IA talks AI
Targeted at UK investment management firms and IA Engine innovators, 'IA talks AI' covers the implementation of artificial intelligence within the sector, from the perspective of both general business efficiencies and with investment-specific use cases in mind. Beginning in May 2023, the series contains short, informal interviews with industry leaders, policymakers, regulators and innovators, covering policy, regulatory and practical considerations.
IA talks AI
03.08. Exclusive: IOSCO launch AI supervisory toolkit
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Kris Nathanail, Director for Standards Development at IOSCO explains their AI supervisory toolkit and the questions regulators can ask financial firms about safe AI adoption.
Hello and welcome to the latest episode of the IA Talks AI. I'm pleased to welcome Chris Nathaniel, the Director of Standards Development at the International Organization of Securities Commissions, IOSCO. And she's going to announce something to us and to the world when this podcast comes out at the end of May 2026. This new work will be available. And I highly recommend that you read it if you work in financial services and especially if you are a financial services regulator. So, Chris, why don't you tell us more about what this work is and what we can learn from it?
SPEAKER_01Lawrence, first uh let me say thanks to the IA for having me here today. It's uh it's a great pleasure to be announcing the publication of our first supervisory toolkit on uh artificial intelligence. The toolkit is meant to be a sort of practical resource to help our 130 members, they cover 99% of global capital markets from a regulatory perspective, adopt a risk-based, proportionate approach to the supervision of firms using AI in capital markets. To do that, we've adopted a three-layer approach. Layer one sets out the areas for super reconsiderations. So those are themes that we are hearing day in, day out when we think about uh artificial intelligence, questions around governance, questions around model risk, how do you disclose, how are you transparent with investors about the use of AI, what kind of market risks does the use of AI bring into the system? And of course, as it's very prevalent at the moment, cybersecurity and operational resilience risk. We then move on to what we've called layer two, and that is very much specific considerations on four key areas outsourcing and third-party risk, disclosures, governance, and record keeping and reporting. And there, what we've done is create a set of questions that supervisors can take in with them when they go into firm visits, for example, or if they're doing thematic reviews of how firms are using AI and ask those questions to really understand how firms are conducting themselves with the use of AI. How are they ensuring proper governance around the use of AI internally? And last but not least, we've also set out a set of indicators so that supervisors can follow up on adoption of AI within capital markets, both uh generally but also across sectors, so with broker dealer firms, they may be overseeing or investment management firms.
SPEAKER_00Excellent. So um there's a lot to digest there. So perhaps we'll just sort of dive in with um with some of the broad scene setting um around this work. So many listeners, I'm sure, work in financial services and will have been aware of the use of artificial intelligence in financial services for some time. But obviously, I think a lot of us also recognize that this moment in history is is a bit different. Um so what did you um learn and reuse perhaps from your approach to regulation of artificial intelligence um in the past and what's new now, and that you had to specifically think about new ways to address?
SPEAKER_01You know, it's a very good question because when I speak with people about AI, they say to us, Oh, you produced something in 2021. The first higher score report on AI was a set of uh guidance for broker dealers and uh asset managers on how they use AI ML. So often the question comes back, why now? Is it because of Gen AI? Is it because of agentic AI? In many ways, yes. The complexity around AI has certainly increased. I think it's fairly obvious to anyone that is uh taking an interest at the moment in those issues. You are seeing new types of risks. Gen AI brings hallucination risk, for example, you have more opacity in terms of how the models are operating, you have some non-deterministic behavior that you didn't get before. So certainly there is a need to think about is our approach to regulation, to supervision still fit for purpose in a world where AI is more complex? But in addition to that, AI is also scaled up, right? Between 2021 and now, the world has moved so quickly on AI that it felt to us it was time to take a step back and think about again, is the supervision philosophy around uh capital markets still appropriate in this new world? The conclusion we've come to is actually it is. If you think about the broad principles that uh regulate supervision of capital markets, risk-based, proportionate supervision of capital markets, they are about the same uh activity, same risks, same regulatory outcomes. They are about principles such as governance, such as record keeping, being able to be transparent both to your regulators and to your investors about what you're doing. Those principles haven't gone away, and they haven't changed because of developments in AI. What has changed is how you might approach it, the type of questions you might want to ask both yourself as a firm, but also the supervisors might be asking a few. So the what is the same, the how has changed, and that's why it felt. It was time for us to come back around the table, bring everyone together and think about that.
