5 min read

Understanding the EU AI Act: Insights & Actions for UK Banks.

As the European Union (EU) introduces its Artificial Intelligence (AI) Act, UK banks need to prepare for major regulatory changes that could affect their operations. 

We created this guide in accordance with the EU AI Act, and after various discussions (prompt threads) with Revvy, our GenAI GPT trained by Revvence on finance systems transformation and related topics. The guide explains the key points that UK banks should be aware of and how they can prepare to adhere to the new regulations.

Overview of the EU AI Act

The EU AI Act, as outlined in the European Parliament legislative resolution of 13 March 2024, establishes consistent rules on artificial intelligence (AI) to guarantee the secure and reliable development, deployment, and usage of AI systems within the European Union.

Key Provisions of the EU AI Act

 

Scope and Objectives:
  • Protective Measures: Ensures high levels of protection for health, safety, and fundamental rights against the harmful effects of AI systems.
  • Innovation Support: Aims to foster innovation while maintaining strict oversight and governance of AI systems.
  • AI Risk Classification:
     
    • Unacceptable Risk: AI systems with the potential to cause significant harm, such as those predicting criminal behaviour, are prohibited.
    • High Risk: AI systems with serious potential for harm, including biometric identification and critical infrastructure AI, must comply with stringent pre and post-market requirements.
    • Limited and Minimal Risk: Systems with lower risks, like spam filters and AI-enabled games, have fewer obligations but must ensure transparency and informed usage.
  • General-Purpose AI (GPAI) Requirements:
     
    • Documentation and Proactive Risk Mitigation: Providers of GPAI models must adhere to new documentation duties and mitigate systemic risks proactively.
    • Penalties for Non-Compliance: Fines can reach up to 7% of global turnover or €35 million, significantly higher than penalties under the GDPR.

  • Governance and Accountability:
     
    • Stakeholder Identification: Banks must identify key stakeholders for compliance and establish clear roles and responsibilities.
    • Continuous Monitoring: Implementing robust monitoring mechanisms for AI usage, particularly generative AI, is crucial.

Specific Implications for Banks

1. Creditworthiness and Risk Assessments:

AI-based creditworthiness assessments by banks are considered high-risk AI use cases and will need to comply with heightened requirements for such AI applications.

2. Customer Interaction and Data Privacy:

AI systems interacting with customers or handling sensitive data must ensure transparency, non-discrimination, and privacy protection.

3. Operational and Strategic Impacts:

Banks must evaluate their AI strategies, ensuring alignment with the Act’s requirements and fostering a culture of compliance and innovation.

Compliance Timelines

The EU AI Act establishes a clear timeline for compliance that banks need to follow:

  • Immediate Preparations:
     
    • Understanding Requirements: Begin by understanding the key provisions and classifications of AI systems under the Act.
    • Stakeholder Identification: Identify key internal stakeholders and establish roles and responsibilities.

  • Short-Term (Within 6 Months):
     
    • Risk Management and Classification: Map out all AI systems in use or development and classify them by risk level.
    • Initial Governance Framework: Establish a preliminary governance framework aligned with the EU AI Act.

  • Medium-Term (6-12 Months):
     
    • Compliance Audits: Conduct audits to assess current practices against the EU AI Act requirements.
    • Documentation and Monitoring: Implement documentation practices and continuous monitoring systems for high-risk AI systems.

  • Long-Term (1-2 Years):
     
    • Full Compliance Implementation: Ensure all high-risk AI systems meet the Act’s mandatory requirements.
    • Ongoing Adaptation: Stay updated on regulatory changes and continuously adapt AI systems and governance practices.

Preparing for the EU AI Act: A Checklist for UK Banks

Here, we outline a checklist for UK banks to follow to be prepared for the EU AI regulation.

 

Understanding Regulatory Requirements
Familiarisation:

Action:

Designate a task force comprising legal, compliance, IT, and business unit leaders.

Steps:

- Schedule a series of workshops to review the EU AI Act.

- Develop a detailed presentation on the Act’s provisions, focusing on definitions, risk tiers, and obligations.

- Distribute reading materials and summaries of the Act to all relevant stakeholders.

Tools:

- Use compliance management software to track training and understanding across teams.

- Utilise GenAI for personalised learning modules and interactive Q&A sessions.

Outcome:

All relevant personnel should thoroughly understand the EU AI Act within two months.

 


Identifying Differences and Requirements:

Action:

Conduct a gap analysis.

Steps:

- Compare current AI practices with the requirements of the EU AI Act.

- Identify discrepancies and areas needing change.

Tools:

- Compliance audit tools and AI system inventory spreadsheets.

- GenAI can assist in generating detailed reports and analysing large compliance data sets.

Outcome:

A comprehensive report detailing gaps and required changes.

 

 

Risk Management and Classification
Mapping AI Systems:

Action:

Create an inventory of all AI systems.

Steps:

- Conduct interviews with department heads to identify AI usage.

- Compile a list of all AI systems, including those in development.

Tools:

- Inventory management software and AI asset tracking systems.

- Leverage GenAI to automate data collection and validation processes.

