WEBVTT NOTE This file was generated by Descript 00:00:00.470 --> 00:00:02.370 Samantha: Hello, this is Samantha Shares. 00:00:03.010 --> 00:00:06.540 This episode covers the Treasurey Departments Request for Information 00:00:06.540 --> 00:00:10.450 on Uses, Opportunities, and Risks of Artificial Intelligence in 00:00:10.450 --> 00:00:12.110 the Financial Services Sector 00:00:12.789 --> 00:00:16.129 The following is an audio version of that request for information. 00:00:16.659 --> 00:00:19.829 This podcast is educational and is not legal advice. 00:00:20.279 --> 00:00:24.269 We are sponsored by Credit Union Exam Solutions Incorporated, whose 00:00:24.269 --> 00:00:27.279 team has over two hundred and Forty years of National Credit 00:00:27.279 --> 00:00:29.199 Union Administration experience. 00:00:29.729 --> 00:00:33.379 We assist our clients with N C U A so they save time and money. 00:00:33.829 --> 00:00:37.789 If you are worried about a recent, upcoming or in process N C U A 00:00:37.789 --> 00:00:42.149 examination, reach out to learn how they can assist at Mark Treichel DOT COM. 00:00:42.499 --> 00:00:46.859 Also check out our other podcast called With Flying Colors where we provide tips 00:00:46.859 --> 00:00:49.459 on how to achieve success with N C U A. 00:00:50.163 --> 00:00:51.833 And now the request for comment. 00:00:52.502 --> 00:00:56.002 Request for Information on Uses, Opportunities, and Risks 00:00:56.002 --> 00:00:59.292 of Artificial Intelligence in the Financial Services Sector 00:01:00.047 --> 00:01:03.667 AGENCY: Departmental Offices, Department of the Treasury. 00:01:04.407 --> 00:01:06.517 ACTION: Request for information. 00:01:07.172 --> 00:01:08.702 SUMMARY: The U.S. 00:01:09.162 --> 00:01:12.192 Department of the Treasury (Treasury) is seeking comment through this 00:01:12.192 --> 00:01:16.292 request for information (RFI) on the uses, opportunities and risks 00:01:16.292 --> 00:01:19.762 presented by developments and applications of artificial intelligence 00:01:19.762 --> 00:01:22.112 (A.I.) within the financial sector. 00:01:22.792 --> 00:01:26.142 Treasury is interested in gathering information from a broad set of 00:01:26.142 --> 00:01:30.682 stakeholders in the financial services ecosystem, including those providing, 00:01:30.722 --> 00:01:34.942 facilitating, and receiving financial products and services, as well as 00:01:34.942 --> 00:01:39.732 consumer and small business advocates, academics, nonprofits, and others. 00:01:40.438 --> 00:01:44.608 DATES: Written comments and information are requested on or before 00:01:44.608 --> 00:01:48.738 [INSERT DATE THAT IS 60 DAYS AFTER PUBLICATION IN THE FEDERAL REGISTER]. 00:01:49.512 --> 00:01:52.942 ADDRESSES: Please submit comments electronically through the 00:01:52.942 --> 00:01:58.102 Federal eRulemaking Portal at http://www.regulations.gov, in accordance 00:01:58.102 --> 00:01:59.652 with the instructions on that site. 00:02:00.262 --> 00:02:01.072 Comments should 00:02:01.782 --> 00:02:06.172 be captioned with ‘‘Uses, Opportunities, and Risks of Artificial Intelligence 00:02:06.172 --> 00:02:10.552 in the Financial Services Sector.’’ In general, Treasury will post all 00:02:10.552 --> 00:02:13.852 comments to https://www.regulations.gov, 00:02:14.709 --> 00:02:17.699 including any business or personal information provided 00:02:17.699 --> 00:02:21.739 such as names, addresses, email addresses, or telephone numbers. 00:02:22.289 --> 00:02:26.329 All comments, including attachments and other supporting materials, are part 00:02:26.329 --> 00:02:30.329 of the public record and subject to public disclosure and should not include 00:02:30.329 --> 00:02:34.709 confidential information, including confidential supervisory information. 00:02:35.209 --> 00:02:38.889 You should submit only information that you wish to make available publicly. 00:02:39.439 --> 00:02:43.229 Where appropriate, a comment should include a short Executive Summary (no 00:02:43.229 --> 00:02:45.339 more than five single-spaced pages). 00:02:45.996 --> 00:02:47.466 SUPPLEMENTARY INFORMATION: 00:02:48.225 --> 00:02:48.435 I. 00:02:48.945 --> 00:02:49.555 Background 00:02:50.293 --> 00:02:54.673 Treasury supports responsible innovation and competition in the financial sector 00:02:54.723 --> 00:02:58.833 and seeks to promote a financial system that delivers inclusive and equitable 00:02:58.833 --> 00:03:03.083 access to financial services that meet the needs of consumers, businesses, 00:03:03.153 --> 00:03:06.763 and investors, while maintaining stability and market integrity, 00:03:07.053 --> 00:03:11.213 protecting critical financial sector infrastructure, and combating illicit 00:03:11.213 --> 00:03:13.423 finance and national security threats. 00:03:14.113 --> 00:03:14.903 The use of A.I. 00:03:15.353 --> 00:03:19.243 is rapidly evolving, and Treasury is committed to continuing to monitor 00:03:19.243 --> 00:03:23.093 technological developments and their application and potential impacts in 00:03:23.093 --> 00:03:28.183 financial services to help inform any potential policy deliberations or actions. 00:03:28.933 --> 00:03:32.493 To that end, Treasury is seeking comment on the uses of A.I. 00:03:32.933 --> 00:03:36.833 in the financial services sector and the opportunities and risks presented 00:03:36.833 --> 00:03:38.933 by developments and applications of A.I. 00:03:39.453 --> 00:03:40.373 within the sector. 00:03:40.923 --> 00:03:44.513 Treasury welcomes feedback from all parties that may have a perspective 00:03:44.513 --> 00:03:46.163 as to implications of A.I. 00:03:46.573 --> 00:03:48.733 in the financial sector on any question. 00:03:49.523 --> 00:03:51.883 “Financial institutions” in this RFI 00:03:52.607 --> 00:03:56.607 includes any company that facilitates or provides financial products or 00:03:56.607 --> 00:04:01.827 services.1 The RFI also seeks input on the potential opportunities and risks 00:04:01.827 --> 00:04:04.027 of financial institutions’ use of A.I. 00:04:04.547 --> 00:04:05.357 and how A.I. 00:04:05.737 --> 00:04:07.537 may affect impacted entities. 00:04:08.317 --> 00:04:12.847 “Impacted entities” in this RFI includes consumers, investors, financial 00:04:12.847 --> 00:04:18.257 institutions, businesses, regulators, end-users, and any other entity impacted 00:04:18.257 --> 00:04:20.517 by financial institutions’ use of A.I.. 00:04:21.263 --> 00:04:23.023 Prior and ongoing engagement 00:04:23.802 --> 00:04:28.262 This RFI effort is one of many ways that Treasury is engaging with stakeholders 00:04:28.332 --> 00:04:32.442 in improving Treasury’s understanding of the developments and application of A.I. 00:04:32.902 --> 00:04:34.852 within the financial services sector. 00:04:35.606 --> 00:04:39.076 In November 2022, Treasury explored opportunities and 00:04:39.076 --> 00:04:40.926 risks related to the use of A.I. 00:04:41.266 --> 00:04:45.006 in its report assessing the impact of new entrant non-bank firms on 00:04:45.006 --> 00:04:49.756 competition in consumer finance markets, for which Treasury conducted extensive 00:04:49.756 --> 00:04:54.356 outreach.2 Among other findings, that report found that innovations in A.I. 00:04:54.686 --> 00:04:57.666 are powering many non-bank firms’ capabilities and 00:04:57.666 --> 00:04:59.326 product and service offerings. 00:04:59.986 --> 00:05:02.136 The report noted that firms’ use of A.I. 00:05:02.616 --> 00:05:06.826 may help expand the provision of financial products and services to consumers, 00:05:06.966 --> 00:05:08.746 particularly in the credit space. 00:05:09.346 --> 00:05:11.976 The report also found that, in deploying A.I. 00:05:12.356 --> 00:05:16.546 models and tools, firms use a greater amount and variety of data than in the 00:05:16.546 --> 00:05:21.546 past, leading to an unprecedented demand for consumer data, which presents new 00:05:21.546 --> 00:05:23.686 data privacy and surveillance risks. 00:05:24.286 --> 00:05:28.166 Additionally, the report identified concerns related to bias and 00:05:28.939 --> 00:05:33.909 1 To the extent applicable, “financial institutions” in this RFI includes banks, 00:05:34.029 --> 00:05:38.709 credit unions, insurance companies, non-bank financial companies, financial 00:05:38.709 --> 00:05:42.889 technology companies (also known as fintech companies), asset managers, 00:05:43.059 --> 00:05:47.439 broker-dealers, investment advisors, other securities and derivatives markets 00:05:47.439 --> 00:05:51.969 participants or intermediaries, money transmitters, and any other company that 00:05:51.969 --> 00:05:56.699 facilitates or provides financial products or services under the regulatory authority 00:05:56.699 --> 00:06:01.179 of the federal financial regulators and state financial or securities regulators. 00:06:01.948 --> 00:06:05.978 2 TREASURY, ASSESSING THE IMPACT OF NEW ENTRANT NON-BANK FIRMS ON 00:06:05.978 --> 00:06:08.028 COMPETITION IN CONSUMER FINANCE 00:06:08.678 --> 00:06:16.838 MARKETS (2022), https://home.treasury.gov/system/files/136/Assessing-the-Impact-of-New-Entrant-Nonbank- 00:06:17.208 --> 00:06:17.648 Firms.pdf. 00:06:18.048 --> 00:06:19.598 (Treasury Non-Bank Report). 00:06:20.346 --> 00:06:22.126 discrimination in the use of A.I. 00:06:22.536 --> 00:06:26.386 in financial services, including challenges with explainability – that 00:06:26.386 --> 00:06:31.106 is, the ability to understand a model’s output and decisions, or how the model 00:06:31.106 --> 00:06:35.336 establishes relationships based on the model input – and ensuring compliance 00:06:35.336 --> 00:06:39.486 with fair lending requirements; the potential for models to perpetuate 00:06:39.486 --> 00:06:44.086 discrimination by using and learning from data that reflect and reinforce historical 00:06:44.086 --> 00:06:46.446 biases; and the potential for A.I. 00:06:46.876 --> 00:06:50.986 tools to expand capabilities for firms to inappropriately target specific 00:06:51.016 --> 00:06:55.016 individuals or communities (e.g., low- to moderate-income communities, 00:06:55.186 --> 00:06:59.786 communities of color, women, rural, tribal, or disadvantaged communities). 00:07:00.336 --> 00:07:04.086 The report found that new entrant non-bank firms and innovations they are 00:07:04.086 --> 00:07:06.346 utilizing–including developments of A.I. 00:07:06.716 --> 00:07:10.346 in financial services––may be able to help improve financial services, 00:07:10.746 --> 00:07:13.856 but that further steps should be considered to monitor and address 00:07:13.856 --> 00:07:18.376 risks to consumers, foster market integrity, and help ensure the safety 00:07:18.376 --> 00:07:20.296 and soundness of the financial system. 00:07:21.061 --> 00:07:25.901 In December 2023, Treasury issued an RFI soliciting input to inform 00:07:25.901 --> 00:07:29.691 its development of a national financial inclusion strategy; that 00:07:29.691 --> 00:07:33.961 RFI included questions related to the use of technologies such as A.I. 00:07:34.551 --> 00:07:38.991 in the provision of consumer financial services, in addition to other topics 00:07:38.991 --> 00:07:40.931 related to financial inclusion.3 00:07:41.669 --> 00:07:45.149 In March 2024, Treasury published a report on A.I. 00:07:45.439 --> 00:07:46.519 and cybersecurity. 00:07:47.209 --> 00:07:51.269 In developing that report, Treasury conducted extensive industry outreach 00:07:51.269 --> 00:07:55.869 on A.I.-related cybersecurity risks in the financial services sector.4 00:07:55.869 --> 00:07:59.829 In the report, Treasury identifies opportunities and challenges that A.I. 00:08:00.259 --> 00:08:04.249 presents to the security and resiliency of the financial services sector. 00:08:04.959 --> 00:08:06.659 The report outlines a series 00:08:07.427 --> 00:08:12.107 3 TREASURY, REQUEST FOR INFORMATION ON FINANCIAL INCLUSION, 88 Fed. 00:08:12.577 --> 00:08:12.897 Reg. 00:08:12.897 --> 00:08:15.097 88702 (Dec. 00:08:15.567 --> 00:08:17.007 22, 2023), 00:08:17.778 --> 00:08:28.738 https://www.federalregister.gov/documents/2023/12/22/2023-28263/request-for-information-on-financial-inclusion. 00:08:29.564 --> 00:08:33.834 4 TREASURY, MANAGING ARTIFICIAL INTELLIGENCE-SPECIFIC CYBERSECURITY 00:08:33.834 --> 00:08:35.714 RISKS IN THE FINANCIAL SERVICES 00:08:36.395 --> 00:08:37.155 SECTOR (Mar. 00:08:37.485 --> 00:08:43.065 27, 2024), https://home.treasury.gov/system/files/136/Managing-Artificial-Intelligence-Specific- 00:08:43.065 --> 00:08:48.765 Cybersecurity-Risks-In-The-Financial-Services-Sector.pdf. 00:08:49.195 --> 00:08:50.215 (Treasury A.I. 00:08:50.545 --> 00:08:51.815 Cybersecurity Report). 00:08:52.661 --> 00:08:57.901 of next steps to address A.I.-related operational risk, cybersecurity, and fraud 00:08:57.901 --> 00:09:03.281 challenges, as a response to Executive Order 14110.5 Treasury’s efforts to 00:09:03.281 --> 00:09:07.531 identify and mitigate cybersecurity, fraud, and other risks align with 00:09:07.531 --> 00:09:12.871 Office of Management and Budget (OMB) Memorandum M-24- 10 to federal agencies.6 00:09:13.589 --> 00:09:18.779 Further, in May 2024, Treasury issued its 2024 National Strategy for Combatting 00:09:18.779 --> 00:09:22.759 Terrorist and Other Illicit Financing (National Illicit Finance Strategy),7 00:09:23.359 --> 00:09:27.899 noting that innovations in A.I., including machine learning and large language models 00:09:27.899 --> 00:09:31.889 such as generative A.I., have significant potential to strengthen anti-money 00:09:31.889 --> 00:09:35.289 laundering/countering the financing of terrorism (AML/CFT) compliance 00:09:35.289 --> 00:09:39.279 by helping financial institutions analyze large amounts of data and more 00:09:39.279 --> 00:09:44.139 effectively identify illicit finance patterns, risks, trends, and typologies. 00:09:44.599 --> 00:09:48.359 One of the objectives identified in the National Illicit Finance Strategy 00:09:48.409 --> 00:09:51.669 is industry outreach to improve Treasury’s understanding of how 00:09:51.669 --> 00:09:53.889 financial institutions are using A.I. 00:09:54.389 --> 00:09:56.919 to comply with applicable AML/CFT requirements. 00:09:57.589 --> 00:10:01.479 Treasury also recognizes the important work underway across agencies 00:10:01.479 --> 00:10:03.459 related to the evolving use of A.I. 00:10:03.979 --> 00:10:05.319 in financial services. 00:10:05.909 --> 00:10:09.919 This includes the Commodity Futures Trading Commission’s (CFTC) request for 00:10:09.919 --> 00:10:14.889 comment issued in January 2024 on current and potential uses and risks of A.I. 00:10:15.229 --> 00:10:20.209 in CFTC-regulated derivatives markets, and the report issued by the Technology 00:10:20.209 --> 00:10:25.869 Advisory Committee of the CFTC in May 2024 on Responsible Artificial Intelligence in 00:10:26.566 --> 00:10:28.116 5 WHITE HOUSE, E.O. 00:10:28.506 --> 00:10:33.586 14110, SAFE, SECURE, AND TRUSTWORTHY DEVELOPMENT AND USE OF ARTIFICIAL 00:10:34.333 --> 00:10:35.383 INTELLIGENCE (Oct. 00:10:36.093 --> 00:10:45.003 30, 2023), https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and- 00:10:45.003 --> 00:10:49.523 trustworthy-development-and-use-of-artificial-intelligence. 00:10:50.323 --> 00:10:50.893 The E.O. 00:10:51.213 --> 00:10:54.343 calls for a whole-of-government approach to meeting the challenges 00:10:54.343 --> 00:10:56.303 and opportunities posed by A.I.. 00:10:57.003 --> 00:11:01.533 6 OMB, MEMORANDUM M-24-10 ADVANCING GOVERNANCE, INNOVATION, 00:11:01.583 --> 00:11:03.313 AND RISK MANAGEMENT FOR AGENCY 00:11:04.033 --> 00:11:06.023 USE OF ARTIFICIAL INTELLIGENCE (Mar. 00:11:06.383 --> 00:11:14.933 28, 2024), https://www.whitehouse.gov/wp-content/uploads/2024/03/M-24- 00:11:14.933 --> 00:11:19.063 10-Advancing-Governance-Innovation-and-Risk-Management-for-Agency-Use-of-Artificial-Intelligence.pdf. 00:11:19.963 --> 00:11:24.113 The OMB memorandum establishes new agency requirements and guidance for A.I. 00:11:24.653 --> 00:11:28.463 governance, innovation, and risk management practices that impact the 00:11:28.463 --> 00:11:30.643 rights and safety of the American public. 00:11:31.357 --> 00:11:35.697 7 TREASURY, 2024 NATIONAL STRATEGY FOR COMBATING TERRORIST AND 00:11:35.737 --> 00:11:37.767 OTHER ILLICIT FINANCING (2024), 00:11:38.549 --> 00:11:45.179 https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf. 00:11:46.026 --> 00:11:50.106 Financial Markets.8 The Securities and Exchange Commission (SEC) also issued a 00:11:50.106 --> 00:11:54.746 proposed rule in July 2023 on addressing conflicts of interest associated with 00:11:54.746 --> 00:11:58.816 broker-dealers’ and investment advisers’ use of predictive data analytics 00:11:58.816 --> 00:12:03.226 and similar technologies, including A.I..9 Additionally, the Office of the 00:12:03.226 --> 00:12:07.026 Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve 00:12:07.026 --> 00:12:12.206 System (FRB), Federal Deposit Insurance Corporation (FDIC), Consumer Financial 00:12:12.206 --> 00:12:16.796 Protection Bureau (CFPB), and National Credit Union Administration (NCUA) 00:12:16.836 --> 00:12:22.046 issued an interagency RFI in 2021 on financial institutions’ use of A.I..10 00:12:22.780 --> 00:12:25.760 In addition, the Financial Stability Oversight Council 00:12:25.760 --> 00:12:27.880 (FSOC) identified the use of A.I. 00:12:28.180 --> 00:12:32.770 in financial services as a vulnerability for the first time in its 2023 annual 00:12:32.770 --> 00:12:37.400 report.11 FSOC noted in its 2023 annual report that the use of A.I. 00:12:37.740 --> 00:12:42.360 can introduce certain risks, including safety and soundness risks like cyber 00:12:42.360 --> 00:12:46.680 and model risks, and recommended monitoring the rapid developments in A.I. 00:12:47.090 --> 00:12:50.460 to ensure that oversight structures account for emerging risks to 00:12:50.460 --> 00:12:54.690 the financial system while also facilitating efficiency and innovation. 00:12:55.429 --> 00:12:59.749 In 2018, Treasury’s Financial Crimes Enforcement Network (FinCEN) and the 00:12:59.749 --> 00:13:03.839 federal banking agencies issued a Joint Statement on Innovative Efforts to 00:13:03.839 --> 00:13:07.929 Combat Money Laundering and Terrorist Financing,12 which encouraged banks 00:13:07.929 --> 00:13:10.229 to use existing tools or adopt new 00:13:10.976 --> 00:13:15.366 8 CFTC, CFTC Staff Releases Request for Comment on the Use 00:13:15.366 --> 00:13:19.346 of Artificial Intelligence in CFTC-Regulated Markets, (Jan. 00:13:19.796 --> 00:13:27.106 25, 2024), https://www.cftc.gov/PressRoom/PressReleases/8853-24. 00:13:27.872 --> 00:13:33.272 CFTC, RESPONSIBLE ARTIFICIAL INTELLIGENCE IN FINANCIAL MARKETS (May 2, 2024), 00:13:34.090 --> 00:13:39.210 https://www.cftc.gov/PressRoom/PressReleases/8905-24. 00:13:39.925 --> 00:13:43.655 9 SEC, CONFLICTS OF INTEREST ASSOCIATED WITH THE USE OF PREDICTIVE 00:13:43.655 --> 00:13:45.755 DATA ANALYTICS BY BROKER-DEALERS 00:13:46.509 --> 00:13:48.189 AND INVESTMENT ADVISERS (Jul. 00:13:48.889 --> 00:13:57.129 26, 2023), https://www.sec.gov/files/rules/proposed/2023/34-97990.pdf. 00:13:58.038 --> 00:14:03.308 10 OCC, FRB, FDIC, CFPB, & NCUA, REQUEST FOR INFORMATION AND 00:14:03.308 --> 00:14:07.158 COMMENT ON FINANCIAL INSTITUTIONS’ USE OF ARTIFICIAL INTELLIGENCE, 00:14:07.438 --> 00:14:09.878 INCLUDING MACHINE LEARNING, 86 Fed. 00:14:10.168 --> 00:14:10.518 Reg. 00:14:10.998 --> 00:14:13.078 16837 (Mar. 00:14:13.598 --> 00:14:15.028 31, 2021), 00:14:15.771 --> 00:14:28.751 https://www.federalregister.gov/documents/2021/03/31/2021-06607/request-for-information-and-comment-on- financial-institutions-use-of-artificial-intelligence. 00:14:29.446 --> 00:14:36.776 11 See FSOC, ANNUAL REPORT (2023), https://home.treasury.gov/system/files/261/FSOC2023AnnualReport.pdf. 00:14:36.776 --> 00:14:42.176 FSOC’s 2022 report also discussed A.I.. 00:14:42.506 --> 00:14:51.406 See FSOC, ANNUAL REPORT (2022), https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf. 00:14:52.283 --> 00:14:57.293 12 FinCEN, FRB, FDIC, NCUA, & OCC, JOINT STATEMENT ON INNOVATIVE 00:14:57.413 --> 00:14:58.793 EFFORTS TO COMBAT MONEY 00:14:59.509 --> 00:15:01.569 LAUNDERING AND TERRORIST FINANCING (Dec. 00:15:02.369 --> 00:15:08.439 3, 2018), https://www.fincen.gov/news/news-releases/joint- 00:15:08.439 --> 00:15:09.859 statement-innovative-efforts-combat-money-laundering. 00:15:10.627 --> 00:15:14.327 technologies, including A.I., to identify and report money 00:15:14.327 --> 00:15:18.457 laundering, terrorist financing, and other illicit financial activity. 00:15:19.087 --> 00:15:22.887 Pursuant to requirements and authorities outlined in the Anti-Money Laundering 00:15:22.887 --> 00:15:27.137 Act of 2020 (the AML Act), FinCEN is also taking several steps to 00:15:27.137 --> 00:15:30.947 create the necessary regulatory and examination environment to support 00:15:30.947 --> 00:15:34.927 AML/CFT-related innovation that can enhance the effectiveness and efficiency 00:15:34.927 --> 00:15:37.357 of the Bank Secrecy Act (BSA) regime. 