The AI Act and the Financial Sector

10/4/2024 János Pribelszki, PhD student

The Regulatory Framework of the AI Act

AI is increasingly becoming part of our everyday lives. Artificial intelligence is growing in prominence and entering everyday public discourse, and not only because of the regulation that now governs it. It is here that one can most clearly sense EU legislation trying to catch up with reality. The technology itself is not new, but in recent years it has advanced both qualitatively and quantitatively, and today it is rapidly reshaping the operations of numerous industries, including the financial sector.

AI casts new light on data management and risk management, creates the possibility of automated decision-making, and simultaneously generates new challenges in the areas of data protection, data security, ethical standards, and other forms of legal compliance. While finding the right balance between innovation and legal regulation is a key expectation placed on legislators, adapting to already enacted regulatory requirements presents a serious challenge for market participants and public bodies alike.

What is the AI Act?

In March 2024 the European Parliament approved the Artificial Intelligence Act; following its adoption by the Council it was published in the Official Journal as Regulation (EU) 2024/1689 and entered into force in August 2024. The regulation is groundbreaking because it is the world’s first attempt to regulate the use of artificial intelligence in a comprehensive, framework manner.

The novelty of the AI Act lies in its linking different AI technologies to levels of risk. This creates a tiered regulatory framework ranging from the lowest-risk solutions all the way to outright prohibited applications. The underlying premise is that tools serving different purposes carry different levels of risk. The AI Act distinguishes four categories:

  • Minimal Risk: This category covers applications that do not significantly affect people’s rights or safety, such as spam filters or internal administrative applications within organizations. The AI Act imposes no specific obligations on these systems; providers may voluntarily adopt codes of conduct. (General-purpose AI models, such as large language models, are not a risk tier in this sense; the AI Act governs them under a separate set of obligations.)
  • Limited Risk: Limited-risk AI systems are applications that may somewhat influence users’ decisions or rights, but not to a significant degree. These include, for example, chatbots or AI-based customer service systems that facilitate communication without directly determining outcomes for users or creating major risks. For such systems the regulation imposes transparency obligations: users must be informed that they are interacting with an AI system, and AI-generated content must be marked as such. This category is particularly relevant in the area of customer information and decision-support functions.
  • High Risk: High-risk AI systems are applications that may have a significant impact on people’s rights, safety, and quality of life. This category includes AI systems operating in areas such as medical diagnostics, financial decision-making (for example assessing the creditworthiness of natural persons), or the administration of justice. These systems are subject to strict compliance requirements and oversight, including a risk management system, data governance rules, detailed technical documentation, logging, human oversight, and a conformity assessment before they are placed on the market.
  • Unacceptable Risk (Prohibited AI practices): Unacceptable-risk AI systems are applications that endanger people’s fundamental rights and safety; under the AI Act these may not be placed on the market or used, as they are incompatible with fundamental rights and values. This category includes, for example, social scoring systems that rate people’s behaviour or characteristics and lead to detrimental treatment, which are potentially discriminatory and raise serious ethical concerns.

It is clear from the above that the first task for providers and deployers of AI systems is to classify each system according to its risk level. The rules governing this classification are set out in the AI Act itself (in particular its list of high-risk use cases and its list of prohibited practices), and the Act also specifies which bodies may carry out the conformity assessment that high-risk systems must undergo.

A critical question for AI systems used in the financial sector is the extent to which they qualify as high-risk. This matters because the designated critical infrastructure elements in the financial sector are already subject to stricter regulatory requirements than other actors in the industry, and the AI Act adds a further layer on top of them.

Under the AI Act, AI systems used as safety components in the management and operation of critical infrastructure are listed among the high-risk uses; the same list separately names the assessment of natural persons’ creditworthiness and the risk assessment and pricing of life and health insurance, which are the entries most directly relevant to banks and insurers. This does not, of course, imply automatic classification of everything a bank runs: it is obviously necessary to distinguish between a bank’s chatbot and an algorithm that automatically adjudicates loan applications. It is also important to note that not every part of a bank necessarily qualifies as critical infrastructure, yet it is still worth being prepared for the possibility that a larger proportion of the software used within banks will be classified as high-risk compared to other market participants.

If a system does receive a high-risk classification, the provider incurs a number of corresponding obligations. The most important of these are as follows:

  • Risk management: The provider must establish and operate a risk management system that runs throughout the system’s lifecycle. Among other things, it is responsible for identifying the foreseeable risks the high-risk system poses, estimating the likelihood and severity of harm, and adopting measures that reduce those risks to an acceptable level.
  • Data governance: Providers must ensure that the training, validation and testing datasets are relevant, sufficiently representative, and as free of errors and complete as possible, so that the system does not reproduce bias or discriminatory outcomes.
  • Technical documentation: By maintaining adequate documentation, providers seek to reduce the “black-box effect.” The term is used when an AI system provides useful output to the user but the system’s decision-making process is not transparent or traceable.
  • Instructions for use: Preparing and making available instructions for use helps deployers of the tool understand how the AI system works, what it is intended for, and how it must be overseen.

Beyond these, the AI Act also requires high-risk systems to keep logs that allow their operation to be traced, to be designed for effective human oversight, and to achieve an appropriate level of accuracy, robustness and cybersecurity, including resilience against attempts to manipulate the model or its inputs.

Awareness of the challenges posed by a changed regulatory environment is not new to our bank’s operations, nor does it arise without precedent. Nevertheless, the regulatory framework briefly outlined above presents the KIBERLAB team with numerous challenges; the team continuously works to ensure that AI systems can operate in full legal compliance and provide optimal support for both users and providers.

In the next instalment of this series, you will learn what counts as artificial intelligence under the AI Act.

Reviewed by: dr. Laura Bikki Kovácsné, dr. Bernadett Bocsi, and dr. András Bencsik