SPEAKER_00I think the the philosophy, you touched on the philosophy of regulating AI. And I think that that um that does illuminate something I think that that has presented a really interesting challenge to regulators now, which is that um that we've not faced a technology like this that is sort of has such general application, uh, but is also non-deterministic. So regulators have have traditionally been much more comfortable in systems where you can say, why did the um why did the trading algorithm make that decision? And you can say, well, we can get under the hood of it, we can see with these inputs, you know, and this data, it's made, it's triggered this decision for this reason. And with generative AI, we simply cannot do that. They are black boxes, which say black box AI is not entirely new. But um but they nevertheless, it's it's a technology now that is doing not only potentially making investment decisions, but also involved in direct interactions with customers, all the things uh I mean you might say with the GENTIC AI, which uh your report uh looks at in in far more detail than than those in the past, they are black boxes with decision-making agency. So, how much did you think about learning from our approach to regulating human beings who are also black boxes with and potentially malicious intent as well? That's something you touch on is is the necessity of of firms protecting themselves from from something that that could be um that could be used maliciously as well. So did you think about those analogies when you were designing this and uh what did that tell you about how to regulate AI in the future?
SPEAKER_01Yes, but I think in the same way as we haven't fully resolved as society, how you manage those risks from a human perspective, I'm not sure we have quite found the the solution to the end degree when it comes to AI. And that's why when we think about the the oversight of AI, we very much think about it in a terms of principles-based, because it's evolving so fast that if you go into a great level of detail about how exactly you should take that approach and how exactly you should oversee the specific models tomorrow, your your guidance is outdated. So the we the approach we've taken is more to say, look, the principles remain the same. And from a super perspective, we will always expect to have a human somewhere in the chain. Now, of course, it used to be a lot easier to say you have human in control. That is to say, nothing happens until the the human actions that that thing. We may be moving with uh gen AI and agentic AI across the spectrum, potentially at some point, although it's human out of the loop. That is to say that the model is making those decisions. I don't think we're quite fully there yet. Uh certainly from a C3 perspective, we'd still expect to be able uh for the firm to be able to demonstrate to us that there has been human interactions and that there are systems in place to be able to essentially kill the uh the AI if it's needed, as we have in other types of markets. We have kill switches, we have circuit breakers, and some some of those tools are referenced in the in the paper exactly for that reason, that you need to be able to control it at some point if needed.
SPEAKER_00Yes. And that um that may be, I suppose, um a practical approach to the problem of of sort of runaway AI in the trading environment. And I suppose what's new about novel about Gen AI is that um that it it can also be in in lots of different back office processes. We know from um in financial services that we've got lots of modular pieces of software that that don't all talk to each other in in very easy ways. So I suppose there is also a longer-term risk, or or did you consider that um that near term we might be able to rely on people with kind of institutional memory of how these processes were done? Longer term, we may actually lose those people, and because of attrition, we may be in a situation where now the the financial system rests on AI, agentic AI that can navigate the system. But but if it breaks down, then we don't have a very easy way in which to revert to the old operating model. I mean, maybe that's a longer-term uh challenge. Did you kind of think about what that might look like?
SPEAKER_01Yes, to the extent that some of the questions that you raise actually were already existing when you spoke about more traditional AIML models. It's certainly been exacerbated with Agent TI and with and with Gen AI, but some of those considerations were still there initially. And that is why the toolkit focuses very strongly on questions around governance and being able to document all the decisions that senior management have taken, that the board has taken, being able to demonstrate that they they understand what is going on within the firms and that at all points they are able to interact with those decisions as appropriate. But also the question of record keeping and the question of monitoring the model at all times, right? And being able to act upon that as necessary. If you have those measures in place, those health measures in place, uh, then you should always be able, even if people who are currently working on the models leave, you should always be able to come back and understand what's happened, understand the decisions that were made. From a governance perspective, that is what you would expect as a as a supervisor.
