ASIC aims to bridge the gap in financial services AI regulation

In his keynote address at the UTS Human Technology Institute Shaping Our Future Symposium on Wednesday, Australian Securities and Investments Commission chair Joe Longo said that while the current regulatory environment around the use of artificial intelligence (AI) may not be sufficient, it is far from the “Wild West”.

“For example, current directors’ obligations under the Corporations Act aren’t specific duties – they’re principle-based. They apply broadly, and as companies increasingly deploy AI, this is something directors must pay special attention to, in terms of their directors’ duties,” Mr Longo said.

He also pointed to the 2022 Federal Court finding against RI Advice as an example of how current regulation can deal with emerging technological issues.

In that case, which was an Australian-first, the Federal Court found that RI Advice did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.

According to the corporate regulator, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.

When handing down the judgment, Justice Rofe said: “Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services.

“It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”

In his address, Mr Longo said that it’s “not a stretch to apply this thinking to the use and operation of AI by financial services licensees”.

“In fact, ASIC is already pursuing an action in which AI-related issues arise, where we believe the use of a demand model was part of an insurance pricing process that led to the full benefit of advertised loyalty discounts not being appropriately applied,” he said.

“The point is, the responsibility towards good governance is not changed just because the technology is new. Whatever may come, there’s plenty of scope right now for making the best use of our existing regulatory toolkit.

“And businesses, boards, and directors shouldn’t allow the international discussion around AI regulation to let them think AI isn’t already regulated. Because it is. For this reason, and within our remit, ASIC will continue to act, and act early, to deter bad behaviour whenever appropriate and however caused.”

Mr Longo did, however, note that the regulator would test the regulatory parameters including probing the oversight, risk management, and governance arrangements entities have in place.

“We’re already conducting a review into the use of AI in the banking, credit, insurance, and advice sectors,” he added.

“This will give us a better understanding of the actual AI use cases being deployed and developed in the Australian market – and how they impact consumers. We’re testing what risks to consumers licensees are identifying from the use of AI, and how they’re mitigating against these risks.”

The important question around AI in financial services, Mr Longo said, is finding out where the gaps are so that they can be filled.

“For now, existing obligations around good governance and the provision of financial services don’t change with new technology. That means all participants in the financial system have a duty to balance innovation with the responsible, safe, and ethical use of emerging technologies,” he said.

“Bridging the governance gap means strengthening our current regulatory framework where it’s good and shoring it up where it needs further development. But above it all, it means asking the right questions. And one question we should be asking ourselves again and again is this: ‘Is this enough?’”