6 minute read 15 Mar 2024
Illustrations of people going to parties at night

The EU AI Act: What it means for your business

Authors
Konrad Meier

Senior Manager, AI Law Leader in Financial Services | EY Switzerland

Solution-oriented financial services lawyer with an entrepreneurial mindset.

Roger Spichiger

Partner, Responsible AI Leader in Financial Services | EY Switzerland

Supports financial services clients on their AI journey with deep finance, risk and regulatory transformation expertise. Roger loves the water, mountains and all kinds of sports.

6 minute read 15 Mar 2024

The EU AI regulation is coming. What does it mean for you and your business in Switzerland?

In brief

  • The EU AI Act brings strict requirements, also for organizations which have not had to deal with model management until now.
  • As a first step, organizations should gain an overview,  build a repository of all models and implement a model management.
  • The EU AI Act is set to enter into force in Q2-Q3, 2024, with transition periods for complying with various requirements ranging from 6-24 months.

Artificial Intelligence (AI) is transforming our world in unprecedented ways. From personalized healthcare to self-driving cars and virtual assistants, AI is becoming ubiquitous in our daily lives. However, this growing use of AI has raised many concerns about its impact on fundamental rights and freedoms. In response to this, the European Union (EU) has taken a significant step to regulate AI.

The EU AI Act, also known as the EU Artificial Intelligence Act, is the world's first concrete initiative for regulating Artificial Intelligence. It aims to turn Europe into a global hub for trustworthy AI by laying down harmonized rules governing the development, marketing, and use of AI in the EU. The AI Act aims to ensure that AI systems in the EU are safe and respect fundamental rights and values. Moreover, its objectives are to foster investment and innovation in AI, enhance governance and enforcement, and encourage a single EU market for AI.

Who is affected?

The AI Act has set out clear definitions for the different actors involved in AI: providers, deployers, importers, distributors, and product manufacturers. This means all parties involved in the development, usage, import, distribution, or manufacturing of AI systems will be held accountable. Moreover, the AI Act also applies to providers and deployers of AI systems located outside of the EU, e.g., in Switzerland, if output produced by the system is intended to be used in the EU.

What is required?

Step 1: Model inventory – understanding the current state

To understand the implications of the EU AI Act, companies should first assess if they have AI systems in use and in development or are about to procure such systems from third-party providers and list the identified AI systems in a model repository. Many financial services organizations can utilize existing model repositories and the surrounding model governance and add AI as an additional topic.

Organizations which have not needed a model repository so far should start with a status quo assessment to understand their (potential) exposure. Even if AI is not used at present, it is very likely that this will change in the coming years. An initial identification can start from an existing software catalogue or, if this is not available, with surveys sent to the various business units. 

Step 2: Risk classification of models

Based on the model repository, the AI systems can be classified by risk. The EU AI Act distinguishes different risk categories:

The Act lays out examples of systems posing an unacceptable risk. Systems falling into this category are prohibited. Examples include the use of real-time remote biometric identification in public spaces or social scoring systems, as well as the use of subliminal influencing techniques which exploit vulnerabilities of specific groups.

High-risk systems are permitted but must comply with multiple requirements and undergo a conformity assessment. This assessment needs to be completed before the system is released on the market. Those systems are also required to be registered in an EU database which shall be set up. Operating high-risk AI systems requires an appropriate AI risk management system, logging capabilities and human oversight respectively ownership. There shall be proper data governance applied to the data used for training, testing and validation as well as controls assuring the cyber security, robustness and fairness of the system.

Examples of high-risk systems are those related to the operation of critical infrastructure, systems used in hiring processes or employee ratings, credit scoring systems, automated insurance claims processing or setting of risk premiums for customers.

The remaining systems are considered limited or minimal risk. For those, transparency is required, i.e., a user must be informed that what they are interacting with is generated by AI. Examples include chat bots or deep fakes which are not considered high risk but for which it is mandatory that users know about AI being behind it.

For all operators of AI systems, the implementation of a Code of Conduct around ethical AI is recommended. Notably, General-purpose AI models (GPAI), including foundation models and generative AI systems, follow a separate classification framework. The AI Act adopts a tiered approach to compliance obligations, differentiating between high-impact GPAI models with systemic risk and other GPAI models. 

Step 3: Prepare and get ready

If you are a provider, deployer, importer, distributor or affected person of AI systems, you need to ensure that your AI practices are in line with this new artificial intelligence regulation. To start the process of fully complying with the AI Act, you should initiate the following steps: (1) assess the risks associated with your AI systems, (2) raise awareness, (3) design ethical systems, (4) assign responsibility, (5) stay up-to-date, and (6) establish a formal governance. By taking proactive steps now, you can avoid potential significant sanctions for your organization upon the Act coming into force.

The AI Act is set to come into force in Q2-Q3 2024 following publication in the Official Journal of the European Union. Transition periods for compliance will subsequently be imposed with companies having 6 months to adhere to requirements for prohibited AI systems, 12 months for certain General Purpose AI requirements, and 24 months to achieve full legislative compliance.

What are the penalties in case of non-compliance?

The penalties for non-compliance with the AI Act are significant and can have a severe impact on the provider’s or deployer's business. They range from €7.5 million to €35 million or 1% to 7% of the global annual turnover, depending on the severity of the infringement.  Hence, it is essential for stakeholders to make sure they understand the AI Act fully and comply with its provisions.

How is the financial services sector impacted by the Act?

Financial services have been identified as one of the sectors where AI could have the most significant impact. The EU AI Act contains a three-tier risk classification model that categorizes AI systems based on the level of risk they pose to fundamental rights and user safety. The financial sector uses a multitude of models and data-driven processes which will come to rely more on AI in the future. Processes and AI systems used for creditworthiness assessments, or the evaluation of risks with AI premiums of customers fall into the high-risk category under the AI Act. Additionally, AI systems used in operating and maintaining financial infrastructure considered to be critical also fall under the scope of high-risk AI systems, as do AI systems used for biometric identification and categorization of natural persons or employment and employee management. 

Illustrations of people going to parties at night

EY EU AI Act brochure

Download the PDF to get an overview of the EU AI Act and its impact on the markets. 

Download PDFb

Summary

The EU AI Act is set to be a significant milestone in the field of AI regulation and innovation. To ensure that the benefits of AI are fully realized while protecting fundamental rights and user safety, it is important for organizations to act now, assess their risks, and start preparing for the changes that the AI Act will bring. By doing so, organizations can move towards a more secure and trustworthy AI environment which will allow them to reap the rewards of this transformative technology.

Acknowledgement:

We kindly thank Ava Dossi for her contribution to this article.

About this article

Authors
Konrad Meier

Senior Manager, AI Law Leader in Financial Services | EY Switzerland

Solution-oriented financial services lawyer with an entrepreneurial mindset.

Roger Spichiger

Partner, Responsible AI Leader in Financial Services | EY Switzerland

Supports financial services clients on their AI journey with deep finance, risk and regulatory transformation expertise. Roger loves the water, mountains and all kinds of sports.