The Commonwealth Bank of Australia (CBA) has classified artificial intelligence (AI) as a “material risk type” under its risk management framework, as the financial institution develops its use of the emerging technology.
CBA’s governance structure for AI is described in a transparency report on how the bank has used the new technology over the past decade.
A material risk designation means the bank’s board sets annual risk appetite statements for AI deployment, just as it does for lending and liquidity exposures.
In doing so, CBA has established a dedicated AI risk committee that sits below executive level but above business unit management.
The AI committee oversees the design and operation of the bank’s risk framework for the technology, and provides “risk management challenge and advice for higher-risk AI use cases.”
In the report, the governance structure places the board at the apex, supported by four committees, including risk and compliance, and audit.
Below that sits the executive leadership team (ELT), supported by management-level committees including a model risk governance committee and the AI risk committee that oversee AI-related risks.
“Business units maintain their own financial risk committees (FRCs) and non-financial risk committees (NFRCs) that can evaluate AI models deployed in their areas.
“The board holds chief executive Matt Comyn and his executive team directly accountable for managing AI-related risks and opportunities.
“All in all, the board has ultimate responsibility for the bank’s risk governance, including the risk management framework and oversight of its operation by management,” the CBA report states [pdf].
Policies governing AI risk management are subject to periodic review under the bank’s group policy framework.
As part of the report, Commonwealth Bank said it screens 80 million events daily using AI models to detect fraud and scams.
It also uses internal guardrails-as-a-service (GaaS) for the customer-facing Ceba chatbot, to ensure the veracity of the AI’s responses when it uses retrieval-augmented generation (RAG) to pull up content from the bank’s website.
This is to ensure the content is appropriate for customer queries, rather than hallucinated by the language model.
