Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what steps they are taking to ensure that AI-powered scam-detection tools used by UK financial institutions comply with data-protection and cybersecurity regulations.

The Information Commissioner’s Office (ICO), which is responsible for enforcing data protection laws, has provided guidance on how data protection law applies specifically to AI systems, including through updates following its recent generative AI consultation series.

This type of software is not regulated under existing cyber security regulations. However, HM Treasury, the Financial Conduct Authority and the Prudential Regulation Authority deploy a range of tools to ensure firms are resilient to the wide range of risks that they could face. This includes the regulators’ operational resilience policy, threat-led penetration testing, and sector-wide cyber stress testing. Technical advice is also provided by the National Cyber Security Centre and the National Protective Security Authority.