Emerging technology lawyers Therese Craparo, Anthony Diana and Howard Womersley Smith discuss the rapid advancements in AI in the financial services industry. AI systems have much to offer but most bank compliance departments cannot keep up with the pace of integration. The speakers explain: If financial institutions turn to outside vendors to implement AI systems, they must work to achieve effective risk management that extends out to third-party vendors.
Transcript:
Intro: Hello and welcome to Tech Law Talks, a podcast brought to you by Reed Smith's Emerging Technologies Group. In each episode of this podcast, we will discuss cutting edge issues on technology, data, and the law. We will provide practical observations on a wide variety of technology and data topics to give you quick and actionable tips to address the issues you are dealing with every day.
Therese: Hello, everyone. Welcome to Tech Law Talks and our series on AI. Over the coming months, We'll be exploring the key challenges and opportunities within the rapidly evolving AI landscape. And today we'll be focusing on AI in banking and the specific challenges we're seeing in the financial services industry and how the financial services industry are approaching those types of challenges with AI. My name is Therese Craparo. I am a partner in our Emerging Technologies Group here at Reed Smith, and I will let my colleagues on this podcast introduce themselves. Anthony?
Anthony: Hey, this is Anthony Diana, partner in the New York office of Reed Smith, also part of the Emerging Technologies Group, and also, for today's podcast, importantly, I'm part of the Bank Tech Group.
Howard: Hello, everyone. My name is Howard Womersley Smith. I'm a partner in the Emerging Technologies Group at Reed Smith in London. As Anthony says, I'm also part of the Bank Tech Group. So back to you, Therese.
Therese: All right. So just to start out, what are the current developments or challenges that you all are seeing with AI in the financial services industry?
Anthony: Well, I'll start. I think a few things. Number one, I think we've seen that the financial services industry is definitely all in on AI, right? I mean, there's definitely a movement in the financial services industry. All the consultants have said this, that this is one of the areas where they expect AI, including gender of AI, to really have an impact. And I think that's one of the things that we're seeing is there's a tremendous amount of pressure from the legal and compliance departments because the businesses are really pushing to be AI forward and really focusing on AI. So one of the challenges is that this is here. It’s now. It's not something you can plan for. I think half of what we're seeing is AI tools are coming out frequently, sometimes not even with the knowledge of legal compliance, sometimes with knowledge of the business, where because it's in the cloud, they just put in an AI feature. So that is one of the challenges that we're dealing with right now, which is catch up. Things are moving really quickly, and then people are trying to catch up to make sure that they're compliant with whatever regs that are out there. Howard?
Howard: I agree with that. I think that banks are all in with the AI hype cycle, and I certainly think it is a hype cycle. I think that generally the sector is at the same pace, and at the moment we're looking at an uptick of interest and procurement of AI systems into the infrastructure of banks. I think that, you know, from the perspective of, you know, what the development phase is, I think we are just looking at the stage where they are buying in AI. We are beyond the look and see, the sourcing phase, looking at the buying phase and the impingement of AI into those banks. And, you know, what are the challenges there for? Well, challenges are twofold. One, it's from an existential perspective. Banks are looking to increase shareholder value, and they are looking to drive down costs, help, and we've seen that too with dependency technology that banks have had over the past 15 or more years. AI is an advantage of that, and it's an ability for banks to impose more automation within their organizations and less focus on humans and personnel. And we'll talk a bit more about what that involves and the risks, particularly, that could be created from relying solely on technology and not involving humans, which some proponents of AI anticipate.
Therese: And I think what's interesting, just picking up on what both of you are saying, in terms of how those things come together, including from a regulatory perspective, is that historically the financial industry has used variations of AI in a lot of different ways for trading analysis, for data analysis and the like. Like, so it's not, the concept of AI is not unheard of in the financial services industry, but I do think is interesting to talk about Howard talking about the hype cycle around generative AI. That's what's throwing kind of a wrench in the process, not just for traditional controls around, you know, AI modeling and the like, but also for business use, right? Because, you know, as Howard's saying, the focus is currently is how do we use all of these generative AI tools to improve efficiencies, to save costs, to improve business operations, which is different than the use cases that we've seen in the past. And at the same time, Anthony, as you're saying, it's coming out so quickly and so fast. The development is so fast, relatively speaking. The variety of use cases is coming across so broad in a way that it hasn't than before. And the challenges that we're seeing is that the regulatory landscape, as usual with technology, isn't really keeping up. We've got guidance coming from, you know, various regulators in the U.S. The SEC has issued guidance. FINRA has issued guidance. The CFPB has issued guidance. And all of their focus is a little bit different in terms of their concerns, right? There's concerns about ethical use and the use with consumers and the accuracy and transparency and the like. But there's concerns about disclosure and appropriate due diligence and understanding of the AI that's being used. And then there's concerns about what data it's being used on and the use of AI on highly confidential information like MNPI, like CSI, like consumer data and the like. And none of it is consolidated or clear. And that's in part because the regulators are trying to keep up. And they do tend not to want to issue strict guidance on technology as it's developing, right, because they're still trying to figure out what the appropriate use is. So we have this sort of confluence of brand new use cases, democratization, the ability to, you know, extend the use of AI very broadly to users, and then the speed of development that I think the financial services industry is struggling to keep up with themselves.
