Pix credit here (1984, Danger Be Careful of Live Wires)
The Chinese National Financial Regulatory Administration (NFRA) has released its 《关于银行业保险业人工智能安全开发应用的指导意见》 ["Guiding Opinions on the Secure Development and Application of Artificial Intelligence in the Banking and Insurance Industries"]. NFRA's online announcement (full text follows below in English and Chinese) nicely summarized its seven overall objectives, reduced to thirty-two guiding measures:
《指导意见》从治理架构、开发应用、数据治理、算力建设、风险管理、能力提升、保障与监督等方面提出了32项指导性意见。一是完善人工智能治理架构。要求金融机构加强顶层设计和统筹管理,建立健全人工智能全生命周期管理体系,加强应用场景和业务流程管理。二是推进高水平人工智能开发应用。要求金融机构完善开发与测评体系,实现模型开发部署全流程管理,稳妥探索人工智能技术研发和金融智能体建设,促进行业应用生态建设。三是提升数据治理能力。要求完善数据管理运营体系,提升数据服务能力,针对业务场景持续推进高质量数据集和知识工程建设。四是加强智能算力建设。按需布局建设自主可控、安全高效的智能算力底座,鼓励有条件的大型金融机构向中小金融机构输出算力服务,支持同业探索基础设施共建共享。五是完善人工智能风险治理框架。要求金融机构将人工智能风险纳入全面风险管理体系,实施风险分类分级管理和高风险应用准入管理,在高风险应用关键环节要建立人工监督和干预机制,加强外包和供应链风险管理。六是提升人工智能安全开发应用能力。持续增强人工智能模型稳健性,提高透明度,促进可解释性,确保人工智能应用符合法律法规及社会价值观要求,加强网络安全、数据安全与个人信息保护,加强运营韧性和业务连续性管理。七是保障与监督。明确金融监管总局及各级派出机构加强指导和监督,督促金融机构全面落实风险治理要求,关注金融业务合规风险,严肃查处违规行为。加强风险应对处置,定期评估监管政策和监管效果,持续提高监管适配能力。
The "Guiding Opinions" put forward 32 guiding measures covering aspects such as governance architecture, development and application, data governance, computing power infrastructure, risk management, capability enhancement, and safeguards and supervision. First, improve the AI governance architecture. Financial institutions are required to strengthen top-level design and overall management, establish and improve a full-lifecycle management system for AI, and strengthen the management of application scenarios and business processes. Second, advance high-level AI development and application. Financial institutions are required to improve development and evaluation systems, achieve full-process management of model development and deployment, prudently explore AI technology R&D and the construction of financial AI agents, and foster an industry application ecosystem. Third, enhance data governance capabilities. Financial institutions are required to improve data management and operational systems, enhance data service capabilities, and continuously advance the construction of high-quality datasets and knowledge engineering tailored to business scenarios. Fourth, strengthen intelligent computing power infrastructure. Financial institutions should deploy and build—based on demand—an independently controllable, safe, and efficient intelligent computing infrastructure; large financial institutions with the capacity to do so are encouraged to provide computing services to small and medium-sized financial institutions, and industry peers are supported in exploring the joint construction and sharing of infrastructure. Fifth, improve the AI risk governance framework. Financial institutions are required to incorporate AI risks into their comprehensive risk management systems, implement categorized and graded risk management and access controls for high-risk applications, establish human oversight and intervention mechanisms for critical stages of high-risk applications, and strengthen risk management regarding outsourcing and supply chains. Sixth, enhance capabilities for the safe development and application of AI. Continuously enhance the robustness of AI models, improve transparency, promote explainability, and ensure that AI applications comply with laws, regulations, and societal values; strengthen cybersecurity, data security, and personal information protection; and bolster operational resilience and business continuity management. Seventh, ensure safeguards and oversight. Clarify that the National Financial Regulatory Administration (NFRA) and its local offices shall strengthen guidance and supervision, urge financial institutions to fully implement risk governance requirements, focus on compliance risks in financial operations, and strictly penalize violations. Strengthen risk response and mitigation, regularly evaluate regulatory policies and their effectiveness, and continuously improve regulatory adaptability.
Pix credit here (1979, Science has its dangers, arduous efforts cross barriers)
It suggests the closing stages of the Chinese Marxist-Leninist New Era and the start of the next stage of Chinese historical development, now much more visible on the shorter-term horizon: the era of the automation of forward movement along the Socialist Path toward communism and the virtualization of the structures of CPC leadership and guidance (considered here). It also, with these transformations, suggests the central contradiction of the Next Era: the contradiction between the central role of the human in leading and guiding the people along the socialist path through the elaboration of a fundamental political line and the increasing capacity of non-human systems to undertake that leadership and guidance role through an implementation that may detach the application of the fundamental political line from its conception.
Ultimately, one must come to understand, or at least consider the plausibility, of a principle that under New Era Chinese Marxist-Leninism, the state apparatus can only be as “smart,” “intelligent” and “wise” as it is in the capacity and operations of the Party to do likewise. In the presence of asymmetry two fundamental contradictions must be addressed. The first is the contradiction between the leadership of the Party and its capacity to lead. The second is between the techno-instruments through which Party capacity is undertaken and the ability of the Party apparatus to steer, guide, assess, control and utilize these instruments in the performance of its own duties and responsibilities. The fundamental issue of instrumentalization and capacity remains undisturbed—the more autonomous the tech, the greater the risk that the relationship between instrument and its wielders will be reversed, at least in part. In the absence of a capacity to understand and manage those contradictions, either organs better capacitated to wield techno-instrumentalized applications and processes will drive human collective systems, or human collective systems may become an instrument through which techno-wisdom intelligence may realize its own vision for techno-human perfectibility. (Smart Regulation, Smart Society, Smart Courts, and Smart Party: The Ideology of Chinese Social Credit and its Dialectics (2025), Larry Catá Backer)
Pix credit here (1978, Scale the peaks of science to contribute to the realization of the 4 modernizations)
国家金融监督管理总局发布
《关于银行业保险业人工智能安全开发应用的指导意见》
为深入贯彻党中央、国务院决策部署,落实中央经济工作会议、中央金融工作会议精神,推动银行业保险业扎实做好人工智能技术应用和风险防控,金融监管总局近日发布《关于银行业保险业人工智能安全开发应用的指导意见》(以下简称《指导意见》)。
《指导意见》要求开发应用人工智能的银行业保险业金融机构(以下简称金融机构)要以习近平新时代中国特色社会主义思想为指导,完整准确全面贯彻新发展理念,统筹发展和安全,加快培育发展金融行业新质生产力,推动人工智能应用合规、透明、可信赖,加强分类分级管理,有效应对人工智能发展带来的风险挑战,更好服务实体经济和满足人民群众需要。金融机构开发应用人工智能应坚持谁使用谁负责、自主可控、务实高效及安全发展的原则。
《指导意见》从治理架构、开发应用、数据治理、算力建设、风险管理、能力提升、保障与监督等方面提出了32项指导性意见。一是完善人工智能治理架构。要求金融机构加强顶层设计和统筹管理,建立健全人工智能全生命周期管理体系,加强应用场景和业务流程管理。二是推进高水平人工智能开发应用。要求金融机构完善开发与测评体系,实现模型开发部署全流程管理,稳妥探索人工智能技术研发和金融智能体建设,促进行业应用生态建设。三是提升数据治理能力。要求完善数据管理运营体系,提升数据服务能力,针对业务场景持续推进高质量数据集和知识工程建设。四是加强智能算力建设。按需布局建设自主可控、安全高效的智能算力底座,鼓励有条件的大型金融机构向中小金融机构输出算力服务,支持同业探索基础设施共建共享。五是完善人工智能风险治理框架。要求金融机构将人工智能风险纳入全面风险管理体系,实施风险分类分级管理和高风险应用准入管理,在高风险应用关键环节要建立人工监督和干预机制,加强外包和供应链风险管理。六是提升人工智能安全开发应用能力。持续增强人工智能模型稳健性,提高透明度,促进可解释性,确保人工智能应用符合法律法规及社会价值观要求,加强网络安全、数据安全与个人信息保护,加强运营韧性和业务连续性管理。七是保障与监督。明确金融监管总局及各级派出机构加强指导和监督,督促金融机构全面落实风险治理要求,关注金融业务合规风险,严肃查处违规行为。加强风险应对处置,定期评估监管政策和监管效果,持续提高监管适配能力。
《指导意见》的发布是贯彻党中央关于加强人工智能治理战略部署和落实《国务院关于深入实施“人工智能+”行动的意见》的重要举措。金融监管总局将持续做好《指导意见》政策宣贯工作,督促金融机构稳步推进人工智能科技创新与金融业务深度融合,加快培育发展金融行业新质生产力,有效应对人工智能发展带来的风险挑战,引导金融领域人工智能应用朝着有益、安全、公平方向健康有序发展。
附:国家金融监督管理总局关于银行业保险业人工智能安全开发应用的指导意见
National Financial Regulatory Administration Issues
"Guiding Opinions on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Sectors"
To thoroughly implement the decisions and plans of the CPC Central Committee and the State Council, carry out the spirit of the Central Economic Work Conference and the Central Financial Work Conference, and ensure the banking and insurance sectors solidly manage the application of artificial intelligence (AI) technology and risk prevention and control, the National Financial Regulatory Administration (NFRA) recently issued the "Guiding Opinions on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Sectors" (hereinafter referred to as the "Guiding Opinions").
The "Guiding Opinions" require banking and insurance financial institutions (hereinafter referred to as "financial institutions") that develop and apply AI to be guided by Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era; to fully, accurately, and comprehensively implement the new development philosophy; to balance development and security; to accelerate the cultivation and development of "new quality productive forces" in the financial sector; to promote AI applications that are compliant, transparent, and trustworthy; to strengthen categorized and graded management; to effectively address the risks and challenges posed by AI development; and to better serve the real economy and meet the needs of the people. Financial institutions developing and applying AI must adhere to the principles of "user responsibility," independent controllability, pragmatism and efficiency, and safe development.
The "Guiding Opinions" put forward 32 guiding measures covering aspects such as governance architecture, development and application, data governance, computing power infrastructure, risk management, capability enhancement, and safeguards and supervision. First, improve the AI governance architecture. Financial institutions are required to strengthen top-level design and overall management, establish and improve a full-lifecycle management system for AI, and strengthen the management of application scenarios and business processes. Second, advance high-level AI development and application. Financial institutions are required to improve development and evaluation systems, achieve full-process management of model development and deployment, prudently explore AI technology R&D and the construction of financial AI agents, and foster an industry application ecosystem. Third, enhance data governance capabilities. Financial institutions are required to improve data management and operational systems, enhance data service capabilities, and continuously advance the construction of high-quality datasets and knowledge engineering tailored to business scenarios. Fourth, strengthen intelligent computing power infrastructure. Financial institutions should deploy and build—based on demand—an independently controllable, safe, and efficient intelligent computing infrastructure; large financial institutions with the capacity to do so are encouraged to provide computing services to small and medium-sized financial institutions, and industry peers are supported in exploring the joint construction and sharing of infrastructure. Fifth, improve the AI risk governance framework. Financial institutions are required to incorporate AI risks into their comprehensive risk management systems, implement categorized and graded risk management and access controls for high-risk applications, establish human oversight and intervention mechanisms for critical stages of high-risk applications, and strengthen risk management regarding outsourcing and supply chains. Sixth, enhance capabilities for the safe development and application of AI. Continuously enhance the robustness of AI models, improve transparency, promote explainability, and ensure that AI applications comply with laws, regulations, and societal values; strengthen cybersecurity, data security, and personal information protection; and bolster operational resilience and business continuity management. Seventh, ensure safeguards and oversight. Clarify that the National Financial Regulatory Administration (NFRA) and its local offices shall strengthen guidance and supervision, urge financial institutions to fully implement risk governance requirements, focus on compliance risks in financial operations, and strictly penalize violations. Strengthen risk response and mitigation, regularly evaluate regulatory policies and their effectiveness, and continuously improve regulatory adaptability.
The issuance of these *Guiding Opinions* is a significant measure to implement the strategic directives of the CPC Central Committee regarding the strengthening of AI governance and the *Opinions of the State Council on Deeply Implementing the "AI+" Action*. The NFRA will continue to promote and interpret the *Guiding Opinions*, urge financial institutions to steadily advance the deep integration of AI technological innovation with financial operations, accelerate the cultivation and development of "new quality productive forces" in the financial sector, effectively address the risks and challenges posed by AI development, and guide the application of AI in the financial sector toward healthy and orderly development that is beneficial, safe, and fair.
Attachment: Guiding Opinions of the National Financial Regulatory Administration on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Sectors
索 引 号: 717804719/2026-365 主题分类: 政策法规
办文部门: 科技监管司 发文日期: 2026-06-18
公文名称: 国家金融监督管理总局关于银行业保险业人工智能安全开发应用的指导意见
文 号: 金发〔2026〕8号
国家金融监督管理总局
金发〔2026〕8号
各金融监管局,各政策性银行、大型银行、股份制银行、外资银行、金融资产管理公司、理财公司,各保险集团(控股)公司、保险公司、保险资产管理公司,各金融控股公司,各总局管理单位:
为深入贯彻《中华人民共和国国民经济和社会发展第十五个五年规划纲要》关于加快人工智能技术创新、加强人工智能治理的战略部署,落实《国务院关于深入实施“人工智能+”行动的意见》,推动数字金融高质量发展,有序推进人工智能科技创新与金融业务深度融合,引导金融领域人工智能应用朝着有益、安全、公平方向健康有序发展,现提出如下意见。
一、总体要求
以习近平新时代中国特色社会主义思想为指导,完整准确全面贯彻新发展理念,坚持防风险、强监管、促高质量发展的工作主线,统筹发展和安全,加快培育发展金融行业新质生产力,推动人工智能应用合规、透明、可信赖,加强分类分级管理,有效应对人工智能发展带来的风险挑战,更好服务实体经济和满足人民群众需要。
坚持谁使用谁负责,压实金融机构作为金融服务提供方、人工智能技术使用方的主体责任,强化金融机构内部各环节工作责任落实,明确人工智能开发应用各方分工和权责义务。
坚持自主可控,持续提升人工智能相关技术、设备自主可控水平,提高对业务经营发展有重大影响的关键平台、关键软硬件的自主研发能力,加强信息技术应用创新适配。
坚持务实高效,以提升业务价值为导向,科学规划人工智能开发应用投入,有效平衡成本与效益,推动人工智能切实服务经济高质量发展和金融业务高效运转。
坚持安全发展,严格落实国家网络安全和信息化工作要求,遵守网络安全、数据安全各项法律法规制度,强化技术安全和应用安全保障,全面提升安全防护和应急处置能力。
二、完善人工智能治理架构
(一)加强人工智能安全开发应用治理。开发应用人工智能的银行业保险业金融机构(以下简称金融机构),董(理)事会应指定专门委员会对人工智能开发应用管理负责,统筹制定发展规划,推进能力体系建设,制定制度规范,明确牵头部门和跨业务、科技、数据职能部门的协同机制,加强人才队伍建设,遵循技术发展客观规律,确保人工智能应用与金融机构风险管理能力相匹配。
(二)建立人工智能应用管理体系。金融机构应建立健全人工智能应用需求分析、数据准备、训练开发、部署运行、维护迭代、评估退出的全生命周期管理体系,规范模型研发、应用及资产管理,加强数据安全评估、算法风险筛查、伦理审查评估、责任追溯机制建设,实施人工智能应用风险分类分级管理。探索建立业务价值导向的人工智能应用绩效评估机制。
(三)加强人工智能应用场景和业务流程管理。金融机构应按照应用场景与技术适配原则,加强人工智能算法评估,将合适的人工智能技术应用于适当的业务场景。推动人工智能在服务实体经济、加强金融风险管理等领域发挥积极作用,穿透管控关联交易、资金运用等重点领域风险问题。完善人机协同的业务管理流程,科学设定人工智能的功能边界、系统和数据权限,明确人员岗位责任,确保业务全流程管理责任清晰、可落实、可追溯。
三、推进高水平人工智能开发应用
(四)完善开发与测评体系。鼓励有条件的金融机构建立一站式人工智能开发平台,实现模型开发部署全流程管理。加强面向业务人员的低代码开发、交互式模型验证能力建设。完善人工智能测评体系,建设测试工具链、测评指标和测试用例集,全面评估模型的基础能力、金融业务支持能力、安全可靠性,提高自动化测评能力。
(五)推动新一代人工智能技术应用。支持金融机构在风险可控的前提下,推进生成式人工智能技术的业务应用和配套能力体系建设,稳妥探索人工智能技术研发和金融智能体建设。金融机构对生成式人工智能模型要实施准入管理,评估模型效能及安全合规性。外部引入的生成式人工智能模型需经过网信部门备案。
(六)加强人工智能运营服务体系建设。定期开展对模型效能的测评分析,构建数据闭环反馈机制,形成“数据—模型—应用”的迭代优化。支持有条件的金融机构建立企业级模型即服务(MaaS)平台,实现模型在企业层面共享复用。
(七)促进行业人工智能应用生态建设。推进人工智能金融行业应用基础设施建设,促进人工智能应用成果在行业共享复用。鼓励大型金融机构发挥示范作用,向中小金融机构输出人工智能技术和管理经验。支持中小金融机构加强协作,共同推进应用场景落地。鼓励与人工智能产业加强协同,以金融应用促进产业创新发展,以产业成果促进金融应用提质增效。
四、提升数据治理能力
(八)完善数据管理运营体系。金融机构要推动数据运营机制建设,建立覆盖数据全生命周期的管理流程,提升数据服务能力。构建企业级数据模型和数据资产地图,强化元数据管理,确保数据可寻可用,不同类型的数据可兼容,数据源头可追溯。加强对非结构化数据的管理,制定数据采集、清洗、标注、应用、退出管理规范。稳妥选择使用技术自主、性能可靠、安全防护能力强的数据库产品。
(九)建设人工智能高质量数据集。金融机构应针对人工智能业务场景持续推进高质量数据集建设,确立数据质量标准,建立高效的质量检控机制,确保数据准确性、相关性、一致性、完整性和无偏见。探索运用人工智能技术强化实时数据、非结构化数据的动态感知、智能提取和解析处理。持续监测数据分布漂移,确保数据集及时更新。
(十)支持行业数据集共建共享。鼓励有条件的金融机构协同多源数据,融合行业经验知识与专业判断,通过系统性筛选、清洗、标注、合成等方式形成高质量数据集,支持金融机构间依法合规开展数据集共享。
(十一)推进知识工程建设。支持金融机构构建企业级知识管理体系。坚持服务业务的价值导向,构建核心知识模型,建立知识萃取、整合、共享机制流程,建立从知识创建、审核、发布、更新到归档的全流程管理规范。鼓励利用人工智能技术提升知识萃取、表示、融合和对齐能力。
五、加强智能算力建设
(十二)加强智能算力设施建设。金融机构应充分依托已有算力资源基础,按照国家相关政策要求,按需布局智能算力资源建设,应用绿色低碳技术,建设自主可控、安全高效的算力底座,助力高水平科技自立自强。鼓励有条件的大型金融机构向中小金融机构输出算力服务,支持同业探索基础设施共建共享。支持金融机构在安全合规前提下,使用国家算力节点或行业基础设施降低人工智能研发应用成本,加强对智能算力资源的信息科技重要外包管理。
(十三)提高安全运行能力。金融机构要加强智能算力资源的云化管理,加强对人工智能应用的运行监测,实现对应用、模型、算力、网络的一体化管理,保障人工智能应用安全可靠运行。
六、完善人工智能风险治理框架
(十四)健全风险治理体系。金融机构应将人工智能风险纳入全面风险管理体系,定期开展对人工智能应用风险及管理措施的评估审查。推动模型算法、数据资源、基础设施、应用系统等安全能力建设,完善业务及风险管理流程,防范模型生成结果不可靠风险,防止模型黑箱导致关键业务流程难落责问题。夯实数据安全、网络安全、个人信息与隐私保护和业务连续性基础。有效应对金融业务侧可能产生的投资策略趋同、放大市场波动风险,严禁滥用人工智能技术生成虚假信息、操纵市场价格。
(十五)实施风险分类分级管理。金融机构应根据业务场景重要性、应用规模、对客影响度、模型依赖度、模型复杂度等因素,对人工智能应用进行风险识别和分类分级管理。建立管理制度,制定应用清单,实施分级管控措施,落实管理责任。
(十六)强化高风险应用准入管理。涉及资金交易、资产评估、信贷审批、承保理赔、风险管理等,以及与客户利益直接相关、直接影响金融合约达成的生成式人工智能场景应用应被视为高风险应用。人工智能高风险应用须经本机构风险管理委员会批准后方可实施。
(十七)加强高风险应用监测和干预。金融机构要加强对人工智能在业务场景中的运行监测,及时发现和管控模型风险。在高风险应用关键环节建立人工监督和干预机制,明确紧急停用及模型退出条件,建立备用系统或人工替代流程。
(十八)加强外包风险管理。使用外部人工智能技术时,金融机构应在外包策略、数据安全、集中度管理等方面建立管理机制,通过合同协议明确安全管理方面的权责义务,确保金融机构能够有效管控相关风险。与外部企业开展合作时,应建立有效的风险隔离“防火墙”,防范风险跨业传递。对外包合作机构实行名单制管理,对引入的外部模型建立严格的内部评估框架,有效评价模型的优缺点和适配性。
(十九)加强供应链风险与开源技术管理。金融机构要建立对人工智能算力、模型、数据、技术工具等的供应链安全合规管理机制,确保应用自主可控,防范对个别技术服务过度依赖引发的集中度风险。完善开源技术使用规范,建立开源软件管理台账,对外部引入的开源组件应进行审查评估,加强代码审计、漏洞扫描及安全测试,定期排查开源组件风险隐患,防范供应链投毒。
七、提升人工智能安全开发应用能力
(二十)增强稳健性。金融机构应确保训练数据集质量、数量和分布符合建模要求,采取合适的模型架构与训练策略,加强对抗样本检测及压力测试,严格评估模型的敏感性、稳定性、抗噪能力和容错能力。模型部署后,持续监测其性能表现,建立训练反馈更新机制,实现模型持续迭代优化。
(二十一)提高透明度。金融机构应加强人工智能应用透明度管理,为高风险场景应用制定透明度和可解释性标准,明确模型设计、数据使用、特征选择及输出结果的逻辑。对人工智能生成内容应进行显著标识,并向金融消费者主动说明。加强模型开发、变更管理和训练过程记录,日志保存期限应不低于业务存续期。
(二十二)促进可解释性。金融机构应制定人工智能模型的可解释性方法,加强推理解释和决策分析。可解释性不足的人工智能技术在高风险场景应用时,仅能作为辅助工具,应由人工进行最终决策。人工智能模型应用于涉及客户权益或有实质性财务影响的关键决策时,须设置人工复核节点,完整保留原始数据、推理路径及阈值触发记录,确保责任可追溯。定期对人工智能模型算法开展审计。
(二十三)保障伦理道德与公平性。金融机构开发应用人工智能应符合法律法规及社会价值观要求。建立人工智能开发应用伦理审查监测制度,制定符合伦理道德的行为准则,加强数据集审查和对特定群体的影响评估,避免算法歧视等不公平性问题。使用受保护特征或属性时应进行正当性说明,删除偏见样本。涉及公共服务、关键信息基础设施及影响公共安全的人工智能应用,应开展伦理风险监测评估,及时对模型运行异常情况进行处置。
(二十四)加强数据安全与个人信息保护。金融机构应将人工智能数据安全纳入企业数据安全管理体系,严格落实数据分类分级保护要求。规范开发过程和数据访问权限,防范数据投毒,完善数据脱敏规范,避免使用可直接识别出个体的数据。姓名、身份证号、手机号、银行卡号等个人信息和隐私数据不得用于生成式人工智能模型训练和优化,有效防止客户隐私泄露。加强模型安全护栏建设,加强内容过滤及脱敏管理。严格管理外包过程中的数据安全。
(二十五)提升网络安全防御能力。金融机构要加强人工智能开发应用中的网络安全管理,加强对抗攻击测试和输出验证,通过数据隔离、访问控制等措施提升模型部署安全,持续监控模型行为,定期扫描、修补人工智能模型及相关系统组件漏洞,有效防范提示词注入、思维链注入、多模态攻击、上下文污染等威胁。提升智能体系统安全保障能力,防范数据泄露、记忆污染、身份越权、工具滥用、运行失控等安全风险。
(二十六)加强运营韧性及业务连续性管理。金融机构要将人工智能应用纳入业务连续性管理体系,开展业务影响分析,制定应急预案,加强安全运行管理、事件处置和容灾能力建设。发生故障时,人工流程要及时介入或启用备份系统,保障人工智能应用稳定性、可靠性。
八、保障与监督
(二十七)加强督促指导。金融监管总局及各级派出机构加强指导,积极推动人工智能技术安全开发应用,督促辖内金融机构全面落实风险治理要求。压实监管部门责任,各级监管部门要加强风险评估和监督检查,重点关注相关金融业务合规风险,督促金融机构健全风险治理体系,对政策落实不到位、执行走偏等问题及时予以纠正,对违规行为严肃查处。
(二十八)推动建立安全应用实施规范。金融监管总局会同相关部门积极推动构建银行业保险业生成式人工智能安全开发应用技术框架,规范分类分级管理,明确安全开发标准规范,引导金融机构有效提升人工智能应用安全开发水平。
(二十九)加强风险监测与应对处置。金融机构面向公众服务或高风险场景应用使用生成式人工智能技术的,应向金融监管总局或其派出机构报告。金融监管总局及派出机构建立监测预警与处置机制,优化风险监测预警指标体系,加强分析处置,完善监管工具方法,督促金融机构做好事前、事中、事后全链条风险防控,加强网络安全、数据安全等风险事件复盘分析,督促金融机构改进优化防御体系,聚焦对客服务、高风险应用场景制定风险应急预案,提升应急响应能力。做好跨部门合作协调,形成合力,避免信息孤岛,防范系统性风险。
(三十)建立监管定期评估机制。金融监管总局及派出机构强化对金融机构开发应用人工智能的监督管理,重点加强高风险场景应用监管。建立对监管政策和监管效果的年度评估机制,持续提高监管适配能力。
(三十一)加强监管人才队伍建设。金融监管总局及派出机构加强数字化、智能化培训,提升监管人员数据分析和智能工具的使用能力,着力培养复合型监管人才,提升与人工智能技术复杂度相匹配的风险识别、监测和处置能力。
(三十二)促进行业交流。鼓励加强人工智能领域沟通交流,通过经验分享、培训研讨、技能竞赛、案例宣传等方式,营造人工智能发展的良好文化氛围。行业自律组织应发挥桥梁纽带作用,促进行业经验交流。
国家金融监督管理总局
2026年6月18日
(此件发至金融监管分局与地方法人银行保险机构)
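National Financial Regulatory Administration Issues "Guiding Opinions on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Sectors"
https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1261708&itemId=915&generaltype=0
Officials of the relevant departments of the National Financial Regulatory Administration answer reporters' questions on the "Guiding Opinions on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Sectors"
https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1261710&itemId=917&generaltype=0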
Drafting Department: Department of Science and Technology Supervision | Date of Issuance: June 18, 2026
Document Title: Guiding Opinions of the National Financial Regulatory Administration on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Sectors
Document No.: Jin Fa [2026] No. 8
National Financial Regulatory Administration
Jin Fa [2026] No. 8
To all local offices of the National Financial Regulatory Administration; policy banks, large banks, joint-stock banks, foreign-funded banks, financial asset management companies, and wealth management companies; insurance groups (holding companies), insurance companies, and insurance asset management companies; financial holding companies; and units directly managed by the Administration:
In order to thoroughly implement the strategic deployment regarding accelerating artificial intelligence (AI) technological innovation and strengthening AI governance as outlined in the *Outline of the 15th Five-Year Plan for National Economic and Social Development of the People's Republic of China*; to implement the *Opinions of the State Council on Deeply Implementing the "AI+" Action*; to promote the high-quality development of digital finance; to advance the deep integration of AI technological innovation with financial business operations in an orderly manner; and to guide the application of AI in the financial sector toward healthy, orderly, beneficial, safe, and fair development, the following opinions are hereby issued.
I. General Requirements
Guided by Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era, we shall fully, accurately, and comprehensively implement the new development philosophy. We will adhere to the core principle of preventing risks, strengthening supervision, and promoting high-quality development; coordinate development and security; accelerate the cultivation and development of "new quality productive forces" in the financial industry; promote compliant, transparent, and trustworthy AI applications; strengthen classified and graded management; effectively address the risks and challenges brought about by AI development; and better serve the real economy and meet the needs of the people.
We will adhere to the principle that "users bear responsibility," solidifying the primary responsibility of financial institutions as both financial service providers and users of AI technology. We will strengthen the implementation of responsibilities across all internal operational stages of financial institutions and clarify the division of labor, rights, and obligations among all parties involved in AI development and application.
We will adhere to the principle of autonomy and controllability, continuously enhancing the level of independent control over AI-related technologies and equipment. We will improve independent research and development capabilities for critical platforms, software, and hardware that significantly impact business operations and development, and strengthen compatibility regarding the application and innovation of information technology.
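We will adhere to the principle of pragmatism and efficiency. Guided by the goal of enhancing business value, we will scientifically plan investment in AI development and application, effectively balance costs and benefits, and ensure that AI genuinely serves high-quality economic development and the efficient operation of financial business.
We uphold the principle of secure development; strictly implement national requirements for cybersecurity and information technology; comply with all laws, regulations, and systems regarding cybersecurity and data security; strengthen safeguards for technical and application security; and comprehensively enhance capabilities for security protection and emergency response.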
II. Improve the AI Governance Framework
(I) Strengthen governance over AI development and application. For banking and insurance institutions engaged in AI development and application (hereinafter referred to as "financial institutions"), the Board of Directors (or Board of Trustees) shall designate a specialized committee to oversee AI management. This committee shall coordinate development planning, advance capability building, formulate policies and standards, define lead departments and coordination mechanisms across business, technology, and data functions, and strengthen talent development. It shall also ensure adherence to the objective laws of technological evolution and guarantee that AI applications align with the institution's risk management capabilities.
(II) Establish a management system for AI applications. Financial institutions shall establish a sound full-lifecycle management system covering requirements analysis, data preparation, training and development, deployment and operation, maintenance and iteration, and evaluation and decommissioning. They shall standardize model R&D, application, and asset management; strengthen data security assessments, algorithmic risk screening, ethical reviews, and accountability mechanisms; and implement risk-based classification and grading management for AI applications. Institutions should explore establishing performance evaluation mechanisms for AI applications that prioritize business value.
(III) Strengthen management of AI application scenarios and business processes. Financial institutions shall strengthen AI algorithm assessments based on the principle of matching technology to application scenarios, ensuring appropriate AI technologies are applied to suitable business contexts. They shall promote the positive role of AI in serving the real economy and strengthening financial risk management, while implementing "look-through" controls for risks in key areas such as related-party transactions and the use of funds. Institutions shall refine business management processes that feature human-machine collaboration; scientifically define functional boundaries and system/data access rights; clarify personnel responsibilities; and ensure that management responsibilities across the entire business process are clear, actionable, and traceable.
III. Advance High-Level AI Development and Application
(IV) Improve development and testing systems. Financial institutions with the necessary capabilities are encouraged to establish one-stop AI development platforms to manage the entire process from model development to deployment. Efforts should be made to enhance capabilities for low-code development and interactive model validation tailored to business personnel. Improve the AI evaluation system by developing testing toolchains, evaluation metrics, and test case sets; comprehensively assess models regarding their fundamental capabilities, support for financial business operations, and security and reliability; and enhance automated evaluation capabilities.
(V) Promote the application of next-generation AI technologies. Support financial institutions in advancing the business application of generative AI technologies and building supporting capability systems, provided that risks remain controllable; prudently explore AI technology R&D and the development of financial AI agents. Financial institutions must implement access management for generative AI models, evaluating their performance, security, and compliance. Externally sourced generative AI models must be filed with cyberspace administration authorities.
(VI) Strengthen the AI operational service system. Conduct regular performance evaluations and analyses of models, establish a data closed-loop feedback mechanism, and achieve iterative optimization across the "data-model-application" chain. Support qualified financial institutions in establishing enterprise-level Model-as-a-Service (MaaS) platforms to enable model sharing and reuse across the enterprise.
(VII) Foster an AI application ecosystem within the industry. Advance the construction of infrastructure for AI applications in the financial sector and promote the sharing and reuse of AI application outcomes across the industry. Encourage large financial institutions to set an example by sharing AI technologies and management expertise with small and medium-sized financial institutions. Support collaboration among small and medium-sized financial institutions to jointly implement application scenarios. Encourage synergy with the AI industry, using financial applications to drive industrial innovation and development, and leveraging industrial achievements to enhance the quality and efficiency of financial applications.
IV. Enhance Data Governance Capabilities
(VIII) Improve the data management and operations system. Financial institutions should advance the construction of data operation mechanisms, establish management processes covering the entire data lifecycle, and enhance data service capabilities. Build enterprise-level data models and data asset maps, strengthen metadata management, and ensure data is discoverable and usable, compatible across types, and traceable to its source. Strengthen the management of unstructured data by formulating specifications for data collection, cleaning, labeling, application, and retirement. Prudently select database products that feature technological autonomy, reliable performance, and robust security protection capabilities.
(IX) Build high-quality AI datasets. Financial institutions should continuously develop high-quality datasets tailored to AI business scenarios, establish data quality standards, and implement efficient quality control mechanisms to ensure data accuracy, relevance, consistency, completeness, and freedom from bias. Explore the use of AI technologies to enhance the dynamic perception, intelligent extraction, and parsing of real-time and unstructured data. Continuously monitor for data distribution drift to ensure datasets are updated in a timely manner.
(X) Support the joint development and sharing of industry datasets. Encourage financial institutions with the necessary capabilities to coordinate multi-source data and integrate industry expertise and professional judgment. High-quality datasets should be created through systematic screening, cleaning, labeling, and synthesis, while facilitating lawful and compliant dataset sharing among financial institutions.
(XI) Advance the development of knowledge engineering. Support financial institutions in building enterprise-level knowledge management systems. Adhere to a value-oriented approach that serves business needs by constructing core knowledge models and establishing mechanisms and workflows for knowledge extraction, integration, and sharing. Implement comprehensive management standards covering the entire lifecycle—from knowledge creation, review, publication, and updating to archiving. Encourage the use of artificial intelligence technologies to enhance capabilities in knowledge extraction, representation, fusion, and alignment.
V. Strengthen Intelligent Computing Infrastructure
(XII) Strengthen the construction of intelligent computing infrastructure. Financial institutions should leverage existing computing resources and deploy intelligent computing capacity based on demand and in accordance with national policies. They should adopt green, low-carbon technologies to build secure, efficient, and independently controllable computing foundations, thereby supporting high-level technological self-reliance. Large financial institutions with the necessary capabilities are encouraged to provide computing services to small and medium-sized financial institutions, and industry peers are encouraged to explore the joint development and sharing of infrastructure. Subject to security and compliance requirements, financial institutions are supported in using national computing nodes or industry infrastructure to reduce the costs of AI research and application, while strengthening the management of critical IT outsourcing related to intelligent computing resources.
(XIII) Enhance secure operational capabilities. Financial institutions should strengthen the cloud-based management of intelligent computing resources and enhance operational monitoring of AI applications. Integrated management of applications, models, computing power, and networks should be implemented to ensure the safe and reliable operation of AI applications.
VI. Refine the AI Risk Governance Framework
(XIV) Improve the risk governance system. Financial institutions should incorporate AI-related risks into their comprehensive risk management systems and conduct regular assessments and reviews of AI application risks and management measures. Efforts should be made to strengthen security capabilities regarding model algorithms, data resources, infrastructure, and application systems, as well as to refine business and risk management processes. Measures must be taken to mitigate risks associated with unreliable model-generated outputs and to prevent accountability issues in critical business processes caused by "black-box" models. Solidify the foundations of data security, cybersecurity, personal information and privacy protection, and business continuity. Effectively address potential risks in financial operations—such as the convergence of investment strategies and the amplification of market volatility—and strictly prohibit the abuse of AI technology to generate false information or manipulate market prices.
(XV) Implement risk-based classification and tiered management. Financial institutions shall identify risks and implement classification and tiered management for artificial intelligence (AI) applications based on factors such as the importance of business scenarios, scale of application, impact on customers, reliance on models, and model complexity. Institutions must establish management policies, compile application inventories, implement tiered control measures, and assign management responsibilities.
(XVI) Strengthen access management for high-risk applications. Applications involving financial transactions, asset valuation, credit approval, underwriting and claims settlement, risk management, and other areas—as well as generative AI scenarios directly affecting customer interests or the conclusion of financial contracts—shall be classified as high-risk applications. High-risk AI applications must be approved by the institution's risk management committee before implementation.
(XVII) Strengthen monitoring and intervention for high-risk applications. Financial institutions shall enhance operational monitoring of AI within business scenarios to timely identify and control model risks. Mechanisms for human oversight and intervention must be established at critical stages of high-risk applications; conditions for emergency deactivation and model decommissioning must be clearly defined; and backup systems or manual fallback processes must be put in place.
(XVIII) Strengthen outsourcing risk management. When utilizing external AI technologies, financial institutions shall establish management mechanisms covering outsourcing strategies, data security, and concentration risk management. Rights, responsibilities, and obligations regarding security management must be clearly defined through contractual agreements to ensure effective risk control. Effective "firewalls" for risk isolation must be established when collaborating with external enterprises to prevent cross-sector risk contagion. A "whitelist" or similar list-based management system shall be implemented for outsourcing partners, and a rigorous internal assessment framework must be established for introduced external models to effectively evaluate their strengths, weaknesses, and suitability.
(XIX) Strengthen supply chain risk and open-source technology management. Financial institutions shall establish mechanisms for managing the security and compliance of the AI supply chain—including computing power, models, data, and technical tools—to ensure the autonomy and controllability of applications and to prevent concentration risks arising from over-reliance on specific technology service providers. Standards for the use of open-source technology must be refined, and management logs for open-source software maintained. Externally introduced open-source components must undergo review and assessment; code audits, vulnerability scanning, and security testing must be strengthened; and regular checks for potential risks in open-source components must be conducted to prevent supply chain poisoning attacks.
VII. Enhance Capabilities for Secure AI Development and Application
(XX) Enhance robustness. Financial institutions must ensure that the quality, quantity, and distribution of training datasets meet modeling requirements; adopt appropriate model architectures and training strategies; strengthen adversarial example detection and stress testing; and rigorously evaluate model sensitivity, stability, noise resilience, and fault tolerance. Following deployment, institutions should continuously monitor model performance and establish a feedback-driven update mechanism to facilitate iterative optimization.
(XXI) Enhance transparency. Financial institutions should strengthen the management of transparency in AI applications, establish standards for transparency and explainability in high-risk scenarios, and clearly articulate the logic behind model design, data usage, feature selection, and output results. AI-generated content must be clearly labeled and proactively disclosed to financial consumers. Institutions should also strengthen record-keeping for model development, change management, and training processes, ensuring that logs are retained for a period no shorter than the duration of the business activity.
(XXII) Promote explainability. Financial institutions should develop methods for AI model explainability and enhance inference interpretation and decision analysis. AI technologies with limited explainability may serve only as auxiliary tools in high-risk scenarios, with final decisions made by humans. When AI models are used for critical decisions affecting customer rights or having substantial financial impact, institutions must implement human review checkpoints and fully retain records of raw data, inference paths, and threshold triggers to ensure accountability. Regular audits of AI model algorithms should be conducted.
(XXIII) Ensure ethics and fairness. The development and application of AI by financial institutions must comply with laws, regulations, and societal values. Institutions should establish ethical review and monitoring systems for AI development and application, formulate ethical codes of conduct, strengthen dataset reviews and impact assessments regarding specific groups, and prevent unfair practices such as algorithmic discrimination. The use of protected characteristics or attributes must be justified, and biased samples should be removed. For AI applications involving public services, critical information infrastructure, or public safety, institutions should conduct ethical risk monitoring and assessment, and promptly address any operational anomalies.
(XXIV) Strengthen data security and personal information protection. Financial institutions should integrate AI data security into their corporate data security management systems and strictly implement requirements for data classification and graded protection. They should standardize development processes and data access controls, guard against data poisoning, refine data de-identification protocols, and avoid using data that can directly identify individuals. Personal information and private data—such as names, ID numbers, mobile phone numbers, and bank card numbers—must not be used for the training or optimization of generative AI models, thereby effectively preventing the leakage of customer privacy. Efforts must be made to strengthen model security guardrails and enhance content filtering and data de-identification management. Data security during outsourcing processes must be strictly managed.
(XXV) Enhance cybersecurity defense capabilities. Financial institutions must strengthen cybersecurity management in the development and application of AI, reinforce adversarial attack testing and output verification, and improve model deployment security through measures such as data isolation and access control. They must continuously monitor model behavior and regularly scan for and patch vulnerabilities in AI models and related system components to effectively guard against threats such as prompt injection, chain-of-thought injection, multimodal attacks, and context pollution. Security assurance capabilities for intelligent agent systems must be enhanced to prevent risks such as data leakage, memory pollution, unauthorized privilege escalation, tool misuse, and loss of operational control.
(XXVI) Strengthen operational resilience and business continuity management. Financial institutions must incorporate AI applications into their business continuity management systems, conduct business impact analyses, formulate emergency response plans, and bolster security operations management, incident handling, and disaster recovery capabilities. In the event of a malfunction, manual processes must intervene promptly or backup systems must be activated to ensure the stability and reliability of AI applications.
VIII. Safeguards and Supervision
(XXVII) Strengthen supervision and guidance. The National Financial Regulatory Administration and its local offices shall strengthen guidance, actively promote the safe development and application of artificial intelligence technology, and urge financial institutions within their jurisdictions to fully implement risk governance requirements. Regulatory authorities at all levels must fulfill their responsibilities by strengthening risk assessment and supervisory inspections; they should focus on compliance risks associated with relevant financial activities, urge financial institutions to improve their risk governance systems, promptly rectify issues such as inadequate policy implementation or deviations in execution, and strictly penalize violations.
(XXVIII) Promote the establishment of standards for safe application implementation. The National Financial Regulatory Administration (NFRA), in conjunction with relevant departments, will actively promote the construction of a technical framework for the safe development and application of generative AI in the banking and insurance sectors. Efforts will be made to standardize classification and grading management, clarify standards and specifications for safe development, and guide financial institutions to effectively enhance the safety of AI application development.
(XXIX) Strengthen risk monitoring and response. Financial institutions utilizing generative AI technology for public-facing services or high-risk application scenarios must report such usage to the NFRA or its local offices. The NFRA and its local offices will establish monitoring, early warning, and response mechanisms; optimize risk monitoring and early warning indicator systems; strengthen analysis and handling; and refine regulatory tools and methods. They will urge financial institutions to implement comprehensive risk prevention and control across the entire chain—before, during, and after operations—and to conduct post-incident reviews and analyses of cybersecurity and data security risks. Financial institutions will be urged to improve and optimize their defense systems, formulate risk contingency plans focusing on customer services and high-risk application scenarios, and enhance emergency response capabilities. Cross-departmental cooperation and coordination will be strengthened to create synergy, eliminate information silos, and prevent systemic risks.
(XXX) Establish a mechanism for regular regulatory assessment. The NFRA and its local offices will strengthen the supervision and management of AI development and application by financial institutions, with a particular focus on high-risk application scenarios. An annual assessment mechanism for regulatory policies and their effectiveness will be established to continuously improve regulatory adaptability.
(XXXI) Strengthen the development of regulatory talent. The NFRA and its local offices will enhance training in digitalization and intelligent technologies, improve the data analysis and intelligent tool proficiency of regulatory personnel, and focus on cultivating multidisciplinary regulatory talent. Efforts will be made to enhance capabilities in risk identification, monitoring, and handling that match the complexity of AI technology.
(XXXII) Promote industry exchange. Communication and exchange within the AI field will be encouraged. A favorable cultural atmosphere for AI development will be fostered through methods such as experience sharing, training seminars, skills competitions, and the promotion of case studies. Industry self-regulatory organizations should act as bridges and links to facilitate the exchange of industry experience.
National Financial Regulatory Administration
June 18, 2026
(Distributed to local branches of the financial regulatory authority and local incorporated banking and insurance institutions)
National Financial Regulatory Administration Issues "Guiding Opinions on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Sectors"
https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1261708&itemId=915&generaltype=0
Officials from Relevant Departments of the National Financial Regulatory Administration Answer Reporters' Questions Regarding the "Guiding Opinions on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Sectors"
https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1261710&itemId=917&generaltype=0



