RegTech Intelligence

Accountability for GenAI

Generative AI (GenAI) continues to evolve quickly and shows great promise for financial institutions.

But here’s the catch: senior management regimes, like SM&CR and SEAR, hold ‘Senior Executives’ accountable for compliance, not machines.

So, how do SMFs/SEFs tick all the boxes which (in the EU) are written into the new EU AI Act or (in the UK) for the rulebooks and square the circle of compliance with post-Act technology developments?

Join us  in London at our exclusive annual conference on the 7th February 2024, to gain invaluable insights, discover cutting-edge solutions, and network with like-minded professionals who are equally passionate about staying ahead of the curve.

Register here


As technology continues to evolve quickly regulators are doubling down on accountability rules, and AI rules to maintain trust in the sector.

In the United Kingdom, the Senior Managers and Certification Regime (SMCR) continues to be expanded to new sectors, while in Ireland, the Senior Executive Accountability Regime (SEAR) is set to come into effect.

These regulatory frameworks aim to shift the focus to individual responsibility for their actions. In this era of artificial intelligence and advanced technology, SMCR and SEAR are stepping up to ensure that humans are held accountable over machines.

As JWG’s white paper ‘Unlocking embedded compliancereveals, financial institutions have embraced AI and other technologies as part of their digital transformation journey, and using rule repositories and AI-enabled Embedded Compliance controls can overcome fears of non-compliance and increase profits .

The Impact of GenAI Regulation:

The soon-to-be-released EU AI Act will place onerous obligations on the use of AI across all industries  “regardless of whether it is provided as a standalone model or embedded in an AI system or a product, or provided under free and open source licences, as a service…”

This means that SEFs will need to pace high hurdles for their GenAI that shall:

  • demonstrate that ‘reasonably foreseeable’ risks have been identified, reduced and mitigated through appropriate design, testing and analysis
  • process and incorporate only datasets that are subject to appropriate data governance measures for foundation models, in particular measures to examine the suitability of the data sources and possible biases
  • achieve throughout its lifecycle appropriate levels of performance, predictability, interpretability, corrigibility, safety and cybersecurity

We won’t have a deep understanding of new technical standards that are to emerge next year but we can soon expect to see stringent transparency requirements, comprehensive risk management obligations and, no doubt, ever more accountability for senior managers.


As we have written, Ireland will force board members and senior management on the Continent to rethink compliance for SEAR this year. The new regime will ‘gold plate’ current EU law and present international firms with major new hurdles.

The Central Bank of Ireland’s latest guidance on the Individual Accountability Framework (IAF), was released to great fanfare about how it will enhance individual accountability and promote integrity among senior executives.

The Bank of England’s 2023 SMCR review highlighted the need for greater clarity and consistency in the allocation of responsibilities among senior managers. It also emphasised the importance of robust governance structures and the active engagement of senior managers in managing risks effectively.

The role of RegTech

In many ways, RegTech is arriving just in time for accountability and AI. With ever more digital platforms that are exposed to the customers, the complexity of navigating a 50 page .pdf to determine whether a product is appropriate for the client is a real barrier to business growth.

As senior management regimes demand greater accountability for conduct, it is, therefore, no longer sufficient to rely on periodic training exercises that test whether the team has absorbed ‘what good looks like’. ​​​

In JWG’s ‘Unlocking embedded compliancereport, published with the support of Apiax and EY finds, leaders have adopted a rule-based framework that provides systems with the Boolean logic (i.e., ‘if statements’) that correspond to the old world’s thick policy documents.

By moving directly to logic, both the business and compliance can be aligned on the precise rules which guide the organisation’s decision making. Rather than high level policy statements supplemented by checklists, a more process-aligned logical framework can be agreed. This gives Compliance even more control over the policies and the business more certainty to rules which are fully transparent to all lines of defence.

The ‘Regulatory Rules Repository’ takes the Compliance function’s 1990’s policy portal to the next level as it transforms ‘plain text’ policy into executable logic which guide the business process as shown in the Exhibit from the paper below.

Exhibit 3: Target operating model for Embedded Compliance

Source: Unlocking Embedded Compliance, JWG 2023 – download here

In an ideal world, the business process owner simply asks Compliance for the appropriate rules for cross border sales and the rules repository returns the relevant rules, executable logic and the source of regulatory obligations and appropriate guidance.


SMCR in the UK and SEAR in Ireland are taking proactive steps to ensure that human accountability remains at the forefront just in time for senior managers to grapple with what AI means to them. By Embedding Compliance in the operations of a firm, senior managers can sleep soundly in the GenAI era, unless of course, it is you who is the responsible SEF. Learn more at our annual conference which is FREE for regulators and investment firms.

Register here

Related RegCast episodes:

Related articles:


To promote global dialogue on how to deliver regulatory change JWG post hundreds of focused articles a year to thousands of subscribers. Get involved and join the mail list.

By hitting the subscribe button you agree to our Privacy Policy