Regulatory Coverage

High-risk AI systems must implement a risk management system that continuously identifies, analyzes, and evaluates risks throughout the lifecycle.

High-risk AI systems must automatically log events with traceability throughout the system's lifetime.

High-risk AI systems must be sufficiently transparent so users can interpret outputs and use them appropriately.

High-risk AI systems must be designed with human oversight measures enabling detection and intervention when anomalies occur.

High-risk AI systems must achieve appropriate levels of accuracy and be robust against errors, faults, and inconsistencies.

Providers of high-risk AI must implement a quality management system covering the full system lifecycle with documented controls.

Systems must have computer-generated audit trails that record operator actions and changes to electronic records, with time/date stamps.

Additional controls for open systems including document encryption and use of established standards for reliability of data.

Manufacturers must establish documented procedures to control design of the device to ensure specified design requirements are met.

Broker-dealers with market access must establish, document, and maintain risk controls preventing orders that exceed pre-set limits or are erroneous.

Entities must implement controls to monitor system components for anomalies that could indicate malicious acts, natural disasters, or errors.

Entities must evaluate and respond to identified security events to achieve the entity's objectives.

Entities select, develop, and perform ongoing assessments of vendors and business partners, ensuring they meet the entity's controls.

AI system performance and goals are measured, and performance is documented with quantified uncertainty.

The AI risk or impact metrics reflect organizational risk tolerance and include explainability, interpretability, and accountability.

Accountability for AI risk is clear and processes are in place to achieve it throughout the AI lifecycle.

Organizational risk tolerance is set and documented for AI risks, including bias, safety, and security.

The organization shall apply the AI risk assessment process to identify risks associated with AI systems.

The organization shall determine what needs to be monitored, the methods, and when results shall be analyzed and evaluated.

Implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing ePHI.

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, with legal or similarly significant effects.

Personal data shall be processed in a manner that ensures appropriate security of the personal data.

Financial institutions using AI/ML models must ensure models are explainable and outcomes can be understood by stakeholders.

Financial institutions must maintain audit trails for model decisions and ensure models can be audited.

Member firms must establish and maintain a system to supervise the activities of each associated person and automated systems.

Audit logs must capture all individual user access, all actions taken by privileged users, and use of identification and authentication mechanisms.

Businesses using automated decision-making must provide meaningful information about the logic and likely outcomes.

Financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities.

Financial entities shall put in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents.