Artificial Intelligence and Financial Services
Leaving Brexit aside for a few paragraphs, the data protection topic of the year to date for the financial services industry has been whether its use of Artificial Intelligence complies with data protection laws. Of course, artificial intelligence has been used for years for risk assessment and fraud detection, masquerading under the name of big data. In 2019, however, it seems to have had its second coming, with the regulators showing some concerted interest. The ICO and the National Institute for Health Research-funded Greater Manchester Patient Safety Translational Research Centre jointly commissioned a Citizens Jury to gain insight into public perception of artificial intelligence and whether they think:
- people should always get an explanation for an AI-generated decision, even if that means the AI will not reach such accurate conclusions; and
- when and why explanations for AI-generated decisions are important.
Our Rhiannon Webster participated in the jury as a legal expert on the current laws regulating AI. The findings of this research will feed into guidance being produced jointly by the ICO and The Alan Turing Institute that will give organisations a steer about how they can explain AI to users.
This month, Lloyd's has published two reports exploring the trends in AI within the insurance industry. It analysed the associated risks of AI implementation as well as the potential for AI to help insurers improve their operations.
The report identifies four risk areas for AI: trust and transparency, ethics, security and safety. As artificial intelligence systems become more complex, cyber breaches are likely to have an even greater impact, according to the report. Meanwhile, ambiguity and legal uncertainty are contributing to unanswered questions around who is ultimately liable when something does go wrong.
The reports can be accessed here.
FCA and ICO sign new MOU
In February, the ICO and the Financial Conduct Authority ("FCA") updated their Memorandum of Understanding ("MoU"). The purpose of the MoU is to capture the general principles of collaboration between the parties, with the ultimate aim of developing cooperation and knowledge sharing, resulting in a more cohesive approach to investigations.
The broad principles contained in the MoU are set out below:
- Each party agrees to alert the other to potential breaches of the legislation that the other regulates and to provide necessary supporting information (insofar as legal or procedural restriction on disclosure will permit).
- The parties will liaise with each other on a regular basis to discuss matters of mutual interest and to address common issues and threats. This may include information
  - Investigations and relevant action taken against a person or a firm by one party, which may be relevant to the functions of the other;
  - Criminal, fraudulent or other activity that might cast doubt on the fitness and propriety of an FCA authorised firm, certified individual or approved person; or
  - Intelligence held by the ICO which indicates possible failures of FCA authorised firms' regulated activities (including systems and controls).
- Both parties may request relevant information from each other and, if information is gathered by one party which is deemed to be materially relevant to the other, notification will be provided in order to allow the other party to request disclosure of such information;
- The parties will consult and co-ordinate (where appropriate) in respect of reviews, calls for evidence and recommendations; and
- In the event of a major incident of mutual interest at an FCA-regulated firm, the parties will work together in line with an agreed incident protocol in order to secure the best outcome for consumers, and ensure incidents are dealt with in a coordinated and efficient manner.
Whilst the MoU does make reference to one party taking "the lead" in an investigation if appropriate, it also clearly recognises that there are circumstances where it will be appropriate for both the ICO and the FCA to investigate and take enforcement action. FCA authorised firms should continue to prioritise data protection compliance in order to stay on the right side of both regulators.