Subscribe
Share
Share
Embed
This podcast provides you the ability to listen to new regulatory guidance issued by the National Credit Union Administration, and occasionally the F D I C, the O C C, the F F I E C, or the C F P B. We will focus on new and material agency guidance, and historically important and still active guidance from past years that NCUA cites in examinations or conversations. This podcast is educational only and is not legal advice. We are sponsored by Credit Union Exam Solutions Incorporated. We also have another podcast called With Flying Colors where we provide tips for achieving success with the N C U A examination process and discuss hot topics that impact your credit union.
Samantha: Hello, this is Samantha Shares.
This episode covers the Treasurey
Departments Request for Information
on Uses, Opportunities, and Risks
of Artificial Intelligence in
the Financial Services Sector
The following is an audio version
of that request for information.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union
Exam Solutions Incorporated, whose
team has over two hundred and
Forty years of National Credit
Union Administration experience.
We assist our clients with N C
U A so they save time and money.
If you are worried about a recent,
upcoming or in process N C U A
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.
Also check out our other podcast called
With Flying Colors where we provide tips
on how to achieve success with N C U A.
And now the request for comment.
Request for Information on
Uses, Opportunities, and Risks
of Artificial Intelligence in
the Financial Services Sector
AGENCY: Departmental Offices,
Department of the Treasury.
ACTION: Request for information.
SUMMARY: The U.S.
Department of the Treasury (Treasury)
is seeking comment through this
request for information (RFI) on
the uses, opportunities and risks
presented by developments and
applications of artificial intelligence
(A.I.) within the financial sector.
Treasury is interested in gathering
information from a broad set of
stakeholders in the financial services
ecosystem, including those providing,
facilitating, and receiving financial
products and services, as well as
consumer and small business advocates,
academics, nonprofits, and others.
DATES: Written comments and
information are requested on or before
[INSERT DATE THAT IS 60 DAYS AFTER
PUBLICATION IN THE FEDERAL REGISTER].
ADDRESSES: Please submit comments
electronically through the
Federal eRulemaking Portal at
http://www.regulations.gov, in accordance
with the instructions on that site.
Comments should
be captioned with ââUses, Opportunities,
and Risks of Artificial Intelligence
in the Financial Services Sector.ââ
In general, Treasury will post all
comments to https://www.regulations.gov,
including any business or
personal information provided
such as names, addresses, email
addresses, or telephone numbers.
All comments, including attachments and
other supporting materials, are part
of the public record and subject to
public disclosure and should not include
confidential information, including
confidential supervisory information.
You should submit only information that
you wish to make available publicly.
Where appropriate, a comment should
include a short Executive Summary (no
more than five single-spaced pages).
SUPPLEMENTARY INFORMATION:
I.
Background
Treasury supports responsible innovation
and competition in the financial sector
and seeks to promote a financial system
that delivers inclusive and equitable
access to financial services that meet
the needs of consumers, businesses,
and investors, while maintaining
stability and market integrity,
protecting critical financial sector
infrastructure, and combating illicit
finance and national security threats.
The use of A.I.
is rapidly evolving, and Treasury is
committed to continuing to monitor
technological developments and their
application and potential impacts in
financial services to help inform any
potential policy deliberations or actions.
To that end, Treasury is seeking
comment on the uses of A.I.
in the financial services sector and
the opportunities and risks presented
by developments and applications of A.I.
within the sector.
Treasury welcomes feedback from all
parties that may have a perspective
as to implications of A.I.
in the financial sector on any question.
âFinancial institutionsâ in this RFI
includes any company that facilitates
or provides financial products or
services.1 The RFI also seeks input on
the potential opportunities and risks
of financial institutionsâ use of A.I.
and how A.I.
may affect impacted entities.
âImpacted entitiesâ in this RFI
includes consumers, investors, financial
institutions, businesses, regulators,
end-users, and any other entity impacted
by financial institutionsâ use of A.I..
Prior and ongoing engagement
This RFI effort is one of many ways that
Treasury is engaging with stakeholders
in improving Treasuryâs understanding of
the developments and application of A.I.
within the financial services sector.
In November 2022, Treasury
explored opportunities and
risks related to the use of A.I.
in its report assessing the impact
of new entrant non-bank firms on
competition in consumer finance markets,
for which Treasury conducted extensive
outreach.2 Among other findings, that
report found that innovations in A.I.
are powering many non-bank
firmsâ capabilities and
product and service offerings.
The report noted that firmsâ use of A.I.
may help expand the provision of financial
products and services to consumers,
particularly in the credit space.
The report also found
that, in deploying A.I.
models and tools, firms use a greater
amount and variety of data than in the
past, leading to an unprecedented demand
for consumer data, which presents new
data privacy and surveillance risks.
Additionally, the report identified
concerns related to bias and
1 To the extent applicable, âfinancial
institutionsâ in this RFI includes banks,
credit unions, insurance companies,
non-bank financial companies, financial
technology companies (also known as
fintech companies), asset managers,
broker-dealers, investment advisors,
other securities and derivatives markets
participants or intermediaries, money
transmitters, and any other company that
facilitates or provides financial products
or services under the regulatory authority
of the federal financial regulators and
state financial or securities regulators.
2 TREASURY, ASSESSING THE IMPACT
OF NEW ENTRANT NON-BANK FIRMS ON
COMPETITION IN CONSUMER FINANCE
MARKETS (2022),
https://home.treasury.gov/system/files/136/Assessing-the-Impact-of-New-Entrant-Nonbank-
Firms.pdf.
(Treasury Non-Bank Report).
discrimination in the use of A.I.
in financial services, including
challenges with explainability â that
is, the ability to understand a modelâs
output and decisions, or how the model
establishes relationships based on the
model input â and ensuring compliance
with fair lending requirements; the
potential for models to perpetuate
discrimination by using and learning from
data that reflect and reinforce historical
biases; and the potential for A.I.
tools to expand capabilities for firms
to inappropriately target specific
individuals or communities (e.g.,
low- to moderate-income communities,
communities of color, women, rural,
tribal, or disadvantaged communities).
The report found that new entrant
non-bank firms and innovations they are
utilizingâincluding developments of A.I.
in financial servicesââmay be able
to help improve financial services,
but that further steps should be
considered to monitor and address
risks to consumers, foster market
integrity, and help ensure the safety
and soundness of the financial system.
