NIST Releases New Framework for Managing AI and Promoting Trustworthy and Responsible Use and Development

On January 26, 2023, the National Institute of Standards and Technology (“NIST”) released the Artificial Intelligence Risk Management Framework (“AI RMF 1.0”), which provides a set of guidelines for organizations that design, develop, deploy or use AI to manage its many risks and promote trustworthy and responsible use and development of AI systems.

The AI RMF 1.0 provides guidance as to how organizations may evaluate AI risks (e.g., intellectual property, bias, privacy and cybersecurity) and trustworthiness. The AI RMF 1.0 outlines the characteristics of trustworthy AI systems, which are valid, reliable, safe, secure, resilient, accountable, transparent, explainable, interpretable, privacy enhanced and fair with their harmful biases managed. It also describes four high-level functions, with associated actions and outcomes to help organizations better understand and manage AI:

  • The Govern function addresses evaluation of AI technologies’ policies, processes and procedures, including their compliance with legal and regulatory requirements and transparent and trustworthy implementation.
  • The Map function provides context for organizations to frame risks relating to AI systems, including AI system impacts and interdependencies.
  • The Measure function uses quantitative, qualitative or mixed-method tools, techniques and methodologies to analyze, benchmark and monitor AI risk and related impacts, including tracking metrics to determine trustworthy characteristics, social impact and human-AI configurations.
  • The Manage function entails allocating risk resources to mapped and measured risks consistent with the Govern function. The Manage function includes determining how to treat risks and develop plans to respond to, recover from and communicate about incidents and events.

NIST released a draft AI Risk Management Framework Playbook to accompany the AI RMF 1.0. NIST plans to release an updated version of the Playbook in the Spring of 2023 and launch a new Trustworthy and Responsible AI Resource Center to help organizations put AI RMF 1.0 into practice. NIST has also provided a Roadmap of its priorities to advance the AI RMF.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved.
For more Technology Legal News, click here to visit the National Law Review.

Chamber of Commerce Challenges CFPB Anti-Bias Focus Concerning AI

At the end of last month, the U.S. Chamber of Commerce, the American Bankers Association and other industry groups (collectively, “Plaintiffs”) filed suit in Texas federal court challenging the Consumer Financial Protection Bureau’s (“CFPB”) update this year to the Unfair, Deceptive, or Abusive Acts or Practices section of its examination manual to include discrimination.  Chamber of Commerce of the United States of America, et al. v. Consumer Financial Protection Bureau, et al., Case No. 6:22-cv-00381 (E.D. Tex.).

By way of background, the Consumer Financial Protection Act, which is Title X of the 2010 Dodd-Frank Act (the “Act”), prohibits providers of consumer financial products or services or a service provider from engaging in any unfair, deceptive or abusive act or practice (“UDAAP”).  The Act also provides the CFPB with rulemaking and enforcement authority to “prevent unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.”  See, e.g., https://files.consumerfinance.gov/f/documents/cfpb_unfair-deceptive-abusive-acts-practices-udaaps_procedures.pdf.  In general, the Act provides that an act or practice is unfair when it causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers, and the injury is not outweighed by countervailing benefits to consumers or to competition.

The CFPB earlier this spring published revised examination guidelines on unfair, deceptive, or abusive acts and practices, or UDAAPs.  Importantly, this set forth a new position from the CFPB, that discrimination in the provision of consumer financial products and services can itself be a UDAAP.  This was a development that was surprising to many providers of financial products and services.  The CFPB also released an updated exam manual that outlined its position regarding how discriminatory conduct may qualify as a UDAAP in consumer finance.  Additionally, the CFPB in May 2022 published a Consumer Financial Protection Circular to remind the public of creditors’ adverse action notice requirements under the Equal Credit Opportunity Act (“ECOA”).  In the view of the CFPB, creditors cannot use technologies (including algorithmic decision making) if it means they are unable to provide required explanations under the ECOA.

In July 2022, the Chamber and others called on the CFPB to rescind the update to the manual.  This included, among other arguments raised in a white paper supporting their position, that in conflating the concepts of “unfairness” and “discrimination,” the CFPB ignores the Act’s text, structure, and legislative history, which discusses “unfairness” and “discrimination” as two separate concepts and defines “unfairness” without mentioning discrimination.

The Complaint filed this fall raises three claims under the Administrative Procedure Act (“APA”) in relation to the updated manual as well as others.  The Complaint contends that ultimately it is consumers that will suffer as a result of the CFPB’s new position, as “[t]hese amendments to the manual harm Plaintiffs’ members by imposing heavy compliance costs that are ultimately passed down to consumers in the form of higher prices and reduced access to products.”

The litigation process started by Plaintiffs in this case will be time consuming (a response to the Complaint is not expected from Defendants until December).  In the meantime, entities in the financial sector should be cognizant of the CFPB’s new approach and ensure that their compliance practices appropriately mitigate risk, including in relation to algorithmic decision making and AI.  As always, we will keep you up to date with the latest news on this litigation.


© Copyright 2022 Squire Patton Boggs (US) LLP

White House Office of Science and Technology Policy Releases “Blueprint for an AI Bill of Rights”

On October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) unveiled its Blueprint for an AI Bill of Rights, a non-binding set of guidelines for the design, development, and deployment of artificial intelligence (AI) systems.

The Blueprint comprises five key principles:

  1. The first Principle is to protect individuals from unsafe or ineffective AI systems, and encourages consultation with diverse communities, stakeholders and experts in developing and deploying AI systems, as well as rigorous pre-deployment testing, risk identification and mitigation, and ongoing monitoring of AI systems.

  2. The second Principle seeks to establish safeguards against discriminatory results stemming from the use of algorithmic decision-making, and encourages developers of AI systems to take proactive measures to protect individuals and communities from discrimination, including through equity assessments and algorithmic impact assessments in the design and deployment stages.

  3. The third Principle advocates for building privacy protections into AI systems by default, and encourages AI systems to respect individuals’ decisions regarding the collection, use, access, transfer and deletion of personal information where possible (and where not possible, use default privacy by design safeguards).

  4. The fourth Principle emphasizes the importance of notice and transparency, and encourages developers of AI systems to provide a plain language description of how the system functions and the role of automation in the system, as well as when an algorithmic system is used to make a decision impacting an individual (including when the automated system is not the sole input determining the decision).

  5. The fifth Principle encourages the development of opt-out mechanisms that provide individuals with the option to access a human decisionmaker as an alternative to the use of an AI system.

In 2019, the European Commission published a similar set of automated systems governance principles, called the Ethics Guidelines for Trustworthy AI. The European Parliament currently is in the process of drafting the EU Artificial Intelligence Act, a legally enforceable adaptation of the Commission’s Ethics Guidelines. The current draft of the EU Artificial Intelligence Act requires developers of open-source AI systems to adhere to detailed guidelines on cybersecurity, accuracy, transparency, and data governance, and provides for a private right of action.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.