00:15:37.727 --> 00:15:42.277 Section 6209 of the AML Act requires the Secretary of the Treasury to issue 00:15:42.277 --> 00:15:46.807 a rule specifying standards for testing technology and related technology internal 00:15:46.807 --> 00:15:51.087 processes designed to facilitate effective compliance with the BSA by financial 00:15:51.087 --> 00:15:55.137 institutions, and these standards may include an emphasis on innovative 00:15:55.137 --> 00:15:59.587 approaches to compliance, such as the use of machine learning.13 The rulemaking 00:15:59.587 --> 00:16:03.657 would follow the issuance of the April 2021 Statement and separate Request for 00:16:03.657 --> 00:16:07.807 Information on Model Risk Management issued by FinCEN and the OCC, Federal 00:16:07.807 --> 00:16:13.337 Reserve, FDIC, and NCUA.14 As part of the regulatory process, FinCEN may consider 00:16:13.337 --> 00:16:17.607 how financial institutions are currently using innovative approaches to compliance, 00:16:17.687 --> 00:16:21.987 like machine learning and A.I., and the potential benefits and risks of specifying 00:16:21.987 --> 00:16:23.817 standards for those technologies. 00:16:24.477 --> 00:16:29.127 In February 2023, FinCEN hosted a FinCEN Exchange that brought together law 00:16:29.127 --> 00:16:32.797 enforcement, financial institutions, and other private sector and 00:16:32.797 --> 00:16:35.037 government entities to discuss how A.I. 00:16:35.347 --> 00:16:38.917 is used for monitoring and detecting illicit financial activity. 00:16:39.307 --> 00:16:42.957 FinCEN also regularly engages financial institutions on the 00:16:43.721 --> 00:16:48.281 13 Treasury’s 2024 Illicit Finance Strategy outlined measures to encourage 00:16:48.281 --> 00:16:52.071 private sector use of technology to improve AML/CFT programs and 00:16:52.071 --> 00:16:57.391 compliance, including the rulemaking required under AML Act section 6209. 00:16:58.101 --> 00:17:04.731 https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf. 00:17:05.689 --> 00:17:11.719 14 OCC, FRB, FDIC, NCUA, & FinCEN, Joint Statement on Bank Secrecy Act 00:17:11.759 --> 00:17:13.989 / Anti-Money Laundering Compliance (Apr. 00:17:14.439 --> 00:17:20.439 09, 2021), https://www.fincen.gov/news/news-releases/agencies-issue-statement-and-request- 00:17:20.649 --> 00:17:23.669 information-bank-secrecy-actanti-money. 00:17:24.475 --> 00:17:29.725 OCC, FRB, FDIC, NCUA, & FinCEN, REQUEST FOR INFORMATION AND COMMENT: 00:17:30.175 --> 00:17:33.845 EXTENT TO WHICH MODEL RISK MANAGEMENT PRINCIPLES SUPPORT COMPLIANCE WITH 00:17:33.845 --> 00:17:38.245 BANK SECRECY ACT/ ANTI-MONEY LAUNDERING AND OFFICE OF FOREIGN ASSETS CONTROL 00:17:38.245 --> 00:17:42.205 REQUIREMENTS, 86 FR 18978 (Apr. 00:17:42.785 --> 00:17:44.085 12, 2021), 00:17:44.844 --> 00:17:57.474 https://www.federalregister.gov/documents/2021/04/12/2021-07428/request-for-information-and-comment-extent- to-which-model-risk-management-principles-support. 00:17:58.297 --> 00:18:02.777 topic through the BSA Advisory Group Subcommittee on Innovation and Technology, 00:18:03.137 --> 00:18:07.547 and BSAAG Subcommittee on Information Security and Confidentiality.15 00:18:08.298 --> 00:18:12.578 Given the rapidly evolving nature of A.I., this RFI builds on the work that 00:18:12.578 --> 00:18:16.348 Treasury has done to date and seeks to gather additional perspectives. 00:18:17.068 --> 00:18:17.968 Current RFI 00:18:18.733 --> 00:18:22.163 Treasury understands that financial institutions are exploring the 00:18:22.163 --> 00:18:25.503 use of A.I., and is interested in gaining insights into those 00:18:25.503 --> 00:18:27.163 current and potential uses. 00:18:27.863 --> 00:18:31.833 The RFI also seeks input on the potential benefits and challenges of 00:18:31.833 --> 00:18:33.993 financial institutions’ use of A.I. 00:18:34.533 --> 00:18:35.933 for impacted entities. 00:18:36.662 --> 00:18:39.042 This RFI adopts the definition of A.I. 00:18:39.392 --> 00:18:43.602 utilized in President Biden’s Executive Order on Safe, Secure, and 00:18:43.602 --> 00:18:45.732 Trustworthy Development and Use of A.I.: 00:18:46.504 --> 00:18:49.914 The term “artificial intelligence” or “A.I.” has the 00:18:49.914 --> 00:18:53.044 meaning set forth in 15 U.S.C. 00:18:53.044 --> 00:18:57.664 9401(3): a machine-based system that can, for a given set of human-defined 00:18:57.664 --> 00:19:01.544 objectives, make predictions, recommendations, or decisions 00:19:01.544 --> 00:19:03.974 influencing real or virtual environments. 00:19:04.534 --> 00:19:08.384 Artificial intelligence systems use machine and human–– based inputs to 00:19:08.384 --> 00:19:13.204 perceive real and virtual environments; abstract such perceptions into models 00:19:13.204 --> 00:19:17.704 through analysis in an automated manner; and use model inference to formulate 00:19:17.704 --> 00:19:20.374 options for information or action.16 00:19:21.101 --> 00:19:25.591 Treasury interprets this definition to describe a wide range of models and tools 00:19:25.591 --> 00:19:30.221 that utilize data, patterns, and other informational inputs to generate outputs 00:19:30.291 --> 00:19:34.721 – including statistical relationships, forecasts, content, and recommendations 00:19:34.721 --> 00:19:36.301 – for a given set of objectives. 00:19:36.931 --> 00:19:40.511 For the purposes of this RFI, Treasury is seeking comment on 00:19:40.511 --> 00:19:42.171 the latest developments in A.I. 00:19:42.701 --> 00:19:43.481 technologies 00:19:44.216 --> 00:19:48.916 15 The OCC, FDIC, FRB and NCUA also participate actively in 00:19:48.946 --> 00:19:50.536 BSAAG and the subcommittees. 00:19:51.225 --> 00:19:53.515 16 WHITE HOUSE, supra note 5. 00:19:54.315 --> 00:19:58.695 and applications, including but not limited to advancements in existing A.I. 00:19:59.235 --> 00:20:02.775 (e.g., machine learning models that learn from data and automatically 00:20:02.775 --> 00:20:07.085 adapt and improve with minimal human interference, rather than relying on 00:20:07.085 --> 00:20:09.495 explicit programming) and emerging A.I. 00:20:09.855 --> 00:20:14.155 technologies including deep learning neutral network such as generative A.I. 00:20:14.605 --> 00:20:16.955 and large language models (LLMs).17 00:20:17.724 --> 00:20:18.424 Use of A.I. 00:20:19.184 --> 00:20:23.354 Through this RFI, Treasury seeks to increase its understanding of how A.I. 00:20:23.824 --> 00:20:27.584 is being used within the financial services sector and the opportunities 00:20:27.584 --> 00:20:30.744 and risks presented by developments and applications of A.I. 00:20:31.214 --> 00:20:34.214 within the sector, including potential obstacles for 00:20:34.214 --> 00:20:36.404 facilitating responsible use of A.I. 00:20:36.864 --> 00:20:41.634 within financial institutions, the effect on impacted entities through use of A.I. 00:20:42.194 --> 00:20:45.614 by financial institutions, and recommendations for enhancements 00:20:45.614 --> 00:20:50.144 to legislative, regulatory, and supervisory frameworks applicable to A.I. 00:20:50.574 --> 00:20:53.784 in financial services.18 Treasury is interested in gaining 00:20:53.784 --> 00:20:55.714 insights into the uses of A.I. 00:20:56.174 --> 00:21:00.814 by financial institutions, including but not limited to those outlined below: 00:21:01.573 --> 00:21:06.033 • Provision of products and services: Financial institutions’ use of A.I. 00:21:06.383 --> 00:21:10.503 to assist in decisions related to offering financial products or services, 00:21:10.803 --> 00:21:12.823 such as whether to offer transaction 00:21:13.503 --> 00:21:15.933 17 As used here, generative A.I. 00:21:16.233 --> 00:21:17.823 is defined as a kind of A.I. 00:21:18.113 --> 00:21:22.623 capable of generating new content such as code, images, music, text, 00:21:22.693 --> 00:21:25.343 simulations, 3D objects, and videos. 00:21:25.883 --> 00:21:28.963 It is often used to describe algorithms (such as ChatGPT) that 00:21:28.963 --> 00:21:30.533 can be used to create new content. 00:21:31.193 --> 00:21:35.003 LLM is defined as a class of language models that use deep-learning 00:21:35.003 --> 00:21:38.923 algorithms and are trained on extremely large textual datasets that 00:21:38.923 --> 00:21:41.073 can be multiple terabytes in size. 00:21:41.513 --> 00:21:45.723 LLMs can be classified as two types: generative or discriminatory. 00:21:46.273 --> 00:21:50.893 Generative LLMs are models that output text, such as the answer to a question 00:21:50.893 --> 00:21:52.953 or an essay on a specific topic. 00:21:53.593 --> 00:21:56.783 They are typically unsupervised or semi-supervised learning 00:21:56.783 --> 00:21:59.823 models that predict what the response is for a given task. 00:22:00.573 --> 00:22:04.103 Discriminatory LLMs are supervised learning models that usually 00:22:04.103 --> 00:22:07.923 focus on classifying text, such as determining whether a text 00:22:07.923 --> 00:22:09.813 was made by a human or A.I.. 00:22:10.103 --> 00:22:10.713 See U.S. 00:22:11.043 --> 00:22:15.053 DEPARTMENT OF COMMERCE, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, 00:22:15.343 --> 00:22:17.673 THE LANGUAGE OF TRUSTWORTHY A.I.: AN IN- 00:22:18.350 --> 00:22:20.060 DEPTH GLOSSARY OF TERMS (Mar. 00:22:20.690 --> 00:22:26.460 22, 2023), https://airc.nist.gov/A.I._RMF_Knowledge_Base/Glossary. 00:22:27.187 --> 00:22:31.167 18 See also PAUL TIERNO, ARTIFICIAL INTELLIGENCE AND MACHINE 00:22:31.167 --> 00:22:32.867 LEARNING IN FINANCIAL SERVICES 00:22:33.604 --> 00:22:41.294 (CONGRESSIONAL RESEARCH SERVICE, 2024), https://crsreports.congress.gov/product/pdf/R/R47997. 