As the global race to develop artificial intelligence (AI) and harness its advantages surges on, countries generally agree that regulation is necessary and are actively exploring options to establish a more uniform legal framework for the development, marketing and use of AI to ensure high levels of protection of public interest, whilst ensuring the free movement of AI-based goods and services.

At the forefront of AI legislation across the globe is the EU, which is taking a prescriptive legislative framework-based approach in the form of the AI Act, which will impose legislative obligations at all stages of the lifecycle of an AI system. In stark contrast, the UK is adopting what is referred to as a ‘pro-innovation’ approach to AI, with flexible regulation and governance that supports scientific research and entrepreneurs, whilst ensuring that the risks of AI are addressed and that consumer confidence and trust remain intact.

In the table below we summarise the similarities and differences across the main aspects of the two approaches to regulating AI.

 

Definition of AI
  • European Commission: A rigid definition which classifies technology based on the level of risk it poses to the health and safety or fundamental rights of a person; unacceptable, high, limited, and minimal.
  • United Kingdom: Flexible definition of AI based on features such as adaptivity and autonomy, rather than the techniques and methods that AI. The intended purpose is to ‘future-proof’ against new and emergent technologies that have unanticipated outcomes.

Compliance framework
  • European Commission: Prescriptive legislative framework-based approach, imposing legislative obligations at all stages of the lifecycle of an AI system.
  • United Kingdom: Principles-based approach that UK regulators should consider to best facilitate the safe and innovative use of AI in the industries they monitor.

Industry/Sector applicability
  • European Commission: Horizontal, industry-agnostic application of a single set of rules to govern AI’s use.
  • United Kingdom: No intention of assigning rules or risk levels to entire sectors and technologies, rather adopt a ‘context-specific’ approach. Sector-specific regulators expected to issue guidance on application of principles in next 6-12 months.

Regulatory enforcement
  • European Commission: Reliance on a coordinated network of new and established regulators, including a central European AI Board and national competent authorities for AI in each Member State.
  • United Kingdom: Adherence to the principles will be on a non-statutory basis and implemented by existing regulators with the key outcome being to drive responsible ‘AI innovation and continue to respond quickly to technological advances’.

Cost of non-compliance
  • European Commission: Penalties of up to EUR 40 million or up to 7% of global annual turnover.
  • United Kingdom: No prescriptive sanctions or monetary fines at this stage.

 

What should organisations be doing now?

The regulatory position of the EU and the UK represents two ends of a spectrum. Based on current developments, the EU is set to be the first jurisdiction to enact a comprehensive regulatory framework with countries such as Canada and Brazil following suit with equivalent legislation. Other countries, including the US, will instead follow a broad sectoral approach in line with the UK. As regulations across the globe continue to evolve, a practical first step for companies should be to evaluate their existing compliance frameworks in the realms of data, privacy, security and resilience to determine those areas within existing mandates that cover similar territory.

Regulatory frameworks within the EU and UK are yet to be finalised; however, organisations should take early action now to ease the compliance burden further down the line. ‘No-regrets’ activities to consider include:

Launch AI task force and perform horizon scanning

  • Stay on the lookout for all applicable AI regulations, such as the EU’s AI Act and AI Liability Directive, and new/updated guidance from UK regulators (expected in next 6-12 months)
  • Partake in AI regulatory/standards discussions, e.g. ISO AI working group
  • Act as in-house AI advisor and information hub to the company
  • Engage AI experts to stay informed of the latest cross-industry views and potential direction of travel

Establish AI compliance capability, or augment existing compliance capability

  • Analyse regulatory landscape, its commonalities and jurisdictional nuances
  • Establish ‘gold standard’ AI policies and standards, including incident management processes to drive compliance across borders
  • Form regular governance cadence, such as annual audit, quarterly reviews and regular AI risk forums
  • Ensure appropriate link-up with existing governance to avoid siloed management and drive necessary business engagement

Review AI technologies in line with relevant third-party and employee expectations

  • Perform full due diligence on AI technologies, including background checks and risk assessment
  • Review sources and coding practices of the AI providers
  • Ensure the AI acts in line with company core values
  • Train the AI on expectations and related disciplinary measures, with awareness of data and bias implications

Define a technology classification catalogue

  • Classify all technologies based on their use cases, data source and integrations
  • Classify all systems against upcoming AI Regulation grouping – i.e. unacceptable risk, high risk, limited risk and minimal risk
  • Maintain, update and ensure any changes are tracked through change management process with DPIA and risk assessments conducted against AI risks

 