SPEAKER_00Yes. And and um you obviously touching now on on governance and record keeping, I get a sense as a financial services industry, we we touch all parts of the economy. And there's a sense in which we also um of course invest savers money. So we we tend to think that we set ourselves high standards. So, you know, when it comes to proper governance of AI, proper documentation of how AI is being used and what processes it's engaged in, how we would remedy it if anything went wrong, how we know when something's gone wrong. These are all things that I think are are fundamental to uh as your report, I think, very well describes um the future operation of financial services, but also the economy more broadly. I think that there is, I got a strong sense reading the framework of its applicability to uh the wider corporate sector and the wider economy. Did that strike you as you were creating this framework, or were there any other interesting, emergent lessons that you got in the course of making this work?
SPEAKER_01With the organization for security commissions, our focus is capital markets. So when we were thinking about this, of course, our um primary objective was capital markets firms. That said, if you think about the objectives of financial regulation around uh good conduct, around good governance, those fundamental objectives are not in practice that dissimilar from what, as an investor in a corporate, you would want to see from that corporate. The approach might be slightly different, of course, but the fundamental principles are the same. So if our toolkit can also help firms in their other types of activities, in their investment activities, then from our perspective, that's that's great if it can help the broader economy. But certainly our focus was financial markets.
SPEAKER_00Yes, and it's it's I suppose a gentic AI was was one of the key themes that um marked a big step change from your previous report in 2021. If I got that right, was it 2021 was the previous report and 2025 was an update report?
SPEAKER_012025 was uh a state of play report. What is going on in the industry? How are how is AI being used? Where is it being used? Because what we found was that um in 2021 a lot of it was more back office. Actually, nowadays we're seeing AI being used in other types of areas within firms as well. So 2025 was about what is the state of play, what is happening in financial markets, so that we could consider if we had to adopt, to adapt, sorry, as securities regulators as well. 2026 is about how do we adapt? What are the questions we should be asking firms? How do we supervise these things? How can we help our members, our supervisor community think about those questions?
SPEAKER_00Good. Um so then we've got, I suppose, yeah, 2025 got the new lay of the land. And the yeah, as the big change from 2021 then in terms of the how-to, has been the arrival of these agents that can make decisions and engage in entire processes uh by themselves. And governance, therefore, I think is as as we drew the analogy earlier, potentially with human workers, something where if you cannot perfectly control and interpret the decisions of human beings, staff or agents, then what you have to have is a governance framework that helps keep the whole thing safe, auditable, and and so on. One of our um engine member firms, um, Agentic Risks, so they they are a firm that advise specifically on on uh governance of AI agents in particular, they draw quite a an intriguing analogy, which is with working dogs. So we kind of we classify working dogs into different types, and depending on you know how closely they interact with human beings or with uh sensitive systems, we we constrain them all, we give them more or less autonomy. So a guide dog that has to um help navigate a city is very heavily trained and tightly sort of specified, whereas a sheepdog that works in the fields can have a bit more freedom to kind of run run wild, but but obviously provided it continues to to keep people safe and do the job it's supposed to do. So I suppose I I found that example really um illuminating of the power that governance could have, because it's not as though you can, with an agent or with a dog, you can in all cases say that's going to be that's going to ensure the safety of this activity. But what you can do is say, well, we have a framework that that tells us that this is a good way to go about it. And if anything goes wrong, we know broadly why that situation occurred and who's responsible for that. So it it seems to me that that is broadly applicable. In in terms of the accountability then, did you have a sense in which you wanted to situate accountability and the governance responsibility for this at a high level rather than leaving it to the market or to to leaders potentially to just delegate that authority further down the chain?
