ACFCS Contributor Report: A Compliance Approach to Mitigating AI Risks to Personal Privacy – the quest to balance data accuracy, integrity, security, sourcing

Graphic source: PC Mag. To read the full story, click here.

Policing predictive analytics

• Crime forecasting and predictive policing, including the ingestion of historical crime data into AI systems to predict high-density “hot spots,” a highly touted feature of some AI, AML vendors systems.
• The executive order defines “crime forecasting” as the use of analytical techniques to attempt to predict future crimes or crime-related information.  
• It can include machine-generated predictions that use algorithms to analyze large volumes of data, as well as other forecasts that are generated without machines and based on statistics, such as historical crime statistics.
  

Ripples in the AI watermark

• To fight AI deepfake images, videos and audio, the order is asking government agencies to examiner how they can create “watermarking” for anything that has been wholly or in part created with or altered by AI.
• The term “watermarking,” according to the order, means the act of embedding information, which is typically difficult to remove, into outputs created by AI for the purposes of verifying the authenticity of the output or the identity or characteristics of its provenance, modifications, or conveyance.
• The examples in the order include outputs such as photos, videos, audio clips, or text.
  

Putting the ‘official’ back in government documents, videos, voices

• The order is also exhorting government agencies to “Protect Americans from AI-enabled fraud and deception by establishing standards and best practices for detecting AI-generated content and authenticating official content.”
• This would be the other side of the coin from the above initiative to watermark AI-enhanced content by creating a way to ensure the authenticity of actual government or private-sector messages, images and videos.
• Currently, the order is tasking The Department of Commerce with developing guidance for “content authentication and watermarking to clearly label AI-generated content.”
• Federal agencies will “use these tools to make it easy for Americans to know that the communications they receive from their government are authentic—and set an example for the private sector and governments around the world,” according to the executive order.
  

Apart from protecting the country’s citizens and businesses from AI scams, the government also must better protect itself.

The order is also calling for the establishment of an “advanced cybersecurity program to develop AI tools to find and fix vulnerabilities in critical software,” which would further build on current efforts, including the Biden-Harris Administration’s ongoing AI Cyber Challenge.

Together, these efforts “will harness AI’s potentially game-changing cyber capabilities to make software and networks more secure.”

The multi-dimensional directives are also designed to diminish or deflect the potential for organized criminal groups, rogue nation states and other global power competition foes, like Russia and China, to use the same AI technology to puncture national security’s virtual vaults.

Implementing privacy measures through technology and integrating these control measures into procedures will achieve a higher level of compliance that is more adaptable to change.

Currently, PETs encompass technological tools and techniques designed to enhance procedural protection of private information.

For instance, PETs such as differential privacy, synthetic data, and homomorphic encryption can be utilized to anonymize data on a large scale, allowing companies to benefit from the products of AI without assuming all the liability that can accompany a data breach.

Implementing privacy measures through technology and integrating these control measures into procedures will achieve a higher level of compliance that is more adaptable to change.

Currently, PETs encompass technological tools and techniques designed to enhance procedural protection of private information.

For instance, PETs such as differential privacy, synthetic data, and homomorphic encryption can be utilized to anonymize data on a large scale, allowing companies to benefit from the products of AI without assuming all the liability that can accompany a data breach.

Synthetic data

“Synthetic data, generated by sophisticated algorithms, closely mimics real-world scenarios,” according to a Nov. 2023 story in Medium, touting that “ Generative AI and Synthetic Data will make our internet safer.”

“This allows cybersecurity professionals to create realistic testing environments without exposing actual sensitive data,” the piece posits. “Through this, the efficacy of security measures can be thoroughly evaluated without the inherent risks associated with using genuine datasets. Generative AI can revolutionize the way cybersecurity protocols are tested.”

Homomorphic encryption

Homomorphic encryption (HE) is a cryptographic scheme that allows analysts to perform calculations on encrypted data without decrypting it, according to several published reports, including TechTarget, Inpher and John Cook Consulting.

HE converts data into ciphertext that can be analyzed and worked with as if it were still in its untainted, untouched form.
 
This enables analysts, scientists and their advanced systems to encrypt data, perform calculations on it without decrypting it, and then receive the resulting ciphertext back without compromising sensitive or restricted data assets, according to published reports.

The act classifies different actions enabled by AI based on the risk they pose to society and the specific measures and precautions companies should take to mitigate or avoid these risks.

For example, AI being used in healthcare for diagnostic or predictive purposes is classified as high risk and needs to be registered in the EU database and continually assessed.

