Global Regulatory Brief: Digital finance, July edition

The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.

Digital finance regulatory developments

As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. From financial services use-cases of AI in the EU to data protection in Hong Kong, the following developments in digital finance over the past month stand out:

  • Hong Kong: PCPD publishes AI data protection framework 
  • Singapore: Deputy Prime Minister launches Model AI Governance Framework for Generative AI 
  • EU: ECB consults on cloud outsourcing guidance
  • EU: Commission consults on AI in financial services
  • Singapore: Monetary Authority publishes White Paper on Emerging Risks and Opportunities of Generative AI for Banks
  • Singapore: Monetary Authority publishes Data Governance Information Paper for the financial sector
  • US: New York state nearly passes labeling requirements for generative AI
  • US: Treasury releases request for information on AI in financial services
  • Taiwan: FSC issues final AI guidelines for financial services

Hong Kong Privacy Commissioner publishes AI data protection framework

The Privacy Commissioner for Personal Data (PCPD) in Hong Kong has released a “Model Personal Data Protection Framework for Artificial Intelligence” to guide organizations in developing and using AI systems responsibly. 

Summary: This framework aims to ensure compliance with the Personal Data (Privacy) Ordinance (PDPO) and promote ethical AI practices. 

Key features: The framework includes guidelines on AI strategy and governance, risk assessment and human oversight, customization and management of AI systems, and communication with stakeholders. 

  • It encourages a risk-based approach to data protection in AI development and use, and emphasizes data minimization and purpose limitation
  • It also introduces guidelines for ensuring data accuracy and security, recommendations for transparency and accountability in AI systems, and guidance on conducting privacy impact assessments for AI projects

Future steps: The PCPD plans to engage with stakeholders to refine and improve the framework, encouraging its adoption across various sectors. They will also continue to monitor AI developments and update guidance as needed to address emerging privacy challenges in the rapidly evolving field of AI.

Singapore Deputy Prime Minister launches Model AI Governance Framework for Generative AI and Project Moonshot

Singapore’s Infocomm and Media Development Authority (IMDA) has developed the Model AI Governance Framework for Generative AI to provide non-binding guidance to businesses across the AI supply chain on developing and deploying AI safely.

Singapore’s approach to AI governance: The Framework underscores Singapore’s focus on industry engagement with an emphasis on developing practical AI safety tools and consistent advocacy of international interoperability in AI governance.

In summary: The Framework outlines nine dimensions which should be looked at in totality. These are: Accountability, Data, Trusted Development and Deployment, Incident Reporting, Testing and Assurance, Security, Content Provenance, Safety and Alignment Research & Development, AI for Public Good.

Closely related: IMDA also launched Project Moonshot, an LLM evaluation toolkit, designed to integrate benchmarking, red teaming, and testing baselines.

  • It is intended to help developers, compliance teams, and AI system owners manage LLM deployment risks by providing a seamless way to evaluate their applications’ performance, both pre- and post-deployment
  • This open-source tool is hosted on GitHub and is currently in beta

ECB consults on cloud outsourcing guidance

The European Central Bank (ECB) launched a public consultation on its Guide on outsourcing cloud services to cloud service providers. 

Who does this apply to? The guidance applies to EU banks directly supervised by the ECB and is intended to clarify legal requirements and supervisory expectations and ensure consistent supervision.

Key elements: The Guide outlines the ECB’s supervisory expectations and best practices for banks’ outsourcing of cloud services on a number of elements, including: governance, availability and resilience of cloud services; ICT security, data confidentiality and integrity; exit strategy and termination rights; oversight, monitoring and internal audits.

Link to EU legislation: While the guidance is not binding and does not supersede EU law, it is closely related to existing EU legislation, notably the EU Digital Operational Resilience Act (DORA) and the Capital Requirements Directive (CRD), requiring banks to establish effective governance of risk stemming from outsourcing, as well as to build up frameworks for IT security and for cyber resilience. The Guide outlines the ECB’s understanding of these specific rules and how they apply to the banks it supervises.

