Executive Letter: Be Aware of AI Used by Your Third-Party Vendors
By Rose Oswald Poels
Banks have long had the ability to utilize the services of third-party vendors to assist in daily operations. Such use provides many efficiencies for the bank and often additional services for customers. However, banks must remain diligent in the overall management of a third party, as the use of a third party does not reduce the bank’s responsibility to follow state and federal laws and regulations, or to operate in a safe and sound manner. To assist with the management of third parties, the agencies have issued interagency guidance (recently updated in 2023) and have provided a guide for community banks of third-party risk management.
Oversight of third-party vendors is particularly crucial for any area in which there may be bias for discrimination, including in real estate evaluations or appraisals, for credit underwriting or other loan qualification or approval programs, and for marketing and advertising. An additional layer of risk can arise for the bank when artificial intelligence (AI) is used by a third party in these settings given the concerns by regulators of discrimination within AI logic. The FDIC, OCC, FRB, and CFPB have each been clear that banks are the parties responsible to ensure AI used complies with law.
This week, I have learned that in recent FDIC examinations banks have been scrutinized for not being aware of the use of AI by their third parties. Awareness is critically important to the bank for proper risk management of the third party, especially if AI is used in any area in which there may be bias for discrimination. As the use of AI continues to rise, banks must remain aware of any use of AI by their third parties. Identifying and monitoring how third-parties utilize AI will better assist banks in managing risk of their third-party relationships. Should an examiner determine a bank’s third-party AI tool violated a compliance or other consumer-protection law, the bank will most likely be cited for the violation given that banks are responsible for the actions or inactions of their third parties.
While on the topic of automation, I also wanted to remind banks to review their use of any chatbot on their website to ensure questions submitted via the tool are being answered correctly and timely. Regulator expectation is that any answer provided by the chatbot be accurate and timely. More complex or nuanced customer questions likely need to be answered by bank staff rather than by the chatbot AI.
This article is not intended to deter the use of AI since it can be used in many helpful ways. After recently learning, though, that bankers were unable to answer during examinations whether AI is even being used by their third-party vendors, or unable to explain how it is used by third-party vendors, I thought this reminder would be timely. If you have questions on vendor management issues, you may contact WBA’s Legal Team at wbalegal@wisbank.com.