This article will focus on key regulatory developments and practical steps financial institutions should take in this rapidly evolving environment.
Authors and source: Xiao Naiying, Fei Si, Yu LeiMin, King & Wood Mallesons Research
Generative AI is rapidly gaining adoption—regulators focus on practical applications
As financial institutions continue to adopt generative artificial intelligence ("generative AI"), regulatory focus is shifting from principle-based policy statements to practical implementation. Our Generative AI Guidance for Financial Institutions, released in January 2025 [1], noted that the regulatory landscape for generative AI was emerging, though frameworks at the time remained primarily principle-based. [2]
Since then, regulatory focus has shifted from macro-level principles to operational governance. Hong Kong is transitioning from a pilot phase to responsible application, while mainland China’s regulations are becoming increasingly detailed, particularly in areas such as content governance, data processing, filing obligations, and model oversight. This article highlights key regulatory developments and practical steps financial institutions should take in this rapidly evolving landscape.


Hong Kong: From Pilots to Structured Applications
Recent developments in Hong Kong indicate that the financial services sector is adopting generative AI in a more mature and pragmatic manner. Regulatory focus is on whether financial institutions can deploy these technologies responsibly and in a controllable way, with a strong emphasis on investor protection and supervisory scrutiny.
The Hong Kong Monetary Authority ("HKMA")'s report, "The New Era of GenAI: Promoting Responsible Adoption of Artificial Intelligence in Financial Services," released in April 2025 [3], notes a shift in Hong Kong’s perception of generative AI—75% of surveyed financial institutions have already implemented or are developing AI applications, with this figure projected to reach 87% within the next three to five years.
Meanwhile, practical guidelines are becoming increasingly specific. For example, the Office of the Privacy Commissioner for Personal Data in Hong Kong, in its March 2025 guidance document, “Checklist for Employee Use of Generative AI” [4], translates privacy and governance concerns into concrete operational controls. The checklist recommends establishing clear policies on tool usage, data input, output storage and retention, verification, bias correction and reporting, watermarking and labeling, device access, and incident reporting.
The Hong Kong Digital Policy Office's "Guidelines on Generative AI Technologies and Applications," first released in April 2025 and updated in December of the same year [5], provide further best-practice guidance, emphasizing principles such as fairness, transparency, user choice, and bias correction. Financial institutions using generative AI for customer interactions, recommendation engines, suitability support, internal classification, or risk screening should regard these guidelines as a key component of their overall compliance framework.
Hong Kong's regulatory infrastructure continues to expand.
A particularly significant development is the ongoing expansion of Hong Kong’s generative AI regulatory framework. As outlined in our January 2025 article, the Monetary Authority partnered with Cyberport in 2024 to launch the GenA.I. Sandbox, providing authorized institutions with a controlled environment to develop and test innovative use cases of generative AI in banking.
In October 2025, the Monetary Authority released the First GenA.I. Sandbox Report [6], identifying risk management, anti-fraud measures, and customer experience as the three key testing areas, while also highlighting technical and governance challenges such as hallucinations and information inaccuracies. This marks a shift in regulatory focus from encouraging innovation to understanding how to safely integrate generative AI into banking operations.
In addition, the second phase of the GenA.I. Sandbox, launched in the same month, reflected a significant shift from testing AI capabilities to achieving secure and reliable implementation. The HKMA selected 27 use cases involving 20 banks and 14 technology partners, with a strong emphasis on proactive AI governance, automated quality assurance, and adversarial simulation to enhance defenses against deepfake fraud. This marks a clear transition toward deployment readiness, control effectiveness, and AI-driven risk mitigation.
In March 2026, the Monetary Authority, together with the Securities and Futures Commission, the Insurance Authority, and the Mandatory Provident Fund Schemes Authority, launched the GenA.I. Sandbox++, extending the framework to the securities, asset and wealth management, insurance, MPF, and stored value payment facilities sectors. It retains the three core areas of risk management, fraud prevention, and customer experience, while explicitly continuing to advance the “AI against AI” regulatory strategy—using AI to manage AI-related risks.
The Monetary Authority's "FinTech 2030" Strategy
In November 2025, the Monetary Authority launched the "FinTech 2030" strategy, which includes the "AI x Authorized Institutions" initiative aimed at promoting the comprehensive and responsible adoption of artificial intelligence in the financial sector and fostering the development of shared, scalable infrastructure and industry models. From a legal and regulatory perspective, this strategy reinforces a key message: AI governance is no longer an isolated innovation issue, but must be integrated into corporate architecture, business resilience, customer protection, and regulatory preparedness.
