Compliance | 7 min read | Team Amaril, AI for finance | March 18, 2026

AI Inside a Financial Intermediary: MiFID II, MAR and GDPR Without Compromise

Adopting AI in a regulated intermediary is not a trade-off between innovation and compliance. With EU data residency, a full audit trail and proper handling of inside information, the two coexist.

In this article

  • MiFID II: governance, traceability and human accountability
  • MAR: inside information must be managed, not merely protected
  • GDPR and EU data residency: legal basis, minimisation, sovereignty
  • Takeaway for decision makers

Editorial note

This content integrates public sources and observations from real-world cases. Data and results may vary depending on operating context, data quality and adoption level.

Artificial intelligence has settled into investment banking, asset management and credit desks. But inside a supervised intermediary the question is not only what the AI can do: it is how it does it, on what legal basis, and with what assurances toward Consob, Banca d'Italia and ESMA. Three regulatory frameworks set the perimeter: MiFID II for the provision of investment services, the MAR Regulation on market abuse, and the GDPR on data protection. Here is how an intermediary can use AI while respecting all three, without slowing analysts down.

MiFID II: governance, traceability and human accountability

MiFID II does not prohibit the use of AI models in analysis and decision support, but it requires clear governance. The intermediary remains accountable for the recommendations and assessments produced: the AI is a tool, not a decision maker. That means every output must be verifiable and reconstructable after the fact, consistent with the record-keeping obligations that already govern communications and orders.

The concrete risk to avoid is hallucination: a system that cites a balance sheet figure that does not exist, or attributes to a half-year report a value it never contained. In an investment committee memo or a credit memo this is not a technical detail; it is an error that can taint a decision and trigger challenges from supervisors. This is why Amaril always answers with a source citation: every number, every clause, every sentence links back to the exact document, page and paragraph. The analyst does not get a bare claim; the analyst gets a claim attached to its evidence. When a model cannot find the source, it says so instead of inventing one.

The result is a complete audit trail: who asked what, against which documents, with which answer and which sources. A compliance function can retrace the entire reasoning, exactly as expected for an investment recommendation or a lending file.
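As an added illustration (not Amaril's code, and not a description of its implementation), the following Python sketch models the two properties this section describes: an answer is accepted only when every citation resolves to a real passage in the document store and the quoted text is actually present there, and each accepted exchange is appended to a hash-chained log recording user, question, documents, answer and sources, so that later edits to the trail are detectable. The corpus, user names, question and answer text are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample corpus standing in for a document store:
# document id -> page number -> list of paragraph texts.
CORPUS = {
    "H1-2025-report.pdf": {
        12: [
            "Net revenue for the half year was EUR 41.3 million.",
            "Operating margin improved to 18.2 percent.",
        ],
    },
}


@dataclass(frozen=True)
class Citation:
    doc_id: str
    page: int
    paragraph: int  # 0-based index of the paragraph within the page
    quote: str      # exact text the answer relies on


def citation_is_grounded(c: Citation, corpus=CORPUS) -> bool:
    """True only if the quote appears verbatim in the cited passage."""
    try:
        passage = corpus[c.doc_id][c.page][c.paragraph]
    except (KeyError, IndexError):
        return False
    return c.quote in passage


def validate_answer(citations: list, corpus=CORPUS) -> None:
    """Refuse an answer with no citation or with a citation that does not resolve."""
    if not citations:
        raise ValueError("unsourced answer rejected: no citation supplied")
    for c in citations:
        if not citation_is_grounded(c, corpus):
            raise ValueError(
                f"citation not found: {c.doc_id} p.{c.page} para {c.paragraph}")


def answer_is_acceptable(citations: list, corpus=CORPUS) -> bool:
    """Boolean wrapper around validate_answer for callers that prefer no exception."""
    try:
        validate_answer(citations, corpus)
        return True
    except ValueError:
        return False


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash every field except the stored hash itself, in a canonical order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, question, doc_ids, answer_text, citations,
               corpus=CORPUS, timestamp=None) -> dict:
        """Validate the grounding, then append who/what/which documents/answer/sources."""
        validate_answer(citations, corpus)
        entry = {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "question": question,
            "documents": sorted(doc_ids),
            "answer": answer_text,
            "citations": [asdict(c) for c in citations],
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    log = AuditLog()
    cit = Citation("H1-2025-report.pdf", 12, 0, "EUR 41.3 million")
    log.record("analyst.rossi", "What was H1 2025 net revenue?",
               ["H1-2025-report.pdf"], "H1 2025 net revenue was EUR 41.3 million.", [cit])
    print("chain intact:", log.verify())
```

A compliance reviewer can run `verify()` over the exported log at any time; because each entry carries the hash of its predecessor, silently rewriting an answer or a citation after the fact breaks the chain. In a production system the log would live in write-once storage and the chain head would be signed or anchored externally, which this sketch leaves out.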

MAR: inside information must be managed, not merely protected

The MAR Regulation is where many AI initiatives stop, and rightly so. An intermediary routinely handles inside information: due diligence on a target ahead of a takeover bid, a data room on an unannounced M&A deal, data on an issuer listed on Euronext Milan or Deutsche Börse before a price-sensitive announcement. Feeding these documents into a generic AI service means, at best, losing control over where the data ends up.

Proper handling requires three things. First, segregation: information must stay confined to the authorised perimeter, consistent with insider lists and internal information barriers. Second, no unnecessary persistence: content must not be stored or reused beyond what is strictly needed, least of all to train shared models. Third, access traceability, to demonstrate at any moment who saw what.

Amaril is built on these principles: zero retention on client data, no reuse of documents for training, and the option of on-premise deployment for those who cannot let data leave their perimeter. Inside information stays where it belongs, and the analyst's activity produces evidence the MAR function can consult.

GDPR and EU data residency: legal basis, minimisation, sovereignty

Financial statements, term sheets and credit files contain personal data: directors, guarantors, beneficial owners identified in anti-money-laundering checks. The GDPR requires minimisation, purpose limitation and safeguards on transfers. The structural answer is to keep processing inside the European Union. Amaril operates on EU cloud with end-to-end encryption, avoiding the friction of transfers to third countries and offering the data sovereignty that an authority such as Banca d'Italia or the supervisory data protection authority expects from a regulated intermediary.

The combination with zero retention matters: less data stored means less risk surface, fewer documentation obligations and a stronger position in case of an access request or an inspection. Compliance is not a layer bolted on afterward, it is part of the architecture.

Takeaway for decision makers

AI inside a financial intermediary is regulatorily sustainable under three precise conditions. First: every output must be verifiable and anchored to its source, because without citation there is no audit trail, and without an audit trail there is no defensibility toward Consob or ESMA. Second: inside information must be managed with segregation, zero retention and traceability, not simply entrusted to a generic vendor. Third: data stays in the EU, on GDPR-compliant infrastructure, with the on-premise option when the perimeter demands it. Amaril is designed to satisfy all three at once: source citation, no hallucinations, EU cloud and GDPR. Analysts move faster, compliance sleeps soundly.

Tags: MiFID II, MAR, GDPR, Compliance, Inside Information, Financial AI

Want to dive deeper into the technology?

See how Amaril brings AI into your analysis workflows while respecting MiFID II, MAR and GDPR, with source citation and EU data residency. Book a demo with our team.