In comparison, the use of Generative AI like ChatGPT poses a systemic risk and needs to follow the transparency requirements set forth in the act.

As compliance experts work to understand what liability and risks AI is subjecting us to, companies must proactively reevaluate their compliance protocols, rethink their approach to risk assessments, and explore updated privacy measures.

As companies eagerly adopt different AI technologies, they face an increased risk of financial crimes including fraud and money laundering – issues squarely on the minds of top officials in the U.S. and Europe as detailed in their dueling directives.

In the hopes of better protecting against financial crime, companies should be incorporating AI-specific risk assessments, but to do so they need to understand the types of financial crimes they are facing.

The use of AI can protect against financial crimes such as fraud and money laundering because its ability to review structured and unstructured data is more effective in catching money laundering schemes and detecting fraud.

The issue is with the advancement of new AI technologies comes new ways to defraud and scam.

AI has the power to create deepfakes of bank staff or consumers to create elaborate schemes with the intent to defraud a broad array of financial sector institutions, including banks, credit unions, money services businesses and crypto exchanges.

It opens up an entire new realm of scam attack angles.

Instead of limiting scams to the funds available in an account, deep fakes can be used to open new accounts, take loans and engage in transactions as if they were the consumer themselves.

Banks and financial institutions have several forms of due diligence in place to identify the beneficial owner of an account that in some cases can fall short when it comes to the depths of AI – particularly when the onboarding is fully digital and online.  

AI can pull data from any source it has access to, which in most cases is limitless.

Criminals can create such extensive synthetic identity scams that traditional compliance measures are inadequate to keep up with the changes that come with AI, putting more pressure on fincrime compliance and fraud teams to see how such technologies can supercharge their defensive efforts.

In short order, AI has emerged as a highly valuable tool, offering the potential to significantly enhance efficiency and effectiveness in practically all industries, from business to government and more – the implications and ramifications of which are only limited by imagination.

It feels like almost overnight, AI programs including ChatGPT, Claude, Midjourney and others have empowered individuals to be able to calculate more quickly, create art and music beyond their direct skill levels with the right prompts and even research and write like a journalist or novelist – creating full stories and books in seconds.

Embracing AI is not just a step toward innovation – it's an essential stride in the pursuit of progress and success in the corporate world.
Technological innovations like AI can change the way we conduct business in every aspect imaginable, but with it comes endless debates on the boundaries of privacy law and civil liberties.

Where would the world be without the development of Facebook, but also where would we be if, say for example, Facebook was not regulated?

Many would say Facebook needs to be significantly more regulated than it is now, but those who work more intimately in the field of technology believe the current regulations are impractical and unreasonable.

The best course of action to bridge the gap between what we want to implement, and what we actually can implement, would be to become familiar with the framework for risk assessments published by the National Institute of Standards and Technology (NIST).

In essence, it would be wise for individuals, software and hardware creators and corporates and banks, in particular, to incorporate NIST’s guidance on AI risk management into enhanced education programs and procedural privacy protection.

Compliance teams should take the most immediate action in updating their risk assessments, tailoring their training and education through the lens of NIST recommendations, and adopting PETs.

Those efforts sensitize, for instance, a bank’s automated transaction monitoring system to alert more quickly when riskier accounts run amok – and both the risk assessments and monitoring at many institutions rely in bulk on AI.

That creates a seeming dichotomy: How do you use AI risk assessments…to risk assess the AI you are using…to reduce the risk of financial crime?

AI and Risk Assessments are the newest Catch-22. Even so, countries like the U.S., EU and many tech-focused public-private sector groups believe AI-driven risk assessments can be effective in predicting future risks based on historical data.

As well, the socio-technical nature of AI can identify trends and vulnerabilities for a company better and more efficiently than an individual.

However, the risk assessment must also consider the inherent risks associated with the use of the AI technology in the first place.

AI operates effectively when it has access to a broad spectrum of data, but this exposes the company to additional risks, potentially increasing the likelihood of a data breach or cyberattack.

Not surprisingly, the answer on how to untangle the Celtic knot of AI risk assessments comes from a group with historically big brains tackling weighty and complicated challenges: The National Institute of Standards and Technology (NIST).

NIST is a non-regulatory agency that is part of the U.S. Department of Commerce.

As part of its mandate, it develops cybersecurity best practices, guidelines, standards, and offers a bevy of practical resources and guidance that has found its way into federal statutes, Executive orders and other U.S. policy initiatives.

The group also turned its own considerable processing power to guide on AI.

In January 2023 after 18 months of public and private-sector analysis from hundreds of stakeholders, the group released a framework to address the risks accompanying AI.

