Government Accountability Office Report on AI and Financial Services

By Keith Schostag

On May 19th, the Government Accountability Office (GAO) issued a report on the use of artificial intelligence (AI) at financial institutions, including credit unions. The GAO report provides a detailed look into how the rise of AI is affecting both credit unions and the National Credit Union Administration (NCUA). Indeed, while the GAO looked at financial institutions and their regulators in general, the report's recommendations target NCUA alone. So, let's dive into what the report found regarding the NCUA and credit unions.

The Benefits of AI

As the GAO notes in the report, AI can bring numerous benefits to credit unions. The report notes that financial institutions use AI for multiple functions, such as:

  • Countering threats and illicit finance through assessing customer risk and detecting illicit activity
  • Making credit decisions and analyzing credit worthiness
  • Providing customer service through chatbots
  • Making investment decisions
  • Managing risk, such as credit and liquidity risk

The report notes that these and other uses can result in lower costs for consumers, greater financial inclusion, greater convenience, increased security, higher profitability, and, most importantly, improved compliance and risk management. Truly, as the report notes and I believe, AI can be a great boon for credit unions and consumers. That being said…

The Risks of Skynet AI

While AI can bring many benefits to consumers and credit unions, it also presents multiple risks. The report notes the following risks for consumers:

  • Fair lending risk
  • Conflict of interest risk
  • Privacy risk
  • False or misleading information risk

The report also notes three main risks for financial institutions:

  • Operational and cybersecurity risk
  • Model risk
  • Compliance risk

These are very real risks and require credit unions to really do their due diligence on third party vendors. Even then, the report notes that credit unions "may find it difficult to evaluate the data sources used to train AI models, especially if the sources are opaque or unavailable…" Even if a credit union is able to evaluate data sources, new data is constantly being fed into an AI program. This means that a credit union needs to constantly evaluate the output from an AI program. Credit unions cannot blindly trust it. For example, there have been multiple cases of attorneys using AI to write briefs or motions and the AI cites to cases that don't exist. Why? Because AI is imperfect and while it can bring a lot of benefits to credit unions, it takes a lot of work and due diligence to maintain it.

AI and the NCUA 

Beyond financial institutions, the report focused on financial regulators. While the report mentions the Consumer Financial Protection Bureau (CFPB), Commodity Futures Trading Commission (CFTC), Federal Deposit Insurance Corporation (FDIC), Federal Reserve, NCUA, the Office of the Comptroller of the Currency (OCC) and others, the report's recommendation only mentions NCUA. The report notes that NCUA lacks two key oversight tools that are available to other prudential regulators:

  • Model risk management guidance
  • Third-party risk management and oversight authority

First, regarding model risk management guidance, the report notes that the FDIC, Federal Reserve, and OCC have issued holistic model risk management guidance that addresses all types of models, including AI models. However, the guidance issued by NCUA only addresses interest rate risk modeling and provides limited details. The report notes that the guidance was also last updated in 2016.

On third-party risk management and oversight authority, the report notes that the FDIC, Federal Reserve, and OCC have the authority to examine certain third-party service providers and undertake corrective measures. However, NCUA does not have this authority.

Report Recommendations

In the report, GAO recommends that Congress grant NCUA authority to examine technology service providers and that NCUA update its model risk management guidance. In response to the GAO recommendation on model risk management guidance, NCUA noted that it "will review contemporary sound practices on model risk management and provide information and clarity to examiners and credit unions." On the recommendation for oversight, the NCUA noted that any such authority should be mindful of potential risks to credit unions and their relationship with vendors due to the generally smaller size of credit unions.

I would recommend reading the report in full. It contains much more in-depth information on the benefits and risks of AI. Ultimately, in the face of a lack of guidance, credit unions will need to make their own decisions regarding AI and their operations. Remember, the future is not set. There is no fate but what we make for ourselves.

Have more questions on AI or other compliance issues? America's Credit Unions members can email the Compliance Team at compliance@americascreditunions.org.

Keith Schostag
Director of Federal Compliance
America's Credit Unions