A Q&A on AI’s uncharted risk and policy considerations
- Potential for landmark change brings new risks and regulatory responses
For all the efficiencies AI can create, including streamlining risk-management and policy-management practices, financial institutions must have a plan in place for downside risks, says Sylwia Czajkowska, Associate Director at RMA. Top among those risks is AI’s inherent bias, such as in lending decisions. On the other hand, our industry can lean on the power of AI to fill significant human talent vacancies needed to counter fast-moving fraud and cybersecurity risks, says Chris Boersma, Manager – Compliance at BAI. Both join us to walk through AI’s top risk-management and compliance challenges and opportunities.
TRANSCRIPT:
Question: What risks arise when banks use AI?
Sylwia Czajkowska, Associate Director, ORM/ERM at Risk Management Association (RMA): The risk of AI use for banks largely involves relying on incorrect and biased outputs that the AI creates. As I recall, the bias and not having transparent information on AI uses was a very first concern from the beginning of AI appearing in our discussion. And it is still so, even if AI has evolved. For example, banks have been striving to ensure that the models they use to make lending decisions reflect risk accurately and that they do not show bias against any group of the borrowers, which is especially important because of all the fair lending practices. AI has a potential to supercharge the effectiveness of the models, but if it misfires, it can also amplify inaccuracies and bias. At the same time, AI has become more advanced. It has become more difficult to explain exactly how AI reaches its conclusion, making its black box more of an issue.
Another aspect that is important to mention is that human relationship factor. Banks are also concerned about the effect of losing that personal touch with their customer by relying on AI chatbots and that bankers will also lose important critical thinking skills and other skills as certain tasks are being more and more automated. So you might be losing that connectivity of risks and processes and how one decision can have an impact on other areas of your bank. So similarly, you can recall issues when we started the internet banking processes and then pandemic preferred us more for dealing with the technology.
Question: AI remains unregulated in U.S. financial services. How substantial must self-regulation be?
Chris Boersma, CRCM, CISA, CAMS, CC, Manager – Compliance at BAI: It’s true, AI is not regulated right now for financial institutions or for really any industry in the world as of right now. And the reason we’re actually exploring regulation in this is not because AI is something that’s new, it’s been around for a while, it’s due to the popularity growth. It’s really exploded over the last 12 to 18 months. So without regulation out there, what we need to consider is self-regulation. There’s a number of significant risks to employees and to their organizations for employees that are currently using it. So one of the risks is legal risks. It could happen with copyright infringement, accuracy concerns, potential data privacy infringement, and that can make it really challenging to enforce any kind of self-regulation in an organization. So one of the things we really have to be concerned with is regulation by litigation. So if somebody does something that trips a legal parameter of some sort, somebody can come after them with some sort of lawsuit.
So what I would recommend institutions consider is to develop an artificial intelligence risk assessment. So what that’s going to do is identify things you can do, things you can’t do, the controls you’re going to have in place. That could be policies, it could be system controls, it could be any of those things. And with that risk assessment, you’re going to use that to develop and implement policies and procedures for your organization to show what is considered permissible and what’s prohibited. With that, once you have the policies that are developed, you’re going to provide that to all of your employees throughout the organization because you want them to be aware of what the repercussions are if they don’t use it correctly and then receive an acknowledgement from those employees that they understand the policy and that they plan on complying with the requirements that are listed throughout those documents.
Question: Regulatory status check: Could the U.S. match E.U. action? What about state-vs-federal jurisdiction?
Chris: There was a communication that occurred just about 12 months ago where basically regulators were stating that they want to enforce existing laws that are out there and use those to mitigate the risk of AI. One thing that we were talking about recently is the only legislation that we’re aware of is the European Union just created an AI law probably just a few weeks ago. So will any of the other countries follow that example that was put out there? And the likely answer is yes. So one concern of mine is that the federal government usually takes a long time to develop any type of legislation. It just does. The process takes a while to get everybody on board even to vote on the legislation.
So, what I could see possibly happening is that states will develop legislation before the federal government does, which there’s actually one state with a proposal out there and that’s New York. And my concern with that is that there’s a similar issue with privacy. So the federal government is a little bit behind on current privacy legislation. So there’s 14 states that have passed privacy bills with another 18 that have introduced legislation. So that’s happened over the last three or four years. I could see a similar type of approach to this with AI if the federal government doesn’t step in quickly to address this need.
Question: With the absence of regulation, in what ways are banks most vulnerable to compliance and legal repercussions? And are common AI risk management practices emerging?
