Xu Zhu - University of Bremen

At the Machine Lawyering Conference 2021, I presented my recent paper, "Big Data and

Advanced Analytics in the context of the European Financial Regulation". In this paper, I

analyzed the current supervisory implications of advanced analytics applications in the European

financial sector on the basis of existing publications of the European financial supervisory

authorities. In particular, the paper discusses the current development in the regulation of advanced

analytics applications in the EU as well as the related topics in the focus of banking supervision.

The paper points out that Big Data and Advanced Analytics (BD&AA) and the related opportunities

and risks for financial institutions have increasingly moved into the focus of the financial

supervisory authorities of the EU. However, the European banking supervisory authorities

are currently only in the phase of examining the effects of BD&AA on financial institutions and

analyzing whether existing regulations are sufficient or need to be adjusted in order to adequately

address the risks from the use of BD&AA. The publications of the financial supervisory

authorities of the EU concerning BD&AA also indicate that a regulatory framework specifically for

BD&AA is still premature at this point in time.

Moreover, my paper describes the issues relating to BD&AA that are in supervisory focus

according to the EBA-report. These issues include explainability and interpretability, security of

data and machine learning models, data quality and data protection.

In terms of explainability and interpretability, the paper argues that the explainability and

interpretability of the machine learning models are a key issue for the European financial

supervisory authorities. The European financial supervisory authorities apply the principle that the

management of a financial institution is responsible for the "proper business organization". A proper

business organization also means that decisions based on the application of BD&AA must be

understandable and explainable to third parties. The need for explainability and interpretability is

even higher when BD&AA-based decisions have a direct impact on consumers. In sum, the

explainability and integrability of BD&AA models represent a focus for the financial supervisory

authorities when it comes to assessing and addressing the possible risks from the use of the

BD&AA. However, the financial supervisory authorities are still at an early stage to derive specific

supervisory requirements from these risks.

The paper also highlighted the security of data and models as a further topic in supervisory focus,

In this context, the EBA-report recommends banks to identify the protection requirements and to

implement appropriate IT security measures for BD&AA applications. According to the EBA, these

security measures can be implemented both as part of the superordinate information security

management system or as part of a security management system specially set up for BD&AA.

Overall, the financial supervisory authorities in the EU have identified a special and growing threat

to information security in BD&AA.

Furthermore, the paper describes data quality as another important issue for supervisors, as the

results of machine learning models are only valid if the input data has a good quality. Therefore, the

EBA-report recommends the banks to identify the data quality risks in BD&AA and integrate them

into the risk management.

Last but not least, the paper also examines data protection as an issue in supervisory

foucs, as the EBA-report requires banks to comply with the requirements of the EU General

Data Protection Regulation (GDPR) during the entire life cycle of their BD&AA applications.

Although issues relating to data protection in financial institutions in the EU fall primarily within

the competence of data protection authorities, data protection issues of financial institutions could

become relevant for the financial supervisory authorities, as possible shortcomings in the

business organization can also be derived from the deficiencies in the data protection.

Finally, the paper concludes that more regulatory steps concerning the use of BD&AA in the

financial sector can be expected in the EU in the near future, as BD&AA has increasingly become

more important for financial institutions in the EU.