On May 13, 2022, the US Office of the Comptroller of the
Currency (“OCC”) outlined some of the supervisory
expectations for how the banks it regulates should manage risks
associated with artificial intelligence (“AI”), including
machine learning.[1] Notably, the outline identifies
parts of the agency’s comprehensive guidance on risk management
that are relevant to machine learning activities and explains
aspects of how the agency intends to supervise machine learning
technology. In this Legal Update, we discuss some of the key risks
associated with AI and the supervisory expectations in the
OCC’s recent outline.

The outline of supervisory expectations for machine learning was
issued as part of testimony before Congress. In May 2022, Deputy
Comptroller for Operational Risk Kevin Greenfield testified before
the Task Force on Artificial Intelligence of the House Committee on
Financial Services.[2] Mr. Greenfield is well known
in the financial services community as an expert on risk management
practices and has served in various leadership roles at the OCC
since 2014. His testimony on AI included a 16-page written
statement describing the OCC’s views on AI, key risks that are
implicated by AI and some of the agency’s supervisory
expectations for the banks that it regulates.

The outline identifies four key risks associated with AI.
1. Explainability. Explainability refers
to the extent that a bank’s personnel understand and can
explain the outcomes of its AI processes. Explainability is a risk
associated with using AI because a failure to understand an AI
process or outcome could result in the bank acting in a way that
harms its customers or fails to comply with consumer protection
requirements. Relatedly, a lack of explainability means that a bank
may be unable to apply model risk management practices to an AI
process or technology, which could impair safety and soundness.
2. Data Management. Data management and
governance refers to the risk that poor quality data or data that
is not managed effectively by a bank may be used by an AI process
in a way that results in incorrect predictions or outcomes
containing illegal bias.
3. Privacy and Security. Consumer privacy
and data security is the risk that an AI process may expose
sensitive consumer data to compromise. Further, some uses of AI may
implicate restrictions on processing certain types of consumer
4. Third-Party Providers. Many AI
technologies rely on third-party providers for development or
implementation. These third parties may pose a risk to a bank’s
operations and use of AI depending on the criticality of the
technology or the service being provided by the third party.

The outline identifies five key supervisory expectations that
the OCC has for banks that use AI:
1. Risk and Compliance Management
Programs. The OCC expects a bank to have well-designed
risk management and compliance management programs that cover the
use of AI. These programs generally should include controls for
monitoring AI process outcomes to identify unwarranted risks or
violations of consumer protection laws, including fair lending.
Further, larger banks should be cognizant of the more extensive
risk management requirements that apply under the OCC’s
heightened standards and be prepared to adjust their risk
governance and management practices as appropriate when introducing
or altering AI activities.
2. Model Risk Management. The OCC has
extensive supervisory guidance around a bank’s use of models
(including for anti-money laundering compliance). Many AI processes
would be viewed as models by the OCC under its existing guidance.
Effective model risk management practices can include appropriate
due diligence and risk assessment, sufficient and qualified
staffing, governance and controls. These practices will be assessed
by examiners using comprehensive procedures and may be subject to
3. Third-Party Risk Management. The OCC
expects banks to have an effective third-party risk management
program that includes robust due diligence, effective contract
management and ongoing oversight of third parties. For AI, this
typically means that a bank should have controls over the
acquisition and use of the technology and should monitor the third
party’s performance over time.
4. New and Modified Products Principles.
The OCC expects banks to establish appropriate risk management
processes for reviewing and approving new and modified activities,
including AI activities. Banks should consider if they have
assessed and understand the risks associated with any new and
modified AI activities and determined that the activities align
with a bank’s overall business plans and strategies.
5. Responsible Use of Alternative Data.
The OCC expects banks to manage the consumer protection
implications of using alternative data in underwriting, including
in underwriting activities that employ AI.[3] This
often is done through an analysis of relevant consumer protection
requirements prior to implementing an AI technology.

The OCC’s outline of key supervisory expectations for banks
to satisfy when using AI may not be as daunting as it first
appears. The expectations generally are based on prior OCC
issuances and will be assessed through the OCC’s risk-focused
examination process. Therefore, it may be better to view the
OCC’s outline as a prioritized list of the expectations that it
will most closely look at during examinations. Viewed through this
lens, the outline can be a tool that banks use to allocate their
limited compliance resources to the areas of greatest regulatory

More broadly, the federal banking regulators have been actively
engaged on AI issues for several years, including through the
issuance of a request for information from the industry in early
2021.[4] The OCC notes in the outline that the agency
is continuing to engage with the other regulators to determine next
steps, including potentially issuing recommendations on the use of
AI by banks. Hopefully, the agencies also will engage with banks to
ensure that any guidance the agencies issue incorporates the many
insights that the industry is constantly developing as it uses
machine learning and AI in new and innovative ways.

1. Press Release, Deputy Comptroller
Testifies on Artificial Intelligence (May 13,
The OCC regulates national banks, federal savings associations, and
federal branches and agencies of foreign banking
2. Task Force on Artificial
Intelligence, Keeping Up with the Codes – Using AI for
Effective RegTech (May 13, 2022), https://financialservices.house.gov/events/eventsingle.aspx?EventID=409378.
3. See our Legal Update on a recent outline from the
Consumer Financial Protection Bureau that addresses algorithmic
bias in automated valuation models: https://www.mayerbrown.com/en/perspectives-events/publications/2022/03/cfpb-publishes-proposals-to-prevent-algorithmic-bias-in-avms.
4. Please see our Legal Update on the 2021 request
for information: https://www.mayerbrown.com/en/perspectives-events/publications/2021/04/rfi-on-financial-institutions-use-of-ai-provides-opportunity-to-shape-future-regulatory-framework.