Corporate Governance 2026

PUERTO RICO Law and Practice Contributed by: Fernando J. Rovira-Rullán and Andrés I. Ferriol-Alonso, Ferraiuoli LLC

• (G) greater emphasis on board and manage - ment accountability and disclosure is perceived (eg, clear ownership of ESG metrics and align - ment between public statements and underlying records). Accordingly, the most material developments for many Puerto Rico-based companies are practical and governance-led rather than responding to a single, comprehensive local ESG reporting statute. Puerto Rico does not currently have a standalone corporate law regime that imposes AI-specific board composition or committee mandates on private companies. Accordingly, board oversight of AI is addressed primarily through existing fiduciary duties and through general consumer protection and data privacy obligations. In practice, boards and management teams increas - ingly treat AI as a governance, risk and controls topic. Common oversight approaches include: 8. Artificial Intelligence 8.1 Board Oversight of AI • allocating AI risk ownership to the audit/risk com - mittee or to a designated technology/cyber sub - committee; • requiring management to adopt written policies for acceptable AI use (including procurement and third-party tools); • integrating AI into enterprise risk management and internal controls; and • ensuring appropriate documentation for material AI-enabled decisions (eg, in HR, credit, underwrit - ing, pricing, customer interactions and compliance monitoring). 8.2 AI Use-Related Risks There is no single Puerto Rico AI governance statute of general application that prescribes an enterprise AI framework. Companies operating in Puerto Rico typi - cally manage AI use-related risks by adapting exist - ing governance and compliance frameworks to AI use cases and by aligning internal policies with recognised risk management standards.

Key AI risks most frequently addressed in practice include: data privacy and confidentiality, IP and trade secret leakage, bias and discrimination in automated decision-making, cybersecurity vulnerabilities, and reputational risk from inaccurate or misleading AI- enabled communications. For 2025, the most material “developments” for Puer - to Rico-based companies are expected to be driven by US federal and sectoral enforcement and guidance (including consumer protection and unfair/deceptive practices standards), and by contractual and market expectations (eg, customers and lenders requiring AI- related controls, audit rights, and incident notification). Within organisations, responsibility is commonly split as follows: • the board (or audit/risk committee) sets risk appe - tite and receives reporting; • management (often legal/compliance, IT/security, and business owners) implements AI policies, approvals and monitoring; and • internal audit/controls functions provide assurance, typically by testing adherence to policies, vendor controls and documentation. 8.3 Liability Exposures Arising From AI Use Boards and officers in Puerto Rico generally face AI- related exposure through existing legal theories rather than an AI-specific directors’ liability regime. Depend - ing on the use case, the primary risk areas include: • disclosure and reporting issues (eg, failing to dis - close material risks/incidents where disclosure is required); • consumer protection and unfair/deceptive practic - es risk from AI-enabled marketing, pricing, custom - er service or automated decision-making; • employment and anti-discrimination claims (eg, use of AI in recruiting, screening or performance assessments); • data privacy and cybersecurity incidents (including unauthorised disclosure of personal data, con - fidential information or trade secrets through AI tools); • IP infringement and content ownership disputes; and

587 CHAMBERS.COM

Powered by