AI Governance and Strategy

The “greatest risk facing European banks today may be the innovations they fail to pursue.” So said European Central Bank (ECB) Supervisory Board member Patrick Montagner in a February speech in Brussels. “Standing still means falling behind,” he continued, so supervisors welcome banks’ investment in new technology, including artificial intelligence (AI). And this innovation is happening fast: according to ECB data, over 85% of significant European banks are using AI in applications ranging from fraud detection to credit scoring, from customer service to regulatory analysis.

However, governance and risk controls must keep pace with this rapid AI adoption, Montagner warned. AI, and especially generative AI, systems need ongoing monitoring, robust oversight and human accountability.

Speaking at a KPMG event in Frankfurt, Montagner’s colleague on the Supervisory Board, Pedro Machado, expanded on this argument. Machado first noted how AI is “becoming part of the day-to-day operating fabric of banks”. It therefore needs an appropriate governance and risk management framework. Machado said the ECB would take a technology-neutral approach, applying existing principles, such as those set out in current European Banking Authority (EBA) governance guidelines.

Machado said the ECB has been encouraged to see many banks put in place AI policies, centres of expertise and clearer internal processes for considering whether to deploy AI in different use-cases. Nonetheless, AI governance “remains uneven across institutions and use-cases.” Machado highlighted three main areas where more progress is needed:

• Accountability: in some banks ownership of and responsibility for AI use is fragmented across functions and divisions, without a clear accountability framework;
• Oversight: as a result, senior management does not always have effective oversight of AI, despite the strategic importance of the technology;
• Controls: not all banks have adequate internal challenge mechanisms to AI use, involving risk, compliance and internal audit functions.

These areas must be addressed so that AI is governed as a core business and risk issue, not a “technology side project”.

Turning to risk management, Machado again acknowledged banks’ efforts (building on their long experience of managing complex models) to put in place sound control frameworks for AI. Again, however, he highlighted areas where further attention is required:

• Explainability: banks must ensure that AI model outputs can be understood by decision-makers, challenged by risk managers and reviewed by internal auditors. This requires a level of explainability beyond technical documentation;
• Monitoring: AI models can evolve – or ‘drift – over time. To prevent and detect any unwanted changes, AI model performance needs to be continuously monitored, with clear procedures in place to respond should a model begin to behave unexpectedly;
• Data: high-quality and representative data is essential for AI models to perform well and avoid bias: a prudential concern if the result is risk being systematically underestimated. Good data quality and governance are therefore critical to the safe and sound use of AI.

In addition, Machado highlighted the potential concentration risks associated with generative AI. In a market dominated by a small number of providers, banks could find themselves strategically dependent on third-party vendors. This could lead to concerns around operational resilience, exit or substitution strategies, data confidentiality as well as legal and reputational risks. Machado reminded banks of the EU Digital Operational Resilience Act (DORA) requirements to assess the risks of using third-party service providers, also in the case of generative AI.

New technology, including AI, is transforming banking and has the potential to deliver dramatic further improvements in customer service and efficiency. Machado and Montagner clearly aimed to show that the ECB welcomes this, and does not wish to discourage banks from innovating.

However, both affirmed that the ECB expects banks to take a strategic approach. This involves clearly defining how new technology will add value, identifying priority use-cases and ensuring adequate resources are available. The alternative of haphazardly installing [shiny] new applications creates a danger that the risks of AI will not be properly identified and managed: which could lead to significant regulatory and reputational problems. It also raises the risk of poor investment decisions, and of banks failing to capture the full benefits of new technology. From both a risk and a business perspective, a strategic approach makes sense.