Next steps: The stakeholder consultation period is open until July 15, 2024. The ECB will subsequently publish the comments received, together with a feedback statement and the final Guide.

EU consults on AI in financial services

The European Commission team responsible for financial markets (‘DG FISMA’) has opened a consultation on Artificial Intelligence (AI) in the financial sector to generate feedback on where guidance is needed for the implementation of the upcoming AI Act in specific market areas of financial services.

Objective: The goal is to identify the main use cases and the benefits, barriers and risks related to the development of AI applications in the financial sector. 

  • DG FISMA notes that this consultation should not lead to new policy work, but instead help them understand the challenges firms face in the implementation of the AI Act and existing financial services legislation
  • Competition policy issues are not included in this consultation

Structure: The consultation first asks general questions on the development of AI, covering issues including data access, obstacles in the development of AI applications, dependencies on a ‘small number’ of third-party providers, and using and scaling GPAI.

The consultation then asks questions around specific use cases in finance, mainly targeting banking, market infrastructure, securities markets, insurance & pensions and asset management.

AI Act application in the financial sector: The AI Act will establish two high risk use cases for the financial sector: 

  1. AI systems used to evaluate the creditworthiness of natural persons (excl. detecting financial fraud)
  2. AI systems used for risk assessment and pricing in relation to natural persons in the case of life and health insurance

Monetary Authority of Singapore outlines emerging risks and opportunities of generative AI for banks

The Monetary Authority of Singapore (MAS)-led industry consortium MindForge – comprising Accenture, Citi, DBS, Google, HSBC, Microsoft, OCBC, Standard Chartered, The Association of Banks in Singapore and UOB – published a whitepaper setting out the banking sector’s perspective on the responsible use of Generative AI.

In summary: This paper draws primarily on consortium members’ experience with language-based Generative AI systems (supported by LLMs), the earliest forms of Generative AI to gain widespread adoption among financial institutions (FIs).

  • Common use cases identified in the paper include development assistant, risk identification, knowledge management, market research, sales efficiency, hyper-personalized marketing and personalized explanation for denial.
  • While the paper recognises that the adoption of Generative AI has significant potential to improve customer satisfaction, enhance employee experience while augmenting their productivity, reduce costs, enhance decision-making, and mitigate risks, it also examines risks posed by Generative AI systems.
  • Specifically, the paper looks at how such risks extend beyond the scope of current Fairness, Ethics, Accountability and Transparency (FEAT) Principles, published in 2018.

Risk mapping: Key risk dimensions identified which should be considered beyond FEAT Principles are Intellectual Property and Privacy, Monitoring and Stability, and Cyber and Data Security.

  • The paper also noted the greater role played by third-party technology firms providing Foundation Model and Large Language Model products/services
  • The consortium recommended that roles of AI and Data Analytics providers be defined, and clarified FIs’ responsibility to set out necessary service level agreements and contractual terms with third-party vendors, including the need for regulatory access when required

Industry use case: The paper outlined an experimental proof-of-concept jointly developed by UOB, Accenture, SCB, HSBC, Citi and Microsoft – the Compliance Co-Pilot, an intelligent assistant powered by Generative AI, to assist FIs in managing complex tasks that are effort-intensive throughout the policy lifecycle in a context-specific manner.

The use case serves to assess Generative AI capabilities in compliance management, and design a security framework that helps facilitate secure and responsible sharing, storage and processing of proprietary/confidential data from banks.

Monetary Authority of Singapore publishes data governance information paper for the financial sector

The Monetary Authority of Singapore published a paper setting out supervisory expectations on financial institutions (FIs)’ data governance practices with a particular focus on data quality risk. The paper also shares best practices observed from MAS’ thematic inspection on data governance and management of systemically important banks in Singapore. 

Important context: MAS’ expectations are based on requirements set by the Basel Committee on Banking Supervision under its “Principles for effective risk data aggregation and risk reporting”. 

In more detail: MAS highlighted the importance of data to the financial services industry which is used for a wide range of use-cases, such as fraud surveillance, liquidity management, and investment management. 

