Join our mailing list to receive the latest updates and alerts Flag Subscribe

You have likely read many articles about artificial intelligence (AI) and its many benefits for banks and other companies and have seen countless surveys and polls of bankers related to adopting AI within their banks. Many banks lean on third-party vendors for a number of services, and those third parties are always looking for ways to create more efficiency and stand out from their competitors. As a result, some are or will soon adopt the use of AI. Practically speaking, that means a bank that does not use AI directly may have risks indirectly related to their vendors’ use of AI.

Some examples of services where some vendors have indicated they may use AI are BSA/AML monitoring and screening, fraud protection, and customer service. Even vendors that have not indicated that AI is used in their products may be using it behind the scenes for their own operations, product development, and otherwise. This means even if a bank does not believe the service being offered uses AI, there could still be risk that information and data from the bank may be used by AI.

A handful of the important concepts related to AI include: What is AI, and how is it being used (e.g., machine learning, algorithms, and statistical models); what input is being included; what output is being generated, and where does it go; and does any bank data, including that of its customers, get used and if so, what is that data, and how is it protected? The answers to these questions can tease out risks for banks such as issues related to privacy laws and regulations, BSA/AML laws and regulations related to SAR disclosure, loss of intellectual property, and many others.

Great. What Should I Do? Banks should review their current products and services delivered directly to customers versus those delivered with the assistance of a vendor. Banks should decide whether they want to utilize AI for any of the products and services offered to their customers and, if so, which product(s)/service(s). This decision should be based on an understanding of what AI is and how it might be used by the bank. The end result of this decision-making process should include other policy and procedure updates. For example, a review of information security, data protection, privacy, and other policies should be conducted to determine what, if any, revisions should be made. The revisions may be more or less complex based on whether the bank wishes to pursue the use of AI.

Banks should then revise their vendor management processes including diligence related to vendors’ use of AI. As an example, a bank should understand whether a vendor’s product directly uses AI, and then if AI is used, ask many other questions. These could include questions such as:

  • What is AI being used for, and exactly what does the vendor mean by “AI”?
  • Will AI be used solely with respect to the bank’s internal systems?
  • What input is being used, e.g., images, bank data, bank customer data, and other vendor provided information?
  • What output is being created, e.g., computer code, graphics, charts, images, and numbers, and where is that output being shared?
  • How does the vendor protect the bank’s data and the bank’s customer data?
  • Who owns the AI output?

 Banks should then review their vendor agreements and request an amendment to reflect their policy, processes, and decisions. As an example, for a bank not wanting AI to be used, a related provision should be added to agreements. Vendors utilizing AI to improve their processes may well object to an overall prohibition, so a provision related to the prohibition on the use of the bank’s data for the vendor’s AI could be included. A few key items for the vendor agreements would be:

  • Define AI or AI Technology, AI Input, and AI Output.
  • Review and revise, if necessary, definitions of Bank Data, Bank Intellectual Property, and User Data.
  • Include a representation regarding the use of AI and a notice requirement if it changes.
  • Include a provision related to what, if any, data can be used with AI.
  • Include a geographic provision, e.g., must the system be in the United States and, if so, may the system allow access by any foreign computer or device.

AI is changing many things today, and the pace is very likely to accelerate. While this is exciting, banks need to understand how AI impacts them and is used in the products and services they offer. The above are small examples of items related to gaining that understanding and then deciding how banks wish to engage in the use of AI.

Professionals

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.