European regulation on artificial intelligence

The first steps

(Translated by DeepL)

After more than three years of legislative gestation, the European regulation on artificial intelligence has finally been published in the Official Journal. It is directly applicable to all EU Member States, without the need for transposition into national law. There are transitional arrangements for certain players and requirements.

The Regulation represents the first regulatory framework to apply generally to artificial intelligence systems (AIS), as defined below. This regulation marks a major turning point, also for Swiss financial services providers. On the one hand, the regulation has extraterritorial scope, and on the other, it could serve as a source of inspiration beyond the borders of the European Union. Although it is still too early to determine whether the Regulation will become a new ‘international standard’ (as the GDPR has been), it is likely to have an impact in Switzerland.

The Regulation adopts a risk-based approach applying to both AIS and general purpose AI models (GPAIM).

It divides AIS into four categories: (i) AIS presenting an unacceptable risk (art. 5), (ii) AIS presenting a high risk (art. 6), (iii) AIS presenting a limited risk (art. 50) and (iv) AIS presenting a minimal risk.

For the first category, the regulation prohibits AI practices such as ‘social credit’ systems (in short, the evaluation of natural persons over a certain period of time on the basis of their known, inferred or predicted social behaviour or personal characteristics) or real-time biometric surveillance.

The second category covers, in particular, AIS used to assess the creditworthiness of individuals (credit scoring, see cdbf.ch/1316/ in relation to the GDPR). For these systems, providers and deployers must comply with extensive technical and organisational requirements (the definition of provider and deployer is discussed below). Each high-risk AIS must comply with the requirements imposed by the Regulation before being put into service on the European market. These requirements must be met not only during the authorisation procedure before the competent national authority, but also throughout the life cycle of the AIS.

The third category covers AIS that are neither prohibited nor present a high risk under the Regulation, but to which certain transparency obligations apply.

Finally, the last category covers AI applications used in video games or spam filters and for which the Regulation does not lay down any specific regulatory requirements.

In the presence of a GPAIM, it is necessary to examine whether the model presents a systemic risk that could have a significant impact on the European market due to its scope, or actual or reasonably foreseeable negative effects on public health, public security, fundamental rights or society as a whole, which could spread throughout the value chain (art. 51).

A. Material scope of application

As already mentioned, the Regulation applies to AIS and GPAIM. The addition of GPAIM during the adoption of the Regulation creates practical challenges for the coordination of the rules applicable to AIS and GPAIM. In this context, the question will also arise as to whether GPAIM is a sub-category of AIS, in which case the provider will have to assess whether its model presents an unacceptable, high or limited risk.

The regulation defines an AIS as a “machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments” (art. 3 ch. 1). It is clear from this definition that AIS generate results that can influence physical or virtual environments. In addition, they must possess a certain degree of autonomy and adaptability. These elements mean that systems based on pure “if-then” logic are excluded from the definition, in favour of those that seek to detect a pattern in the input that can be compared with those in a training data set.

The definition of GPAIMs is even broader than that of AIS. An AI model becomes a GPAIM if it “displays significant generality” and is “capable of competently performing a wide range of distinct tasks” (art. 3 ch. 63). These clarifications implicitly refer to so-called general AI, as opposed to so-called weak AI, which is limited to performing specific tasks. GPAIMs are regulated less strictly than AIS and are the subject of a separate section of the regulation, since they were not included until after the European Commission’s first draft (see cdbf.ch/1181/). ChatGPT is an example of a GPAIM.

B. Personal scope

The personal scope of the regulation is based on a distinction between those who offer systems based on artificial intelligence (providers, art. 3 ch. 3) and those who use them for commercial purposes (deployers, art. 3 ch. 4):

  • A provider is anyone who develops or makes available on the EU market an AIS, whether acting on a paid or unpaid basis. A provider must be clearly identified because he bears primary responsibility for compliance. The concept of a provider includes companies that substantially modify an AIS or use AIS in an unintended way, transforming it into a high-risk AIS.
  • Deployers are commercial users of AIS, who operate these systems under their own authority. This excludes personal use in a non-business context.

The regulation also lays down obligations for importers and distributors, it being specified that the latter may also qualify as providers in certain cases.

C. Territorial scope

The Regulation has a broad territorial scope, covering not only actors within the EU, but also those outside if their AIS affects people in the EU or if results generated by AIS located outside the EU are used in the EU (art. 2). The aim of the European legislator was to prevent regulatory circumventions by activities outside the EU that would have an influence on the European internal market. As a result, the regulation can also be applied extraterritorially.

Swiss companies must pay particular attention to transparency and compliance obligations if their activities or products incorporating artificial intelligence affect users within the EU. Even without being directly active on the EU market, these companies could be subject to the Regulation, for example if the output of their AIS is intentionally used in the EU.

D. Conclusion

The Regulation lays the foundations for a new regulatory framework to be explored. It is important for Swiss financial services providers in several respects: (i) some of these providers have a presence in the EU to which the new rules will apply, (ii) some of the Regulation’s provisions have extraterritorial scope and (iii) this Regulation is one of the regulatory approaches that DETEC will no doubt draw on in response to the Federal Council’s mandate to present “possible regulatory approaches to artificial intelligence” by the end of 2024. It should also be noted that artificial intelligence has made its appearance in FINMA’s Risk Monitoring 2023.

The European AI Regulation will have major implications for the financial industry. The Centre for Banking and Financial Law will publish a series of commentaries on this subject. In addition, this topic will be the subject of a presentation at the Journée 2024 de droit bancaire et financier.