On May 13, 2022, the US Office of the Comptroller of the Currency (“OCC”) outlined some of the supervisory expectations for how the banks it regulates should manage risks associated with artificial intelligence (“AI”), including machine learning.1 Notably, the outline identifies parts of the agency’s comprehensive guidance on risk management that are relevant to machine learning activities and explains aspects of how the agency intends to supervise machine learning technology. In this Legal Update, we discuss some of the key risks associated with AI and the supervisory expectations in the OCC’s recent outline.
The outline of supervisory expectations for machine learning was issued as part of testimony before Congress. In May 2022, Deputy Comptroller for Operational Risk Kevin Greenfield testified before the Task Force on Artificial Intelligence of the House Committee on Financial Services.2 Mr. Greenfield is well-known in the financial services community as an expert on risk management practices and has served in various leadership roles at the OCC since 2014. His testimony on AI included a 16-page written statement describing the OCC’s views on AI, key risks that are implicated by AI and some of the agency’s supervisory expectations for the banks that it regulates.
The outline identifies four key risks associated with AI.
1. Explainability. Explainability refers to the extent that a bank’s personnel understand and can explain the outcomes of its AI processes. Explainability is a risk associated with using AI because a failure to understand an AI process or outcome could result in the bank acting in a way that harms its customers or fails to comply with consumer protection requirements. Relatedly, a lack of explainability means that a bank may be unable to apply model risk management practices to an AI process or technology, which could impair safety and soundness.
2. Data Management. Data management and governance refers to the risk that poor quality data or data that is not managed effectively by a bank may be used by an AI process in a way that results in incorrect predictions or outcomes containing illegal bias.
3. Privacy and Security. Consumer privacy and data security is the risk that an AI process may expose sensitive consumer data to compromise. Further, some uses of AI may implicate restrictions on processing certain types of consumer data.
4. Third-Party Providers. Many AI technologies rely on third-party providers for development or implementation. These third parties may pose a risk to a bank’s operations and use of AI depending on the criticality of the technology or the service being provided by the third party.
The outline identifies five key supervisory expectations that the OCC has for banks that use AI:
1. Risk and Compliance Management Programs. The OCC expects a bank to have well-designed risk management and compliance management programs that cover the use of AI. These programs generally should include controls for monitoring AI process outcomes to identify unwarranted risks or violations of consumer protection laws, including fair lending. Further, larger banks should be cognizant of the more extensive risk management requirements that apply under the OCC’s heightened standards and be prepared to adjust their risk governance and management practices as appropriate when introducing or altering AI activities.
2. Model Risk Management. The OCC has extensive supervisory guidance around a bank’s use of models (including for anti-money laundering compliance). Many AI processes would be viewed as models by the OCC under its existing guidance. Effective model risk management practices can include appropriate due diligence and risk assessment, sufficient and qualified staffing, governance and controls. These practices will be assessed by examiners using comprehensive procedures and may be subject to supervisory follow-up.
3. Third-Party Risk Management. The OCC expects banks to have an effective third-party risk management program that includes robust due diligence, effective contract management and ongoing oversight of third parties. For AI, this typically means that a bank should have controls over the acquisition and use of the technology and should monitor the third party’s performance over time.
4. New and Modified Products Principles. The OCC expects banks to establish appropriate risk management processes for reviewing and approving new and modified activities, including AI activities. Banks should consider if they have assessed and understand the risks associated with any new and modified AI activities and determined that the activities align with a bank’s overall business plans and strategies.
5. Responsible Use of Alternative Data. The OCC expects banks to manage the consumer protection implications of using alternative data in underwriting, including in underwriting activities that employ AI.3 This often is done through an analysis of relevant consumer protection requirements prior to implementing an AI technology.
The OCC’s outline of key supervisory expectations for banks to satisfy when using AI may not be as daunting as it first appears. The expectations generally are based on prior OCC issuances and will be assessed through the OCC’s risk-focused examination process. Therefore, it may be better to view the OCC’s outline as a prioritized list of the expectations that it will most closely look at during examinations. Viewed through this lens, the outline can be a tool that banks use to allocate their limited compliance resources to the areas of greatest regulatory risk.
More broadly, the federal banking regulators have been actively engaged on AI issues for several years, including through the issuance of a request for information from the industry in early 2021.4 The OCC notes in the outline that the agency is continuing to engage with the other regulators to determine next steps, including potentially issuing recommendations on the use of AI by banks. Hopefully, the agencies also will engage with banks to ensure that any guidance the agencies issue incorporates the many insights that the industry is constantly developing as it uses machine learning and AI in new and innovative ways.
1 Press Release, Deputy Comptroller Testifies on Artificial Intelligence (May 13, 2022), https://occ.gov/news-issuances/news-releases/2022/nr-occ-2022-52.html. The OCC regulates national banks, federal savings associations, and federal branches and agencies of foreign banking organizations.
2 Task Force on Artificial Intelligence, Keeping Up with the Codes – Using AI for Effective RegTech (May 13, 2022), https://financialservices.house.gov/events/eventsingle.aspx?EventID=409378.
3 See our Legal Update on a recent outline from the Consumer Financial Protection Bureau that addresses algorithmic bias in automated valuation models: https://www.mayerbrown.com/en/perspectives-events/publications/2022/03/cfpb-publishes-proposals-to-prevent-algorithmic-bias-in-avms.
4 Please see our Legal Update on the 2021 request for information: https://www.mayerbrown.com/en/perspectives-events/publications/2021/04/rfi-on-financial-institutions-use-of-ai-provides-opportunity-to-shape-future-regulatory-framework.