The EC published an initial legislative proposal in 2021, and the European Parliament adopted a revised version as its official position on AI in June 2023, moving the legislative process to its final phase.
This proposed EU AI Act takes a risk management approach to regulating AI. Organisations looking to employ AI must take note: an internal risk management approach to deploying AI would essentially be mandated by the Act. It is likely that other legislative initiatives will follow a similar approach, making the AI Act a potential role model for global legislation (following the trail blazed by the General Data Protection Regulation). The “G7 Hiroshima AI Process”, established at the G7 summit in Japan in May 2023, is a key example of international discussion and collaboration on the topic (with a focus on Generative AI).
Risk Classification and Regulations in the EU AI Act
At the heart of the AI Act is a system to assess the risk level of AI technology, classify the technology (or its use case), and prescribe appropriate regulations to each risk class.
For each of these four risk levels, the AI Act proposes a set of rules and regulations. Evidently, the regulatory focus is on High-Risk AI systems.
Contrasting Approaches: EU AI Act vs. UK’s Pro-Innovation Regulatory Approach
The AI Act has received its share of criticism, and somewhat different approaches are being considered, notably in the UK. One set of criticism revolves around the lack of clarity and vagueness of concepts (particularly around person-related data and systems). Another set of criticism revolves around the strong focus on the protection of rights and individuals and highlights the potential negative economic impact for EU organisations looking to leverage AI, and for EU tech companies developing AI systems.
A white paper published by the UK government in March 2023, perhaps tellingly named “A pro-innovation approach to AI regulation”, emphasises a “pragmatic, proportionate regulatory approach … to provide a clear, pro-innovation regulatory environment”. The paper describes an approach that aims to balance the protection of individuals with economic advancement for the UK on its way to becoming an “AI superpower”.
Further aspects of the EU AI Act are currently being critically discussed. For example, the current text exempts all open-source AI components not part of a medium or higher risk system from regulation but lacks definition and considerations for proliferation.
Adopting AI Risk Management in Organisations: The Singapore Approach
Regardless of how exactly AI regulations will turn out around the world, organisations must start today to adopt AI risk management practices. There is an added complexity: while the EU AI Act does clearly identify high-risk AI systems and example use cases, the realisation of regulatory practices must be tackled with an industry-focused approach.
The approach taken by the Monetary Authority of Singapore (MAS) is a primary example of an industry-focused approach to AI risk management. The Veritas Consortium, led by MAS, is a public-private-tech partnership consortium aiming to guide the financial services sector on the responsible use of AI. As there is no AI legislation in Singapore to date, the consortium currently builds on Singapore’s aforementioned “Model Artificial Intelligence Governance Framework”. Additional initiatives are already underway to focus specifically on Generative AI for financial services, and to build a globally aligned framework.
To Comply with Upcoming AI Regulations, Risk Management is the Path Forward
As AI regulation initiatives move from voluntary recommendation to legislation globally, a risk management approach is at the core of all of them. Adding risk management capabilities for AI is the path forward for organisations looking to deploy AI-enhanced solutions and applications. As that task can be daunting, an industry consortium approach can help circumnavigate challenges and align on implementation and realisation strategies for AI risk management across the industry. Until AI legislation is in place, such industry consortia can chart the way for their industry – organisations should seek to participate now to gain a head start with AI.
The Point Zero Forum is returning for its second edition from 26 to 28 June 2023 in Zurich, Switzerland. The inaugural Forum held in June 2022 attracted over 1,000 leaders and featured more than 200 esteemed speakers from Europe, Asia Pacific, the USA, and MENA. The Forum represents a collaboration between the Swiss State Secretariat for International Finance (SIF) and Elevandi and is organised in cooperation with the BIS Innovation Hub, the Monetary Authority of Singapore (MAS), and the Swiss National Bank.
As we gear up for this year’s Point Zero Forum, let’s take a moment to reflect on some of the pivotal developments that have shaped the Financial Services industry since the previous Forum and also moulded the three key themes that will take centre stage this year: Sustainability, Artificial Intelligence (AI), and Digital Assets.
