Content

Purpose

At Unique, we believe that AI can be a force for positive change in the world, and we are committed to realizing this potential in a responsible and ethical manner. By adhering to these principles and values, we will build trust and confidence in our AI solutions and contribute to a better future for all.

Legal Disclaimer

This AI Policy was created by Unique in cooperation with trail GmbH. It is continiously evolving to adjust to the changes in the company and the legal environment. We do our best to keep it updated but cannot guarantee it.

1 General Provisions

1.1 Purpose and goal of the AI policy

This AI policy defines how AI systems are procured, used, adapted, offered and sold within Unique AG. The term AI includes traditional Machine Learning Models, as well as Generative AI technologies. The policy is intended to provide developers, users and third parties, such as vendors, consultants, permanent external employees or other relevant third parties, with guidance on the correct use and sale of AI systems. It also outlines the acceptable use cases of AI in the organization, aligns AI usage and principles with the organizational values and reputation, ensures compliance with applicable laws for AI usage and development, protect confidential data and IP, govern responsible development of AI, foster responsible and safe AI usage and promote AI literacy in the organization. Further, since Unique is dealing with FSI (Financial Services Industry),the goals of developing responsible AI and deploying safe, reliable and compliant use cases is of uttermost importance for the technology to scale and to drive adoption.

The use of AI is governed by the applicable legislation, in particular the EU AI Act, the EU General Data Protection Regulation (GDPR) and relevant sector-specific regulations (see section “Other policies and regulation”).

1.2 Scope of the AI policy

This AI policy is binding for employees, management executives (called performance board at Unique), board of directors (Verwaltungsrat), permanent external consultants or employees, vendors and other relevant third parties of Unique AG. It also applies to companies affiliated with Unique AG.

1.3 Coming into force

This AI policy came into force after the resolution has been approved by the Executive Board (Performance Board) on Nov 25th, 2024 and is valid upon publication.

1.4 Contact

Dr. Sina Wulfmeyer (CDO) of Unique is the central point of contact for all questions and concerns regarding this AI policy.

2 Definition of AI

Artificial intelligence (AI) refers to the ability of machines or computer systems to perform tasks that usually require human intelligence. Generative AI enables the creation of new content, while descriptive AI is used to analyze and interpret existing data. In general, we assume that AI covers also GenAI.

This policy follows the definition of AI of the EU AI Act (Art. 3 No. 1 EU AI Act, Recital 12): An AI system is a machine-based system that derives from the the input received (e.g. data) how to generate outputs (e.g. predictions, content, recommendations, decisions, or algorithms) that can influence physical or virtual environments. AI systems can operate according to explicit (clearly defined) goals or implicit goals (derived from data). The underlying technology can be based on machine learning or logic- and knowledge-based concepts and goes beyond simple data processing by enabling learning, reasoning and modeling processes. AI systems are characterized by varying degrees of autonomy, which means that they can act to a certain extent independently of human involvement and are able to operate without human intervention. Systems that are based exclusively on rules defined by natural persons for the automatic execution of actions do not fall under the definition of an AI system.

3 Organization

Unique uses and offers AI systems in line with its AI strategy: the AI strategy centers on leveraging advanced AI technologies, notably GPT language models, to boost productivity, streamline operations, and enhance client interactions by automating data management and generating insights in various languages. It emphasizes skilling and building of an AI-enabled workforce to transition from traditional banks towards AI-assisted operations. This is encapsulated by their FinanceGPT solution, which underscores innovation, responsibility, and security. It is important to note that Unique is not hosting or training any GenAI models at the moment. Unique works with 3rd party vendors like Microsoft which are providing GenAI models or clients bring their own GenAI models.

Additionally, Unique's robust AI Governance Framework ensures responsible AI deployment in line with established ethics and regulatory standards, supporting the highest level of compliance and IT security.

In summary: it is part of the core business of Unique to deliver AI use cases to the Financial Service Industry.   

