Utah's generative-AI rules reach financial services through the high-risk-AI definition added by SB 226 (effective May 7, 2025), not through a sector-specific carve-out. The combination of sensitive personal information (financial data) plus personalized recommendations on significant financial decisions is the exact statutory trigger, and the Division of Consumer Protection (DCP) — not a banking regulator — administers enforcement.
Does the Utah AI Policy Act apply to banks and financial-services firms?
Banks, credit unions, broker-dealers, investment advisers, and fintech lenders are not enumerated regulated occupations under Utah Code Title 13, Chapter 77. Coverage instead comes from Chapter 77 consumer-protection liability for Gen AI output and the post-SB 226 disclosure rule, which is triggered when a consumer-facing AI interaction is a "high-risk AI interaction."
SB 226 defines a high-risk AI interaction as one that involves both (i) collection of sensitive personal information — explicitly including financial data — and (ii) personalized recommendations or advice that could reasonably be relied upon to make a significant personal decision, with financial guidance named among those decisions. Routine, non-personalized account servicing automations fall outside the high-risk definition.
Which financial-services AI use cases sit inside the high-risk definition under SB 226?
Use cases that combine the two triggers and therefore sit inside the post-SB 226 disclosure obligation include: AI-driven credit underwriting and pricing recommendations that consume applicant financial data; robo-advisory and AI-assisted investment recommendations that ingest portfolio and income data; AI-powered debt-restructuring or loan-modification chatbots; insurance underwriting AI for products like deposit insurance or financial guaranty that collect financial PII; and AI-powered KYC, fraud-scoring, or account-opening flows that issue personalized recommendations affecting access to financial services.
Lower-risk financial use cases — branch-locator chatbots, balance-readback IVR flows, generic fraud-alert delivery, and appointment-scheduling helpers — generally fall outside the high-risk definition because they neither collect new sensitive financial PII nor issue personalized financial recommendations. SB 226 also explicitly excluded systems "not designed to simulate human conversation" (such as routine appointment reminders) from the tightened Gen AI definition.
What does the SB 226 safe harbor look like in a financial-services deployment?
SB 226 added an enforcement safe harbor: a person is not subject to a Gen AI disclosure violation if the AI itself clearly and conspicuously discloses its non-human nature at the outset of, and throughout, the interaction. The practical pattern in a financial-services chatbot or assistant is a persistent "You are interacting with an AI assistant" banner plus an on-load utterance that names the AI and offers a human-handoff path.
The safe harbor does not displace Chapter 77 consumer-protection liability for AI output — the firm remains responsible for any deceptive or unfair practice produced by the assistant. It also does not displace federal financial-services obligations: Regulation B adverse-action notice requirements, Regulation Z disclosure requirements, FCRA accuracy obligations, and FINRA / SEC supervisory rules continue to apply independently of Utah.
What are the financial-services penalty exposures and who enforces them?
DCP administers Chapter 77 through the Department of Commerce. Administrative fines are capped at $2,500 for each Chapter 77 violation, and violations of administrative or court orders can trigger civil penalties up to $5,000 per violation. Each consumer Gen AI interaction can constitute a discrete violation, so a financial-services deployment serving thousands of Utah users a day faces meaningful cumulative exposure.
There is no private right of action under either UAIPA or the new Chapter 72a mental-health-chatbot regime. Financial firms should still expect state Attorney General coordination and federal regulator interest where AI-driven decisions touch fair-lending, suitability, or consumer-protection obligations.
How should financial-services compliance programs operationalize Utah today?
A workable Utah financial-services AI checklist starts with an inventory of consumer-facing Gen AI deployments mapped against the high-risk definition. For each high-risk deployment, implement the SB 226 safe harbor through persistent AI-status disclosure, log when and how the disclosure was presented and retain those logs as evidence, and route any consumer "is this an AI" question to a clear and unambiguous response. Document the determination of "not high-risk" for assistants that fall outside the definition so the rationale is defensible if challenged.
Compliance programs typically pair these Utah-specific controls with NIST AI RMF Map and Manage functions and ISO/IEC 42001 clause 6.1.4 risk treatment, since the primary Utah control vector is disclosure plus safe-harbor evidence rather than substantive model controls. The AI Learning Laboratory pathway at the Office of AI Policy is available for novel deployments where a negotiated mitigation agreement is preferable to a strict-compliance posture.
Primary sources
Last verified: 2026-06-09