Primary sector: Banking

Hummingbird

Hummingbird RegTech, Inc. · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS
Reviewed by Daniel Agrici, Chief Security Officer, EFROS

Composite governance score

56 / 100 (grade C)

C = mixed posture. Acceptable for non-regulated use; requires meaningful additional controls in regulated workloads.

Axes scored: 9 / 11
Trust-center maturity: 3 / 5
Sector weighting: Banking

About this vendor

Modern compliance operations platform — BSA/AML case management, investigations, SAR filing, transaction monitoring overlay. Used by community banks, credit unions, and crypto-adjacent institutions for examiner-ready AML workflow.

Enterprise tier
Hummingbird AML Case Management, Investigations, SAR Filing

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

| Axis | Status | EFROS note | Source |
|---|---|---|---|
| BAA / DPA available | Yes | Hummingbird signs DPAs for enterprise customers; BAA-eligible where PHI overlap exists. | Hummingbird Security |
| Training-data opt-out | Yes | Customer case data not used for cross-customer model training. | Hummingbird Privacy |
| US data residency option | Yes | US data residency standard. | Hummingbird Security |
| SOC 2 Type II report | Yes | Hummingbird holds SOC 2 Type II. | Hummingbird Security |
| ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation. | Public posture review |
| NIST AI RMF self-attestation | No | No public NIST AI RMF self-attestation. Hummingbird positions primarily as a workflow tool rather than an AI decisioning system; AI features (investigation summarization, transaction analytics) score lighter on RMF posture. | Public posture review |
| Colorado AI Act readiness | No | No Colorado AI Act-specific public statement. | Public posture review |
| HHS-OCR Section 1557 readiness | N/A | Banking-vertical positioning. | Hummingbird positioning |
| FRB SR 11-7 readiness | Partial | Hummingbird workflow does not directly perform credit decisioning; SR 11-7 applies to upstream transaction-monitoring model vendors. Hummingbird documents the audit trail expected for examiner-facing case management. | Hummingbird customer documentation |
| ABA Formal Op 512 readiness | N/A | Banking-vertical positioning. | Hummingbird positioning |
| Subprocessor list public | Partial | Subprocessor list available to enterprise customers. | Hummingbird Security |

Trust-center maturity

3 / 5

Security documentation mature; AI-specific governance documentation absent. Strong workflow audit-trail features for BSA/AML examiner readiness.

Source: Hummingbird Security

Deep dive

Overview

Hummingbird is best understood as an AML workflow + audit-trail platform with AI overlay, rather than a decisioning AI vendor. The governance posture reflects this — strong on platform fundamentals (SOC 2, DPA, US residency) but light on AI-specific governance (NIST AI RMF, Colorado AI Act). SR 11-7 applies indirectly: Hummingbird documents the workflow, but upstream transaction-monitoring vendors own model risk.

Strengths

  • SOC 2 Type II, US residency, DPA standard
  • Mature BSA/AML workflow + examiner audit trail
  • Default tenant isolation

Weaknesses

  • No NIST AI RMF self-attestation
  • No Colorado AI Act statement
  • AI-specific governance documentation thin
  • Workflow-positioned rather than AI decisioning — model risk lives upstream

Best-fit use case

Community banks, credit unions, and crypto-adjacent institutions needing modern BSA/AML case management with examiner-ready audit trails. Pair with a dedicated transaction-monitoring model vendor (Unit21, Verafin, NICE Actimize) for the AI model risk piece.

Avoid when

Institutions looking for a single-vendor BSA/AML AI solution — Hummingbird is workflow + investigation, not the underlying decisioning model.

Operator's take

Deploy Hummingbird for community banks, credit unions, and crypto-adjacent institutions that need modern BSA/AML case management with examiner-ready audit trails. Pair it with a dedicated transaction-monitoring model vendor (Unit21, Verafin, NICE Actimize) for the AI model risk piece. The composite score of 56 (grade C) reflects a mixed posture for regulated US workloads. Skip the vendor if the institution is looking for a single-vendor BSA/AML AI solution: Hummingbird is workflow + investigation, not the underlying decisioning model. In every deployment, treat the cells above as a snapshot. The acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.


Disagree with this scoring?

EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).

Disagree with a score?

Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Hummingbird, submit a formal challenge — we re-verify against the source and respond within 14 days.


Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.