In December 2023, Treasury issued
an RFI soliciting input to inform
its development of a national
financial inclusion strategy; that
RFI included questions related to
the use of technologies such as A.I.
in the provision of consumer financial
services, in addition to other topics
related to financial inclusion.3
In March 2024, Treasury
published a report on A.I.
and cybersecurity.
In developing that report, Treasury
conducted extensive industry outreach
on A.I.-related cybersecurity risks
in the financial services sector.4
In the report, Treasury identifies
opportunities and challenges that A.I.
presents to the security and resiliency
of the financial services sector.
The report outlines a series
3 TREASURY, REQUEST FOR INFORMATION
ON FINANCIAL INCLUSION, 88 Fed.
Reg.
88702 (Dec.
22, 2023),
https://www.federalregister.gov/documents/2023/12/22/2023-28263/request-for-information-on-financial-inclusion.
4 TREASURY, MANAGING ARTIFICIAL
INTELLIGENCE-SPECIFIC CYBERSECURITY
RISKS IN THE FINANCIAL SERVICES
SECTOR (Mar.
27, 2024),
https://home.treasury.gov/system/files/136/Managing-Artificial-Intelligence-Specific-
Cybersecurity-Risks-In-The-Financial-Services-Sector.pdf.
(Treasury A.I.
Cybersecurity Report).
of next steps to address A.I.-related
operational risk, cybersecurity, and fraud
challenges, as a response to Executive
Order 14110.5 Treasuryâs efforts to
identify and mitigate cybersecurity,
fraud, and other risks align with
Office of Management and Budget (OMB)
Memorandum M-24- 10 to federal agencies.6
Further, in May 2024, Treasury issued
its 2024 National Strategy for Combatting
Terrorist and Other Illicit Financing
(National Illicit Finance Strategy),7
noting that innovations in A.I., including
machine learning and large language models
such as generative A.I., have significant
potential to strengthen anti-money
laundering/countering the financing
of terrorism (AML/CFT) compliance
by helping financial institutions
analyze large amounts of data and more
effectively identify illicit finance
patterns, risks, trends, and typologies.
One of the objectives identified in
the National Illicit Finance Strategy
is industry outreach to improve
Treasuryâs understanding of how
financial institutions are using A.I.
to comply with applicable
AML/CFT requirements.
Treasury also recognizes the important
work underway across agencies
related to the evolving use of A.I.
in financial services.
This includes the Commodity Futures
Trading Commissionâs (CFTC) request for
comment issued in January 2024 on current
and potential uses and risks of A.I.
in CFTC-regulated derivatives markets,
and the report issued by the Technology
Advisory Committee of the CFTC in May 2024
on Responsible Artificial Intelligence in
5 WHITE HOUSE, E.O.
14110, SAFE, SECURE, AND TRUSTWORTHY
DEVELOPMENT AND USE OF ARTIFICIAL
INTELLIGENCE (Oct.
30, 2023),
https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-
trustworthy-development-and-use-of-artificial-intelligence.
The E.O.
calls for a whole-of-government
approach to meeting the challenges
and opportunities posed by A.I..
6 OMB, MEMORANDUM M-24-10
ADVANCING GOVERNANCE, INNOVATION,
AND RISK MANAGEMENT FOR AGENCY
USE OF ARTIFICIAL INTELLIGENCE (Mar.
28, 2024),
https://www.whitehouse.gov/wp-content/uploads/2024/03/M-24-
10-Advancing-Governance-Innovation-and-Risk-Management-for-Agency-Use-of-Artificial-Intelligence.pdf.
The OMB memorandum establishes new
agency requirements and guidance for A.I.
governance, innovation, and risk
management practices that impact the
rights and safety of the American public.
7 TREASURY, 2024 NATIONAL STRATEGY
FOR COMBATING TERRORIST AND
OTHER ILLICIT FINANCING (2024),
https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf.
Financial Markets.8 The Securities and
Exchange Commission (SEC) also issued a
proposed rule in July 2023 on addressing
conflicts of interest associated with
broker-dealersâ and investment advisersâ
use of predictive data analytics
and similar technologies, including
A.I..9 Additionally, the Office of the
Comptroller of the Currency (OCC), Board
of Governors of the Federal Reserve
System (FRB), Federal Deposit Insurance
Corporation (FDIC), Consumer Financial
Protection Bureau (CFPB), and National
Credit Union Administration (NCUA)
issued an interagency RFI in 2021 on
financial institutionsâ use of A.I..10
In addition, the Financial
Stability Oversight Council
(FSOC) identified the use of A.I.
in financial services as a vulnerability
for the first time in its 2023 annual
report.11 FSOC noted in its 2023
annual report that the use of A.I.
can introduce certain risks, including
safety and soundness risks like cyber
and model risks, and recommended
monitoring the rapid developments in A.I.
to ensure that oversight structures
account for emerging risks to
the financial system while also
facilitating efficiency and innovation.
In 2018, Treasuryâs Financial Crimes
Enforcement Network (FinCEN) and the
federal banking agencies issued a Joint
Statement on Innovative Efforts to
Combat Money Laundering and Terrorist
Financing,12 which encouraged banks
to use existing tools or adopt new
8 CFTC, CFTC Staff Releases
Request for Comment on the Use
of Artificial Intelligence in
CFTC-Regulated Markets, (Jan.
25, 2024),
https://www.cftc.gov/PressRoom/PressReleases/8853-24.
CFTC, RESPONSIBLE ARTIFICIAL INTELLIGENCE
IN FINANCIAL MARKETS (May 2, 2024),
https://www.cftc.gov/PressRoom/PressReleases/8905-24.
9 SEC, CONFLICTS OF INTEREST
ASSOCIATED WITH THE USE OF PREDICTIVE
DATA ANALYTICS BY BROKER-DEALERS
AND INVESTMENT ADVISERS (Jul.
26, 2023),
https://www.sec.gov/files/rules/proposed/2023/34-97990.pdf.
10 OCC, FRB, FDIC, CFPB, & NCUA,
REQUEST FOR INFORMATION AND
COMMENT ON FINANCIAL INSTITUTIONSâ
USE OF ARTIFICIAL INTELLIGENCE,
INCLUDING MACHINE LEARNING, 86 Fed.
