As an FSI specialist at AWS, I work with many FSI firms who have or are planning to put their generative AI applications into production. As regulated entities, or as a technology providers to regulated entities, there are regulatory considerations which must be considered. As is the case with most regulations in FSI, these regulations are often principal based, providing broad guidance on desired outcomes while requiring the regulated firm to develop and follow detailed policies to achieve these outcomes. Audits from regulators then review the firm’s detailed policies and ask for evidence to show that they adhere these policies, often in the forms of audit trails or similar. In providing guidance to firms who want to assure they are aligned with current and emerging regulations; I have provided the general principles behind these regulations along with a list of current and emerging regulations.

• Describe how your AI solution collects, uses, and protects personal identification information (PII)

• This is closely tied to existing data privacy regulations

• Your solution must prevent bias to disadvantage select groups

• You must demonstrate that your solution does not have bias by way of training data and test results

• Describe how your solution works and how it derived responses

• Describe the data used by your solution to produce responses

• Describe the logic behind the responses (which most LLMs can provide with their responses if asked)

• Each use-case is assessed for its unique risk

• Your regulatory exposure can vary greatly by the specific use-case your solution addresses

• You must identify which organization, company, or group is responsible for each of the above areas for your solution

• This list may include groups internal to your firm, or external providers

• For your firm, identify which regulatory body is responsible for ensuring compliance with the regulations

• California SB 1047 (pending) – safety testing, safeguards, monitoring for “frontier” developers (vetoed)

• Presidential executive order on Safe, Secure, and Trustworthy AI (October 2023)

• FTC – consumer protection

• NHTSA – safety, specifically in autonomous vehicles

• California CCPA – data privacy

• EU GDPR – data privacy

• EU AI Act – assess risk of the use-case that regulates development, use, and placement of AI

• Published policy stating it expects to use a regulator-led, sector-specific approach

• Pan-Canadian AI Strategy – advocates responsible AI, Canadian AI Ethics Council

• Personal Information Protection and Electronic Document Act

• National Artificial Intelligence Ethics Framework

• EMBAG – mandates the release of federal system as open source

• OECD and UN are establishing guidelines currently

Of the current regulations above, perhaps the most impactful is the EU AI Act. If your firm operates in the EU or had customers in the EU, you may be impacted for AI offering. Some firms (Meta, Apple) have delayed release of their AI offerings in the EU until they can fully comprehend the regulatory impacts. In general, data privacy laws apply where AI models use private data for training, or access private data to provide responses to prompts. Careful classification of private data, segregation of private data handling, and algorithm and bias and explainability are important details you must provide regulators. Some useful links are below;

AWS AI Data Foundation