Treasury Issues Request For Information On Uses Of AI



WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.
On June 6, 2024, the U.S. Department of the Treasury issued a Request for Information (RFI) on the uses, opportunities, and risks of artificial intelligence (AI) in the financial services sector.
United States Technology
To print this article, all you need is to be registered or login on

On June 6, 2024, the US Department of the Treasury (Treasury) issued a request for information (RFI) on the "uses, opportunities and risks of artificial intelligence (AI) in the financial services sector."1 The RFI seeks information from a broad range of stakeholders to increase Treasury's understanding of AI as it explores "enhancements to legislative, regulatory, and supervisory frameworks" that may be necessary to govern the use of AI in the financial services sector.2

Given recent statements by senior Treasury officials,3 RFIs from other financial regulators on the use of AI,4 and the increased interest in using the technology on the part of financial institutions,5 this RFI does not come as a surprise.6 Statements by Treasury officials indicate that existing interagency guidance, including the Statement on Model Risk Management and Guidance on Third-Party Relationships,7 may apply when certain financial institutions use AI, but given the potential overlap between AI systems and more traditional models, there have been questions about how to distinguish them and mitigate AI's unique risks.8

Treasury is seeking comments from all parties that may have a perspective on the use of AI in the financial sector or on any question on which it is seeking information. Along with seeking input on the potential opportunities and risks of financial institutions' use of AI, Treasury is seeking information on how AI may affect "impacted entities," which include "consumers, investors, financial institutions, businesses, regulators, end-users, and any other entity impacted by financial institutions' use of AI."9 Comments and information in response to the RFI are due on August 12, 2024.10

What Are Treasury's Objectives in Issuing the RFI?

First, in remarks at the Financial Stability Oversight Council's (FSOC) Conference on AI and Financial Stability, Treasury Secretary Janet Yellen explained that the RFI will serve as a way of "continuing our stakeholder engagement to improve our understanding of AI in financial services."11 Secretary Yellen also announced that Treasury's Federal Insurance Office, which provides expertise on insurance matters to Treasury and other federal agencies, will convene a future roundtable discussion on the "benefits and challenges associated with the use of AI by insurers, best practices, and potential consumer protections to prevent discrimination."12 Given Treasury's focus on mitigating bias in insurance underwriting, this roundtable, along with the RFI, will "contribute to Treasury's improved understanding of how AI impacts different types of financial institutions."13

Second, Treasury is not only seeking to understand AI's role, but is also focused on enhancing supervision to address AI-related risks in the financial services sector. Secretary Yellen announced that FSOC will "continue its efforts to monitor AI's impact on financial stability" and "support efforts to build supervisory capacity to better understand associated risks."14 In particular, Secretary Yellen singled out "scenario analysis, often used by firms and governments to understand opportunities and risks in the context of uncertainty," as potentially "beneficial."15 This suggests that FSOC will enhance its supervision of AI by employing scenario analysis to anticipate AI-related risks and vulnerabilities.

Third, Treasury is prioritizing AI-related enforcement measures. In a separate statement issued in support of the RFI, Under Secretary for Domestic Finance Nellie Liang stated that the Biden Administration "is committed to fostering innovation in the financial sector while ensuring that [it] protect[s] consumers, investors, and our financial system from risks that new technologies pose."16

Key Takeaways

The RFI includes 19 questions that are specific to the use of AI by "a broad set of stakeholders in the financial services ecosystem, including those providing, facilitating, and receiving financial products and services," which are divided into three parts:17

  1. "General uses of AI in financial services";
  2. "Actual and potential opportunities and risks related to AI in financial services"; and
  3. "Further actions".

The key questions and takeaways are as follows:

