Why Financial Services needs Software Escrow for AI-Driven Solutions
AI-Security-Trends

In August 2024, the European Union’s Artificial Intelligence (AI) Act came into force, aiming to balance safety and compliance with competitiveness, and setting the world’s first benchmark for a comprehensive AI regulatory framework. Soon after this, South Africa’s Department of Communications and Digital Technologies (DCDT) published a draft of its proposed national policy framework for AI, and is in the process of collating feedback from stakeholders. Once finalised and published, this policy will form the foundation for the country’s AI regulations, and potentially a stand-alone AI Act.

While the birth of AI can be traced back to the 1950’s, the modern AI revolution swept through 2010’s. This laid the foundation for the current ubiquity of AI models across industries, which, in turn, has led us to now being defined as an ‘AI-powered world’. From China, Nigeria and India to the USA, UK and Australia, other countries are similarly making progress towards national policies and laws to govern AI. It’s a defining moment for the ground-breaking technology, and a clear indication of the consensus that our world is now irreversibly embedded in the AI Era.

According to an industry analysis report by Grand View Research, the global AI market value was estimated at USD 196.63 billion in 2023. Massive investment in research and innovation driven by the world’s tech giants, as well as continuing advances in computational power and data availability are resulting in a proliferation of AI algorithms and models. As a result, the AI market value is expected to reach over USD 1,81 trillion by 2030. Globally, there is widespread, rapidly escalating uptake of AI-driven tools, particularly in industries such as Financial Services, automative, manufacturing, retail and healthcare.

As with all new and experimental technologies, AI comes with risks, many of which are still unknown. However, as the technology evolves and uses of it proliferate, there are other risks which are clear and present, and driving innovative mitigation solutions. Guy Krige, Executive Risk Consultant at ESCROWSURE says, “We are seeing the uptake of a profusion of AI-driven solutions especially in industries such as Financial Services and this has to be comprehensively included in business continuity and risk mitigation strategies and protocols. In essence, AI models are software, typically provided by third-party vendors, which are integrated in a companies’ systems and platforms to enhance its services and operations. Like any other third-party software, AI models open the business up to particular risks, and this is why there is currently a global and local focus on software escrow for AI to safeguard operations and business continuity.”

What is software escrow, and how does it work for AI?

Software escrow is a global best practice for mitigating third-party risks that involves the independent safekeeping of the software’s source code which can be made available to the user under predetermined release conditions. ESCROWSURE has been delivering software escrow services in South Africa for the past 20 years and is currently the only software provider in the southern hemisphere with ISO 27001:2022 certification, which is the international standard pertaining to information security and third-party software risk management. Krige says, “Software escrow for AI applications is aimed at protecting AI models and data, which has become critical due to how integral they are to a company’s operations and services. It serves as a vital safeguard against data breaches, data poisoning and other risks associated with AI models.”

However, Krige also points out that the risks to AI models are not only attacks from the outside. Most AI-driven solutions are provided by third-party vendors and a user such as a bank or an insurance company would have no access and no means to protect the vendor’s AI assets. He says, “This presents a fundamental weakness to the AI model user. However, in the event of an AI provider’s failure or the unforeseen discontinuation of their AI services or business, software escrow ensures access to the source code and related hosting information. This allows the user to maintain and operate the AI software independently or to transition smoothly to an alternative provider. Therefore, software escrow reduces the user’s dependency on a single AI software provider’s stability, giving them greater confidence in their long-term AI investments.”

Software escrow agreements also protect financial institutions from Intellectual Property (IP) disputes that could potentially arise if the AI provider fails to protect their own IP rights or is involved in legal issues. Agreed access to the source code ensures that companies can safeguard their operations without infringing on IP rights.

Enhancing trust in AI ecosystems
Through the commitment to providing access to AI source code and models, software escrow builds trust between AI providers and their users. This trust is crucial as AI becomes more pervasive across industries, and more entrenched in sensitive sectors such as Financial Services. Users with software escrow can make necessary updates, patches, or modifications to AI software to keep it running smoothly and securely, if their provider is unable to fulfil their maintenance obligations.

“In the context of the current, rapid development of specific AI regulations, software escrow also has an important role to play in assisting both vendors and users in achieving regulatory compliance,” says Krige. “Guidelines from South Africa’s Financial Sector Conduct Authority already emphasize the importance of continuity planning and risk management in technology outsourcing. As the new AI regulatory framework for South Africa develops, there is little doubt that we are going to see specific rules and requirements for the safeguarding of customer data, as well as for ensuring operational continuity that depends on AI-powered models.”

As AI continues to transform businesses, incorporating software escrow into risk management strategies is becoming increasingly vital to build resilience. Krige concludes, “AI technologies evolve rapidly, and companies need to be empowered to adapt and maintain their systems. What is key to Financial Services companies is to ensure the long-term viability of their AI investments and software escrow enables them to keep their AI-driven systems running smoothly, regardless of the third-party provider’s future. This helps protect the institution’s substantial investment in AI technology, while building robustness and resilience in the AI ecosystem.”

Scroll to Top