Legal and Operational Perspectives on AI applications

Written By

Giuseppe D'Agostino

Of Counsel
Italy

I joined Bird & Bird in March 2020 as Of Counsel, taking up the position of Co-Head of the International Finance & Financial Regulation Practice with a focus on regulatory compliance and FinTech.

The integration of artificial intelligence (AI) into the financial sector promises transformative advancements, ranging from enhanced customer assistance and personalised financial services to improved fraud detection and operational efficiency. However, the adoption of AI in the financial services landscape brings forth a complex array of legal and operational challenges.

Regulatory Framework for AI in Financial Services

The EU AI Act represents a significant step toward regulating AI technologies across various sectors, including finance. Its requirements have an impact on the processes on which many financial services could be built or operated.

In the financial sector, the only areas covered by high-risk AI system requirements are:

  • AI systems for individual creditworthiness assessment (excluding those used for detecting financial fraud);
  • AI systems for risk assessment in health or life insurance (determining risk and pricing for individuals seeking insurance).

For these use cases the AI Act requires rigorous maintenance of all technical documentation for compliance, monitoring of operations and incidents, specification of responsibilities, and risk assessment policies and procedures.

However, the AI Act does not explicitly cover any financial services other than those mentioned above, nor other important processes based on AI models or systems, which raises the question of the specific rules to be applied in these cases.

To this end, financial institutions (with the assistance of their internal and/or external legal experts) should:

  • Harmonise the AI Act rules with the corporate governance, risk management and conduct of business rules established by the Capital Requirements Regulation (CRR) and the Capital Requirements Directive (CRD) for credit institutions, and by other regulations such as Solvency II and the Insurance Distribution Directive (IDD) regarding insurance companies and distributors, the Markets in Financial Instruments Directive (MiFID II) regarding investment firms, the revised Payment Services Directive (PSD2), the Undertakings for Collective Investment in Transferable Securities Directive (UCITS), etc.
  • Align AI Act standards with the digital operational resilience strategy as required by the Digital Operational Resilience Act (DORA), the pivotal regulation for the governance of ICT risks for financial institutions.

Integrating AI Governance with ICT Governance

The Digital Operational Resilience Act (DORA), which comes into force on 17 January 2025, requires financial institutions to maintain secure and resilient network and information systems that support their business models.

It is interesting to note that the AI Act does not specifically cover AI in investment services, while DORA lacks specific guidance on AI in investment services or, for example, collective asset management services.

Financial institutions must harmonise AI-specific regulations with the existing ICT governance framework under DORA to ensure compliance and operational resilience. This involves adopting internal rules for designing, implementing, and monitoring their digital strategy, including AI systems and data sets.

As DORA does not explicitly regulate AI systems, the AI Regulation's provisions on governance and risk management of AI (and datasets) can be used to address AI systems that are not classified as high risk, taking into account the principle of proportionality and also drawing on other important guidance from EU supervisory authorities or international organisations.

Financial institutions must ensure AI systems perform as expected throughout their lifecycle by establishing the algorithmic framework, documenting rationale and assumptions, describing expected output and quality, explaining technical trade-offs, defining responsibilities, and implementing robust risk management.

Implications for Human Resources

It is crucial to have suitably skilled human resources to manage the complex tasks involved in AI governance and ICT strategy. This includes expertise in AI development, data management, cybersecurity, and regulatory compliance. Ensuring that staff have the necessary skills and training is essential for maintaining the integrity, security, and efficiency of AI systems.

Concrete Examples of AI Applications

  • Robo-Advisors: these are AI-based tools that provide online financial advice with minimal human intervention, offering personalised investment strategies based on financial goals, risk tolerance, and time horizon;
  • Fraud Detection: AI systems are extensively used for fraud detection in banking and financial services through machine learning capable of analysing vast amounts of transaction data to identify patterns indicative of fraudulent activities; and
  • Credit Scoring: AI is improving the accuracy of credit scoring models by being able to consider alternative data sources, such as social media activity, transaction history and even mobile phone usage patterns, alongside traditional data. This allows individuals with limited credit histories to receive a more comprehensive assessment of their creditworthiness.

Implementation outlook

AI implementation in the financial sector presents risks and challenges, including:

  • opaque decision-making ("Black Box"), leading to accountability and compliance issues;
  • data biases, which can result in discriminatory outcomes in credit scoring and insurance pricing;
  • privacy concerns, as AI systems require extensive personal data, necessitating stringent data protection and GDPR compliance.

In the financial sector, human oversight is also critical to mitigating AI risks. Individuals should have the authority to withhold, override or reverse AI outputs and ensure the safe cessation of AI activities to address anomalies and maintain system integrity and financial stability.

In conclusion, integrating AI into the financial sector offers significant opportunities and challenges. By aligning the AI Act with existing regulations and integrating AI governance into DORA's ICT frameworks, institutions can create AI systems that are compliant, transparent, and resilient. Financial institutions must stay adaptive to evolving technology and regulatory landscapes.


For further information, please contact Giuseppe D’Agostino.

This article was published in the July 2024 special AI edition of Bird & Bird's monthly Connected newsletter.
