Primary sector: Banking

Hummingbird

Hummingbird RegTech, Inc. · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS

Composite governance score

56 / 100 (C)

C = mixed posture. Acceptable for non-regulated use; requires meaningful additional controls in regulated workloads.

Axes scored: 9 / 11
Trust-center maturity: 3 / 5
Sector weighting: Banking

About this vendor

Modern compliance operations platform: BSA/AML case management, investigations, SAR filing, transaction monitoring overlay. Used by community banks, credit unions, and crypto-adjacent institutions for examiner-ready AML workflow.

Enterprise tier
Hummingbird AML Case Management, Investigations, SAR Filing

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

| Axis | Status | EFROS note | Source |
| --- | --- | --- | --- |
| BAA / DPA available | Yes | Hummingbird signs DPAs for enterprise customers; BAA-eligible where PHI overlap exists. | Hummingbird Security |
| Training-data opt-out | Yes | Customer case data not used for cross-customer model training. | Hummingbird Privacy |
| US data residency option | Yes | US data residency standard. | Hummingbird Security |
| SOC 2 Type II report | Yes | Hummingbird holds SOC 2 Type II. | Hummingbird Security |
| ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation. | Public posture review |
| NIST AI RMF self-attestation | No | No public NIST AI RMF self-attestation. Hummingbird positions primarily as a workflow tool rather than an AI decisioning system; AI features (investigation summarization, transaction analytics) score lighter on RMF posture. | Public posture review |
| Colorado AI Act readiness | No | No Colorado AI Act-specific public statement. | Public posture review |
| HHS-OCR Section 1557 readiness | N/A | Banking-vertical positioning. | Hummingbird positioning |
| FRB SR 11-7 readiness | Partial | Hummingbird workflow does not directly perform credit decisioning; SR 11-7 applies to upstream transaction-monitoring model vendors. Hummingbird documents the audit trail expected for examiner-facing case management. | Hummingbird customer documentation |
| ABA Formal Op 512 readiness | N/A | Banking-vertical positioning. | Hummingbird positioning |
| Subprocessor list public | Partial | Subprocessor list available to enterprise customers. | Hummingbird Security |

Trust-center maturity

3 / 5

Security documentation mature. AI-specific governance documentation absent. Strong workflow audit-trail features for BSA/AML examiner readiness.

Source: Hummingbird Security

Deep dive

Overview

Hummingbird is best understood as an AML workflow and audit-trail platform with an AI overlay, rather than a decisioning AI vendor. The governance posture reflects this: it is strong on platform fundamentals (SOC 2, DPA, US residency) but light on AI-specific governance (NIST AI RMF, Colorado AI Act). SR 11-7 applies indirectly: Hummingbird documents the workflow, but upstream transaction-monitoring vendors own model risk.

Strengths

  • SOC 2 Type II, US residency, DPA standard
  • Mature BSA/AML workflow and examiner audit trail
  • Default tenant isolation

Weaknesses

  • No NIST AI RMF self-attestation
  • No Colorado AI Act statement
  • AI-specific governance documentation thin
  • Workflow-positioned rather than AI decisioning; model risk lives upstream

Best-fit use case

Community banks, credit unions, and crypto-adjacent institutions needing modern BSA/AML case management with examiner-ready audit trails. Pair with a dedicated transaction-monitoring model vendor (Unit21, Verafin, NICE Actimize) for the AI model risk piece.

Avoid when

Institutions looking for a single-vendor BSA/AML AI solution. Hummingbird is workflow and investigation, not the underlying decisioning model.

Operator's take

Deploy Hummingbird for community banks, credit unions, and crypto-adjacent institutions that need modern BSA/AML case management with examiner-ready audit trails. Pair it with a dedicated transaction-monitoring model vendor (Unit21, Verafin, NICE Actimize) for the AI model risk piece. The composite score of 56 (grade C) reflects a mixed posture for regulated US workloads. Skip the vendor when the institution is looking for a single-vendor BSA/AML AI solution: Hummingbird is workflow and investigation, not the underlying decisioning model. In every deployment, treat the cells above as a snapshot: the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.


Disagree with this scoring?

EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).

Disagree with a score?

Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Hummingbird, submit a formal challenge — we re-verify against the source and respond within 14 days.


Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.
