MANAGING AI RISKS

The use of artificial intelligence itself adds a dimension of risk to the framework of financial risk management categorized as Cybersecurity Risk. So, we need to develop some effective ways to keep computerized systems safe against cyber threats by incorporating security into every stage of the digital transformation. Financial risk management should cover the entire life cycle, from beginning to end, from development to deployment to disposal. The           management of security is evaluated at certain milestones called “control gates” or decision points. The corporation must  ensure that security controls are in place, security considerations are addressed, and identified risks are       understood before moving on to the next lifecycle phase (NIST, 2008). Agile approaches are useful for continuously updating and improving standards. The “security planning is to be conducted as part of integrating security, and should include:

  • Ascertaining key security roles during the system development process
  • Outlining key security milestones and activities involved in the system development.
  • Integrating secure design, IT architecture, and coding standards.
  • Ensuring that all stakeholders are aware of security performance goals, implications, considerations, and requirements.

They show stakeholders important aspects of systems development progress and the implications of critical decisions made on security in order to prepare for potential security threats (Mohamed & Ali, 2021).

Continuous Integration & Continuous Delivery Pipeline

New technological risks associated specifically to the DeFi [efn_note]  DeFi or Decentralized Finance is a financial system that removes intermediaries such as banks, brokerages and exchanges through the use of smart contacts based  on  blockchain technology [/efn_note] (decentralized finance) applications are:

    1. Oracle Risks

In the absence of oracles, blockchains [efn_note]  A decentralized, distributed ledger that records the source of a digital asset. [/efn_note] are completely self-contained, and they have no idea of what goes on outside of the native blockchain. DeFi protocols require that certain routine actions like liquidations and prediction market resolutions function correctly by being able to access secure, tamper-resistant asset prices. Oracle risk then arises when protocols rely on these feeds. Oracles, as they exist today, represent the highest risk to DeFi protocols that rely on them. The arbitrageurs have led to the loss of millions of dollars due to the vulnerability of all on-chain oracles. A number of Oracle services, including Chainlink and Maker, have been crippled by outages with disastrous downstream effects (Harvey et al, 2021).

As long as Oracles lack blockchain nativeness, hardening, and resilience, they represent the largest systemic threat to DeFi at the moment.

    2. Protocol Governance Risks

Since smart contracts [efn_note] A term used to describe a computer code that automatically executes an agreement and is a small computer program stored in a blockchain platform. [/efn_note]   control the application and are autonomous, the only risk is programming risk. Many DeFi applications are more complex than autonomous code. A decentralized credit facility such as MakerDAO [efn_note] MakerDAO is a decentralized credit facility built on the Ethereum network which is made of a smart contract service that allows and regulates the loan and borrowing of cryptocurrencies. [/efn_note]  depends on a human-controlled governance process that actively adjusts protocol parameters to keep it solvent. Similar systems are used by many DeFi protocols, relying on humans to actively manage protocol risk (Harvey et al, 2021). In doing so, a new risk is introduced―governance risk―which is unique to the DeFi landscape.

Protocol governance refers to the representative or liquid democratic mechanisms. Users and investors can participate in the governance process by acquiring a token on a liquid exchange that has been explicitly assigned rights to the protocol’s governance. The tokens are used to guide the future direction of the protocol after they are acquired by holders. The fixed supply of government tokens assists in resisting attempts by anyone to acquire a majority

(51%). However, the protocol is still subject to the risk of control by a malicious actor. Founders often control traditional fintech companies, making it less likely for an external party to influence or change the company’s course. However, the DeFi protocol is vulnerable to attacks from the time the governance system is launched. With the right financial resources, an adversary can easily control the protocol and steal funds by simply acquiring a majority of liquid governance tokens. As of yet, no Ethereum [efn_note]  Ethereum is a decentralized blockchain based platform with smart contract functionality that is most known for its root cryptocurrency, known as Ethereum or ETH. [/efn_note]  -based DeFi project has experienced a successful governance attack, but a financially capable adversary is capable of attacking a protocol if the incentives outweigh the cost.

