WIXLIB

8 Regtech Adoption Practice Guide Artificial Intelligence-based Regtech SolutionsIncreasing amount of data sources with broader usage:As banks are collecting and storing increasing amounts ofdata, an ML model can help to predict possible outcomesthrough iterative processing and analysis of a large datasets.For example, an investment risk model may find externallyavailable company attributes such as expenses, income,historical regulatory related fines, and internally held datasuch as loan pay-back ability to correlate and calculate theinvestment risk. The data in turn helps to train a model thatcan enable automated investment decisions.Other challenges that can be addressed by AI-basedRegtech solutions include dealing with increasing regulatorycomplexity, managing the associated costs of compliance,and meeting greater expectation on control and systemauditability.As AI solutions require a significant volume of quality data,many banks face challenges in the availability and qualityof their data due to factors such as unidentifiable andduplicated data sources, duplicated data storage locations,lack of data ownership, poor data quality, unstructureddata, and manual data verification and reconciliation. AI canhelp streamline and better control the gathering of sourcedata from different systems across a bank as detailed inRegtech Adoption Practice Guide Issue #4: RegulatoryReporting and Stress Testing4.Whether AI-based Regtech solutions are developedin-house or by vendor partners, it is important for banksto establish proper governance and controls to managethe related risks. Some of the key barriers and risks forAI-based Regtech solution adoption are listed below.Section 3 of this Guide (“Implementation Guidance”)will further explore the methods banks may adopt toovercome these barriers and mitigate or minimise theimpact of the key risks.Increased customer expectations: COVID-19 hasaccelerated the adoption of digital technologies. Customershave become accustomed to receiving products andservices digitally and are increasingly expecting the samefrictionless digital experience from their banks.AI solutions can streamline the customer journey to providean enhanced experience, whilst continuing to manage abank’s risk and meet compliance obligations. For example,NLP and ML-based sales compliance solutions can be usedto minimise multiple call-backs to customers (for moredetails please see Use Case 1 in Section 4.1 of this paper).42.3 Key barriers/risks whenadopting AI-based RegtechsolutionsKey barriers Data availability and quality: The effectiveness of AIapplications depends on the availability of high-quality,diverse, and dynamic datasets. Banks should thereforehave the right data infrastructure in place (e.g. a datalake hosting data from multiple source systems) toensure that all the relevant internal and external dataare available and current. However, the maturity of datainfrastructure varies amongst banks, with time andmonetary investment required to build up the necessaryinfrastructure.Poor data quality has a direct correlation to inaccurateand biased results. Due to the complexity of the datalineage and frequent changes in data ownership, banksoften find it challenging to locate the data sources,conduct data validation, and maintain data quality.Regtech Adoption Practice Guide Issue #4: Regulatory Reporting and Stress Testing, HKMA (November 2021), ion/guidelines-andcircular/2021/20211126e1a1.pdf

