China Issues AI Security Rules for Banking and Insurance
China’s top financial regulator has released its first comprehensive framework governing the safe development and application of artificial intelligence in the banking and insurance sectors, marking a significant step in the country’s push to balance technological innovation with financial stability and data security.
On June 18, the National Financial Regulatory Administration (NFRA) officially published the “Guidelines on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Industries” (Document No. 8 of 2026), as reported by Xinhua News. The framework contains 32 specific recommendations across eight major sections, covering everything from governance structures and data management to risk control and cybersecurity.
Why This Matters Now
The guidelines arrive at a pivotal moment. China’s financial sector has been rapidly integrating AI technologies—including generative AI—into credit assessment, risk management, customer service, and investment advisory. The NFRA stated in its official Q&A session that it had “closely tracked AI development trends” and conducted “in-depth research on the current state, problems, and challenges of AI applications” before formulating the rules.
The regulatory push builds on two key policy foundations: the State Council’s August 2025 “AI+” Action Opinion, which called for accelerating AI deployment across six major areas, and the 15th Five-Year Plan approved in March 2026, which mandated strengthened AI governance alongside technological advancement.
Core Provisions: What the Guidelines Require
Governance and Lifecycle Management
Financial institutions must now designate a board-level committee responsible for AI governance and establish a full lifecycle management system covering requirements analysis, data preparation, model training, deployment, maintenance, and eventual decommissioning. The guidelines mandate that AI applications be matched to appropriate business scenarios with clear human-machine collaboration workflows.
Strict Controls on Generative AI
In a notable provision, the guidelines require “access management” (准入管理) for generative AI models. Any externally sourced generative AI model must be registered with cyberspace authorities. The official document further prohibits the use of personal information—including names, ID numbers, phone numbers, and bank card numbers—in generative AI model training, a significant operational constraint for financial institutions.
Data Governance and Computing Power
Financial institutions are required to build high-quality datasets with standards for accuracy, relevance, consistency, completeness, and freedom from bias. The guidelines encourage enterprise-level knowledge management systems and permit cross-institution data sharing within legal frameworks. On the computing front, the rules emphasize “self-controllable” (自主可控) infrastructure—a key national priority—and encourage large institutions to share computing resources with smaller counterparts.
Risk Management Framework
In what is perhaps the most consequential section, the risk management provisions require AI risks to be integrated into institutions’ comprehensive risk management systems. High-risk applications (those involving fund transactions, asset evaluation, credit approval, underwriting, and claims) must receive approval from a risk management committee before deployment. These high-risk applications must also have manual supervision and intervention mechanisms, including backup systems and human fallback procedures.
Implications for China’s Financial Sector
The guidelines represent both a compliance challenge and a strategic opportunity for China’s financial institutions. Larger banks and insurers with established AI capabilities and compliance infrastructure may gain a competitive advantage, while smaller institutions may need to rely on shared services and industry platforms.
The emphasis on “self-controllable” technology aligns with China’s broader push for technological sovereignty, potentially accelerating domestic AI chip and software development. The NFRA press release framed the guidelines as part of efforts to “accelerate the cultivation of new quality productive forces” (新质生产力) in the financial industry—a term that has become a central policy concept under the current administration.
What to Watch For
Several questions remain open. The guidelines establish the regulatory framework but leave room for interpretation on enforcement mechanisms and penalties for non-compliance. It remains to be seen whether sector-specific implementation rules will follow for different types of financial institutions, and how the framework will adapt to rapidly evolving AI technologies.
The NFRA has committed to conducting annual assessments of regulatory policies and effectiveness, suggesting that this is the beginning of an iterative regulatory process rather than a static set of rules. As China positions itself as a leader in responsible AI deployment in financial services, the global financial community will be watching closely to see how these guidelines shape the future of AI in banking and insurance—both within China and potentially beyond.