00:22:42.033 --> 00:22:46.563 accounts, credit, or insurance, and the terms and conditions of such offerings, 00:22:46.903 --> 00:22:50.833 as well as financial forecasting products and pattern recognition tools; 00:22:51.589 --> 00:22:55.989 • Risk management: Financial institutions’ use and potential use of A.I. 00:22:56.289 --> 00:23:00.719 for managing various types of risk, including credit risk, market risk, 00:23:00.869 --> 00:23:05.929 operational risk, cyber risk, fraud and illicit finance risk, compliance 00:23:05.929 --> 00:23:10.689 risk (including fraud risk), reputation risk, interest rate risk, liquidity 00:23:10.689 --> 00:23:15.639 risk, model risk, counterparty risk, and legal risk, as well as the extent 00:23:15.639 --> 00:23:19.019 to which financial institutions may be exploring the use of A.I. 00:23:19.559 --> 00:23:22.599 for treasury management or asset-liability management; 00:23:23.432 --> 00:23:27.012 • Capital markets: Financial institutions’ use of A.I. 00:23:27.372 --> 00:23:31.122 to assist in capital markets activities, including identifying 00:23:31.122 --> 00:23:35.532 investment opportunities, allocating capital, executing trades, and 00:23:35.532 --> 00:23:37.832 providing financial advisory services; 00:23:38.565 --> 00:23:42.475 • Internal operations: Financial institutions’ use of A.I. 00:23:42.925 --> 00:23:47.885 to manage internal operations, such as payroll, HR functions, training, 00:23:47.975 --> 00:23:52.945 performance management, communications, cybersecurity, software development, and 00:23:52.945 --> 00:23:55.085 other internal operational functions; 00:23:55.826 --> 00:23:59.506 • Customer service: Financial institutions’ use of A.I. 00:23:59.956 --> 00:24:04.276 in customer management, including complaint handling, investor relations, 00:24:04.416 --> 00:24:08.986 website management, claims management, or other external-facing functions; 00:24:09.725 --> 00:24:13.715 • Regulatory compliance: Financial institutions’ use of A.I. 00:24:14.125 --> 00:24:18.045 to manage regulatory requirements, including capital and liquidity 00:24:18.045 --> 00:24:21.945 requirements, regulatory reporting or disclosure requirements, 00:24:22.145 --> 00:24:26.145 BSA/AML requirements, consumer and investor protection requirements, 00:24:26.345 --> 00:24:28.225 and license management; and 00:24:28.931 --> 00:24:32.141 • Marketing: Financial institutions’ use of A.I. 00:24:32.641 --> 00:24:35.811 to market to individuals, groups of individuals, or 00:24:35.811 --> 00:24:37.381 institutional counterparties. 00:24:38.147 --> 00:24:40.037 Potential Opportunities and Risks 00:24:40.743 --> 00:24:41.183 A.I. 00:24:41.513 --> 00:24:44.683 has the potential to offer improved efficiency and enhanced 00:24:44.683 --> 00:24:48.303 capabilities across the use cases outlined above and others, to 00:24:48.303 --> 00:24:50.223 the benefit of impacted entities. 00:24:50.773 --> 00:24:51.963 For example, A.I. 00:24:52.483 --> 00:24:56.883 can process certain forms of, and large amounts of, information that may otherwise 00:24:56.883 --> 00:25:02.103 be impractical or impossible to use, thus unlocking new insights and capabilities. 00:25:02.683 --> 00:25:06.293 This could translate to tangible benefits, including cost savings for 00:25:06.293 --> 00:25:10.283 financial institutions and expanded access to products and services 00:25:10.283 --> 00:25:13.383 that may be more individually tailored to impacted entities. 00:25:14.110 --> 00:25:18.130 Nevertheless, the use of A.I., particularly the use of emerging A.I. 00:25:18.460 --> 00:25:22.910 technologies, can present a variety of challenges to existing risk mitigation 00:25:22.910 --> 00:25:27.140 strategies, particularly as more complex models and tools evolve. 00:25:27.670 --> 00:25:30.250 Potential types of risk associated with A.I. 00:25:30.650 --> 00:25:34.510 use by financial institutions include model risks, operational 00:25:34.510 --> 00:25:38.600 risks, compliance risks, and third-party risks, among others. 00:25:39.130 --> 00:25:41.300 Potential risks associated with A.I. 00:25:41.650 --> 00:25:46.150 use for impacted entities may include bias, discrimination, monoculture, 00:25:46.260 --> 00:25:51.400 concentration, fraud, herding, hallucinations, explainability, conflicts, 00:25:51.480 --> 00:25:56.260 reputational risk, and data privacy risks, among others.19 More generally, 00:25:56.520 --> 00:25:58.500 concerns have been expressed about A.I. 00:25:58.810 --> 00:26:01.820 being used in connection with cyber threats or contributing 00:26:01.820 --> 00:26:03.070 to job displacement. 00:26:03.834 --> 00:26:08.024 Financial institutions typically manage A.I.-related risks through 00:26:08.024 --> 00:26:12.314 existing risk management frameworks, the most common of which include model 00:26:12.314 --> 00:26:16.384 risk, operational risk, compliance risk (including compliance with 00:26:16.384 --> 00:26:20.194 laws and regulations related to consumer protection and AML/CFT), 00:26:20.454 --> 00:26:24.914 and third-party risk management).20 However, as noted in the Treasury A.I. 00:26:25.184 --> 00:26:26.524 Cybersecurity Report, 00:26:27.276 --> 00:26:32.926 19 For a discussion of such potential risks, see Gary Gensler, “A.I., Finance, 00:26:32.976 --> 00:26:36.856 Movies, and the Law” Prepared Remarks before the Yale Law School (Feb. 00:26:37.576 --> 00:26:43.786 13, 2024), https://www.sec.gov/news/speech/gensler-ai-021324. 00:26:44.590 --> 00:26:46.740 20 FSOC, supra note 11. 00:26:47.365 --> 00:26:50.655 some financial institutions have reported that existing risk 00:26:50.655 --> 00:26:54.695 management frameworks may not be adequate to address emerging A.I. 00:26:55.125 --> 00:26:56.265 technologies.21 00:26:57.069 --> 00:26:58.099 Oversight of A.I. 00:26:58.669 --> 00:27:00.249 - Explainability and Bias 00:27:00.937 --> 00:27:03.077 The rapid development of emerging A.I. 00:27:03.397 --> 00:27:06.877 technologies has created challenges for financial institutions 00:27:06.877 --> 00:27:08.167 in the oversight of A.I.. 00:27:08.617 --> 00:27:12.137 Financial institutions may have an incomplete understanding of where 00:27:12.137 --> 00:27:14.107 the data used to train certain A.I. 00:27:14.427 --> 00:27:18.477 models and tools was acquired and what the data contains, as well as 00:27:18.477 --> 00:27:21.777 how the algorithms or structures are developed for those A.I. 00:27:22.067 --> 00:27:23.207 models and tools. 00:27:23.527 --> 00:27:27.277 For instance, machine-learning algorithms that internalize data based 00:27:27.277 --> 00:27:30.927 on relationships that are not easily mapped and understood by financial 00:27:30.927 --> 00:27:35.687 institution users create questions and concerns regarding explainability, which 00:27:35.687 --> 00:27:39.687 could lead to difficulty in assessing the conceptual soundness of such A.I. 00:27:40.087 --> 00:27:41.607 models and tools.22 00:27:42.318 --> 00:27:45.908 Financial regulators have issued guidance on model risk management 00:27:45.908 --> 00:27:50.208 principles, encouraging financial institutions to effectively identify 00:27:50.208 --> 00:27:54.398 and mitigate risks associated with model development, model use, model 00:27:54.398 --> 00:27:59.048 validation (including validation of vendor and third-party models), ongoing 00:27:59.048 --> 00:28:03.508 monitoring, outcome analysis, and model governance and controls.23 These 00:28:03.508 --> 00:28:08.068 principles are technology-agnostic but may not be applicable to certain A.I. 00:28:08.558 --> 00:28:09.718 models and tools. 00:28:10.444 --> 00:28:12.564 21 TREASURY, supra note 4. 00:28:13.358 --> 00:28:15.638 22 FSOC, supra note 11. 00:28:16.362 --> 00:28:21.362 23 See, e.g., FEDERAL HOUSING FINANCE AGENCY, ARTIFICIAL INTELLIGENCE 00:28:21.362 --> 00:28:23.412 / MACHINE LEARNING RISK MANAGEMENT (Feb. 00:28:24.072 --> 00:28:25.192 10, 2022), 00:28:25.937 --> 00:28:35.637 https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Advisory- Bulletin-2022-02.pdf; OCC, SOUND PRACTICES 00:28:35.637 --> 00:28:38.237 FOR MODEL RISK MANAGEMENT: SUPERVISORY 00:28:39.026 --> 00:28:41.336 GUIDANCE ON MODEL RISK MANAGEMENT, (Apr. 00:28:41.866 --> 00:28:49.836 4, 2011), https://www.occ.gov/news- issuances/bulletins/2011/bulletin-2011-12.html; 00:28:49.956 --> 00:28:53.516 FDIC, SUPERVISORY GUIDANCE ON MODEL RISK MANAGEMENT (Jun. 00:28:53.946 --> 00:29:01.156 17, 2017), https://www.fdic.gov/news/financial-institution- 00:29:01.156 --> 00:29:05.936 letters/2017/fil17022.html; and FRB, GUIDANCE ON MODEL RISK MANAGEMENT (Apr. 00:29:06.596 --> 00:29:07.906 4, 2011), 00:29:08.648 --> 00:29:14.218 https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm. 00:29:14.962 --> 00:29:17.792 Due to their inherent complexity, however, A.I. 00:29:18.132 --> 00:29:21.932 models and tools may exacerbate certain risks that may warrant further 00:29:21.932 --> 00:29:24.192 scrutiny and risk mitigation measures. 00:29:24.792 --> 00:29:28.482 This is particularly true in relation to the use of emerging A.I. 00:29:28.862 --> 00:29:29.692 technologies. 00:29:30.452 --> 00:29:33.372 Furthermore, the rapid development of emerging A.I. 00:29:33.792 --> 00:29:37.882 technologies may create a human capital shortage in financial institutions, 00:29:38.152 --> 00:29:41.842 where sufficient knowledge about a potential risk or bias of those A.I. 00:29:42.262 --> 00:29:46.122 technologies may be lacking such that staff may not be able to effectively 00:29:46.122 --> 00:29:49.882 manage the development, validation, and application of those A.I. 00:29:50.242 --> 00:29:51.082 technologies. 00:29:51.602 --> 00:29:55.152 Some financial institutions may rely on third-party providers 00:29:55.152 --> 00:29:56.922 to develop and validate A.I. 00:29:57.362 --> 00:30:01.562 models and tools, which may also create challenges in ensuring alignment with 00:30:01.562 --> 00:30:03.482 relevant risk management guidance. 00:30:04.157 --> 00:30:09.707 Challenges in explaining A.I.-assisted or A.I.-generated decisions also create 00:30:09.707 --> 00:30:14.027 questions about transparency generally, and raise concerns about the potential 00:30:14.027 --> 00:30:18.167 obfuscation of model bias that can negatively affect impacted entities. 00:30:18.847 --> 00:30:22.077 In the Non-Bank Report, Treasury noted the potential for A.I. 00:30:22.407 --> 00:30:26.337 models to perpetuate discrimination by utilizing and learning from data 00:30:26.367 --> 00:30:30.287 that reflect and reinforce historical biases.24 These challenges of 00:30:30.287 --> 00:30:34.467 managing explainability and bias may impede the adoption and use of A.I. 00:30:35.017 --> 00:30:36.587 by financial institutions. 00:30:37.300 --> 00:30:39.550 Consumer Protection and Data Privacy 00:30:40.254 --> 00:30:41.074 Use of A.I. 00:30:41.474 --> 00:30:44.724 in financial services – particularly use of emerging A.I. 00:30:45.204 --> 00:30:49.154 technologies – may negatively impact consumers and complicate efforts 00:30:49.154 --> 00:30:52.944 for financial institutions to ensure compliance with fair lending and 00:30:52.944 --> 00:30:57.964 anti-discrimination laws, or laws prohibiting unfair, deceptive or abusive 00:30:58.044 --> 00:31:03.574 acts or practices, potentially leading to legal violations.25 Some stakeholders have 00:31:04.350 --> 00:31:06.400 24 TREASURY, supra note 2. 