The Artificial Intelligence Act officially came into force on 1 August 2024. The Act, one of the first of its kind, establishes a common regulatory and legal framework for AI within the European Union. How will it impact the financial sector?
According to Susie Mackenzie, head of legal analysis at Corlytics, regulating AI represents a challenge to regulators as they seek to balance encouraging innovation with managing its risks.
She said, “The EU Act is an important milestone in the global regulatory framework as it is the first attempt to introduce a comprehensive AI law. With its focus on protecting health, safety and fundamental rights, it seeks to ban a limited set of harmful uses of AI and ensure that the most potentially harmful AI applications are subject to the strictest regulations.”
Despite this, Mackenzie outlined that it ‘remains to be seen’ whether the EU AI Act will have the same global impact as previous EU legislative initiatives such as the GDPR – what she calls the ‘Brussels-effect’ whereby its influence extends far beyond the borders of the EU zone.
“We are seeing a diversity of regulatory strategies worldwide, with different regimes emerging across regions. A unique challenge to establishing rules around the use of AI is the regulation of “unknown, unknowns”: the full potential and use of such a rapidly developing technology are difficult to anticipate and some of the long-term success of this EU AI Act will lie in its ability to adapt in future to the new challenges that arise, whilst ensuring there is freedom to innovate,” said Mackenzie.
The legal analysis head explained that the AI Act will also impose a ‘significant compliance burden’ on firms caught by the Act, especially providers and deployers of high-risk AI systems who will need to have policies and procedures in place covering risk management, data governance, transparency and human oversight.
She detailed, “The Act is deliberately broad in its application and will catch providers, deployers, importers and distributors of AI systems in the EU. Penalties for non-compliance are severe and can be up to €35 million or 7% of global annual turnover, whichever is higher.”
As the AI sector continues to evolve, the role of regulation will become increasingly vital. “The AI Act is an ambitious piece of legislation in an area which is in need of regulatory clarity. However, there are concerns that it will stifle innovation with its heavy compliance burden and make the European market less attractive for start-ups,” Mackenzie concluded.
Uniform framework
In the view of Allison Lagosh, head of compliance at Saifr, the AI Act has now taken effect, introducing a uniform framework across all EU countries, based on a forward-looking definition of AI and a risk-based approach.
She added, “The impact will be felt by all firms using AI. Firms will need to evaluate their risk levels appropriately and then align controls, processes, and procedures to comply with the Act requirements.
“Like a risk spectrum, the higher the risk, the more scrutiny and oversight will be needed to control and mitigate the risks. As a result, I think the US will likely follow with a similar framework of regulations, hopefully after observing their growing pains and learning from their lessons.”
Marc Gilman, general counsel and VP of compliance at Theta Lake, also remarked that the primary impact of the AI Act in these early days will be on prohibited risk systems, which he claims are a small subset of use cases.
He commented, “As the remainder of the Act is implemented, the definitions and guidance regarding High Risk systems, in particular, will be crucial. Although the current lack of clarity around the high risk definition complicates planning, there are still steps organizations can take to prepare.
“At Theta Lake, we have built out AI model risk processes and developed supporting documentation to outline how models are created, tested, deployed, and maintained. Such processes are key regardless of the status of the Act — they essentially demonstrate mature software and AI development and appropriate oversight.”
Copyright © 2024 RegTech Analyst