On October 30th, the Biden-Harris administration released a comprehensive 63-page executive order on the “safe, secure, and trustworthy development and use of artificial intelligence.” Since releasing a blueprint for an AI bill of rights last October, the White House and federal agencies in the United States have been moving towards AI guidelines and regulations. The National Institute of Standards and Technology (NIST) released its Artificial Intelligence Risk Management Framework (RMF) in January, and major tech companies—like Amazon, Google, and Microsoft—committed to AI safeguards this summer.
With the release of this executive order, the White House is outlining specific AI risks and prescribing some regulations for agencies to comply with in the next 90 to 365 days. Thinking specifically about the impact on the financial sector, I have noticed a few key takeaways that leaders at financial institutions should pay attention to.
The executive order called upon several different agencies to put forth different guidelines and best practices for financial services. By March 28, 2024, the Secretary of the Treasury must release a public report on best practices for financial institutions to manage AI-specific security risks. AI introduces a whole new realm of cybersecurity risks. Hackers and bad actors can use AI as a weapon to infiltrate systems, such as using generative AI in social engineering to emulate someone’s voice or create very personalized phishing campaigns. Financial institutions will need to consider different strategies, such as updating cybersecurity practices or enhancing training for employees, to protect against these types of risks.
By April 27, 2024, the Secretary of Homeland Security must incorporate NIST’s AI RMF and other security guidance into relevant safety and security guidelines for critical infrastructure owners and operators. Critical infrastructure as defined in the Patriot Act includes financial services. After these guidelines are completed, agencies have 240 days to help the Federal Government mandate them and enforce them through regulatory or other appropriate action. Finally, independent regulatory agencies are encouraged to consider mandating guidance themselves.
NIST has long been at the forefront of evolving regulation. As part of the executive order, NIST has been called upon to complete very specific activities. By July 26, 2024, NIST must:
Foundation model providers, such as OpenAI, are receiving special scrutiny. The government recognizes that many companies leverage these foundation models to create specialized AI applications. By providing further guidelines and regulations to these models, the government is essentially working towards protections and regulations across all these specialized AI applications through the root of the foundation model.
Finally, one of the most interesting quotes in the entire document that could directly affect banks is: “Agencies are discouraged from imposing broad general bans or blocks on agency use of generative AI… With appropriate safeguards in place, [agencies should] provide their personnel and programs with access to secure and reliable generative AI capabilities.” The Federal Government is implying that agencies that are avoiding AI are making the wrong choice and should instead look for ways to experiment with or implement AI for “routine tasks that carry a low risk of impacting Americans’ rights.” I am very encouraged by this. Not only is the Federal Government leaning in to protect citizens’ rights, but it is also recognizing that systems are enabling efficiencies and providing real value. They aren’t simply toys or a new “fad.”
While the executive order itself serves more like a plan or roadmap for a variety of agencies, regulation will be fast approaching in the spring and summer of 2024. While agencies and creators of AI models will be directly impacted by these guidelines and regulations, financial institutions themselves need to also prepare for upcoming regulation. To avoid getting caught off guard, financial institutions should take two key actions at the close of 2023 and into the start of 2024:
Posh will continue to watch for releases on best practices, guidelines, and regulations from federal agencies and provide insights and takeaways for the financial services industry. If you have specific questions about the new executive order and what it means for you and your business, reach out to Posh.