Yesterday, RBI issued a Draft Disclosure framework on Climate related financial risks 2024 applicable for regulated entities (REs). Comments / feedback, if any, may be sent by e-mail with the subject line “Comments on Disclosure framework on Climate-related Financial Risks, 2024”, by April 30, 2024.
The policies proposed will have cascading impact on the loan customers and hence is of interest to the industry also.
The disclosures for REs will cover Governance, Strategy, Risk Management, Metrics and Targets. The Governance, Strategy and Risk management may be rolled out from FY 2025-26 on wards for Banks and top layer of NBFCs. Metrics and Targets may be rolled out in the following year. For ban cooperative Banks the roll out may be deferred by an additional year and for others, the dates need to be announced.
Since the risks of Banks and NBFCs are related to those of their customers, the REs will have to collect information and impose norms for their customers in terms of not only Governance, Strategy and Risk management, but also the Metrics.
The discussion on AI and climate change appears relevant in this context since the customers who are users of AI may be required to disclose information to the investors and who in turn have to submit the consolidated information to RBI.
It is observed that some time in 2023, an idea was adopted by ISO that Standard developers should incorporate and demonstrate their concern for Climate change while arriving at the standards. Accordingly ISO-Guide 84:2020 was also released. It appears that this requirement is being now added mechanically to all standards without justifying its relevance.
Accordingly, a standard like ISO 42001 meant as a Requirement Standard for Artificial Intelligence Management System (AIMS) in clause 4.1 (Understanding the organization and its context) adds a component “The organization shall determine climate change is a relevant issue”.
When a company implementing an AI or developing an AI and looking at this document for guidance and possible certification would wonder what its use of an AI algorithm has to do with “Climate Change”.
While we consider that this clause has crept into the standard following the blind implementation of a norm without considering the proportionality of the impact of such a suggestion, we still open up for debate this requirement in the context of some recent revelations on the climatic impact of the AI systems particularly using LLMs.
LLMs are the first AI systems adopted by most companies and hence the climatic impact of LLMs becomes a relevant case for certification of ISO 42001.
In the context of Crypto Currencies, we have discussed how the energy requirements of Bitcoin/Crypto currency mining could be detrimental to the society (Refer the Article: Mr Piyush Goyal and Mr R K Singh… Do you know how much energy goes into Bitcoins?), a similar concern has now surfaced on the consequential use of scarce water resources in the development of LLMs.
For example it is stated that
“A single LLM interaction may consume as much power as leaving a low-brightness LED lightbulb on for one hour.”…—Alex de Vries, VU Amsterdam
In India discussions have taken place on water consumption by Companies like Pepsi or Cocacola but the dimension of Water and Energy Consumption by AI systems both for development and usage makes one to sit back and think if there is a need to decelerate the growth of data centers to conserve water and energy resources.
An article published by associated Press recently quoting the 2022 information suggested that Microsoft’s data center water use increased by 34% from 2021 to 2022. The company slurped up more than 1.7 billion gallons, or 6.4 billion liters, of water in the previous year, which is said to be enough to fill more than 2,500 Olympic-sized swimming pools. It was a similar story with Google, which reported a 20% spike in its water consumption over the same timeframe. It is anybody’s guess what would be the situation in 2024 with ChaptGPT 4/5 and Bard/Gemini being in use.
A time has come for ISO 42001 auditors (Ed: Audit of ISO 42001 may perhaps be required to be done like ISO 27701 along with ISO 27001) to ask the question to their auditee organizations if it is possible to ignore the climatic impact of use of AI when an AIMS audit is undertaken.
The current discussions on regulation of AI is normally around Job loss, Human brain degradement, Explainability,Accountability, Bias control etc., but not very much on the climate impact or related issues such as carbon foot print. The EU act on AI may require that the “High Risk AI Systems” may be required to report report their energy consumption resource use and other impacts throgh out their systems life cycle.
India has to also incorporate this aspect in its proposed AI regulation. A Yale university report mentions that in Chile and Uruguay, protests have erupted over planned data centers that would tap drinking water reservoirs.
There was a time when Indian Government would run TV ads on “Stop the tap when you are shaving”. Now the new generation ads will be “Dont make a query in Chat GPT if you donot need it”. Probably water conservation should become part of the IT industry’s responsibilities.
We donot know if the recent drinking water shortage in Bengaluru city has any origin in the increased use of AI !
On October 27, 2009, Government had issued a notification under Section 69 of ITA 2000 titled Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
This rule had a clause 23 which stated as under:
Destruction of records of interception or monitoring or decryption of information.—
(1) Every record, including electronic records pertaining to such directions for interception or monitoring or decryption of information and of intercepted or monitored or decrypted information shall be destroyed by the security agency in every six months except in a case where such information is required, or likely to be required for functional requirements.
(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complain or legal proceedings, the intermediary or person in-charge of computer resources shall destroy records pertaining to directions for interception of information within a period of two months of discontinuance of the interception or monitoring or decryption of such information and in doing so they shall maintain extreme secrecy.