COP27, the rise of blended finance and the groundbreaking Net-Zero Public Data Utility
In November 2022, the Government of the Arab Republic of Egypt hosted the 27th session of the Conference of the Parties of the UNFCCC (COP27), with a view to accelerating the transition to a low-carbon future. In the build-up to COP27, Ravi Menon, the Managing Director of the MAS, spoke at the inaugural Transition Finance towards Net-Zero conference and told the audience that the world is currently not on a trajectory to achieve net-zero emissions by 2050. According to the UN Emissions Gap report 2021, based on the current policies in place, the world is 55% short of the emissions reduction target for 2030. He also elaborated on the significant role that blended finance can play in tackling climate change, a theme that widely resonated with the global leaders at COP27. To enable easy and transparent reporting on climate commitments, the Climate Data Steering Committee (CDSC) outlined the next steps on its recommended plans for the Net-Zero Data Public Utility (NZDPU) at COP27. NZDPU aims to aid efforts to transition to a net-zero economy by addressing data gaps, inconsistencies, and barriers to information that slow climate action.
The Point Zero Forum 2023 will deep-dive into the data, technologies, and capital and risk management solutions that can accelerate the fair transition towards a low-carbon future.
Panel Discussion Highlight: The opening panel discussion, “Data for Net-Zero: Views from the Climate Data Steering Committee,” scheduled for 26 June, will feature members of the CDSC, which include the Financial Conduct Authority, the MAS, Glasgow Financial Alliance for Net Zero (GFANZ), and the Swiss State Secretariat for International Finance. The panel will discuss the role of new technologies and collaborative platforms in promoting greater accessibility of transition data and innovative business models.
The launch of ChatGPT by OpenAI and its record for the fastest 100M monthly active users
The Point Zero Forum 2023 will deep-dive into Generative AI’s potential for enhancing efficiency, improving risk management, and providing better customer experience in the Financial Services industry, while highlighting the need for ensuring fair, ethical, accountable, and transparent use of these technologies.
Panel Discussion Highlight: The session “Breaking New Ground with Generative AI: Project MindForge”, scheduled for 27 June, will feature global leaders from NVIDIA, the MAS, Citigroup and Bloomberg. The panel will discuss the opportunities of Generative AI for the Financial Services sector.
MiCA regulation gets adopted by the EU lawmakers and sets a precedent for digital asset regulations
The Point Zero Forum 2023 will do a stocktake on key global regulatory frameworks, market infrastructure, and use cases for the widespread adoption of digital assets, asset tokenisation, and distributed ledger technology.
Panel Discussion Highlight: The sessions “State of Global Digital Asset Regulation: Navigating Opportunities in an Evolving Landscape” and “Interoperability and Regulatory Compliance: Building the Future of Digital Asset Infrastructure”, scheduled on 26 and 27 June respectively, will feature global leaders from both public sector (such as the MAS, Bank of Italy, Bank of Thailand, U.S. Commodity Futures Trading Commission, EU Parliament) and private sector organisations (such as JP Morgan, Sygnum, SBI Digital Assets, Chainalysis, GBBC, SIX Digital Exchange). The discussions will centre around digital asset regulations and key considerations in the rapidly evolving world of digital assets.
Register at https://www.pointzeroforum.com/registration. Receive 10% off the Industry Pass by entering the code ‘JB10’ at checkout. Policymakers, regulators, think tanks, and academics receive complimentary access; founders of tech companies (incorporated for less than 3 years) can apply for a discounted Founder’s Pass.
One key element that DORA introduces is the Critical Third Party (CTP) oversight framework, expanding the scope of the financial services regulatory perimeter and granting the European Supervisory Authorities (ESAs) substantial new powers to supervise CTPs and address resilience risks they might pose to the sector.