SPEAKER_01Can I just say I love the dog analogy? I'd never thought of that. I may steal it. I think it's great. From a regulatory perspective, accountability remains with a firm. Obviously, you can't delegate accountability to a model. Um parallel to that is an asset manager that is using a third-party valuer can't delegate responsibility to the third-party valuer. It's the same here. But it goes back a little bit to the discussion we were having initially around proportionality. And I very much agree with you that depending on where the AI is being used, the level of human oversight of the AI, the impact it could have on the market, you almost get to a risk matrix, and that helps inform how much oversight you need to have. And I think that is both the case as a supervisor as it is the case from a governance perspective for the board of the firms, for the senior management of the firms. But very much on the question of who holds the final responsibility, there is no shying away from that. The responsibility remains with the firm, remains with the board and the senior management of that firm. In practice, that means that they need to be trained in the same way as senior as more junior staff may be trained. The training might be different, but you need to be able to have the skills to make decisions. You need to be able to have the skills to understand what is being presented to you, because that responsibility you are not shying away from.
SPEAKER_00And um you you you talk in your in the report about some of the ways in which um firms can show that they've properly expressed that um governance and that that control. So you talk about third-party supplier contracts, for instance, and making sure that those are appropriately specified. I I had a couple of reflections when I was reading that part. One is is uh obviously a kind of ongoing debate, some of our members um talking about given how important these base models are to driving certain processes, is there a case for actually a kind of shared accountability model? I think that's an intriguing proposition. Um so you would say, well, we um it I suppose it comes down to whether you're thinking of AI as a sort of one one model is to consider that AI is the the machine, and so the firm basically uses the machine, but the the machine is is the responsibility of the model maker. And the other is that AI is a kind of utility, so you it's more like the energy that feeds the machine, but it's still your machine as a firm and and um and you're respon ultimately and and entirely responsible for it under law. So I was I was thinking the the third-party contracts question is one in which you could um you talk about specifying certain quality threshold that you have to meet, perfor you know, how we're going to measure performance, and it could, I suppose, also entail some recognition of the fact that if we ins if we're insisting that the model makers provide a certain quality, that they are in some ways we can make them responsible, even if as far as you and your members, member regulators are concerned, the accountability from their standpoint still rests with the firm. Is that is that a fair summary of kind of the the way to think about it? So you could regulators aren't about to change to a model that that holds model makers account. But if you have the right terms in your contracts with that supplier, you can get them to bear some of that responsibility with you and to to to be accountable for making better models.
SPEAKER_01I think when you engage with the third-party providers, there are a series of questions that you should be asking of them. I don't know to what extent you could go all the way to making them responsible. Certainly it wouldn't give you super 3 coverage because supervisors have been very clear, the responsibility remains with you. So the question is, should your initial concern or your primary concern be about sharing responsibility or should it be about ensuring you have again asked the right questions, got to the right point at which you feel you can use it as a utility, as a as you've said, um, but as part of your systems? Because if you think about agent tech AI, for example, or even Gen AI, the decision points around what data can it access, how does it um filter through, how am I using it? They're still with the firm. They're not with the module provider. So it's not clear to me the question should be can we shift some of the responsibility or the accountability in those negotiations on contracts? To me, it seems more a question of how can we ensure again that we've done all of our due diligence, that we have asked all the right questions, so that when the supervisor comes knocking at our door, we can explain it, we can show it, we can demonstrate um the criteria we have used for vendor selection, we can demonstrate that um you know we understood what was being sold to us, we can uh demonstrate we have appropriate monitoring and oversight procedures of of the models internally. I don't think we should be moving towards a question of can we shift that that responsibility? I think it would be a mistake for everyone.
SPEAKER_00And um indeed, as you as you touch on there, the ways in which the technology are being used by firms are are going to be greatly varied, you know, depending on exactly that firm's business model, the the systems they use, you know, behind the scenes. Um They're indeed whether they interact with customers in and in what way. So I I got the sense that you you you did map the common features of the relationship between firms and AI providers, for instance, and you kind of kept the the framework at a at a high level, reasonably high level, so that it would be broadly applicable across all of your member regulators in in all the jurisdictions that they govern. So so did you did you at a certain point recognize that there was a line to be drawn and you say, well, we can't we can't reasonably come up with a detailed checklist that's going to apply, you know, to every firm in every jurisdiction that regulators can go with? But we know that there will be these common features of the relationship and that with appropriate governance, record keeping and so on, we can we can regulators can sort of to some extent control the safety of the system, but also learn from the disclosures of and their interactions with the firms about exactly how they're managing it. Is that how you thought about it?