Regtech Adoption Practice Guide Artificial Intelligence-based Regtech Solutions 9 Talent and relevant skillset shortage: Talent andrelevant skillset shortage has been identified as asignificant barrier to Regtech adoption across theHKMA White Paper, the Regtech Adoption Index5, andthe Regtech Skills Framework6 report. AI is a fastmoving topic, and developments in AI-related skillsetsare constantly progressing. Emerging domains thatrequire innovation – such as AI-enabled Regtech – arestill experiencing a large skills gap. If banks are unableto secure talent with cross-disciplinary skills or upskillexisting employees, they will find it difficult to adoptAI-based Regtech solutions.When adopting AI-based Regtech solutions that involvepersonal data, banks need to conduct a comprehensiveprivacy risk assessment, referencing the Data ProtectionPrinciples under the Personal Data (Privacy) Ordinance.Banks should also ensure good data ethics withinthe development and operation of AI-based Regtechsolutions. Adoption of Cloud computing: Cloud computingprovides the data storage capacity and massiveprocessing power that are fundamental to AI innovation.Many AI-based Regtech solutions available in themarket are also cloud-based. Although Hong Kongbased banks have started to adopt Cloud computing,this is still at a relatively early stage, as detailed in thefirst Regtech Adoption Practice Guide “Cloud-basedRegtech solutions”7.Banks should be mindful of such limitations and planand execute continuous monitoring after deploying AImodels to detect performance degradation, known asmodel drift, and ensure the models are continuouslytrained and updated to remain accurate and applicable.Key risks Data Privacy and right of use: AI-based Regtechsolutions are reliant on the ingestion of vast amountsof data to train models and detect patterns. Dependingon the Regtech application areas, the data utilised byAI-based Regtech solutions may involve personal data.Related data privacy risks include:– Excessive data are collected than required– Data are used for purposes other than specified– Data are stored and transmitted insecurelyAccuracy and reliability: While some AI modelscan make judgements/decisions with minimal humaninterference, banks need to be aware that outputs canbe biased and can lose accuracy over time. Outcomebias is often the result of a stale dataset or whencertain populations are under/over-represented in thedata. In addition, AI model performance will degradeover time due to various reasons, such as whenpreviously unseen data become available, or variablesand parameters change triggered by a change in thebusiness and upstream data changes. Explainability: While AI-based solutions offersignificant automation opportunities, there is a majorrisk for the growing AI sophistication, i.e. explainability.The lack of understanding of how AI-based solutionswork to produce output is also referred to as a “blackbox” risk.AI-based Regtech solutions outputs are often tied torisk management decisions or compliance outcomes.Banks should implement adequate measures to ensurean appropriate level of transparency and explainabilitycommensurate with the materiality of the solutions.– Risks of discrimination and profiling85678The Regtech Adoption Index 2020, HKMA (June 2021), ion/press-release/2021/20210617e5a1.pdfRegtech Skills Framework - Assessment & Recommendations Report, HKMA (October 2021)Regtech Adoption Practice Guide Issue #1: Cloud-based Regtech Solutions, HKMA (June 2021), ion/press-release/2021/20210617e5a1.pdfGuidance on the Ethical Development and Use of Artificial Intelligence, Office of Privacy Commissioner of Personal Data, (August 2021), https://www.pcpd.org.hk/english/resources centre/publications/files/guidance ethical e.pdf

10 Regtech Adoption Practice Guide Artificial Intelligence-based Regtech Solutions03 ImplementationguidanceBefore implementing an AI-based Regtech solution,banks should establish a proper enterprise-leveldata AI governance model as well as ensure accessto AI-related skills and capabilities.Banks canestablish talent programmes to upskill staff basedon recommendations outlined in the EnhancedCompetency Framework on Fintech9 and RegtechSkills Framework published by the HKMA. This sectionoutlines some pre-requisites and key considerationsfor AI-based Regtech implementation to address thechallenges and barriers listed in Section 2.3.3.1 Pre-requisite 1: Establishorganisational datagovernancea cumbersome and time-consuming process to identifyand extract the relevant data when required. Proper datagovernance provides an effective foundation and bestpractices for banks to deploy AI-based Regtech solutions.Without this foundation, AI-based Regtech solutions wouldbe built upon unsuitable poor quality data, which couldlead to inaccurate outputs, greatly reducing the value suchsolutions could bring to a bank.Data governance componentsAs a first step, a bank should define its data governancecomponents. Below are some critical components thatbanks should consider including in their data governanceprogramme:Data governance is an enterprise-wide standardisationof roles, processes, policies, and standards in regard todata. A lack of standardised data governance results in9Enhanced Competency Framework on Fintech, HKMA (December 2021), ion/guidelines-and-circular/2021/20211203e1.pdf

