Astris CSP

Artificial intelligence in a regulated environment — a measured view.

1 March 2024

The pace of technological advancement is accelerating. This is not news to anyone who has spent the last two years wading through the ChatGPT craze. What is perhaps less well understood is the speed at which the regulatory and confidentiality questions are catching up.

The adoption reality

Adoption of AI tooling across financial services is not uniform. The largest institutions have dedicated AI governance teams, model risk frameworks, and vendor due diligence processes that run to months. Smaller firms — the wealth managers, family offices, and trust companies in our sector — often lack the governance infrastructure and are adopting faster, with less scrutiny.

The most common use cases we see are document drafting, client communication drafting, meeting summaries, and research synthesis. None of these are inherently problematic. All of them carry risks that are not immediately visible to the users involved.

The confidentiality problem

The primary risk is data. When a user submits a client document, a trust structure, or a financial summary to a consumer AI tool, where does that data go? The answer depends entirely on the provider, the subscription tier, and the terms in force. For many consumer tools, submitted data may be used for model training. For tools accessed via enterprise API, the terms are typically more protective — but only if the firm has a commercial agreement in place.

A family office administrator summarising meeting notes from a call with a $500 million client in a free-tier AI tool is making a data decision. It is unlikely they know that.

The regulatory question

Data residency and processing rules apply to AI tools as they do to any other data processor. A firm operating under the Bahamas Data Protection Act, or advising European clients under GDPR, is required to understand where data is processed and by whom. Most AI providers process data in the United States. Some offer regional processing for enterprise customers. The obligation to know falls on the firm, not the tool.

Regulators are beginning to catch up. The EU AI Act creates obligations for high-risk AI use in financial services. The FCA has published guidance on AI governance. The SEC has made clear that AI-generated client communications are subject to the same standards as human-generated ones.

A measured recommendation

AI tooling is not a thing to avoid. It is a thing to govern.

The right approach starts with a clear policy: which tools are permitted, for which use cases, with which data classifications. It continues with commercial agreements that provide appropriate data protection guarantees. And it includes ongoing review as the regulatory landscape develops.

Astris CSP helps firms think through the data residency and governance questions before they become compliance incidents. The firms that do this work now will be better positioned than those who find themselves retrofitting governance onto an already-adopted toolset.

The technology is not the risk. The absence of a framework around it is.
