Artificial Intelligence (AI) continues to transform financial services, delivering efficiency, innovation, and competitive advantage. Firms are seeing opportunities in numerous, including using AI tools to accelerate vendor onboarding and more efficiently verify vendor due diligence responses. Yet, as adoption accelerates, so do concerns around risk, particularly in areas like data governance, vendor oversight, and reputational exposure.

Our interactions with senior leaders in the financial services sector, including CIOs, CROs, Heads of Risk, and in-house counsel have highlighted the growing complexity of managing AI tools and the critical questions that teams are grappling with.

Top Questions and Challenges Keeping Financial Services Leaders Awake at Night

1. Data Governance
   • Both financial institutions and their data vendors face uncertainty around where data goes, how it’s processed, and who ultimately controls it, particularly as data flows multiply and third-party AI integrations deepen.
   • How will a firm’s data be used by AI vendors? Who has access, and where is it hosted? Vendors are also concerned to understand how their data will be used by firms to augment their own in-house AI tools.
2. Stealth AI Usage
   • Vendors may introduce AI capabilities post-contract, creating unacknowledged dependencies, functionality and risk. Is AI being introduced quietly, either by vendors embedding new functionality into existing tools without disclosure, or by employees using “shadow AI” solutions outside approved governance frameworks?
3. Tool Criticality
   • Tools procured for limited or non-core use can become essential infrastructure, often without corresponding contract or control updates.
   • How can firms manage risk when a “non-critical” tool becomes mission-critical over time? Do current contracts allow sufficient auditability and assurance as system criticality evolves?
4. Reputational Risk
   • What frameworks exist to quantify and mitigate reputational damage linked to AI decisions, particularly those affecting retail customers? Can the firm demonstrate a clear audit trail of risk acceptance and management decisions?
   • Reputational risk remains one of the most difficult exposures to measure. Loss of customer trust, brand damage, and share-price movement can be difficult to quantify and may, in some cases, take months to surface.
5. Regulatory Guidance
   • With no unified standards across financial services, there is a lack of confidence in some quarters about how what governance frameworks are required, whether they are sufficient, and what sanctions might follow if they are deemed insufficient.
   • Should financial regulators move toward more prescriptive rules on AI governance, rather than today’s largely principles-based approach?

Key Takeaways for Managing AI Risk

• Understand the AI: Risk management starts with understanding both the functionality and the outcomes of AI tools. Some firms now require risks to be quantified (which is not always straightforward) in terms of potential financial impact, lost business, remediation costs or share-price effect. Effective risk management must address the risks associated with the particular AI, especially given the wide range of use cases and applications being deployed by firms.
• Context Matters: From reputational damage to data protection and regulatory lag, understanding the types of risks faced by different financial institutions is essential for effective risk management. For example commercial banks, retail banks and investment banks will each have their own risk profile, challenges and compliance requirements.
• Criticality is Key: The determination of an AI tool’s criticality has a large impact on its risk management. A tool seen that is considered to have high criticality will require higher standards of risk management, in many cases this can include always having a human-in-the-loop. This is a particularly relevant consideration in the context of the EU DORA regulation.
• Leadership & Documentation: Senior management and board-level engagement are essential for action and accountability. There need to be appropriate risk management forums to reach decisions on AI risk. And those risk decisions, particularly where opinions differ, must be clearly documented with rationale and approval trails.
• Cross-Functional Oversight: AI and third-party risk cannot sit in silos. Cross-functional accountability for third party vendors and sub-contractors is crucial for a collaborative approach to handling AI risks. Functions including procurement, legal, technology, risk, compliance and business teams must all share accountability for assurance.
• Cultural Integration: AI risk management should be embedded into the firm’s culture, not treated as an afterthought or a compliance “tick-box”.

Legal and Regulatory Considerations

While not solely a legal challenge or responsibility, there are practical steps that legal, compliance and risk teams can take to mitigate third-party AI risk through appropriate due diligence and contractual protection.

• Contractual audit rights must be explicit and adaptable to current and future AI functionality.
• Data use and licence clauses require rethinking in light of dynamic, machine-learning-based processing.
• Liability and indemnity provisions need to reflect emerging risks created by AI models and their training data.
• Regulatory alignment is essential, especially as UK, EU, and US frameworks evolve and diverge in scope and requirements.

Final Thoughts

As AI becomes more deeply embedded in financial services, firms must proactively address risk through governance, transparency, and cross-functional collaboration. The stakes are high, but so is the opportunity.

Firms should act now to:

• Map AI usage across all third parties and business units.
• Establish cross-functional governance committees for AI oversight.
• Review and update contracts to ensure ongoing transparency, auditability, and adaptability.

Contact us to learn how our team can support your legal AI strategy and risk management needs.