In March 2026, the Monetary Authority issued a circular [7] to all authorized institutions regarding business models under digital transformation, noting that new technologies, including agent-based AI, are accelerating digital transformation. The circular clarified the Monetary Authority’s expectations for all authorized institutions—to proactively assess and adapt their long-term business models in response to technological change. Among other requirements, the circular mandated that the board of each authorized institution oversee and approve a formal strategic plan on digital transformation and financial digitization by September 9, 2026. This strategic plan should identify opportunities for adjustment or transformation in product offerings, revenue models, customer engagement, risk management, and operations. For more details on the Monetary Authority’s digital transformation circular, please refer to our infographic. [8]


Practical implications of Hong Kong's latest developments
Recent regulatory trends in Hong Kong indicate that financial institutions should establish a comprehensive framework covering data, technological resilience, governance, and accountability, and manage generative AI throughout its lifecycle in a rigorous and auditable manner.
In practice, this includes the following key points:
- (Application Scenario Differentiation) Different deployment scenarios must be carefully distinguished. Internal tools, customer applications, monitoring and observation tools, decision-support use cases, and third-party models may raise distinct legal and risk considerations; grouping them broadly under a single category of “AI use” may be insufficient to meet requirements;
- (Governance Focus) Institutions should bring within the scope of governance issues that are typically described as purely technical, such as prompt design, retrieval mechanisms, output processing, model validation, reporting thresholds, and human review;
- (Policy Alignment) Institutions should align their internal policies with the terminology and key concerns currently outlined in Hong Kong’s guidelines, including responsible use, fairness, accuracy, transparency, privacy, accountability, and incident response;
- (Regulatory Balance) Institutions should prepare for the narrowing space between innovation support and regulatory oversight. While sandbox participation and other regulatory interactions may accelerate deployment, they also imply higher governance requirements; and
- (Regulatory Engagement) Participation in sandbox and pilot programs should be viewed as regulatory preparedness activities, not merely as opportunities for innovation. Before engaging with regulators, institutions must ensure clearly defined roles and approvals, documented testing and validation (including bias and hallucination controls), explicit human review and reporting triggers, and a comprehensive set of evidentiary documentation ready for review.
Mainland China: Moving toward an operational and rules-based regulatory approach
Mainland China's regulatory framework for generative AI continues to evolve toward a more operational, rules-based, and supervision-oriented approach. For financial institutions, the practical issue is no longer merely whether a specific AI tool is permitted for use, but whether the institution can demonstrate that relevant use cases have been properly classified, registered when necessary, supported by appropriate data controls, and monitored throughout their lifecycle.
This is crucial because regulatory boundaries are becoming more nuanced. Recent developments in labeling AI-generated content, registering algorithms and models, security assessments, national standards, and data governance in the financial sector all point in the same direction: mainland China’s AI compliance is increasingly focused on implementing evidence-based measures.
Content labeling and traceability are becoming core compliance requirements.
The "Measures for the Identification of Artificial Intelligence-Generated and Synthesized Content," jointly issued by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the National Radio and Television Administration, translate high-level transparency and governance concerns into specific, actionable content labeling and metadata requirements.
At the core of the Measures is a dual labeling system, which requires both of the following to be implemented at the same time:
a) Explicit labels that are visible to users; and
b) Implicit labels embedded in file metadata to enable traceability.
This dual-labeling approach reflects clear regulatory expectations that user-facing transparency and backend traceability for regulatory, law enforcement, and accountability purposes must operate in parallel. Importantly, the approach also extends responsibility across the entire AI content value chain. In summary:
- Content generation service providers shall implement content labeling (including explicit and implicit labeling) during the content generation phase to ensure the accuracy and persistence of labels, and support traceability and accountability when AI-generated content is subject to regulatory review or investigation;
- Content distribution platforms should identify, retain, and display existing labels attached to AI-generated content, prevent and address intentional removal, falsification, or misuse of such labels, and cooperate with regulatory authorities in oversight, including regulation related to content provenance and traceability; and
- Users must not intentionally remove, alter, conceal, or forge explicit labels; must not intentionally tamper with implicit labels or technical identifiers; must not falsely represent AI-generated content as human-created in a misleading manner; and must not use synthetic content in ways that circumvent traceability or regulatory requirements.
This approach further distinguishes between confirmed, possible, and suspected AI-generated content to support appropriate governance and regulation. These categories do not impose general AI detection obligations on dissemination platforms or users. Instead, they recognize varying levels of certainty regarding content origin, and mandatory labeling requirements apply only to confirmed AI-generated content produced by regulated AI content generation service providers.
