GenAI in Finance – An Insight into Relevant Data Protection Issues
The discussion around data protection and data security extends to generative artificial intelligence (GenAI), which, despite its innovation potential, brings new challenges to protecting sensitive data. Particularly in highly regulated industries like the financial sector, data protection in the context of GenAI is of crucial importance. This article explains how companies can strategically address data protection issues to position themselves for the future.
Generative Artificial Intelligence in Finance – A Topic for the Board of Directors
Discussions around data protection and security have gained increasing importance in recent years. A new topic with both technological and strategic relevance for companies is coming into focus: data protection in generative artificial intelligence (GenAI). This technology, capable of generating new content such as texts, images, or music, holds enormous potential for innovation and efficiency gains. At the same time, it poses new challenges for companies in protecting sensitive data. This is especially important in highly regulated industries like finance and is critical when using these new tools.
The Board of Directors must address the data protection aspects of GenAI solutions for several good reasons:
- Regulatory Requirements: GenAI solutions must comply with strict data protection regulations like the General Data Protection Regulation (GDPR) and Switzerland's new Data Protection Act (DPA). Additional challenges arise from new regulations such as the EU AI Act.
- Risk Management: GenAI introduces new risks such as cyberattacks or data leaks. The Board must oversee effective risk management and recognize emerging risks like prompt hacking or training with proprietary data.
- Loss of Trust and Reputational Damage: Data protection violations can harm customer and partner trust.
- Ethical Responsibility: The Board must ensure that the technology aligns with the company’s ethical principles, especially in handling personal data.
- Long-term Competitiveness: Responsible data protection can create a competitive advantage by strengthening customer trust.
Overall, data protection in GenAI solutions is a core topic for the Board of Directors, requiring close collaboration between technical, legal, and strategic departments to fully harness the technology's potential and ensure safe data handling.
The financial industry is undergoing a revolution through technologies like GenAI and advanced language models (e.g., GPT-4), which make workflows, collaboration, customer service, and payment processes faster, more secure, and more efficient.
Unique, a leading European startup, offers specialized GenAI solutions for the financial industry that optimize processes and save time through the use of GPT technology. The three key use cases of Unique demonstrate how specific tasks can be handled more efficiently:
- Documentation of Customer Interactions: Unique records customer interactions, transcribes them, and summarizes them, whether they occur in person, online, or by phone. These data are directly integrated into the CRM system, saving an average of 20–30 minutes per customer interaction. This significantly reduces administrative overhead, allowing advisors to spend more time with customers.
- Information Retrieval in Documents: Unique employs the RAG method (retrieval-augmented generation) to extract internal bank information from various sources. The data remain within the bank, and only a semantic fingerprint is stored in an embedded database. This technology accelerates processes and improves quality without sharing internal data externally.
- Analytics for Service and Contact Centers: Unique transcribes recorded phone conversations and analyzes the transcripts, such as call duration and core topics. This feature can be customized to meet specific customer needs, such as automatically populating the CRM after a customer conversation.
Data Protection-Related Issues
The introduction of GenAI in the financial sector brings a range of data protection issues and challenges, particularly under Switzerland’s DPA and the regulations of the Swiss Financial Market Supervisory Authority (FINMA). Additionally, the EU GDPR applies if personal data in Switzerland or personal data of customers in the EU/EFTA is affected. Key considerations in this context are summarized below:
Data Minimization
GenAI systems require large amounts of data to function effectively, which can conflict with data protection principles in the DPA and GDPR. Measures like data minimization, purpose limitation, anonymization, and pseudonymization ensure that only the minimal necessary data are processed.
When using private instances like Microsoft Azure OpenAI Service, data are not stored but only processed in memory, and users can opt out of model training. Principles such as “Privacy by Design” and “Privacy by Default” ensure that data protection measures are integrated and activated by default, protecting user privacy.
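As an added illustration (not Unique's code or the page's own), the pseudonymization step described above applied to a constructed advisor call transcript before it is sent to a GenAI service: direct identifiers are replaced with keyed tokens, the token map stays inside the bank, and the model's summary is re-identified locally before it is written to the CRM. The regex patterns, the key and the sample text are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample transcript (not real customer data): the kind of
# advisor-client interaction the article describes being transcribed and
# summarized before it lands in the CRM.
SAMPLE_TRANSCRIPT = (
    "Advisor: Good morning Ms. Anna Muster, thank you for calling. "
    "Client: I would like to move CHF 5000 from CH93 0076 2011 6238 5295 7 "
    "to my savings account. My email is anna.muster@example.ch."
)

# Pseudonymization key: in practice held in the bank's key store and never
# sent to the GenAI provider. The value here is a placeholder.
PSEUDO_KEY = b"placeholder-key-kept-inside-the-bank"

# Illustrative patterns for direct identifiers the prompt does not need in
# clear text (assumption; a real deployment would use a maintained PII detector).
PATTERNS = {
    "IBAN": re.compile(r"\bCH\d{2}(?: ?\d{4}){4} ?\d\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "NAME": re.compile(r"\b(?:Mr|Ms|Mrs)\.? [A-Z][a-z]+ [A-Z][a-z]+\b"),
}


def _token(kind: str, value: str) -> str:
    """Keyed, deterministic token: the same value yields the same token under a
    given key, but the value cannot be recovered without the key (HMAC)."""
    digest = hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"<{kind}_{digest[:8]}>"


def pseudonymize(text: str) -> tuple[str, dict[str, str]]:
    """Replace direct identifiers with tokens. Returns the minimized text that
    may leave the bank and a token->value map that stays local."""
    mapping: dict[str, str] = {}
    for kind, pattern in PATTERNS.items():
        def repl(m: re.Match) -> str:
            tok = _token(kind, m.group(0))
            mapping[tok] = m.group(0)
            return tok
        text = pattern.sub(repl, text)
    return text, mapping


def reidentify(text: str, mapping: dict[str, str]) -> str:
    """Restore original values in the model's output (e.g. a summary) inside
    the bank's boundary, before it is written to the CRM."""
    for tok, value in mapping.items():
        text = text.replace(tok, value)
    return text


def contains_raw_identifier(text: str) -> bool:
    """Outbound check: a prompt that still matches a pattern must not be sent."""
    return any(p.search(text) for p in PATTERNS.values())
```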
Purpose Limitation and Transparency
Data are used only for clearly defined and legitimate purposes, such as improving services and ensuring service security. Users should be transparently informed about which data are collected and for what purpose, typically through privacy statements and terms of use. The complexity of GenAI can make it harder to understand data usage, so ensuring data are not used for other purposes without consent or legal obligation is critical, particularly in model training. This has caused discussions and reputational risks in the past.
Technical and Organizational Measures
Operating GenAI requires technical and organizational measures to ensure data security and protection, including:
- Encrypting data during transmission and storage to prevent unauthorized access.
- Strictly controlling access to personal data, allowing only authorized personnel.
- Preventing access by large language model providers to prompts and outputs (“opt-out of abuse monitoring”).
- Regularly reviewing and updating data protection practices and security measures to meet legal requirements and best practices.
Data Security
GenAI systems can be vulnerable to cyberattacks, which may lead to data loss or misuse.
To ensure data security when using GenAI in compliance with the DPA and FINMA guidelines, companies must implement robust encryption technologies for data in transit and at rest, enforce strict access controls and authentication mechanisms, and conduct regular security reviews and audits. Additionally, comprehensive employee training and the establishment of an emergency management plan are necessary. These measures minimize the risks of data loss and unauthorized access while ensuring compliance with legal requirements.
Automated Decision-Making
The use of GenAI-based systems must ensure that automated decisions are transparent, traceable, and fair, and that affected individuals can exercise their rights. In sensitive areas involving protected personal data, such systems should only be used with the explicit, voluntary consent of the informed individual. The EU AI Act often categorizes these systems as high-risk, imposing strict requirements for documentation, compliance, and user information.
Data Transfers Abroad
Since GenAI services are often provided by international providers headquartered in the U.S., resulting in data transfers abroad, it is crucial to ensure compliance with Switzerland’s DPA requirements.
This raises the question of how to guarantee that such data transfers meet the DPA or GDPR standards, particularly in ensuring an adequate level of data protection. Two main options are available:
- Certification under the Data Privacy Framework: Determine whether a U.S.-based company is certified under the Data Privacy Framework. This can be checked on the official website of the Data Privacy Framework. The website provides a current and comprehensive database of certified companies.
- Direct Verification: Alternatively, contact the company directly or review its privacy policy on its website.
Excursus: Regulatory Requirements by FINMA
The Swiss Financial Market Supervisory Authority (FINMA) sets specific regulatory frameworks for data processing and risk management that must also be observed when using GenAI.
- FINMA Circular 18/3 "Outsourcing – Banks and Insurers": Formulates requirements for data security and privacy in outsourcing arrangements, applicable to GenAI services provided by third parties.
- FINMA Circular 08/21 "Operational Risks – Banks": Includes requirements for managing operational risks, including IT risks, relevant to IT security, data processing, and ensuring data integrity and availability when using GenAI.
- FINMA Circular 11/2 "Internal Control Systems – Banks": Together with the circulars above, these general regulatory frameworks, based on FINMA’s technology-neutral approach, also apply to GenAI.
Conclusion
GenAI offers immense opportunities for efficiency gains and innovation. At the same time, it poses significant challenges to data protection, which is particularly critical in highly regulated environments like the financial industry. Companies must ensure that GenAI systems comply with the stringent data protection requirements of the DPA and GDPR to meet regulatory obligations and minimize risks such as cyberattacks and data leaks.
The Board of Directors bears a special responsibility: It must monitor compliance with these regulations, ensure effective risk management, and uphold ethical standards. Responsible data handling can not only meet legal and ethical requirements but also strengthen customer trust, providing a competitive advantage. Close collaboration between technical, legal, and strategic departments is essential to harness the full potential of GenAI securely and sustainably.
Authors: Dr. Sina Wulfmeyer, Chief Data Officer, & Mathias Reimer, Senior Legal Counsel, Unique AG (Zurich)