Section 1: AI System Identification and Classification (3 points)
Q1. Complete AI System Inventory: Have you created, and do you maintain, a complete, current inventory of all AI systems used across your wealth management operations?
Q2. EU AI Act Risk Classification: Have you classified each AI system according to EU AI Act risk categories (Unacceptable or Prohibited, High Risk, Limited Risk, Minimal Risk)?
Q3. DORA ICT System Classification: Have you identified which AI platforms constitute critical or important functions under DORA requiring operational resilience measures?
Section 2: IAF and SEAR Accountability Framework (4 points)
Q4. Statements of Responsibilities (SoR) and PCF Mapping: Have you formally updated the Statements of Responsibilities for relevant PCF role holders (e.g., CEO, CRO, Head of Compliance) to include specific accountability for AI governance, and are these reflected in the firm's Management Responsibilities Map (MRM)?
Yes: AI accountability is explicitly listed as an Inherent or Other responsibility in SoRs for all relevant PCFs.
Q5. Reasonable Steps and Policy Framework: Do your AI governance policies provide a clear audit trail for PCFs to demonstrate they are taking Reasonable Steps to prevent regulatory breaches, specifically covering data ethics, algorithmic bias, and EU AI Act compliance?
Yes: Policies include defined reporting lines, red flag escalation procedures, and documented evidence of senior management challenge.
Q6. Board and Independent NED Oversight: Since the extension of SEAR to Non-Executive Directors (NEDs) on 1 July 2025, can your Board, and specifically the Chair of the Risk Committee, demonstrate effective oversight and challenge of AI strategy as part of their inherent responsibilities?
Yes: Board minutes show active debate, questioning of AI risks, and approval of the firm's AI risk appetite.
Q7. Dedicated AI Governance Forum and Cross Functional Accountability: Have you established a dedicated AI Governance Committee that ensures Prescribed Responsibilities for Conduct Risk and Operational Resilience (DORA) are synchronised across business lines?
Yes: A formal committee exists with representation from Risk (PCF 14), Compliance (PCF 12), and IT, with clear terms of reference.
Section 3: Staff AI Literacy and Competence (3 points)
Q8. Staff Training Needs Assessment: Have you assessed AI literacy requirements for all staff working with AI systems, based on their roles and the systems they use?
Q9. Training Programme Delivery: Have you delivered AI literacy training to staff, with records of completion and competency assessment?
Q10. Ongoing Competency Maintenance: Have you established processes for maintaining AI literacy through refresher training and competency reassessment?
Section 4: Human Oversight and Explainability (4 points)
Q11. Human Oversight Protocols: Have you documented human oversight protocols for high-risk AI systems, showing when and how humans review AI outputs?
Q12. Explainability Frameworks: Can you explain to clients and regulators how your AI systems reach specific decisions affecting individual clients?
Q13. Decision Audit Trail: Do you maintain audit trails showing AI inputs, outputs, and human decisions for individual client cases?
Q14. Override and Intervention Records: Do you track when humans override AI recommendations, with documented reasons for intervention?
Section 5: Third Party and Vendor Management (3 points)
Q15. Platform Vendor AI Governance Oversight: Have you assessed the AI governance capabilities of platform vendors (e.g., FE Analytics, Aviva Adviser Platform, Xplan, institutional platforms) and obtained necessary documentation?
Q16. Contractual AI Governance Requirements: Do your contracts with AI platform vendors include specific requirements for transparency, explainability, and regulatory compliance?
Q17. DORA Register of Information and Vendor Incident Management: Have you established a Register of Information for all ICT third-party arrangements (as required under DORA) and processes for identifying and managing AI-related incidents involving vendor platforms?
Q18. AI Governance Harmonisation Across Entities: Have you established a unified AI governance framework harmonising policies, systems, and controls across all merged entities?
Q19. Legacy Platform Migration and Consolidation: Have you assessed AI governance implications of legacy platforms and planned migration to consolidated infrastructure?
Q20. Integration Period Regulatory Compliance: Can you demonstrate continuous AI governance compliance throughout the merger integration period?
Q21. Distributed Workforce AI Governance: Have you established governance mechanisms ensuring consistent AI use across multiple offices and hundreds of advisers?
Q22. Client Segment Differentiation: Have you tailored AI governance controls to address different client segments (HNW vs UHNW vs institutional)?
Q23. Volume and Velocity Monitoring: Have you implemented monitoring systems capable of tracking AI decisions at the scale of your operations?
Q24. Group-Wide Governance Alignment: Have you aligned the AI governance of your Irish operations with the parent company's enterprise frameworks?
Q25. Cross-Border Risk Management: Have you established processes for managing AI governance where parent company and Irish requirements differ or conflict?