Overall, this approach marks a shift toward shared responsibility and lifecycle-based governance, with content labeling and traceability positioned as baseline compliance controls for managing synthetic content risks under China’s evolving regulatory framework.
Algorithm and model registration remains central to the regulatory framework.
Although operational focus has increasingly shifted toward content labeling and traceability, algorithm and model registration remains a core pillar of mainland China's AI regulatory framework. While the relevant laws and regulations have not undergone significant revisions recently, regulatory practice and enforcement continue to evolve.
The following observations warrant special attention from financial institutions:
- Algorithm registration and model registration are two separate but potentially overlapping regulatory procedures. Under certain conditions, some generative AI service providers may be required to fulfill a "dual registration" obligation covering both algorithmic and model-level requirements.
- Certain financial services applications face greater regulatory uncertainty. The regulatory approach to registering models for specific financial services use cases is still evolving. Based on publicly available registration records, there have been limited successful approvals for algorithms or models directly used in functions such as financial risk assessment, credit or lending decisions, or AI-driven trading activities. Given their potential impact on market stability and consumer protection, these use cases appear to be subject to stricter scrutiny.
- Certain customer-facing use cases have more mature filing trends. Publicly available filing information indicates that several algorithms and models related to customer-facing applications have been approved, such as AI-powered customer service and assistants, as well as certain AI-supported financial or securities analysis tools. Notably, these use cases are typically characterized by content generation or information support functions, rather than direct decision-making or risk-bearing activities.
Regulatory focus has shifted from one-time approval or filing to ongoing supervision.
Recent enforcement actions indicate that regulatory approval or filing completion is not considered a final or static outcome. For institutions providing algorithmic recommendation services or generative AI services, expectations extend throughout the entire system lifecycle. When statutory or regulatory trigger conditions arise—such as changes in use cases, model functionality, data sources, user reach, or distribution channels—institutions may need to conduct supplementary security assessments, update existing filings, or proactively communicate with regulators as appropriate.
This trend has been reinforced by broader law enforcement initiatives. In April 2025, the Cyberspace Administration of China launched a three-month nationwide special campaign titled “Clear and Bright: Rectifying the Misuse of AI Technology,” during which regulators took action against numerous non-compliant AI products and related content. This clearly indicates that AI compliance is now firmly embedded within routine regulatory enforcement activities, rather than being viewed as an exceptional or transitional issue. Failure to maintain ongoing compliance may increase exposure to regulatory interviews, public censures, rectification orders, administrative penalties, and associated reputational risks.
Evolving regulations continue to expand the regulatory boundaries of generative AI.
Beyond content labeling, registration, and security assessments, the regulatory scope for generative AI in mainland China continues to expand in breadth and granularity. Recent regulatory tools and policy initiatives indicate that regulators are progressively shifting their focus from content safety and technical compliance to behavioral impacts, ethical governance, and scenario-specific risk management—particularly in high-risk contexts.
An important dimension of this evolution is the growing interaction between generative AI governance and technology ethics review frameworks, and the personal information protection requirements under the Personal Information Protection Law. Although these two systems are not new, their application to AI use cases is becoming increasingly visible and operational. In particular, when AI systems involve the processing of personal information, automated decision-making, or functions that may significantly impact individual rights, regulators increasingly expect organizations to assess not only legality and security, but also fairness, explainability, and ethical risks.
The "Interim Measures for Ethical Review and Services in Artificial Intelligence Technology," jointly issued in April 2026 by multiple departments, indicates that certain high-risk AI research and application scenarios—particularly those involving sensitive personal data, behavioral intervention, or large-scale societal impact—may require structured ethical reviews or expert evaluations within a broader compliance framework. Whether such a review is necessary will depend on the specific use case, the data involved, and the deployment environment, and should be assessed on a case-by-case basis.
For financial institutions, the direct compliance impact of these measures may be limited. However, as signals of regulatory direction, these developments are significant. They indicate that mainland China’s AI regulation is evolving from broad obligations toward scenario-based, function-based, and user-impact-oriented requirements, with generative AI governance increasingly expected to extend beyond technical robustness to include human-machine interaction design, safeguards, and upgrade mechanisms.
A comprehensive national standard system for AI is taking shape.
In addition to formal legal and administrative measures, national standards are playing an increasingly important role in shaping compliance expectations for AI practices. In the field of generative AI, regulatory authorities have issued several national standards providing guidance on machine learning security assessments, synthetic content labeling, training data security, and baseline service requirements. Further national standards related to AI model-as-a-service security, lifecycle security operation capabilities, and agent-based AI applications are currently under development.
