Banks warn of generative model risk

Banks are rewriting risk playbooks for generative artificial intelligence as fraud teams add tools to catch deepfakes and synthetic identities. (risk.net) A model-risk framework is the bank rulebook for testing, approving, monitoring, and shutting down models that can go wrong. Risk.net reported on April 14 that banks say multipurpose generative systems are harder to govern than older models built for one narrow task. (risk.net) That difference is practical: a credit score model usually has one job, while a large language model can draft text, summarize files, answer questions, and produce unexpected outputs from the same prompt window. The Federal Reserve’s Supervisory Letter 11-7 still anchors bank model-risk programs, but it was issued in 2011, years before the current generative artificial intelligence wave. (federalreserve.gov) Banks are also dealing with a second problem: fake people and fake media aimed at customer accounts. Aware said April 14 that 98% of organizations in its survey reported an urgent need for “biometric orchestration,” meaning software that routes face, voice, and identity checks across multiple tools instead of relying on one gatekeeper. (globenewswire.com) Aware said 93% of surveyed organizations expect artificial intelligence-driven fraud to intensify over the next three years, and 86% said deepfake threats have accelerated investment in biometric security. The release described demand for liveness detection and anti-spoofing checks that try to tell a real customer from a generated face or voice. (globenewswire.com) Consumer banks are responding in public. Small Business Trends reported that Chase has launched workshops to help customers spot rising artificial intelligence-driven scams, extending a broader education push around voice cloning, impersonation, and urgent-payment tricks. (smallbiztrends.com) Regulators have been telling banks to move carefully on artificial intelligence without creating a separate rulebook just for one technology. The Office of the Comptroller of the Currency said in Bulletin 2023-37 that banks should apply existing risk-management principles to artificial intelligence, including governance, third-party oversight, testing, and ongoing monitoring. (occ.treas.gov) The standards world is moving in the same direction. The National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework tells organizations to govern, map, measure, and manage artificial intelligence risks, a structure banks can use when a general-purpose model behaves less like a calculator and more like an unpredictable assistant. (nist.gov) The immediate question for banks is no longer whether to use generative artificial intelligence, but how to prove they can control it before a model error or a convincing fake reaches a customer. (risk.net)