Anthony: Yeah, and I think the regulators have been pretty clear on that point. Again, they're not giving specific guidance, I would say, but they say two of the things that they most are concerned with is like the AI washing, which is, and they've already done some finds where if you tout you're using AI, you know, for trading strategies or whatever, and you're not, that you're going to get dinged. So that's obviously going to be part of whatever financial services due diligence you're going to be doing on a product, like making sure that actually is AI is going to be important, because that's something the regulators care about. And then the other thing, as you said, is it's the sensitive information, whether it's material, non-public information. I expect, like you said, the confidential supervisory information, any AI touching on those things is going to be highly sensitive. And I think, you know, one of the challenges that most financial institutions have is they don't know where all this data is, right? Or they don't have controls around that data. So I think that's, you know, again, that's part of the challenge is as much as they're, you know, every financial institution is going out there saying, we're going to be leveraging AI extensively. And whether they are or not remains to be seen. There is potential regulatory issues with saying that and not actually doing it, which is, I think, somewhat new. And I think just, again, as we sort of talked about this, is are the financial institutions really prepared for this level of change that's going on? And I think that's one of the challenges that we're seeing, is that, in essence, they're not built for this, right? And Howard, you're seeing it on the procurement side a lot as they're starting to purchase this. Therese and I are seeing it on the governance side as they try to implement this, and they're just not ready because of the risks involved to actually fully implement or use some of these technologies.
Therese: So then what are they doing? What do we see the financial services industry doing to kind of approach the management governance of AI in the current environment?
Howard: Well, I can answer that from an operational perspective before we go into a government's perspective. From an operational perspective, it's what Anthony was alluding to, which is banks cannot keep up with the pace of innovation. And therefore, they need to look out into the market for technological solutions that advance them over their competitors. And when they're all looking at AI, they're all clambering over each other to look at the best solutions to procure and implement into their organizations. We're seeing a lot of interest from banks at buying AI systems from third-party providers. From a regulatory landscape, that draws in a lot of concern because there are existing regulations in the US, in the UK and EU around how you control your supply chain and make sure that you manage your organization responsibly and faithfully with adequate risk management systems, which extends all the way out to your reliance on third party vendors. And so the way that we're seeing banks implement these risk management systems in the context of procurement is through contracts. And that's what we get in a lot. How do they govern the purchasing of AI systems into their organization from third-party vendors? And to what extent can they legislate against everything? They can't. And so the contracts have to be extremely fit for purpose and very keenly focused on the risks that AI, when deployed within their business, and this is all very novel. And this, for my practice, is the biggest challenge I'm seeing. Once they deploy it into the organization, that's where Anthony and Therese, I'll pass it back to you.
Anthony: Yeah. And I think, Howard, I think one of the things that we're seeing instead of the consequence here is that oftentimes, and this is one of the challenges, is really a lot of the due diligence in terms of how does the tool work? How will it be implemented? Should be done before the contracting? I think that's one of the things that we're seeing. When does the due diligence come in? We're seeing it a lot. They contract it already. Now we're doing the due diligence, testing it and the like. And I think that's one of the challenges I think that we're going to be seeing. I think one of the things, just from a governance perspective, and this is probably the biggest challenge, is just when you think about governance and hopefully you have a committee, I think a lot of organizations have some type of committee or whatever that's sort of reviewing this. I think one of the things that we've seen and where these committees and governance is failing is that it's not accounting for everything. It's going to the committee and they're signing off on data use, for example, and saying, okay, this type of data is appropriate use or it's not training the model and stuff like that, which are very high level and very important topics to cover. But it's not everything. And I think one of the things that we're seeing from a governance perspective is where do you do the due diligence? Where do you get the transparency? You could have a contractual relationship and say that the tool works a certain way. It's only doing this. But are we just going to rely on representations? Or are we actually going to do the due diligence, asking the questions, really probing, figuring out the settings, all of that? The earlier you do that, the better. Frankly, a lot of it, if it was before the contract, would be better because then if you find some certain risks, the contracts can sort of reflect those risks. So that's one of, I think, the governance challenges we have as we move forward here. And also, as I talked about earlier, sometimes the contracts are already set and then they put in an AI feature. That often is another gap that we're seeing in a lot of organizations where they may have third-party governance on the procurement side and they have contracts and the like, but then they don't really have governance on new features coming in on a contract that's in existence already, and then you have to go back. And again, the ideal situation is you'd have, if they had that, you'd go back and look at the contract and say, do we need the amendment contract? Probably should, to account for the fact that you're now using AI. So those are some of the, I think, some of the governance challenges that we've been seeing.
