Regulatory Alert: Navigating the EU AI Act for Financial Services Firms
Why the EU AI Act Matters:
Financial services firms face a vast range of opportunities that AI promises to enable. Pressure from the top is immense, and users continue to identify use cases to experiment with – both within and outside of existing governance controls. Many of these use cases directly touch digital communications tools. The EU AI Act is the first regulatory framework that helps organizations identify the appropriate controls – including capture, storage, and oversight – they need in order to govern those use cases based on the risks they generate for the business. It is also the first to set out specific penalties for failing to implement those controls.
Moreover, the Act's global implications and hefty penalties for non-compliance underline the urgency for immediate action. By integrating these regulatory standards, companies not only align with legal mandates but also contribute to a more trustworthy AI ecosystem.
Introduction
Ready or not, the European Union's Artificial Intelligence Act (EU AI Act) has officially come into force today, marking a pivotal moment in the regulation of artificial intelligence. This comprehensive legislation aims to ensure the safe and ethical development and use of AI technologies across various sectors, with significant implications for the financial services industry.
The EU AI Act, first proposed in April 2021, has completed its legislative journey and is now binding law across all EU member states. This act represents the world's first broad legal framework for AI, positioning Europe as a global leader in AI governance.
Key features of the Act include:
- A risk-based approach to AI regulation
- Strict rules for high-risk AI applications
- Transparency and explainability requirements
- Emphasis on data quality and bias mitigation
- Mandatory human oversight for certain AI systems
The Act's implementation will be gradual, with different provisions coming into effect over the next 36 months. The key stages are:
- 6 months: Prohibitions on certain AI practices, such as social scoring and real-time biometric identification in public spaces, will become effective.
- 12 months: Regulations governing general-purpose AI systems will be enforced, affecting a wide range of AI applications across industries.
- 24 months: Most rules for high-risk AI systems will come into effect, giving businesses time to adapt their more complex AI applications.
- 36 months: Regulations for high-risk AI systems used as safety components in products will be the last to be enforced, recognizing the complexity of integrating AI into critical product safety features.
This phased approach gives businesses time to adapt but also necessitates immediate action to ensure compliance.
It's important to note the significant penalties for non-compliance, which include:
- Up to €35 million or 7% of global annual turnover (whichever is higher) for the most serious infringements
- Up to €15 million or 3% of global annual turnover for certain other infringements
- Up to €7.5 million or 1.5% of global annual turnover for supplying incorrect information to authorities
Implications for financial services firms
The financial services sector, already heavily regulated, now faces additional compliance challenges with the EU AI Act. Here are the key implications:
Reassessment of AI systems:
Firms must review and categorize their AI applications based on the Act's risk classifications. Many financial services AI systems, such as those used for credit scoring, fraud detection, or algorithmic trading, may fall into the high-risk category, requiring enhanced oversight and compliance measures.
Enhanced transparency:
The Act mandates that high-risk AI systems be transparent and explainable. This requirement may necessitate significant changes in how financial institutions develop and deploy AI, particularly in areas like automated lending decisions or investment recommendations.
Data governance overhaul:
With strict requirements on data quality and bias mitigation, financial firms will need to reassess their data management practices. This includes ensuring the representativeness of training data and implementing robust data governance frameworks.
Human oversight implementation:
For high-risk AI systems, human oversight is mandatory. This could impact the efficiency gains from AI automation, requiring firms to balance compliance with operational effectiveness.
Documentation and reporting:
The Act requires extensive documentation of AI systems, including their development, testing, and ongoing performance. This will necessitate new processes and potentially dedicated resources for AI governance and reporting.
Cross-border considerations:
While the Act applies to the EU, its effects will be felt globally. Financial institutions operating internationally will need to consider how to align their global AI strategies with EU requirements.
Innovation and competitiveness:
While the Act aims to foster trust in AI, there are concerns that stringent regulations might stifle innovation. Financial firms will need to navigate these new rules while maintaining their competitive edge in AI development.
What should firms do now?
With the EU AI Act now in force, financial services firms should take immediate steps to ensure compliance and mitigate risks:
- Conduct an AI inventory: Thoroughly catalog all AI systems in use, including those provided by third parties. Classify these systems according to the Act's risk categories.
- Gap analysis: Assess current AI governance practices against the Act's requirements. Identify areas needing improvement, particularly for high-risk systems.
- Establish an AI governance framework: Develop a comprehensive framework that addresses risk assessment, transparency, data quality, human oversight, and documentation requirements.
- Review and update AI development processes: Ensure AI development methodologies align with the Act's principles, including transparency, explainability, and bias mitigation.
- Enhance data management: Implement robust data governance practices to ensure high-quality, representative data for AI training and operation.
- Train staff: Educate relevant personnel on the EU AI Act's requirements and the organization's compliance strategy.
- Engage with regulators and industry bodies: Stay informed about regulatory guidance and participate in industry discussions to shape best practices.
- Plan for compliance documentation: Start preparing the extensive documentation required by the Act, including AI system specifications, risk assessments, and ongoing performance monitoring.
- Review third-party relationships: Assess the compliance of AI vendors and service providers with the new regulations.
- Allocate resources: Consider forming a dedicated AI compliance team or expanding existing compliance functions to handle the new requirements.
Next steps
As the various provisions of the EU AI Act come into effect over the next two years, financial services firms should view this as an opportunity to strengthen their AI governance and build trust with customers and regulators. By taking a proactive approach to compliance, firms can position themselves as responsible AI leaders in the financial sector.
The EU AI Act represents a significant shift in the AI regulatory landscape. While compliance may be challenging, it also offers an opportunity for financial services firms to differentiate themselves through responsible AI use. As the world watches Europe's pioneering approach to AI governance, firms that successfully navigate these new regulations will be well-positioned for the future of AI in finance.