SPEAKER_01I think the way we thought about it was from a very humble place of securities regulators will never out-innovate the market. And there is absolutely no way we will out-innovate developments in AI. So being realistic about that, then the question became: how do we keep up in practice? And the toolkit is our attempt to keep up in practice in a way that covers all types of AI and in a way that helps jurisdictions across a whole range of um sectors and across a whole range of development, if I can call it that way. An emerging market jurisdiction should be able to take the toolkit and make use of it in the same way as a developed jurisdiction, developed securities regulators would. How did we go about that? First, um, it was recognizing that we need to be anchored in outcomes, not in technology. Many regulators are technology neutral. That is also our approach, but it goes back to the what and the how we were discussing earlier. The regulatory outcomes, the what should remain the same. The how you approach achieving those regulatory outcomes might differ because of AI, but you should still think about it in terms of those broad categories. Um technology neutral does not mean you should not adapt how you approach an issue. It just means you need to think about how you adapt it. Um so, to give you a specific example, if you think about the traditional aspects, suitability, market integrity, fair disclosures, actually though those don't change purely because you're now having an LLM in the middle there somewhere, right? Firms, as we've been discussing, remain accountable for the products and they remain accountable for the for the services they deliver, regardless of the technology underneath. So that was one of the ways we decided to approach this. The second, it goes back to the point we were discussing around proportionality, uh, be it um at the level of the firm or at the level of the supervisor. The toolkit sets out a framework for supervisors to consider around the nature and the complexity of the system, the level of human oversight, and the potential impact on the client and the firm. Again, it's a risk matrix. Depending on where you are in that matrix, you might need more or less oversight. Having said that, I think there's also a component that we need to think about. And it's, I like to call it building the super three muscle because it's one thing for firms to be using AI. But as markets become more complex, we also need to think about how we might be able to use super 3 technology. So, in addition to the toolkit, IOSCO has recently announced a subtech forum where we basically bring our members together, want to share experiences, as you've rightly said, on both what's going on in markets, but also on uh the type of technology they are using to oversee those markets, but also hopefully over time to develop some technology together, or at least parts of it, uh, so that it can then fit into into their frameworks.
SPEAKER_00Yeah, I think that that that touches on a really interesting dimension to this, which is of course that um and again it points back to the importance of overall governance, because there is a sense in which to some extent the the the solution to the challenges and risks posed by AI is in many cases going to be more AI. When when we look at mythos and and the waves that that the shockwave that sent through the economy and society, it was because of the recognition that um that a bad actor with a model this powerful could cause havoc. And that part of the solution, inevitably, is not going to be human beings that can code at the speed of a model like mythos, you know, to counter a a malicious, um, a malicious actor. It's that actually you will need models, defensive models, AI models, that are doing this. And I think that that that also applies to things like uh we know that increasingly firms are using AI and have been for some time for fraud detection. So and the the incentive there for firms is is pretty similar to that for regulators. Firms are using it to spot patterns in data that indicate if there's been uh malpractice, and likewise uh regulators want to see that firms are not uh misbehaving and use uh pattern matching algorithms to spot when, for instance, you know, trades might be executed in ways that indicate that that they haven't followed all the rules or or perhaps they, you know, if they fr if you're doing front-running, for instance, then um there are ways indeed, AI may also present new novel ways of concealing bad practice that it would suggest to me regulators would have to counter with technology of their own. In speaking to your member organizations, were there any particularly illuminating examples you thought of of plans that they had to deploy those technologies themselves and to learn from firms about how to do so?
SPEAKER_01Aaron Ross Powell A lot of uh regulators are already looking to implement supervisory technology and they are making or trying to make use of AI in in doing so. I can't speak to the specifics, of course, that is for each jurisdiction to speak to. But what I can tell you is there is interest. You know, we have had such a level of uh excitement about the supervisory forum internally with our members, and we are seeing them wanting to share how they are implementing it, but also the challenges they're facing. I think it's fair to say AI is a sort of challenge of our times. That's both the case for industry as it is for regulators, and they are opportunities for discussions, for learning from one another in in those aspects as well.
