CHAPTER EIGHT – ARTIFICIAL INTELLIGENCE (AI) IN FINANCIAL SERVICES
What is Artificial Intelligence?
The financial services sector is being revolutionised by Artificial Intelligence (‘AI’). In its Guidance on AI and Data Protection, the ICO defines AI as ‘the theory and development of computer systems able to perform tasks normally requiring human intelligence’.1
In movies such as ‘Terminator 2’ and Steven Spielberg’s ‘AI’, Artificial Intelligence was science fiction. AI is now a big part of our reality. Financial services companies are harnessing the great power of AI.
AI is a vast subject with a huge number of legal and data protection implications. This chapter cannot discuss them all. Rather, this chapter gives a brief summary of some of the main AI issues as they relate to GDPR.
Why is AI important in financial services?
Financial services companies use data across their operations and central functions for numerous different reasons, and they may use AI for a number of them.
Below are a few brief examples:
- Fraud Prevention – AI can help companies avoid fraud. For example, AI may be used to detect insurance fraud or money laundering by monitoring customer interactions and activity.
- Process automation – AI can help firms automate processes that you would normally expect humans to do. For example, Big Bank receives thousands of loan applications per year and rejects approximately 1,000 of them. In the old days, Big Bank used to send the names of the people who had been rejected to the administration department, who then drafted the loan rejection letters. Big Bank have now automated this process using AI: when a loan is rejected, a letter is automatically drafted by computer and sent out.
- Compliance – AI can help companies with their compliance obligations. For example, AI can be used to conduct sanctions screening checks or Know Your Customer (KYC) checks.
- Credit checking – AI can help banks and other financial institutions to check a person’s credit quickly and easily.
- Customer service – AI can help companies automate their customer service. For example, chatbots (software applications used to hold online chats with customers) and other forms of software such as voice recognition can provide individualised customer service quickly and efficiently.
- Marketing – AI can help companies in financial services to send customers marketing that is more efficient. For example, AI can help align customer preferences with the advertising they receive.
Regulators, Artificial Intelligence and a risk-based approach
As AI becomes more prevalent within companies, the authorities are starting to pay closer attention to the subject.
In April 2021, the European Commission published a new draft regulation governing the use of AI.
The Financial Conduct Authority in the UK has said: “Data analytics and AI are increasingly used in financial markets. … Where decisions are taken by financial services firms using data-based or algorithmic methods, we need to make sure those decisions are transparent, fair and secure, and that the data is used ethically.”
In July 2020, the ICO released comprehensive guidance on the subject called ‘Guidance on AI and Data Protection’. The ICO has said that organisations should adopt a risk-based approach when processing personal data for the purposes of Artificial Intelligence.
In particular, they say:
“Taking a risk-based approach means:
- assessing the risks to the rights and freedoms of individuals that may arise when you use AI;
- implementing appropriate and proportionate technical and organisational measures to mitigate these risks.”2
Legal issues to consider in respect of AI
Data Protection Principles
As we discussed in Chapter 1, the Data Protection Principles must be observed by your company when using AI.
The Principles are:
1. Lawfulness, fairness and transparency
This is important in the context of AI. In particular, you must:
- Be up front with your customers about how their personal data is processed and tell them about this in your Privacy Notices.
- Ensure the AI does not lead to unfair outcomes, such as inadvertently discriminating against the customer.
2. Purpose limitation
You cannot collect personal data for one purpose and then, behind the customer’s back, use it for a different purpose such as AI if that purpose is incompatible with the first.
3. Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Don’t let AI applications process too much irrelevant data.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. You must ensure the data you are using for the AI is accurate so that the AI does not lead to unfair outcomes.
For example, Shady Insurers use AI to help them decide what insurance price quotes they should give to various customers. Jim contacts Shady to get a car insurance quote. Shady holds out-of-date data on Jim, including details of a speeding ticket he received 20 years ago. Shady use this data to provide a quote to Jim via their AI system. As a result of using this old, out-of-date personal data, Jim is given a quote for his car insurance that is too high and unfair to him.
5. Storage limitation
Don’t retain the personal data you process in your AI projects for longer than is necessary.
6. Security
Make sure there is appropriate security around the data you use for AI.
7. Accountability
Keep records of the controls you have in place around AI in case you are ever asked for copies of these records by a Regulator.
For example, you should keep records of any Data Protection Impact Assessments you approved for the use of AI.
Legal basis under Article 6
As we discussed in Chapter 1, any time personal data is processed there must be a legal basis in place under GDPR for that processing.
