Outsourcing / External partnering
The first decision when implementing new technology will often be who to partner with, as it is unlikely that technology solutions such as AI can be developed in-house. This will require the full spectrum of outsourcing and third-party risk management controls, such as due diligence and risk assessments; if the partner is delivering regulated activities, it is difficult to see how these would not be classed as critical outsourced or third-party relationships.
‘Black box’ risk
Transparency is an essential enabler of trust. Compliance professionals can help manage ‘black box’ risk, e.g. by ensuring the workings of the technology can be explained in plain language to customers. Also, for some categories of vulnerable customer, tools driven by e.g. AI may not be appropriate, or at least this cohort will need additional support. What if the decision-making cannot be explained? Is it still ethical to deploy?
Data Protection
AI is driven by algorithms and by big data, which leads to data protection risks, and compliance professionals are well versed in analysing these risks through data protection impact assessments.
Looking at some of the data protection challenges: How can you incorporate data protection by design into the new technology, especially if you are not the developer? What will you take as assurance from the developers on data protection by design? Do we have a lawful basis to take customer data collected to service the customer account and also feed it into an algorithmic model? At application level, is there a very clear objective defined for the solution? In blockchain technology, who is the data controller, and which jurisdiction’s regulatory framework governs a distributed database? What level of human intervention is there, especially if the tool is customer facing? To name just a few.
Given the complexity of these new systems, it can be difficult to mitigate the full suite of data security risks. So are business continuity plans and exit strategies in place should these systems be attacked?
Incorrect Decisions
Technology is not infallible. How do we guard against the ‘garbage in, gospel out’ syndrome? Does e.g. a decision engine turn down customers who should get loans? How do you detect this? What are the risks to our customers if incorrect decisions lead to potentially unfair outcomes? Is there a guardrail system to switch off a tool and revert to traditional models if the models are producing incorrect outputs that result in poor or detrimental outcomes for customers? And how will results be monitored?
Skills Gaps
Whether you build or buy, you need internal skillsets to maintain the systems. What happens if problems arise during deployment? For risk management, the compliance team needs an understanding of data, technology and their specific governance.
Ethical Underpinning
There is a need to ensure the models do not conflict with laws and regulation and are ‘non-discriminatory’. Without proper direction, models can double down on bias.
So some actions for the compliance professional include:
Engage with the internal innovators, know what is being planned in the IT strategy
Develop an understanding of how different customer cohorts might interact with technology
Develop a full picture of a customer’s online journey
A full risk framework implementation may be warranted across the three lines of defence
Consider how to build compliance and risk systems around an algorithm that is designed to learn and adapt; and
AI ethics goes beyond compliance: start with the EU’s ethics guidelines and familiarise yourself with the ethical issues (EU, Ethics Guidelines for Trustworthy AI, 2019).
The EU has responded with the Proposal for an Artificial Intelligence Regulation, published by the European Commission in April 2021. This regulation, which aims to promote the uptake of AI by creating an ‘ecosystem of trust’, borrows heavily from GDPR for inspiration and seeks to provide a regulatory framework for this new technology. This is a welcome development: the EU has been brave enough to attempt to regulate this early, before mass adoption, rather than play catch-up with such powerful technology. And it creates a role for the compliance professional in our comfort zone and traditional role of interpreting regulation.