Artificial intelligence is increasingly making its presence felt in the financial sector, opening up new opportunities for automation, data analysis and the personalisation of services. However, as the use of AI grows, so do the challenges of integrating it with existing regulations. Key aspects of this integration include compliance with the Digital Operational Resilience Act (DORA). From the perspective of Polish entities and the specificities of the Polish financial sector, the Polish Financial Supervision Authority’s (KNF) guidelines on the use of cloud computing are also relevant.
We look at how the implementation of AI-based solutions fits into current financial sector regulations, and what changes are necessary to allow the financial sector to fully benefit from the potential of artificial intelligence.
AI in the age of DORA
DORA, which aims to increase the digital operational resilience of the financial sector, places particular emphasis on managing the risks associated with information and communication technology (ICT) services.
Artificial intelligence systems are, in principle, treated as software under the AI Act, so many services provided by means of such systems will fall within the categories DORA treats as ICT services. This means that banks and other financial institutions need to ensure that such services comply with the regulation.
AI can help improve digital resilience by, among other things:
- Early detection of cyber threats
- Automating system monitoring
- Optimising decision making
However, in order for financial institutions to realise the full potential of AI in line with DORA, they must ensure that the technologies they implement are transparent and remain under their control. In practice this means:
- Ensuring data security
- Carrying out a risk assessment
- Applying appropriate security measures
- Developing incident reporting procedures
Integrating AI with DORA requirements also requires the implementation of appropriate mechanisms for controlling and monitoring services.
The mandatory digital operational resilience testing programme includes software analysis and source code review, which in practice means that the algorithms used must be designed and implemented in a way that minimises risk and can be verified.
DORA also requires consideration of the potential impact of the solutions used on service continuity and availability. To minimise this risk, banks should maintain redundancy through alternative solutions, together with mechanisms for manual intervention, for example for cases in which algorithms fail or do not perform as expected.
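As an added illustration, not part of the original article and not a pattern prescribed by DORA or any supervisory guidance, the following Python sketch shows one way a bank could wrap an AI scoring component so that the redundancy and manual-intervention mechanisms described above exist in the code path itself: the model is called under a time limit and an output-contract check, consecutive failures trip a breaker, an operator can disable the model by hand, and every decision that the model did not take falls back to a deterministic rule set that can also route a case to a human. All model functions, thresholds, field names and sample applications below are constructed assumptions.

```python
"""Guarded AI scorer with rule-based fallback and manual kill-switch.
Constructed example: all models, thresholds and data are illustrative."""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed application shape: {"income": float, "debt": float, "amount": float}
Application = dict


@dataclass
class Decision:
    approve: Optional[bool]  # None means "route to manual review"
    source: str              # "model", "rules" or "manual_review"
    reason: str


def rule_based_decision(app: Application) -> Decision:
    """Deterministic fallback path: conservative, auditable, no ML involved."""
    ratio = (app["debt"] + app["amount"]) / max(app["income"], 1.0)
    if ratio <= 0.5:
        return Decision(True, "rules", f"ratio={ratio:.2f} within limit")
    if ratio > 1.0:
        return Decision(False, "rules", f"ratio={ratio:.2f} above limit")
    return Decision(None, "manual_review", f"ratio={ratio:.2f} needs a human")


@dataclass
class GuardedScorer:
    model: Callable[[Application], float]
    threshold: float = 0.6       # assumed approval cut-off on the model score
    timeout_s: float = 0.2       # assumed latency budget for one model call
    max_failures: int = 3        # consecutive failures before the breaker trips
    failures: int = 0
    model_enabled: bool = True   # manual kill-switch for operators
    audit_log: list = field(default_factory=list)

    def disable_model(self, reason: str) -> None:
        """Manual intervention: take the model out of the loop, keep a record."""
        self.model_enabled = False
        self.audit_log.append({"event": "model_disabled", "reason": reason})

    def enable_model(self) -> None:
        self.model_enabled = True
        self.failures = 0
        self.audit_log.append({"event": "model_enabled"})

    def _score(self, app: Application) -> float:
        start = time.monotonic()
        score = self.model(app)
        elapsed = time.monotonic() - start
        if elapsed > self.timeout_s:
            raise TimeoutError(f"model took {elapsed:.3f}s")
        # A NaN fails both comparisons, so it is rejected here as well.
        if not isinstance(score, (int, float)) or not (0.0 <= score <= 1.0):
            raise ValueError(f"score violates output contract: {score!r}")
        return float(score)

    def decide(self, app: Application) -> Decision:
        if self.model_enabled:
            try:
                score = self._score(app)
                self.failures = 0
                return Decision(score >= self.threshold, "model", f"score={score:.2f}")
            except Exception as exc:
                self.failures += 1
                self.audit_log.append({"event": "model_failure", "error": str(exc)})
                if self.failures >= self.max_failures:
                    self.disable_model(f"{self.failures} consecutive failures")
        # Redundant path: the service stays available without the model.
        return rule_based_decision(app)


# Constructed model behaviours standing in for a real scoring service.
def healthy_model(app: Application) -> float:
    return 0.9 if app["income"] > 3 * app["amount"] else 0.2

def crashing_model(app: Application) -> float:
    raise RuntimeError("feature store unavailable")

def drifting_model(app: Application) -> float:
    return 1.7  # violates the documented 0..1 output contract

def slow_model(app: Application) -> float:
    time.sleep(0.3)
    return 0.9

SAMPLE_APP = {"income": 6000.0, "debt": 500.0, "amount": 1500.0}


def run_demo() -> dict:
    results = {"healthy": GuardedScorer(healthy_model).decide(SAMPLE_APP)}
    scorer = GuardedScorer(crashing_model)
    for _ in range(3):
        scorer.decide(SAMPLE_APP)          # three failures trip the breaker
    results["tripped"] = not scorer.model_enabled
    results["fallback"] = scorer.decide(SAMPLE_APP)
    results["audit_entries"] = len(scorer.audit_log)
    results["drift"] = GuardedScorer(drifting_model).decide(SAMPLE_APP)
    results["slow"] = GuardedScorer(slow_model).decide(SAMPLE_APP)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The point of the wrapper is that the bank, not the model, decides when the model is trusted: the audit log gives the evidence trail that incident reporting and testing under DORA expect, the breaker and kill-switch are the manual-intervention mechanism, and the rule-based path is the redundancy that keeps the service available when the model is unavailable, too slow, or returns values outside its contract.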
Financial institutions should note the similarities between DORA and the AI Act. A streamlined approach to implementing each of these regulations could result in lower costs and improved risk and resilience management.
Establishing a single, well-documented framework that clearly identifies risks arising from the use of artificial intelligence systems, including any cyber threats, and identifying measures to address those risks, can help ensure compliance with legislation such as DORA and the AI Act.
In developing such a framework, the risks arising from the processing of personal data should not be overlooked.
AI and Cloud Communication
The relationship between the cloud and artificial intelligence is inextricable.
The cloud is a natural environment for the development of AI, as it allows for the easy creation and subsequent management of AI-powered applications, as well as the processing of massive amounts of data, which is critical to the efficiency of algorithms. However, such implementation presents additional challenges for financial institutions, such as ensuring compliance with cloud usage guidelines.
The Cloud Communication, the KNF's set of guidelines for supervised entities on the use of cloud computing, imposes a number of obligations on these entities in relation to data security.
As AI technologies are largely cloud-based, the financial sector will routinely need to consider the requirements of the Communication when implementing artificial intelligence systems, which will involve, among other things, the need to:
- Ensure adequate staff competence
- Develop an information processing plan
- Monitor the processing environment
- Regularly document the activities carried out
GDPR and other regulations
When discussing the implementation of AI-based solutions, it is important to consider the appropriate protection of personal data in accordance with applicable legislation, most notably the GDPR.
In addition to data protection regulations, banks and financial institutions interested in implementing solutions from third-party AI providers should consider the regulations applicable to their business that set out the requirements for regulated outsourcing (e.g. in banking, insurance or payments), as well as other recommendations of the supervisory authority, including Recommendation D.
In summary, integrating AI into the financial sector is no small challenge. However, above all it is a tremendous opportunity to improve process efficiency and operational security, and thus to deliver services more efficiently.
The increasing use of AI in banking will bring greater convenience to customers and competitive advantage to banks.
And to achieve this, it is particularly important to synergise the solutions implemented with the regulatory environment in order to fully exploit the potential of AI for financial actors.