Addressing AI Risk for Banks and FIs – Challenges and Strategies

Introduction

The integration of artificial intelligence (AI) in the banking sector presents a dual opportunity: it offers the potential to transform key functions like credit risk assessment, fraud detection, and operational efficiency but it also introduces significant new risks. To effectively manage these risks, financial institutions (FIs) must adapt their Model Risk Management (MRM) frameworks to account for the complexities introduced by AI and machine learning (ML) technologies. Additionally, FIs must comply with evolving regulatory frameworks such as the EU AI Act and the NIST AI Risk Management Framework, while simultaneously addressing AI risk associated with third-party tools and a growing model validation backlog.

In this white paper, we explore three core challenges banks face in addressing AI risk and propose strategic insights for overcoming them.

‍

1. Aligning Model Risk and Compliance Policies with AI Regulatory Frameworks

Challenge: The complexity of AI models, especially regarding transparency, fairness, and bias, necessitates the adaptation of existing Model Risk Management (MRM) frameworks to comply with the latest regulatory requirements. Frameworks like the EU AI Act, the NIST AI Risk Management Framework, and Canada's OSFI E-23 guidelines are critical drivers, yet many financial institutions are not yet fully prepared to manage the AI-specific risks these regulations address.

Solution: Banks should update MRM frameworks to address AI-specific concerns such as:

• AI-specific model risk definitions and ratings: Clear guidelines for risk rating AI models across their lifecycle, from data collection to model deployment and monitoring.
• Rigorous model validation procedures: Tailored to AI’s unique challenges, such as data bias, interpretability issues, and fairness.
• Enhanced governance: Governance structures should be revisited to incorporate ongoing model monitoring, dynamic risk assessments, and real-time reporting tools.

The integration of MRM within Enterprise Risk Management (ERM) provides a comprehensive risk perspective. This holistic approach is critical in ensuring that AI-driven decision-making aligns with regulatory compliance and organizational strategic objectives, a theme consistent with the original draft’s focus.

‍

Challenge 2: AI risks are multidimensional and cover areas ranging from model, privacy, cyber, ethical and third-party risk management policies. It is important that AI risks are considered holistically across multiple policies and stakeholder groups.

Solution: To manage AI risks, financial institutions should:

• Update risk policies to include AI-specific factors.
• Establish clear accountability for AI risk.
• Continuously monitor AI systems.
• Foster collaboration and communication across departments.

‍

2. Managing Third-Party AI Solutions

Challenge: The increasing reliance on third-party AI solutions for functions such as hiring, customer interactions, and legal services introduces complexity. Regulatory guidance requires that banks validate third-party AI models to the same standards as internal models, which can be resource-intensive and difficult to monitor on an ongoing basis.

For instance, when a financial institution uses an AI vendor solution for candidate screening, a class action lawsuit against the vendor—especially over bias or discrimination—can expose the institution to legal, financial, and reputational risks. Candidates screened out by the AI may join the plaintiff class or be incentivized to sue the institution directly, claiming unfair hiring practices. This can lead to financial penalties, regulatory scrutiny, and operational disruptions if the AI system must be overhauled or replaced. To mitigate these risks, institutions should perform rigorous due diligence on AI vendors, secure strong contractual protections, and regularly monitor AI models for compliance with anti-discrimination laws.

The issue is further magnified by the fact that many traditional software vendors now have embedded AI within their core offering. For example, a traditional telephony provider could offer an AI driven transcription module, or a customer relationship management (CRM) solution could have AI-driven automation for outbound email generation. In such cases, AI is often silently creeping into enterprises and making governance challenging.

Solution: Banks should implement robust third-party AI assessment frameworks that mirror internal model standards, including:

• Comprehensive third-party model validation: Validation processes that monitor fairness, transparency, and performance, particularly in compliance-sensitive areas.
• Ongoing risk monitoring: Regular evaluations of third-party models through key performance indicators (KPIs) that assess specific use cases like candidate filtering or AI-powered credit decisions.
• Tailored governance structures: Clarifying roles and responsibilities across departments and ensuring internal audit functions are engaged in model risk assessment.

‍

3. Reducing the Backlog of Model Testing and Validation

Challenge: AI models introduce new complexities that can overwhelm traditional model testing and validation processes. The result is a backlog that can slow innovation and leave banks vulnerable to compliance failures and operational inefficiencies. AI model outputs, unlike traditional statistical models, evolve with new data, requiring more frequent and nuanced validation procedures to ensure accuracy and fairness. Additionally, in case of 3rd party AI models, intellectual property considerations means that in-house business or model validation teams often find it challenging to effectively validate and monitor such systems.

Solution:

• Risk-based prioritization: Banks should adopt a validation approach that focuses on models with the highest potential risk while applying lighter validation methods to use-case-specific AI models.
• Automated validation tools: Leveraging automation to streamline and automate the validation process, and reducing human error and improving efficiency.
• Scalable MRM frameworks: By investing in scalable validation processes and tools, banks can keep up with the volume of AI models needing assessment while maintaining regulatory compliance.
• Use of independent validation/certification services: Independent third-party validations as those provided by Armilla AI (amongst others) allow for mutually trusted third-party to effectively validate AI models. In addition, it can help benchmark against industry standards.

‍

Conclusion

Financial institutions must address the growing complexity of AI models through a combination of enhanced governance, tailored validation procedures, and continuous monitoring. By aligning their MRM frameworks with evolving regulatory requirements, managing the risks of third-party AI solutions, and reducing the model validation backlog, banks can mitigate AI-specific risks while embracing the opportunities AI technologies present.

Learn about our AI risk management solutions here.