In response to the growing use of artificial intelligence (AI) by banks, the Hong Kong Monetary Authority (HKMA) has provided guidance to the banking industry on the use of AI applications. These are high-level principles (set out briefly below) which banks are expected to take into account when designing and adopting their AI and big data analytics applications.
- The board and senior management remain accountable for all AI-driven decisions. Accordingly, they should ensure that a proper governance framework and risk management measures are in place to oversee the use of AI applications.
Application design and development
- Banks should ensure that their developers have the requisite competence and experience in designing and developing AI applications. Senior management should satisfy themselves that there is an effective mechanism to supervise the relevant staff.
- Trustworthy and robust AI applications should be explainable (i.e. no black-box excuse) to all relevant parties.
- Banks should adopt an effective data governance framework to ensure that the data used to train AI models are of good quality and relevance. Data quality issues identified should be escalated to the responsible parties for rectification in a timely manner.
- Banks should undertake rigorous validation and testing of trained AI models to confirm the accuracy and appropriateness of AI models before deployment.
- Banks should build in sufficient audit logs and produce relevant documentation during the design phase so that incidents or unfavourable outcomes can be tracked on a continuous basis to support investigations.
- Where banks rely on third-party vendors to develop AI applications, they should perform proper due diligence on these vendors (and implement effective vendor management controls including periodic reviews of the services provided).
- Banks should ensure that AI-driven decisions do not discriminate or unintentionally show bias against any group of consumers. The use of AI applications should comply with the banks’ corporate values and ethical standards, and uphold consumer protection principles.
On-going monitoring and maintenance
- Banks should conduct periodic reviews and on-going monitoring to ensure that AI applications continue to perform as intended.
- Banks should implement effective data protection measures. If personal data are collected and processed by AI applications, banks should ensure that they comply with the Personal Data (Privacy) Ordinance and any other applicable local and overseas regulatory requirements.
- Banks should ensure that their security controls can effectively deal with cybersecurity threats or attacks.
- Banks should implement contingency measures that can promptly suspend AI applications and trigger fall back procedures (e.g. human intervention or conventional processes) where unintended outcomes arise.
A copy of the principles can be found here.