The EU’s Artificial Intelligence Act, focusing on harmonized rules for AI, might present significant changes for the financial sector operating in the European Union. This article analyzes the potential future impact of this regulatory development for Alternative Investment Fund Managers (AIFMs) in Luxembourg, the necessary controls, and the challenges compliance officers are likely to face.
The Act classifies risk levels as unacceptable risk, high risk, or limited risk and introduces a risk-based approach to AI regulation and controls.
The AI Act framework not only bans AI systems that pose severe threats to individuals, such as those involved in behavioral manipulation or social scoring (unacceptable risk), but also places particular emphasis on high-risk systems and establishes stringent requirements for them. This is where the main impact may lie for AIFMs and for compliance officers in general.
Typically, an AIFM in Luxembourg might develop and rely on internal AI systems or, alternatively, outsource services to third-party providers (such as Investment Manager and/or Transfer Agent activities using AI technologies), and the impact of the AI Act on the AIFM itself becomes more complex.
In line with the delegation principle stated in CSSF Circular 18/698, the AIFM will be fully responsible for ensuring that these delegated external entities fully comply with the Act, particularly when they rely on AI systems classified as high-risk. This requires enhanced due diligence processes on an initial, periodic, and ongoing basis, in which the AIFM assesses and continually monitors the third party’s AI systems for compliance with the AI Act’s stringent requirements, given that the AIFM remains ultimately responsible for any AI-driven decisions or actions taken by its delegates.
The AI Act defines high-risk AI systems as those AI technologies that pose significant risks to the health and safety or fundamental rights of individuals. The classification depends not only on the technology but also on its use, context, and potential impact. As previously mentioned, the AI Act enforces strict compliance requirements for high-risk AI systems to ensure they operate ethically, transparently, and safely.
Compliance officers must therefore extend their focus to ensuring that external partnerships and delegated functions align with the EU’s new regulatory standards.
Consequently, during the initial due diligence stage, the AIFM and compliance officers will need to focus on determining whether an AI system is classified as high-risk under the AI Act and providing the rationale behind this classification, gaining a clear understanding of the specific actions taken by the third party/delegate to comply with the AI Act, and assessing how the third party manages data privacy and security and addresses potential biases or ethical concerns in its AI systems. They must also provide a clear explanation for this classification or, alternatively, the reasons why a specific AI tool has not been designated as high-risk.
Compliance officers would need to deploy risk assessment tools for evaluating and categorizing AI systems, focusing particularly on those that pose significant risks. They must ensure that AI systems, especially high-risk ones, have technical documentation, including details about their development process and continuous monitoring practices.
Support can be obtained by updating the Due Diligence Questionnaire and its subsequent revisions. In updating the due diligence questionnaire for AIFMs in Luxembourg, specific inquiries should focus on the AI system’s classification under the AI Act, including its designation as high-risk and the underlying reasons. The revised questionnaire must inquire into the third party’s measures for AI Act compliance, particularly in data governance and ethical AI development. It should also seek details about the third party’s process for monitoring AI system performance, addressing biases, and ensuring transparency in AI-driven decisions. Furthermore, the questionnaire should include queries about incident response strategies and the third party’s adherence to technical documentation standards as required by the AI Act.
In addition to these measures, examining the third party’s procedures for identifying and mitigating risks associated with their AI systems is essential. This includes both operational and decision-making risks. Monitoring and reporting mechanisms and escalation measures must also be evaluated to ensure the third party’s AI systems perform effectively and any compliance issues are reported in a timely manner.
Where We Stand Today:
On December 9, 2023, an agreement on the AI Act was reached between the European Parliament and the Council. The agreed text will go through formal adoption by both bodies, which is necessary for the text to become enforceable as EU law.
Given that the AI Act’s text is still awaiting formal adoption by both the European Parliament and Council to become EU law, the status of Luxembourg’s approval or implementation remains pending. This uncertainty necessitates a vigilant approach from AIFMs in Luxembourg to prepare for the Act’s eventual implementation. Ensuring a thorough assessment of third-party AI systems in alignment with the AI Act’s requirements will be crucial in navigating this new regulatory landscape.
If you have read this far, it means that you potentially enjoyed this article. I personally thank you and I invite you to subscribe to the newsletter. Also, feel free to get in contact and suggest any particular topic for the next release.
The views and opinions expressed in this article are my own and do not reflect the official policy, position, or opinions of any financial institution, or other organization.
The content of this article is based on personal research of the author and understanding of AML (Anti-Money Laundering) and compliance topics.
I am Diego Ofano, a Compliance and Anti-Money Laundering professional based in Luxembourg. I serve as Conducting Officer and RC/MLRO for a financial institution, overseeing regulatory compliance for EU-domiciled funds. My responsibilities include AML/CFT frameworks, due diligence, regulatory advisory, and training. I regularly deal with complex regulatory and operational matters, with a focus on pragmatic and risk-based solutions in the investment funds industry.
I hold a Law Degree from the University of Bologna, a Master in European Business from ESCP, and certifications like CAMS, keeping me current in compliance and technology.