The legal bases appear at Article 6 of GDPR. The ICO says: “whenever you are processing personal data – whether to train a new AI system, or make predictions using an existing one – you must have an appropriate lawful basis to do so.”3
The legal bases most likely to be relevant to AI processing are set out below. We discuss these briefly.
a) Consent of the data subject4 – The data subject has given consent to the processing of his or her personal data through the use of AI. The benefit of using consent as a lawful basis is that valid consent can be easier to document and show to a regulator in the event that you are questioned about your lawful basis for the AI. The disadvantage is that consent can be withdrawn by the individual.
b) Contractual necessity5 – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. In other words, if you need the AI to deliver a contractual service to the individual, then this may be appropriate. For example, in some cases, some insurers may (depending on the circumstances) be able to rely on this ground for the purposes of using AI to assess the policyholder’s circumstances in order to price their insurance policy.
c) Legal obligation6 – Processing is necessary for compliance with a legal obligation to which the Controller is subject. Is there any law that obliges you to apply AI to a customer’s data, for example for anti-money laundering purposes? Remember, it must be a legal obligation, not a legal discretion.
d) Legitimate interest of your firm7 – Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. This is the vaguest and most contentious legal basis. Your company may be able to rely on this ground for AI processing if you can:
- Identify a legitimate interest (the ‘purpose test’);
- Show that the processing is necessary to achieve it (the ‘necessity test’); and
- Balance it against the individual’s interests, rights and freedoms (the ‘balancing test’).8
The Article 9 Legal Basis – Special Category Personal Data
If your firm is processing special category data, such as personal data relating to race, politics, religion, genetics, biometrics, health, sex life or sexuality, whilst using AI, then you will need one of the legal bases set out above. You will also need a further legal basis under Article 9 of GDPR, such as:
- Explicit Consent, or
- Substantial Public Interest
See Chapter 1 for more details.
Processors and Controllers
Often data processing using AI involves multiple stakeholders. For example, you might purchase an AI application from a third-party provider. Alternatively, you might work with another financial institution to set up a fraud database for your mutual benefit that uses AI.
When you are working with other parties and processing personal data that uses AI, it is important to determine who the Processors are and who the Controllers are in respect of the personal data.
A Controller is ‘the natural or legal person, public authority or other body which, alone or jointly with others determines the purposes and means of the processing of personal data’.
In other words, they decide how and why the person’s personal data is processed.
A Processor is ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller’.
You may need to put contractual clauses in place to govern the relationship between you and any third parties with whom you are engaged in processing personal data that uses AI. See Chapter 10.
Profiling and Automated Decision making
The Right to have human oversight in a decision made by a computer
Article 22 of GDPR says:
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
In other words, people have a right to human oversight of a decision that has been made by a computer,9 such as when an AI application refuses a loan to a bank customer.
If you do have any AI applications that process personal data by computer and make decisions that significantly affect people, then you must make changes to your processes. You must ensure individuals who have their data processed using AI can:
- Obtain human oversight or intervention in the decision, and
- Express their point of view, and
- Receive an explanation of the decision and challenge it.
For example:
- Riley sees her dream home for sale in Cookstown.
- She decides to make an offer and the offer is accepted. Riley sees an online application for a mortgage with Dream Mortgages.
- She enters her details. Dream Mortgages use an AI application to process Riley’s personal data.
- Three weeks later, she receives an email telling her that her mortgage application has been refused.
- When Riley asks Dream about this, they tell her that a computer reviews the applications. Riley is now in danger of missing out on the sale.
- Dream must make sure that one of their employees can review the mortgage applications that the AI software has refused.
There are some exceptions to the rule that companies must have a human review of computer decisions, including if:
- The processing is necessary for a contract between the data subject and the Controller, or
- The data subject has consented to the processing.10
Mitigating your risks in relation to AI – Practical Steps to Take
As the ICO has said, you must mitigate your data protection risks in relation to the personal data processing you are doing for AI purposes.
Some of the steps you can take to mitigate any data protection risk related to the use of AI appear below.
1. Updating your Privacy Notices to tell people about how their data is processed using AI systems
We include more information on your Privacy Notice obligations in Chapter 12. In your Privacy Notice, you should tell individuals if you process any of their personal data using AI, and give details of any computer decision-making you carry out using that AI.
2. Data Protection Impact Assessments (DPIAs)
It is advisable to do a DPIA on any processing of personal data that uses AI.
The ICO has said: “in the majority of cases, you are legally required to complete a DPIA if you use AI systems that process personal data. DPIAs offer you an opportunity to consider how and why you are using AI systems to process personal data and what the potential risks should be.”11
For more details on DPIAs, see Chapter 3.
3. Contracts
If you are engaging with multiple stakeholders in relation to processing personal data using AI, then you should ensure you have contracts in place with these various stakeholders.
For example, if you use an outsourced AI provider who is a Processor and they are processing personal data on your behalf, then you need a contract in place with the provider that includes all of the processor clauses set out in Article 28 of GDPR.
If you are processing personal data using AI with another Controller, then it is a good idea to put a contract in place setting out what your various responsibilities are in respect of the personal data.
4. Anonymisation
Sometimes you may be able to derive value from processing data using AI even if the personal data is fully anonymised. Anonymised data is “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”12 Anonymised data is outside the scope of GDPR.
If you can achieve the same aims on the AI project with anonymised data, then you should anonymise the data.
1 ICO Guidance on AI and Data Protection – July 2020 – Page 8
2 ICO Guidance on AI and Data Protection – July 2020 – Page 8
3 ICO Guidance on AI and Data Protection – July 2020 – Page 29
4 GDPR – Article 6(1)(a)
5 GDPR – Article 6(1)(b)
6 GDPR – Article 6(1)(c)
7 GDPR – Article 6(1)(f)
8 ICO Guidance on AI and Data Protection – July 2020 – Page 33
9 GDPR – Article 22(1)
10 GDPR – Article 22(2)
11 ICO Guidance on AI and Data Protection – July 2020 – Page 4
12 GDPR – Recital 26