The regulatory framework for financial services firms using Artificial Intelligence (AI) in the UK is evolving — with the Department for Science, Innovation and Technology (DSIT) having now published the response to their 2023 White Paper. Overall, this response reaffirms the `agile and principles-based' approach originally proposed. However, the government has pledged extra support for regulators (in the form of money and guidance) and has laid out the potential for future binding requirements on developers of the most advanced systems. Regulators have also been asked to outline their strategic approach to AI by 30 April.
Background
The UK government published its original AI Regulation White Paper in March 2023 — for a full summary, see our earlier article here. In short, this proposed that existing regulators be empowered to fold a set of five cross-cutting principles into their remits:
- Safety, security and robustness
- Appropriate transparency and explainability
- Fairness
- Accountability and governance
- Contestability and redress
Importantly, the White Paper emphasised a reticence to intervene with bespoke rules for AI. Instead, existing frameworks like the Consumer Duty and the Senior Manager and Certification Regime (for FS), would be used to ensure firms take ownership of the appropriate use of (and governance over) any AI models. The FCA and Bank of England (BoE) have already aligned themselves with this view, through recent speeches and the tailoring of the Model Risk Management Policy.
White Paper Response
Following a review of stakeholder feedback, the response to the White Paper has now been published. It emphasises the following key points:
What this means for FS firms
In the coming months, the government will formally establish activities to support regulator capabilities and coordination, including its Steering Committee. They will publish findings from stakeholder engagement (via a series of expert discussion papers) and conduct new targeted consultations. Some common themes that should be addressed include intellectual property, data bias and the risk of discrimination, data protection and transparency, competition and impacts on the workforce.
UK financial services firms should continue to keep abreast of all consultations issued by the FCA, PRA and BoE, as they will be charged with the regulation of AI for this sector. Our previous article summarises the guidance that has been issued so far to date. In particular, the FCA and BoE have now been asked by the government to publish their future plans by the end of April. FS firms should also keep informed of any requirements from adjacent regulators that may have some remit over their operations — e.g. the Information Commissioner's Office.
In the meantime, as AI adoption continues to increase, firms should proactively begin adapting their risk management and governance frameworks — e.g, by establishing an effective suit of controls aligned to their risk appetite. Given the emphasis on Senior Managers' responsibility and the Consumer Duty, these should be prioritised. Firms could also choose to apply for the DRCF pilot scheme for support in understanding the regulatory framework.
The fact that the UK government will continue to review the need for future binding requirements on the developers of general-purpose AI systems may bring comfort to FS firms as they continue to consider and/or increase the use of these systems within their applications and services.
With political agreement now reached on the EU AI Act (see more in our article here), and regulatory frameworks developing in the US, firms with a footprint across multiple jurisdictions should consider how they will navigate any divergence.
How KPMG in the UK can help
Within KPMG in the UK, we have been developing and implementing AI tech solutions internally and externally. Through our extensive technical, operational and risk experience, we can help accelerate your ambitions within the AI space. This can be done by helping you define your AI strategy, governance and use case definition — right through to working with you to build effective AI tech solutions that are designed to add value to your business, underpinned by effective security, data and technology controls.
If you would like to discuss, please get in touch.