On May 13, 2022, the United States Office of the Comptroller of the Currency (“OCC”) outlined some of the supervisory expectations regarding how the banks it regulates should manage risks associated with artificial intelligence (“AI”), including machine learning.1 Notably, the outline identifies the parts of the agency’s comprehensive risk management guidelines that are relevant to machine learning activities and explains aspects of how the agency intends to oversee machine learning technology. In this legal update, we discuss some of the key AI-related risks and oversight expectations in the OCC’s recent overview.
The outline of supervisory expectations for machine learning was released as part of congressional testimony. In May 2022, Assistant Operational Risk Controller Kevin Greenfield testified before the House Financial Services Committee’s Artificial Intelligence Task Force.2 Mr. Greenfield is well known in the financial services community as an expert in risk management practices and has held various leadership positions at the OCC since 2014. His testimony on AI included a 16-page written statement outlining the OCC’s views on AI, the key risks involved with AI, and some of the agency’s oversight expectations for the banks it regulates.
The overview identifies four key risks associated with AI.
1. Explainability. Explainability refers to the extent to which a bank’s staff understand and can explain the results of its AI processes. Explainability is a risk associated with using AI, as a failure to understand an AI process or outcome could cause the bank to act in a way that harms its customers or fails to meet consumer protection requirements. Similarly, a lack of explainability means that a bank may be unable to apply model risk management practices to an AI process or technology, which could undermine safety and soundness.
2. Data management. Data management and governance refers to the risk that poor quality data or data that is not effectively managed by a bank could be used by an AI process in a way that leads to incorrect predictions or results containing illegal biases.
3. Privacy and Security. Consumer data privacy and security is the risk that an AI process can expose sensitive consumer data to compromise. Additionally, some uses of AI may involve restrictions on the processing of certain types of consumer data.
4. Third party providers. Many AI technologies rely on third-party vendors for development or implementation. These third parties may pose a risk to a bank’s operations and use of AI depending on the criticality of the technology or service provided by the third party.
The outline identifies five key supervisory expectations that the OCC has for banks that use AI:
1. Risk and compliance management programs. The OCC expects a bank to have well-designed risk management and compliance management programs that cover the use of AI. These programs should generally include controls to monitor the results of the AI process to identify unwarranted risks or violations of consumer protection laws, including fair lending. In addition, large banks should be aware of the broader risk management requirements that apply under the enhanced OCC standards and be prepared to adjust their governance and risk management practices as appropriate when introducing or modifying AI activities.
2. Model risk management. The OCC has detailed oversight guidelines regarding a bank’s use of models (including for anti-money laundering compliance). Many AI processes would be considered models by the OCC under its current guidance. Effective model risk management practices may include appropriate due diligence and risk assessment, sufficient and qualified personnel, governance and controls. These practices will be assessed by examiners using comprehensive procedures and may be subject to follow-up supervision.
3. Third-party risk management. The OCC expects banks to have an effective third-party risk management program that includes robust due diligence, effective contract management, and ongoing third-party monitoring. For AI, this generally means that a bank must control the acquisition and use of technology and must monitor the performance of the third party over time.
4. Principles of new and changed products. The OCC expects banks to put in place appropriate risk management processes to review and approve new and changed activities, including AI activities. Banks should determine whether they have assessed and understood the risks associated with any new or changed AI activities and whether they have determined that the activities align with a bank’s overall business plans and strategies.
5. Responsible Use of Alternative Data. The OCC expects banks to manage the consumer protection implications of using alternative data in underwriting, including in underwriting activities that use AI.3 This is often done by analyzing the relevant consumer protection requirements before implementing AI technology.
The OCC’s exposition of the key supervisory expectations that banks need to meet when using AI may not be as daunting as it first appears. Expectations are generally based on past OCC issuances and will be assessed as part of the OCC’s risk-based review process. Therefore, it may be best to think of the OCC’s outline as a prioritized list of expectations that examiners will look at more closely during examinations. Seen in this light, the outline can be a tool that banks use to allocate their limited compliance resources to areas of greatest regulatory risk.
More broadly, federal banking regulators have been actively engaging on AI issues for several years, including launching a request for information from industry in early 2021.4 The OCC broadly notes that the agency continues to engage with other regulators to determine next steps, possibly including issuing guidance on banks’ use of AI. Hopefully agencies will also engage with banks to ensure that any guidance issued by agencies incorporates the many ideas the industry is constantly developing using machine learning and AI in new and innovative ways.
1. Press release, The assistant controller testifies on artificial intelligence (May 13, 2022), https://occ.gov/news-issues/news-releases/2022/nr-occ-2022-52.html. The OCC regulates domestic banks, federal savings associations, and federal branches and agencies of foreign banking organizations.
2. Working Group on Artificial Intelligence, Tracking the Codes – Using AI for Efficient RegTech (May 13, 2022), https://financialservices.house.gov/events/eventsingle.aspx?EventID=409378.
3. See our legal update on a recent Consumer Financial Protection Bureau draft that addresses algorithmic bias in automated valuation models: https://www.mayerbrown.com/en/perspectives-events/publications/2022/03/cfpb-publishes-proposals-to-prevent-algorithmic-bias-in-avms.
4. Please see our legal update on the 2021 request for information: https://www.mayerbrown.com/en/perspectives-events/publications/2021/04/rfi-on-financial-institutions-use-of-ai-offers-the-opportunity-to-shape-the-future-regulatory-framework.
This article by Mayer Brown provides information and commentary on interesting legal issues and developments. The foregoing is not a complete treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action regarding the matters discussed here.