Start OneTrust-to-PrivacyEngine migration today 🔁 Effortless switch now available Learn More!

Mandatory AI Literacy: Compliance in the Age of Regulation

Privacy Engine
Sep 16, 2025

    Need world class privacy tools?

    Schedule a Call >

    Bonus Material: Download the AI and Data Protection Risk Toolkit

    AI is no longer “on the way”. It’s here. We now firmly live in a world where AI decides who is eligible for a loan, how companies identify and manage risk, and where, literally, billions of dollars and euros are invested.

    So, while AI keeps racing ahead in both the US and China, here in Europe, the rules are finally catching up. The EU AI Act is no longer novel. It came into force in 2024, and it is Europe’s answer to ensuring AI advancement does not go unchecked. Built on the GDPR, it is ensuring ethical, transparent, and compliant AI is the standard across the continent. No shortcuts. No excuses.

    Quite a radical stance in the global AI marketplace of 2025.

    Since February 2025, ensuring AI literacy for AI developers is a legal requirement. That means just knowing how to code is no longer enough. You need to know the law. The ethics. The risks. The social impact. Especially in finance, where the wrong algorithm can lead to devastating consequences for clients and destroy trust in an instant.

    Regulation is Outpacing Training

    The EU AI Act takes a risk-based approach. High-risk systems, like algorithmic lending, face strict obligations. Why? Because biased models can lock people out of credit and deepen inequality.

    But here’s the problem: training does not seem to have kept up. In 2023, several academic colleagues and I conducted a survey to see how well-versed developers of AI systems in Finance were in the GDPR and explainable AI1.

    Our survey uncovered some interesting insights. The developers and researchers of AI systems revealed that developers of AI systems based in industry believe they are more knowledgeable than academics who develop AI systems. Awareness of Explainable AI (essential for GDPR) is patchy among both academics and industry leaders in Finance, and identifying experts who have had specialised GDPR-for-AI training is rare.

    Another interesting finding was that many AI developers claimed they had never experienced data breaches with the deployment of their developed AI systems. In theory, this could be a good thing, but it could also be a worrying blind spot. If they do not understand the GDPR, then can they really say they have never experienced a data breach with their AI systems?

    Fast forward to 2025, and AI literacy is now a requirement under the EU AI Act. Since February last, developers of AI systems can no longer be just technically sharp. They need to show AI literacy, which means they need to demonstrate an understanding of how their systems fit into law and ethics.

    That includes knowing GDPR principles, navigating the EU AI Act risk categories and building transparency and accountability into systems.

    This isn’t optional. It’s the law.

    Download AI and Data Protection Risk Toolkit

    When AI Goes Wrong: algorithmic lending and hedge funds

    Finance has already had its wake-up calls. Just recently, the Financial Times reported on an analysis of 39.5 million U.S. mortgage applications made between 2018–2023, which revealed that Black applicants were more than twice as likely to be denied a mortgage compared to white applicants with similar financial profiles. They experienced a 2.1× higher rejection rate. Latino applicants faced a 1.5× higher rejection rate, and Asian applicants 1.2× higher. The disparity held even after adjusting for income, debt, loan size, and geographic location

    The newspaper said that all major lenders, including Bank of America, JPMorgan Chase, Rocket Mortgage, and LoanDepot, exhibited this bias. Their analysis employed regulatory data under the Home Mortgage Disclosure Act to create a statistical model isolating financial factors. The disparity persisted, suggesting something beyond overt applications of race in lending decisions. These were likely embedded biases in the data, credit scoring models, or their historical underpinnings.

    Without training, staff miss these hidden biases in data or worse still, apply their own biases. The result is discriminatory lending decisions.

    Less recently, in 2017, but still noteworthy, Hong Kong real estate tycoon Samathur Li Kin-kan invested in Tyndaris Investments’ so-called “robot hedge fund,” managed by a supercomputer named K1. The company presented simulations indicating that K1 could generate double-digit returns for Li Kin-kan, who then decided to invest $2.5 billion into the fund, with a view to doubling his investment to $5 billion.

    K1, however, failed to perform as advertised. By February 2018, the AI system had consistently lost money, losing as much as $20 million in one day. In response, Li Kin-kan filed a $23 million lawsuit against Tyndaris, accusing the firm of exaggerating K1’s capabilities and misrepresenting the technology’s effectiveness. Tyndaris, in turn, countersued for $3 million in unpaid management fees.

    Looking at these two examples, the lesson is pretty clear. AI is only as good as the people who manage it. How can we ensure good people manage AI? By educating them.

    Closing the Gap

    The solution, however, is not more generic training. It’s sector-specific, real-world training. Lenders need to know how to spot and fix bias. Wealth managers need to apply the EU AI Act risk rules and keep clients informed by employing explainable AI techniques where possible. Most importantly, going forward, universities need to integrate GDPR, the EU AI Act, and ethical AI into their teachings across multiple disciplines.

    In summary, finance runs on trust. And AI, if done right, can strengthen that trust. With AI literacy now being a legal requirement, the clock is ticking. Regulation is here. Training must catch up.

    The organisations that act now, investing in people, not just AI technology, will be the ones ready for the future.

    Those that don’t?

    They’ll be playing catch-up in a game where the stakes are too high to lose.

    Footnotes: 1 Moloney, M., Svetlova, E., MUCKLEY, C., PASCHALIDOU, E. G., COITA, I., & POTI, V. (2023, November). Assessing AI and Data Protection Expertise In Academia and the Financial Services Sector: Insights And Recommendations for AI Skills Development. (S. Shojai, Ed.) Journal of Financial Transformation(58), 160 – 167.

    Share this

    YOU MIGHT ALSO BE INTERESTED IN

    Check out these PrivacyEngine posts that are related to AI

    Common Challenges faced by Data Protection Officers
    8 Minute Read

    Common Challenges faced by Data Protection Officers
    Best Practices for Data Privacy Risk Management | Risk Registers
    8 Minute Read

    Best Practices for Data Privacy Risk Management | Risk Registers
    What to Consider When Processing a DSAR
    8 Minute Read

    What to Consider When Processing a DSAR

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    Get Started For Free
    Schedule Demo
    PrivacyEngine Onboarding Screen