Overview

Financial Services and Generative AI: Navigating a New Era of Innovation

How Financial Services Firms are Embracing — and Governing — Generative AI

Generative AI has been unleashed upon the financial services industry, with immense top-down pressure from firm leadership to harness its capabilities. At the same time, users are actively experimenting with use cases both within and outside of existing compliance controls and ambiguous regulatory obligations.

Caught in the middle are compliance officers, who are in an uncomfortable position – not to say “No” to the use of generative AI, but to help guide the firm on “How.”

The bottom line: Modern financial firms must adapt and integrate generative AI within their communications and collaborative technology infrastructures if they wish to stay competitive. Compliance teams must establish the appropriate controls and guardrails to ensure adherence to regulatory requirements. In this e-book, we utilize insights from industry experts to highlight the steps compliance and other risk stakeholders can take to support their firm’s use of this transformative technology.

  • Evaluating the benefits and risks associated with generative AI adoption
  • Assessing the impact of generative AI on regulatory obligations
  • Creating actionable policies for managing generative AI risks
  • Evaluating and selecting specific generative AI models

Table of Contents

Chapter 1

Making Strategic Decisions About Generative AI and Balancing the Regulatory Risks

How are financial firms thinking about generative AI today?

Financial services firms are approaching generative AI with a mixture of enthusiasm and caution. They recognize its transformative potential while acknowledging the complex regulatory landscape inherent to the industry.


Internally, organizations aim to improve efficiency by automating manually intensive tasks and functions, such as searching and retrieving information, summarizing meetings and documents, and strengthening risk management. Externally, firms are exploring client-facing use cases, such as AI-driven customer service solutions, personalized financial advice platforms, and product recommendation systems. Each externally-facing use case intersects with current financial services regulatory obligations, causing firms to pursue these cases more cautiously.

The state of AI regulation plays a significant role in shaping generative AI strategies, particularly for multinationals. Firms are developing implementation plans that account for both current and anticipated regulations, such as the recently enacted EU AI Act. This proactive stance includes identifying potential "high-risk" AI applications early and establishing robust governance structures and documentation practices.

“It's not the tool you use; it’s what these tools could do. The same worries that people have about generative AI were applied to machine learning on structured data around issues like discrimination in consumer lending.”

-- Matthew Bernstein, Information Governance Strategist, MC Bernstein Data

Emerging Best Practices

  • Create a dual-focus strategy for external and internal use cases
  • Focus on high-value areas like customer service, large-scale data analysis and compliance review
  • Adopt a model that combines generative AI automation with human oversight
  • Deploy strategies that account for continuing regulatory fluidity

How are firms evaluating the benefits and risks of generative AI?

Many firms are implementing holistic evaluation processes that examine potential generative AI use cases and associated risks across critical business functions, including IT, information governance, privacy, data management, legal, and compliance risk management.

There's also growing recognition that business units need to view data as a strategic asset and that generative AI initiatives should be aligned with clear business outcomes and value propositions.

Generative AI will remain over-hyped for the foreseeable future. Regulators have already signaled their intent to focus on false or misleading claims about the use of AI (“AI Washing”). Firms need to exercise care to invest in generative AI approaches that have been thoroughly vetted for specific use cases. Many generative AI approaches will never be suitable for regulated firms, and a separation of those that can be characterized as ‘regulatory grade’ will eventually occur. Close collaboration between data science teams and business and compliance stakeholders will continue to be imperative.

“When assessing whether and how to incorporate generative AI into business processes, consideration should be given by compliance professionals to the limits of the technology to ensure clarity around how it will be used and for what purposes. Transparency and explainability will be key requirements.”

-- Nina Bryant, Senior Managing Director, FTI Consulting

Emerging Best Practices

  • Establish AI governance councils to oversee initiatives, organizational alignment, compliance, and ethical standards
  • Develop comprehensive evaluation frameworks that cover all aspects of generative AI implementation
  • Engage diverse stakeholders across various departments to ensure a holistic assessment
  • Be aware of technology limits by staying in contact with data science teams to surface false and misleading vendor claims

How are stakeholder perspectives integrated into generative AI governance and risk management practices?

Generative AI can be a shiny new toy to some; however, the financial services industry recognizes the importance of balancing innovation with risk mitigation for generative AI use cases.

