AI is moving faster than regulatory updates. Where does that leave banks?

Artificial intelligence (AI) has accelerated in capability and practical applications over the past year, including in the financial sector. Major banks and investment firms are rushing to develop their own AI models to become more efficient, improve their performance and protect their revenue.

Among the use cases already in play are setting stock pricing targets, preventing payment fraud by scanning more than a trillion data points for precise real-time decisioning, and streamlining credit decisions. However, as heavily regulated businesses, banks and other financial institutions need to ensure that their AI initiatives don’t lead them into noncompliance with existing laws, or with AI-specific rules.

Emerging guidance in AI in finance and banking

The agencies that regulate the financial industry in the U.S. are already issuing some guidance on the use of AI. For example, the Federal Reserve Bank (FRB) last year signaled that while AI can help lenders and insurers get a clearer picture of applicants’ creditworthiness, it also carries the risk of discrimination and unfairness, perhaps based on the inherent biases in vast amounts of historical data used to train AI models for applicant assessment. Because of concerns about compliance with the Fair Credit Reporting Act, the Consumer Financial Protection Bureau (CFPB) has advanced rules on consumer data collection for AI training. The CFPB also noted that AI-powered customer service chatbots, which are increasingly common in many industries, pose legal risks if they give customers misleading or inaccurate financial information.

Also to combat bias, it said, the Federal Reserve recommended a focus on risk management, AI model explainability and transparency, and a review of historical data to avoid perpetuating bias and violating anti-discrimination laws. Likewise, in 2023, the Securities and Exchange Commission (SEC) proposed regulations it said were designed to prevent conflicts of interest in the use of predictive analytics by brokers and financial advisers. Like the FRB, the SEC raised concerns about bias in AI models, and also voiced concerns about the risks of market disruptions caused by AI, as well as data privacy.

Certainly, the outcome of the 2024 presidential election creates additional unknowns for the exact makeup of the future of AI scrutiny.

But data security likely remains as a major concern across agencies and institutions. There’s an inherent risk of data leakage or theft if banks train their AI models on real customer data, and there are also issues of customer consent to have their data used in that way. This is one reason that some institutions are developing synthetic data for model training.

Another concern is the potential impact of AI-powered algorithmic trading. A June 2024 report by the U.S. Senate Committee on Homeland Security and Governmental Affairs raised concerns about the potential market stability, conflicts of interest, accountability and “direct consumer harm” caused by the use of AI in hedge fund trading and called for Congress and regulators to understand and regulate these risks.

AI regulations for banks in the U.S. yet to emerge

For now, the U.S. federal government is working to catch up with AI’s accelerating trajectory, both to create regulatory safeguards and to support innovation. For example, the Biden administration is leveraging an executive order to require disclosures by major AI technology providers related to critical infrastructure, AI safety test results, and AI services provided to foreign clients.

The fact sheet released by the White House about the executive order and resulting initiatives doesn’t specifically mention the financial sector, but it provides a general roadmap of the administration’s key AI concerns. So does the White House Office of Science and Technology Policy’s Blueprint for an AI Bill of Rights, which outlines five core tenets: system safety, protection from discrimination by algorithms, data privacy, clear communication about the use of AI, and humans in the loop. Proposed legislation such as the Federal AI Governance and Transparency Act, which has bipartisan support, would streamline the few U.S. AI laws that already exist. It would also set requirements for “accurate, ethical, reliable, and effective” AI use by federal agencies. Could similar bipartisan support continue in the new congress?

Meanwhile, the EU is further along in codifying requirements for AI models and their use by businesses. The EU AI Act is set to take effect later this year. While it’s generally considered more prescriptive than what the U.S. is likely to pass, it’s worth monitoring the act’s implementation and impact on financial institutions operating in the EU as elements of the law are phased in over the next three years.

Best practices for adaptation to emerging regulations

Without clear regulations in place now, how can financial institutions balance the need for first mover advantage without becoming the first cautionary tale about AI and compliance? Banks can start by defining or evolving their AI strategy, along with their governance and risk management frameworks, and apply them first to existing AI activities and then to new use cases.

Institutions can evaluate potential AI applications case by case to decide which use cases offer risk/reward profiles worth pursuing, based on the best available compliance information. For example, an AI model that analyzes customer data to assess their creditworthiness might be considered high risk under the EU AI Act, but an AI model that optimizes marketing personalization might not. It’s also important to fully consider the teams that will need to be involved over the lifecycle of an AI model—everything from design and coding to implementation and monitoring—to make sure those resources will be available for each use case.

Creating the right team for each use case is important, to shape and comply with future regulations. These teams should include internal stakeholders—a potentially vast list that spans departments including IT, security, data management, risk management, operations, and line-of-business subject matter experts as well as compliance and legal. Regulators should also have a seat at the table, to provide input and get feedback. Finally, each use case should have a place in the institution’s management framework to align it with current and future relevant governance.

AI regulation in the financial sector is coming

Whatever form AI regulation takes for financial institutions in the U.S., it’s likely that it will be relatively business friendly and supportive of technological innovation. We can presume that early regulation will focus on areas that are already of interest to governing bodies, such as transparency, fairness and data privacy risks.

However, the implementation of AI regulations may not be linear or simple—states and the federal government may have their own rules, international banks will have an even longer list of compliance requirements, and those requirements will be subject to change as AI capabilities evolve. Financial institutions already have expertise in managing regulations across jurisdictions that they can use to balance AI innovation and compliance. That means that financial institutions are further along in AI compliance readiness than they may realize. It’s just a matter of flexing the existing framework to encompass AI-related practices.

Tom Nicholson is Financial Services Manager at Capgemini Invent.