The use, procurement and sale of AI systems follows the values of diversity, equity and inclusion, customer-centricity, integrity, human-centricity and sustainability, and is aligned with the core values of Unique:

• WE THINK BIG AND NEVER STOP CHALLENGING STATUS QUO 

• WE ARE A TEAM OF ENTREPRENEURS

• WE RESPECT AND VALUE EVERYBODY’S UNIQUENESS 

• WE FOSTER SUSTAINABLE BUSINESS THROUGH INTEGRITY AND LOYALTY 

• WE STRIVE TO IMPROVE QUALITY OF LIFE ON OUR PLANET 

This AI policy and any internal AI governance processes are intended to support the development of compliant and secure use cases as well as control risks that may be associated with the use and scale of AI systems in accordance with legal requirements. Unique focuses primarily on AI use cases that have low and limited risk use cases, but some experimental medium risk use cases. Should AI systems with a higher risk profile be relevant in the future, they will be reviewed and tested and will undergo a detailed analysis by the relevant departments.

4 Roles and Responsibilities

In relation to this AI policy and the responsible use of AI systems, the following internal departments and roles have central responsibilities:

Unique is a GenAI-first company and hence everybody is responsible and accountable for identifying and introducing new, innovative AI applications throughout the company, supervising the AI systems during the period of use and making relevant adjustments to AI systems, as well as developing new AI products.

At Unique, the responsibilities for identifying, introducing, supervising, and developing AI applications are distributed across several departments:

AI Governance Committee: Responsible for overseeing AI governance, ensuring ethical and responsible AI development and deployment, and promoting transparency and accountability in AI systems.

Chief Data Officer (CDO): Plays a key role in the conformity assessment of AI systems, ensuring compliance with regulations and transparency obligations.

Chief Information Security Officer (CISO): Involved in the conformity assessment and responsible for the security and compliance of AI systems incl. Cybersecurity, LLM security.

Product Development Team: Responsible for the development of new AI products, integrating security into the software development lifecycle, and ensuring the AI systems are secure and reliable (in close collaboration with CISO).

Data Science Team: Evaluates the technical feasibility of AI workflows and identifies potential for optimization and automation. Prompt engineering and identification of malicious prompting practices.

Operational Security Manager: Supports the CISO by focusing on security architecture, product security, and compliance, ensuring the AI systems are secure during their period of use.

These departments collectively ensure that AI applications at Unique are innovative, secure, and compliant with relevant regulations.

In their respective area of expertise, Chief Data Officer (CDO), Chief Information Security Officer (CISO) and the Head of AI are responsible and accountable for developing the AI Governance Framework for Unique and its clients, including the development of technical controls for AI Governance (e.g. Unique benchmarking feature, hallucination check, compliance check, etc.). 

Chief Information Security Officer (CISO), Chief Financial Officer (CFO), Chief Technology Officer (CTO) and the Head of AI are responsible for approving AI systems and the Chief Executive Officer (CEO) and Chief Technology Officer (CTO) are responsible for procuring AI systems. 

5 Guiding Principles

When using, procuring and selling AI systems, the following AI principles are upheld in accordance with the organizational values and characteristics of trustworthiness:

• Robustness and Reliability:
  AI systems must operate reliably, performing consistently according to their intended purposes while minimizing risks, ensuring they function appropriately even under adverse conditions. Tests of robustness and performance under varying conditions should take place regularly.

• Privacy:
  AI systems must uphold privacy throughout their lifecycle, adhering to data protection laws and policies. Measures should ensure the confidentiality, integrity, and availability of AI applications and their data, including personal and sensitive information. Users' rights to access, correct, and object to data use must be maintained.

• Security and Safety:
  AI systems should include safety mechanisms throughout their lifecycle, capable of preventing misuse and mitigating unwanted harms. Mechanisms to override, repair, or decommission AI systems should be in place to address any undue risks, especially to protect humans and the environment. AI actors must prevent unauthorized access or modification of AI systems. AI systems must safeguard data security during their lifecycle. 

