AI really is having a moment, isn’t it? After years of the technology appearing on numerous lists of predictions for the “next big thing”, it feels like it has finally landed, and in a big way. It’s by no means a new technology (and, indeed, has been used in various forms across the financial services sector for quite some time), but the arrival of generative AI onto the scene has catapulted AI to the top of board agendas and public consciousness. 

And it’s not just the technology itself that is on the rise. Following in the footsteps of the EU, which announced (extensive!) world-first legislative proposals for AI back in April 2021, many countries and regions have been carefully considering how they regulate this powerful technology. 

There is no doubt that regulation has an important part to play in how we move forward as a society with AI. Although aspects of the technology are already regulated through existing frameworks, such as data protection, consumer protection, competition and financial services rules, AI poses potentially significant risks to both individuals and businesses, and it is important to ensure that no risky use cases can fall through the gaps in the current regimes. But, it is equally important that businesses have space to innovate and reap the benefits of AI which customers will no doubt come to expect as an inherent part of their experience. 

Here in the UK, a very different approach has been taken to the EU’s approach to date, with the government proposing a flexible, agile, “pro-innovation” approach to regulation, whereby existing regulators will be tasked with implementing certain key AI principles within their own regulatory sphere. Even the UK government, though, appears to be reconsidering this approach to a degree, with the Department for Science, Innovation and Technology recently indicating that it is considering introducing legislation to govern the most powerful AI foundation models. 

Building societies will no doubt be looking themselves at how they can leverage the exciting potential of AI, but simultaneously concerned about the risks it poses for customers and societies. So, in an environment where the extent and impact of regulation is unclear, how can societies make the most of the opportunities for innovation that AI brings, whilst remaining within ever-moving regulatory parameters? 

• Be needs-led, not tech-led: All too often, there is a temptation to dive in at the deep end without first considering the needs of the business and whether a solution (particularly an AI-based one) is required. Problems should always be identified before solutions, to ensure that there is a legitimate need for the technology, which in turn will help demonstrate compliance with existing and emerging regulatory frameworks. 

• Implement robust AI governance: Internal governance is becoming an increasingly important part of AI strategy for organisations across the board, particularly as the use of AI becomes more pervasive. Having robust delineations of responsibility, lines of accountability within the organisation, and processes to ensure that these are followed, will help societies ensure that there is always an appropriate level of visibility over AI deployments across the business, and that these deployments are carried out in compliance with relevant requirements. 

• Assign accountability: Not only is internal accountability important (someone needs to be comfortable taking ultimate responsibility for signing off on decisions; both decisions to deploy AI and decisions made on the basis of AI outputs), but accountability throughout the supply chain should be considered too. Societies are likely to be heavily reliant on vendors for their AI deployments; thorough due diligence and robust contracts will be important to make sure that societies are confident in the reliability of the solutions they are intending to use. 

• Carry out thorough risk assessments: Data protection impact assessments (DPIAs) are already fairly well-embedded in many societies’ risk assessment frameworks, and are a helpful way to demonstrate that key risks have been taken into account in implementing AI tools that impact personal data. Expanding DPIAs into full AI risk assessments will enable societies to consider the wider impact of AI deployments, in line with emerging regulation, and ensure that solutions are implemented with regulatory requirements at the forefront of societies’ minds. 

What’s become clear in recent months and years is that this is not just a “moment”. AI is not going anywhere, and striking the balance between innovating responsibly and complying with legal and regulatory requirements will continue to present challenges for societies as they look at their AI strategies over the coming years. Taking a considered, needs-led and well thought-out approach to AI implementation can help societies to deploy AI in a way that works for both the business and its customers. 

Find out more: visit https://www.tlt.com/

The views, opinions and positions expressed within guest blogs are those of the authors and do not necessarily represent those of the BSA.