Germany’s Supply Chain Due Diligence Act (SCDDA). On January 1, 2023, the Supply Chain Due Diligence Act took effect. It requires all companies with head offices, principal places of business, or administrative headquarters in Germany – with more than 3,000 employees in the country – to comply with core human rights and certain environmental provisions in their supply chains. SCDDA is far-reaching and impacts multiple facets of the supply chain, from human rights to sustainability, and legal accountability throughout the third-party ecosystem. It will address foundational supply chain issues like anti-bribery and corruption diligence.
From 2024, the employee threshold will be lowered from 3,000 to 1,000. Switzerland, the Netherlands, and the European Union also have similar draft regulations on the books.
PCI DSS 4.0. Payment Card Industry Data Security Standard (PCI DSS) is the core component of any credit card company’s security protocol. In an increasingly cashless world, card fraud is a growing concern. Any company that accepts, transmits, or stores a cardholder’s private information must be compliant. PCI compliance standards help avoid fraudulent activity and mitigate data breaches by keeping the cardholder’s sensitive financial information secure.
PCI compliance standards require merchants to consistently adhere to the PCI Standards Council’s guidelines, which include 78 base requirements, more than 400 test procedures, and 12 key requirements.
Looking at how PCI has evolved over the years up to PCI 4.0, there is a departure from specific technical requirements toward the general concept of overall security. PCI 4.0 requirements were released in March 2022 and will become mandatory in March 2024 for all organisations that process or store cardholder data.
The costs of maintaining compliance controls and security measures are only part of what businesses should consider for PCI certification. Businesses should also account for audit costs, yearly fees, remediation expenses, and employee training costs in their budgets as well as technical upgrades to meet compliance standards.
Tech Trend Changes
Zero Trust presents a shift from a location-centric model to a more data-centric approach, with fine-grained security controls between users, systems, data, and assets. As a model, Zero Trust treats every request as if it came from an open network and verifies each request accordingly. PCI 4.0 does not mention Zero Trust architecture specifically, but it is evident that the Security Standards Council is going that way as a future consideration.
Passwordless authentication has gained a lot of attention and traction recently. Large tech providers such as Google, Apple, and Microsoft are introducing passwordless authentication based on passkeys. This is a clear sign that the game is about to change. Just as the PCI DSS focuses on avoiding fraudulent activity, so do newer authentication approaches that verify and confirm identity.
Third-party risk management is quickly evolving into third-party trust management (TPTM), with the SCDDA creating a clear line in the sand for global organisations. TPTM is a critical consideration when standing up an enterprise trust strategy. Enterprise trust is a driver of business development that depends on cross-domain collaboration. It goes beyond cybersecurity and focuses on building trusted and lasting third-party relationships across the core critical risk domains: security, privacy, ethics & compliance, and ESG.
Final thought – Cyber Insurance in 2023
If some of these compliance drivers lead to a desire for financial protection, cyber insurance is one mitigation element of a strategy to address C-level concerns. But wait – this is not as easy as it used to be.
Five years ago, a firm could fill out a one-page cyber insurance application and answer a handful of questions. Fast forward to today’s world of ransomware attacks and other cyber threats – now getting insurance with favourable terms, conditions, pricing, coverage and low retention is tough.
Insurance companies prefer enterprises that are instituting robust security controls and incident response plans — especially those prepared to deep dive into their cybersecurity architectures and with planned roadmaps. In terms of compliance strategy development, there needs to be a risk-based approach to cybersecurity to allow an insurer to offer a favourable insurance option.
Transparency through Smart Contracts. As businesses and platforms scale applications and capabilities through global partnerships, there is a need for trusted, transparent transactions. Symbiont’s partnership with Swift and BNB Chain’s tie-up with Google Cloud are some recent examples.
Evolution of Digital Payments. Digital payments have come a long way from the early days of online banking services and are now set to move beyond digital wallets, with developments such as the Open Finance Association and EU initiatives to interlink domestic CBDCs.
Banks Continue to Innovate. They are responding to market demands and focusing on providing their customers with easy, secure, and enhanced experiences. NAB is working on digital identity to reduce fraud, while Standard Chartered Bank is collaborating with Bukalapak to introduce new digital services.