Reg.
16837 (Mar.
31, 2021),
https://www.federalregister.gov/documents/2021/03/31/2021-06607/request-for-information-and-comment-on-
financial-institutions-use-of-artificial-intelligence.
11 See FSOC, ANNUAL REPORT (2023),
https://home.treasury.gov/system/files/261/FSOC2023AnnualReport.pdf.
FSOCâs 2022 report also discussed A.I..
See FSOC, ANNUAL REPORT (2022),
https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf.
12 FinCEN, FRB, FDIC, NCUA, & OCC,
JOINT STATEMENT ON INNOVATIVE
EFFORTS TO COMBAT MONEY
LAUNDERING AND TERRORIST FINANCING (Dec.
3, 2018),
https://www.fincen.gov/news/news-releases/joint-
statement-innovative-efforts-combat-money-laundering.
technologies, including A.I.,
to identify and report money
laundering, terrorist financing, and
other illicit financial activity.
Pursuant to requirements and authorities
outlined in the Anti-Money Laundering
Act of 2020 (the AML Act), FinCEN
is also taking several steps to
create the necessary regulatory and
examination environment to support
AML/CFT-related innovation that can
enhance the effectiveness and efficiency
of the Bank Secrecy Act (BSA) regime.
Section 6209 of the AML Act requires
the Secretary of the Treasury to issue
a rule specifying standards for testing
technology and related technology internal
processes designed to facilitate effective
compliance with the BSA by financial
institutions, and these standards
may include an emphasis on innovative
approaches to compliance, such as the
use of machine learning.13 The rulemaking
would follow the issuance of the April
2021 Statement and separate Request for
Information on Model Risk Management
issued by FinCEN and the OCC, Federal
Reserve, FDIC, and NCUA.14 As part of the
regulatory process, FinCEN may consider
how financial institutions are currently
using innovative approaches to compliance,
like machine learning and A.I., and the
potential benefits and risks of specifying
standards for those technologies.
In February 2023, FinCEN hosted a FinCEN
Exchange that brought together law
enforcement, financial institutions,
and other private sector and
government entities to discuss how A.I.
is used for monitoring and detecting
illicit financial activity.
FinCEN also regularly engages
financial institutions on the
13 Treasuryâs 2024 Illicit Finance
Strategy outlined measures to encourage
private sector use of technology
to improve AML/CFT programs and
compliance, including the rulemaking
required under AML Act section 6209.
https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf.
14 OCC, FRB, FDIC, NCUA, & FinCEN,
Joint Statement on Bank Secrecy Act
/ Anti-Money Laundering Compliance (Apr.
09, 2021),
https://www.fincen.gov/news/news-releases/agencies-issue-statement-and-request-
information-bank-secrecy-actanti-money.
OCC, FRB, FDIC, NCUA, & FinCEN,
REQUEST FOR INFORMATION AND COMMENT:
EXTENT TO WHICH MODEL RISK MANAGEMENT
PRINCIPLES SUPPORT COMPLIANCE WITH
BANK SECRECY ACT/ ANTI-MONEY LAUNDERING
AND OFFICE OF FOREIGN ASSETS CONTROL
REQUIREMENTS, 86 FR 18978 (Apr.
12, 2021),
https://www.federalregister.gov/documents/2021/04/12/2021-07428/request-for-information-and-comment-extent-
to-which-model-risk-management-principles-support.
topic through the BSA Advisory Group
Subcommittee on Innovation and Technology,
and BSAAG Subcommittee on Information
Security and Confidentiality.15
Given the rapidly evolving nature of
A.I., this RFI builds on the work that
Treasury has done to date and seeks
to gather additional perspectives.
Current RFI
Treasury understands that financial
institutions are exploring the
use of A.I., and is interested
in gaining insights into those
current and potential uses.
The RFI also seeks input on the
potential benefits and challenges of
financial institutionsâ use of A.I.
for impacted entities.
This RFI adopts the definition of A.I.
utilized in President Bidenâs
Executive Order on Safe, Secure, and
Trustworthy Development and Use of A.I.:
The term âartificial
intelligenceâ or âA.I.â has the
meaning set forth in 15 U.S.C.
9401(3): a machine-based system that
can, for a given set of human-defined
objectives, make predictions,
recommendations, or decisions
influencing real or virtual environments.
Artificial intelligence systems use
machine and humanââ based inputs to
perceive real and virtual environments;
abstract such perceptions into models
through analysis in an automated manner;
and use model inference to formulate
options for information or action.16
Treasury interprets this definition to
describe a wide range of models and tools
that utilize data, patterns, and other
informational inputs to generate outputs
â including statistical relationships,
forecasts, content, and recommendations
â for a given set of objectives.
For the purposes of this RFI,
Treasury is seeking comment on
the latest developments in A.I.
technologies
15 The OCC, FDIC, FRB and NCUA
also participate actively in
BSAAG and the subcommittees.
16 WHITE HOUSE, supra note 5.
and applications, including but not
limited to advancements in existing A.I.
(e.g., machine learning models that
learn from data and automatically
adapt and improve with minimal human
interference, rather than relying on
explicit programming) and emerging A.I.
technologies including deep learning
neutral network such as generative A.I.
and large language models (LLMs).17
Use of A.I.
Through this RFI, Treasury seeks to
increase its understanding of how A.I.
is being used within the financial
services sector and the opportunities
and risks presented by developments
and applications of A.I.
within the sector, including
potential obstacles for
facilitating responsible use of A.I.
within financial institutions, the effect
on impacted entities through use of A.I.
by financial institutions, and
recommendations for enhancements
to legislative, regulatory, and
supervisory frameworks applicable to A.I.
in financial services.18
Treasury is interested in gaining
insights into the uses of A.I.
by financial institutions, including
but not limited to those outlined below:
⢠Provision of products and services:
Financial institutionsâ use of A.I.
to assist in decisions related to
offering financial products or services,
such as whether to offer transaction
17 As used here, generative A.I.
is defined as a kind of A.I.
capable of generating new content
such as code, images, music, text,
simulations, 3D objects, and videos.
It is often used to describe
algorithms (such as ChatGPT) that
can be used to create new content.
