Time to Design AI Risk Practices
By: Tyler Brown
SEPTEMBER 3, 2024
Artificial intelligence (AI) is fraught with risks for financial institutions (FIs) that a few years ago didn’t exist on the same scale — particularly in the context of regulations that were written for another era. The sheer volume of data, the growing number of data sources, and increasingly complex mechanisms for analyzing data foretell rules that today are only nascent.
Today, the development of AI in financial services is well ahead of the regulatory process. But regulators don’t want to be caught flat-footed in the face of AI-driven violations or when something unanticipated goes awry. They’re trying to catch up through education, preliminary rulemaking, and articulating best practices. In June, for example, the Department of the Treasury, which said that it’s working on “initial rulemaking efforts” on AI in financial services, published a request for information (RFI). Public comments are now in.
Risk and compliance leaders at FIs would be wise to keep an eye on how rulemaking and standards-setting for AI evolve. For those that haven’t followed potential AI-related rules, reviewing the Treasury document and comment letters would be a good place to start. Regulatory scrutiny will come for AI applications in banking, and bankers had best be prepared for it as AI-driven tools become integral to the tech stack.
First, bankers should educate themselves about what AI means for them and to regulators (in one sample of banking professionals, as we wrote, few bankers were doing much if anything to prepare for AI). Per the RFI, the Treasury Department interprets the statutory definition of AI “to describe a wide range of models and tools that utilize data, patterns, and other informational inputs to generate outputs, including statistical relationships, forecasts, content, and recommendations for a given set of objectives.”
Filtering out the buzzwords, the good news is that the Treasury’s RFI doesn’t point to anything shocking. Its outline of the uses, opportunities, and risks of AI, implications for rulemaking, and best practices retreads a lot of existing ground. One issue that stands out is when AI-driven tools’ behavior is hard to follow — as we also wrote, AI-driven underwriting tools may, for example, violate fair lending and anti-discrimination laws, including unfair, deceptive, or abusive acts or practices (UDAAP), and perpetuate illegal biases.
For future regulation of AI in financial services, comments suggested a “risk-based approach” with rules tailored to the potential negative impact of AI-driven applications, with a focus on critical functions. Comments also suggested rules related to transparency and explainability, including disclosure of algorithm design and clear rationale for outputs; bias mitigation, such as testing for discriminatory or inappropriately skewed outcomes; and reiterating standards for consumer privacy and data security while preserving the private sector’s ability to innovate.
Following recent publications and outreach by regulators, risk and compliance leaders should have an idea of what rules on AI in financial services will target over the next few years. Now is the time to game out what that will mean for FIs’ technology strategies, vendor selection, and ongoing risk and compliance practices.
Addressing Scale Challenges in Risk and Compliance?
SEPTEMBER 5, 2024
By: Tyler Brown
Bank Technology and Data
Operating a robust compliance program gets harder as a financial institution (FI) grows in size and complexity. As we’ve written, those challenges multiply when that FI expands beyond direct channels to third-party partners that are responsible for acquiring and directly overseeing end customers. Amid enforcement actions and proposed regulation, perhaps it’s counterintuitive that a survey from Alloy fielded early this summer found that 61% of 51 respondents from a sample of Banking-as-a-Service (BaaS) sponsor banks with more than $2 billion in assets reported six to ten partnerships and another 27% reported 11 to 20.
These BaaS (referred to in the study as embedded finance) partnerships are a lot for a bank’s risk and compliance teams to handle, particularly in the community-bank segment. Banks that depend on manual processes and the sheer size of their risk and compliance teams to mitigate potential problems introduce fixed costs that a sponsor bank may be unwilling or unable to bear. Suboptimal compliance practices — passing spreadsheets back and forth between the bank and partners, doing manual reviews, and conducting periodic but only occasional audits — cause delays, lag the high growth typical of BaaS partnerships, and introduce additional risk.
Enter the idea of programmatic compliance orchestration. In theory, it makes managing partner compliance more efficient and cost-effective (it’s offered by at least several providers, and we’ve touched on it before). From the bank’s perspective, it means real-time oversight of partners’ compliance policies and practices and the ability to adjust and enforce policies in near-real time. It also means that, ideally, a platform doesn’t require programming expertise, and the risk and compliance teams can make changes with little to no back-and-forth with the IT team, avoiding lengthy in-house development cycles.
Risk management and compliance orchestration extends to platform integrations, including the data sources banks use in risk decisioning and point solutions that may provide certain functions, such as monitoring for AML compliance or KYC. The outputs flow downstream from the bank to program partners to provide parameters for policies, visibility into outcomes based on those policies, and the ability to make quick changes.
As we’ve written, and as Parilee Wang, chief product officer at Alloy, reiterated in an interview with CCG Catalyst, there’s a balance sponsor banks need to strike between responsible growth and innovation. As the cost of compliance for sponsor banks grows, some will make the right investments in oversight and control. Others that aren’t willing to commit will exit or scale down BaaS, or in the context of new entrants, never start a program. To create a healthy long-term BaaS ecosystem, that’s for the best.