  • MAS noted that as FIs step up their use of data, including for AI and machine learning, the need for robust data governance must not be overlooked
  • Data governance plays a vital role in ensuring that data relied upon for the above purposes is accurate, consistent, and complete
  • Privacy and confidentiality breaches must also be mitigated against to address the risk of data being misused

Supervisory expectations: FIs are expected to benchmark their data governance and management practices, including against international standards, taking into account their organizational structure, business model, scale of operations and risk profile.

Key themes: MAS’ observations and suggested best practices are grouped into 5 themes:

  • Board and Senior Management Oversight
  • Data Management Organisation
  • Data Quality Management and Controls
  • Data Quality Issues Identification and Escalation
  • Observations Relating to BCBS 239

New York State nearly enacts generative AI warning requirements

State legislators in New York came close to passing what would have been first-in-the-nation labeling requirements for artificial intelligence systems.

In more detail: The State Senate passed the bill (SB 9450) prior to the adjournment of the legislative session for the year on June 8th, but the Assembly did not.

  • The legislation stemmed from a generative AI system creating inaccurate stories about New York State legislators facing accusations of sexual harassment
  • Notably, the bill also contained a broad definition of “artificial intelligence system” and “artificial intelligence”

Why it matters: Absent federal action on AI regulation, states are increasingly taking steps to implement their own regulatory regimes. 

  • To date, these efforts have largely been focused on specific issues like deep fakes or election related content
  • This dynamic is typical of the U.S. system, where states will at times act as testing grounds for legislative and regulatory proposals when there has been no federal action on a particular issue

Looking ahead: Expect to see continued movement on AI regulation at the state level in the coming months. As for this particular bill, it would not be surprising to see it come back in the next legislative session.

U.S. Treasury releases request for information on AI in Financial Services

The U.S. Treasury issued a Request for Information (RFI) on the use of AI in financial services in an effort to better understand the “opportunities and risks” posed by AI to the sector. 

The intention: The RFI is purposefully broad in scope and is positioned to provide Treasury with insights as to how AI impacts the financial system broadly. 

Looking ahead: The Treasury has indicated that it would like to hear feedback on potential enhancements to legislative, regulatory and supervisory frameworks that are applicable to AI in the financial services space.

  • While this may seem fairly open ended, it is largely in line with what President Biden’s 2023 Executive Order on AI directed federal agencies to do
  • Namely, this Executive Order directed federal agencies to assess the impact of AI within their regulatory purview and then determine the best course of action
  • Comments are due by August 12, 2024

Taiwan regulator issues final AI guidelines

Taiwan’s Financial Supervisory Commission (FSC) has released comprehensive guidelines for the use of Artificial Intelligence in the financial industry.

In summary: The guidelines aim to encourage financial institutions to responsibly innovate and develop trustworthy AI applications for financial services. They were drafted based on six core principles established in October 2023, incorporating input from various stakeholders and international best practices.

Key Features: The guidelines are divided into two parts:

  • General Principles: Consisting of AI-related definitions, the AI system lifecycle, factors considered in risk assessment, ways to implement core principles based on risk, and supervision and management of third-party providers, among other common matters
  • Six Main Chapters: Consisting of how the financial industry should focus on key areas and adopt measures when implementing six core principles, according to the AI lifecycle and assessed risks. This includes objectives, key concepts, corresponding considerations for each principle, implementation methods, or measures to be taken

The intention: The guidelines aim to provide flexibility for financial institutions to choose appropriate risk management measures based on specific AI use cases.

  • The guidelines emphasize governance, accountability, fairness, privacy protection, system robustness, transparency, and sustainable development
  • The guidelines also address third-party vendor management, emphasizing the importance of clearly defined responsibilities

Risk management in focus: Risk assessment factors are provided as examples, allowing institutions to determine risk levels independently. External audits for risk management are mentioned, though details are not fully specified in the given excerpt.

Next Steps: While not explicitly stated, the release of these guidelines suggests that Taiwanese financial institutions will be expected to implement AI systems in accordance with the provided framework. The FSC will likely monitor adoption and may refine the guidelines based on industry feedback and evolving AI technologies.