     3. Smart-Contract Risks

With their inherent properties, blockchains are able to reduce traditional financial risks, like counterparty risk. However, DeFi is built on code. Attackers have a broader attack surface with this software foundation than traditional financial institutions. After deploying code on a blockchain, anyone can discover and interact with it, as public blockchains are open systems. Because this code is often used to store and transfer blockchain native financial assets, new and unique risks are introduced by smart contracts (Harvey et al, 2021).

An economic exploit can be used by an attacker to withdraw funds beyond the functionality of a Smart Contract due to a logic error in the code. Such an exploit can be manifested in software bugs of any kind. Imagine a smart contract with the purpose of escrowing deposits from any ERC-20 [efn_note] ERC20 is a standard token used in the Ethereum blockchain for the issuing and creating of smart contracts. [/efn_note] user and transferring the entire balance to the winner of a lottery. When transferring tokens, the contract uses the internal number to determine the amount. That is where the bug exists in our hypothetical contract. A rounding error will cause the internal number to differ slightly from the actual balance of tokens held by the contract. When it tries to transfer, it will transfer “too much” and the execution will fail. In the absence of a failsafe, tokens will be functionally locked within the protocol. They are known as “bricked” funds and can never be retrieved.

Programming smart contracts are still in its infancy, and complex smart contracts do not yet have the resilience to handle high-value transactions. Until smart-contract risk is addressed in the DeFi landscape, DeFi application adoption and trust will suffer, as users are hesitant to trust the contracts they interact with and that hold their funds.

       4. Scaling Risks

Ethereum has a throughput of less than 0.1% of Visa, which is capable of processing more than 25,000 transactions per second. Due to Ethereum’s lack of scalability, DeFi may not be able to keep up with demand. Efforts are aimed at increasing Ethereum’s scalability or replacing Ethereum with an alternative blockchain that can handle higher transaction volumes more easily. However, all attempts to date have failed.

In addition to vertical and horizontal scaling, there are two other general ways to increase blockchain throughput. The first is to centralize all transaction processing into one big machine. With a centralized blockchain, such as Ethereum, communication overhead (transactions and blocks) is reduced, but the system is still centralized, with one machine largely responsible for the system’s processing. Using horizontal scaling, however, the system is divided into multiple parts, retaining decentralization and increasing throughput through parallelization. Ethereum 2.0 applies this approach in conjunction with a Proof of Stake [efn_note] Proof Of Stake is a consensus mechanism for blockchain networks, used to verify and process cryptocurrencies transactions, validating any data saved on the network.  [/efn_note] consensus algorithm.

The field of DeFi is filled with multiple approaches to reduce the scalability risks, but there is no clear winner (Harvey et al, 2021). The potential impact of applications will be limited as long as DeFi’s growth is limited by blockchain scaling.

            AI development appears to be advancing faster than expected but advances in its  oversight and governance are also required. While AI can be as powerful as a human or exceed it, it cannot act independently. Humans must still train and improve it using numerical data sets to make it capable of handling various tasks. The products of human imagination must ultimately be managed to avoid unintended consequences resulting from misuse and abuse, whether deliberately or unwittingly.

Author: Dr Hazik Mohamed (Sapience Consulting)

REFERENCES

Harvey, C. R. and Ramachandran, A. and Santoro, J. (2021). DeFi and the Future of Finance. Available at SSRN:  https://ssrn.com/abstract=3711777

Mohamed, H. and Ali, H. (2021). Finding Solutions to Cybersecurity Challenges in the Digital Economy. In Boitan, I. A. and Marchewka-Bartkowiak, K. (Eds.) Fostering Innovation and Competitiveness with FinTech, RegTech, and SupTech. Chapter 5, pp 80-96. IGI Global.

National Institute of Standards and Technology. (2008). Special Publication 800-64 Revision 2 – Security Considerations in the System Development Life Cycle.

Learn more about the future of technology in Fintech, Big Data and Artificial Intelligence with these available courses today!

Fintech and Digital Transformation in Banking & Finance

Artificial Intelligence Foundation

Enterprise Big Data Professional