LLM is defined as a class of language
models that use deep-learning
algorithms and are trained on
extremely large textual datasets that
can be multiple terabytes in size.
LLMs can be classified as two
types: generative or discriminatory.
Generative LLMs are models that output
text, such as the answer to a question
or an essay on a specific topic.
They are typically unsupervised
or semi-supervised learning
models that predict what the
response is for a given task.
Discriminatory LLMs are supervised
learning models that usually
focus on classifying text, such
as determining whether a text
was made by a human or A.I..
See U.S.
DEPARTMENT OF COMMERCE, NATIONAL
INSTITUTE OF STANDARDS AND TECHNOLOGY,
THE LANGUAGE OF TRUSTWORTHY A.I.: AN IN-
DEPTH GLOSSARY OF TERMS (Mar.
22, 2023),
https://airc.nist.gov/A.I._RMF_Knowledge_Base/Glossary.
18 See also PAUL TIERNO,
ARTIFICIAL INTELLIGENCE AND MACHINE
LEARNING IN FINANCIAL SERVICES
(CONGRESSIONAL RESEARCH SERVICE, 2024),
https://crsreports.congress.gov/product/pdf/R/R47997.
accounts, credit, or insurance, and the
terms and conditions of such offerings,
as well as financial forecasting
products and pattern recognition tools;
⢠Risk management: Financial institutionsâ
use and potential use of A.I.
for managing various types of risk,
including credit risk, market risk,
operational risk, cyber risk, fraud
and illicit finance risk, compliance
risk (including fraud risk), reputation
risk, interest rate risk, liquidity
risk, model risk, counterparty risk,
and legal risk, as well as the extent
to which financial institutions
may be exploring the use of A.I.
for treasury management or
asset-liability management;
⢠Capital markets: Financial
institutionsâ use of A.I.
to assist in capital markets
activities, including identifying
investment opportunities, allocating
capital, executing trades, and
providing financial advisory services;
⢠Internal operations: Financial
institutionsâ use of A.I.
to manage internal operations, such
as payroll, HR functions, training,
performance management, communications,
cybersecurity, software development, and
other internal operational functions;
⢠Customer service: Financial
institutionsâ use of A.I.
in customer management, including
complaint handling, investor relations,
website management, claims management,
or other external-facing functions;
⢠Regulatory compliance: Financial
institutionsâ use of A.I.
to manage regulatory requirements,
including capital and liquidity
requirements, regulatory reporting
or disclosure requirements,
BSA/AML requirements, consumer and
investor protection requirements,
and license management; and
⢠Marketing: Financial
institutionsâ use of A.I.
to market to individuals,
groups of individuals, or
institutional counterparties.
Potential Opportunities and Risks
A.I.
has the potential to offer
improved efficiency and enhanced
capabilities across the use cases
outlined above and others, to
the benefit of impacted entities.
For example, A.I.
can process certain forms of, and large
amounts of, information that may otherwise
be impractical or impossible to use, thus
unlocking new insights and capabilities.
This could translate to tangible
benefits, including cost savings for
financial institutions and expanded
access to products and services
that may be more individually
tailored to impacted entities.
Nevertheless, the use of A.I.,
particularly the use of emerging A.I.
technologies, can present a variety of
challenges to existing risk mitigation
strategies, particularly as more
complex models and tools evolve.
Potential types of risk
associated with A.I.
use by financial institutions
include model risks, operational
risks, compliance risks, and
third-party risks, among others.
Potential risks associated with A.I.
use for impacted entities may include
bias, discrimination, monoculture,
concentration, fraud, herding,
hallucinations, explainability, conflicts,
reputational risk, and data privacy
risks, among others.19 More generally,
concerns have been expressed about A.I.
being used in connection with
cyber threats or contributing
to job displacement.
Financial institutions typically
manage A.I.-related risks through
existing risk management frameworks,
the most common of which include model
risk, operational risk, compliance
risk (including compliance with
laws and regulations related to
consumer protection and AML/CFT),
and third-party risk management).20
However, as noted in the Treasury A.I.
Cybersecurity Report,
19 For a discussion of such potential
risks, see Gary Gensler, âA.I., Finance,
Movies, and the Lawâ Prepared Remarks
before the Yale Law School (Feb.
13, 2024),
https://www.sec.gov/news/speech/gensler-ai-021324.
20 FSOC, supra note 11.
some financial institutions
have reported that existing risk
management frameworks may not be
adequate to address emerging A.I.
technologies.21
Oversight of A.I.
- Explainability and Bias
The rapid development of emerging A.I.
technologies has created challenges
for financial institutions
in the oversight of A.I..
Financial institutions may have an
incomplete understanding of where
the data used to train certain A.I.
models and tools was acquired and
what the data contains, as well as
how the algorithms or structures
are developed for those A.I.
models and tools.
For instance, machine-learning
algorithms that internalize data based
on relationships that are not easily
mapped and understood by financial
institution users create questions and
concerns regarding explainability, which
could lead to difficulty in assessing
the conceptual soundness of such A.I.
models and tools.22
Financial regulators have issued
guidance on model risk management
principles, encouraging financial
institutions to effectively identify
and mitigate risks associated with
model development, model use, model
validation (including validation of
vendor and third-party models), ongoing
monitoring, outcome analysis, and
model governance and controls.23 These
principles are technology-agnostic but
may not be applicable to certain A.I.
models and tools.
21 TREASURY, supra note 4.
22 FSOC, supra note 11.
23 See, e.g., FEDERAL HOUSING FINANCE
AGENCY, ARTIFICIAL INTELLIGENCE
/ MACHINE LEARNING RISK MANAGEMENT (Feb.
10, 2022),
https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Advisory-
Bulletin-2022-02.pdf; OCC, SOUND PRACTICES
FOR MODEL RISK MANAGEMENT: SUPERVISORY
GUIDANCE ON MODEL RISK MANAGEMENT, (Apr.
4, 2011), https://www.occ.gov/news-
issuances/bulletins/2011/bulletin-2011-12.html;
FDIC, SUPERVISORY GUIDANCE ON
MODEL RISK MANAGEMENT (Jun.
17, 2017),
https://www.fdic.gov/news/financial-institution-
letters/2017/fil17022.html; and FRB,
GUIDANCE ON MODEL RISK MANAGEMENT (Apr.