  • General Uses of AI in Financial Services: Treasury is interested in how institutions are using AI for products, risk management, capital markets, operations, customer service, compliance and marketing.18 Treasury seeks information on the types of AI models used, barriers for small institutions in accessing AI, details on AI model development and deployment, and whether the definition of AI should be broadened or narrowed given the variety of use cases.19
  • Actual and Potential Opportunities and Risks Related to Use of AI in Financial Services: Treasury seeks input on the benefits and risks of using AI in financial services and the best ways to mitigate those risks. In particular, Treasury is concerned with bias, discrimination and privacy risks, and how consumers are "protected from and informed about the potential harms" from financial institutions' use of AI and seeks information on the following topics.20
    • Opportunities and Benefits: Treasury requests examples of the actual and expected benefits of AI to various stakeholders, including financial institutions, regulators, consumers, and underserved communities.21
    • Risks and Risk Management: Treasury seeks to understand AI-related risks, such as oversight issues.22 In particular, Treasury requests information on the risks of using AI models developed in-house, by third parties or based on open-source code. It also seeks to understand financial institutions' policies and practices, governance structures, risk management frameworks and testing methods for AI models. Finally, Treasury seeks information on how institutions address gaps in human capital and the challenges of AI "explainability".23
    • Fair Lending, Data Privacy, Fraud, Illicit Finance and Insurance: Treasury requests information to understand the increased risks to consumers from AI technologies, including discrimination, privacy, fraud and insurance coverage risks.24 Treasury asks how institutions are mitigating AI-associated risks and harms in these areas to consumers, particularly those in underserved communities. It also seeks details on approaches to strengthening existing data privacy protections (such as those in the Gramm-Leach-Bliley Act) and changes implemented by insurers to comply with the National Association of Insurance Commissioners' Model Bulletin on the Use of Artificial Intelligence.25
    • Third-Party Risks: Treasury requests information to understand the risk management challenges associated with third-party AI providers.26 Treasury asks how financial institutions manage these risks and what enhancements are being made to institutions' due diligence and monitoring processes. Treasury also seeks information on the present application of operational risk frameworks to the use of AI, data confidentiality concerns and the management of supply chain risks related to AI.
  • Further Actions: Treasury seeks recommendations on legislative, regulatory or supervisory enhancements to balance innovation with consumer protection and stability, and asks about further actions needed to protect consumers from potential risks and harms.27 Treasury is also interested in how differences in jurisdictional approaches inside and outside the United States impact the management of AI-related risks.

Opportunities for Engagement

As discussed above, Treasury will likely use information submitted in response to the RFI to enhance its supervisory and enforcement approaches to AI. Accordingly, it is important for financial institutions to not only understand the fundamentals and implications of AI but also consider engaging with the RFI through the following actions:

  • Providing Detailed Input on AI Use Cases: Financial institutions should consider sharing examples of AI applications within their operations. This includes successful implementations in product offerings, risk management, capital markets, internal operations, customer service, regulatory compliance and marketing. Highlighting use cases can help shape Treasury's regulatory priorities by providing representative use cases.
  • Identifying Barriers and Proposing Solutions: Financial institutions, especially smaller ones, should consider communicating any challenges or barriers to access they face in accessing AI technologies. For example, Treasury has acknowledged that larger financial institutions that have already migrated some of their systems and data into cloud computing platforms will likely be able to take advantage of AI developments sooner than those that have not.28 Providing insights into these issues and suggesting feasible solutions can help create a more level playing field in the financial sector.
  • Recommending Governance and Risk Management Enhancements: Financial institutions should consider describing current risk management practices at a general level. According to Treasury, financial institutions are embedding AI-specific risk management within their enterprise risk management programs, integrating it with broader risk management practices.29 This aligns with the "three lines of defense" approach outlined by the Basel Committee on Banking Supervision and others, which includes business line responsibility, corporate risk management support and auditing risk controls.30 Providing detailed examples of these frameworks can help Treasury understand the current thinking around oversight and risk management.
  • Addressing Ethical and Compliance Concerns: Treasury is keenly interested in AIrelated issues concerning bias, discrimination and data privacy. Yet financial institutions interviewed by Treasury have stated that they rely on existing risk management methodologies to mitigate AI threats even though these supervisory risk management and operational resiliency expectations may not address AI.31 Financial institutions should consider detailing how they are addressing these concerns, including methodologies to enhance AI explainability and mitigate bias.
  • Engaging in Third-Party Risk Discussions: Treasury has underscored the importance of due diligence in addressing third-party-related AI issues such as technology integration, data privacy, retention policies, and model validation and maintenance.32 By engaging with the RFI, financial institutions may be able to influence the development of tailored third-party risk management frameworks that reflect industry realities and best practices.