Regtech Adoption Practice Guide Artificial Intelligence-based Regtech Solutions 11Figure 1: Data governance components for AI-based Regtech solutions People and organisation: Buy-in from the seniorleadership is key to a successful data governanceprogramme.Once the executive sponsorship isobtained, a data governance committee should then beformed to drive data management activities. As eachbusiness unit uses data differently, it is critical thatthe committee comprises data owners from diverginglines of business as well as the IT departments. Banksshould also invest in training employees in key datacapabilities, such as business intelligence, advancedanalytics, data architecture, and data integration toprepare the organisations for change. Process: Establishing and standardising data governanceprocesses is essential for the effective execution ofdata management activities. Typical data governanceprocesses include request management and issueresolution. Policy and standard: A data governance policy is a setof standardised guidelines, operational procedures, andmanagement approaches to manage data throughoutthe entire data lifecycle, from creation to disposal. Toensure consistent execution of data management,quantifiable standards should also be defined. 10Technology: Technology facilitates the access toand management of data as well as adherence toprocesses and procedures. Banks need to modernisetheir data architecture before realising the benefits of AItechnology. Banks should also identify data tools andplatforms for the monitoring and consumption of databy business units across the banks. Data quality: Data quality determines the outcomes ofan AI application. Banks should therefore establish adata quality framework comprising processes to reviewand address data quality issues. Data suitability: Banks must ensure the data are fit forpurpose and that they represent a sizable sample thataccurately reflects the overall data population. Data security and privacy: Data privacy refers tosafeguarding banks’ enterprise and customer datathroughout the data management lifecycle. Banksshould define and establish rules and controls on theauthentication, authorisation, and access to data atthe raw data level. All data activities, for example,access to and modifications of data, should be properlyrecorded to fulfil audit requirements.All business units across the bank and IT departmentsneed to be involved to establish the right organisationaldata governance. A bank can consider the three-stepapproach outlined below to establish organisational datagovernance:1 Understand the current state: The first step is tounderstand the current practices across the above datagovernance components before defining the strategyand vision of the future state. A review of datainventory should be performed to understand wheredata resides across the organisation. This can bedone through a documentation review and interviewswith data owners or subject matter experts from thebusiness functions. The exercise also allows banks tobetter manage data-related risks such as data breachor leakage of customer data10. Interviews should focuson capturing the as-is state as well as understandingthe current use cases, pain points, and potential datarequirements for the future.Sound practices for customer data protection, HKMA (April 2022), ion/guidelines-and-circular/2022/20220404e1.pdf

12 Regtech Adoption Practice Guide Artificial Intelligence-based Regtech Solutions2 Design and build a data governance framework: Thedata governance framework should be designed withconsideration of the existing business landscape andfuture-state vision against all relevant data governancecomponents. Key business users should be involvedthroughout the design process and key stakeholdersshould be engaged early to socialise the design. Thisenables users to be aware of the design and generatesbuy-in.3 Implement the data governance framework: Theimplementation stage will enable the bank to bridgethe gap between the current state and the target datagovernance framework. The key to implementation isa well-designed and realistic implementation roadmapwhich should be developed based on prioritisedinitiatives and take into account any dependent activities.The implementation should be managed as a projectusing a clearly defined project delivery methodology.3.2 Pre-requisite 2: Establishan AI governance frameworkA robust AI governance framework enables andoperationalises trust, accountability, and transparency inAI-based solutions. Currently, there is no industry-standardAI governance framework. However, various organisations,including the Office of the Privacy Commissioner forPersonal Data in Hong Kong and the HKMA have publishedguidance on AI governance and high-level principles onAI11, which banks could reference when establishing their11AI governance framework. While not exhaustive andapplicable to all AI-based Regtech solutions, this sectioncaptures some key steps banks can consider whenestablishing their own AI governance framework.Understand the current state: Identify and documentall AI-based solutions in the organisation to understandexisting AI use cases and capabilities. Gather and assessany current governance and risk frameworks applied toAI-based solutions and identify areas of focus.Develop a strategy and governance: Banks, whetherdeveloping their own AI solutions or working with thirdparty vendors, should develop AI-related strategies,principles, and controls that generate trust in the solutions.Where possible, banks should obtain documentation fromthird parties to ensure adherence to their AI principles.Examples of AI principles that promote trust are: Algorithm integrity: Confidence in the validity oftraining data and processes and metrics used todevelop and evaluate AI solutions. Explainability of the algorithmic decision-makingprocess: Understanding why and how the AI modelsproduce the outputs promotes transparency andreliability. Fairness of the models: Consideration of bias, such asrace and gender, to ensure the models are inclusive andfree from prejudice.High-level Principles on Artificial Intelligence, HKMA (November 2019), ion/guidelines-and-circular/2019/20191101e1.pdf

