On June 25, the International Organization of Securities Commissions (IOSCO) published a draft report and proposed guidance (Report) regarding asset managers and market intermediaries’ use of artificial intelligence (AI), including machine learning (ML). It’s a useful reference document to help you stay informed on evolving firm practices, as well as regulatory concerns and approaches, in this area.
The Report is based on IOSCO’s survey of and discussions about AI and ML with asset managers and market intermediaries. It analyzes how firms are using the relevant technologies, outlines the potential benefits and risks, and describes how firms are addressing those risks. The report also includes appendices describing how various regulators (including Canadian securities regulators) are addressing AI and ML risks and summarizes guidance in this area published by international organizations such as the Financial Stability Board.
IOSCO is seeking feedback on six proposed regulatory measures (Measures). Three of the measures are framed as proposed requirements that IOSCO believe regulators should adopt:
- Test and monitor algorithms: Regulators should require firms to test and monitor the algorithms to validate the results of any AI and ML technique on a continuous basis. Testing should be conducted in an environment that is segregated from the live environment before deployment to ensure that AI and ML behave as expected in stressed and unstressed market conditions and operate in a way that complies with regulatory obligations.
- Competence: Regulators should require firms to have adequate skills, expertise and experience to develop, test, deploy, monitor and oversee the controls over the AI and ML that the firm uses. Compliance and risk management functions should be able to understand and challenge the algorithms that are produced and conduct due diligence on any third-party provider, including on the level of knowledge, expertise, and experience present.
- Oversight of third parties: Regulators should require firms to understand their reliance upon, and manage their relationship with, third party providers, including monitoring their performance and conducting oversight. This includes having clear service-level agreements and contracts that clarify the scope of any outsourced functions and the third party’s responsibilities and that specify clear performance indicators and “sanctions” for poor performance.
The other proposed Measures are framed in softer language, which may indicate a lack of consensus among IOSCO members regarding the universal necessity for such requirements:
- Senior management responsible for AI/ML and its controls: Regulators should consider requiring firms to have designated senior management responsible for overseeing the development, testing, deployment and monitoring of, and controls for, AI and ML. This includes having a documented internal governance framework and having appropriately senior individuals with relevant skills and knowledge sign off on the technology’s initial deployment and any substantial updates.
- Disclosure and regulatory reporting: Regulators should consider what level of disclosure they should require firms to provide about their use of AI and ML. Among other things, regulators should consider:
- Requiring firms to disclose meaningful information to customers and clients around their use of AI and ML that impact client outcomes; and
- What information the regulators may require from firms using AI and ML to ensure they can have appropriate oversight of those firms.
- Data quality controls: Regulators should consider requiring firms to have appropriate data quality controls so that data on whose performance the AI and ML depends is of sufficient quality to prevent bias and sufficiently broad to ensure a well-founded application of AI and ML.
Although the Measures won’t be binding on IOSCO member regulators, we expect that the Ontario Securities Commission (OSC) and other Canadian securities regulators likely will take the final version of the Measures into account when they interpret existing rules and consider regulatory reforms.
The comment deadline is October 26, 2020. If you have questions about the Report or are interested in discussing how evolving regulatory expectations in this area might affect your business, please contact us.
June 30, 2020