Financial institutions, however, need not restrict themselves to the RFI questions in their responses. Below are a few additional points not covered in the RFI that may be worth including in comments to the RFI:

  • Evaluating Scenario Analysis for AI Risks: Financial institutions should consider commenting on the efficacy of applying scenario analyses to monitor for AI-related risks, which Secretary Yellen suggested. Given the significant data and modeling gaps banks faced during the Federal Reserve's recent Pilot Climate Scenario Analysis,33 similar issues could likely arise in an AI scenario analysis, especially given rapidly evolving AIrelated risks. Treasury should address these potential challenges and propose solutions to enhance resilience and accuracy before any AI scenario analyses are approved.
  • Data Quality, Interconnections and "Data/Model Poisoning" Risks: Financial institutions should consider commenting on the "interconnections that emerge as many market participants rely on the same data and models," a point also raised by Secretary Yellen.34 This issue is compounded when larger institutions rely on data of varying (or uncertain) provenance, which can lead to "model collapse" or other systemic failures.35 Similarly, in the context of generative AI, as AI-generated content increasingly fills the internet, it "poisons" the training data for future models, creating a cycle of degraded data quality.36 Financial institutions should seek clarity on how Treasury plans to address these potential systemic risks and ensure the integrity of AI training data, or offer their thoughts about how to do so effectively.


As financial institutions and consumers continue to explore the use of novel forms of AI, regulators are seeking to understand the technology and the impact its increased adoption would have on the broader financial system. Treasury indicated that it would use the information gathered from this process to inform future AI-related initiatives and support more formal supervisory processes and enforcement actions. As a result, financial institutions should consider submitting comments and information in response to the RFI to ensure that Treasury has broad information about the potential uses and risks of AI as it contemplates additional enhancements to its legislative, regulatory and supervisory frameworks.


1 Departmental Offices, US Dep't of the Treasury, Request for Information on Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector (June 6, 2024),

2 RFI at 9.

3 We previously addressed Treasury and other regulators' guidance on AI use in our webinar series. See, e.g., AI & Financial Services – Part One, WilmerHale (Mar. 14, 2024),; AI & Financial Services – Part Two, WilmerHale (Apr. 16, 2024), ai-and-financial-services-part-two

4 See, e.g., CFTC Staff, Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets (Jan. 25, 2024),; CFTC Issues Request for Comment on Uses of AI, WilmerHale (Feb. 2, 2024), /media/files/shared_content/editorial/publications/wh_publications/client_alert_pdfs/20240202-cftc-issuesrequest-for-comment-on-uses-of-ai.pdf.

5 "To the extent applicable,'financial institutions' in this RFI includes banks, credit unions, insurance companies, non-bank financial companies, financial technology companies (also known as fintech companies), asset managers, broker-dealers, investment advisors, other securities and derivatives markets participants or intermediaries, money transmitters, and any other company that facilitates or provides financial products or services under the regulatory authority of the federal financial regulators and state financial or securities regulators." RFI at n.1.

6 See, e.g., Remarks by Under Secretary for Domestic Finance Nellie Liang on Artificial Intelligence in Finance, Dep't of the Treasury (May 22, 2024), ("focus[ing] on how financial policymakers are learning about the use of new AI tools by financial firms, and what kinds of risks these tools could introduce to the financial system"); Remarks by Assistant Secretary for Financial Institutions Graham Steele at the George Washington University Law School Business & Finance Law Program, Dep't of the Treasury (Jan. 18, 2024), (noting "the work that we are undertaking on the implications of artificial intelligence (AI) on financial services sector cybersecurity"); Remarks by Assistant Secretary Graham Steele at the Federal Insurance Office and NYU Stern Volatility and Risk Institute Conference on Catastrophic Cyber Risk and a Potential Federal Insurance Response, Dep't of the Treasury (Nov. 17, 2023), (stating that "Treasury's . . . upcoming work that we are undertaking on the implications of artificial intelligence, or 'AI,' on financial services sector cybersecurity" is "one of the most important issues of the day"); Remarks by Assistant Secretary for Financial Institutions Graham Steele at the Amazon Web Services (AWS) Gov2Gov Summit on Responsible Artificial Intelligence Innovation for the Public Sector, Dep't of the Treasury (Oct. 24, 2023), ("shar[ing] my views on some of the potential benefits and risks of AI that we at Treasury have been thinking about, including in the consumer finance and insurance industries").

7 Federal Reserve, FDIC & OCC, Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37,920 (June 9, 2023),; Federal Reserve, SR 11-7 (Apr. 4, 2011), Attachment (Supervisory Guidance on Model Risk Management),; OCC, Bulletin 2011-12 (Apr. 4, 2011), Attachment (Supervisory Guidance on Model Risk Management),; see also FDIC, FIL-22-2017, Adoption of Supervisory Guidance on Model Risk Management (June 7, 2017),

8 Remarks by Under Secretary for Domestic Finance Nellie Liang, supra note 6 (explaining that "principles of model . . . [and] third-party risk management . . . . [f]air lending, fair credit, and data privacy laws . . . , [and] securities laws . . . . [w]hile not specific to AI . . . appl[y] to AI and [are] designed to address risks regardless of the technology used"). But see id. ("It is from this starting point that we consider whether AI presents risks that are not adequately addressed in the existing framework. These risks could be of the same type, but of greater magnitude, or they may be entirely new types of risks.").

