Generative Artificial Intelligence Policy


1. Purpose

The purpose of this policy is to govern the development, deployment, and management of Generative Artificial Intelligence (Generative AI) technologies at River Bank. This policy aims to ensure that Generative AI technologies enhance operational efficiency, improve customer experience, and maintain competitive advantage while adhering to ethical standards and regulatory requirements.
2. Scope
This policy applies to all departments and employees within River Bank. It covers all Generative AI applications and systems used across the organisation, including those aimed at optimising operations, innovating financial products, enhancing customer experiences, streamlining compliance and risk management, and supporting data-driven decision-making.
3. Responsibility
The Generative AI Strategy leader operates as the 1st line of defence and must ensure compliance with this policy is achieved. The Chief Risk Officer operates as the 2nd line of defence and owns this policy, reporting to the AI Governance Board comprising stakeholders from IT, data science, HR, and relevant business units. Each department involved in deploying or interacting with Generative AI systems is responsible for adhering to this policy, and each department will identify and train Generative AI Champions, who report to the AI Governance Board.
4. Review Period
The policy should be reviewed annually or more frequently if significant changes in Generative AI technology or business practices occur.

5. General Policy Statement

River Bank commits to using Generative AI technologies responsibly, transparently, and in alignment with our core values of integrity and innovation.
Generative AI systems will be used to automate processes, enhance decision-making, and improve customer and employee experiences without compromising ethical standards or customer privacy.
5.1 Generative AI Policy Tiers
Tier 1 - Low impact
Description: Simple, non-mission critical task automation for team members, with no direct visibility to customers, regulators, stakeholders or third parties.
Accountability and approval: Individual team members are accountable for the Generative AI outputs they use. Approval from the AI Governance Board is not required for each individual automation, but is required for any changes to the framework or architecture.
Controls: 100% source allocation, automated quality monitoring and QA are not required.

Tier 2 - Moderate impact
Description: Function automation with no direct visibility to customers, regulators, stakeholders or third parties. Task automation for mission critical activities.
Accountability and approval: The AI Governance Board must approve every application before use and is accountable, so must have visibility of KPIs.
Controls: 100% source allocation is not required, but automated quality monitoring and QA are required.

Tier 3 - High impact
Description: Any application with direct visibility to customers, regulators or key stakeholders, or any application that could materially impact key risks.
Accountability and approval: The AI Governance Board must approve every application before use and is accountable, so must have visibility of KPIs.
Controls: 100% source allocation, automated quality monitoring and QA are required.
Task automation is the application of generative AI to perform a specific task, such as writing a document, software code, email, etc. Function automation is the application of generative AI to automate a whole function, such as automatically reviewing loan applications or River Bank’s policies and procedures.

5.2 Off-The-Shelf Generative AI Applications

Off-the-shelf tools such as ChatGPT and MS Copilot are also deemed Generative AI systems and are allocated to ‘Tier 1 - Low impact’ in the Generative AI Policy Tiers. Neither customer data nor sensitive data should be processed via off-the-shelf applications. Employees are accountable for the output they use from off-the-shelf applications.
5.3 Data Handling
Generative AI systems will initially handle internal policies, procedures, and proprietary data without access to personally identifiable information (PII) or sensitive customer data. This restriction will be reviewed based on the outcomes of pilot projects.
5.4 External Partnerships
River Bank will collaborate with external Generative AI solution providers for advice on governance and strategy, as well as for designing, building and launching Generative AI solutions. River Bank will also deploy technology powered by global providers of Generative AI models and cloud services.
All external relationships will be governed by strict contracts to manage risks and ensure compliance with this policy and any other relevant requirements.

6. Ethical AI Use
6.1 Transparency, Fairness and Non-discrimination
River Bank will be transparent about its use of Generative AI systems to its employees, customers and other stakeholders.

For source transparency, Tier 1 and Tier 2 applications in the Generative AI Policy Tiers will not require 100% source attribution, but Tier 3 applications do.
Continuous auditing and review are required for Tier 2 and Tier 3 applications to ensure Generative AI algorithms do not result in biased outcomes.
Measures must be taken to guarantee fairness in all interactions.
6.2 Accountability
Clear responsibilities must be defined for all Generative AI-driven processes, with designated teams or executives accountable for each Generative AI application.
6.3 Privacy and Data Protection
All Generative AI systems must comply with GDPR, the ISO 27001 accreditation and other data protection laws, with regular audits to ensure adherence.
6.4 Safety and Security
Robust security measures must be implemented to protect Generative AI systems from cyber threats and unauthorised access.
6.5 AI Governance and Ethics Oversight
An

7. Monitoring and Compliance

Monitoring tools and automated maintenance routines will be developed to ensure Generative AI systems perform as intended and remain compliant with all regulations and ethical standards. Reporting will be integrated into the bank’s enterprise risk management framework and the ISO 27001 framework.
8. Incident Management
Protocols for incident management will be integrated with the bank’s enterprise risk management framework and the ISO 27001 ISMS to address and mitigate any issues arising from Generative AI systems effectively.
9. Disciplinary Action
Violations of this policy can lead to disciplinary action, up to and including termination of employment. Specific penalties will depend on the nature and severity of the violation.
10. Relevant Documents
Additional guidance can be found in related policies on data protection, IT security, and human resources. Employees should also refer to the regulatory compliance guidelines provided by the PRA, the FCA, and GDPR.