Legal & Regulatory Issues
- Fiduciary Duties
- Asset managers generally have fiduciary duties to their clients, including the duty of care and the duty of loyalty. These duties require, among other things, appropriate diligence in selecting, engaging and overseeing AI service providers and disclosure to investors of risks and conflicts of interest associated with the use of AI. This oversight and disclosure must be analyzed in the context of the specific use case of AI. To fulfill their fiduciary duties to their clients and to avoid liability for failure to properly supervise their employees, asset managers should develop and adopt appropriate policies and procedures governing the use of AI.
One aspect of an asset manager’s fiduciary duties relates to proper allocation of expenses. In the context of a private fund manager, whether a particular AI expense is able to be borne by a fund versus a manager is highly dependent on the fund governing documents and past practice. It is important to review the fund governing documents to allocate expenses properly as between a fund and the manager and to review past practice with respect to allocation of analogous types of expenses. For new funds, it is helpful to add specific language regarding AI-related expenses as fund expenses.
- Data Storage and Information Governance
- Asset managers should understand where and for how long an AI tool stores data, what types of data it retains (e.g., prompts, outputs, transcripts), the business purpose for the retention and whether its retention practices align with regulatory requirements and the asset manager’s information governance policies. It is important to assess whether the tool retains more or less data than necessary and whether there is potentially sensitive information stored in the AI tool itself, including material non-public information (“MNPI”).
- Privacy and Cybersecurity
- The use of AI tools to process sensitive commercial and personal data can introduce significant data privacy and cybersecurity risks, including potential data breaches, challenges with third-party data obligations, and jurisdictional concerns related to cross-border data storage and privacy regulations (e.g., GDPR, CCPA, PIPL). The use of AI tools should be analyzed with the applicable frameworks in mind.
Many asset managers use AI to record and transcribe meetings. This raises potential consent issues depending on the timing and substance of recording notices and where the participant is located. The law on consent to recording varies by jurisdiction, and wiretapping laws may apply.
- Recordkeeping and Discovery-Related Considerations
- The use of AI for generating new kinds of records (e.g., transcripts or summaries of calls or meetings) presents novel record retention issues. Registered investment advisers should consider when and how AI-generated materials may trigger statutory recordkeeping obligations.
AI tools may generate materials responsive to civil discovery or regulatory inquiries. Whether on-site or at a vendor, the information in AI tools may fall within various preservation demands or production commitments. Courts’ rules and parties’ discovery protocols may require disclosure of AI technologies’ use and of related records.
- Confidentiality, Privilege and Intellectual Property Considerations
- Inputting confidential information into an AI tool—and especially a publicly available tool—risks waiving protections such as privilege or trade secret protections. Asset managers should consider what access an AI provider has to the information, what protections and restrictions exist for the manager’s confidential data and what mechanisms allow the manager to verify such safeguards. Inadvertent disclosure can damage privilege, intellectual property and trade secret protection, and the harm can be difficult to remediate. It can also result in liability for improperly disseminating or failing to maintain adequate procedures to protect MNPI.
- Marketing
- Regulators and investors are increasingly taking action against companies over alleged misrepresentations of AI use, a practice known as “AI-washing.” The SEC has brought enforcement actions against investment advisers for misleading investors about the extent to which they use AI. Asset managers should coordinate internally to ensure they are providing consistent and accurate descriptions of AI tools and their actual use.
- Labor & Employment
- Use of AI can raise a variety of labor and employment issues. For example, if a firm monitors and records employee use of AI tools, employers should structure electronic monitoring programs to fit within legitimate business purpose exceptions and obtain informed consent where required (noting that certain legal jurisdictions may require different consents than others). A fulsome AI risk program should also target AI use by third-party HR vendors, which is common in recruiting, promoting and benefits administration. Risk programs should include periodic audits of any related algorithms used by third-party HR vendors and any AI output used internally for HR purposes for disparate treatment or impact (e.g., bias in outputs of the AI usage). Employers should also ensure that any HR vendors they engage that use AI can explain model logic, support legally required exceptions to their standard processes (e.g., reasonable accommodations for disabilities) and cooperate in audits and defense of claims.
Recommendations When Adopting AI Tools
In summary, in light of the above legal and regulatory issues, we recommend asset managers at a minimum take the following actions when integrating AI into their businesses:
- Adopt policies and procedures governing the use of AI.
- The policies should outline the types of AI that are permitted, the pre-approval process for AI service providers and the ongoing review process of AI tools. The policies and procedures should also require employees to independently verify AI-generated outputs.
- Provide disclosures to investors about the risks associated with the firm’s use of AI.
- Conduct initial and ongoing diligence on the AI service provider.
- Ensure agreements with AI service providers and service providers that use AI contain the necessary assurances regarding the AI service, including representations regarding compliance with applicable law, protections for managers’ data, and the ability to verify safeguards.
- Review marketing materials to ensure the firm is not engaged in any so-called “AI-washing.”
- Consult with experts in the adoption of AI tools.
Please contact your usual Ropes & Gray attorney or AMTechnology@ropesgray.com for further information.





