Financial services firms are leveraging Generative AI (GenAI) to identify areas of operational efficiency, innovate products and services, and improve overall business performance. The rapid acceleration in GenAI adoption requires financial institutions to strengthen existing governance structures and comply with the evolving AI regulatory landscape, frameworks, and guidelines. Beyond addressing compliance issues, robust governance needs to be tailored to GenAI-specific risks in order to promote responsible and transparent use of AI technology.
In this piece, we discuss five foundational elements for establishing and implementing GenAI governance across financial services organizations.
Proactively Engage with Legal and Compliance
As part of a highly regulated industry, financial services firms need to prioritize regulatory compliance, especially for GenAI, which is marked by heightened scrutiny and new and evolving guidelines (AI Act, Algorithmic Accountability Act, provisions within the American Data Protection and Privacy Act). As a result, it is imperative that organizations work closely with Legal and Compliance teams when devising GenAI implementations, right from the start.
Uplift Risk and Control Inventory
Adoption of GenAI comes with new risks, especially around data and cybersecurity. A key governance component is updating risk management frameworks and associated controls so that the risks, and the severity and impact assigned to them, reflect GenAI. Organizations should re-evaluate the existing risk and control inventory and enhance and tailor it for GenAI. Specific risk areas that organizations need to assess when leveraging GenAI include:
- Data – potential for unauthorized access, misuse, or mishandling of sensitive data, compromising data privacy and integrity
- Cybersecurity – increased vulnerability to cyberattacks and threats, including data breaches and malware
- Third-party – risks tied to reliance on external GenAI providers or vendors and their associated data security practices, compliance, and reliability
- Regulatory – risks stemming from non-compliance or inadequate scrutiny with respect to regulatory requirements and industry guidelines
- Technology – risk of technology failure, including system errors, compatibility issues, and unanticipated performance gaps in GenAI solutions
- Talent – challenges in finding and retaining skilled professionals to manage, secure, and govern GenAI applications effectively
A prominent example of guidelines aimed at managing risks associated with AI systems comes from the National Institute of Standards and Technology (NIST), whose AI Risk Management Framework (AI RMF) can be a useful tool for organizations to leverage while updating their risks and controls. [1]
Establish Monitoring
Effective governance should develop metrics, such as performance and risk indicators, for the key areas GenAI affects, so that GenAI systems and their associated risks can be better managed. In addition, organizations should leverage automated monitoring tools to detect anomalies, model drift, or other potential issues in real time.
GenAI governance should monitor risks in at least the following areas:
- GenAI vendor management
- Data quality and output bias
- Financial impact
- Security issues
To establish an effective GenAI governance structure, it's crucial to define clear ownership of decision-making processes. Defining roles and responsibilities for oversight, coupled with robust audit trails, ensures accountability and transparency across the organization.
Choosing the right operating model
An optimal model allows organizations to evaluate and prioritize areas for leveraging GenAI solutions, ensuring consistent adoption and implementation of the technology across all lines of business.
Organizations can choose a centralized, decentralized, or hybrid model based on their maturity, size, and overall risk appetite:
- Decentralized – Functional teams report to the organization’s AI governance lead, practicing self-governance with distributed decision-making and flexibility
- Centralized – A central body oversees all AI initiatives, setting standards, policies, and methodologies; especially suitable for highly regulated environments
- Hybrid – Centralizes AI expertise and best practices while allowing business units to innovate and tailor solutions suited to their unique needs
Enabling diversity of inputs
Effective governance requires perspectives from cross-functional areas including Data, Cybersecurity, Regulatory Compliance as well as from specialists in Legal, Ethics, and Human Resources. Diverse inputs help ensure GenAI governance policies are well-balanced and can manage risks across all areas of the organization. Each participating team assumes accountability around resolving specific issues related to their functional areas with the common goal of using GenAI in an ethical manner.
