
Privacy Can Be the Compass for Banks’ AI Governance Efforts

December 20, 2024 | 1 minute reading time | By Ben Shorten

Prior experience offers guideposts for navigating uncharted regulatory waters.

The pace of change and innovation around generative AI is dizzying. Many banks are now shifting from an initial focus on efficiency and cost optimization to a strong push on value and growth. Return on investment is the name of the game, and some, like JPMorgan Chase, have predicted revenues in the billions from GenAI.

As use cases in banking expand to areas like risk management and customer service, having the right governance mechanisms in place to ensure that artificial intelligence systems are safe, fair, ethical, transparent and secure can’t be overlooked.

For many, it’s a topic of great concern and uncertainty as the regulatory guidance around AI is in its infancy. A 2023 U.S. executive order on the development and use of AI offered a framework at the federal level.

Accenture’s Ben Shorten: Strategic ‘North Star.’

Meanwhile, some states have attempted to fill the void, including the New York State Department of Financial Services with its recent AI cybersecurity guidance and recommended controls. Colorado was the first to approve a more comprehensive set of rules – though changes may be coming before the law is even implemented – and California, Texas and others will consider their own next year.

The recent U.S. elections are sure to bring more change. Whether we see more federal guidance or continued state-driven efforts, AI governance will be expected to go from 0 to 60 miles per hour quickly to establish stature in financial institutions.

The Privacy Template

The banks that get this wrong could be subject to significant regulatory fines, a diminished reputation and brand, loss of trust and, ultimately, increased customer attrition.

The good news, though, is that there’s already a template that banks can follow within their organizations. It comes from another program that faced regulatory uncertainty and had to adapt rapidly to a new set of expectations in the face of increased customer scrutiny: privacy.

Banks can look to the privacy function, and the strategic actions that chief privacy officers have taken, as their North Star to establish proper AI governance procedures and controls.

There are three reasons for this.

1. Speed to stature in an era of imperfect regulatory guidance – Whisper it, but privacy felt like a backwater topic in most banks until the 1999 Gramm-Leach-Bliley Act required financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. But even after that law was enacted, it wasn’t top of mind for many. 

The European Union General Data Protection Regulation (GDPR) and state legislation like the California Consumer Privacy Act added a new dimension, giving customers more control of their data and the right to be forgotten. Privacy suddenly went from having little stature to having to rapidly establish a defensible and sustainable firm-wide approach to compliance.

Time Pressure

Privacy leaders had to learn new skills quickly, in a manner in which colleagues around the table didn’t. Where some compliance and anti-money laundering officers, for example, had a decade or more of industry consent orders to guide certain actions and roll up their capabilities, privacy had 12-18 months.

AI may see an even more compressed cycle as the speed of technology change and product-development lifecycles exponentially accelerates. 

Banking compliance professionals must operate with a sense of testing, learning and continuous improvement – the exact same way privacy operated. The function hardened its controls more quickly as a result, while contending with thorny issues such as geopolitics and cross-border challenges that are likely to crop up again with AI.

2. Data usage and data lifecycles – Both privacy and AI governance hinge on the protection and responsible use of data. Banks’ privacy functions had to quickly understand data lifecycles and data usage to enable effective controls. This includes how data manifests itself within the organization, how that data is used, and ultimately, how long the data is retained.

These lifecycle principles can hold the key to effective AI controls by, for example, leveraging data-usage governance models.

Banks that lack this understanding and fail to revisit data classification and permissions could see significant consequences, including sensitive data exposed to hackers, bias and discrimination, and unintended information leakage.

3. The battle for C-suite attention – Banks walk a regulatory tightrope. Similar to privacy, AI governance may struggle to compete for C-level and board attention. Given the volume of financial services regulations, it could be easy to see governance taking a back seat to topics like fair-lending risk. Add in new regulations around capital requirements, card payments and open banking, and it becomes even more difficult to make inroads on the C-suite agenda.

Chief privacy officers have fought this battle before, establishing pragmatic, risk-based investment plans that can similarly help AI governance leaders break through and command an audience internally.

All of these point to why privacy should be a template for AI governance in banking.

The banks that get this right and allocate resources to strengthen AI governance – including for privacy, security and risk – are expected to experience 35% more revenue growth than those that don’t, according to Gartner. These organizations also report higher regulatory compliance and cost optimization.

And they don’t have to start from scratch.

 

Ben Shorten leads Accenture’s Finance, Risk and Compliance practice for Banking and Capital Markets in North America, and the Consumer Protection practice cross-industry. He has extensive experience partnering with organizations in the U.S., Canada, U.K., Japan and continental Europe to define and deliver approaches to regulatory compliance as well as establishing sustainable risk and control frameworks.