Generative AI has united functional stakeholders around one common element: the intellectual capital and risk associated with the firm’s information. Generative AI can be embedded in, on, around, or with the firm’s IP, which has broadened interest in the topic beyond the risk and data science teams.


What we have also found is that many organizations rely heavily on external expertise, indicating a shortage of in-house knowledge. This expertise gap underscores the need for substantial internal capacity building in AI governance. Firms are increasingly recognizing the value of diverse stakeholder input in generative AI decision-making processes, aiming to ensure that their strategies are both innovative and responsible.

“What I'm seeing is a lot of focus on the process up front, and a real effort to try to balance the desire to innovate with the desire to mitigate risk.”

-- Amy Longo, Partner, Ropes & Gray LLP

Emerging Best Practices

  • Establish C-level executive risk-awareness to balance innovation potential and risk mitigation
  • Enable cross-functional collaboration so risk stakeholders can learn from other teams’ experiences
  • Invest in internal expertise development to build robust in-house AI governance capabilities
  • Engage in strategic external partnerships to stay abreast of best practices

Chapter 2

Regulatory and Risk Implications: How to Be Ready

What methods are being used to identify, assess and prioritize generative AI risks?

Firms are emphasizing comprehensive data lifecycle management within generative AI systems. This includes rigorous examination of data privacy and security protocols, scrutiny of AI model training processes and data sources, and careful consideration of how proprietary data is used and stored.

These measures are crucial for maintaining regulatory compliance, protecting sensitive financial information, and mitigating potential biases that could arise from training data.


“Firms are putting a lot of importance on testing, for example, to prevent issues like hallucinations. There's extensive testing around the output of tools, and firms are figuring out the right balance between using AI and ensuring necessary human involvement.”

-- Amy Longo, Partner, Ropes & Gray LLP

Emerging Best Practices

  • Employ rigorous data lifecycle management protocols
  • Integrate human oversight throughout the AI lifecycle
  • Create and document specific protocols for addressing unique generative AI risks
  • Adopt a "trustworthy AI" framework that incorporates ethical considerations

How are firms assessing the impact of generative AI upon specific regulatory obligations?

While recent enforcement actions primarily address basic issues of truthful representation, the industry anticipates more complex cases in the future. These potential cases may delve deeper into the actual operation of AI technologies and their alignment with existing regulations, such as investment advisers' fiduciary duty or the best interest rule for broker-dealers.

At the most fundamental level, firms can expect regulators to examine if AI-enabled systems are reasonably designed. Additionally, firms must be able to defend the methods used by the system to arrive at decisions made by the firm.


“Everyone may be talking about AI, but when it comes to investment advisers, broker-dealers and public companies, they should make sure what they say to investors is true.”

-- Gary Gensler, Chair, U.S. Securities and Exchange Commission

Emerging Best Practices

  • Implement comprehensive regulatory monitoring
  • Emphasize output and outcomes of generative AI use cases
  • Leverage AI to enhance compliance with escalating regulatory demands
  • Establish robust AI risk management programs
  • Regularly review and update AI governance structures

How are firms monitoring developments related to industry standards?

Many firms are utilizing traditional methods like closely following regulatory communications, including consultation papers, webinars, and other published content from regulatory bodies. They are also leveraging industry expertise by relying on specialists who summarize and interpret regulatory statements to provide deeper insights.

However, in spite of the leadership of NIST in the US and the EU AI Act, forward-thinking firms recognize that relying solely on current regulatory guidance is insufficient. These companies are adopting more proactive approaches to stay ahead of emerging trends. This includes monitoring communications from AI development companies to anticipate future technological advancements that may impact industry standards.


“What you need to do is look ahead and recognize not just what AI is today, but where it might be tomorrow, because relying on regulator guidance alone may be insufficient.”

-- Christian Hunt, Founder, Human Risk Limited

Emerging Best Practices

  • Compile and analyze up-to-date information on AI-related regulations
  • Work with external experts and participate in industry forums
  • Regularly review AI systems and practices against evolving standards
  • Monitor communications from AI development companies
  • Track global regulatory differences

Chapter 3

Generative AI and the Impact on Compliance

How are risks being translated into actionable policies for managing generative AI?

