By Bart Layton, CEO - AI Guardian
Fact Checked by Robin Hackney
Within the US, the Securities and Exchange Commission (SEC) regulates the offer and sale of all securities, including those offered and sold by private companies. Established by the Securities and Exchange act of 1934, as a response to the stock market crash that had triggered the US Great Depression 5 years prior, the SEC was tasked with regulating securities trading in the US for the protection of investors and US markets. On their official website, the SEC cites its mission as "protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation."
Under SEC chair Gary Gensler, that mission has involved an increased focus on firms' use of technology - specifically modern communications technologies and predictive data analytics including the use of AI systems. Here, I explore the SEC's focus on technology, including recent communications and actions, a forecast for the proposed regulations, and recommended next steps.
The SEC's Recent Focus on Technology
Every firm regulated by the SEC has faced increased pressures recently - directly or otherwise - from the SEC regarding appropriate use of technologies. Here we explore the two applications of technology in particular have fallen under the most intense regulatory scrutiny:
1. Off-Channel Communications
If you come from the financial services industry, you may already be experiencing heart palpitations at the mention of "off-channel communications". For those less familiar, this term refers to the use of personal email, SMS, or social platforms (like What'sApp) by a member of a regulated firm for business-related communications, where that communication may not be subject to appropriate recordkeeping and supervision. While these technologies are not new - with What'sApp having been around for ~15 years, and 30 years for SMS - the strict regulation of their use in the industry has been more acute over the last 2 years, with total penalties now exceeding $1.7 billion.
2. AI and "Predictive Data Analytics"
Similarly, while one form of AI technology - generative AI - has only entered the mainstream in recent years, Machine Learning has now been actively used within the industry for decades. AI tools and technologies offer substantial potential for value to Financial firms, but they aren't without risk. In the SEC Proposed Rules on Conflict of Interest and SEC Predictive Data Analytics, they forth the position that the use of AI technologies and "predictive data analytics" present a conflict of interest risk, in which such models could promote actions that place the firm's interests ahead of those of the customer/investor, and the "black box" nature of many of these models limits the ability to address these conflicts. That said, under the broad definition originally adopted within the SEC Proposed Rule, "covered technologies" include items ranging from deep learning AI models developed in-house to third-party AI tools and AI features within platforms - some Excel macros even arguably fell in scope of the rule.
SEC Guidance and Actions on AI
In March of 2022, 6 months before the public launch of ChatGPT, the SEC released one of their earliest communications on the topic of AI - announcing the Investor Advisory Committee discussion on Artificial Intelligence and Cybersecurity. While Cybersecurity took the headline, the first topic of the day (agenda here) was a panel discussion of Ethical AI and RoboAdvisor Fiduciary Responsibilities.
The following year, perhaps bolstered by the ChatGPT-driven surge of hype around generative AI, SEC shifted from exploratory discussions to rule-making, with their July 2023 announcement of SEC Proposed Rules: New Requirements to Address Risks to Investors From Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers.
And in December 2023, SEC Chair Gary Gensler publicly denounced the practice of "AI Washing" (see FAQs below for detailed definition).
AI Sweeps by the SEC's Division of Examinations
Starting in late 2023, the SEC began issuing letters to firms requesting copies of marketing, promotion and disclosures sent to current and prospective clients containing any reference to the firm's use of AI technologies. The letter also outlined dozens of other requested pieces of evidence pertaining to the responsible use of AI, all due within a week of receipt. Reportedly under 50 firms received the first batch of requests, with far more expected over the coming year.
SEC Enforcement Actions on AI
To date, two SEC examinations into firms' use or claimed use of AI technologies have concluded with enforcement actions related to AI (see official press release from the SEC here). The two investment advisers involved were accused of "AI Washing" and ultimately settled for a total of $400k. For other firms, the outlook of other recently initiated SEC examinations into AI claims and use remain uncertain, but - as we've seen in the past - the frequency and magnitude of these penalties is only expected to grow as the SEC moves from the first wave of exploratory investigations to further sweeps across more firms within the industry.
Conclusions
So what do we expect, and what can we do about it?
