Our bank wants to implement a chatbot for routine customer interactions and general inquiries. Is there any guidance on what a chatbot can and cannot say? Are there any compliance concerns we should be aware of? For how long do we need to retain the chat scripts?

We are not aware of any federal or state guidance specifying what a chatbot can and cannot say to a customer. The federal banking agencies issued a request for information on financial institutions’ use of artificial intelligence, including chatbots, in March 2021 (with descriptions of some of the related risks), but they have not followed up with related rules or guidance.

The agencies’ request for information notes that “many of the potential risks associated with using AI are not unique to AI” and provides examples of potential operational vulnerabilities, “such as internal process or control breakdowns, cyber threats, information technology lapses, risks associated with the use of third parties, and model risk, all of which could affect a financial institution’s safety and soundness.” The request for information also mentions that use of AI could heighten consumer protection risks, “such as risks of unlawful discrimination, unfair, deceptive, or abusive acts or practices (UDAAP) under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), unfair or deceptive acts or practices (UDAP) under the Federal Trade Commission Act (FTC Act), or privacy concerns.”

Regarding privacy concerns, we are aware that class action lawsuits have recently been filed in California alleging that website owners violate the California Invasion of Privacy Act when they record communications between consumers and company chat bots without customers’ knowledge or consent. A similar risk may exist under the Illinois Criminal Code, which prohibits “eavesdropping” without the consent of all parties to an electronic communication when there is no reasonable expectation of privacy. As we are unaware of any Illinois case law finding that a customer does not have a reasonable expectation of privacy in electronic messages directed to a chatbot, we recommend including a disclaimer informing customers that conversations with your chatbot will be recorded before allowing them to use it.

We are not aware of record retention requirements that are specific to chatbot communications, and we believe that the content of chatbot conversations will determine the required record retention period. While the OCC is not your primary regulator, OCC guidance notes that the retention period for any given electronic communication depends on its content rather than its format or technology. For example, under SEC rules, broker-dealers must retain electronic communications with customers related to their business for at least three years. Additionally, due to Illinois’s ten-year statute of limitations on written contracts, we recommend retaining any correspondence that may be relevant to a dispute over a contract for ten years after the contract’s termination. Also, any correspondence related to litigation should be retained until the completion of the action and the resolution of all issues that may arise from it.

For resources related to our guidance, please see:

  • Request for Information and Comment on Financial Institutions’ Use of Artificial Intelligence, Including Machine Learning, 86 Fed. Reg. 16837, 16839 (March 31, 2021) (“It is important for financial institutions to have processes in place for identifying and managing potential risks associated with AI, as they do for any process, tool, or model employed. Many of the potential risks associated with using AI are not unique to AI. For instance, the use of AI could result in operational vulnerabilities, such as internal process or control breakdowns, cyber threats, information technology lapses, risks associated with the use of third parties, and model risk, all of which could affect a financial institution’s safety and soundness. The use of AI can also create or heighten consumer protection risks, such as risks of unlawful discrimination, unfair, deceptive, or abusive acts or practices (UDAAP) under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), unfair or deceptive acts or practices (UDAP) under the Federal Trade Commission Act (FTC Act), or privacy concerns.”)
  • Bots Beware: Website Chat Bots Become Latest Target for California Class Actions (October 20, 2022) (“California class action lawyers have turned their sights on a new target: websites that employ ‘chat bots,’ digital assistants that allow companies to communicate with customers without employing live website customer service representatives. These cases allege that the website owners violate the California Invasion of Privacy Act (CIPA, Penal Code Section 630 et seq.) by ‘recording’ communications between consumers and company chat bots without the consumers’ knowledge or consent. . . . In recent years, the California plaintiffs’ bar has sought to apply CIPA to certain website tracking technologies such as session replay. Now that trend has extended to chat bots, with new lawsuits asserting claims for violation of Penal Code Section 631, the CIPA’s anti-wiretapping statute, which prohibits a third party from eavesdropping on or recording communications between two other parties without the parties’ consent.”)
  • Illinois Criminal Code, 720 ILCS 5/14-2(a)(3) (“A person commits eavesdropping when he or she knowingly and intentionally: . . . Intercepts, records, or transcribes, in a surreptitious manner, any private electronic communication to which he or she is not a party unless he or she does so with the consent of all parties to the private electronic communication.”)
  • Illinois Criminal Code, 720 ILCS 5/14-1(e) (“For purposes of this Article, ‘private electronic communication’ means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or part by a wire, radio, pager, computer, electromagnetic, photo electronic or photo optical system, when the sending or receiving party intends the electronic communication to be private under circumstances reasonably justifying that expectation. A reasonable expectation shall include any expectation recognized by law, including, but not limited to, an expectation derived from a privilege, immunity, or right established by common law, Supreme Court rule, or the Illinois or United States Constitution. Electronic communication does not include any communication from a tracking device.”)
  • Shefts v. Petrakis, 758 F. Supp. 2d 620, 633 (C.D. Ill. 2010) (“[A]n individual can ‘impliedly consent’ to the monitoring of his communications for purposes of the Eavesdropping Statute. ‘The circumstances relevant to an implication of consent will vary from case to case, but will ordinarily include language or acts that tend to prove that a party knows of, or assents to, encroachments on the routine expectation that [communications] are private.’”)
  • OCC Advisory Letter, AL 2004-9, Electronic Record Keeping (June 21, 2004) (“As part of its evaluation of an electronic records retention system, bank management should determine which electronic messages and communications to retain. This determination will depend on whether a particular e-mail or electronic message is a ‘record’ for purposes of the particular record retention requirement or whether the bank may need it later for business or litigation purposes. Thus, banks should look to the content of particular messages rather than their format or technology. If the e-mail were considered a ‘record’ or would be retained for business purposes because of its content if it had been received or sent in paper, then it should also be retained as a ‘record’ even though it is in electronic form.”)