Prepare for new regulations on artificial intelligence
New rules regarding the use of artificial intelligence (AI) will affect how financial institutions operate. The changes will come into effect in 2024, but the time to act is now. Many of the stipulations align with DXC Luxoft’s best practice recommendations — we can guide you through the adoption of new practices for the successful, compliant use of AI.
What has been announced?
The EU has released a draft Artificial Intelligence Act (AIA) that details planned regulations covering the use of AI. The AIA will potentially affect many current use cases for financial services, including credit scoring, fraud detection, portfolio management and enterprise risk calculation. The rules will apply extra-territorially if the output of AI-driven systems is used within the EU.
As a Financial Institution — even though the regulations are not scheduled to come into effect until 2024 — you need to act now to ensure you have a clear view of how you currently use AI, how you plan to use AI, and how you may be impacted when the regulations go live. Practitioners also need to take note of the emerging rules, and embed them into their design processes for any new applications and services that leverage AI technology.
Which activities are affected?
The draft seeks to categorize AI applications by level of potential risk, each with corresponding levels of control:
Minimal risk — no controls
Limited risk — certain controls
High risk — strict controls and obligations
Unacceptable risk — complete ban
Particular attention should be paid to high-risk areas, as certain financial services activities look set to be placed in this category. For example, the draft rules cite one high-risk activity as “credit scoring denying citizens the opportunity to obtain a loan.” This clearly applies to the use of AI-based retail credit scoring and similar capabilities used by banks.
What controls do you need to put in place?
For high risk applications, the new EU regulations require:
Adequate risk assessment and mitigation systems
High quality of datasets (to minimize risk and discriminatory outcomes)
Logging of activity to ensure traceability of results
Detailed documentation to enable authorities to assess compliance of the system and its purpose
Clear and adequate information to the user
Appropriate human oversight measures to minimize risk
High level of robustness, security and accuracy
Penalties for noncompliance
Financial penalties and other punitive actions could be stiff. Fines being proposed can amount to 6% of revenues for governance-related violations, with high risk AI applications attracting penalties of up to €20 million or 4% of revenues. Noncompliance also brings added risk to reputation and the associated damages.
How are practitioners responding?
The industry response so far has been an acknowledgment of the impact of the AIA, and the anticipation that other regulators may follow suit. The risk-based approach is generally welcomed, and there is also an expectation of some further changes as we get closer to 2024. However, given the scope of the regulations and the examples they contain, plus the proliferation of AI within financial services, it is fair to say that virtually all financial institutions operating in the EU will likely be impacted.
We expect some clarifications to the regulations before they come into effect: For instance, the EU’s definition of AI includes ‘statistical approaches’, this could mean that techniques like regression analysis (in use for over 200 years) would also fall within the scope of the regulations, probably an unintended consequence.
What should you be doing now?
First, identify what will be impacted, and which functional areas are likely to be designated ‘high risk.’ These may include AI solutions that are directly used in relation to client data (such as credit scoring); AI solutions that directly or indirectly impact clients (such as client line of business portfolio management); and AI solutions used for decision making at enterprise level (such as for risk or capital management).
For any affected applications, you will need to put in place and demonstrate compliance with the regulations, including explainability and reproducibility. Regulators want to ensure that AI technology is applied in a transparent, consistent and nondiscriminatory way. To address these aims, AI Platforms and new AI developments will need to have regulatory compliance built-in (noting that responsibility of compliance will lie with the regulated entity).
Help from a trusted partner
Enlisting the expertise of a skilled partner will help ensure your compliance measures are introduced quickly and easily. We believe that many of the rules outlined under AIA are sensible, and would feature in our best practice recommendations.
You have the opportunity to act immediately to assess and adapt your use of AI, and create a catalog of data points for discussions with partners and regulators. This requires preparation; to catalog and classify the AI already in use and identify any likely shortfalls and remediation.
We offer a range of services to help financial institutions plan, implement and challenge these wide–ranging regulatory impacts. Contact one of our consultants to discuss how to use AI with expertise and compliance.
Paul Hewitt leads the Data and Analytics practice for BCM Consulting
EMEA at DXC Luxoft. This spans all advisory and consultancy in Data
and Analytics, and delivery of all projects from POCs to larger multi-year
projects. He has worked with Luxoft Financial Services for 3 years, and has
over 20 years of industry experience.