Sylwia: While it’s not too early to say that AI risk management practices that are emerging are common, there are some similarities in the approaches that RMA members are taking. For example, we are hearing from many that being thoughtful and methodical in rolling out AI capabilities in their organization is the key. They say that they are aware of the pressure to keep up with the competing institutions that are already using AI, but luckily, they have taken into consideration that rushing to keep up without fully understanding the implications of a powerful new technology is likely to be risky. It’s really reassuring to see that members take their time to understand the benefits, weigh in the impacts and risks as they plan their AI strategy. With that in mind, banks are also setting the centralized group that field requests from across the organization to use AI and everybody can weigh in the risk opportunities before giving a go ahead for a particular use case.
I think communication and training on the bank’s strategy and how it applies to particular areas seems to be a leading practice. For AI that’s in use, banks are developing comprehensive controls and policies that address how it’s being used, who is it used by and its output, including model outputs. But we have to remember that AI is not only present on the internal practices. Banks are also working with their vendors and their third parties and they’re trying to learn how they are using AI and also the risk that that may be exposing the bank to. So constantly trying to stay ahead and learn if any new AI practices have been implemented by the vendor. If and how bank’s data is being used is a challenge. So to stay up front of the issue, banks design standards, requirements, create AI acceptable use policy for the third parties to help them better control the uses.
Chris: There’s still compliance and legal repercussions that can happen. Some of the things I mentioned in the earlier answer is copyright issues, data accuracy, fair lending concerns and unequal opportunities to employment. So, the big thing I want institutions to focus on if you’re considering using AI in your organization is that you cannot just implement it and leave it be; treat it like a third-party risk. So, you’re going to have to have controls in place to monitor their activities, that AI is doing exactly what you want it to do and that there are no issues that it’s causing when you thought it was operating in a certain manner.
Question: How can generative AI (gen AI) mitigate risk and detect fraud?
Sylwia: The examples of how generative AI can be used to mitigate risk have to do with its ability to sift through massive data sets, identify patterns and learn. Anything that helps you quickly analyze the data that otherwise would take a lot of time to review, for example, looking at the complaints data, it improves efficiency and gives you an advantage to allocate your time in other areas. When it comes to the credit risk, AI could help uncover new relationships and factors that increase risk and banks can respond by offering and pricing funding more appropriately. Another example would be to find correlations of products that can be offered to the customers based on the data sets available.
AI is already being used to detect fraud by scanning data for anomalies and other potential signs of fraud and will become more effective going forward. I think potentially it gets you closer to that just-in-time inventory of issues, red flags to help you be a true risk manager and focus your time and attention to proactively implement controls to mitigate or minimize the risks as they might be on a horizon. Because AI constantly learns, the human factor and review aspect is absolutely critical to look at the outcomes to help it learn better and stop any bias pattern in time. AI will be able to detect new kinds of exploits and emerging risks as they develop, including fraud that uses AI.
Chris: Fraud is still a huge issue for financial institutions. It’s an issue with check fraud. It’s an issue with people trying to open up deposit accounts and open up loan transactions as well, try to obtain money from that institution. Using AI for fraud in cybersecurity first makes a lot of sense for a couple of different reasons. First, AI can be used for fraud because it can identify particular behaviors and it can predict future fraud attempts. Another thing I want to address is the huge need for artificial intelligence in the cybersecurity space. In 2023, there were almost five million cybersecurity jobs in the world. With that, there were still approximately three to four million open cybersecurity jobs in this space, which leaves a vacancy of 60 to 80%. So AI can be used to fill the gap where there are not qualified individuals to help in this particular area. Things it can do would be fixing vulnerabilities and cybersecurity programs, applying patches, implementing and executing contingency plans, it can be used to automate onboarding and offboarding of users and then predict future cybersecurity attacks.
Question: Looking ahead, what overall impact could AI and gen AI have on our industry?
Sylwia: The overall impact for banks in terms of increased capabilities and cost savings promises to be significant. A recent McKinsey study said AI can improve banks’ productivity by 5% and save the industry between 200 billion and 340 billion per year. Generative AI is coming into wide usage at an important time for banks. The disruptions, rapid digitization and high inflation and interest rates that were caused by the pandemic have expanded the risk exposure of banks and squeezed their net interest margins. Even if you look at the recent RMA survey of chief risk officers and community bank executives, you will find that risk management leaders plan to significantly increase the time and attention they pay to the credit risk, cybersecurity and interest rate risk. To no surprise, however, they do not expect to have significantly higher budgets or increased resources.
So, one would wonder how can you make that work and how can banks mitigate more risks with the same resources? The answer is going to include the use of generative AI and automation that is becoming more powerful each day as it should help you become more efficient in streamlining all of those processes that are very manual at this point. Overall, to speak on a good note, as more risk management tasks will be automated, that will free time and resources for risk management team to address the ever-expanding universe of risk.