00:31:07.066 --> 00:31:11.386 25 Fair lending and anti-discrimination laws include the Fair Housing 00:31:11.386 --> 00:31:15.446 Act, Equal Credit Opportunity Act, and Fair Credit Reporting Act. 00:31:16.056 --> 00:31:20.066 In September 2023, the CFPB issued guidance about certain 00:31:20.066 --> 00:31:21.836 legal requirements that lenders 00:31:22.549 --> 00:31:26.869 expressed concerns that A.I.-powered capabilities that enable financial 00:31:26.869 --> 00:31:31.049 institutions to offer more personalized products and services can also be used 00:31:31.049 --> 00:31:35.269 to inappropriately target consumers in ways that might be unfair, abusive, 00:31:35.409 --> 00:31:39.459 and discriminatory.26 In response to these challenges, methods for 00:31:39.459 --> 00:31:44.049 testing and addressing potential biases – including adversarial testing27 00:31:44.049 --> 00:31:48.889 and less discriminatory alternatives (LDA) testing28– continue to evolve, 00:31:49.309 --> 00:31:53.149 and some research has indicated that carefully designed and monitored A.I. 00:31:53.549 --> 00:31:58.349 models and tools can help reduce bias in the provision of financial services.29 00:31:59.123 --> 00:32:00.723 Additionally, use of A.I. 00:32:01.143 --> 00:32:06.233 may present new or increased data privacy risks for impacted entities and compliance 00:32:06.233 --> 00:32:08.223 risks for financial institutions. 00:32:08.793 --> 00:32:10.723 Existing approaches to comply with 00:32:11.429 --> 00:32:13.309 must adhere to when using A.I. 00:32:13.719 --> 00:32:15.239 and other complex models. 00:32:15.769 --> 00:32:19.959 The guidance describes how lenders must use specific and accurate reasons when 00:32:19.959 --> 00:32:22.249 taking adverse actions against consumers. 00:32:22.829 --> 00:32:27.399 CFPB, CFPB Issues Guidance on Credit Denials by Lenders Using 00:32:27.399 --> 00:32:29.189 Artificial Intelligence, (Sept. 00:32:29.509 --> 00:32:36.669 19, 2023), https://www.consumerfinance.gov/about- 00:32:36.669 --> 00:32:39.329 us/newsroom/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence. 00:32:39.975 --> 00:32:44.255 The CFPB published guidance on adverse action notification requirements that 00:32:44.255 --> 00:32:48.665 are technology-agnostic and stated that creditors subject to the CFPB’s 00:32:48.665 --> 00:32:53.235 Regulation B are not permitted to use A.I., complex algorithms, or 00:32:53.435 --> 00:32:57.735 “black-box” models which the creditors may not understand sufficiently; when 00:32:57.735 --> 00:33:02.015 the creditor is not able to accurately identify the specific reasons for denying 00:33:02.015 --> 00:33:06.345 credit or taking other adverse actions against consumers, the creditor may 00:33:06.345 --> 00:33:10.645 not be meeting its legal obligations under federal consumer financial laws. 00:33:11.325 --> 00:33:15.255 CFPB, ADVERSE ACTION NOTIFICATION REQUIREMENTS AND THE PROPER 00:33:15.255 --> 00:33:17.505 USE OF THE CFPB’S SAMPLE FORMS 00:33:18.205 --> 00:33:21.585 PROVIDED IN REGULATION B, Consumer Financial Protection 00:33:21.585 --> 00:33:25.775 Circular 2023-03 (Sept. 00:33:25.915 --> 00:33:35.295 19, 2023), https://www.consumerfinance.gov/compliance/circulars/circular-2023-03-adverse-action-notification-requirements- 00:33:35.295 --> 00:33:38.315 and-the-proper-use-of-the-cfpbs-sample-forms-provided-in-regulation-b/. 00:33:39.061 --> 00:33:43.001 CFPB, ADVERSE ACTION NOTIFICATION REQUIREMENTS IN CONNECTION 00:33:43.001 --> 00:33:44.741 WITH CREDIT DECISIONS BASED ON 00:33:45.483 --> 00:33:48.993 COMPLEX ALGORITHMS, Consumer Financial Protection Circular 00:33:49.023 --> 00:34:01.793 2022-03 (May 26, 2022), https://www.consumerfinance.gov/compliance/circulars/circular-2022-03-adverse-action-notification-requirements- 00:34:01.873 --> 00:34:03.733 in-connection-with-credit-decisions-based-on-complex-algorithms/. 00:34:04.454 --> 00:34:06.584 26 TREASURY, supra note 2. 00:34:07.303 --> 00:34:12.003 27 Adversarial machine learning is defined as a practice concerned with the design 00:34:12.003 --> 00:34:16.313 of machine learning algorithms that can resist security challenges and a field to 00:34:16.313 --> 00:34:20.393 study vulnerabilities of machine learning approaches in adversarial settings to 00:34:20.393 --> 00:34:24.333 develop techniques to make learning robust to adversarial manipulation. 00:34:24.963 --> 00:34:25.583 See U.S. 00:34:25.833 --> 00:34:29.753 DEPARTMENT OF COMMERCE, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, 00:34:30.033 --> 00:34:32.413 THE LANGUAGE OF TRUSTWORTHY A.I.: AN IN- 00:34:33.109 --> 00:34:34.819 DEPTH GLOSSARY OF TERMS (Mar. 00:34:35.439 --> 00:34:41.289 22, 2023), https://airc.nist.gov/A.I._RMF_Knowledge_Base/Glossary. 00:34:42.039 --> 00:34:45.889 28 LDA testing used here refers to the practice of searching for 00:34:45.889 --> 00:34:49.189 less discriminatory alternatives as part of the model testing. 00:34:49.689 --> 00:34:56.259 See CFPB, Interactive Bureau Regulations, 12 CFR Part 1002 (Regulation B), Comment 00:34:56.259 --> 00:35:01.959 for 1002.6– Rules Concerning Evaluation of Applications, 6(a)-2 Effects test, 00:35:02.159 --> 00:35:09.319 https://www.consumerfinance.gov/rules- policy/regulations/1002/interp-6/#6-a-Interp-2. 00:35:10.074 --> 00:35:14.724 29 See, e.g., ROBERT BARTLETT ET AL., CONSUMER-LENDING DISCRIMINATION 00:35:14.724 --> 00:35:16.594 IN THE FINTECH ERA (UNIVERSITY OF 00:35:17.449 --> 00:35:24.649 CALIFORNIA BERKELEY, 2019), https://doi.org/10.1016/j.jfineco.2021.05.047. 00:35:25.249 --> 00:35:28.329 While the research found reduced disparities in interest rates 00:35:28.329 --> 00:35:32.179 charged to borrowers that identified as racial or ethnic minorities, 00:35:32.489 --> 00:35:34.569 disparities were still found to exist. 00:35:35.239 --> 00:35:39.149 The research found that fintech lenders still charged borrowers that identified 00:35:39.149 --> 00:35:43.779 as Black or Latino interest rates 7.9 basis points higher than those charged 00:35:43.779 --> 00:35:45.579 to otherwise-equivalent borrowers. 00:35:46.352 --> 00:35:50.732 privacy laws that involve anonymizing or de-identifying data before selling 00:35:50.732 --> 00:35:55.662 data may be, or may become, ineffective as models develop and become capable of 00:35:55.662 --> 00:36:00.042 more readily and accurately identifying owners of previously anonymized data. 00:36:00.382 --> 00:36:00.742 A.I. 00:36:01.252 --> 00:36:05.862 models and tools require great amounts of data to train and operate, creating a 00:36:05.862 --> 00:36:08.002 demand for more or new sources of data. 00:36:08.642 --> 00:36:09.752 In addition, A.I. 00:36:10.272 --> 00:36:15.262 may create or exacerbate issues related to data accuracy, and the use of inaccurate 00:36:15.262 --> 00:36:19.722 data or providing inaccurate information may also lead to a violation of law. 00:36:20.282 --> 00:36:23.912 Some financial institutions are using certain types of “alternative 00:36:23.912 --> 00:36:27.972 data”30 for credit or insurance underwriting, or to inform other 00:36:27.972 --> 00:36:31.522 types of financial decision-making affecting impacted entities. 00:36:32.032 --> 00:36:35.902 Federal agencies have encouraged the responsible use of alternative data 00:36:36.012 --> 00:36:40.602 and described risk mitigation measures for institutions using such data.31 00:36:41.346 --> 00:36:45.166 The Treasury Non-Bank Report noted concerns that the use of alternative 00:36:45.166 --> 00:36:49.296 data could subject growing amounts of behavior to commercial surveillance.32 00:36:49.296 --> 00:36:53.176 In particular, Treasury noted concerns that the use of data regarding 00:36:53.176 --> 00:36:56.876 individual behavior – even behavior that is not explicitly related 00:36:56.876 --> 00:36:58.546 to financial products -- in A.I. 00:36:58.876 --> 00:37:02.496 models that are used to inform decisions to offer financial products 00:37:02.496 --> 00:37:07.406 and services, such as credit products, could have unintended spillover effects. 00:37:08.101 --> 00:37:13.121 Additionally, A.I.-powered predictive analytics are enabling firms to conjecture 00:37:13.121 --> 00:37:16.901 about the attributes or behavior of an individual based on analysis of 00:37:16.901 --> 00:37:18.991 data gathered on other individuals. 00:37:19.531 --> 00:37:23.291 Such capabilities have the potential to undermine privacy (including 00:37:23.291 --> 00:37:24.821 the privacy of others) and 00:37:25.607 --> 00:37:30.477 30 As used here, “alternative data” refers to information not typically found in 00:37:30.477 --> 00:37:32.907 credit files of credit reporting agencies. 00:37:33.507 --> 00:37:37.737 Generally, alternative data used in financial services is financial data, 00:37:38.037 --> 00:37:42.457 such as account balance and cash- flow data, or rent and utility payments. 00:37:43.097 --> 00:37:46.767 However, other fields, such as education data, have been known 00:37:46.767 --> 00:37:48.597 to be used in credit underwriting. 00:37:49.351 --> 00:37:55.181 31 FRB, CFPB, FDIC, NCUA, & OCC, INTERAGENCY STATEMENT ON THE USE 00:37:55.181 --> 00:37:56.861 OF ALTERNATIVE DATA IN CREDIT 00:37:57.640 --> 00:38:00.420 UNDERWRITING (Dec. 00:38:00.530 --> 00:38:05.510 3, 2019), https://files.consumerfinance.gov/f/documents/cfpb_interagency- 00:38:05.510 --> 00:38:06.110 statement_alternative-data.pdf. 00:38:06.990 --> 00:38:10.930 The interagency statement explained risk mitigation measures such as (1) 00:38:10.930 --> 00:38:14.790 conducting a thorough analysis of relevant consumer protection laws and 00:38:14.790 --> 00:38:19.270 regulations to ensure firms understand the opportunities, risks, and compliance 00:38:19.270 --> 00:38:23.610 requirements before using alternative data, and (2) using data that has a 00:38:23.750 --> 00:38:26.340 “direct relation to consumers’ finances.” 00:38:27.193 --> 00:38:29.263 32 TREASURY, supra note 2. 