Risk & Compliance Hot Topics: AI Risk Management, State Privacy Laws

This month’s roundup of recent news and developments in the world of governance, risk, and compliance (GRC) for financial services includes:

• NCUA regulatory agenda
• AI risk management
• State data privacy legislation
• Cybersecurity risks in banking

Let’s dive in:

National Credit Union Administration releases rule making agenda

On June 14, the National Credit Union Administration (NCUA) released its 2023 spring agenda of proposed rules, pre-rules, and final rules. The regulatory topics for credit unions addressed in the agenda include climate-related financial risk, digital assets and related technology, and procedures for monitoring BSA compliance, among others.

NIST launches public working group following release of AI risk management framework

On June 22, the National Institute of Standards and Technology (NIST) launched a public working group on artificial intelligence to explore the risks, opportunities, and challenges of generative AI. In connection with NIST’s AI Risk Management Framework (released in January 2023), the working group will: 1) “help address the opportunities and challenges associated with AI that can generate content, such as code, text, images, videos and music,” and 2) “help NIST develop key guidance to help organizations address the special risks associated with generative AI technologies.”

As AI technology develops at a breakneck pace, “organizations need to act now to formulate an enterprise-wide strategy for generative AI trust, risk, and security management before deploying applications that use hosted large language models (LLMs),” one Gartner analyst recommends in InformationWeek. “Legacy security controls are not sufficient for new generative AI capabilities.”

California Consumer Privacy Act (CCPA) changes delayed

On June 30, changes to the California Consumer Privacy Act (CCPA) expected to take effect on July 1 were pushed out to March 2024. The Sacramento County Superior Court ruled that the final provisions of the California Privacy Rights Act (CPRA), which amends the CCPA, now have an effective date of March 29, 2024. However, any previously finalized regulations under the CCPA are still enforceable.

The delay came as a response to a complaint filed by the California Chamber of Commerce arguing for a 12-month transition period between the finalization of the new regulations and their enforcement. This means that regulations finalized on March 29, 2023 (regarding CPRA rules on data processing agreements, consumer opt-out mechanisms, and other issues) are now enforceable on the same date next year. Other yet-to-be-finalized changes concerning cybersecurity audits, risk assessments, and AI will also become effective one year after their finalization, the National Law Review explains.

Two other laws — the Colorado Privacy Act and the Connecticut Personal Data Privacy and Online Monitoring Act — did go into effect on July 1, 2023, as planned. The current “patchwork” of consumer data privacy laws continues amid debate about a federal standard and an active legislative agenda at the state level, Cato Institute points out in an analysis published this week. Ten states have signed comprehensive privacy bills into law, with another five under consideration as of July 2023. In total, 32 states have presented privacy bills.

Financial institutions vulnerable to cybersecurity risks in wake of banking crises

Following this year’s upheaval in the banking industry, financial institutions are being targeted by cyber criminals seeking to exploit “the fog of urgent data sharing, new communication patterns and unfamiliar systems” that come with periods of change, Banking Exchange reports.

Bad actors capitalize on merger and acquisition activity to target “lingering gaps in security systems, weaknesses in defunct systems, stale accounts, and unwatched security controls, and policy changes not understood by employees and customers.”

Cybersecurity threats like phishing, business email compromise, ransomware, and other attacks are on the rise and require increased vigilance from risk and security teams at financial services firms.