Regtech Adoption Practice Guide Artificial Intelligence-based Regtech Solutions 13Resilience: Refers to the ability of the AI solutionsto withstand a major disruption within acceptabledegradation of performance and to recover within anacceptable time frame. Governance and guidelines, data governanceframework, and determining a service delivery modelto ensure that there are clear company policies andprocedures around the adoption of AI-based solutions.Define a target operating model (TOM): Creating an AITOM and subsequent implementation of the TOM helpbanks to understand how the AI solutions will be managedand run. Key components to include in the AI TOM are:Establish governance committees: Targeted AI governancecommittees ensure the right decision-makers cometogether to make informed decisions to steer thedevelopment and use of AI and address the unique risksand issues of AI-based solutions. The identification of AI-related skills and capabilitieswithin the banks, and areas in need of developmentper the Enhanced Competency Framework on Fintechand Regtech Skills Framework published by the HKMA.Define roles and responsibilities of people involved inthe AI development lifecycle, for example, who shouldbe responsible for continuous monitoring of the AIsolutions and subsequent refinement of the underlyingmodels. The key processes and templates, for example, aprocess map detailing the steps and actors involvedin conducting AI model evaluation, along with thestandardised model evaluation form to document theevaluation. The technology available to support the key processes,and data integration considerations to enable theadoption of AI-based solutions.Build a risk management framework: A bank shouldconsider implementing an AI-specific risk managementframework to facilitate the monitoring, identification, andprioritisation of AI-solution risks. The framework shouldcontain risk mitigation strategies covering the AI solutiondevelopment lifecycle, for example system failure, ethicalconcerns, and cybersecurity.Continuous control: A bank should maintain continuouscontrol over the AI-based solution post-implementation.Necessary capabilities and skillsets within the bankshould be acquired or developed to enable the continuousgovernance and risk management of AI-based solutions.Regular audits of AI-based solutions also need to be putin place to identify risks and ensure compliance with localregulations.

14 Regtech Adoption Practice Guide Artificial Intelligence-based Regtech Solutions3.3 AI-based Regtech solutionimplementationWhen adopting an AI-based Regtech solution, a bank shouldfollow a standardised project implementation approach.The previous research showed that 61% of surveyedHong Kong banks partner with a third-party vendor toimplement Regtech solutions, with 8% using purelyin-house development capabilities. Figure 2 below is anexample of a standard project implementation approachthat a bank can consider when partnering with third partiesto adopt AI-based Regtech solutions.Figure 2: Sample standard project implementation approachSource: KPMG1. Strategy (Initiate)It is important to align the objectives and target outcomesof AI-based Regtech solutions with the organisation’svision and strategy. After the objectives are defined,the project team should understand the organisational AIcapabilities and AI governance to make the buy-or-developdecision, define the project scope, and define roles andresponsibilities. These steps ensure a proper foundationfor an AI project and help to avoid future deviations fromthe project goal.2. DesignThe second phase aims to understand how to desig

6 Regtech Adoption Practice Guide Artificial Intelligence-based Regtech Solutions 2.1 Key developments AI is an overarching concept that refers to different emerging technologies mimicking the cognitive functions of humans, such as problem-solving, speech recognition, visual perception, decision-making and language translation.