00:38:29.944 --> 00:38:34.424 dilute the power of existing “opt-out” privacy protections, especially 00:38:34.424 --> 00:38:37.774 when a consumer may not be aware of the information being used about 00:38:37.774 --> 00:38:39.564 them or the way it may be used. 00:38:40.292 --> 00:38:41.492 Third-Party Risks 00:38:42.128 --> 00:38:46.048 Many financial institutions rely on third-party providers for business 00:38:46.048 --> 00:38:48.638 operations, including the use of A.I.. 00:38:49.158 --> 00:38:52.688 This reliance, as well as the increasing complexity of the A.I. 00:38:53.078 --> 00:38:58.028 technologies provided, may exacerbate third-party and related risks.33 00:38:58.749 --> 00:39:03.689 In 2023, federal banking agencies issued interagency guidance on third-party 00:39:03.689 --> 00:39:07.409 risk management, which replaced prior guidance on third-party risk 00:39:07.409 --> 00:39:11.809 management and provided a standardized, principles-based approach for assessing 00:39:11.809 --> 00:39:15.769 and managing risks associated with third- party relationships.34 The 00:39:15.799 --> 00:39:20.179 principles—including those related to due diligence, contract management, and 00:39:20.179 --> 00:39:24.469 ongoing monitoring— may be applicable to financial institutions’ use of A.I. 00:39:24.939 --> 00:39:26.809 developed by third-party vendors. 00:39:27.279 --> 00:39:31.249 The guidance specifies that covered financial institutions are responsible 00:39:31.249 --> 00:39:35.089 for ensuring compliance for all activities performed, including 00:39:35.089 --> 00:39:36.849 those conducted by third-parties. 00:39:37.616 --> 00:39:41.996 Further, the SEC has taken steps to update its expectations for third-party 00:39:41.996 --> 00:39:44.176 risk management for investment advisers. 00:39:44.766 --> 00:39:49.796 In 2022, the SEC proposed a rule under the Investment Advisers Act of 1940 00:39:49.796 --> 00:39:54.056 that would require registered investment advisers to perform due diligence prior 00:39:54.056 --> 00:39:58.296 to outsourcing certain services or functions to service providers and to 00:39:58.296 --> 00:40:02.996 periodically monitor the performance of models developed by third-parties.35 00:40:03.804 --> 00:40:04.754 33 Id. 00:40:05.496 --> 00:40:10.106 34 FRB, FDIC, & OCC, INTERAGENCY GUIDANCE ON THIRD-PARTY 00:40:10.106 --> 00:40:12.526 RELATIONSHIPS: RISK MANAGEMENT (Jun. 00:40:12.866 --> 00:40:13.246 9, 00:40:14.056 --> 00:40:21.096 2023), https://www.federalregister.gov/documents/2023/06/09/2023-12340/interagency-guidance-on-third-party- 00:40:21.096 --> 00:40:26.306 relationships-risk-management. 00:40:27.096 --> 00:40:31.346 35 SEC, OUTSOURCING BY INVESTMENT ADVISERS, 87 Fed. 00:40:31.776 --> 00:40:32.056 Reg. 00:40:32.056 --> 00:40:34.636 68816 (Oct. 00:40:35.296 --> 00:40:36.766 26, 2022), 00:40:37.546 --> 00:40:55.526 https://www.federalregister.gov/documents/2022/11/16/2022-23694/outsourcing-by-investment- advisers#:~:text=SUMMARY%3A,without%20first%20meeting%20minimum%20requirements. 00:40:56.230 --> 00:41:00.160 In addition, the National Association of Insurance Commissioners (NA.I.C) 00:41:00.160 --> 00:41:04.060 adopted the Model Bulletin on the Use of Artificial Intelligence Systems by 00:41:04.060 --> 00:41:08.920 Insurers in December 2023.36 The model bulletin provides principles-based 00:41:08.920 --> 00:41:13.220 guidance reminding insurers that decisions or actions impacting consumers 00:41:13.220 --> 00:41:17.600 that are made or supported by advanced analytical and computational technologies, 00:41:17.920 --> 00:41:22.590 including A.I., must comply with all applicable insurance laws and regulations. 00:41:22.910 --> 00:41:26.840 The bulletin states that insurers are expected to develop and maintain a written 00:41:26.840 --> 00:41:29.140 program for the responsible use of A.I. 00:41:29.510 --> 00:41:33.360 and encourages insurers to use verification and testing methods “to 00:41:33.360 --> 00:41:37.800 identify errors and bias” and the potential for unfair discrimination 00:41:37.800 --> 00:41:39.950 in predictive models and other A.I. 00:41:40.370 --> 00:41:40.970 systems. 00:41:42.136 --> 00:41:42.436 II. 00:41:42.986 --> 00:41:44.186 Overview of Questions 00:41:44.901 --> 00:41:47.881 The questions in this RFI are organized into parts A 00:41:47.881 --> 00:41:50.081 through C in section III below. 00:41:50.621 --> 00:41:54.411 Part A solicits comment on the uses of A.I., including use cases, 00:41:54.611 --> 00:41:59.131 types of models being employed, and variability in use and access to A.I. 00:41:59.481 --> 00:42:01.261 across financial institutions. 00:42:01.721 --> 00:42:06.471 Part B focuses on opportunities and risks associated with financial institutions’ 00:42:06.471 --> 00:42:10.501 use of A.I., and how financial institutions are exploring or pursuing 00:42:10.501 --> 00:42:12.741 potential benefits and managing risks. 00:42:13.251 --> 00:42:17.941 In addition, Part B presents questions on impacted entities—both opportunities and 00:42:17.941 --> 00:42:22.901 risks, particularly those related to bias and discrimination, as well as privacy. 00:42:23.401 --> 00:42:28.271 Part C seeks input on potential further actions to advance responsible innovation 00:42:28.271 --> 00:42:32.141 and competition within the financial sector with respect to the use of A.I.. 00:42:33.448 --> 00:42:33.718 III. 00:42:34.118 --> 00:42:35.498 Request for Information 00:42:36.252 --> 00:42:41.022 36 NA.I.C, NA.I.C MODEL BULLETIN ON THE USE OF ARTIFICIAL INTELLIGENCE 00:42:41.022 --> 00:42:42.532 SYSTEMS BY INSURERS (Dec. 00:42:43.202 --> 00:42:44.382 4, 2023), 00:42:45.165 --> 00:42:53.575 https://content.naic.org/sites/default/files/inline-files/2023-12-4%20Model%20Bulletin_Adopted_0.pdf. 00:42:54.463 --> 00:42:58.563 Treasury welcomes input on any matter that commenters believe is relevant to 00:42:58.563 --> 00:43:03.123 Treasury’s efforts to understand the uses, opportunities, and risks of A.I. 00:43:03.443 --> 00:43:04.763 in financial services. 00:43:05.193 --> 00:43:08.653 Treasury is interested in gathering information from a broad set of 00:43:08.653 --> 00:43:13.113 stakeholders in the financial services ecosystem, including those providing, 00:43:13.113 --> 00:43:17.353 facilitating, and receiving financial products and services, as well as 00:43:17.353 --> 00:43:22.023 consumer and small business advocates, academics, nonprofits, and others 00:43:22.023 --> 00:43:25.953 interested in providing information to Treasury on potential opportunities 00:43:25.953 --> 00:43:28.043 and risks related to the use of A.I. 00:43:28.433 --> 00:43:29.793 in financial services. 00:43:30.489 --> 00:43:33.659 Treasury is further interested in comments on the extent to which 00:43:33.659 --> 00:43:38.289 stakeholders can undertake additional actions to manage the risks posed by A.I. 00:43:38.849 --> 00:43:43.109 and comply with existing legal and regulatory requirements, as well as 00:43:43.109 --> 00:43:46.779 the extent to which existing legal and regulatory requirements may 00:43:46.779 --> 00:43:50.359 need to be enhanced to manage the risks posed by A.I., and whether 00:43:50.359 --> 00:43:53.979 commenters have recommendations for legislative, regulatory, or 00:43:53.979 --> 00:43:58.009 supervisory enhancements that may be appropriate to both foster innovation 00:43:58.239 --> 00:44:00.129 and ensure responsible use of A.I. 00:44:00.649 --> 00:44:02.389 in the financial services sector. 00:44:03.113 --> 00:44:06.583 Treasury is also interested in understanding how the use of A.I. 00:44:07.093 --> 00:44:10.383 may differ across financial institutions of different sizes and 00:44:10.383 --> 00:44:14.763 complexity, and the extent to which such variance may impact competition. 00:44:15.313 --> 00:44:19.513 In particular, Treasury is interested in comments about the extent to which small 00:44:19.513 --> 00:44:24.413 financial institutions may face unique challenges in accessing and using A.I.. 00:44:25.288 --> 00:44:28.418 Commenters are encouraged to address any of the questions relevant 00:44:28.418 --> 00:44:32.088 to them and may respond to all or a subset of the questions. 00:44:32.558 --> 00:44:35.988 When responding to one or more of the questions below, please note in 00:44:35.988 --> 00:44:39.348 your response the number(s) of the questions to which you are responding. 00:44:39.928 --> 00:44:44.188 To the extent possible, please cite data or provide specific examples 00:44:44.188 --> 00:44:45.738 that support your responses. 00:44:46.499 --> 00:44:46.729 A. 00:44:47.279 --> 00:44:48.539 General Use of A.I. 00:44:48.889 --> 00:44:50.229 in Financial Services 00:44:50.937 --> 00:44:54.267 Treasury is interested in understanding the evolving use of A.I. 00:44:54.607 --> 00:44:56.017 in financial services. 00:44:56.607 --> 00:45:00.417 In particular, Treasury is interested in how financial institutions are 00:45:00.417 --> 00:45:02.647 using or exploring the use of A.I. 00:45:03.097 --> 00:45:07.327 in the provision of products and services, risk management, capital markets, 00:45:07.407 --> 00:45:12.767 internal operations, customer services, regulatory compliance, and marketing, as 00:45:12.767 --> 00:45:14.867 outlined in the background section above. 00:45:15.437 --> 00:45:18.427 Treasury is also seeking to understand the types of A.I. 00:45:18.737 --> 00:45:22.537 being used, in particular new developments made to existing A.I. 00:45:22.857 --> 00:45:23.847 and emerging A.I. 00:45:24.217 --> 00:45:28.587 technologies, and how they are developed and deployed by financial institutions. 00:45:29.207 --> 00:45:33.747 Finally, Treasury is interested in gaining insights into the general accessibility 00:45:33.747 --> 00:45:38.387 of A.I.—in terms of economic viability of developing or purchasing A.I. 00:45:38.747 --> 00:45:42.977 technologies, as well as the human resources and infrastructure to support 00:45:42.977 --> 00:45:47.317 their use—across financial institutions, and whether asymmetries with respect to 00:45:47.317 --> 00:45:49.657 accessibility could impact competition. 00:45:50.366 --> 00:45:51.106 Question 1: 00:45:51.833 --> 00:45:53.233 Is the definition of A.I. 00:45:53.773 --> 00:45:57.173 used in this RFI appropriate for financial institutions? 00:45:57.653 --> 00:46:01.473 Should the definition be broader or narrower, given the uses of A.I. 00:46:01.943 --> 00:46:04.573 by financial institutions in different contexts? 00:46:05.203 --> 00:46:08.653 To the extent possible, please provide specific suggestions 00:46:08.653 --> 00:46:10.033 on the definitions of A.I. 00:46:10.333 --> 00:46:11.563 used in this RFI. 00:46:12.343 --> 00:46:13.033 Question 2: 00:46:13.814 --> 00:46:14.834 What types of A.I. 00:46:15.244 --> 00:46:18.154 models and tools are financial institutions using? 