9 RFI at 3.

10 Press Release: US Department of Treasury Releases Request for Information on Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector, US Dep't of the Treasury (June 6, 2024),

11 Remarks by Secretary of the Treasury Janet L. Yellen at the Financial Stability Oversight Council Conference on Artificial Intelligence and Financial Stability (June 6, 2024),

12 Id.

13 Id.

14 Id.

15 Id.

16 US Department of Treasury Releases Request for Information, supra note 11.

17 RFI at 18.

18 RFI at 19.

19 The RFI adopts the meaning of AI from President Biden's Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (Executive order 14110). This definition includes systems that use model inferences to process information or act. Yet, the RFI acknowledges that existing model guidance might be insufficient for regulating AI. RFI at 8 (citing 15 U.S.C. 9401(3)). This definition of AI is set forth in Section 3(b) of Executive Order 14110 and in 15 U.S.C. 9401(3): The term "artificial intelligence" or "AI" has the meaning set forth in 15 U.S.C. 9401(3): a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. Artificial intelligence systems use machine- and human based inputs to perceive real and virtual environments; abstract such perceptions into models through analysis in an automated manner; and use model inference to formulate options for information or action.

20 RFI at 21.

21 RFI at 21.

22 RFI at 21–23.

23 "Explainability" is a technical term that refers to the ability to describe the behavior of a machine learning model in human-understandable terms. With complex models, often termed "black boxes," it can be very difficult to explain how and why their inner mechanics influence the predictions they make. See generally What Is Explainable AI?, IBM, (accessed June 10, 2024).

24 RFI at 23–26.

25 RFI at 25–26.

26 RFI at 26–27.

27 RFI at 27–28.

28 US Dep't of the Treasury, Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector 13-14 (Mar. 27, 2024) [hereinafter March 2024 Treasury Report],

29 Id. at 26.

30 See, e.g., Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011),; Institute of Internal Auditors, Three Lines Model: An Update to the Three Lines of Defense (Sept. 9, 2020),

31 March 2024 Treasury Report, supra note 28, at 26.

32 Id. at 29 (noting that "financial institutions should consider expanding their typical third-party due diligence and monitoring to account for AI-specific factors").

33 The exercise included the following six banks: Bank of America, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley and Wells Fargo. As they attempted their own climate scenario analysis, participating banks reported "significant data and modeling challenges in estimating climate-related financial risks," including "a lack of comprehensive and consistent data related to building characteristics, insurance coverage, and counterparties' plans to manage climate-related risks. In many cases, participants relied on external vendors to fill data and modeling gaps." Federal Reserve, Pilot Climate Scenario Analysis Exercise: Summary of Participants' Risk-Management Practices and Estimate (May 2024),

34 Remarks by Secretary of the Treasury Janet L. Yellen at the Financial Stability Oversight Council Conference on Artificial Intelligence and Financial Stability, supra note 10.

35 See generally Rahul Rao, AI-Generated Data Can Poison Future AI Models, Scientific Am. (July 28, 2023), ("Researchers can watch AI's poisoning in action. For instance, start with a language model trained on human-produced data. Use the model to generate some AI output. Then use that output to train a new instance of the model and use the resulting output to train a third version, and so forth. With each iteration, errors build atop one another. The 10th model, prompted to write about historical English architecture, spews out gibberish about jackrabbits. . . . Shumailov and his colleagues call this phenomenon 'model collapse.'").

36 Id.; see also March 2024 Treasury Report at 50 (defining "data poisoning" as "poisoning attacks [that] occur in the training phase by introducing corrupted data. An example would be slipping numerous instances of inappropriate language into conversation records, so that a chatbot interprets these instances as common enough parlance to use in its own customer interactions"); id. at 2 (explaining that AI systems are "more vulnerable to these concerns than traditional software systems because of the dependency of an AI system on the data used to train and test it."). CFTC, Release Number 8905-24, CFTC Technology Advisory Committee Advances Report and Recommendations to the CFTC on Responsible Artificial Intelligence in Financial Markets (May 2, 2024), (stating that "'poisoning' real world data sources encountered by the AI model" is a "well-known AI risk.").

To view the original article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More