SPEAKER_00Another question that we've been debating of that's of much interest to us here is about um whether AI challenges our idea about where exactly the regulatory perimeter is. So uh obviously I I I did have, I think, reading the your framework, a lot of confidence that that firms that were appropriately applying the right governance standards, that they were documenting what they were doing, keeping logs that could be um assessed by regulators and and themselves indeed to learn from from how how they can apply these technologies safely and effectively. But we we s we haven't addressed um in parallel, there are there is consumer use of AI. There's basically the the consumer approaching AI and asking it for advice, you know, on how to manage their finances, how to invest, and so on. I wondered if you had, in the course of this work, um contemplated some of the questions in that area, what it would mean for for a consumer to act on the advice, financial advice of an AI before they've had any interaction with financial services firms?
SPEAKER_01That's a very good question. It's also a very difficult question because how do you um how do you prove that uh an off-the-shelf, free available online model has provided financial advice? Actually, I've done that exercise because I was quite curious. I went in and I asked a few questions. And the the first response I got was this is not financial advice. So it seems the models are getting clever about making sure that we know they're not providing advice. But that said, I I don't think we're quite at a point yet where we are ready to answer those questions as a society, as a market, as a regulatory community. I think there's still a long way for us to go before we're able to completely grapple with those points. And of course, as IOSCO, our members are securities regulators, they have very specific markets, they oversee very specific regulatory perimeters. So our focus has got to be on that regulatory perimeter, and we can't go beyond it as it stands.
SPEAKER_00Yeah, I I think I think that that does accurately reflect where we are, and indeed that's one of the kind of more sort of blue sky questions that we sometimes pose ourselves, or you know, what would it mean for regulators to um to perhaps regulate not um organizations in all instances, but regulate certain activities. So if you have uh an evidence of a a model that is is basically dispensing financial advice, when I I performed the same experiment that you did um out of interest, just opening, you know, uh uh one of the major models in like a an uh private window of my of my browser so it had no access to my kind of history or anything to see what what advice it would um it would provide. And it didn't actually start with that disclaimer of this is not financial advice. And it did indeed provide what what looked to me like a form of financial guidance. It it was very reasonable guidance, I would suggest, but that was only based on a very generic query that would be probably pretty easy for it to answer. And increasingly what we're seeing is uh consumers basically plugging AI into all of their financial financial apps and everything else and asking it to optimize their their life and their kind of um personal management. Um so is there a point at which you could start to say, well, could we say that something that looks like financial advice is going to be treated as financial advice? And and that's maybe a longer term question that that that your members will will want to actively consider. But um I was going to pick up next on the um the report talks about some of the the kind of practical measures and things that that your member regulators could look for and ask for and and assess when considering how their um the firms they regulate are applying AI and what we can learn from those. So things like um, you know, you can monitor what use cases there are, but also look at how many use cases that have been um subject to pilot are converted into full application, and then what um what potentially we can uh learn from the failure modes of those pilots that weren't successful and things like that. Um perhaps you can talk a bit more about some of that hands-on monitoring, the measures that you you want to use to kind of help regulators um navigate this unfolding terrain without perhaps also implying a false sense of you know comfort or accuracy that that these will guarantee that that you can protect and keep this technology safe when it's actually going to be uh very, very broad and and manifest in lots of different ways.
SPEAKER_01Well the the toolkit has uh as as three layers. And the the third layer is very much the indicators you've just mentioned. But if you think about again the philosophy behind the layers, layer number two, which is about the questions you should be asking of firms and the sources you could check to make sure that what the firm is telling you aligns with what is actually happening, is very much done with the idea of helping the supervisor have an understanding of exactly what is happening in that firm at that point in time for day-to-day spursory practices. But to the point we were discussing earlier around this is a very fast evolving environment. How can we regulators keep up with what's going on? That's layer three. That is the indicators. Why? Because over time, those indicators should allow you to build a picture of what is going on only in that firm, but across markets, across sectors. And it is one way that we would find to make sure that we can keep evolving our own thinking, both from a policy-making perspective, but also from a direct supervision perspective. So it's part of the toolkit, but it's more of a what can how can that help you as a supervisor keep track with what's going on in in the market rather than how can it help you oversee directly that that firm that you're going into.
