Financial regulatory developments on big data & advanced analytics in the EU
Xu Zhu - University of Bremen
At the Machine Lawyering Conference 2021, I presented my recent paper, "Big Data and
Advanced Analytics in the context of the European Financial Regulation". In this paper, I
analyzed the current supervisory implications of advanced analytics applications in the European
financial sector on the basis of existing publications of the European financial supervisory
authorities. In particular, the paper discusses the current development in the regulation of advanced
analytics applications in the EU as well as the related topics in the focus of banking supervision.
The paper points out that Big Data and Advanced Analytics (BD&AA) and the related opportunities
and risks for financial institutions have increasingly moved into the focus of the financial
supervisory authorities of the EU. However, the European banking supervisory authorities
are currently only in the phase of examining the effects of BD&AA on financial institutions and
analyzing whether existing regulations are sufficient or need to be adjusted in order to adequately
address the risks from the use of BD&AA. The publications of the financial supervisory
authorities of the EU concerning BD&AA also indicate that a regulatory framework specifically for
BD&AA is still premature at this point in time.
Moreover, my paper describes the issues relating to BD&AA that are in supervisory focus
according to the EBA-report. These issues include explainability and interpretability, security of
data and machine learning models, data quality and data protection.
In terms of explainability and interpretability, the paper argues that the explainability and
interpretability of the machine learning models are a key issue for the European financial
supervisory authorities. The European financial supervisory authorities apply the principle that the
management of a financial institution is responsible for the "proper business organization". A proper
business organization also means that decisions based on the application of BD&AA must be
understandable and explainable to third parties. The need for explainability and interpretability is
even higher when BD&AA-based decisions have a direct impact on consumers. In sum, the
explainability and integrability of BD&AA models represent a focus for the financial supervisory
authorities when it comes to assessing and addressing the possible risks from the use of the
BD&AA. However, the financial supervisory authorities are still at an early stage to derive specific
supervisory requirements from these risks.
The paper also highlighted the security of data and models as a further topic in supervisory focus,
In this context, the EBA-report recommends banks to identify the protection requirements and to
implement appropriate IT security measures for BD&AA applications. According to the EBA, these
security measures can be implemented both as part of the superordinate information security
management system or as part of a security management system specially set up for BD&AA.
Overall, the financial supervisory authorities in the EU have identified a special and growing threat
to information security in BD&AA.
Furthermore, the paper describes data quality as another important issue for supervisors, as the
results of machine learning models are only valid if the input data has a good quality. Therefore, the
EBA-report recommends the banks to identify the data quality risks in BD&AA and integrate them
into the risk management.
Last but not least, the paper also examines data protection as an issue in supervisory
foucs, as the EBA-report requires banks to comply with the requirements of the EU General
Data Protection Regulation (GDPR) during the entire life cycle of their BD&AA applications.
Although issues relating to data protection in financial institutions in the EU fall primarily within
the competence of data protection authorities, data protection issues of financial institutions could
become relevant for the financial supervisory authorities, as possible shortcomings in the
business organization can also be derived from the deficiencies in the data protection.
Finally, the paper concludes that more regulatory steps concerning the use of BD&AA in the
financial sector can be expected in the EU in the near future, as BD&AA has increasingly become
more important for financial institutions in the EU.