Establishing decision-making forums
Establishing a steering committee to oversee AI strategy and policy, alongside an AI Ethics Board, can greatly help address the following key issues:
- Uplifting existing governance policies and procedures
- Reviewing and approving GenAI-related projects
- Defining risk tolerance for GenAI activities
- Remediating undesired outputs and unintended consequences
These forums can facilitate decision-making and maintain alignment between business and technology goals.
Privacy
The barrier to entry for GenAI adoption has been greatly lowered by the advent of Large Language Models (LLMs) and other GenAI tools, which can use enterprise data for inference without requiring large amounts of training. That data can include sensitive company information and Personally Identifiable Information (PII), making data privacy and security a major concern and a critical component of overall governance.
As part of GenAI governance, financial institutions' policies should focus on:
- Mandating the use of private enterprise models hosted in secure cloud environments, as opposed to publicly available models
- Identifying the specific sensitive data attributes that are used with LLMs, and taking appropriate action to prevent sensitive data leakage
- Defining access guidelines for the use and distribution of data in Retrieval Augmented Generation (RAG)
- Ensuring GenAI compliance with GDPR and CPRA by enforcing data subject rights, data minimization, cross-border data safeguards, and consent management
System Security
In addition to ensuring appropriate use and management of data, it is critical to build alignment with cybersecurity practices and constantly monitor GenAI systems/applications to identify breaches or vulnerabilities. Utilizing the right tools enhances data security and aligns GenAI data asset management with the organization’s Data Governance policies.
According to Cisco’s 2024 Data Privacy Benchmark Study, most organizations are limiting the use of GenAI due to data privacy and security issues: 27% had banned its use (at least temporarily), and 48% acknowledge inputting non-public company information into GenAI tools. [2]
A crucial consideration for organizations advancing their GenAI journey is the creation and thorough understanding of their existing AI technology and system inventory.
Maintaining a centralized repository enables firms to track the use of AI technology across various business units. This includes managing vendor-provided AI solutions, AI adoption projects, AI models, data sources for AI consumption, and essential artifacts such as system documentation, incident response plans, and data dictionaries. This practice enhances transparency by
- Providing a holistic view of GenAI usage and maturity
- Evaluating the risk associated with each system
- Identifying the number of users impacted by each model
- Enabling faster response to GenAI-related incidents
- Maintaining up-to-date GenAI assets
Leadership must ensure that the GenAI governance framework fosters a culture of responsible technology use. As a starting point, it is important to build practices that educate leaders and employees about GenAI, its intended application within the organization, and how it ties to the overall strategic objectives. GenAI-related best practices can be implemented through tailored training programs and documented policies and procedures that support uniform adoption. Integrating GenAI as a strategic priority within the organization and ensuring overall compliance will help all teams recognize its significance and risks, while also securing the necessary support.
Example: Ally Bank has implemented an AI playbook that guides the enterprise. The playbook defines common policies and processes as well as ethical guidance and considerations for the organization. [3]
Conclusion
Establishing robust governance is crucial for a financial services firm’s GenAI journey, whether starting with limited adoption or scaling across the enterprise. Strong governance enables financial institutions to fully leverage GenAI’s potential while remaining compliant, fair, and secure.
Organizations should prioritize aligning governance with business units through clearly defined policies, procedures, and controls. Additionally, investing in employee education and training on GenAI risks and responsible use will support long-term implementation and utilization.
While GenAI offers transformative potential for the financial services industry across various use cases, only effective governance can ensure that its impact remains compliant, fair, and secure for all.
Capco and GenAI
Capco’s focus and expertise in GenAI Governance is helping financial services clients harness AI responsibly with a focus on compliance, transparency, and ethics, especially within the highly regulated environment. Contact us to learn how our tailored GenAI governance frameworks can give you a competitive edge.
References
[1] https://www.nist.gov/
[2] https://investor.cisco.com/news
[3] https://media.ally.com/