On April 27, Customers Bank announced a multi-year strategic partnership with OpenAI. OpenAI engineers will embed inside the $25.9 billion regional bank to build autonomous agents across lending, deposits, and payments over the next 6 to 12 months. CEO Sam Sidhu opened the Q1 earnings call with an AI clone of his own voice, then disclosed that 75% of Customers Bank employees already use OpenAI-powered tools. He also said that bank employees have built more than 500 agents and custom AI models, with about two dozen built in the past two weeks alone.
The numbers are interesting. Customers Bank is forecasting its efficiency ratio dropping from 49% to the low 40s. Commercial loan close times are projected to shrink from 30 to 45 days down to roughly 7 days. Commercial account opening goes from a full day to 20 minutes. By Sidhu’s framing, this isn’t AI as a productivity tool. It’s a fundamental re-engineering of how a regulated bank operates.
This is, by a meaningful margin, the most ambitious agentic AI deployment publicly announced by a US regulated bank to date.
It is also worth understanding alongside one other fact. Customers Bank has been operating under a public Federal Reserve enforcement action since August 2024.
What the Fed Agreement Actually Requires
On August 5, 2024, the Federal Reserve Bank of Philadelphia entered into a written agreement with Customers Bancorp and Customers Bank. The agreement cited significant deficiencies in the bank’s risk management practices and BSA/AML compliance, specifically tied to its digital asset strategy. The agreement is public, formal, and still active.
Among other requirements, the agreement obligates the bank to:
- Submit a written plan to strengthen board oversight of BSA/AML compliance.
- Submit a revised BSA/AML compliance program, customer due diligence program, suspicious activity reporting program, and OFAC compliance program.
- Develop a plan to improve risk management practices specifically with respect to the bank’s digital asset strategy.
- Engage an independent third-party transaction review consultant.
- Provide 30 days written notice to the Federal Reserve before engaging in any new strategic initiative.
That last requirement is worth reading again. The agreement specifically obligates Customers Bank to give regulators advance written notice before launching new strategic initiatives. The bank’s announcement of a multi-year, embedded-engineer partnership with OpenAI, automating core banking workflows in lending, deposits, and payments, is by any reasonable definition a new strategic initiative. Whether that notice was provided, and how the Federal Reserve has responded to it, is not public information.
To be clear, this brief is not suggesting Customers Bank has done anything wrong. The bank may have provided the required notice, may have built the governance infrastructure they describe, and may be operating fully within the boundaries of their agreement. Sidhu publicly stated that the bank “spent the last year building the operational and governance infrastructure to deploy AI at scale.” That claim deserves to be taken at face value.
But the question every other bank watching this should be asking is straightforward. What does that governance infrastructure actually look like, and would my bank be able to demonstrate the equivalent at our next examination?
The Governance Question for the Next Examination Cycle
The Customers Bank announcement is not unusual because it is happening. It is unusual because it is happening in public, at scale, and on a defined timeline. Hundreds of US banks are deploying agentic AI in 2026. Most of them are doing it quietly. The Customers Bank deal makes the governance question concrete.
Sidhu told analysts that 500+ agents are already in production at the bank. He also said that smaller banks “are not going to be expected to have the same level of frameworks as many of the larger banks.” That framing will be tested. Federal Reserve, OCC, and SEC examiners are increasingly using the NIST AI Risk Management Framework as the de facto reference for what good AI governance looks like in regulated financial institutions. NIST AI RMF does not vary by bank size.
For any bank deploying agentic AI in 2026, the questions a Fed examiner is reasonably likely to ask include:
- Do you have a complete inventory of every AI agent and model in production, including the date deployed, owner, business purpose, and decision authority?
- For each agent making decisions that touch lending, account opening, transaction monitoring, or sanctions screening, do you have runtime visibility into what the agent did, what data it used, and what decision it produced?
- When an agent makes a decision that would otherwise have been made by a human under existing risk management procedures, can you produce audit-ready evidence that the decision was made consistent with bank policy, regulatory requirements, and your stated risk appetite?
- What is your drift detection mechanism? When an agent’s behavior deviates from approved patterns, who is notified, and how quickly?
- What is your enforcement posture? Are agents allowed to take action without human-in-the-loop review, and if so, under what specific conditions?
- How does your AI governance program map specifically to the NIST AI RMF Govern, Map, Measure, and Manage functions?
- For BSA/AML and OFAC use cases specifically, how do you ensure that agent-driven transaction monitoring, customer due diligence, and sanctions screening produce equivalent or better outcomes than the human processes they replace?
These are not theoretical questions. They are the questions an examiner will ask, in some form, of every bank deploying agentic AI in lending, payments, or compliance workflows. Most banks today cannot answer them with documented, runtime, audit-ready evidence. That gap is the issue.
The Pattern, Not the Headline
Customers Bank is the most public case. It is not the only case. The pattern across mid-market US banks in 2026 is consistent. Agents are being deployed faster than governance frameworks are being built.
Three converging pressures are bringing this to a head. Bank examiners at the Fed and OCC are starting to ask the runtime governance questions above as part of their standard examination cycle. SEC cybersecurity disclosure rules under Item 1.05 of Form 8-K extend to material AI governance failures, with personal liability exposure for CISOs and General Counsel at public banks. The August 2026 EU AI Act enforcement deadline is a forcing function for any US bank with material EU customer exposure.
The right reading of the Customers Bank announcement is not as a unique event. It is as the most visible expression of a question that every US regional and community bank now has to answer in the next 6 to 18 months. The bank that has documented runtime governance evidence walks into the examination ready. The bank that doesn’t, walks in exposed.
What to Do This Quarter
For CROs, CCOs, and CISOs at any bank deploying agents in production, three concrete actions are worth taking before the next examination cycle.
First, build an inventory. Every agent in production, who owns it, what business process it touches, what data it has access to, what decisions it can make, and whether a human reviews its output. If your bank cannot produce this list in under a week, that itself is a finding.
Second, map your existing AI governance materials against the NIST AI RMF Govern, Map, Measure, and Manage functions. Most banks have fragments of governance scattered across model risk management, vendor risk, and information security. NIST AI RMF asks for them to fit together as a coherent program. The mapping exercise will surface the gaps.
Third, decide your enforcement posture explicitly. For each high-risk use case (lending decisions, transaction monitoring, sanctions screening, customer due diligence), document whether the agent’s output is monitored, whether a human reviews before action, or whether the agent acts autonomously. Examiners will ask. The answer should be deliberate, written down, and signed off by the appropriate risk committee.
None of this requires an OpenAI partnership. None of this requires 500 agents in production. It just requires acknowledging that the regulatory examination of agentic AI in banking is no longer hypothetical. It started this quarter.
The Customers Bank announcement is a useful forcing function for the rest of the industry. The right response is not to wait and see what happens to them. It is to do the governance work now, before an examiner shows up asking the questions for you.
References
— Federal Reserve Board enforcement action against Customers Bancorp and Customers Bank, dated August 5, 2024. Available at federalreserve.gov.
— “OpenAI partners with Customers Bank in push to automate finance,” CNBC, April 27, 2026.
— “OpenAI will embed staff at Customers Bank under multiyear deal,” American Banker, April 28, 2026.
— Customers Bancorp Q1 2026 earnings call transcript.
— NIST AI Risk Management Framework 1.0, January 2023.