Outcome:

A complete and up-to-date inventory of AI systems.

 


Classifying AI Systems by Risk Level:

Action:

Develop a classification framework.

Steps:

- Define criteria for risk levels based on the EU AI Act.

- Classify each AI system according to these criteria.

Tools:

- Risk assessment matrices classification guidelines.

- GenAI can be used to develop predictive risk assessment and classification models.

Outcome:

All AI systems are classified into risk categories.

 


Governance and Monitoring
Establishing Governance Process:

Action:

Form an AI governance committee.

Steps:

- Define the roles and responsibilities of the committee.

- Develop governance policies and procedures aligned with the EU AI Act.

Tools:

- Governance frameworks policy management tools.

- Utilise GenAI to draft governance documents and ensure they are updated with the latest regulations.

Outcome:

A formalised AI governance structure.

 


Continuous Monitoring:

Action:

Implement AI monitoring systems.

Steps:

- Set up monitoring tools to track AI performance and compliance.

- Schedule regular reviews and audits.

Tools:

- AI monitoring software audit management systems.

- GenAI can help automate the monitoring process and provide real-time compliance insights.

Outcome:

Continuous oversight and timely identification of compliance issues.

 

 

Adopting Strategic Management Practices
Raising Awareness:

Action:

Develop an internal communication strategy.

Steps:

- Create informative materials about the impact of the EU AI Act.

- Conduct training sessions for all employees.

Tools:

- Intranet platforms, training software.

- GenAI can assist in creating engaging training content and interactive learning experiences.

Outcome:

Increased awareness and understanding among all staff.

 


Developing Responsibility Lines:

Action:

Define and document roles and responsibilities.

Steps:

- Outline clear responsibilities for compliance, IT, and business units.

- Ensure each role is aware of their specific tasks related to the Act.

Tools:

- Responsibility assignment matrices and RACI charts.

- GenAI can help streamline the documentation process and ensure clarity in role assignments.

Outcome:

A clear understanding of individual and departmental responsibilities.

 


Federated Governance Approach
Exploring Governance Models:

Action:

Evaluate centralised vs. federated governance models.

Steps:

- Assess the pros and cons of each model for your organisation.

- Pilot the chosen model in a few departments before a full rollout.

Tools:

- Governance model assessment tools pilot program management software.

- GenAI can provide simulations and scenario analyses to determine the best governance approach.

Outcome:

A well-suited governance model that ensures transparency and accountability.

 

 

Continuous Learning and Adaptation
Staying Updated:

Action:

Subscribe to regulatory updates and industry newsletters.

Steps:

- Identify key sources for updates on AI regulations.

- Assign team members to monitor these sources and report back.

Tools:

- Subscription services, news aggregators.

- GenAI can automate the aggregation and summarisation of regulatory updates.

Outcome:

Up-to-date knowledge of regulatory changes.

 



Participating in Educational Initiatives:

Action:

Engage in industry training and webinars.

Steps:

- Identify relevant webinars and training sessions.

- Encourage staff to participate and share learnings.

Tools:

- Webinar platforms and learning management systems.

- GenAI can recommend personalised learning paths and track progress.

Outcome:

Continuous professional development and readiness for compliance.



Has the UK Adopted the EU AI Act?

 

The UK has not yet adopted the EU AI Act. The European Parliament formally adopted it in March 2024, and it is currently being endorsed by the European Council. However, the UK is taking a different approach to AI regulation.

The UK government has indicated that it prefers to implement sector-specific measures combined with overarching principles from its national AI strategy rather than enacting comprehensive legislation like the EU AI Act. This approach aims to support AI innovation while addressing regulatory needs within specific sectors.

The UK government has identified AI technology as a key priority for national growth. It has published responses and roadmaps to develop the AI ecosystem. However, there is still uncertainty about whether the UK will update its product liability rules to explicitly cover AI systems liability, as the EU has done.

Businesses operating in or interacting with the EU must understand and comply with the EU AI Act, which has an extraterritorial reach similar to the GDPR. UK banks and companies providing AI systems or services used within the EU will need to adhere to the regulations outlined in the EU AI Act.



How can we help?

Revvence can help in several valuable ways:

  • Review your existing core finance processes and recommend GenAI use cases.
  • Create a proof-of-concept to demonstrate potential outcomes and help build your business case.
  • The design and delivery of end-to-end GenAI applications in the finance function.
  • Check out Revvy, our Narrow-GPT for Finance Transformation. Read all about Revvy here.

 

 

Leveraging Generative AI for Enhanced Risk and Compliance in Banking.

The banking sector increasingly leverages innovative technologies to boost risk and compliance management. Generative AI (GenAI) stands out as a...

Read More

Rewiring Banking for Gen AI: Unlocking Operational Efficiency in 2024.

Introduction Generative AI (GenAI) is set to transform the banking industry by automating tasks, enhancing decision-making, and creating new...

Read More

A Metrics-Driven Approach to Evaluating GenAI Use Cases in the Finance Function.

Global banks and financial services businesses are considering the role of Generative AI (GenAI) in the finance function. We believe that using a...

Read More