Article 46
(Risk management and regular reviews)
- When using AI systems, an organization shall, guided by the risk-based approach, review the individual circumstances of use and perform risk assessments by considering whether customer services are provided or there is a material impact on operations, the amount of personal data being used, the level of the AI's autonomy in decision-making, the complexity of the AI system, the scope and breadth of impact on interested parties, and whether all remedy options are available.
- An organization shall establish adequate risk management and control measures and a regular review mechanism depending on the level, characteristics or scope of risks based on the results of risk assessments.
- When conducting regular reviews, an organization shall assess whether the AI system meets the original purpose and risk level. For an AI system with a higher risk level, a third party with expertise in AI may be appointed to conduct reviews. It is advisable that these reviews cover data quality, model quality and system security, as well as equality, sustainable development, transparency and explainability. Relevant strategies and measures shall be adjusted and improved based on the results of reviews.
- Before using AI systems to provide financial services to consumers through direct interactions with AI, an organization shall perform evaluations, from the aspects of information security, compliance and risk control, on how data used in the system is governed, information and communication security, supervision mechanisms, protection of consumer rights and response measures for unexpected events.