
The EU’s Artificial Intelligence Act Has Gone Live: How Will it Affect U.S. Banks?


The European Union’s new Artificial Intelligence Act went into force on August 1. Two years from that date, organizations will need to be in full compliance with most of the act’s articles. While a few dozen U.S.-based financial firms with operations in Europe are already preparing, companies worldwide will feel the act’s regulatory ripples as it influences policy and policing.

“This is a paradigm we have seen before,” said Henning Soller, a partner at McKinsey & Co., which recently surveyed 150 EU-based institutions about their preparedness for governing generative AI and implementing the EU AI Act. He explained how Europe has in the past taken the lead in crafting comprehensive data and technology policies that served as a “testbed” for other countries in the Middle East, Latin America, and Asia Pacific.

When the EU parliament, for instance, adopted the General Data Protection Regulation governing data security and privacy, countries like Brazil used it as a blueprint for their own legislation while others adapted parts of it for their regulatory frameworks. To this end, governments are likely to learn and cherry-pick from the EU AI Act’s articles or adopt its provisions wholesale to advance their own oversight initiatives.

Concerns about the technology and particularly generative AI, after all, are the same everywhere: ethics, privacy, accuracy, reliability, and security are common themes among regulators focused on managing AI’s risks. The EU AI Act’s aim, to “promote human-centric and trustworthy AI, while protecting health, safety, and fundamental human rights,” expresses the balance policy makers hope to achieve between innovation and societal protections and the fine line banks will expect to walk as they deploy the technology more broadly in their operations.

Still, how to apply it to achieve these ends isn’t entirely clear. In the McKinsey survey, only 5% of financial institutions “strongly agreed” that they understood what the EU AI Act required of them and, likewise, what risk categories—defined by the act—their AI projects would fall into. EU regulators, too, might add to the uncertainty by being slow to provide guidance and clarity through the two-year implementation period. Resolving cases where jurisdictions, using their own readings of the act, interpret guidance differently also will be crucial.

“The idea is to have one regulation. But what we saw with GDPR is that different regulators have slightly different views,” said Malin Strandell-Jansson, an associate partner in McKinsey’s Stockholm office. “With regards to enforcement, diverging views can be a real problem.”

U.S. Marching to Its Own Drum, But Listening

In the U.S., meanwhile, lawmakers tend to follow their own path and extend the scope of established law to capture what’s needed for new technology. In this case, the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, provides one foundation for evolving AI requirements for banks. It requires any financial institution that offers services to consumers to explain how their data is used and to safeguard sensitive data. States, too, often take the lead with their own legislation. “A lot on the U.S. side happens at the state, and not necessarily federal, level,” Soller said, complicating efforts to design country-wide policies in the U.S.

As the U.S. continues to build out its regulatory framework and fill gaps in AI oversight, plenty of U.S. companies will need to comply with the EU AI Act. In financial services alone, McKinsey estimates that today 40-50 U.S.-based banks with operations and customers in the EU will be subject to the new rules, as will those developing AI in the U.S. and sending outputs to the EU. The numbers are likely to increase as regulators review cases where banks may have a limited number of EU-based clients, but EU clients, nonetheless. “Even if it’s just a small part of your overall customer population, the corresponding setup of the right kind of governance is still required,” Soller said.

Fortunately, U.S. banks may have a head start in their AI governance maturity, Soller believes. U.S. companies in general, he said, have a stronger technical foundation than their EU counterparts in terms of how they’re implementing AI, and they’re further along in maturing their technology controls overall. The financial services industry is heavily regulated already, so the idea of incorporating new controls, in this case for AI, is not new. “In that sense, financial institutions are actually better off than other companies,” Strandell-Jansson said. “The idea is to complement and fill gaps where regulations already exist.”

For all banks, implementing a plan to comply with the EU AI Act will place extra burdens on them as they work to recognize the operational and monetary benefits of deploying the technology. How much of a burden is unclear. Strandell-Jansson believes that while complying with the requirements will slow adoption, the time spent now will be worth it.

“AI governance is a bit like digital sustainability—if we don’t act now and formulate this in a responsible, practical way, we will need to repair the disaster later on,” she said.