Chatwize
AI chatbot for financial services: the compliance check

Chatwize team · Financial services · Published on 10 April 2026 · 8 min read

An AI chatbot at a financial services firm is not a reskinned support bot. The legal framework is different, liability is different, and what you can and cannot delegate to AI is set in law. Five questions you must be able to answer before you start.

1. GDPR, DORA and MiFID-II — in one line

GDPR governs personal data. DORA requires resilience of your IT chain (vendor contracts included). MiFID-II touches suitability assessments, transparency and appropriateness obligations. Your chatbot touches all three the moment it answers customer questions about financial products — not only when it advises.

Common mistake

Assuming that “only answering FAQs” keeps you outside MiFID-II. The moment the FAQ touches costs, risks or product suitability, you're in scope.

2. What you must never delegate to a bot

Three categories are legally off-limits for AI, however good the model is. Not because the model technically can't, but because the law requires a human or a registered advisor:

  • Suitability and appropriateness assessments — a bot must never complete or record these autonomously.
  • Definitive product advice (recommending a specific mortgage, policy or investment).
  • Accepting changes that have financial consequences — only with human confirmation.

What the bot may do: explain what a suitability test is, schedule an appointment, give product information. At Hypadvies that's exactly how it works: 91.8% resolution, but the moment it tips into advice or finalising, it goes to an advisor.

3. The “mandatory interruption” — legal information duties

In financial services you're required to share certain information at fixed points: before an offer, before advice, often before a follow-up question. Your bot must know when to forcibly interrupt the conversation with a required disclaimer or a referral to an advisor. Those aren't ordinary chat messages; they're legal artefacts, and you must be able to trace when each one was shown.

Practical

Make every legally required text its own tagged message or button, with a stable identifier and version. Log the moment it was displayed, not only the moment it was clicked or acknowledged: the displayed event is the one you will need in a dispute.

4. Logging you can still produce in 5 years

MiFID-II requires retention of communications with a (prospective) customer for 5 years. For some products 7 years. That includes chatbot conversations. Three demands on your logging:

  • Full transcript per conversation, including timestamps and shown buttons/links.
  • Immutability (append-only or a hash chain) — not freely editable in a dashboard.
  • Exportable in a format a regulator understands (JSON or CSV), with the audit trail (hashes or signatures) exported alongside so the recipient can verify the export has not been altered.

A vendor that can't tell you where the logs live, how long they're retained and how to export them is one to skip — regardless of how good the AI model is.

5. When you must prove authorship

In a dispute you have to demonstrate what was written by a human and what was generated by AI. Sounds absurd, but it's where regulators are heading. Practically: make sure your system distinguishes between human-edited FAQ answers (reviewed, signed) and AI-generated answers (generated, logged, with the prompt attached).
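As an added example (not Chatwize's or Hypadvies' code, and no claim about how their platform is built), here is a hash-chained, append-only transcript log in Python covering the points of sections 3 to 5 together: mandatory disclaimers are logged as their own events at the moment they are displayed, AI-generated answers carry the prompt that produced them while reviewed FAQ answers carry their reviewer, the whole conversation exports to plain JSON with the chain inside it, and any later edit of an exported record breaks the chain at exactly that record. Event kinds, field names, the `cost-notice-v3` disclosure and the sample conversation are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Added example, not Chatwize's code. Event kinds, field names and the
# sample conversation below are assumptions chosen for illustration.

GENESIS = "0" * 64  # prev_hash of the first event of every conversation


@dataclass(frozen=True)
class Event:
    seq: int              # position in the conversation, from 0
    ts: str               # UTC timestamp, ISO 8601
    conversation_id: str
    kind: str             # user_message | bot_answer | disclosure_shown | disclosure_ack | handoff
    origin: str           # human | ai | reviewed_faq | system: who produced the content
    payload: dict         # AI answers carry prompt_id/model; reviewed FAQs carry reviewed_by
    prev_hash: str        # hash of the previous event (GENESIS for seq 0)
    hash: str             # SHA-256 over every field above


def _digest(seq, ts, conversation_id, kind, origin, payload, prev_hash) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes identically.
    body = json.dumps({"seq": seq, "ts": ts, "conversation_id": conversation_id, "kind": kind,
                       "origin": origin, "payload": payload, "prev_hash": prev_hash},
                      sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class ConversationLog:
    """Append-only log; a real store would persist each event as it is appended."""

    def __init__(self, conversation_id: str):
        self.conversation_id = conversation_id
        self._events: list[Event] = []

    def append(self, kind: str, origin: str, payload: dict, ts: str | None = None) -> Event:
        prev = self._events[-1].hash if self._events else GENESIS
        seq = len(self._events)
        ts = ts or datetime.now(timezone.utc).isoformat()
        h = _digest(seq, ts, self.conversation_id, kind, origin, payload, prev)
        ev = Event(seq, ts, self.conversation_id, kind, origin, payload, prev, h)
        self._events.append(ev)
        return ev

    def events(self) -> list[Event]:
        return list(self._events)

    def export_json(self) -> str:
        # The chain travels with the data: a regulator can re-verify without your dashboard.
        return json.dumps([asdict(e) for e in self._events], indent=2, ensure_ascii=False)


def load_json(text: str) -> list[Event]:
    return [Event(**rec) for rec in json.loads(text)]


def verify_chain(events: list[Event]) -> tuple[bool, int | None]:
    """(True, None) if intact, else (False, index of the first event that fails)."""
    prev = GENESIS
    for i, e in enumerate(events):
        if e.seq != i or e.prev_hash != prev:
            return False, i
        if _digest(e.seq, e.ts, e.conversation_id, e.kind, e.origin, e.payload, e.prev_hash) != e.hash:
            return False, i
        prev = e.hash
    return True, None


def build_sample_conversation() -> ConversationLog:
    """Constructed sample: a cost question triggers a mandatory disclosure; an advice question hands off."""
    log = ConversationLog("conv-0001")
    log.append("user_message", "human", {"text": "What does this mortgage cost per month?"}, "2026-04-10T09:00:00+00:00")
    # The legally required text is its own event, logged when SHOWN, not only when acknowledged.
    log.append("disclosure_shown", "system",
               {"disclosure_id": "cost-notice-v3", "text": "Costs are indicative; this is not advice."},
               "2026-04-10T09:00:01+00:00")
    # AI-generated answer: the prompt and model are attached so authorship can be shown later.
    log.append("bot_answer", "ai", {"text": "Indicatively EUR 812 per month at 3.9% over 30 years.",
                                    "prompt_id": "system-prompt-v12", "model": "example-model"},
               "2026-04-10T09:00:02+00:00")
    log.append("disclosure_ack", "human", {"disclosure_id": "cost-notice-v3"}, "2026-04-10T09:00:10+00:00")
    log.append("user_message", "human", {"text": "Which mortgage should I take?"}, "2026-04-10T09:00:30+00:00")
    # Advice is off-limits for the bot: a reviewed, signed FAQ text hands off to an advisor.
    log.append("handoff", "reviewed_faq", {"faq_id": "handoff-advice", "reviewed_by": "compliance@example",
                                           "text": "An advisor will contact you."}, "2026-04-10T09:00:31+00:00")
    return log


def tamper_demo() -> tuple[bool, bool, int | None]:
    """Edit the exported disclosure text ('dashboard edit') and show the chain breaks there."""
    log = build_sample_conversation()
    ok_before, _ = verify_chain(log.events())
    records = json.loads(log.export_json())
    records[1]["payload"]["text"] = "(disclosure removed)"
    ok_after, bad_index = verify_chain([Event(**r) for r in records])
    return ok_before, ok_after, bad_index  # (True, False, 1)
```

Each event commits to its predecessor's hash, so editing, deleting or reordering any record after the fact is detectable by anyone holding the export; what the chain cannot stop is a truncation at the tail, which is why the last hash of each conversation should also be written somewhere the application cannot rewrite (a write-once store, or a periodic signed checkpoint).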

What's coming

The EU AI Act lists several financial-services uses as high-risk (among them creditworthiness assessment of natural persons and risk assessment and pricing in life and health insurance), and a bot that feeds such decisions inherits the obligations: documentation of your training data, your prompts and your test suite, before go-live, not by 2027.

A short go-live compliance checklist

  • DPA naming the hosting region (ISO 27001-certified provider), appropriate safeguards for cross-border transfers (SCCs or DPF), and a contractual opt-out from use of your data for model training
  • System prompt explicitly forbids product advice and suitability judgements and routes those to a human advisor
  • Legal disclaimers as tagged, forced messages
  • Logging immutable, ≥5 years, exportable
  • Clear distinction between human-edited and AI-generated answers

Hypadvies operates under this framework. So yes, it works. But not by accident — only by explicitly addressing these five points before go-live.

Ready to make this happen for your team?

Book a short demo and we'll show how Chatwize fits your customer questions, channels and processes.