These national standards serve as regulatory benchmarks, providing guidance to regulators on how to assess the adequacy of security measures, governance arrangements, and operational controls in practice. Over time, they may exert increasing influence in regulatory and enforcement contexts, shaping expectations for what constitutes "appropriate" safeguards for AI systems.
Financial regulations in mainland China regarding data and model governance are becoming stricter.
Alongside AI-specific initiatives, financial industry regulation in mainland China is increasingly strengthening expectations around data and model governance, directly impacting the deployment of generative AI. Specifically:
a) Requirements for data security and lifecycle governance are intensifying. The People's Bank of China’s “Management Measures for Data Security in People’s Bank of China Business Areas,” effective May 1, 2025, requires financial institutions to implement data classification and grading, establish and regularly update data inventories, identify personal, sensitive, and critical data, assign internal responsibilities, and adopt comprehensive data security management measures throughout the data lifecycle; and
b) Model governance and centralized oversight are becoming regulatory priorities. In December 2025, the National Financial Regulatory Administration issued the "Implementation Plan for High-Quality Development of Digital Finance in the Banking and Insurance Industries," encouraging institutions to build enterprise-level AI and model management platforms to support centralized development, deployment, and monitoring of models.
Overall, these regulatory trends indicate that AI applications in the financial sector are increasingly expected to be governed by structured lifecycle models, clearly defined human intervention points, and enhanced oversight of vendors and outsourced technology providers. As a result, AI compliance in mainland China is converging with established financial industry control standards, placing growing emphasis on governance maturity, documentation quality, and regulatory readiness.
Practical implications of the latest developments in mainland China
Recent developments indicate that mainland China is deepening the implementation of AI regulation. While broad concepts such as security, transparency, and responsible data use remain important, regulatory pressure is increasingly focused on how institutions document, demonstrate, and operationalize these concepts in practice.
For financial institutions, adopting AI in mainland China should be supported by structured governance, lifecycle controls, and defensible documentation. Institutions that integrate audit trails, data governance, security assessments, model risk management, and vendor oversight into the design and operation of AI systems from the outset will be better positioned to responsibly scale their AI applications.
Global Outlook: Monitoring, Concentration, and Dependency
Beyond Hong Kong and mainland China, the Financial Stability Board’s October 2025 report, “Monitoring AI Applications in the Financial Sector and Associated Vulnerabilities” [9], emphasizes that AI in finance is not merely a behavioral or technical issue, but a financial stability concern. The report highlights the rapid pace of AI model development, growing reliance on third-party providers, and evolving supply chains, as well as the need for regulators to monitor deployments, address data gaps, and understand vulnerabilities related to third-party dependencies and concentration risks. For institutions, this implies that AI governance must extend beyond ethical policies and model documentation to encompass outsourcing, operational resilience, and ecosystem risks. Examples include dependence on a limited number of foundational model providers, cloud platforms, data suppliers, and AI integration layers; limited visibility into training data sources and model update cycles; and the risk that a single vendor disruption, model change, or security incident could simultaneously impact multiple institutions.
Regulatory scrutiny may extend from individual model outputs to a broader control environment, including contractual and audit rights, change and release management, business continuity and contingency planning, data portability, incident reporting, and ongoing monitoring of third-party performance and concentration exposure.
Practical impact on financial institutions
The current regulatory landscape has not produced a single universal checklist. Legal and regulatory expectations will vary depending on the industry, business model, use case, operational footprint, and deployment design. Nevertheless, recent developments point to a practical agenda that many financial institutions should now consider.
- (Governance and Oversight) The board and senior management should ensure clear accountability, reporting pathways, and approval frameworks are established for significant AI use cases;
- (Use Case Evaluation) Institutions should ensure that high-impact use cases receive enhanced legal, compliance, model risk, and technical reviews;
- (Data and Privacy) Prompting, retrieval, and training workflows should be reviewed in conjunction with broader data governance and confidentiality obligations;
- (Transparency and Output Handling) Institutions should review whether customer disclosures, employee guidelines, output labeling, and quality control processes are fit for purpose;
- (Third-party and outsourcing risks) Due diligence on suppliers, contract controls, contingency planning, and ongoing monitoring should be strengthened; and
- (Testing, Monitoring, and Incident Reporting) Testing, logging, model monitoring, and incident reporting arrangements should be proportionate to the use case.
A single generative AI deployment may involve multiple aspects, including personal data, banking secrecy, intellectual property, customer communications, model validation, operational resilience, outsourcing, and recordkeeping. Therefore, entrusting these issues to a single innovation or technology team is often insufficient.