The seminal work outlines what top minds believe are the four core functions a company must diligently scrutinize at the different stages of the AI-adoption, use, review and retune cycle.

Here are compressed and summarized snapshots of those core functions. They are:

Govern – The politics of the matrix

GOVERN is a cross-cutting function that is infused throughout AI risk management and enables the other functions of the process.

• Aspects of GOVERN, especially those related to compliance or evaluation, should be integrated into each of the other functions.
• Attention to governance is a continual and intrinsic requirement for effective AI risk management over an AI system’s lifespan and the organization’s hierarchy of AI risks, uses and data security exposure points.

Map – Directions on the AI interstate

The MAP function establishes the context to frame risks related to an AI system.

• The AI lifecycle consists of many interdependent activities involving a diverse set of actors.
• In practice, AI actors in charge of one part of the process often do not have full visibility or control over other parts and their associated contexts. The interdependencies between these activities, and among the relevant AI actors, can make it difficult to reliably anticipate impacts of AI systems.
• For example, early decisions in identifying purposes and objectives of an AI system can alter its behavior and capabilities, and the dynamics of deployment setting (such as end users or impacted individuals) can shape the impacts of AI system decisions.
• As a result, the best intentions within one dimension of the AI lifecycle can be undermined via interactions with decisions and conditions in other, later activities.

Measure – Building trust, making sure it does the right thing

The MEASURE function employs quantitative, qualitative, or mixed-method tools, techniques, and methodologies to analyze, assess, benchmark, and monitor AI risk and related impacts.

• It uses knowledge relevant to AI risks identified in the MAP function and informs the MANAGE function. AI systems should be tested before their deployment and regularly while in operation.
• AI risk measurements include documenting aspects of systems’ functionality and trustworthiness.

Manage – Bringing it all together, to keep it together

The MANAGE function entails allocating risk resources to mapped and measured risks on a regular basis and as defined by the GOVERN function. Risk treatment comprises plans to respond to, recover from, and communicate about incidents or events.

• Contextual information gleaned from expert consultation and input from relevant AI actors – established in GOVERN and carried out in MAP – is utilized in this function to decrease the likelihood of system failures and negative impacts.
• Systematic documentation practices established in GOVERN and utilized in MAP and MEASURE bolster AI risk management efforts and increase transparency and accountability.
• Processes for assessing emergent risks are in place, along with mechanisms for continual improvement.

The after-action report – balancing risks, resources, reviews and results

After completing the MANAGE function, plans for prioritizing risk and regular monitoring and improvement will be in place, according to NIST, but you still must go further.

Framework users will at that point have enhanced capacity to manage the risks of deployed AI systems and to allocate risk management resources based on assessed and prioritized risks.

But all of this must live in an atmosphere of continuous improvement, the group stated.

“It is incumbent on Framework users to continue to apply the MANAGE function to deployed AI systems as methods, contexts, risks, and needs or expectations from relevant AI actors evolve over time.”

Here is why AI-driven fincrime compliance teams need to “care” about Caremark.

Caremark harkens back nearly three decades to the seminal case “In re Caremark International Inc. Derivative Litigation,” where the Delaware Court of Chancery set forth a test to determine whether a director failed to “exercise reasonable oversight,” according to a September report by lawyers at Latham & Watkins.

“The court concluded that a director could be held liable for such claims only where a plaintiff could establish a director’s ‘lack of good faith as evidenced by sustained or systematic failure’ of oversight. These director oversight claims became broadly known as ‘Caremark claims.’”

While no company can shield itself entirely from risk, if it meets the NIST standard, it can likely avoid a great deal of liability, which is the goal they should be striving for.

The best way to mitigate risk is to build a team that understands what they are up against.

This is easier said than done as it can be quite challenging for an in-house legal team to manage its day-to-day tasks, such as contract review and negotiations, while also staying up to date on pending legislation and new executive orders.

To make training and education an effective control for AI programs, a company must have a well-resourced team that operates independently and has reporting mechanisms in place to foster a safe environment for learning and growth within the team.

Accountability structures that outline the roles and responsibilities of team members as well as AI risk management training tailored to the compliance team would be effective to ensure consistent compliance and a thorough understanding of the risks.

Just as criminals are historically “early adopters” of any tip, trick of tech tactic to outsmart bank controls and law enforcement, it would serve compliance champions well to be on the front of this gathering AI data risk assessment storm.

That would be preferable to playing a game of catchup with a machine mind that doesn’t stop, doesn’t eat, doesn’t sleep and has only one goal: to capture and analyze as much data it can – wherever and however it can get it.