Control 2.19: Customer AI Disclosure and Transparency
Control ID: 2.19
Pillar: Management
Regulatory Reference: SEC Reg BI, CFPB UDAAP, FINRA 25-07 (communications recordkeeping), GLBA 501(b), State AI Laws
Last UI Verified: January 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-03
Objective
Establish formal processes to disclose to customers that they are interacting with AI agents, explain agent capabilities and limitations, and provide clear escalation paths to human representatives, supporting compliance with transparency requirements across federal and state regulations.
Why This Matters for FSI
- SEC Reg BI: Transparency obligations require disclosure of how recommendations are made
- CFPB UDAAP: Failure to disclose AI interaction could constitute deceptive practice
- FINRA 25-07 (Communications Recordkeeping): Requires recordkeeping of AI-assisted customer interactions, which supports disclosure practices
- State AI Laws: CA SB 1001, Utah AI Policy Act, Colorado AI Act mandate AI disclosure
FINRA Notice 25-07 Context
FINRA Regulatory Notice 25-07 (April 2025) is a Request for Comment on workplace modernization rules, not AI governance. It discusses AI only in the limited context of recordkeeping for AI-generated communications. For AI disclosure requirements, refer to FINRA Rule 2210 (Communications) and FINRA Regulatory Notice 24-09 (Gen AI guidance).
Control Description
This control establishes AI disclosure through:
- AI Identification - Persistent disclosure that the user is interacting with an AI agent
- Capability Explanation - Clear description of what the agent can and cannot do
- Limitation Disclosure - Transparent communication about the AI's limitations
- Human Escalation Path - Clear mechanism to reach a human representative at any time
- Data Use Disclosure - Information about how conversation data is used
- Disclosure Versioning - Tracking of changes to disclosure language over time
Key Configuration Points
- Implement AI identification in the agent greeting and keep it visible throughout the conversation
- Create capability disclosure template per agent type
- Configure "Transfer to Agent" action in Copilot Studio for human escalation
- Define data use disclosure aligned with privacy policy
- Document disclosure language in Agent Card (Control 3.1)
- Configure state-specific disclosures based on customer jurisdiction
- Version control all disclosure language with approval tracking
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | N/A - personal agents typically not customer-facing | No customer disclosure needed |
| Zone 2 (Team) | Basic disclosure for shared agents with external users | Shared agents may have external exposure |
| Zone 3 (Enterprise) | Full disclosure suite; state-specific compliance; human escalation; capability limits; data use | Customer-facing requires comprehensive transparency |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Compliance Officer | Approve disclosure language, validate regulatory alignment |
| Legal Counsel | Review state-specific requirements, approve data use disclosures |
| AI Governance Lead | Configure disclosures in agents, manage versioning |
| Customer Experience | Design disclosure UX, test escalation paths |
Related Controls
| Control | Relationship |
|---|---|
| 3.1 - Agent Inventory | Disclosure language documented in Agent Card |
| 2.12 - Supervision | Human escalation aligns with supervision |
| 1.6 - Purview DSPM for AI | Data use disclosure aligns with classification |
| 2.13 - Documentation | Disclosure versions maintained per retention |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- AI identification appears in agent greeting and persists throughout conversation
- Capability disclosure accurately reflects agent functionality
- Human escalation ("Transfer to Agent") functions correctly
- Data use disclosure present and aligned with privacy policy
- State-specific disclosures configured based on customer jurisdiction
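The configuration points and verification criteria above can be backed by a small evidence check. The following is an added example, not code from this control or from Copilot Studio: a versioned, jurisdiction-keyed disclosure registry with an approval gate, and a transcript check that evaluates the criteria (greeting disclosure, persistence, escalation offer, current version recorded). All names, markers and sample wording are constructed assumptions.

```python
# Added example (not from the control text or Copilot Studio): versioned disclosure
# registry keyed by agent type and jurisdiction, plus a transcript check. All names
# and sample wording are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Disclosure:
    version: str      # bumped on every approved wording change
    approved_by: str  # compliance officer, for the approval trail
    text: str         # customer-facing disclosure language

class DisclosureRegistry:
    """One append-only version history per (agent_type, jurisdiction)."""
    def __init__(self):
        self._history = {}

    def publish(self, agent_type, jurisdiction, disclosure):
        if not disclosure.approved_by:
            raise ValueError("disclosure needs compliance approval before publishing")
        self._history.setdefault((agent_type, jurisdiction), []).append(disclosure)

    def current(self, agent_type, jurisdiction):
        # State-specific wording wins; otherwise fall back to the default text
        for key in ((agent_type, jurisdiction), (agent_type, "DEFAULT")):
            if key in self._history:
                return self._history[key][-1]
        raise KeyError(f"no approved disclosure for agent type {agent_type!r}")

AI_MARKER = "virtual assistant"          # phrase every bot turn must carry (assumption)
ESCALATION_MARKER = "transfer to agent"  # Copilot Studio handoff action, as customers see it

def verify_transcript(transcript, registry, agent_type, jurisdiction):
    """transcript = {"disclosure_version": str, "turns": [(role, text), ...]}.
    Returns criterion -> bool so the result can be filed as control evidence."""
    expected = registry.current(agent_type, jurisdiction)
    bot = [text.lower() for role, text in transcript["turns"] if role == "bot"]
    return {
        "ai_identified_in_greeting": bool(bot) and expected.text.lower() in bot[0],
        "ai_identity_persists": bool(bot) and all(AI_MARKER in t for t in bot),
        "escalation_offered": any(ESCALATION_MARKER in t for t in bot),
        "current_version_recorded": transcript["disclosure_version"] == expected.version,
    }

def build_demo_registry():
    """Constructed sample data: a default disclosure and a stricter California version."""
    reg = DisclosureRegistry()
    reg.publish("servicing", "DEFAULT", Disclosure("2026.01", "J. Doe",
        "You are chatting with an AI virtual assistant. Say 'transfer to agent' to reach a person."))
    reg.publish("servicing", "CA", Disclosure("2026.02", "J. Doe",
        "You are chatting with an AI virtual assistant, not a human. Say 'transfer to agent' to reach a person."))
    return reg
```

Run `verify_transcript` over exported conversation records per jurisdiction; any `False` value is a finding against the corresponding verification criterion.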
Additional Resources
- SEC Regulation Best Interest
- CFPB Chatbots in Consumer Finance (Research report identifying risks; binding chatbot regulations pending)
- FINRA 25-07: Communications Recordkeeping
- Microsoft Learn: Human Agent Handoff
Updated: January 2026 | Version: v1.2 | UI Verification Status: Current