Therese: But I do think what's interesting is that we are seeing financial services work to put in place more comprehensive governance structures for AI, which is a new thing, right? As Anthony's saying, we are seeing committees or working groups formed that are responsible for reviewing AI use within the organization. We are seeing folks trying to structure or update their third-party governance mechanisms to route applications that may have an AI feature to review. We are seeing folks trying to bring in the appropriate personnel. So sometimes, as Anthony's saying, they're not perfect yet. They're only focused on data use or IP. But we are more and more seeing people pull in compliance and legal and other personnel to focus on governance items. We're seeing greater training, real training of users, a lot of heavy focus on user training, appropriate use, appropriate use cases in terms of the use of AI, greater focus on the data that's being used, and how do they put controls in place, which is challenging right now, but to minimize the use of AI on highly confidential information, or if it is being used, to have appropriate safeguards in place. And so I think what's interesting with AI that's different than what we've seen with other types of emerging technologies is that both the regulators and the financial services industry are looking toward putting in place more comprehensive strategies, guidance, controls around the use of AI. It isn't perfect yet. It's not there yet. There's a lot of sort of trial and error in development. But I think it's interesting that with AI, we are seeing kind of a coalescence around an attempt. To have greater management, oversight, governance around the use of the technology, which isn't something, frankly, that we've seen necessarily in a wide scale with other types of emerging technologies, which of course are happening in the financial services industry all the time.
Anthony: Yeah. And I think just to highlight this, right, it starts with the contract, as Howard said, because that's the way you start. So once you do the contracting, testing and validation is critical. And I think that's one of the things that I think a lot of organizations are dealing with because they want to understand the model. There's not a lot of transparency around how the model works. That's just the way it is. So you have to do the testing and validation. And that's the due diligence that I was talking about before. And then documenting decisions, right? So what we're seeing is you've got a governance council. You have to make sure the contract's there. You're doing the testing and validation. All of this is documented, right? To me, that's the most important thing because when the regulators come and say, how do you deal with this, you've got to have documentation that say, here's the way we're deploying AI in organizations. Here's the documentation that shows we're doing it the right way. We're testing it. We're validating it. We have good contracts in place. All of that is, I think, critical. Again, I think the biggest challenge is the scale. This is moving so quickly that you probably have to prioritize. I think this goes back to the data use that we were talking about before, is you probably should be focusing on those AI tools that are really customer facing, that are dealing with material non-public information. If it's dealing with sensitive personal information and it's dealing with CSI, and that becomes a data governance issue. Figuring out, okay, what are the systems where I'm going to employ AI that touch upon these high risk areas, that probably should be where the priorities are. That's where we've seen a lot of concern. If you don't have your data governance in place and you know which tools have highly sensitive information, it's really hard to have a governance structure around AI. So that's where, again, we're seeing a lot of financial institutions playing catch up.
Therese: All right. Well, thanks for that, Anthony. And thanks to Howard as well. I think we have maybe barely scratched the surface of AI in banking. But thanks to everyone for joining us today. And please do join us for our next episode in our AI series.
Outro: Tech Law Talks is a Reed Smith production. Our producers are Ali McCardell and Shannon Ryan. For more information about Reed Smith's emerging technologies practice, please email techlawtalks@reedsmith.com. You can find our podcasts on Spotify, Apple Podcasts, Google Podcasts, reedsmith.com, and our social media accounts.
Disclaimer: This podcast is provided for educational purposes. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest or establish standards of care applicable to particular lawyers in any given situation. Prior results do not guarantee a similar outcome. Any views, opinions, or comments made by any external guest speaker are not to be attributed to Reed Smith LLP or its individual lawyers.
All rights reserved.
Transcript is auto-generated.