• Accountability, Liability & Responsibility:
  AI systems must be subject to human oversight and monitored by individuals with relevant and sufficient expertise to ensure compliance with usage policies, standards and regulation. At any time, AI actors must be held accountable for AI systems, their functioning and outputs, risk mitigation and upholding the principles of trustworthiness. Especially the deployer is responsible for a compliant usage of the system. Users of the AI system need to have a sufficient level of AI literacy.

• Economical Deployment:
  AI systems should be designed and deployed economically to optimize work processes and exploit new growth opportunities. This involves efficient use of resources, scalability, and ensuring that AI solutions deliver economic value without compromising on other principles, such as quality, fairness, or safety.

• Transparency:
  The use of AI systems must be transparent, ensuring users and affected stakeholders are aware of their interactions and proper usage. Providers and deployers should provide clear, understandable information on how the AI operates, including its data sources, processes, capabilities, limitations and decision-making logic. The underlying development process should be transparent as well, and decisions should be traceable. This transparency fosters understanding, enables reproducibility, and allows for contestation where appropriate. AI systems should be explainable, even for non-experts, answering how they are functioning. AI actors should commit to responsible disclosure, balancing transparency with other principles like privacy and security, updating information regularly to reflect current understanding and capabilities, and provide the respective information if subjected to an audit.

• Sustainability:
  The use and development of AI systems should be both socially and environmentally sustainable, supporting the UN's Sustainable Development Goals and led by the manifestation of “intergenerational justice”. 

• Fairness & Non-Discrimination:
  AI systems must treat all individuals equitably, avoiding bias and discrimination. AI actors should ensure non-discrimination, equality, and respect for human rights throughout the AI lifecycle. This includes addressing and mitigating biases and fostering diversity. 

• Beneficence & Non-maleficence:
  AI systems should always enforce human welfare and well-being. They should be designed and used in ways that promote non-maleficence and prevent harm. AI systems must “do good”.

• Diversity, Inclusion & Accessibility:
  AI actors should promote diversity and inclusion, enforcing current and future accessibility of AI technologies for humans irrespective of their personal expression or background (such as gender, ethnicity, race, sexual orientation, disabilities, etc.). 

• Truthfulness:
  AI systems should provide truthful information and users or affected stakeholders must not be deceived, nor be able to interfere with the AI system to generate deception of others.

In order to enable compliance with these principles in the use, procurement and sale of AI systems, various suitable and appropriate measures are taken within Unique. These also include obligations for employees (see section “Obligations and requirements”).

6 AI Systems

Permitted, used and bought AI systems shall be tracked and constantly updated in Unique’s internal AI Registry. This registry provides the users and vendors of the AI systems with relevant information, including the intended use and purpose, the risk class and the responsible internal person of or for the AI system. This also includes that AI use cases and its associated risks are reviewed on a continuous basis as described in Unique’s risk register process.

The use of AI systems with unacceptable risk according to the EU AI Act (e.g. emotion recognition at the workplace) is prohibited by law. Regarding the Unique use cases deployed towards clients, a legal opinion on the risk level and appropriate mitigation actions is provided by leading Swiss lawyer WalderWyss and available upon request (internal link to be added here).

7 AI Governance System

The implementation and operationalization of an AI governance system ensures the appropriate management and control of the AI systems used and sold and the effective enforcement of this AI policy. The governance process supports employees and responsible departments in effectively and systematically overseeing the use and sale of AI systems at Unique, including the assessment of their risks and quality characteristics, their alignment with the above-mentioned guiding principles, procedures for testing, validating and controlling, and the corresponding documentation and reporting mechanisms. Unique’s AI governance system is set up and certified according to ISO42001 and operationalized with the AI governance tool trail. It encompasses the Unique AI Governance Principles and all of their operationalization which have been built into the entire product as well as into this AI Policy. More information can be found here.

8 Other Policies and Regulation

8.1 Other Organizational Policies

The user or vendor of an AI system is responsible for ensuring that the use, adjustment or sale of the respective system complies with both this AI policy and all other existing policies of Unique in the respective operating countries. 

