
HKMA publishes generative AI principles for authorized institutions

The Hong Kong Monetary Authority issued principles-based guidance on responsible use of generative AI by authorized institutions, covering governance, model risk, and customer impact.

By AIMenta Editorial Team
AIMenta editorial take

Hong Kong banks now have a clear regulatory anchor for AI deployment. The next 6 months will see the procurement floodgates open for compliant vendors.

The Hong Kong Monetary Authority (HKMA) published its framework for generative AI governance in authorised institutions, setting out supervisory expectations for how licensed banks, deposit-taking companies, and money service operators should govern, deploy, and monitor generative AI systems. The circular updates and extends the HKMA's 2021 High-level Principles on Artificial Intelligence by specifically addressing the risks and governance requirements unique to large language models and multimodal systems.

**Core governance requirements.** The HKMA framework establishes five governance expectations for institutions deploying generative AI: (1) Board and senior management accountability for GenAI risks, including designation of a named senior officer responsible for the AI risk framework; (2) A model risk management programme covering GenAI systems, with hallucination risk and prompt injection risk explicitly identified as model risks requiring assessment; (3) Third-party AI vendor due diligence covering data residency, API security, model version control, and contractual provisions for audit access; (4) Customer disclosure when GenAI substantially contributes to a product recommendation or credit decision; (5) Ongoing monitoring of GenAI output quality, with human review escalation protocols for high-stakes outputs.

**Practical implications for APAC financial institutions.** For Hong Kong-based banks already compliant with the HKMA's 2021 AI Principles, the new framework requires three concrete additions: updating model risk management documentation to specifically address LLM/GenAI risks (the 2021 framework predated commercial GenAI deployment), adding prompt injection to the threat model in cybersecurity assessments, and establishing board-level reporting on GenAI risk appetite. These are documentation and governance updates — not fundamental changes to deployed AI systems.

**Cross-border implications.** Hong Kong-based banks with operations in mainland China, Singapore, and other APAC jurisdictions face multiple overlapping AI governance requirements. The HKMA framework aligns broadly with MAS's GenAI guidelines and PBOC's AI risk circulars, but diverges on data residency expectations (HKMA is more permissive of cross-border data processing than mainland regulators) and customer disclosure thresholds. Institutions operating in multiple APAC jurisdictions should map requirements to their most restrictive applicable regulation.

**AIMenta's editorial read.** For HKMA-regulated institutions, this framework is a compliance mandate with a 12-month implementation timeline for the governance documentation components. Begin with the board accountability designation and the model risk management programme update; both are prerequisites for satisfying the HKMA's supervisory review process. The vendor due diligence checklist section of the circular is the most practically useful part for procurement decisions.