Now the current gazette notification states as under:
The Indian express commented that the rules have been amended to broaden the powers of the centre to issue directions to destroy digital evidence and to allow the home secretary or other bureaucrats to issue directions to destroy digital records.
On a proper reading of the rule it appears that the insinuations of the Indian Express (which no doubt will soon be echoed by the Anti Government media) is wrong. The rule suggests that the power to remove the information collected during an investigation process shall not be exercised by the security agency but by the authority which actually gave the permission or had the power to give permission for the monitoring. This is logical and appears to correct the possibility of misuse of the authority by the security agencies.
Under the rules, powers had been given exclusively to a “Competent Authority” to carry out the interception or monitoring or decryption of information. Any agency other than the “Competent Authority” indulging in such activity would become an “Unauthorized access” under Section 66.
To take care of unavoidable circumstances, it was provided that such orders may be issued by an officer not below the rank of a joint secretary duly authorized by the competent authority.
It was also provided that in case of emergencies and in remote areas where the obtaining of the permission from the “Competent Authority” or the “Designated Officer” was not feasible, the interception etc may be carried out with the prior approval of the Head or the second senior most officer of the security and law enforcement agency (hereinafter referred to as the said security agency) at the Central level and the officer authorised in this behalf, not below the rank of the inspector General of Police or an officer of equivalent rank, at the State or Union territory level;
In all cases where the delegated authority was exercised, such enforcing agency (Designated officer or the police officers etc) were required to inform in writing to the competent authority about the emergency and the action taken within 3 working days and obtain approval. If the approval was not available for 7 working days, the action of monitoring etc was expected to be terminated.
What the recent amendment states is that where such monitoring has commenced and certain data has been collected, the destruction of such data shall be done only with the instructions of the competent authority and not the security agency.
In other words, the security agency which is given the emergency powers to collect data is not permitted to play with it and destroy it when permission is denied by the competent authority.
This is therefore for “Preserving digital evidence” and not “Destroying digital evidence” as the news paper reports.
It is unfortunate that certain reporters of the media and the media themselves are ignorant and look at any action of the Government with coloured ideas. They must admit their ignorance and provide clarification. Otherwise this will be a “Fake News”.
I will not be surprised if this issue is taken to Court and some ignorant Judge perhaps in a High Court passes an order to stay the notification. A similar incident happened when Mumbai High Court gave a split verdict in the case of “Setting up of “Fake News Alert” by the Government to protect fake news about the Government being spread by the vested interests. The Court failed to understand the implications of the proposed amendments and the limited role of PIB in the context and declared that it was a freedom of press issue. In the past, in the celebrated Shreya Singhal Judgement Supreme Court itself displayed ignorance and gave a faulty judgement considering “Publication” as equivalent to “Messaging”.
I hope the news reporters understand such issues before they report.
One possibility is that State police in some occasions might have collected some investigating details using the powers under Section 69 of ITA 2000 and may like to destroy it before the NIA takes over the investigations. Such issues are now common in many states where there are opposition Governments. This amendment prevents the State level agencies exercising the powers as an emergency and later destroy the data if it is inconvenient to them. The amendment therefore has to be welcome as tightening up of the rules.
Whether it is on Privacy or Fintech Innovation or Cyber Laws, we are observing that all discussions in professional circles lead to DPDPA 2023 and Artificial Intelligence.
While Techies discuss AI as the new craze of Innovation and Disruption, the regulators and legal professionals keep warning about the dangers of AI and the need to put it on reigns.
The fact that Google has put a stop to its Google AI project, Mr Elon Musk has repeatedly warned about the dangers of AI, need to be kept in mind when we look at how to welcome AI into business.
Yesterday in a massive conference in Bangalore on AI in FINTECH organized by Razor Pay, the excitement of techies in the disruption caused by AI Technology was palpable. There was however one discreet warning about “Aggressive Juggad” taking on “Aggressive Regulator” from Dr Bharat Panchal who interestingly describes himself as the “Risky MonK”. Dr Padmanabhan, the past Executive zdirector of RBI also referred to “Disruption of the Disruptors” by non compliance.
In the din of excitement of the day, the warnings would not have been noticed. The vague discussion on “Ethical AI”, is insufficient to address this issue of how “Hallucination”, “Bias”, “Intellectual Property Right and Privacy Right violation” in Machine learning are insufficient to meet the requirements.
FDPPI has been therefore working on how in its DGPSI (Data Governance and Protection Standard of India) framework for DPDPA 2023 compliance the issue of AI can be addressed.
This will be one of the discussions in the special one day training on “Implementation of DPDPA 2023 Compliance through DGPSI” being held in Bangalore on March 2nd at Fairfield Marriot, Bangalore.
FDPPI is conducting a series of training programs all over India to prepare the Indian Professionals to be Data Protection Officers and Data Auditors.
In the month of March 2o24, several one day programs have been scheduled in Mumbai, Ahmedabad, Kolkata, Nagpur and Bangalore for experienced data protection professionals requiring an in-depth discussion on implementation of DPDPA 2023.
The registrations for all the programs other than in Bangalore has been closed. Registration for the program in Bengaluru is open.