Across the operating countries especially the applicable data protection regulation and guidelines of the financial market authorities should be taken into account, in particular: 

• EU: AI Act, General Data Protection Regulation (GDPR)  and Digital Operational Resilience Act (DORA) 

• Switzerland: FINMA guidelines, Federal Act on Data Protection (FADP)

• Lichtenstein: Banking Act (BankG), FMA Guidelines and Insurance SUpervision Act (ISA)

• Singapore: MAS guidelines, Personal Data Protection Act (PDPA). 

This AI policy does not affect the provisions of other Unique AG policies.

8.2 Legal Requirements

Unique itself and the use, adjustment and sale of AI systems within the organization are subject to the applicable legislation. All employees who use, adapt or / sell AI systems as part of their work for Unique must respect and comply with the requirements of the EU AI Act and the upcoming Swiss legislation on AI.

9 Obligations and Requirements 

9.1 Use, Adjustment and Sale of AI Systems

Obligations, requirments, roles and responsibilities can be found in our AI Management System.

9.2 Incident Reporting

Cases in which an AI system is not used, adjusted or sold correctly, must be reported. Reporting follows the general Incident Process and Unique’s AIM Leadership process and principles.

Improper use exists for example 

• if an AI system is used for a purpose not intended for the respective AI system

• if data is disclosed to unauthorized third parties during the use of an AI system (especially CID data = client identifying data of FSI clients)

• if a user or customer submits a complaint about an AI system used or the decision made by an AI system that affects them

• if existing security measures are circumvented when using an AI system

• if Unique’s Term of Use (Nutzungsbedingungen) are violated

Incidents that must be reported also exist if an AI system is not used in accordance with applicable regulations. In particular, violations of the EU AI Act and other relevant laws (e.g. the GDPR and Swiss Data Protection Act), as well as of this AI policy, are therefore to be reported to the data controller without undue delay.

9.3 Trainings

The CISO, Compliance and People & Culture Departments provide relevant training and information for all employees on the content and practical implementation of this AI policy as well as on the responsible use of AI systems at Unique. This is mainly done in the mandatory annual training which is usually held each November. Further, the CISO and Compliance Department are also responsible for providing information prior to using or selling an AI use case.

In the mandatory annual Compliance training the following topics are covered and need to be completed by every employee:

• Usage Policy Training

• AI Literacy Training

• AI Governance Training

As part of their contractual duties, all employees are required to read this AI policy when joining the organization or when this policy is published and are obliged to take part in annual mandatory training to comply with the requirements set out in this policy.

Employee training and education records are kept in recorded training, signed documents and confirmations that the employee has taken the training, as well as documents that attest the passing of a quiz on the training each year.

10 Other Provisions

10.1 Non-compliance with this policy (violation clause)

Through annual mandatory training, the Slack channel “Security and Compliance”, “Sig-AI”, security moments, a bi-weekly Unique exchange and Confluence pages it is ensured that the employees in their respective business area are familiarized with this policy, and it is the responsibility of each employee, user and vendor of an AI system to comply with this policy. The CDO is responsible for handling violations of this AI Policy and related action.

Non-compliance with the provisions of this AI policy may result in disciplinary action, including legal action under applicable labor, civil and / or criminal law. The CDO has the right and duty to monitor non-compliance.

10.2 Handling deviations and exceptions to this policy

Deviations or exceptions from this policy need to be documented, and approved by management.

11 Other Unique policies

The AI policy of Unique is related to several other policies within the organization due to the interconnected nature of AI governance, data protection, and compliance. These related policies include:

• Data Protection Officer (DPO) Policy

• Data Privacy Policy

• Privileged Access Management (PAM) Policy

• Identify Access Management (IAM) Policy

• Complaint Handling Policy

• Responsible AI Principles

These policies collectively ensure that AI systems at Unique are developed, deployed, and managed responsibly, ethically, and in compliance with legal and regulatory standards.