Navigating the Uncertain Seas of Global AI Regulations

October 11, 2024 by Robert Cruz

Quick take

Generative AI demands a delicate balance between fostering innovation and addressing risk. That balance becomes even harder to strike against the backdrop of evolving, diverse regulations across jurisdictions. The burden is on the multinational firm to stay updated on the global AI regulatory environment and ensure that risk controls meet new obligations as they arise.

The global tidal wave of generative AI is upon us, and it does not understand or respect regulatory borders. Its potential impact on business and compliance practices of multinational firms has not yet been determined, but it’s clear that we will not be spared its force. Prepared or not, executives are riding its waves and employees are dipping their toes in the water.

However, attempting to erect protective barricades through regulation across multiple jurisdictions will create unique complexities. Each government regulatory body will attempt to foster the growth and innovation of generative AI technologies within their market, while providing protections to individuals, investors, and markets.

Deep fakes, cyber risks, and misuse of personal information are top concerns amongst the 700+ unique AI risks called out by MIT’s AI Risk Repository. Striking the balance between innovation and risk protection will be approached differently by regulators in the US, EU, UK, Japan, Canada, India and others. Even within the US, roughly a third of the states have already enacted regulations related to the use of generative AI on a variety of topics, including data privacy, consumer protection and discrimination.

Where generative AI regulation stands today

In the US financial services industry, firms are preparing for additional AI guidance from the SEC, FINRA, CFTC and a variety of other federal agencies that oversee the financial system. Many are hopeful that the implementation and adoption of standards proposed by the National Institute of Standards and Technology (NIST) will help simplify and streamline compliance obligations with common risk frameworks.

Clearly, cooperation across regulatory bodies is vital to the objective of streamlining compliance burdens, as is the case when extending the discussion to include the UK and EU. Ultimately, the burden will be on the multinational firm to stay updated on the AI regulatory environment and ensure that risk controls meet new obligations as they arise.

Regulators have targeted, and will continue to target, a wide variety of risks, including cyber fraud, cyberattacks, identity theft, investor protection, the introduction and management of biases, and more.

While generative AI and the regulatory response continue to evolve rapidly, leading securities industry advocacy organizations including SIFMA and AFME continue to advocate against additional regulation. They emphasize that specific generative AI use cases touching existing regulatory obligations should continue to be governed under a principles-based, technologically agnostic approach.

However, in its recently published AI white paper, SIFMA advocated for a national data privacy standard in order to head off issues regarding the use of personal data in generative AI model training.

We’re going to need a bigger boat

The storm of generative AI will surface a multitude of use cases — some of which have never been encountered — and touch multiple regulatory obligations in different jurisdictions.

On one hand, this is not new. Global banks have operated in multiple jurisdictions for decades and are accustomed to the challenge of maintaining an active inventory of applicable regulations that they need to be aware of and adhere to. Just like with GDPR, financial institutions operating internationally will need to consider how to align their global strategies with requirements from other geographic markets.

What is new is the wide spectrum of risk that needs to be addressed, ranging from regulatory to data privacy to information security to intellectual property protection. In some cases, firms may need to consider jurisdiction-specific versions of their AI systems or services, tailoring them to meet local regulatory demands while maintaining global standards where feasible.

Ultimately, managing evolving — and potentially conflicting — regulations will require a delicate balance of legal expertise, technological adaptability, and cross-functional decision-making at the highest levels of the organization to weather the storm.
