Principle 1: Security and Trust

AI financial products must minimize risk and protect consumers from misuse, data breaches, and unauthorized financial harms.[1]

Security Practices

  • Sensitive or personally identifiable information is never exposed during user interactions, including through invalid inputs, expired sessions, or cross-user data leakage.
    • Sensitive or personally identifiable information is never exposed during interactions with the user, including after a session has expired or in response to invalid inputs.
    • Sensitive information from other users’ interactions is not recalled, surfaced, or otherwise made accessible.
  • Session management controls prevent unauthorized access, including automatic termination or locking of sessions after a defined period.
    • Reauthentication is required to resume a session after it expires.
    • High-risk or high-value actions, such as changing account details or initiating transfers, require reauthentication or verification before execution.
  • User data is stored, processed, and accessed securely, with internal access limited through role-based controls consistent with the principle of least privilege.
    • The entity that offers the product imposes role-based access restrictions internally and strictly limits access to user data to what is necessary to carry out specific functions.
    • The entity applies role-based access restrictions and limitations across all system components, including AI agents, microservices, and other automated processes that interact with user data.
    • User data collected through the product is stored securely, which may include, but is not limited to, multiple hardening steps at both the network and storage layers.
    • Data shared with third parties is transmitted securely and limited to clearly defined necessary or service-essential functions, excluding secondary uses such as advertising, profiling, and model training.
  • Security incidents are effectively managed, including timely containment, prevention of data exposure, and clear notification to users where applicable.
    • Proactive and continuous monitoring is in place to detect unauthorized access, data leakage or loss, improperly stored credentials, or any other security incident.
    • When incidents occur, they are addressed and resolved in a timely manner, with risks contained, and personally identifiable or sensitive user data is not exposed.
    • If a security incident does occur, the entity that offers the product or service properly notifies affected customers and provides alternatives for recourse.
    • The entity is not subject to recent enforcement actions related to the product or its associated data practices.
  • Users and stakeholders can access compliance and security audit information without requiring a formal request.
    • The entity voluntarily publishes summaries of audit reports for internal controls related to the product.
    • The entity voluntarily publishes summaries, certifications, or attestations of their security and compliance audits.
  • The product’s infrastructure is shown to withstand known threat vectors and conform to recognized security standards through regular testing.
    • The entity’s system architecture follows defense-in-depth security principles, with evidence of regular penetration testing and documented alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework or an equivalent standard.
    • All user data is encrypted at rest and in transit, and Social Security numbers and/or similarly sensitive information receive additional protection.
    • For large language models (LLMs): The product is evaluated against known LLM-specific threat categories, including those identified in the Open Worldwide Application Security Project (OWASP) Top 10 for LLM Applications, such as prompt injection, system-prompt extraction, and training data leakage.

Limiting Systemic Financial Risk

  • The entity that offers the product monitors systemic financial market trends that may be influenced by the scale, adoption rate, and collateral impacts of the product.

Error Validation

  • Prompts that are malicious, adversarial, or designed to extract harmful outputs are identified and rejected before harm occurs.[2]
    • The product is able to identify when a task or prompt falls outside of its capabilities.
    • The product identifies prompts that attempt to manipulate it into producing outputs harmful to the user or third parties—including social engineering scripts, impersonation requests, and prompts designed to bypass the product’s safety architecture—and rejects them rather than complying.
  • Users are protected from content that impersonates financial institutions, bank representatives, or regulators, and cannot be exposed to material that facilitates social engineering or phishing attacks.
    • Outputs do not facilitate impersonation, social engineering, or fraudulent activity. The product rejects adversarial prompts requesting message templates, scripts, or content that could be used for fraudulent activities that might harm users.

Fraud Protection

  • Users are safeguarded from financial exploitation, with fraud, scams, and malicious inputs identified and neutralized before harm occurs.
    • The product is able to identify fraud indicators in real time, and coordinates fraud detection and intelligence across linked accounts and devices while maintaining privacy boundaries.
    • The product provides users recourse for fraudulent transactions, including dispute resolution mechanisms for AI-initiated transactions contested by the user.
    • The product is able to identify malicious prompts and rejects such prompts rather than providing the requested information.
    • Suspicious activity triggers appropriate security responses, including additional verification and transaction safeguards.
    • High-value or irreversible financial actions require explicit, multistep user confirmation and cannot be executed autonomously without verified user intent.
    • Cooling-off periods are implemented for irreversible transactions above defined thresholds.
    • Where the product uses multiagent coordination, interagent communications are authenticated and tested for privilege escalation or goal-manipulation vulnerabilities, consistent with applicable frameworks for agentic AI security.
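The session, reauthentication, multistep-confirmation and cooling-off controls listed under Security Practices and Fraud Protection can be expressed as a single authorization gate that an AI financial product runs before executing any action. The following is an added illustration, not code from the framework or any product it assesses; the thresholds, time windows, action names, and the decision vocabulary (allow, deny, challenge, hold) are assumed values chosen for the example.

```python
from dataclasses import dataclass

# Constructed policy parameters (assumed values, not taken from the framework text).
HIGH_VALUE_THRESHOLD = 1000.00     # above this amount, "high-value" safeguards apply
COOLING_OFF_SECONDS = 24 * 3600    # wait for irreversible actions above the threshold
SESSION_IDLE_SECONDS = 15 * 60     # sessions lock after this much inactivity
REAUTH_MAX_AGE_SECONDS = 5 * 60    # high-risk actions need a recent reauthentication
HIGH_RISK_ACTIONS = {"transfer", "change_account_details"}
IRREVERSIBLE_ACTIONS = {"transfer"}

@dataclass
class Session:
    user_id: str
    last_activity: float   # epoch seconds of the last user interaction
    last_reauth: float     # epoch seconds of the last successful reauthentication

@dataclass
class Request:
    action: str
    requested_at: float               # when the user (or agent) first asked for this action
    amount: float = 0.0
    confirmed_steps: int = 0          # explicit confirmation steps the user has completed
    initiated_by_agent: bool = False  # True when an AI agent, not the user, proposed it

def authorize(session: Session, req: Request, now: float) -> tuple[str, str]:
    """Decide whether an action may run. Returns (decision, reason), where decision
    is "allow", "deny", "challenge" (ask the user for more) or "hold" (cooling-off
    period still running). Session validity is checked first, then reauthentication,
    then user-intent controls, then the cooling-off period."""
    # Session controls: an expired session must reauthenticate before resuming.
    if now - session.last_activity > SESSION_IDLE_SECONDS:
        return "deny", "session_expired_reauthentication_required"
    # High-risk actions require a fresh reauthentication before execution.
    if req.action in HIGH_RISK_ACTIONS and now - session.last_reauth > REAUTH_MAX_AGE_SECONDS:
        return "challenge", "reauthentication_required"
    high_value = req.amount > HIGH_VALUE_THRESHOLD
    irreversible = req.action in IRREVERSIBLE_ACTIONS
    if high_value or irreversible:
        # An agent may never execute such an action autonomously: verified user
        # intent means the user has actually completed the confirmation steps.
        if req.initiated_by_agent and req.confirmed_steps == 0:
            return "deny", "autonomous_execution_not_permitted"
        if req.confirmed_steps < 2:
            return "challenge", "explicit_multistep_confirmation_required"
    # Cooling-off period for irreversible actions above the defined threshold.
    if irreversible and high_value and now - req.requested_at < COOLING_OFF_SECONDS:
        return "hold", "cooling_off_period_active"
    return "allow", "ok"
```

A "challenge" or "hold" result is the point at which the product should log the event and route the user to additional verification rather than silently retrying.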

[1] Governs harmful input blocking. Good-faith prompt accuracy is addressed in Principle 4.

[2] Covers harmful input detection only; not good-faith response accuracy. See Principle 4.