Human oversight is equally critical. For high-risk use cases, merely mentioning a "human-in-the-loop" may not be convincing unless the institution can specify when review is required, who is responsible for conducting the review, what the reviewer should check, how the review is documented, and when escalation or suspension is triggered.
Observations on AI Governance Practices in Global Financial Institutions
Based on a selective, non-exhaustive review of AI governance practices at specific global financial institutions, we make the following general observations. Please note that these observations are high-level and illustrative. There is no one-size-fits-all approach to AI governance; each financial institution’s framework typically reflects a combination of factors, including applicable regulatory and supervisory expectations in relevant jurisdictions, organizational structure, risk appetite, stage of technological maturity, and the nature of AI use cases.
A common three-tier governance structure is emerging: many organizations adopt a “three lines of defense” or three-tier governance model tailored for AI. At the operational level, AI use cases are typically initiated and developed in a decentralized manner by individual business units. At the intermediate level, organizations usually establish cross-functional committees—such as an AI Governance Committee or a Responsible AI Council—comprised of senior representatives from risk, compliance, data, technology, and business teams, responsible for reviewing, approving, and monitoring AI use cases. At the highest level, the board or board-level committees—typically existing risk or technology committees rather than newly created dedicated board-level AI committees—retain ultimate oversight over AI strategy, risk, and governance.
Institutions typically do not treat AI governance as a standalone framework; instead, AI is generally integrated into existing governance structures, particularly those for model risk management, operational risk, technology governance, and data governance. Many institutions view AI models as an extension of their model risk framework, subjecting them to validation, monitoring, and periodic review processes similar to those applied to traditional models, while adapting these processes to address AI-specific risks such as interpretability, bias, and model drift.
Strong emphasis on internal "Responsible AI" principles: Many organizations have established internal AI governance principles or standards as baseline requirements for all AI use cases. Although terminology varies, these principles generally align around the following common themes:
- Fairness and avoidance of biased or discriminatory outcomes;
- Transparency and interpretability of model outputs and limitations;
- Data governance, confidentiality, and privacy protection; and
- Ongoing testing, monitoring, and model performance validation.
These principles are increasingly operationalized through internal policies, control frameworks, and approval workflows, rather than remaining merely aspirational statements.
Cross-functional governance is a core characteristic: AI governance rarely remains confined to a single function. Organizations typically involve multiple stakeholders from data, technology, legal, compliance, risk, and business teams. Dedicated AI governance committees or centers of excellence are often established to coordinate these functions, establish common standards, and ensure consistency across use cases. In some organizations, a centralized AI function develops enterprise-wide policies and tools, while business units retain responsibility for implementation.
There is no standardized approach to case-by-case approval committees: while some institutions have established formal committees to review individual AI use cases, others rely on existing approval processes, such as Model Risk Committees or Technology Change Forums. In large global institutions, there is typically a preference for integrating AI into existing governance infrastructure rather than creating new approval bodies, reflecting the view that AI risks should be managed as part of a broader enterprise risk framework.
Lifecycle governance is gaining increasing attention: AI governance extends beyond initial approval. Institutions are placing greater emphasis on end-to-end lifecycle control, including:
- Use case classification and risk grading;
- Pre-deployment testing and verification;
- Continuous performance monitoring and drift detection;
- Clear manual intervention and reporting thresholds; and
- Regular review, retraining, and retirement processes.
This reflects a broader shift from static control to continuous monitoring.
Human oversight remains a core control mechanism: institutions widely recognize the critical importance of human oversight, particularly for higher-risk use cases. However, more mature frameworks have moved beyond the general concept of "human-in-the-loop" to precisely define when reviews are required, who is responsible for conducting them, which standards should apply, and how to document and evidence the process.
Data governance and model interpretability are priority areas: institutions commonly highlight challenges related to data quality, provenance, and access control, as well as the interpretability of complex models. These are often viewed as core governance issues rather than purely technical concerns, particularly in regulated financial services environments where interpretability and auditability are closely tied to regulatory expectations.
The governance framework continues to evolve with use cases and regulatory expectations: most institutions are still refining their AI governance frameworks. As AI use cases expand—particularly in customer interaction, decision support, and risk management—the governance frameworks are being enhanced to address new risks, regulatory developments, and operational lessons. Therefore, AI governance should be viewed as a dynamic and evolving discipline, not a static framework.
Overall, these observations indicate a global convergence toward integrated, principle-based, and lifecycle-oriented AI governance frameworks that are rooted in existing risk and control infrastructures but are increasingly adapting to address the unique characteristics and risks of AI systems.
In this article, "Hong Kong" refers to the Hong Kong Special Administrative Region of the People's Republic of China.
