The Act lists practices that pose an unacceptable risk. AI systems falling into this category are prohibited outright. Examples include real-time remote biometric identification in publicly accessible spaces, social scoring systems, subliminal techniques that influence people beyond their awareness, and systems that exploit the vulnerabilities of specific groups (for instance based on age or disability).
High-risk systems are permitted but must meet a set of requirements and pass a conformity assessment before they are placed on the market. They must also be registered in an EU database that is to be set up for this purpose. Operating a high-risk system requires an appropriate risk management system, logging capabilities, and human oversight with clearly assigned ownership. Proper data governance must be applied to the data used for training, validation and testing, and controls must be in place to assure the cyber security, robustness and fairness of the system.
Examples of high-risk systems are those used in the operation of critical infrastructure, in hiring processes or employee evaluations, in credit scoring, in automated insurance claims processing, and in setting risk premiums for customers.
The remaining systems are considered limited or minimal risk. Limited-risk systems are subject to transparency obligations, i.e., users must be informed that they are interacting with an AI system or that content has been artificially generated. Examples include chatbots and deep fakes: these are not considered high risk, but it is mandatory that users know AI is behind them. Minimal-risk systems carry no additional obligations.
For all operators of AI systems, adopting a voluntary code of conduct on ethical AI is recommended.
Step 3: Prepare and get ready
If you are a provider, user, importer, distributor or affected person of AI systems, you need to ensure that your AI practices are in line with these new regulations. To start the process of fully complying with the AI Act, you should take the following steps: (1) assess the risks associated with your AI systems, (2) raise awareness, (3) design ethical systems, (4) assign responsibility, (5) stay up to date, and (6) establish formal governance. By taking proactive steps now, you can avoid potentially significant sanctions for your organization once the Act applies.
Please note that this article refers to an ongoing legislative process, which may lead to changes in the requirements described here.
What are the penalties in case of non-compliance?
The penalties for non-compliance with the AI Act are significant and can have a severe impact on a provider's or deployer's business. Depending on the severity of the infringement, they range from €10 million to €40 million or from 2% to 7% of global annual turnover, whichever is higher. It is therefore essential for stakeholders to understand the AI Act fully and comply with its provisions.
How is the financial services sector impacted by the Act?
Financial services have been identified as one of the sectors where AI could have the most significant impact. The EU AI Act contains a tiered risk classification that categorizes AI systems based on the level of risk they pose to fundamental rights and user safety. The financial sector uses a multitude of models and data-driven processes that will come to rely more on AI in the future. Processes and models used for creditworthiness assessments or for evaluating customers' risk premiums are expected to fall into the high-risk category. Models used in operating and maintaining financial infrastructure that is considered critical will also be classified as high risk, as will AI systems used for biometric identification and categorization of natural persons, or for employment and employee management. So far, the risk classification does not cover, among others, AI systems used purely to improve customer experience, fraud detection systems, customer lifetime value predictions, and pattern analysis that does not directly affect decisions on individual customers.