This article will focus on key regulatory developments and practical steps that financial institutions should take in this rapidly evolving environment.
Article Authors and Sources: Xiao Naiying, Fei Si, Yu Leimin, King & Wood Mallesons Research
Generative AI is gaining widespread adoption – Regulators focus on practical applications
As financial institutions continue to adopt generative artificial intelligence (“generative AI”), regulators are shifting their focus from principled policy statements to practical applications. Our “Guide to Generative AI Financial Institutions” [1], published in January 2025, pointed out that a regulatory landscape for generative AI is taking shape, although the framework at that time was still mainly principled. [2]
Subsequently, the regulatory focus has shifted from macro principles to operational governance. Hong Kong is moving from the pilot phase to responsible application, while mainland China's regulations are becoming increasingly detailed, particularly in areas such as content governance, data processing, filing obligations, and model regulation. This article will highlight key regulatory developments and practical steps financial institutions should take in this rapidly evolving environment.


Hong Kong: From Experimentation to Structured Application
Recent developments in Hong Kong demonstrate that the financial services sector is promoting the application of generative AI in a more mature and pragmatic manner. The regulatory focus is on whether financial institutions can deploy related technologies in a responsible, controllable manner that prioritizes investor protection and withstands regulatory scrutiny.
The Hong Kong Monetary Authority (“HKMA”) released a report in April 2025 entitled “GenA.I. New Era: Promoting the Responsible Application of Artificial Intelligence in Financial Services”[3], which pointed out that Hong Kong’s perception of generative AI is changing: 75% of the surveyed financial institutions have implemented or are developing AI applications, and that proportion is expected to reach 87% within the next three to five years.
At the same time, practical guidelines are becoming increasingly specific. For example, the "Guideline List on the Use of Generative AI by Employees" [4] issued by the Office of the Privacy Commissioner for Personal Data in Hong Kong in March 2025 transforms concerns about privacy and governance into specific operational control measures. The list recommends the development of clear policies on tool use, data input, output storage and retention, verification, bias correction and reporting, watermarking and annotation, device access and incident reporting.
The Hong Kong Digital Policy Office first released the "Guidelines on Generative Artificial Intelligence Technologies and Applications in Hong Kong" in April 2025 and updated it in December of the same year [5], which further provides best practice guidance and emphasizes principles such as fairness, transparency, user choice and bias correction. Financial institutions that use generative AI for customer interaction, recommendation engines, suitability support, internal classification or risk screening should regard the guidelines as an important part of the overall compliance framework.
Hong Kong's regulatory infrastructure continues to expand
A particularly important development is the continued expansion of Hong Kong’s generative AI regulatory framework. As we described in our January 2025 article, the Hong Kong Monetary Authority (HKMA) launched the GenA.I. Sandbox in 2024 in collaboration with Cyberport, providing a controlled environment for accredited institutions to develop and test innovative use cases of generative AI in the banking sector.
In October 2025, the Hong Kong Monetary Authority (HKMA) released the "First GenA.I. Sandbox Report" [6], which identified risk management, anti-fraud measures and customer experience as the three major testing areas, and also pointed out technical and governance challenges such as hallucination and factual error. This marks a shift in regulatory focus from encouraging innovation to understanding how to safely integrate generative AI into bank operations.
Furthermore, the second phase of the GenA.I. Sandbox, launched in October of the same year, reflects a significant shift from experimenting with AI capabilities to achieving secure and reliable implementation. The Hong Kong Monetary Authority (HKMA) selected 27 use cases involving 20 banks and 14 technology partners, emphasizing proactive AI governance, automated quality inspection, and adversarial simulation to enhance the ability to prevent deepfake fraud. This marks a clear transition towards deployment readiness, control effectiveness, and AI-driven risk mitigation.
In March 2026, the Hong Kong Monetary Authority (HKMA), together with the Securities and Futures Commission, the Insurance Authority, and the Mandatory Provident Fund Schemes Authority, launched the GenA.I. Sandbox++, expanding the framework to the securities, asset and wealth management, insurance, Mandatory Provident Fund, and stored value payment instruments sectors. It retains the three core areas of risk management, anti-fraud, and customer experience, while explicitly continuing to advance the regulatory strategy of "using AI to combat AI," namely, utilizing AI to manage AI-related risks.
The Hong Kong Monetary Authority's "Fintech 2030" strategy
In November 2025, the Hong Kong Monetary Authority (HKMA) launched the "Fintech 2030" strategy, which includes the "AI x Accredited Institutions" strategy. This strategy aims to promote the comprehensive and responsible application of AI in the financial industry and foster the development of shared and scalable infrastructure and industry models. From a legal and regulatory perspective, this strategy reinforces an important message: AI governance is no longer an isolated innovation issue but should be integrated into corporate architecture, business resilience, customer protection, and regulatory preparedness.
In March 2026, the Hong Kong Monetary Authority (HKMA) issued a circular to all authorized institutions regarding business models under digital transformation[7], noting that new technologies, including agent-based artificial intelligence, are accelerating digital transformation. The circular outlines the HKMA’s expectations of all authorized institutions to proactively assess and adjust their long-term business models to address technological changes. Among other things, the circular requires the board of directors of each authorized institution to oversee and approve a formal strategic plan on digital transformation and financial digitalization by 9 September 2026. The strategic plan should identify opportunities for adjustments or transformations in product offerings, revenue models, customer interactions, risk management, and operations. For more information on the HKMA’s digital transformation circular, please see our infographic.[8]


The Practical Significance of Hong Kong's Latest Developments
Recent regulatory trends in Hong Kong reflect that financial institutions should establish a comprehensive framework covering data, technological resilience, governance and accountability, and manage generative AI in a rigorous and evidence-based manner throughout its entire lifecycle.
In practice, this includes the following key points:
- (Application Scenario Differentiation) Different deployment scenarios should be carefully distinguished. Internal tools, customer applications, monitoring and surveillance tools, decision support use cases, and third-party models may raise different legal and risk considerations, and lumping them all into a single category of "AI use" may not be sufficient to meet the requirements;
- (Governance Focus) Organizations should bring issues that are typically described as purely technical (such as prompt design, retrieval mechanisms, output processing, model validation, reporting thresholds, and manual review) within their governance scope;
- (Policy Alignment) Institutions should align their internal policies with the terminology and concerns currently used in the Hong Kong guidelines, including responsible application, fairness, accuracy, transparency, privacy, accountability and incident response;
- (Regulatory Balance) Institutions should prepare for a narrowing space between innovation support and regulatory review. While sandbox participation and other regulatory interactions may accelerate deployment, they also imply higher governance requirements; and
- (Regulatory Communication) Participation in sandbox and pilot projects should be viewed as regulatory preparation activities, not merely as opportunities for innovation. Before communicating with regulatory agencies, organizations should ensure clear responsibilities and approvals, documented testing and validation (including bias and hallucination controls), clear triggers for human review and reporting, and a complete set of evidentiary documentation for review purposes.
Mainland China: Moving Towards an Operational and Rules-Based Regulatory Path
China's generative AI regulatory framework continues to evolve towards greater operability, rules-based approach, and regulatory orientation. For financial institutions, the practical issue is no longer simply whether a particular AI tool is permitted, but rather whether they can demonstrate that relevant use cases have been properly categorized, filed where necessary, supported by appropriate data controls, and monitored throughout their entire lifecycle.
This is crucial because regulatory boundaries are becoming increasingly refined. Recent developments in AI-generated content labeling, algorithm and model registration, security assessments, national standards, and data governance in the financial industry all point in the same direction: AI compliance in mainland China is increasingly emphasizing evidence of implementation.
Content labeling and traceability are becoming core compliance requirements.
The "Measures for Identifying Artificial Intelligence-Generated Synthetic Content," jointly issued by the State Internet Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration of Radio and Television, transform high-level transparency and governance concerns into specific and operable requirements for content labeling and metadata.
The core of this approach is a dual labeling system, which requires simultaneous implementation:
a) Explicit annotations visible to the user; and
b) Implicit annotations embedded in file metadata to enable traceability.
This dual-labeling approach reflects a clear regulatory expectation that user-facing transparency and backend traceability for regulation, enforcement, and accountability must operate in parallel. Importantly, this approach also extends accountability throughout the entire AI content value chain. In summary:
- Content generation service providers should implement content labeling (both explicit and implicit) during the content generation stage, ensure the accuracy and persistence of the labels, and support traceability and accountability when AI-generated content is subject to regulatory review or investigation;
- Content distribution platforms should identify, retain, and display existing annotations attached to AI-generated content, prevent and address the deliberate removal, falsification, or misuse of annotations, and cooperate with regulatory agencies in oversight, including oversight regarding content source traceability and verifiability; and
- Users must not intentionally remove, tamper with, conceal, or forge explicit annotations, must not intentionally tamper with implicit annotations or technical identifiers, must not mislead others by falsely presenting AI-generated content as human-created content, and must not use synthetic content in a way that circumvents traceability or regulation.
This approach further distinguishes between confirmed, potential, and suspected AI-generated content to support appropriate governance and regulation. These categories do not impose a general AI detection obligation on distribution platforms or users. Instead, they acknowledge different levels of certainty regarding content source, and mandatory labeling obligations apply only to confirmed AI-generated content generated by regulated AI content generation service providers.
In summary, this measure marks a shift towards a shared responsibility and lifecycle-based governance model, with content labeling and traceability positioned as the baseline compliance control for synthetic content risk management under China's evolving regulatory framework.
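As an added illustration of the dual-labeling and retention obligations described above (this is example code written for this article, not text or code from the Measures or from the authors), the script below shows a provider-side labeling step that prepends a visible label and embeds an implicit metadata record bound to the content by an HMAC tag, and a platform-side check that reports whether the explicit label is still displayed and whether the implicit label is missing, edited, or copied onto different content. The label wording, the metadata field names, the HMAC binding scheme, the key, and the sample content are all assumptions for the example; the Measures do not prescribe them.

```python
"""Toy dual-labeling pipeline for AI-generated content: explicit (visible)
label + implicit (metadata) label with an integrity tag, and a platform-side
check that detects missing, edited, or detached labels.

All field names, the label wording, the HMAC scheme and the sample inputs are
assumptions for this example, not requirements taken from the Measures."""
import hashlib
import hmac
import json

EXPLICIT_LABEL = "[AI-generated content]"   # assumed wording of the visible label
METADATA_KEY = "ai_generated_label"         # assumed metadata field name


def _canonical(record: dict) -> bytes:
    """Canonical JSON of the record without its tag, so the tag is reproducible."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical record; the platform holds the same key
    (assumption: a shared verification key between provider and platform)."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def _body(text: str) -> str:
    """Strip the explicit label line if present; the hash binds the body only."""
    prefix = EXPLICIT_LABEL + "\n"
    return text[len(prefix):] if text.startswith(prefix) else text


def label_content(text: str, producer: str, service_id: str, key: bytes) -> dict:
    """Generation-stage labeling (provider obligation): prepend the explicit
    label and embed a signed implicit record.  Returns a file-like dict."""
    record = {
        "producer": producer,
        "service_id": service_id,
        "content_sha256": hashlib.sha256(text.encode()).hexdigest(),
    }
    record["tag"] = _sign(record, key)
    return {"text": f"{EXPLICIT_LABEL}\n{text}", "metadata": {METADATA_KEY: record}}


def check_labels(file: dict, key: bytes) -> dict:
    """Distribution-stage check (platform obligation): is the explicit label
    still shown, and is the implicit label present, untampered and bound to
    this content?  Returns a small findings dict for the platform's workflow."""
    explicit = file.get("text", "").startswith(EXPLICIT_LABEL + "\n")
    record = file.get("metadata", {}).get(METADATA_KEY)
    if not isinstance(record, dict) or "tag" not in record:
        implicit = "missing"                      # implicit label stripped or never set
    elif not hmac.compare_digest(record["tag"], _sign(record, key)):
        implicit = "tampered"                     # record edited or forged
    elif record["content_sha256"] != hashlib.sha256(_body(file["text"]).encode()).hexdigest():
        implicit = "detached"                     # valid label copied onto other content
    else:
        implicit = "valid"

    if explicit and implicit == "valid":
        status = "confirmed"                      # labeling intact end to end
    elif implicit == "valid":
        status = "explicit_label_removed"         # platform should restore the visible label
    else:
        status = "unverifiable"                   # escalate: cannot confirm provenance
    return {"explicit_label": explicit, "implicit_label": implicit, "status": status}


if __name__ == "__main__":
    key = b"constructed-demo-key"                # constructed for the demo
    labeled = label_content("Quarterly market summary (sample).", "ExampleProvider",
                            "svc-001", key)
    print("intact:", check_labels(labeled, key))
    stripped = {"text": _body(labeled["text"]), "metadata": labeled["metadata"]}
    print("visible label removed:", check_labels(stripped, key))
    edited = dict(labeled["metadata"][METADATA_KEY], producer="SomeoneElse")
    print("metadata edited:", check_labels({"text": labeled["text"],
                                           "metadata": {METADATA_KEY: edited}}, key))
```

The three outcomes map onto the three roles in the Measures: "confirmed" is what a platform can rely on for mandatory display, "explicit_label_removed" is the case where the visible label was stripped but the embedded label still proves origin, and "unverifiable" (missing, tampered or detached metadata) is the case the platform cannot treat as confirmed AI-generated content and would need to handle through its own review process.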
Algorithm and model registration remains at the core of the regulatory framework.
Despite increasing operational focus on content labeling and traceability, algorithm and model registration remains a core pillar of China's AI regulatory framework. While there have been no major revisions to relevant laws and regulations recently, regulatory practices and implementation continue to evolve.
The following observations deserve special attention from financial institutions:
- Algorithm registration and model registration are two independent but potentially overlapping regulatory procedures. Under certain conditions, some generative AI service providers may be required to undertake "dual registration" obligations covering both the algorithm and model levels.
- Certain financial services applications face greater regulatory uncertainty. The regulatory approach to model filing for specific financial service use cases is still evolving. Based on publicly available filing records, there are limited successful approvals for algorithms or models directly used for functions such as financial risk assessment, credit or loan decisions, or AI-driven transaction activities. Given their potential impact on market stability and consumer protection, such use cases appear to face more stringent scrutiny.
- The filing trend for certain customer-facing use cases is becoming more mature. Publicly available filing information indicates that several algorithms and models related to customer-facing applications have been approved, such as AI-powered intelligent customer service and assistants, as well as certain AI-supported financial or securities analysis tools. It is worth noting that such use cases are typically characterized by content generation or information support functions, rather than direct decision-making or risk-taking activities.
The focus of regulation has shifted from one-time approval or filing to ongoing supervision.
Recent enforcement activities indicate that regulatory approval or filing is not considered a final or static outcome. For organizations providing algorithmic recommendation services or generative AI services, the expectation extends to the entire lifecycle of the system. When statutory or regulatory triggers occur (e.g., changes in use cases, model functionality, data sources, user reach, or dissemination channels), organizations may need to conduct supplementary security assessments, update existing filings, or proactively communicate with regulatory agencies as appropriate.
This trend has been reinforced by broader enforcement initiatives. In April 2025, the Cyberspace Administration of China launched a three-month nationwide campaign, "Clean Up the Internet and Rectify the Abuse of AI Technology," during which regulators took action against a large number of non-compliant AI products and related content. This clearly demonstrates that AI compliance is now firmly embedded in routine regulatory enforcement activities, rather than being regarded as an exceptional or transitional issue. Failure to maintain continuous compliance may increase exposure to regulatory interviews, public criticism, rectification orders, or administrative penalties, as well as corresponding reputational risks.
Evolving rules continue to expand the regulatory boundaries of generative AI.
Beyond content labeling, registration, and security assessments, the broader regulatory boundaries for generative AI in mainland China continue to expand in both scope and granularity. Recent regulatory tools and policy initiatives indicate that regulators are gradually extending their focus from content security and technical compliance to behavioral impact, ethical governance, and scenario-based risk management, especially in higher-risk situations.
A key dimension of this evolution is the growing interaction between generative AI governance, technology ethics review frameworks, and the personal information protection requirements under the Personal Information Protection Law. While these two frameworks are not entirely new, their applicability to AI use cases is becoming increasingly visible and operational. In particular, when AI systems involve the processing of personal information, automated decision-making, or functions that could significantly impact individual rights, regulators increasingly expect institutions to assess not only legality and security, but also fairness, explainability, and ethical risks.
The "Measures for Ethical Review and Services of Artificial Intelligence Technology (Trial Implementation)," jointly issued by multiple departments in April 2026, indicates that certain high-risk AI research and application scenarios—especially those involving sensitive personal data, behavioral intervention, or large-scale social impact—may require structured ethical reviews or expert assessments within a broader compliance framework. Whether such reviews are necessary will depend on the specific use case, the data involved, and the deployment environment, and should be assessed on a case-by-case basis.
For financial institutions, the direct compliance impact of these measures may be limited. However, these developments are significant as signals of regulatory direction. They indicate that AI regulation in mainland China is evolving from broad obligations to scenario-based, function-based, and user-impact-oriented requirements. Generative AI governance is increasingly expected to transcend technological robustness and extend to human-computer interaction design, safeguards, and upgrade mechanisms.
A comprehensive national standard system related to AI is taking shape.
Beyond formal laws and administrative measures, national standards are playing an increasingly important role in shaping compliance expectations in AI practices. In the field of generative AI, regulatory agencies have issued numerous national standards providing guidance on machine learning security assessments, synthetic content annotation, training data security, and baseline service requirements. Further national standards related to AI Model-as-a-Service security, lifecycle security operational capability assessments, and agent-based AI applications are under development.
These national standards serve as regulatory benchmarks, providing guidance for regulators on how to assess the adequacy of safety measures, governance arrangements, and operational controls in practice. Over time, they are likely to exert an increasingly significant influence in regulatory and enforcement areas, shaping expectations regarding what constitutes "appropriate" safeguards for AI systems.
Regulatory oversight of data and model governance in China's mainland financial sector is tightening.
Alongside AI-specific measures, financial regulators in mainland China are increasingly emphasizing expectations regarding data and model governance, directly impacting the deployment of generative AI. Specifically:
a) Data security and lifecycle governance requirements are being strengthened. The "Measures for Data Security Management in the Business Areas of the People's Bank of China," issued by the People's Bank of China on May 1, 2025, require financial institutions to implement data classification and grading, establish and regularly update data lists, identify personal, sensitive, and important data, allocate internal responsibilities, and adopt full lifecycle data security management measures; and
b) Model governance and centralized supervision are becoming regulatory priorities. The "Implementation Plan for High-Quality Development of Digital Finance in the Banking and Insurance Industries," issued by the State Financial Supervision and Administration Bureau in December 2025, encourages institutions to build enterprise-level AI and model management platforms to support the centralized development, deployment, and monitoring of models.
In summary, these regulatory trends indicate that AI applications in the financial industry are increasingly expected to be accompanied by structured lifecycle model governance, clearly defined human intervention points, and strengthened regulation of suppliers and outsourced technology providers. Therefore, AI compliance in mainland China is converging with established financial industry control standards, increasingly emphasizing governance maturity, documentation quality, and regulatory preparedness.
The Practical Significance of the Latest Developments in Mainland China
Recent developments indicate that mainland China is deepening the implementation of AI regulation. While macro concepts such as security, transparency, and responsible data use remain important, regulatory pressure is increasingly focused on how institutions document, demonstrate, and operationalize these concepts in practice.
For financial institutions in mainland China, the adoption of AI should be complemented by structured governance, lifecycle control, and a defensible record. Financial institutions that incorporate filing analysis, data governance, security assessments, model risk management, and supplier oversight from the outset into the design and operation of their AI systems will be better positioned to responsibly scale up AI adoption.
Global Outlook: Monitoring, Concentration, and Dependence
Looking beyond Hong Kong and mainland China, the Financial Stability Board’s report, “Monitoring the Use of AI in the Financial Sector and Related Vulnerabilities” [9], released in October 2025, emphasizes that AI in the financial sector is not just a conduct or technical issue, but also a financial stability issue. The report highlights the rapid pace of AI model development, the increasing reliance on third-party providers, the evolving supply chain, and the need for authorities to monitor applications, fill data gaps, and understand vulnerabilities related to third-party reliance and concentration risk. The implication for institutions is that AI governance must go beyond ethical policies and model documentation, and also cover outsourcing, operational resilience, and ecosystem risks. For example: reliance on a few foundation model providers, cloud platforms, data providers, and AI integration layers; limited visibility into training data sources and model update cycles; and the risk that a single vendor disruption, model change, or security incident will affect multiple institutions simultaneously.
Regulatory attention may extend from the output of a single model to a broader control environment, including contractual and audit rights, change management and release controls, business continuity and alternative planning, data portability, incident reporting, and ongoing monitoring of third-party performance and concentration exposure.
Practical impact on financial institutions
The current regulatory landscape does not produce a single, universally applicable list. Legal and regulatory expectations will vary depending on the industry, business model, use case, operational footprint, and deployment design. Nevertheless, recent developments point to many practical agendas that financial institutions should now consider.
- (Governance and Oversight) The board of directors and senior management should ensure that clear accountability, reporting pathways, and approval frameworks are established for significant AI use cases;
- (Use Case Evaluation) Organizations should ensure that high-impact use cases receive enhanced legal, compliance, model risk, and technical reviews;
- (Data and Privacy) The prompting, retrieval, and training workflows should be reviewed in conjunction with broader data governance and confidentiality obligations;
- (Transparency and Output Processing) Organizations should review whether customer disclosures, employee guidelines, output labeling, and quality control processes are appropriate for their purposes;
- (Third-party and outsourcing risks) Supplier due diligence, contract control, alternative planning, and ongoing monitoring should be strengthened; and
- (Testing, monitoring, and incident reporting) The scheduling of testing, logging, model monitoring, and incident reporting should be proportionate to the number of use cases.
A single generative AI deployment can involve multiple aspects, including personal data, bank confidentiality, intellectual property, customer communications, model validation, operational resilience, outsourcing, and record keeping. Therefore, it is usually insufficient to entrust these issues to a single innovation or technology team.
Human oversight is equally crucial. For higher-risk use cases, a vague reference to "human in the loop" may not be convincing unless the organization can explain when review is needed, who is responsible for the review, what the reviewers should check, how the review is documented, and when an override or suspension is triggered.
Observations on AI Governance Practices in Global Financial Institutions
Based on a selective, non-exhaustive review of the AI governance practices of specific global financial institutions, we offer the following general observations. Please note that these observations are high-level and illustrative. There is no one-size-fits-all approach to AI governance; each financial institution's framework typically reflects a combination of factors, including applicable regulations and regulatory expectations in the relevant jurisdiction, organizational structure, risk appetite, stage of technological maturity, and the nature of AI use cases.
A prevalent three-tiered governance architecture is emerging: many organizations are adopting a "three lines of defense/three tiers" governance model tailored for AI. At the operational level, AI use cases are typically proposed and developed in a decentralized manner by various business units. At the middle level, organizations typically establish cross-functional committees (such as an AI governance committee or a responsible AI council), composed of senior representatives from risk, compliance, data, technology, and business teams, responsible for reviewing, approving, and monitoring AI use cases. At the highest level, the board of directors or a board-level committee (usually an existing risk or technology committee, rather than a newly established dedicated board-level AI committee) retains ultimate oversight of AI strategy, risk, and governance.
Organizations typically do not treat AI governance as a standalone framework; instead, AI is usually integrated into existing governance structures, particularly model risk management, operational risk, technology governance, and data governance frameworks. Many organizations view AI models as an extension of their model risk framework, subjecting them to similar validation, monitoring, and periodic review processes as traditional models, while adapting these processes to address AI-specific risks such as interpretability, bias, and model drift.
A strong emphasis on internal "responsible AI" principles: Many organizations have established internal AI governance principles or standards as baseline requirements for all AI use cases. While the terminology may differ, these principles generally converge around the common theme of:
- Fairness and avoidance of biased or discriminatory outcomes;
- Transparency and interpretability of model output and constraints;
- Data governance, confidentiality and privacy protection; and
- Continuous testing, monitoring, and model performance validation.
These principles are increasingly being operationalized through internal policies, control frameworks, and approval processes, rather than remaining merely at the level of purely declarative statements.
Cross-functional governance is a key characteristic: AI governance is rarely confined to a single function. Organizations typically involve multiple stakeholders from data, technology, legal, compliance, risk, and business teams. Dedicated AI governance committees or centers of excellence are often used to coordinate these functions, develop common standards, and ensure consistency across use cases. In some organizations, a centralized AI function develops group-wide policies and tools, while business units retain responsibility for implementation.
There is no uniform approach to per-use-case approval committees: while some organizations have established formal committees to approve individual AI use cases, others rely on existing approval processes (such as model risk committees or technology change forums). Large global organizations generally tend to integrate AI into their existing governance infrastructure rather than creating entirely new approval bodies, reflecting the view that AI risks should be managed as part of a broader corporate risk framework.
Lifecycle governance is gaining increasing importance: AI governance is no longer limited to initial approval. Organizations are placing greater emphasis on end-to-end lifecycle control, including:
- Use case classification and risk grading;
- Pre-deployment testing and verification;
- Continuous performance monitoring and drift detection;
- Clearly defined thresholds for manual intervention and reporting; and
- Regular review, retraining, and retirement procedures.
This reflects a broader shift from static control to continuous monitoring.
Human oversight remains a core control mechanism: organizations generally recognize its importance, especially for high-risk use cases. However, more mature frameworks have moved beyond the general concept of "human in the loop," striving to define more precisely when review is needed, who is responsible for the review, what standards should apply, and how the review is recorded and documented.
Data governance and model interpretability are priority areas: institutions generally emphasize challenges related to data quality, source, and access control, as well as the interpretability of complex models. These are often seen as core governance issues rather than purely technical considerations, especially in regulated financial services environments where interpretability and auditability are closely tied to regulatory expectations.
Governance frameworks continue to evolve with use cases and regulatory expectations: most organizations are still iterating their AI governance frameworks. As AI use cases expand—particularly in areas such as customer interaction, decision support, and risk management—governance frameworks are being refined to address new risks, regulatory developments, and operational lessons learned. Therefore, AI governance should be viewed as a dynamic and evolving discipline, rather than a fixed framework.
In summary, these observations indicate that the world is converging towards an integrated, principle-based, and lifecycle-oriented AI governance framework that is rooted in existing risk and control infrastructure but is increasingly adapted to address the unique characteristics and risks of AI systems.
*In this article, "Hong Kong" refers to the Hong Kong Special Administrative Region of the People's Republic of China.