Introduction to Unique Compliance Layer (PPT)
In the given context, the compliance layer refers to a set of principles, processes, and control structures established by Unique to comply with legal, regulatory, and internal requirements for our banking customers. It is a mechanism that protects the organisation from compliance breaches and ensures that it adheres to generally accepted market standards and codes of conduct and data protection principles, in Switzerland and Europe.
Overview
Details on different layers
1A. Deployment Models
Different deployment models are available:
Multi-tenant on Unique cloud
Single/bank-specific tenant on Unique cloud
Single/bank-specific tenant on bank cloud (customer-managed tenant)
On-premise
Clients can choose the most appropriate deployment model and incorporate their security and data protection requirements.
1B. FSI Amendments
We also have in place recommended FSI amendments for our contracts with Microsoft. In detail:
M453 – FINMA. This is the financial service amendment (FSA) and jurisdiction-specific companion amendment (Switzerland) including FINMA requirements like audit rights.
M744 – bank secrecy. This includes professional secrecy and industry-specific terms regarding banking secrecy.
M329 – CH data protection. This is the amendment for Switzerland regarding the Microsoft Products and Services Data Protection Addendum.
1C. No data storage by Azure OpenAI services and opt-out of human review process
Unique closely partners with Microsoft to offer GenAI solutions in a secure and controlled environment: when working with Unique and using Microsoft Azure OpenAI Services, users are using an enterprise and private instance of OpenAI's ChatGPT packaged and hosted by Microsoft Switzerland (prompts and answers are not shared with OpenAI or Microsoft).
Unique chose to opt out of the logging and human review process in the Azure OpenAI service by Microsoft. This option is available for highly sensitive industries like FSI. This means that no data is stored by Microsoft Azure OpenAI services. If this opt-out is not chosen, the general data storage period from Microsoft is 30 days. Microsoft Azure OpenAI services are currently available in Europe and Switzerland.
2. Data hosting location is Switzerland only
All client data (including CID) is stored and hosted in Switzerland (Microsoft Cloud in Switzerland North) if the client chooses so via a contractual agreement (other locations are also possible). For Azure OpenAI services, data is only processed and no data is stored at any time (see also opt-out of human review process).
We also performed a Transfer Impact Assessment for Microsoft Inc. according to the method of D. Rosenthal (leading Tech Lawyer in Switzerland). Results can be shared upon request.
3. Data Leakage Prevention (DLP) plus no data storage by Azure OpenAI services, opt-out of human review process with Microsoft, no data used for training purposes
DLP: Unique offers an API to connect your Data Leakage Prevention (DLP) to check if any CID data or PII data has been inserted by users. For details, please refer here.
When working with Microsoft Azure OpenAI Services no data (incl. client data) is stored by Microsoft or OpenAI.
Unique chose to opt out of the logging and human review process in the Azure OpenAI service by Microsoft. This option is available for highly sensitive industries like FSI. This means that no data is stored by Microsoft Azure OpenAI services. If this opt-out is not chosen, the general data storage period from Microsoft is 30 days. Microsoft Azure OpenAI services are currently available in Europe and Switzerland.
Unique and Microsoft do not use any client data for training purposes of AI or any other neural network models.
In addition, Unique also follows Responsible AI Principles:
Privacy & Security: AI systems should be secure and respect privacy
Inclusiveness: AI systems should empower everyone and engage people
Accountability: People should be accountable for AI systems
Transparency: AI systems should be understandable
Fairness: AI systems should treat people fairly
Reliability & Safety: AI systems should perform reliably and safely
4. Restricted Access to data
We have built an access concept including processes and controls to ensure who can see what. In addition, clients can also choose how the processes and controls are auditable (e.g., via audit logs). Unique’s restricted access concept involves the following parts (which can be customized and adjusted to customer-specific setup and needs):
Role-based access based on the Active Directory of a bank
Privileged access management (PAM), privileged identity management (PIM)
Key management (done by Unique or bring your own key)
Encryption of data in transit and at rest
Audit logs
Two-factor authentication
Strong password and login policy
Terms and Conditions for end-users
Regular threat modelling workshops
Enrolled in a bug bounty program
Additional security measures possible: e.g., MS Lockbox, Confidential Computing
5. Privacy by Design and Default
Privacy by design and default are fundamental principles for Unique, guiding our commitment to protecting client data. From the inception of our software solutions, during software development and also for UI/UX design, we prioritize the integration of robust privacy measures, ensuring that data protection is built into our products and services. This approach not only complies with Swiss and European data protection regulations but also fosters trust among our clients. By default, our systems are configured to prioritize user privacy, granting individuals control over their data while minimizing the need for additional user intervention.
We further place high importance on responsible AI and our AI-generated content is protected in several ways:
Content Protection through AI-Generated Watermarks: Employ AI-generated watermarks to safeguard content integrity.
End-User Terms and Conditions (T&Cs): Provide comprehensive Terms and Conditions for end-users, ensuring legal clarity.
Client and Employee Training: Deliver training programs for both clients and employees to enhance security awareness and competence.
Awareness Campaigns and Security Knowledge Sharing: Execute awareness campaigns and promote the sharing of security insights and best practices.
AI Policy Implementation: Enforce a robust AI policy to govern responsible AI use within the organization.
Adherence to OWASP Responsible AI Framework: Comply with the OWASP Responsible AI framework, ensuring ethical and secure AI practices.
6. Feedback loop
We have built in a feedback loop in all our Gen-AI based features. This is twofold:
Empowering User Control (“Human in the Loop”): Users have the option to modify AI-generated output, ensuring control and also adding a personalized touch.
Soliciting User Feedback on AI Output:
• We encourage users to provide feedback on the AI-generated content to gauge its alignment with their expectations.
• To maintain security, we caution users not to share any confidential information when providing feedback.
7. Skillset and training
Unique possesses specialized expertise in Swiss local law, demonstrating a comprehensive understanding of the legal landscape – both from a legal and an IT security perspective. Our proficiency extends to the intricate realm of data protection specifications, ensuring compliance with stringent Swiss regulations at all times. Furthermore, our in-depth knowledge of FINMA guidelines underscores our commitment to offering solutions aligned with the intricacies of Switzerland’s financial regulatory framework. The accuracy of these claims will be validated through an external audit process, substantiated by both SOC 2 / ISAE 3000 Type 1 and Type 2 assessments and a FINMA report.
Whitepaper on Compliance Layer