4, 2011),
https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm.
Due to their inherent
complexity, however, A.I.
models and tools may exacerbate
certain risks that may warrant further
scrutiny and risk mitigation measures.
This is particularly true in
relation to the use of emerging A.I.
technologies.
Furthermore, the rapid
development of emerging A.I.
technologies may create a human capital
shortage in financial institutions,
where sufficient knowledge about a
potential risk or bias of those A.I.
technologies may be lacking such that
staff may not be able to effectively
manage the development, validation,
and application of those A.I.
technologies.
Some financial institutions may
rely on third-party providers
to develop and validate A.I.
models and tools, which may also create
challenges in ensuring alignment with
relevant risk management guidance.
Challenges in explaining A.I.-assisted
or A.I.-generated decisions also create
questions about transparency generally,
and raise concerns about the potential
obfuscation of model bias that can
negatively affect impacted entities.
In the Non-Bank Report, Treasury
noted the potential for A.I.
models to perpetuate discrimination
by utilizing and learning from data
that reflect and reinforce historical
biases.24 These challenges of
managing explainability and bias may
impede the adoption and use of A.I.
by financial institutions.
Consumer Protection and Data Privacy
Use of A.I.
in financial services â particularly
use of emerging A.I.
technologies â may negatively impact
consumers and complicate efforts
for financial institutions to ensure
compliance with fair lending and
anti-discrimination laws, or laws
prohibiting unfair, deceptive or abusive
acts or practices, potentially leading to
legal violations.25 Some stakeholders have
24 TREASURY, supra note 2.
25 Fair lending and anti-discrimination
laws include the Fair Housing
Act, Equal Credit Opportunity Act,
and Fair Credit Reporting Act.
In September 2023, the CFPB
issued guidance about certain
legal requirements that lenders
expressed concerns that A.I.-powered
capabilities that enable financial
institutions to offer more personalized
products and services can also be used
to inappropriately target consumers
in ways that might be unfair, abusive,
and discriminatory.26 In response
to these challenges, methods for
testing and addressing potential
biases â including adversarial testing27
and less discriminatory alternatives
(LDA) testing28â continue to evolve,
and some research has indicated that
carefully designed and monitored A.I.
models and tools can help reduce bias in
the provision of financial services.29
Additionally, use of A.I.
may present new or increased data privacy
risks for impacted entities and compliance
risks for financial institutions.
Existing approaches to comply with
must adhere to when using A.I.
and other complex models.
The guidance describes how lenders must
use specific and accurate reasons when
taking adverse actions against consumers.
CFPB, CFPB Issues Guidance on
Credit Denials by Lenders Using
Artificial Intelligence, (Sept.
19, 2023),
https://www.consumerfinance.gov/about-
us/newsroom/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence.
The CFPB published guidance on adverse
action notification requirements that
are technology-agnostic and stated
that creditors subject to the CFPBâs
Regulation B are not permitted to
use A.I., complex algorithms, or
âblack-boxâ models which the creditors
may not understand sufficiently; when
the creditor is not able to accurately
identify the specific reasons for denying
credit or taking other adverse actions
against consumers, the creditor may
not be meeting its legal obligations
under federal consumer financial laws.
CFPB, ADVERSE ACTION NOTIFICATION
REQUIREMENTS AND THE PROPER
USE OF THE CFPBâS SAMPLE FORMS
PROVIDED IN REGULATION B,
Consumer Financial Protection
Circular 2023-03 (Sept.
19, 2023),
https://www.consumerfinance.gov/compliance/circulars/circular-2023-03-adverse-action-notification-requirements-
and-the-proper-use-of-the-cfpbs-sample-forms-provided-in-regulation-b/.
CFPB, ADVERSE ACTION NOTIFICATION
REQUIREMENTS IN CONNECTION
WITH CREDIT DECISIONS BASED ON
COMPLEX ALGORITHMS, Consumer
Financial Protection Circular
2022-03 (May 26, 2022),
https://www.consumerfinance.gov/compliance/circulars/circular-2022-03-adverse-action-notification-requirements-
in-connection-with-credit-decisions-based-on-complex-algorithms/.
26 TREASURY, supra note 2.
27 Adversarial machine learning is defined
as a practice concerned with the design
of machine learning algorithms that can
resist security challenges and a field to
study vulnerabilities of machine learning
approaches in adversarial settings to
develop techniques to make learning
robust to adversarial manipulation.
See U.S.
DEPARTMENT OF COMMERCE, NATIONAL
INSTITUTE OF STANDARDS AND TECHNOLOGY,
THE LANGUAGE OF TRUSTWORTHY A.I.: AN IN-
DEPTH GLOSSARY OF TERMS (Mar.
22, 2023),
https://airc.nist.gov/A.I._RMF_Knowledge_Base/Glossary.
28 LDA testing used here refers
to the practice of searching for
less discriminatory alternatives
as part of the model testing.
See CFPB, Interactive Bureau Regulations,
12 CFR Part 1002 (Regulation B), Comment
for 1002.6â Rules Concerning Evaluation
of Applications, 6(a)-2 Effects test,
https://www.consumerfinance.gov/rules-
policy/regulations/1002/interp-6/#6-a-Interp-2.
29 See, e.g., ROBERT BARTLETT ET
AL., CONSUMER-LENDING DISCRIMINATION
IN THE FINTECH ERA (UNIVERSITY OF
CALIFORNIA BERKELEY, 2019),
https://doi.org/10.1016/j.jfineco.2021.05.047.
While the research found reduced
disparities in interest rates
charged to borrowers that identified
as racial or ethnic minorities,
disparities were still found to exist.
The research found that fintech lenders
still charged borrowers that identified
as Black or Latino interest rates 7.9
basis points higher than those charged
to otherwise-equivalent borrowers.
privacy laws that involve anonymizing
or de-identifying data before selling
data may be, or may become, ineffective
as models develop and become capable of
more readily and accurately identifying
owners of previously anonymized data.
A.I.
models and tools require great amounts
of data to train and operate, creating a
demand for more or new sources of data.
In addition, A.I.
may create or exacerbate issues related to
data accuracy, and the use of inaccurate
data or providing inaccurate information
may also lead to a violation of law.
