Supplier AI use ‘requires new approaches to liability and risk allocation’ in financial services

Liability provisions have long been hard-negotiated between customers and suppliers in the context of financial services supplier contracts, but a new report published by Pinsent Masons sets out that the use of AI by suppliers in service delivery can alter the risk profile and, in some cases, would justify increased protections for customers being built into those contracts.

The report, which explores the implications for financial services firms of suppliers’ use of AI tools to deliver critical services, considers how financial services firms may need to approach liability provisions alongside related risk controls such as transparency obligations, approval rights, model governance, audit rights, incident notification, data-use restrictions, explainability commitments and operational resilience controls.

“The first question to consider is whether the supplier’s use of AI as part of its tools should alter the scope of the liability under a services agreement,” said Yvonne Dunn, one the primary authors of the Pinsent Masons report. “The supplier may argue that the AI is ‘just another element of its technology stack’ and therefore normal levels of liability cap, exclusions, and standard limitations should apply. Customers may agree, but they will want to consider whether the use of AI as part of service delivery introduces any specific risks. For example, if an AI-powered service misclassifies sensitive data, leading to a regulatory breach, this may fall under the general liability cap, or it may be the subject of a separate indemnity for breach of applicable law by the customer which is caused by the supplier.”

The case for enhanced liability provisions would be based around the risk that a failure in the underlying AI system could be systemic rather than isolated, thus ratcheting up the potential losses, according to Luke Scanlon, another primary author of the Pinsent Masons report.

“The fact that some AI failures such as model degradation could be harder to detect and that AI could intensify the prospect of data-related liability, means that standard approaches towards risk allocation will need to be adjusted where the supplier is significantly dependent on its use of AI,” Scanlon said. “If a customer has made clear that specific uses of AI which are seen as high risk are not acceptable and the supplier has made a commitment to work within those boundaries, compliance with those ‘red lines’ may justify an enhanced liability position.”

“Further, where the contract prohibits the use of customer data for general model training, breaches of that prohibition are increasingly treated as high-risk events and are often carved out from standard liability caps and exclusions, or subject to a higher ‘super-cap’, to reflect the associated regulatory, financial, and reputational exposure,” he added.

Dunn said financial services firms can expect suppliers to push for a “layered approach” to any increase in their liability. This, she said, could entail standard liability provisions applying with a sub-set of liability provisions specific to AI, such as higher caps for AI-related losses.

“Many services agreements will already include supplier liability provisions relating to regulatory breach, but if this is not included as standard then it is something to consider in the context of AI,” said Dunn. “For example, under the EU AI Act suppliers of high-risk AI systems must comply with strict transparency and safety requirements, which may lead the customer to seek recourse from the supplier if AI-related regulatory obligations are breached. Such recourse might be specific indemnities from the supplier.”

Scanlon said negotiations over liability provisions can be protracted where suppliers’ AI tools are built on so-called ‘frontier’ AI models – ‘next generation’ AI models that push the boundaries of AI capabilities and known impacts.

“Suppliers working with frontier AI models will themselves be subject to the terms of those model providers, which frequently disclaim liability for output accuracy,” Scanlon said. “There is a risk that these limitations are passed down the supply chain, leaving customers exposed unless this is actively addressed in contract negotiations.”

“Customers should require transparency on the supplier’s upstream terms with AI model providers. Where a supplier cannot pass through adequate protections, it may be expected to absorb that risk within the commercial model, or the customer should factor it into its own risk assessment and implement appropriate internal controls,” he added.

Access the Pinsent Masons report on AI-enabled service delivery