Limited Testing and Formal Governance Creates Compliance and InfoSec Risks for Firms Adopting AI
Despite eagerness to leverage artificial intelligence (AI), financial services firms lack formal AI governance frameworks, testing protocols, and third-party oversight, according to the 2024 AI Benchmarking Survey, a joint project of ACA Group's ACA Aponix and the National Society of Compliance Professionals (NSCP), released today at the NSCP National Conference.
The joint survey, conducted online in June and July 2024, gathered data from over 200 compliance leaders in the financial services industry around their firm's use of AI tools and technologies, as well as compliance practices used to manage the risks AI tools and technologies present.
According to the survey, firms are missing opportunities to better manage AI risks. It found that only 32% of respondents have established an AI committee or governance group, only 12% of those using AI have adopted an AI risk management framework, and just 18% have established a formal testing program for AI tools. Furthermore, most respondents (92%) have yet to adopt policies and procedures to govern AI use by third parties or service providers, leaving firms vulnerable to cybersecurity, privacy, and operational risks across their third-party networks.
"We're seeing widespread interest in using AI across the financial sector, yet there's a clear disconnect when it comes to establishing the necessary safeguards," said Lisa Crossley, Executive Director, NSCP. "Our survey shows that while many firms recognize the potential of AI, they lack the frameworks to manage it responsibly. This gap not only exposes firms to regulatory scrutiny, but also underscores the importance of building robust AI governance protocols as usage continues to grow."
Other notable findings include:
- 75% of respondents are exploring AI or using it internally, with 37% of firms reporting already having adopted AI tools for internal use and 38% currently exploring AI use cases. The most common use cases for AI were research, marketing, compliance and risk management, and operations support.
- Among respondents already using AI, 52% indicated they use public enterprise generative AI tools (such as ChatGPT), 50% reported using private/enterprise generative AI, and 43% are using machine learning.
- Compliance professionals reported that their primary goal for AI use in the compliance program is to improve efficiency (67%). Yet, as 68% of compliance professionals at firms that have already adopted AI tools reported that AI tools have had "no impact" on their compliance program, this goal has gone unrealized.
- Cybersecurity or privacy concerns around AI tools were identified as the top concern when integrating AI tools into compliance programs (45%). This was followed by uncertainty around regulations or regulatory examinations (42%), lack of talent with AI expertise (28%), and lack of tools that meet compliance programs' needs (20%) as challenges to AI adoption.
"The survey's most concerning finding is the lack of policies governing third-party AI use," said Carlo di Florio, President at ACA Group. "Regulators are heavily emphasizing third-party risk management, as we saw with the SEC's Reg S-P updates, the SEC Cyber Rule, and the EU's Digital Operational Resilience Act. ACA is actively helping clients build robust AI governance frameworks that align with regulatory demands, ensuring compliance and improving program efficiency. Without these measures, leveraging AI's potential while remaining compliant will be challenging."
The full results of the 2024 AI Benchmarking Survey will be released during ACA's and NSCP's webcast on November 7, 2024. For more information, click here.
About the Survey Respondents
Governance, compliance, and risk professionals, including chief compliance officers, chief legal officers, and chief information security officers, at over 215 financial services firms of various sizes and RAUM (regulatory assets under management) participated in the survey.
40% of respondents were from firms with between 11 and 50 employees, and 42% managed between $1 billion and $10 billion in RAUM. Asset managers accounted for 43% of total respondents, with private market firms and alternative investment advisors the second and third most common types of firms, respectively.
About ACA Group
ACA Group (ACA) is the leading governance, risk, and compliance (GRC) advisor in financial services. For over 20 years, we've empowered our clients to launch, grow, and protect their business. Our global team of 1,300 employees includes former regulators and practitioners with a deep understanding of the regulatory landscape. Our innovative approach integrates advisory, managed services, distribution solutions, and analytics with our ComplianceAlpha technology platform. For more information, visit www.acaglobal.com.
About NSCP
Since 1986, the National Society of Compliance Professionals has been the leading non-profit, membership organization dedicated to supporting compliance professionals in the financial services industry, focusing primarily on investment advisers, broker-dealers, and private funds. NSCP membership offers a wide range of compliance resources, educational opportunities, and regulatory advocacy and engagement. NSCP provides its members with essential information on compliance topics, regulatory insights, and useful tools through its monthly publication, online and in-person events, and within an interactive online community. NSCP members have access to a diverse community of compliance professionals who share their knowledge and expertise.
View source version on businesswire.com: https://www.businesswire.com/news/home/20241029416902/en/
Media Contacts:
ACA Group
BackBay Communications
aca@backbaycommunications.com

NSCP
Colleen Gallagher
OnWrd UpWrd
cgallagher@onwrdupwrd.com