Some financial institutions are
using certain types of âalternative
dataâ30 for credit or insurance
underwriting, or to inform other
types of financial decision-making
affecting impacted entities.
Federal agencies have encouraged the
responsible use of alternative data
and described risk mitigation measures
for institutions using such data.31
The Treasury Non-Bank Report noted
concerns that the use of alternative
data could subject growing amounts of
behavior to commercial surveillance.32
In particular, Treasury noted concerns
that the use of data regarding
individual behavior â even behavior
that is not explicitly related
to financial products -- in A.I.
models that are used to inform
decisions to offer financial products
and services, such as credit products,
could have unintended spillover effects.
Additionally, A.I.-powered predictive
analytics are enabling firms to conjecture
about the attributes or behavior of
an individual based on analysis of
data gathered on other individuals.
Such capabilities have the potential
to undermine privacy (including
the privacy of others) and
30 As used here, âalternative dataâ refers
to information not typically found in
credit files of credit reporting agencies.
Generally, alternative data used in
financial services is financial data,
such as account balance and cash- flow
data, or rent and utility payments.
However, other fields, such as
education data, have been known
to be used in credit underwriting.
31 FRB, CFPB, FDIC, NCUA, & OCC,
INTERAGENCY STATEMENT ON THE USE
OF ALTERNATIVE DATA IN CREDIT
UNDERWRITING (Dec.
3, 2019),
https://files.consumerfinance.gov/f/documents/cfpb_interagency-
statement_alternative-data.pdf.
The interagency statement explained
risk mitigation measures such as (1)
conducting a thorough analysis of
relevant consumer protection laws and
regulations to ensure firms understand
the opportunities, risks, and compliance
requirements before using alternative
data, and (2) using data that has a
âdirect relation to consumersâ finances.â
32 TREASURY, supra note 2.
dilute the power of existing âopt-outâ
privacy protections, especially
when a consumer may not be aware
of the information being used about
them or the way it may be used.
Third-Party Risks
Many financial institutions rely on
third-party providers for business
operations, including the use of A.I..
This reliance, as well as the
increasing complexity of the A.I.
technologies provided, may exacerbate
third-party and related risks.33
In 2023, federal banking agencies issued
interagency guidance on third-party
risk management, which replaced
prior guidance on third-party risk
management and provided a standardized,
principles-based approach for assessing
and managing risks associated with
third- party relationships.34 The
principlesâincluding those related to
due diligence, contract management, and
ongoing monitoringâ may be applicable
to financial institutionsâ use of A.I.
developed by third-party vendors.
The guidance specifies that covered
financial institutions are responsible
for ensuring compliance for all
activities performed, including
those conducted by third-parties.
Further, the SEC has taken steps to
update its expectations for third-party
risk management for investment advisers.
In 2022, the SEC proposed a rule under
the Investment Advisers Act of 1940
that would require registered investment
advisers to perform due diligence prior
to outsourcing certain services or
functions to service providers and to
periodically monitor the performance
of models developed by third-parties.35
33 Id.
34 FRB, FDIC, & OCC, INTERAGENCY
GUIDANCE ON THIRD-PARTY
RELATIONSHIPS: RISK MANAGEMENT (Jun.
9,
2023),
https://www.federalregister.gov/documents/2023/06/09/2023-12340/interagency-guidance-on-third-party-
relationships-risk-management.
35 SEC, OUTSOURCING BY
INVESTMENT ADVISERS, 87 Fed.
Reg.
68816 (Oct.
26, 2022),
https://www.federalregister.gov/documents/2022/11/16/2022-23694/outsourcing-by-investment-
advisers#:~:text=SUMMARY%3A,without%20first%20meeting%20minimum%20requirements.
In addition, the National Association
of Insurance Commissioners (NA.I.C)
adopted the Model Bulletin on the Use
of Artificial Intelligence Systems by
Insurers in December 2023.36 The model
bulletin provides principles-based
guidance reminding insurers that
decisions or actions impacting consumers
that are made or supported by advanced
analytical and computational technologies,
including A.I., must comply with all
applicable insurance laws and regulations.
The bulletin states that insurers are
expected to develop and maintain a written
program for the responsible use of A.I.
and encourages insurers to use
verification and testing methods âto
identify errors and biasâ and the
potential for unfair discrimination
in predictive models and other A.I.
systems.
II.
Overview of Questions
The questions in this RFI
are organized into parts A
through C in section III below.
Part A solicits comment on the
uses of A.I., including use cases,
types of models being employed, and
variability in use and access to A.I.
across financial institutions.
Part B focuses on opportunities and risks
associated with financial institutionsâ
use of A.I., and how financial
institutions are exploring or pursuing
potential benefits and managing risks.
In addition, Part B presents questions on
impacted entitiesâboth opportunities and
risks, particularly those related to bias
and discrimination, as well as privacy.
Part C seeks input on potential further
actions to advance responsible innovation
and competition within the financial
sector with respect to the use of A.I..
III.
Request for Information
36 NA.I.C, NA.I.C MODEL BULLETIN ON
THE USE OF ARTIFICIAL INTELLIGENCE
SYSTEMS BY INSURERS (Dec.
4, 2023),
https://content.naic.org/sites/default/files/inline-files/2023-12-4%20Model%20Bulletin_Adopted_0.pdf.
Treasury welcomes input on any matter
that commenters believe is relevant to
Treasuryâs efforts to understand the
uses, opportunities, and risks of A.I.
in financial services.
Treasury is interested in gathering
information from a broad set of
stakeholders in the financial services
ecosystem, including those providing,
facilitating, and receiving financial
products and services, as well as
consumer and small business advocates,
academics, nonprofits, and others
interested in providing information
to Treasury on potential opportunities
and risks related to the use of A.I.
in financial services.
Treasury is further interested in
comments on the extent to which
stakeholders can undertake additional
actions to manage the risks posed by A.I.
and comply with existing legal and
regulatory requirements, as well as
the extent to which existing legal
and regulatory requirements may
need to be enhanced to manage the
risks posed by A.I., and whether
commenters have recommendations
for legislative, regulatory, or
supervisory enhancements that may be
appropriate to both foster innovation
and ensure responsible use of A.I.
in the financial services sector.
