Why financial services needs software escrow for AI-driven solutions

AI comes with risks, many of which are still unknown.
AI comes with risks, many of which are still unknown.

In August 2024, the European Union’s Artificial Intelligence (AI) Act came into force, aiming to balance safety and compliance with competitiveness, and setting the world’s first benchmark for a comprehensive AI regulatory framework. Soon after this, South Africa’s Department of Communications and Digital Technologies (DCDT) published a draft of its proposed national policy framework for AI, and is in the process of collating feedback from stakeholders. Once finalised and published, this policy will form the foundation for the country’s AI regulations, and potentially a standalone AI Act.

While the birth of AI can be traced back to the 1950s, the modern AI revolution swept through 2010s. This laid the foundation for the current ubiquity of AI models across industries, which, in turn, has led us to now being defined as an ‘AI-powered world’. From China, Nigeria and India to the USA, UK and Australia, other countries are similarly making progress towards national policies and laws to govern AI. It’s a defining moment for the ground-breaking technology, and a clear indication of the consensus that our world is now irreversibly embedded in the AI era.

According to an industry analysis report by Grand View Research, the global AI market value was estimated at US$196.63 billion in 2023. Massive investment in research and innovation driven by the world’s tech giants, as well as continuing advances in computational power and data availability are resulting in a proliferation of AI algorithms and models. As a result, the AI market value is expected to reach over US$1.81 trillion by 2030. Globally, there is widespread, rapidly escalating uptake of AI-driven tools, particularly in industries such as financial services, automative, manufacturing, retail and healthcare.

As with all new and experimental technologies, AI comes with risks, many of which are still unknown. However, as the technology evolves and uses of it proliferate, there are other risks which are clear and present, and driving innovative mitigation solutions. Guy Krige, Executive Risk Consultant at ESCROWSURE, says: “We are seeing the uptake of a profusion of AI-driven solutions, especially in industries such as financial services, and this has to be comprehensively included in business continuity and risk mitigation strategies and protocols. In essence, AI models are software, typically provided by third-party vendors, which are integrated in a companies’ systems and platforms to enhance its services and operations. Like any other third-party software, AI models open the business up to particular risks, and this is why there is currently a global and local focus on software escrow for AI to safeguard operations and business continuity.”

What is software escrow and how does it work for AI?

Software escrow is a global best practice for mitigating third-party risks that involves the independent safekeeping of the software’s source code, which can be made available to the user under predetermined release conditions. ESCROWSURE has been delivering software escrow services in South Africa for the past 20 years and is currently the only software provider in the southern hemisphere with ISO 27001:2022 certification, which is the international standard pertaining to information security and third-party software risk management. Krige says: “Software escrow for AI applications is aimed at protecting AI models and data, which has become critical due to how integral they are to a company’s operations and services. It serves as a vital safeguard against data breaches, data poisoning and other risks associated with AI models.”

However, Krige also points out that the risks to AI models are not only attacks from the outside. Most AI-driven solutions are provided by third-party vendors, and a user such as a bank or an insurance company would have no access and no means to protect the vendor’s AI assets. He says: “This presents a fundamental weakness to the AI model user. However, in the event of an AI provider's failure or the unforeseen discontinuation of their AI services or business, software escrow ensures access to the source code and related hosting information. This allows the user to maintain and operate the AI software independently or to transition smoothly to an alternative provider. Therefore, software escrow reduces the user’s dependency on a single AI software provider's stability, giving them greater confidence in their long-term AI investments.”

Software escrow agreements also protect financial institutions from Intellectual Property (IP) disputes that could potentially arise if the AI provider fails to protect their own IP rights or is involved in legal issues. Agreed access to the source code ensures that companies can safeguard their operations without infringing on IP rights.

Enhancing trust in AI ecosystems

Through the commitment to providing access to AI source code and models, software escrow builds trust between AI providers and their users. This trust is crucial as AI becomes more pervasive across industries, and more entrenched in sensitive sectors such as financial services. Users with software escrow can make necessary updates, patches or modifications to AI software to keep it running smoothly and securely, if their provider is unable to fulfil their maintenance obligations.

“In the context of the current, rapid development of specific AI regulations, software escrow also has an important role to play in assisting both vendors and users in achieving regulatory compliance,” says Krige. “Guidelines from South Africa's Financial Sector Conduct Authority already emphasise the importance of continuity planning and risk management in technology outsourcing. As the new AI regulatory framework for South Africa develops, there is little doubt that we are going to see specific rules and requirements for the safeguarding of customer data, as well as for ensuring operational continuity that depends on AI-powered models.”

As AI continues to transform businesses, incorporating software escrow into risk management strategies is becoming increasingly vital to build resilience. Krige concludes: “AI technologies evolve rapidly, and companies need to be empowered to adapt and maintain their systems. What is key to financial services companies is to ensure the long-term viability of their AI investments, and software escrow enables them to keep their AI-driven systems running smoothly, regardless of the third-party provider’s future. This helps protect the institution’s substantial investment in AI technology, while building robustness and resilience in the AI ecosystem.”

Share

ESCROWSURE

The purpose of Technology and Software Escrow - protecting your organisations Business Continuity. Many organisations are entirely dependent on third party Software Products for their mission critical business processes and functions. This dependency constitutes Operational Risk. It is crucial for such Software End-Users to mitigate their exposure to such risk.

An escrow arrangement is the most cost-effective tool for protecting the interests of both parties – the Software End-User as well as the Intellectual Property (IP) of the Software Supplier.

Constituted in South Africa in 2003, Escrow Europe (Pty) Ltd t/a ESCROWSURE is South Africa’s leading software escrow service provider and is dedicated to the highly specialised practice of locally and internationally effective Software Escrow arrangements, tailored to manage the operational risk associated with an organisations absolute dependency on proprietary Software. The sole focus of ESCROWSURE is on quality software escrow arrangements - in escrow terminology referred to as Active Escrow.

With Active Escrow, Intellectual Property (IP) such as software source code and technical documentation is not only securely vaulted but is also professionally verified and updated on a routine basis.

Editorial contacts

Rafeeqah Gertze
liquidlingo Communications
(+27) 83 765 3345
rafeeqah@liquidlingo.co.za