00:46:18.714 --> 00:46:22.674 To what extent and how do financial institutions expect to use A.I. 00:46:23.104 --> 00:46:27.354 in the provision of products and services, risk management, capital markets, 00:46:27.434 --> 00:46:32.424 internal operations, customer services, regulatory compliance, and marketing? 00:46:33.089 --> 00:46:33.879 Question 3: 00:46:34.600 --> 00:46:38.630 To what extent does the type of A.I., the development of A.I., or A.I. 00:46:38.990 --> 00:46:42.280 applied use cases differ within a financial institution? 00:46:42.760 --> 00:46:44.950 Please describe the various types of A.I. 00:46:45.440 --> 00:46:48.650 and their applied use cases within a financial institution. 00:46:49.387 --> 00:46:53.737 Are there additional use cases for which financial institutions are applying A.I. 00:46:54.187 --> 00:46:57.687 or for which financial institutions are exploring the use of A.I.? 00:46:58.167 --> 00:47:01.747 Are there any related reputation risk concerns about using A.I.? 00:47:02.187 --> 00:47:04.937 If so, please provide specific examples. 00:47:05.643 --> 00:47:06.363 Question 4: 00:47:07.166 --> 00:47:10.506 Are there challenges or barriers to access for small financial 00:47:10.506 --> 00:47:12.616 institutions seeking to use A.I.? 00:47:13.106 --> 00:47:15.236 If so, why are these barriers present? 00:47:15.686 --> 00:47:19.426 Do these barriers introduce risks for small financial institutions? 00:47:19.856 --> 00:47:23.896 If so, how do financial institutions expect to mitigate those risks? 00:47:24.443 --> 00:47:24.733 B. 00:47:25.173 --> 00:47:29.093 Actual and Potential Opportunities and Risks Related to Use of A.I. 00:47:29.523 --> 00:47:30.883 in Financial Services 00:47:31.616 --> 00:47:32.016 A.I. 00:47:32.356 --> 00:47:36.236 provides opportunities for financial institutions to improve efficiency, 00:47:36.456 --> 00:47:41.506 reduce costs, strengthen risk controls, and expand impacted entities’ access 00:47:41.506 --> 00:47:43.436 to financial products and services. 00:47:44.136 --> 00:47:45.976 At the same time, the use of A.I. 00:47:46.246 --> 00:47:49.826 in financial services can pose a variety of risks for impacted 00:47:49.826 --> 00:47:52.126 entities, depending on its application. 00:47:52.826 --> 00:47:56.696 Treasury is interested in perspectives on actual and potential benefits and 00:47:56.696 --> 00:48:01.186 opportunities to financial institutions and impacted entities of the use of A.I. 00:48:01.576 --> 00:48:06.206 in financial services, as well as views on the optimal methods to mitigate risks. 00:48:06.836 --> 00:48:07.616 In particular, 00:48:08.377 --> 00:48:12.457 Treasury is interested in perspectives on bias and potential discrimination 00:48:12.457 --> 00:48:17.407 as well as privacy risks, the extent to which impacted entities are protected from 00:48:17.617 --> 00:48:21.887 and informed about the potential harms from financial institutions’ use of A.I. 00:48:22.327 --> 00:48:23.657 in financial services. 00:48:24.418 --> 00:48:27.088 Actual and Potential Opportunities and Benefits 00:48:27.770 --> 00:48:28.520 Question 5: 00:48:29.394 --> 00:48:32.524 What are the actual and expected benefits from the use of A.I. 00:48:33.034 --> 00:48:37.184 to any of the following stakeholders: financial institutions, financial 00:48:37.184 --> 00:48:41.464 regulators, consumers, researchers, advocacy groups, or others? 00:48:41.994 --> 00:48:45.814 Please describe specific benefits with supporting data and examples. 00:48:46.344 --> 00:48:47.574 How has the use of A.I. 00:48:47.914 --> 00:48:52.034 provided specific benefits to low-to-moderate income consumers and/or 00:48:52.034 --> 00:48:57.104 underserved individuals and communities (e.g., communities of color, women, rural, 00:48:57.194 --> 00:48:59.434 tribal, or disadvantaged communities)? 00:49:00.149 --> 00:49:01.119 How has A.I. 00:49:01.509 --> 00:49:05.939 been used in financial services to improve fair lending and consumer protection, 00:49:06.169 --> 00:49:08.289 including substantiating information? 00:49:08.779 --> 00:49:10.239 To what extent does A.I. 00:49:10.569 --> 00:49:13.709 improve the ability of financial institutions to comply with 00:49:13.709 --> 00:49:17.479 fair lending or other consumer protection laws and regulations? 00:49:18.089 --> 00:49:22.439 Please be as specific as possible, including details about cost savings, 00:49:22.589 --> 00:49:26.569 increased customer reach, expanded access to financial services, 00:49:26.809 --> 00:49:30.659 time horizon of savings, or other benefits after deploying A.I.. 00:49:31.419 --> 00:49:34.009 Actual and Potential Risks and Risk Management 00:49:34.810 --> 00:49:35.850 Oversight of A.I. 00:49:36.170 --> 00:49:38.520 – Explainability and Bias Question 6: 00:49:39.256 --> 00:49:40.856 To what extent are the A.I. 00:49:41.346 --> 00:49:44.596 models and tools used by financial institutions developed 00:49:44.596 --> 00:49:48.256 in- house, by third-parties, or based on open-source code? 00:49:48.836 --> 00:49:51.216 What are the benefits and risks of using A.I. 00:49:51.596 --> 00:49:54.696 models and tools developed in-house, by third-parties, 00:49:54.966 --> 00:49:56.716 or based on open-source code? 00:49:57.371 --> 00:50:00.771 To what extent are a particular financial institution’s A.I. 00:50:01.141 --> 00:50:05.441 models and tools connected to other financial institutions’ models and tools? 00:50:05.931 --> 00:50:08.861 What are the benefits and risks to financial institutions 00:50:08.861 --> 00:50:10.471 and consumers when the A.I. 00:50:10.761 --> 00:50:14.391 models and tools are interconnected among financial institutions? 00:50:15.015 --> 00:50:15.905 Question 7: 00:50:16.670 --> 00:50:20.580 How do financial institutions expect to apply risk management or other 00:50:20.580 --> 00:50:25.020 frameworks and guidance to the use of A.I., and in particular, emerging A.I. 00:50:25.310 --> 00:50:26.180 technologies? 00:50:26.650 --> 00:50:29.470 Please describe the governance structure and risk management 00:50:29.470 --> 00:50:33.420 frameworks financial institutions expect to apply in connection with the 00:50:33.420 --> 00:50:35.210 development and deployment of A.I.. 00:50:35.550 --> 00:50:40.210 Please provide examples of policies and/or practices, to the extent applicable. 00:50:40.995 --> 00:50:43.985 What types of testing methods are financial institutions 00:50:43.985 --> 00:50:47.355 utilizing in connection with the development and deployment of A.I. 00:50:47.925 --> 00:50:49.015 models and tools? 00:50:49.435 --> 00:50:53.105 Please describe the testing purpose and the specific testing methods 00:50:53.105 --> 00:50:55.135 utilized, to the extent applicable. 00:50:55.874 --> 00:51:00.464 To what extent are financial institutions evaluating and addressing potential gaps 00:51:00.464 --> 00:51:04.784 in human capital to ensure that staff can effectively manage the development 00:51:04.784 --> 00:51:06.754 and validation practices of A.I. 00:51:07.174 --> 00:51:08.264 models and tools? 00:51:08.887 --> 00:51:12.317 What challenges exist for addressing risks related to A.I. 00:51:12.707 --> 00:51:13.647 explainability? 00:51:14.167 --> 00:51:17.747 What methodologies are being deployed to enhance explainability and 00:51:17.747 --> 00:51:19.817 protect against potential bias risk? 00:51:20.482 --> 00:51:21.092 Question 8: 00:51:21.923 --> 00:51:26.353 What types of input data are financial institutions using for development of A.I. 00:51:26.833 --> 00:51:31.373 models and tools, particularly models and tools relying on emerging A.I. 00:51:31.643 --> 00:51:32.493 technologies? 00:51:33.013 --> 00:51:36.453 Please describe the data governance structure financial institutions 00:51:36.533 --> 00:51:40.013 expect to apply in confirming the quality and integrity of data. 00:51:40.633 --> 00:51:44.503 Are financial institutions using “non-traditional” forms of data? 00:51:45.053 --> 00:51:48.793 If so, what forms of “non-traditional” data are being used? 00:51:49.253 --> 00:51:52.613 Are financial institutions using alternative forms of data? 00:51:52.993 --> 00:51:56.163 If so, what forms of alternative data are being used? 00:51:56.823 --> 00:52:02.003 Fair Lending, Data Privacy, Fraud, Illicit Finance, and Insurance Question 9: 00:52:02.832 --> 00:52:06.732 How are financial institutions evaluating and addressing any increase 00:52:06.732 --> 00:52:10.522 in risks and harms to impacted entities in using emerging A.I. 00:52:10.932 --> 00:52:11.782 technologies? 00:52:12.222 --> 00:52:16.572 What are the specific risks to consumers and other stakeholder groups, including 00:52:16.572 --> 00:52:21.012 low- to moderate-income consumers and/or underserved individuals and communities 00:52:21.372 --> 00:52:26.312 (e.g., communities of color, women, rural, tribal, or disadvantaged communities)? 00:52:26.822 --> 00:52:30.592 How are financial institutions protecting against issues such as dark 00:52:30.592 --> 00:52:34.562 patterns – user interface designs that can potentially manipulate impacted 00:52:34.562 --> 00:52:38.282 entities in decision-making – and predatory targeting emerging in 00:52:38.939 --> 00:52:40.059 the design of A.I.? 00:52:40.469 --> 00:52:44.669 Please describe specific risks and provide examples with supporting data. 00:52:45.411 --> 00:52:46.221 Question 10: 00:52:46.971 --> 00:52:51.291 How are financial institutions addressing any increase in fair lending and other 00:52:51.291 --> 00:52:55.401 consumer- related risks, including identifying and addressing possible 00:52:55.401 --> 00:52:59.671 discrimination, related to the use of A.I., particularly emerging A.I. 00:53:00.111 --> 00:53:00.971 technologies? 00:53:01.451 --> 00:53:05.591 What governance approaches throughout the development, validation, implementation, 00:53:05.681 --> 00:53:09.701 and deployment phases do financial institutions expect to establish to 00:53:09.701 --> 00:53:13.971 ensure compliance with fair lending and other consumer-related laws for A.I. 00:53:14.491 --> 00:53:17.551 models and tools prior to deployment and application? 00:53:18.114 --> 00:53:21.874 In what ways could existing fair lending requirements be strengthened or 00:53:21.874 --> 00:53:26.494 expanded to include fair access to other financial services outside of lending, 00:53:26.654 --> 00:53:31.044 such as access to bank accounts, given the rapid development of emerging A.I. 00:53:31.524 --> 00:53:32.334 technologies? 