
Have you written your acceptable use policy for AI in financial services?

Written by Henry Duncombe

Monday, 13 May, 2024


The challenge

Artificial intelligence (AI) is nothing new; it has been around for many years. However, generative artificial intelligence, often referred to as generative AI or GenAI, is a branch of artificial intelligence that has taken the world by storm in the last 12 months.

Generative AI uses generative models to generate text, images, videos, or other data that resemble the patterns and structures of their input training data. These models learn from a vast amount of data (e.g. the entire Web) and then produce new, original outputs that are similar but not identical to the training examples.

ChatGPT is leading the charge

The biggest example of this was the arrival of ChatGPT. This was “D-day” for GenAI and blindsided many businesses. With its ease of use, free access and lightning take-up (reaching 100 million users in just 2 months), it became the poster child of generative AI. The impact of this technology is still heavily under debate, with the vast majority of businesses believing it will significantly benefit their future, but there are many voices of concern and fears which need to be addressed.

Why financial services firms need to be careful

Within financial services, firms operate their business with due skill, care and diligence to meet the strict regulations. This means that they must take a risk-based approach in everything they do and the tools and technologies they use must be carefully managed to avoid potential issues. The power of AI comes with a huge amount of risk, and the genie is out of the bottle with business users all starting to use it for business purposes, without the approval of the IT department.

How should IT leaders respond to this?

A common starting point for all firms, when it comes to any powerful new end-user technology, is to agree on a policy on its use within their business. More specifically, firms should include it in their business as an acceptable use policy (AUP).

What is an acceptable use policy and why do I need one?

An AUP is simply a documented policy that outlines a set of rules and guidelines to be followed by business users in their use of a company’s computer resources (e.g. applications, web usage etc.). It clearly states what the user is and is not allowed to do with these resources. The AUP is essential for safeguarding and protecting firms from their IT systems being used in an illegal, unauthorised or unsanctioned manner. Typically, new staff members will read and agree to the AUP before they are given a user account on their first day in a business.

What should my acceptable use policy cover for generative AI?

When drafting your AUP for Generative AI, we would recommend that you include the following headings:

1. Introduction

Overview of the policy’s purpose. This might include a simple introduction/explanation of AI and generative AI, in a manner which a non-technical business user can understand. Then make a statement of the management’s intentions on how they would like this technology to be used in the business and some of the risks the policy looks to mitigate.

2. Scope

Be clear on who the policy applies to and under what circumstances. For example, this may cover all employees, including contractors, or anyone who has access to the company network and is granted the right to use AI tools for work-related purposes.

3. The policy

Break the policy down into a series of statements which cover the following:

Permitted uses and tools

Be clear on the permitted uses of generative AI tools within the business. This is for work-related purposes, but some firms might narrow this further to only certain areas or processes. Provide examples of how it should be used and how it should not be used. Also state obvious points, such as that users should not use generative AI to generate or spread any content that is harmful, offensive, misleading or illegal. In addition, provide a list of vetted tools, perhaps in the appendix. Note that only these tools should be made available, using the appropriate web security technology, and the rest blocked.

User responsibilities

This is critical. Many firms are adopting the position that staff should use generative AI purely as an assistant, not a replacement for their work. Staff should be informed that they are fully responsible for its output and accuracy. This means they will be held accountable for its results.

Data privacy and security

The tools should be used in line with the firm’s wider security policies on data. Which tools you have permitted will often decide whether you allow your company data to be accessible within these tools, along with any history. For example, the work version of Microsoft 365 Copilot will natively have secure access to your data within the Microsoft 365 tenant, and therefore you can allow users to securely upload and reference all the data it can see. However, if you’re just using the web version of Microsoft Copilot, it is recommended that you do not permit any users to upload any of your corporate data.

In addition, AI may also disclose business data to a business user who should not have access to it. This may be down to a poor permissions structure. In this event, the AUP should state that the user should flag this to their compliance team and not use any of the information.

Intellectual property

Business users should be made responsible for checking that the generated content does not infringe upon the intellectual property rights or copyrights of others. Depending on what tool you’re using, generative AI does provide links to its sources. Just as a reporter should “check their sources”, the business user should check these AI sources. Just because the generative AI used the data doesn’t mean it’s not accessing content which breaches intellectual property rights. For example, there are many cases where generative AI has circumvented “pay walls” to get commercially sensitive information.

Monitoring and compliance

Staff should be made aware that the use of generative AI tools will be monitored and audited as far as possible with the given technology. This is currently a weakness, because who did what, when and why is hard to see; however, it is constantly improving. This is a concern within financial services, as firms are under strict record-keeping obligations.

4. User Acceptance

Every AUP should request that the employee abide by the policy and understand that a failure to do so could result in disciplinary action. Typically, asking the employee to sign the AUP is a sensible way to complete this.

A good place to start

Generative AI is a powerful tool which the majority of financial firms are looking to embrace, but inevitably there is a lot of unsanctioned usage occurring, which is putting many financial firms at risk, in particular around data security and compliance. A great starting point to address this is to create an acceptable use policy for your financial services firm.
