came from, who tested the model, who signed off, and whether you can show it, are the same items that turn into findings when they are missing. The bulletin does not force you to build those controls. It tells you the regulator will ask for them.

What to do now

Read the finding, not the headline. The takeaway is that DIFS expects a written, risk-proportional AI Systems Program, not that Michigan has banned or blessed any particular AI use. Inventory where AI already touches consumer-facing decisions in your shop, since that is what the program has to cover. Name a senior owner accountable to the board for the program. Write down your governance answers before an examiner asks: data provenance, bias and validation testing, model drift monitoring, and vendor accountability. If you use a vendor model, confirm your contract gives you audit rights and regulator cooperation, because the responsibility stays with you. And if you are outside Michigan, use this to benchmark, then base any change on your own applicable standards and your auditor's advice, not on another state's bulletin.

Questions professionals are asking

Did Michigan pass a new AI law for financial firms?

No. This is DIFS Bulletin 2026-03, issued January 14, 2026. It is guidance that sets the Department's expectations for how regulated financial service providers govern AI. The bulletin states it does not prescribe specific practices or documentation requirements and does not create, change, or remove any legal duty. The underlying obligations, including the ban on unfair discrimination, already exist in law.

What is an AIS Program?

An AI Systems Program. The bulletin expects each regulated financial service provider to develop, implement, and maintain a written one, covering governance, risk management controls, and internal audit for its AI use. It should be sized to the risk the provider's AI poses to consumers, owned by a named senior leader accountable to the board, and it should cover the full life cycle of both in-house and vendor AI systems.

Does this bulletin apply to insurers or adopt the NAIC model?

No. Despite the agency's name, this bulletin applies to financial service providers such as banks, credit unions, mortgage lenders and servicers, money transmitters, and consumer lenders, not insurers. It does not cite the NAIC model AI bulletin. It uses the same AIS Program structure but points to the US Treasury's December 2024 report and the NIST AI Risk Management Framework for guidance.

Does this affect finance teams outside Michigan?

Not directly. DIFS regulates Michigan financial service providers, and the bulletin carries no authority elsewhere. For US finance leaders outside the state it is a useful benchmark on where a financial regulator is landing on AI governance, and it fits the wider multistate wave of AI bulletins, but it is not a requirement you have to adopt.

Can we rely on a vendor's AI model to meet the expectations?

You can use vendor models, but you keep the responsibility. The bulletin states that a financial service provider cannot outsource its fundamental risk management responsibility even when a third party performs the service, and it expects due diligence, audit rights, and regulator cooperation terms in vendor contracts. The provider remains accountable to DIFS for how the model behaves.

RELATED BRIEFINGS

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal, accounting, or compliance advice. Confirm how any bulletin or standard applies to your situation with qualified professionals in the relevant jurisdiction.