SPEAKER_00And um perhaps a final question then, um so that we uh we keep to time. But um obviously at IOSCO, you are a kind of central convening body of national regulators and financial regulation in different jurisdictions naturally looks different, reflecting local um practices and conditions. But also I think AI clearly does represent a global challenge with lots of features. What do you sense as being the appetite among your members for consistent rules and and what, if anything, have you learned already about where they might diverge?
SPEAKER_01I go back to the point that AI is the challenge of our time and it is not an issue of certain jurisdictions are affected by it, others are not. Now, certainly, as you've rightly said, I think it's unrealistic to expect full rule alignment. Uh and I think in many ways it would probably be undesirable as well. As you said, jurisdictions have got different legal situations and traditions, they have different markets, they have different risk appetites. We're seeing approaches being a bit different. The EU has the AI Act, which is transversal. The UK still has a sort of principles-based regulation-led approach. The US at the moment is developing its own thinking around AI. We've had a lot of announcements. Someone on your podcast came to talk about that a few weeks ago, which I found quite interesting. But from our perspective, as IOSCO, what we have tried to do and what we have tried to bring value, I would say, is along three levels. And I'm seeing in conversations with our members, and as is reflected, I think, in the toolkit, a real desire for those levels. The first one is conceptual alignment. Most jurisdictions, sorry, appear to be converging towards the OECD definition of an AI system. That sounds technical, but actually it really matters because we need to be able to know we're talking about the same thing when we're engaging with one another. That is both the case for supervisors trying to collaborate, cooperate on supervision as it is for industry participants, actually. The second one where I'm seeing a desire for collaboration, for alignment, is on risk topology. Think about hallucination, bias, what do we mean with explainability, what do we mean by third party concentration, model drift? All those uh risks, they're the same across jurisdictions, right? But it's important that that risk typology is broadly shared, again, both from a supervisory perspective that we know what we're assessing, but also from a firm's perspective when you're engaging with different regulators. And that brings me on to my last point, and that's supervisory practice alignment. This is where the toolkit uh fits very strongly. We haven't done the toolkit in isolation. There was demand from our members, that's why it has been published. And in fact, we work with our members when we when we do these things. It's not just the IOSCO secretariat drafting, it's very much committee-led. What we found is when supervisors are asking firms broadly similar questions around governance, around third-party concentration, around disclosures, what that tells firms is there is a comparable signal across jurisdictions. It's helpful for firms because it means they know what to expect. It's less compliance costs, but it's also helpful for supervisors as well. Again, because markets are global, firms are acting cross-borders. So if we can all have that same basic baseline, I think we're in a much better place. There is demand for that, uh, independently from whether once you start getting to the rule specific, things might change a little bit.
SPEAKER_00Thank you. I I think your point uh towards the end there about having um a resource that gives firms something to know what to expect, I think is um is something that that lots of our listeners and members will um will pick up on. And I would highly recommend to them that they read this because the list of questions that you've um that you've written are very much uh the right ones, and and I'm sure that they can expect to hear those from their regulators in due course. Um so for those of our members that um that are engaged in this topic, I I highly recommend you read it as well. It's not uh not just for for the regulatory community.
SPEAKER_01We have a small survey attached to the uh toolkit. It's open until the 6th of July. Please respond to it. Uh we're very much looking forward to your responses. We have a phase two of this work, which is actually engaging with firms and looking at how they are looking at those aspects. So your responses uh will be uh truly welcome. Please engage and reach out uh through the survey. 6th of July, key date.
SPEAKER_00Read it and respond by the 6th of July. So thank you uh very much again, Chris, for coming and explaining the toolkit to us. We hope you enjoyed this episode and um will join us in the next one.