The Emergence of Embedded Finance. In the future, we will see more instances of embedded financial services within consumer products and services that allow seamless financial transactions throughout customer journeys. LG Electronics’ new NFT offering is a clear instance.
In September this year, China – the world’s largest emitter of greenhouse gases – announced it would achieve carbon neutrality by 2060. Japan and Korea, too, have upped their mid-century targets to bring net emissions to zero.
The New Zealand Government has set a legislated goal for the country to be carbon neutral by 2050; has amended our Emissions Trading System (ETS) to ensure price signals encourage a move to low carbon; set up a green investment fund; invested heavily in research into reducing emissions from livestock production; and, most recently, made carbon-related financial disclosures mandatory for specified companies, banks, insurers and investment managers. We have also made it our mission to encourage governments to phase out fossil fuel subsidies (some US$400bn each year) that promote excessive consumption.
The Ripples Reach Cities and Businesses…
The political signals have flowed through to regional and local government. The C40 group (cities around the world working towards sustainability goals) now has 96 participating members – with many cities finding opportunities to collaborate with others in the network on joint projects.
It is becoming obvious that fossil fuel industries are at a disadvantage against increasingly cost-competitive renewable energy. Governments are working out how to manage a ‘just transition’ for the energy sector, while forward-leaning energy companies are re-shaping their business models in anticipation of a low carbon future.
Political signals encourage businesses to factor climate change into their planning and investment decisions. Businesses everywhere have read the political tea leaves and we see weekly announcements of pledges for carbon neutrality, ethical investing, green financing and so on. Whether it is Blackrock or NZ Super Fund making environmental, social, and governance (ESG) considerations integral to their investments, or Ikea’s IWAY (its ESG code of conduct for itself and its suppliers), business is showing a deeper commitment to sustainability than ever before.
Some industries will have to be more invested than others in emissions reduction, but this opens a world of opportunity and innovation. Energy & Utilities companies are implementing waste-to-energy solutions – Singapore’s Integrated Waste Management Facility (IWMF) is set to be the world’s largest energy recovery facility – and adoption of carbon capture, utilisation and storage (CCUS) facilities is at last gathering momentum across energy systems. Industries like aviation and maritime, too, have to play a key role in a circular economy.
… And Individuals (the Last – and First – Pieces of the Puzzle)
The ripples have spread to individuals – people like you and me. I know there are still plenty of climate deniers around. But mindsets are changing – and when that happens, the ripples become a tidal wave of real change. If we each start thinking we can do it and we will do it, the change will happen. If we make it clear, in our preferences as consumers, and in our expectations of the businesses we buy from or invest in, the change will happen.
The number of people who recognise we must live within our planetary boundaries is growing, values are changing (especially in light of the pandemic), and our low-carbon future is a high-tech one – not hemp shirts and home-made candles (unless of course these are your thing). Digital is a critical part of the story. Blockchain and distributed ledger technology (DLT) are being used to cater to a new generation of consumers, conscious of buying what is good for the world in the face of climate change and biodiversity loss. Food products are being branded using the track-and-trace capabilities of Blockchain for ‘farm to fork’ visibility.
Who doesn’t want to breathe clean air, have lower energy bills, and eat safe and healthy food? Maybe we will see more initiatives like America’s Pledge, bringing together an entire ecosystem committed to fighting climate change, growing the economy, and protecting public health – an ecosystem of states, cities, businesses, universities, and citizens.
We now have the rules, the policy tools, the technologies, and – increasingly – we have the will to act. As we re-build our economies, our businesses, and our lives, let us re-build better. So, I would echo Sir David Attenborough’s optimism – it is just that we do not have his (95 years) lifetime left to put things right.
Singapore FinTech Festival 2020: Impact Summit
For more insights, attend the Singapore FinTech Festival 2020: Impact Summit, which will cover topics tied to climate change and sustainability to build a better future.