Here is QA Financial’s monthly review of new developments and initiatives in compliance and regulation that affect the management of software at financial firms.
Biden announces AI regulation
US President Joe Biden [pictured] has announced an Executive Order to regulate and mitigate risks of AI. The Executive Order also: “ensures that we continue to lead the way in innovation and competition,” said the White House.
The Executive Order, which instructs Congress to pass relevant legislation, includes also a provision which requires that: “developers of the most powerful AI systems share their safety test results and other critical information with the US government.”
In addition to this, the executive order defines several other actions including:
-
The development of standards, tools and tests to help ensure that AI systems are safe, secure and trustworthy.
-
The establishment of an advanced cybersecurity program to develop AI tools to find and fix software vulnerabilities.
-
The prioritisation of federal support for accelerating the development and use of data privacy focussed techniques.
Commenting on the announcement, Biden said: “To realise the promise of AI and avoid the risk, we need to govern this technology.”
Full details here.
FCA data chief says firms remain responsible for OpRes
In a conference speech, the Financial Conduct Authority’s (FCA) Chief Data, Information and Intelligence Officer, Jessica Rusu [Pictured], has reiterated the FCA’s view that financial firms are responsible for ensuring their own operational resilience.
Rusu said: “The key message is that firms remain responsible for their own operational resilience, including any services that they outsource to third parties. That is not changing, and firms are still required to meet their commitments no matter how they choose to deliver their services.”
Full details here.
Bank of England publishes AI discussion feedback
The Bank of England in conjunction with the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) collectively referred to as ‘the supervisory authorities’, has released a feedback statement on Artificial Intelligence and Machine Learning. This statement is a follow-up to an October 2022 discussion paper aimed at deepening the understanding of the impacts of AI on financial firms. The paper received 54 responses from various stakeholders, including industry bodies, banks, and other institutions.
Key points include:
-
Respondents want ‘live’ regulatory guidance to continually update guidance and examples of best practice.
-
Respondents want more coordination and alignment between regulators, as they consider the regulatory landscape to be complex and fragmented with respect to AI.
-
Respondents want increased regulatory guidance regarding the use of third-party models and data.
Full details available here.
NIS2 compliance deadline looms
There are now just 12 months to go until the European Union’s Network and Information Security 2 (NIS2) directive goes live on October 18th 2024. NIS2 will serve as an extensive update to the original NIS directive (published in 2016), with the goal of strengthening cybersecurity measures across EU firms.
NIS2 addresses the increasing cyber threats and vulnerabilities by setting out measures to ensure a high common level of network and information security. It expands the scope of entities covered, including more sectors like public administrations and medium-sized enterprises. The directive emphasises the importance of risk management and introduces stricter supervisory measures for national authorities. It also mandates incident reporting to relevant national authorities, with the aim of ensuring timely and effective responses to cyber threats.
Full article here.
BaFin launches DORA information site
The German Federal Financial Supervisory Authority, BaFin, has launched an information site designed to provide guidance to financial institutions on the EU Digital Operational Resilience Act (DORA).
The site provides an overview of DORA, as well as giving updates on the current state of DORA consultations being carried out by the European supervisory authorities – the EU regulatory advisory body comprised of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
Full article available here.
MAS investigates disruptions at DBS and Citibank
The Monetary Authority of Singapore (MAS), the Singaporean central bank and financial regulator, has instructed DBS bank and Citibank to investigate recent disruptions to their digital banking services. MAS said it will take “appropriate supervisory actions after gathering the necessary facts.”
MAS requires that all banks put measures in place to ensure that their critical systems and services are resilient to disruption. They are required to have back-up data centres and systems, which are tested periodically to ensure that these critical systems and services can be restored within 4 hours following an outage.
On October 14th the primary data centres of both banks failed to perform normally. Whilst they activated their back-up data systems, neither were able to fully recover their systems within the required 4-hour timeframe.
[Image Source: Wikipedia]