By John Hintze
For banks, artificial intelligence is not new. But the pace of AI’s advance certainly is an increasing risk. The solutions to risks arising from AI in banking include strengthening longstanding risk frameworks, adopting the technology in measured steps and educating bankers — from the frontline to the board — about its use, noted banker panelists at the 2024 American Bankers Association Risk and Compliance Conference.
The 2025 ABA Risk and Compliance Conference is set for June 10-13 in Indianapolis. Find out more.
“AI is so widely available today that it’s no longer an ‘if’ decision but a ‘when’,” Pandya said, “There’s an urgency to the discussion today, but bankers still need to know whether the technology is appropriate, when and how to use it, and how to build risk management frameworks around it.”
Richard H. Harvey Jr., general counsel and director of compliance risk at Beneficial State Bank, noted that banks’ misuse of innovations has prompted new regulations and laws for them to follow, making it incumbent on them now to learn about AI immediately. He added that some regulation to clarify AI use in financial services could be helpful but is unlikely for some time, and meanwhile regulators will communicate via enforcement actions.
“You don’t want to be the poster child that implemented an AI system and caused a lot of harm, and your bank ends up on the front page of the Washington Post,” Harvey said. “AI is very powerful and can be used for immense good, but on the flip side it can exacerbate discrimination and other issues impacting current financial services offerings.”
At the end of the day, said Nick Baxter, chief risk officer at First National Bank of Omaha, bankers must consider not only their own institutions’ use of AI but that of their technology partners and vendors. In terms of the latter two, he urged bank executives to work directly with those firms and question them vigorously about how they use AI in their services, so the bank can gauge whether the risk is acceptable.
Emphasizing the need for caution about third parties, Harvey noted that in working for three fintech firms he heard their executives routinely say “Let’s ask for forgiveness rather than permission” when developing services that may skirt bank regulations. They want to be first to market, he said. “And sometimes they operate in a wild west style.”
The approach banks take to evaluating third parties should ultimately stem from their formerly approved approaches to risk management. Baxter said he sees no need to change those frameworks, but banks must integrate AI into their risk-assessment processes to make them “AI aware.” For risk managers at banks, he noted three best practices, starting with relentlessly asking questions externally and internally about how and why the bank wants to use AI.
“We joke that what we really need is some data literate 6-year-olds,” he said.
Second: Be purposeful, Baxter said, adding that regulators should be informed about AI initiatives, and those initiatives should be incremental.
“Find a proof-of-concept, adopt it, get an early win and celebrate the heck out of it,” he said. “It breeds confidence: You’re the risk people, and you’ve shown you’ve thought it out and can be trusted to manage the execution.”
And third, he said: Banks should take advantage of their employees’ AI knowledge, since those employees are likely already using AI at home if not yet in the office. And give them general principles to abide by. Baxter added that a surprising number of lawyers who have joined his bank’s AI user-group community, because it helps them do their job better.
“It gives you the opportunity to make little step moving forward,” he said, adding that following those best practices reduces the need to bring in high-priced consultants. “You may need to buy access to expertise, but that’s very different from bringing someone in to rebuild the bank’s infrastructure.”
All three panel members agreed that quality data and the expertise to understand that data will be critical for banks to ensure use of the technology remains effective and safe. Pandya recommended a top-down approach, such as having a C-suite chief data officer overseeing a department empowered to do data governance, quality and assurance, as well as the AI and data-science modeling aspects. That executive would also be responsible for ensuring there isn’t algorithmic bias, system discrimination or other problematic AI outcomes.
“Data quality keeps us up at night, and generative AI could make that problem much worse by making the output of bad data seem reasonable and explainable,” Pandya said. “It could put ‘garbage in, garbage out’ on steroids.”
Harvey emphasized the necessity for banks to have executives that truly understand the data, and he noted that banks should have a C-suite member who is ultimately responsible and accountable for the data, although a bottom-up approach could work.
“Banks already have their risk models in place, so the issue is finding the best way to incorporate this new technology into their risk frameworks,” he said.
Also critical is more broadly educating employs across the bank about AI as its uses rapidly develop, Harvey said.
“The board of directors is going to make a determination about what risks the bank is comfortable with, and we all need to be able to manage toward the risk tolerance they establish,” he added.
A Gen-Xer in the audience stated her desire to have such a conversation with her bank’s board, but she acknowledged feeling uncomfortable about her own level of expertise and asked panel members to suggest “AI for Dummies”-sources of information.
“Where can I begin to get a really strong grasp of what we’re talking about, so I can apply it appropriately to the specific models I do understand?” she said.
Pandya pointed to the online publication Medium’s Towards Data Science, which provides relatively short blog posts that explain relevant information in consumable formats. And he recommended reviewing basic concepts from long-ago science classes.
“How did I run that test with a control group and treatment group and why was that important, why was randomization important and what does that actually tell me about the actual outcome measure?” Pandya sad. “It’s those kinds of basics; nothing more than that.”
John Hintze frequently writes for the ABA Banking Journal.
