Published Documents

Financial Sector Artificial Intelligence Executive Oversight Group Deliverables

The use of Artificial Intelligence (AI) and Generative AI (GenAI) offers tremendous opportunities within the financial sector, including improving service delivery to customers and clients, strengthening fraud detection, increasing the security of firms themselves, and creating innovative products to grow the economy. Simultaneously, AI is also being used by nefarious actors to perpetrate fraud and weaken firms’ security defenses. As AI continues to take hold, it is critical that financial institutions (FIs) use AI appropriately to maximize the positive impacts of this technology for their clients and customers, while also mitigating the risk of AI use by adversaries. To better understand and address these dynamic concerns, in late 2024, the Financial Services Sector Coordinating Council (FSSCC) and the U.S. Department of the Treasury, in collaboration with the Finance and Banking Information Infrastructure Committee (FBIIC), established the AI Executive Oversight Group (AIEOG).

A U.S. Treasury press release on the overall effort can be found under the title “Treasury Announces Public-Private Initiative to Strengthen Cybersecurity and Risk Management for AI” on the U.S. Department of the Treasury website.

This effort initiated six workstreams to develop deliverables in partnership with industry and federal and state regulatory partners to enable secure and resilient AI across the U.S. financial system. Together, participants focused on addressing identified gaps in the financial sector’s use of AI, developing practical tools that financial institutions can use to manage AI-specific cybersecurity risks while unleashing innovation.

To aid financial sector firms’ ability to share information about this suite of AI-focused deliverables, the FSSCC created the Financial Sector AI Deliverable Reference and Application Guide. This document provides an overview of all the key workstreams and their deliverables listed below, including their individual intended audiences, in one easily shareable document.

  • AI Lexicon defines key AI-related terms based on definitions from various industry standards and government resources, with the goal of improving sector communications on aspects ranging from risk management to contract negotiation. Participants from FBIIC member federal agencies and FSSCC member firms collaborated with U.S. Treasury on the development of this AI Lexicon, which includes common risk management and technical terminology with a focus on frequently used terms that have a specific meaning in the context of AI use in the financial sector.
  • Financial Services AI Risk Management Framework (FS AI RMF) authored collectively by the FSSCC FS AI RMF Workstream and the Cyber Risk Institute (CRI), is an operationalization of the National Institute of Standards and Technology's (NIST) AI RMF specifically tailored for financial services. The FS AI RMF consists of four primary deliverables—an AI Adoption Stage Questionnaire, a Risk and Control Matrix, a User Guidebook, and a Control Objective Reference Guide. It is designed as a complement rather than a replacement to existing frameworks and provides a scalable and adaptable approach tailored specifically for the financial services environment. Organizations can utilize the FS AI RMF to design and conduct their own assessments, address gaps, prioritize mitigation efforts, and develop a more resilient control posture across various stages of AI adoption. The suite of resources for the FS AI RMF can be found on the CRI webpage located here.
  • The Identity and Authentication deliverables, authored collectively by the FSSCC Identity and Authentication Workstream, the American Bankers Association (ABA) and the Better Identity Coalition, focus on “Mitigating AI-Powered Attacks Against Identity and Authentication” and associated “Recommendations for Policy Makers.” The primary deliverable outlines three primary attack vectors (deepfake-driven social engineering and impersonation, synthetic identity creation, and AI agents as attack surrogates) comprising ten specific tactics that threaten identity and authentication systems, together with mitigation strategies for each. The paper also includes a maturity model for identity controls to combat malicious use of Gen AI, laying out high-level technologies, ideas, and frameworks that financial institutions can work toward to mitigate Gen AI-powered attacks.

    The accompanying policy recommendations deliverable outlines twenty distinct actions for policymakers – spread across four key initiatives – that would collectively help FIs defend against current and emerging attacks powered by Gen AI that target FI identity and authentication systems.
  • The Explainability deliverable, “AI and Explainability in Finance: Explainability Challenges, Practices and Recommendations,” was authored collectively by the FSSCC Explainability Workstream and the Bank Policy Institute (BPI). This deliverable references various aspects of traditional AI but focuses more intentionally on Gen AI, underscoring the need for continuing collaboration across the sector, with regulators and third-party providers, on how financial institutions can fulfill the core objectives of explainability. It also includes steps firms should consider to deliver intended and trustworthy outputs, utilize tools effectively, and apply guidance to enhance explainable AI and ensure transparency. It is a practical resource for non-technical audiences, line of business owners and technology teams to reference as they develop, implement, and support AI capabilities.
  • The Data Nutrition Labeling (DNL) deliverable, authored collectively by the FSSCC Data Nutrition Labeling Workstream and PNC Financial Services, recommends a structured approach for the evaluation of data quality as it relates to AI solutions in the financial sector, to support increased transparency and trust in the use of AI, and ensure alignment with state, federal, and international regulatory standards and guidance.  
  • The AI Enhanced Fraud deliverable, authored collectively by the FSSCC AI Enhanced Fraud Workstream, the American Bankers Association (ABA), the Bank Policy Institute (BPI), and the Financial Services Information Sharing and Analysis Center (FS-ISAC), provides information on the AI fraud attack landscape; details on what education and awareness programs should look like to counter these trends; incident response and operational reporting considerations, including how to respond to deepfakes; controls and technology responses; and a summary of how the ecosystem and sector are coming together to combat these issues. It is intended to empower consumers through continuous education, design operations and communications to anticipate deception, modernize incident response to include consumer-initiated fraud events, and evolve technology strategies to detect and disrupt these scams earlier in the engagement cycle.

The latest AIEOG documents exemplify the financial sector's collaborative efforts with public partners to responsibly integrate technology and manage third-party service providers. These most recent documents add to the suite of prior guidance from the Cloud Executive Steering Group on the secure integration of cloud technology. Key resources that may be helpful to financial institutions still migrating to the cloud can be found at https://fsscc.org/fsscc-cesg-cloud-group-deliverables/.

Highlighted Resources

Cyber Storm 2020 After-Action Report
On August 10-14, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) conducted Cyber Storm 2020 (CS 2020), the seventh iteration of the national capstone cyber exercise that brings together the public and private sectors to simulate response to a cyber crisis impacting the Nation’s critical infrastructure.

Cybersecurity Profile
The FSSCC Cybersecurity Profile is now managed, updated, and maintained by the Cyber Risk Institute (CRI).

Automated Cybersecurity Assessment Tool
The Automated Cybersecurity Assessment Tool provides all members of the financial services industry with an outline of the guidance and a means to collect and score their responses to the Assessment questions.

Business Services Resilience and Restoration
This white paper defines key terms used in discussions related to operational resilience, business continuity/disaster recovery, and business restoration.