Managing AI Risk: 3 Laws Companies Using Consumer Data for AI Development Need to Know

2 minute read | May.16.2023

Artificial Intelligence (AI) is transforming financial services, from underwriting and trading securities to customizing financial products and services. These innovative modeling techniques may enhance the accuracy of models used to identify potential customers and assess their potential risks, expand access to credit by underserved populations, and reduce losses and other associated costs.

However, as highlighted by the Federal Trade Commission’s (FTC) article, The Luring Test: AI and the Engineering of Consumer Trust, AI may also carry significant consumer and commercial risks. As companies contemplate novel uses of AI, here’s what you need to know about the FTC’s focus on three “laws important to developers and users of AI” which may impact your business:

Fair Credit Reporting Act, including its implementing Regulation V. The FCRA comes into play in certain circumstances where an algorithm is used to deny people employment, housing, credit, insurance, or other benefits.
Equal Credit Opportunity Act, including its implementing Regulation B. The ECOA makes it illegal for a company to use a biased algorithm that results in credit discrimination based on race, color, religion, national origin, sex, marital status, age, or because a person receives public assistance; and
Section 5 of the FTC Act. The FTC Act prohibits unfair or deceptive practices. That would include the sale or use of – for example – racially biased algorithms.

The FTC, among other regulators, will likely continue to use its authority and expertise to exercise jurisdiction under these statutory regimes and focus on companies’ use of AI. Given the growing concerns about the use of new AI tools, the FTC provides several cautionary considerations for businesses operating in this space:

Firms building or deploying AI tools should staff personnel devoted to ethics and responsibility for AI and engineering.
A company’s risk assessment and mitigation programs should factor in foreseeable downstream uses and should incorporate training staff and contractors, among others.
Firms should monitor, document and address the actual use and impact of any AI tools eventually deployed, including an exit strategy if deployment does not go as planned.
If a company wants to convince the FTC that it adequately assessed risks and mitigated harms associated with use of AI, a reduction of personnel devoted to AI ethics may not be persuasive.

It’s clear that FTC staff and other regulators are focusing on how companies may choose to use AI technology, including new generative AI tools, in ways that can have actual and substantial impact on consumers. If you use or are contemplating using AI tools as part of your product or service offerings, now is the time to examine the three laws the FTC deems important to developers and users of AI.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.