00:53:32.844 --> 00:53:36.764 How are consumer protection requirements outside of fair lending, such as 00:53:36.764 --> 00:53:41.624 prohibitions on unfair, deceptive and abusive acts and practices, considered 00:53:41.624 --> 00:53:43.564 during the development and use of A.I.? 00:53:43.984 --> 00:53:47.284 How are related risks expected to be mitigated by financial 00:53:47.284 --> 00:53:48.874 institutions using A.I.? 00:53:49.554 --> 00:53:50.464 Question 11: 00:53:51.231 --> 00:53:54.681 How are financial institutions addressing any increase in data 00:53:54.681 --> 00:53:57.081 privacy risk related to the use of A.I. 00:53:57.521 --> 00:53:59.891 models, particularly emerging A.I. 00:54:00.361 --> 00:54:01.201 technologies? 00:54:01.661 --> 00:54:05.201 Please provide examples of how financial institutions have assessed 00:54:05.201 --> 00:54:07.391 data privacy risk in their use of A.I.. 00:54:08.148 --> 00:54:11.788 In what ways could existing data privacy protections (such as those 00:54:11.788 --> 00:54:13.788 in the Gramm-Leach- Bliley Act (Pub. 00:54:14.418 --> 00:54:14.628 L. 00:54:14.998 --> 00:54:15.308 No. 00:54:15.758 --> 00:54:19.728 106-102)) be strengthened for impacted entities, given the 00:54:19.728 --> 00:54:21.748 rapid development of emerging A.I. 00:54:22.088 --> 00:54:25.988 technologies, and what examples can you provide of the impact of A.I. 00:54:26.338 --> 00:54:28.468 usage on data privacy protections? 00:54:29.149 --> 00:54:32.629 How have technology companies or third-party providers of A.I. 00:54:33.209 --> 00:54:36.089 assessed the categories of data used in A.I. 00:54:36.469 --> 00:54:40.179 models and tools within the context of data privacy protections? 00:54:40.824 --> 00:54:41.554 Question 12: 00:54:42.479 --> 00:54:46.869 How are financial institutions, technology companies, or third-party service 00:54:46.869 --> 00:54:51.129 providers addressing and mitigating potential fraud risks caused by A.I. 00:54:51.419 --> 00:54:52.299 technologies? 00:54:52.749 --> 00:54:56.459 What challenges do organizations face in countering these fraud risks? 00:54:57.009 --> 00:55:01.579 Given A.I.’s ability to mimic biometrics (such as a photos/video of a customer 00:55:01.609 --> 00:55:05.859 or the customer’s voice) what methods do financial institutions plan to use 00:55:05.859 --> 00:55:09.849 to protect against this type of fraud (e.g., multifactor authentication)? 00:55:10.545 --> 00:55:11.435 Question 13: 00:55:12.224 --> 00:55:16.154 How do financial institutions, technology companies, or third-party 00:55:16.154 --> 00:55:18.544 service providers expect to use A.I. 00:55:18.954 --> 00:55:21.674 to address and mitigate illicit finance risks? 00:55:22.244 --> 00:55:25.434 What challenges do organizations face in adopting A.I. 00:55:25.924 --> 00:55:27.804 to counter illicit finance risks? 00:55:28.334 --> 00:55:30.634 How do financial institutions use A.I. 00:55:31.124 --> 00:55:33.634 to comply with applicable AML/CFT requirements? 00:55:34.124 --> 00:55:36.014 What risks may such uses create? 00:55:36.714 --> 00:55:37.644 Question 14: 00:55:38.388 --> 00:55:42.248 As states adopt the NA.I.C’s Model Bulletin on the Use of Artificial 00:55:42.248 --> 00:55:46.618 Intelligence Systems by Insurers and other states develop their own regulations 00:55:46.618 --> 00:55:50.988 or guidance, what changes have insurers implemented and what changes might they 00:55:51.018 --> 00:55:55.398 implement to comply or be consistent with these laws and regulatory guidance? 00:55:56.007 --> 00:55:57.757 How do insurers using A.I. 00:55:58.227 --> 00:56:01.817 make certain that their underwriting, rating, and pricing practices and 00:56:01.847 --> 00:56:06.207 outcomes are consistent with applicable laws addressing unfair discrimination? 00:56:06.894 --> 00:56:11.814 How are insurers currently covering A.I.-related risks in existing policies? 00:56:12.314 --> 00:56:15.904 Are the coverage, rates, or availability of insurance for financial 00:56:15.904 --> 00:56:18.004 institutions changing due to A.I. 00:56:18.444 --> 00:56:18.974 risks? 00:56:19.444 --> 00:56:23.274 Are insurers including exclusions for A.I.-related risks or 00:56:23.274 --> 00:56:25.174 adjusting policy wording for A.I. 00:56:25.634 --> 00:56:26.134 risks? 00:56:26.762 --> 00:56:27.902 Third-party Risks 00:56:28.588 --> 00:56:29.518 Question 15: 00:56:30.219 --> 00:56:33.769 To the extent financial institutions are relying on third-parties to 00:56:33.769 --> 00:56:38.719 develop, deploy, or test the use of A.I., and in particular, emerging A.I. 00:56:38.999 --> 00:56:42.169 technologies, how do financial institutions expect to 00:56:42.169 --> 00:56:43.789 manage third-party risks? 00:56:44.339 --> 00:56:47.909 How are financial institutions applying third-party risk management 00:56:47.909 --> 00:56:49.509 frameworks to the use of A.I.? 00:56:50.225 --> 00:56:54.315 What challenges exist to mitigating third-party risks related to A.I., 00:56:54.495 --> 00:56:56.575 and in particular, emerging A.I. 00:56:56.955 --> 00:56:59.405 technologies, for financial institutions? 00:56:59.875 --> 00:57:03.055 How have these challenges varied or affected the use of A.I. 00:57:03.465 --> 00:57:07.145 across financial institutions of various sizes and complexity? 00:57:07.736 --> 00:57:08.786 Question 16: 00:57:09.476 --> 00:57:12.706 What specific concerns over data confidentiality does 00:57:12.706 --> 00:57:14.376 the use of third-party A.I. 00:57:14.796 --> 00:57:15.766 providers create? 00:57:16.446 --> 00:57:21.196 What additional enhancements to existing processes do financial institutions expect 00:57:21.196 --> 00:57:25.576 to make in conducting due diligence prior to using a third-party provider of A.I. 00:57:25.986 --> 00:57:26.776 technologies? 00:57:27.462 --> 00:57:30.882 What additional enhancements to existing processes do financial 00:57:30.882 --> 00:57:34.732 institutions expect to make in monitoring an ongoing third-party 00:57:34.732 --> 00:57:37.252 relationship, given the advances in A.I. 00:57:37.692 --> 00:57:38.532 technologies? 00:57:38.982 --> 00:57:43.212 How do financial institutions manage supply chain risks related to A.I.? 00:57:43.948 --> 00:57:44.898 Question 17: 00:57:45.708 --> 00:57:49.278 How are financial institutions applying operational risk management 00:57:49.278 --> 00:57:50.848 frameworks to the use of A.I.? 00:57:51.428 --> 00:57:54.878 What, if any, emerging risks have not been addressed in financial 00:57:54.878 --> 00:57:58.608 institutions’ existing operational risk management frameworks? 00:57:59.237 --> 00:58:03.067 How are financial institutions ensuring their operations are resilient 00:58:03.067 --> 00:58:06.877 to disruptions in the integrity, availability, and use of A.I.? 00:58:07.197 --> 00:58:09.577 Are financial institutions using A.I. 00:58:10.017 --> 00:58:12.607 to preserve continuity of other core functions? 00:58:13.107 --> 00:58:15.177 If so, please provide examples. 00:58:15.862 --> 00:58:16.282 C. 00:58:16.752 --> 00:58:17.712 Further actions 00:58:18.408 --> 00:58:22.428 As noted, Treasury supports responsible innovation and competition in the 00:58:22.428 --> 00:58:26.528 financial sector and seeks to promote a financial system that delivers 00:58:26.528 --> 00:58:28.878 inclusive and equitable access to 00:58:29.580 --> 00:58:33.140 financial services that meet the needs of consumers and businesses, 00:58:33.450 --> 00:58:37.190 while maintaining stability and market integrity, protecting critical 00:58:37.190 --> 00:58:41.020 financial sector infrastructure, and combating illicit finance 00:58:41.020 --> 00:58:42.750 and national security threats. 00:58:43.393 --> 00:58:44.193 Question 18: 00:58:44.992 --> 00:58:49.182 What actions are necessary to promote responsible innovation and competition 00:58:49.182 --> 00:58:50.842 with respect to the use of A.I. 00:58:51.252 --> 00:58:52.622 in financial services? 00:58:53.002 --> 00:58:56.222 What actions do you recommend Treasury take, and what actions 00:58:56.222 --> 00:58:57.722 do you recommend others take? 00:58:58.262 --> 00:59:02.972 What, if any, further actions are needed to protect impacted entities, including 00:59:02.972 --> 00:59:05.542 consumers, from potential risks and harms? 00:59:06.158 --> 00:59:10.768 Please provide specific feedback on legislative, regulatory, or supervisory 00:59:10.768 --> 00:59:12.848 enhancements related to the use of A.I. 00:59:13.308 --> 00:59:17.068 that would promote a financial system that delivers inclusive and equitable 00:59:17.068 --> 00:59:21.298 access to financial services that meet the needs of consumers and businesses, 00:59:21.628 --> 00:59:25.878 while maintaining stability and integrity, protecting critical financial sector 00:59:25.878 --> 00:59:30.388 infrastructure, and combating illicit finance and national security threats. 00:59:30.918 --> 00:59:34.878 What enhancements, if any, do you recommend be made to existing governance 00:59:34.878 --> 00:59:39.078 structures, oversight requirements, or risk management practices as 00:59:39.078 --> 00:59:42.908 they relate to the use of A.I., and in particular, emerging A.I. 00:59:43.418 --> 00:59:44.248 technologies? 00:59:44.879 --> 00:59:45.759 Question 19: 00:59:46.460 --> 00:59:50.230 To what extent do differences in jurisdictional approaches inside and 00:59:50.230 --> 00:59:54.630 outside the United States pose concerns for the management of A.I.-related 00:59:54.630 --> 00:59:56.900 risks on an enterprise-wide basis? 00:59:57.480 --> 01:00:01.640 To what extent do such differences have an impact on the development of products, 01:00:02.350 --> 01:00:04.680 competition, or other commercial matters? 01:00:05.270 --> 01:00:09.340 To what extent do such differences have an impact on consumer protection 01:00:09.370 --> 01:00:11.080 or availability of services? 01:00:11.668 --> 01:00:15.388 This concludes the Request for Information on Uses, Opportunities, 01:00:15.468 --> 01:00:19.298 and Risks of Artificial Intelligence in the Financial Services Sector 01:00:20.016 --> 01:00:24.266 If your Credit union could use assistance with your exam, reach out to Mark Treichel 01:00:24.266 --> 01:00:26.946 on LinkedIn, or at mark Treichel dot com. 01:00:27.466 --> 01:00:30.136 This is Samantha Shares and we Thank you for listening.