Analysis and Outlook for the SEC Proposed Rule
In some ways, the SEC sweep on AI has followed historical patterns - with the first sweep hitting less than 1% of regulated firms to establish a pattern before reaching more broadly; however, in other ways it has diverged. Typically, such a proposed rule would have been issued after preliminary examinations yielded evidence of a concerning pattern not yet fully addressed by existing regulations. In this case, the proposed rule seemed to have evolved from certain presumptions - perhaps validated in part by the following sweeps, but rolled out in a way that has rubbed many the wrong way.
Critics find the rule too far-reaching with its definition of "covered technologies" (see above note on excel macros) and cite the "Gen AI revolution" as a potential driver of a "rush job" on the rule. Supporters applaud the speed of response to the otherwise unchecked AI rush, and argue that the breadth of the technologies in scope is irrelevant if there is unmitigated conflict of interest risk. That said, those opposed seem to vastly outnumber those in favor, driving many to expect a substantial overhaul of the rule.
Take note of the word overhaul above, and not abandonment. Even detractors of the rule see the need for regulatory clarity on appropriate AI technology use within the industry, and acknowledge the harm that deceptive marketing and unchecked black-box models pose to both investors and the industry at large. It is only a matter of time before the rule is reworked accordingly and formally passed.
Furthermore, just as the use of smartphones and email have transformed the industry, and now regulation of those technologies has produced over $1.7B in penalty revenues for the SEC, experts expect a similar pattern for AI. Given both its transformative capabilities and significant risk potential, AI technology will be the target of further examinations, enforcement actions, and penalties.
Recommended Next Steps - How You Use AI
So you want to get ahead of the sweeps and eventual rule - where to start?
First, know two things: how your firm uses AI, and how your firm has claimed to use AI. This sounds simple, but there's much more to both of these.
Regarding your firm's use of AI, it's important to have visibility into not only the in-house development of AI models, but also the use of AI tools and features by your employees and contractors. A proper AI Inventory covers all these use types comprehensively, categorizes the risk level for each use, captures the applicable regulations, tracks the responsible AI practices both planned and in place to meet those regulations, and notes the parties accountable and responsible for oversight.
As for references to use of AI by your firm, this particularly in public promotions, but also in correspondence with existing customers and investors. Having a good handle on this will help you understand both your likelihood for being one of the earlier sweep targets, and - when compared to your AI Inventory - your to do list to improve your odds of successfully navigating such an examination.
Ultimately, you want all claims of AI use to be valid and demonstrable, all use of AI to be compliant with applicable regulations, and your use of AI delivering maximum value with managed risk. To accomplish this efficiently, you'll need right-sized AI Governance, enabled with the right tools, leading a workforce empowered by an effective AI Policy and proper Responsible AI training.
Wherever your firm is on its journey with AI, we're ready to be your one-stop shop or help you fill in where you aren't fully covered yet. Responsible AI for everyone - that's why we're here. Because as each of us use AI more responsibly, we all win.
Frequently Asked Questions
What is an SEC "sweep"?
A sweep is a focused investigation of multiple firms, focused on one regulatory theme (e.g., record-keeping, marketing, best interest). Sweeps are often executed as campaigns, with a cycle of activities iterated over more and more firms, particularly where a pattern of violations is found or suspected. A typical sweep cycle starts with letters requesting information, then examinations (which may require further information), and lastly the resolution phase which may include issuance of findings, negotiation, and ultimately penalties or settlement where applicable).
What can I do to prepare for the SEC sweeps on AI?
The first step to prepare for an SEC sweep on AI is to know how your firm has referred to its use of AI, particularly in public promotions, but also in correspondence with existing customers and investors. In parallel, establish or review an AI Inventory for clear visibility into the ways AI is being used by your employees and contractors. Ultimately, you want all claims of AI use to be valid and demonstrable, and all use of AI to be compliant with applicable regulations, which start with the steps above.
What is "AI Washing"?
AI washing is the practice of making false or misleading claims of AI use to improve the public perception of a company's technological capabilities and position in the market. The term is patterned after the terms whitewashing (intentionally trying to hide negative aspects behind a veneer of positive messaging) and "greenwashing" (making misleading claims of being eco-friendly). The SEC has issued fines for AI washing.
Comments