New NFRA guidelines promote safe AI adoption in finance

The National Financial Regulatory Administration announced the release of new guidelines on the safe development and application of AI in the banking and insurance sectors on Thursday.

The guidelines call for stronger risk-based and tiered management of the development and application of artificial intelligence at banking and insurance institutions to effectively address the challenges posed by AI development, while better serving the real economy and meeting the needs of the public.

An NFRA official said the guidelines aim to regulate the development and use of AI by banking and insurance institutions, effectively prevent and control risks arising from AI applications, promote the high-quality development of digital finance, advance the orderly integration of AI innovation with financial services, and guide the healthy and orderly development of AI applications in the financial sector in a manner that is beneficial, safe, and fair.

The guidelines require financial institutions that develop and deploy AI technologies to strengthen top-level planning and overall governance by establishing a comprehensive AI lifecycle management framework and enhancing oversight of application scenarios and business processes.

Institutions are encouraged to build independently controllable, secure, and efficient intelligent computing infrastructure. Large financial institutions with the necessary capabilities are encouraged to provide computing-power services to smaller institutions and support industry efforts to jointly build and share infrastructure.

Additionally, financial institutions are required to incorporate AI-related risks into their comprehensive risk management frameworks, implement risk-based classification and tiered management, and establish access controls for high-risk AI applications.

Human oversight and intervention mechanisms must be put in place at key stages of high-risk applications, while outsourcing and supply-chain risk management should also be strengthened.

The regulatory official said financial institutions should conduct regular assessments and reviews of AI-related risks and risk-control measures, guarding against risks such as "black-box" models, AI hallucinations, and algorithmic discrimination, while strengthening cybersecurity, data security, and customer information protection.

Financial institutions should build AI capabilities that combine security, transparency, and accountability, while balancing risk control with business development. They should strengthen data security and personal information protection, strictly implement data classification and protection requirements, and improve content filtering and data desensitization measures, the official said.

The guidelines mark the NFRA's first dedicated regulatory framework for the safe development and use of artificial intelligence in the banking and insurance sectors, said Dong Ximiao, chief economist at Merchants Union Consumer Finance and executive director of the Shanghai Institution for Finance and Development. They address the challenge of some financial institutions adopting AI blindly without adequate regulatory guidance, while establishing rules, defining red lines, and setting the direction for AI applications in banking and insurance sectors.

Dong noted that the guidelines set out clear safeguards for AI applications. Most notably, they prohibit the use of personal information and private data in training generative AI models, aiming to curb privacy breaches and algorithmic bias at the source. Banking and insurance institutions are also required to incorporate AI-related risks into their overall risk management frameworks and strengthen human oversight in high-risk scenarios to ensure the prudence of critical business decisions.

Beyond risk control, the guidelines chart a path for the high-quality development of AI in finance, emphasizing secure, practical, and self-reliant technological development. They are designed to ensure that AI serves the real economy, promotes the orderly integration of technological innovation with financial services, and supports the sustainable growth of digital finance, Dong said.

He emphasized that the guidelines have four key highlights.

One notable feature is that they provide, for the first time, a clear definition of high-risk application scenarios, including fund trading, credit approval, and underwriting and claims settlement. Applications in these areas must be approved by the risk management committee of a financial institution and reported to the NFRA. Human oversight and intervention mechanisms are also mandatory at key stages to ensure that critical decisions do not become "black boxes".

Another important aspect concerns computing infrastructure. The guidelines require large institutions to build independent and controllable intelligent computing platforms based on their needs, while encouraging them to provide computing services to smaller financial institutions. They also support the co-construction and sharing of computing resources across the industry, helping to ease computing bottlenecks faced by smaller institutions and promote more balanced sector-wide development.

The guidelines also establish strict red lines for data privacy protection by explicitly prohibiting the use of sensitive personal information — such as names and identification numbers — for the training and optimization of generative AI models. This helps build strong safeguards against data security risks from the outset.

Furthermore, financial institutions are required to maintain end-to-end oversight of AI applications, while continuously improving model transparency and robustness. These requirements will help ensure that algorithmic decision-making remains compliant and traceable, providing an institutional framework for the safe application and healthy innovation of AI in the financial sector, Dong said.

jiangxueqing@chinadaily.com.cn