Treasury is also interested in
understanding how the use of A.I.
may differ across financial
institutions of different sizes and
complexity, and the extent to which
such variance may impact competition.
In particular, Treasury is interested in
comments about the extent to which small
financial institutions may face unique
challenges in accessing and using A.I..
Commenters are encouraged to address
any of the questions relevant
to them and may respond to all
or a subset of the questions.
When responding to one or more of
the questions below, please note in
your response the number(s) of the
questions to which you are responding.
To the extent possible, please cite
data or provide specific examples
that support your responses.
A.
General Use of A.I.
in Financial Services
Treasury is interested in
understanding the evolving use of A.I.
in financial services.
In particular, Treasury is interested
in how financial institutions are
using or exploring the use of A.I.
in the provision of products and services,
risk management, capital markets,
internal operations, customer services,
regulatory compliance, and marketing, as
outlined in the background section above.
Treasury is also seeking to
understand the types of A.I.
being used, in particular new
developments made to existing A.I.
and emerging A.I.
technologies, and how they are developed
and deployed by financial institutions.
Finally, Treasury is interested in gaining
insights into the general accessibility
of A.I.âin terms of economic viability
of developing or purchasing A.I.
technologies, as well as the human
resources and infrastructure to support
their useâacross financial institutions,
and whether asymmetries with respect to
accessibility could impact competition.
Question 1:
Is the definition of A.I.
used in this RFI appropriate
for financial institutions?
Should the definition be broader
or narrower, given the uses of A.I.
by financial institutions
in different contexts?
To the extent possible, please
provide specific suggestions
on the definitions of A.I.
used in this RFI.
Question 2:
What types of A.I.
models and tools are
financial institutions using?
To what extent and how do financial
institutions expect to use A.I.
in the provision of products and services,
risk management, capital markets,
internal operations, customer services,
regulatory compliance, and marketing?
Question 3:
To what extent does the type of A.I.,
the development of A.I., or A.I.
applied use cases differ
within a financial institution?
Please describe the various types of A.I.
and their applied use cases
within a financial institution.
Are there additional use cases for which
financial institutions are applying A.I.
or for which financial institutions
are exploring the use of A.I.?
Are there any related reputation
risk concerns about using A.I.?
If so, please provide specific examples.
Question 4:
Are there challenges or barriers
to access for small financial
institutions seeking to use A.I.?
If so, why are these barriers present?
Do these barriers introduce risks
for small financial institutions?
If so, how do financial institutions
expect to mitigate those risks?
B.
Actual and Potential Opportunities
and Risks Related to Use of A.I.
in Financial Services
A.I.
provides opportunities for financial
institutions to improve efficiency,
reduce costs, strengthen risk controls,
and expand impacted entitiesâ access
to financial products and services.
At the same time, the use of A.I.
in financial services can pose
a variety of risks for impacted
entities, depending on its application.
Treasury is interested in perspectives
on actual and potential benefits and
opportunities to financial institutions
and impacted entities of the use of A.I.
in financial services, as well as views
on the optimal methods to mitigate risks.
In particular,
Treasury is interested in perspectives
on bias and potential discrimination
as well as privacy risks, the extent to
which impacted entities are protected from
and informed about the potential harms
from financial institutionsâ use of A.I.
in financial services.
Actual and Potential
Opportunities and Benefits
Question 5:
What are the actual and expected
benefits from the use of A.I.
to any of the following stakeholders:
financial institutions, financial
regulators, consumers, researchers,
advocacy groups, or others?
Please describe specific benefits
with supporting data and examples.
How has the use of A.I.
provided specific benefits to
low-to-moderate income consumers and/or
underserved individuals and communities
(e.g., communities of color, women, rural,
tribal, or disadvantaged communities)?
How has A.I.
been used in financial services to improve
fair lending and consumer protection,
including substantiating information?
To what extent does A.I.
improve the ability of financial
institutions to comply with
fair lending or other consumer
protection laws and regulations?
Please be as specific as possible,
including details about cost savings,
increased customer reach, expanded
access to financial services,
time horizon of savings, or other
benefits after deploying A.I..
Actual and Potential
Risks and Risk Management
Oversight of A.I.
â Explainability and Bias Question 6:
To what extent are the A.I.
models and tools used by
financial institutions developed
in- house, by third-parties,
or based on open-source code?
What are the benefits
and risks of using A.I.
models and tools developed
in-house, by third-parties,
or based on open-source code?
To what extent are a particular
financial institutionâs A.I.
models and tools connected to other
financial institutionsâ models and tools?
What are the benefits and
risks to financial institutions
and consumers when the A.I.
models and tools are interconnected
among financial institutions?
Question 7:
How do financial institutions expect
to apply risk management or other
frameworks and guidance to the use of
A.I., and in particular, emerging A.I.
technologies?
Please describe the governance
structure and risk management
frameworks financial institutions
expect to apply in connection with the
development and deployment of A.I..
Please provide examples of policies and/or
practices, to the extent applicable.
What types of testing methods
are financial institutions
utilizing in connection with the
development and deployment of A.I.
models and tools?
Please describe the testing purpose
and the specific testing methods
utilized, to the extent applicable.
To what extent are financial institutions
evaluating and addressing potential gaps
in human capital to ensure that staff
can effectively manage the development
and validation practices of A.I.
models and tools?
What challenges exist for
addressing risks related to A.I.
explainability?
What methodologies are being deployed
to enhance explainability and
protect against potential bias risk?
Question 8:
What types of input data are financial
institutions using for development of A.I.
models and tools, particularly models
and tools relying on emerging A.I.
technologies?
Please describe the data governance
structure financial institutions
expect to apply in confirming the
quality and integrity of data.
Are financial institutions using
ânon-traditionalâ forms of data?
If so, what forms of
ânon-traditionalâ data are being used?
Are financial institutions
using alternative forms of data?
If so, what forms of
alternative data are being used?
Fair Lending, Data Privacy, Fraud,
Illicit Finance, and Insurance Question 9:
How are financial institutions
evaluating and addressing any increase
in risks and harms to impacted
entities in using emerging A.I.
technologies?
What are the specific risks to consumers
and other stakeholder groups, including
low- to moderate-income consumers and/or
underserved individuals and communities
(e.g., communities of color, women, rural,
tribal, or disadvantaged communities)?