A focus for firms today is to understand the output of each of the targeted generative AI use cases to recognize where a regulatory or internal policy obligation exists. Will AI-generated content be accessible externally or will it be used to enable decision making about a product or service of the firm? Or is it accessible only to a firm employee as a productivity tool? Does the output represent value or risk to the firm’s business?

These questions will help determine whether that output satisfies a firm’s retention and/or oversight obligation that requires automated control before deploying that application into the firm’s operations.


“There's a bright line between what tools can be taken on unless they've been whitelisted by the relevant approver.”

-- Amy Longo, Partner, Ropes & Gray LLP

Emerging Best Practices

  • Conduct rigorous generative AI tool vetting
  • Establish balanced innovation and control
  • Oversee AI tool usage
  • Make dynamic policy updates

Chapter 4

Governance, Accountability and Model Safety

How are organizations implementing generative AI governance?

More firms are integrating generative AI governance by updating crucial policies and processes. These updates often include revising privacy assessments, acceptable use policies, access controls, data retention policies, and third-party risk management evaluations to address generative AI-specific concerns.


“Without embracing and understanding generative AI, compliance officers cannot be very effective at understanding the risks that your business is running.”

-- Christian Hunt, Founder, Human Risk Limited

Emerging Best Practices

  • Create dedicated positions or teams for generative AI oversight and management
  • Implement robust processes for human review and judgment in deploying and operating generative AI tools
  • Ensure close collaboration between legal, compliance, IT, and business departments in developing and implementing generative AI governance
  • Develop and communicate clear guidelines for ethical AI use, including specific boundaries and explanations for these parameters
  • Actively invest in developing AI and generative AI expertise within compliance teams

How are firms providing due diligence on existing applications that are now embedding generative AI?

Firms are paying close attention to software update schedules and release notes, acknowledging that AI capabilities can be introduced at any time, potentially altering the risk landscape. Firms are also emphasizing employee awareness and engagement, encouraging an "if you see something, say something" culture.


“You could have brought something in on the presumption it was one thing, and it becomes something fundamentally different. The approval process that would have got that in through the door wouldn't have asked the kinds of questions that the addition of, say, Copilot embedded in Microsoft would add into it.”

-- Christian Hunt, Founder, Human Risk Limited

Emerging Best Practices

  • Conduct ongoing risk assessment of applications that use generative AI to document and track changes in capabilities
  • Anticipate and prepare for potential risk profile changes resulting from generative AI integration
  • Establish systems for ongoing monitoring and reassessment of risk profiles for applications integrating generative AI features
  • Adopt a process where updates to generative AI-integrated applications are limited in use until independently evaluated and approved
  • Foster a culture of awareness and reporting among employees regarding generative AI integrations and potential issues

How are firms evaluating and selecting specific generative AI models?

More firms appear to be moving toward a platform-agnostic approach to model selection to mitigate the concentration of risk that comes from relying upon a single provider's foundational model offerings.


Financial institutions are also developing sophisticated approaches to evaluate and select generative AI models, focusing on comprehensive assessment frameworks and flexible integration strategies. These assessment frameworks typically consider multiple factors:

  • Defining the business problem or opportunity the AI model aims to address
  • Assessing potential revenue growth, cost savings, efficiency gains, and overall impact on business objectives
  • Evaluating potential regulatory, reputational, operational, and financial risks
  • And more (covered in the full e-Book)

Companies are increasingly recognizing the need for subject matter experts in compliance and audit roles who thoroughly understand generative AI capabilities. These experts are crucial for designing effective governance frameworks and conducting meaningful risk assessments.

“What I would expect is that the trend of company-specific/industry-specific generative pre-trained transformers (GPTs) and models are easier to use, cheaper to run, where control teams can apply domain expertise against a specific use case. You use the right tool for the right job.”

-- Matthew Bernstein, Information Governance Strategist, MC Bernstein Data

Emerging Best Practices

  • Develop performance metrics specific to intended use cases rather than defaulting to a single provider's offerings
  • Adopt policies to address the use of these tools by employees on personal devices or external platforms
  • Cultivate expertise in generative AI by fostering technological awareness across traditionally non-tech roles
  • Apply model criteria that balance performance, business value, risk mitigation, ethical considerations, and implementation feasibility
  • Make data security a priority when evaluating generative AI models
