View original document

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

3/27/2024

U.S. Department of the Treasury Releases Report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the…

U.S. Department of the Treasury Releases Report on Managing
Artificial Intelligence-Specific Cybersecurity Risks in the
Financial Sector
March 27, 2024

WASHINGTON – Today, the U.S. Department of the Treasury released a report on Managing
Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector.

The

report was written at the direction of Presidential Executive Order 14110 on the Safe, Secure,
and Trustworthy Development and Use of Artificial Intelligence. Treasuryʼs O ice of
Cybersecurity and Critical Infrastructure Protection (OCCIP) led the development of the
report. OCCIP executes the Treasury Departmentʼs Sector Risk Management Agency
responsibilities for the financial services sector.
“Artificial intelligence is redefining cybersecurity and fraud in the financial services sector, and
the Biden Administration is committed to working with financial institutions to utilize
emerging technologies while safeguarding against threats to operational resiliency and
financial stability,” said Under Secretary for Domestic Finance Nellie Liang. “Treasuryʼs AI
report builds on our successful public-private partnership for secure cloud adoption and lays
out a clear vision for how financial institutions can safely map out their business lines and
disrupt rapidly evolving AI-driven fraud.”
In the report, Treasury identifies significant opportunities and challenges that AI presents to
the security and resiliency of the financial services sector. The report outlines a series of next
steps to address immediate AI-related operational risk, cybersecurity, and fraud challenges:
1. Addressing the growing capability gap. There is a widening gap between large and small
financial institutions when it comes to in-house AI systems. Large institutions are
developing their own AI systems, while smaller institutions may be unable to do so
because they lack the internal data resources required to train large models. Additionally,
financial institutions that have already migrated to the cloud may have an advantage
when it comes to leveraging AI systems in a safe and secure manner.
2. Narrowing the fraud data divide. As more firms deploy AI, a gap exists in the data
available to financial institutions for training models. This gap is significant in the area of
https://home.treasury.gov/news/press-releases/jy2212

1/4

3/27/2024

U.S. Department of the Treasury Releases Report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the…

fraud prevention, where there is insu icient data sharing among firms. As financial
institutions work with their internal data to develop these models, large institutions hold
a significant advantage because they have far more historical data. Smaller institutions
generally lack su icient internal data and expertise to build their own anti-fraud AI
models.
3. Regulatory coordination. Financial institutions and regulators are collaborating on how
best to resolve oversight concerns together in a rapidly changing AI environment.
However, there are concerns about regulatory fragmentation, as di erent financial-sector
regulators at the state and federal levels, and internationally, consider regulations for AI.
4. Expanding the NIST AI Risk Management Framework. The National Institute of Standards
and Technology (NIST) AI Risk Management Framework could be expanded and tailored to
include more applicable content on AI governance and risk management related to the
financial services sector.
5. Best practices for data supply chain mapping and “nutrition labels.” Rapid advancements
in generative AI have exposed the importance of carefully monitoring data supply chains
to ensure that models are using accurate and reliable data, and that privacy and safety
are considered. In addition, financial institutions should know where their data is and how
it is being used. The financial sector would benefit from the development of best
practices for data supply chain mapping. Additionally, the sector would benefit from a
standardized description, similar to the food “nutrition label,” for vendor-provided AI
systems and data providers. These “nutrition labels” would clearly identify what data was
used to train the model, where the data originated, and how any data submitted to the
model is being used.
6. Explainability for black box AI solutions. Explainability of advanced machine learning
models, particularly generative AI, continues to be a challenge for many financial
institutions. The sector would benefit from additional research and development on
explainability solutions for black-box systems like generative AI, considering the data used
to train the models and the outputs and robust testing and auditing of these models. In
the absence of these solutions, the financial sector should adopt best practices for using
generative AI systems that lack explainability.
7. Gaps in human capital. The rapid pace of AI development has exposed a substantial AI
workforce talent gap for those skilled in both creating and maintaining AI models and AI
users. A set of best practices for less-skilled practitioners on how to use AI systems safely
would help manage this talent gap. In addition, a technical competency gap exists in
https://home.treasury.gov/news/press-releases/jy2212

2/4

3/27/2024

U.S. Department of the Treasury Releases Report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the…

teams managing AI risks, such as in legal and compliance fields. Role-specific AI training
for employees outside of information technology can help educate these critical teams.
8. A need for a common AI lexicon. There is a lack of consistency across the sector in
defining what “artificial intelligence” is. Financial institutions, regulators, and consumers
would all benefit greatly from a common AI-specific lexicon.
9. Untangling digital identity solutions. Robust digital identity solutions can help financial
institutions combat fraud and strengthen cybersecurity. However, these solutions di er in
their technology, governance, and security, and o er varying levels of assurance. An
emerging set of international, industry, and national digital identity technical standards is
underway.
10. International coordination. The path forward for regulation of AI in financial services
remains an open question internationally. Treasury will continue to engage with foreign
counterparts on the risks and benefits of AI in financial services.
As part of Treasuryʼs research for this report, Treasury conducted in-depth interviews with 42
financial services sector and technology related companies. Financial firms of all sizes, from
global systemically important financial institutions to local banks and credit unions, provided
input on how AI is used within their organizations. Additional stakeholders included major
technology companies and data providers, financial sector trade associations, cybersecurity
and anti-fraud service providers, and regulatory agencies. Treasuryʼs report provides an
extensive overview of current AI use cases for cybersecurity and fraud prevention, as well as
best practices and recommendations for AI use and adoption. The report does not impose any
requirements and does not endorse or discourage the use of AI within the financial sector.
In the coming months, Treasury will work with the private sector, other federal agencies,
federal and state financial sector regulators, and international partners on key initiatives to
address the challenges surrounding AI in the financial sector. While this report focuses on
operational risk, cybersecurity, and fraud issues, Treasury will continue to examine a range of
AI-related matters, including the impact of AI on consumers and marginalized communities.
Read Treasuryʼs AI Report here.
###

https://home.treasury.gov/news/press-releases/jy2212

3/4

3/27/2024

U.S. Department of the Treasury Releases Report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the…

https://home.treasury.gov/news/press-releases/jy2212

4/4