How are financial institutions
protecting against issues such as dark
patterns â user interface designs that
can potentially manipulate impacted
entities in decision-making â and
predatory targeting emerging in
the design of A.I.?
Please describe specific risks and
provide examples with supporting data.
Question 10:
How are financial institutions addressing
any increase in fair lending and other
consumer- related risks, including
identifying and addressing possible
discrimination, related to the use
of A.I., particularly emerging A.I.
technologies?
What governance approaches throughout the
development, validation, implementation,
and deployment phases do financial
institutions expect to establish to
ensure compliance with fair lending and
other consumer-related laws for A.I.
models and tools prior to
deployment and application?
In what ways could existing fair
lending requirements be strengthened or
expanded to include fair access to other
financial services outside of lending,
such as access to bank accounts, given
the rapid development of emerging A.I.
technologies?
How are consumer protection requirements
outside of fair lending, such as
prohibitions on unfair, deceptive and
abusive acts and practices, considered
during the development and use of A.I.?
How are related risks expected
to be mitigated by financial
institutions using A.I.?
Question 11:
How are financial institutions
addressing any increase in data
privacy risk related to the use of A.I.
models, particularly emerging A.I.
technologies?
Please provide examples of how
financial institutions have assessed
data privacy risk in their use of A.I..
In what ways could existing data
privacy protections (such as those
in the Gramm-Leach- Bliley Act (Pub.
L.
No.
106-102)) be strengthened for
impacted entities, given the
rapid development of emerging A.I.
technologies, and what examples can
you provide of the impact of A.I.
usage on data privacy protections?
How have technology companies
or third-party providers of A.I.
assessed the categories
of data used in A.I.
models and tools within the context
of data privacy protections?
Question 12:
How are financial institutions, technology
companies, or third-party service
providers addressing and mitigating
potential fraud risks caused by A.I.
technologies?
What challenges do organizations
face in countering these fraud risks?
Given A.I.âs ability to mimic biometrics
(such as a photos/video of a customer
or the customerâs voice) what methods
do financial institutions plan to use
to protect against this type of fraud
(e.g., multifactor authentication)?
Question 13:
How do financial institutions,
technology companies, or third-party
service providers expect to use A.I.
to address and mitigate
illicit finance risks?
What challenges do organizations
face in adopting A.I.
to counter illicit finance risks?
How do financial institutions use A.I.
to comply with applicable
AML/CFT requirements?
What risks may such uses create?
Question 14:
As states adopt the NA.I.Câs Model
Bulletin on the Use of Artificial
Intelligence Systems by Insurers and
other states develop their own regulations
or guidance, what changes have insurers
implemented and what changes might they
implement to comply or be consistent
with these laws and regulatory guidance?
How do insurers using A.I.
make certain that their underwriting,
rating, and pricing practices and
outcomes are consistent with applicable
laws addressing unfair discrimination?
How are insurers currently covering
A.I.-related risks in existing policies?
Are the coverage, rates, or
availability of insurance for financial
institutions changing due to A.I.
risks?
Are insurers including exclusions
for A.I.-related risks or
adjusting policy wording for A.I.
risks?
Third-party Risks
Question 15:
To the extent financial institutions
are relying on third-parties to
develop, deploy, or test the use of
A.I., and in particular, emerging A.I.
technologies, how do financial
institutions expect to
manage third-party risks?
How are financial institutions
applying third-party risk management
frameworks to the use of A.I.?
What challenges exist to mitigating
third-party risks related to A.I.,
and in particular, emerging A.I.
technologies, for financial institutions?
How have these challenges varied
or affected the use of A.I.
across financial institutions
of various sizes and complexity?
Question 16:
What specific concerns over
data confidentiality does
the use of third-party A.I.
providers create?
What additional enhancements to existing
processes do financial institutions expect
to make in conducting due diligence prior
to using a third-party provider of A.I.
technologies?
What additional enhancements to
existing processes do financial
institutions expect to make in
monitoring an ongoing third-party
relationship, given the advances in A.I.
technologies?
How do financial institutions manage
supply chain risks related to A.I.?
Question 17:
How are financial institutions
applying operational risk management
frameworks to the use of A.I.?
What, if any, emerging risks have
not been addressed in financial
institutionsâ existing operational
risk management frameworks?
How are financial institutions
ensuring their operations are resilient
to disruptions in the integrity,
availability, and use of A.I.?
Are financial institutions using A.I.
to preserve continuity
of other core functions?
If so, please provide examples.
C.
Further actions
As noted, Treasury supports responsible
innovation and competition in the
financial sector and seeks to promote
a financial system that delivers
inclusive and equitable access to
financial services that meet the
needs of consumers and businesses,
while maintaining stability and
market integrity, protecting critical
financial sector infrastructure,
and combating illicit finance
and national security threats.
Question 18:
What actions are necessary to promote
responsible innovation and competition
with respect to the use of A.I.
in financial services?
What actions do you recommend
Treasury take, and what actions
do you recommend others take?
What, if any, further actions are needed
to protect impacted entities, including
consumers, from potential risks and harms?
Please provide specific feedback on
legislative, regulatory, or supervisory
enhancements related to the use of A.I.
that would promote a financial system
that delivers inclusive and equitable
access to financial services that meet
the needs of consumers and businesses,
while maintaining stability and integrity,
protecting critical financial sector
infrastructure, and combating illicit
finance and national security threats.
What enhancements, if any, do you
recommend be made to existing governance
structures, oversight requirements,
or risk management practices as
they relate to the use of A.I.,
and in particular, emerging A.I.
technologies?
Question 19:
To what extent do differences in
jurisdictional approaches inside and
outside the United States pose concerns
for the management of A.I.-related
risks on an enterprise-wide basis?
To what extent do such differences have
an impact on the development of products,
competition, or other commercial matters?
To what extent do such differences
have an impact on consumer protection
or availability of services?
This concludes the Request for
Information on Uses, Opportunities,
and Risks of Artificial Intelligence
in the Financial Services Sector
If your Credit union could use assistance
with your exam, reach out to Mark Treichel
on LinkedIn, or at mark Treichel dot com.
This is Samantha Shares and
we Thank you for listening.