AI Act and its impacts on the European financial sector

With the adoption of the Artificial Intelligence (AI) Act, the European Union has positioned itself at the forefront of AI regulation from a global perspective. While the AI Act is an important milestone, much remains to be done to implement it, to promote the responsible use of AI in the financial sector and to enable European citizens to harness the benefits of AI and the data economy.

The AI Act will impact the financial sector in a number of ways.

On the one hand, AI-based creditworthiness assessments by banks, as well as pricing and risk assessments in life and health insurance are considered high-risk AI use cases, and will therefore have to comply with heightened requirements for such AI applications.

These requirements are expected to be further developed by European standardisation bodies. Subsequently national competent authorities (NCAs) will need to ensure that financial institutions comply with the new AI governance and risk management requirements and standards, while assessing the extent to which more detailed sectoral guidance may be required for these AI use cases.

The AI Act will also introduce new requirements for so-called general purpose AI systems, including large language models and generative AI applications. Working closely with service providers such as Bigtechs, financial institutions are already experimenting with these new tools and assessing how they can take advantage of the significant opportunities they offer. The expectation is that these tools will become mainstream rather soon.

The European Commission's new AI Office, which will be responsible for enforcing and overseeing the new rules for general-purpose AI systems, should ensure that service providers fulfil their responsibilities and assist users in implementing these systems. Under sectorial legislation financial institutions remain ultimately responsible for the tools and services they outsource. The oversight framework set out in the Digital Operational Resilience Act (DORA) for so-called "critical third-party service providers" could be useful here.

The remaining uses of AI in the financial services sector would largely be developed and used in accordance with existing legislation, without additional legal obligations arising from the AI Act. Given that the use of AI in use cases such as claims management, anti-money laundering or fraud detection in the financial services industry is already quite extensive, supervisors need to assess the extent to which existing rules are sufficient and where additional guidance may be needed for specific use cases. This would take into account considerations such as proportionality, fairness, explainability and accountability.

From another perspective, the European data strategy, which includes legislation such as the Data Act and the Data Governance Act, also plays a key role in shaping the landscape for the use of AI in the European financial sector. It facilitates the re-use of public sector databases or access to private datasets from connected devices, such as health wearables or connected cars, which could enable financial institutions to develop more innovative and tailored products and services, thereby making broadening competition in access to and use of data.

This is also the aim of the proposed Financial Data Access (FiDA) regulation, which will open consumers’ data held by financial institutions to third parties. In the insurance sector FIDA could facilitate the development of insurance dashboards, where consumers can access information about their insurance products from different providers on a single platform. This could potentially increase competition and enable consumers to make more informed choices.

Open questions remain about what data should be made available, how it is used, and on consumer protection. These will need to be addressed during the legislative process. Financial institutions should not be disadvantaged compared to non-financial ones, and consumer should always remain in effective control of where their data goes and how it is used.

NCAs will need to ensure that they integrate these new frameworks into their day-to-day supervisory activities. To this end, initiatives such as the ESA's Digital Finance Supervisory Academy can bring economies of scale and support more agile up-skilling. In addition, NCAs should also progressively embrace the use of new technologies for supervisory purposes (Suptech), for instance deriving actionable insights from large datasets through AI.

Finally, it is also important to promote convergence, taking into account emergent European regulation, at the international level, as the International Association of Insurance Supervisors (IAIS) expects to do with the development of an AI application paper in the course of 2024.

Thanks to Julian Arevalo for his contribution to this article.