Financial institutions increasingly depend on cloud-hosted artificial intelligence (AI) services to operate the three risk-analytics workloads that dominate their operational expenditure: real-time fraud detection, credit risk modelling, and anti-money-laundering (AML) transaction monitoring. Although the three workloads share underlying machine-learning techniques, they impose sharply different latency, accuracy, explainability, and audit requirements, and the major hyperscale providers, Amazon Web Services, Microsoft Azure, and Google Cloud Platform, embody distinct architectural philosophies for delivering them. This paper develops a comparative framework that disentangles workload characteristics from provider capabilities, allowing decision makers to reason about the joint design space instead of comparing platforms on isolated technical dimensions. The framework rests on three axes: a workload axis that decomposes each use case into latency, fairness, explainability, and feedback characteristics; a capability axis that maps managed cloud services to those characteristics; and a governance axis that aligns architectural choices with regulations such as the EU AI Act, the Digital Operational Resilience Act, ISO/IEC 42001, and Basel III. We instantiate the framework on three reference architectures and evaluate them on a unified workload synthesised from 18 published industry case studies and five public benchmarks. The evaluation reports area-under-curve, alert volume, decision latency, scan cost per million transactions, and a composite governance score. Results show that a single provider rarely dominates across all three workloads: gradient-boosting fraud pipelines are insensitive to provider choice, credit-risk pipelines benefit substantially from native interpretability tooling, and AML pipelines depend strongly on graph and entity-resolution primitives that are unevenly distributed across providers. The paper contributes (i) a workload-aware comparative framework that integrates regulatory and economic constraints, (ii) a reproducible measurement protocol that other institutions can apply, and (iii) a set of empirical findings that quantify the magnitude of provider differentiation across the three risk analytics workloads.