News & Insights

Use of Generative AI: 3 regulatory steps for licensed corporations

View PDF

Authored by: Isabella Wong

The Securities and Futures Commission (SFC) has issued a circular for licensed corporations using generative artificial intelligence language models (AI LMs). Effective 12 November 2024, licensed corporations must comply with specific notification, senior management and risk management requirements as set out in the circular when adopting AI LMs for their regulated business activities. These requirements can be distilled into the following steps that licensed corporations need to address for use of AI LMs.

1. Identify high-risk use case and notify the SFC

Licensed corporations should consider the use cases for AI LMs before adoption. Utilizing AI LMs to provide investment recommendations, advice, or research to investors or clients is considered a “high-risk use case” by the SFC. This type of usage would be viewed as a significant change to the nature of business and services offered by a licensed corporation, triggering a mandatory notification to the SFC within 7 business days of implementation. The SFC encourages licensed corporations to discuss their plans for high-risk use cases involving AI LMs with the SFC.

2. Engage senior management to prepare for the expanded responsibilities

Senior management of a licensed corporation using AI LMs for regulated activities should aware the risks and limitations of the AI LM and its input data, to ensure the deployed model is fit for purpose given those considerations. Senior management responsibilities could expand to the (i) design, implementation, customization, training, testing, and calibration (Model Development) and (ii) validation, approval, ongoing review and monitoring, use, and decommissioning (Model Management) of the AI LMs. Senior management need to ensure that throughout the lifecycle of Model Development and Model Management, the licensed corporation would implement:

  • effective policies, procedures, and internal controls for using AI LMs for proper performance of business activities; and
  • adequate oversight (and particularly on high-risk use cases) and governance by qualified and experienced individuals.

An effective governance framework should identify high-risk use cases, considering potential adverse client impact if the AI LM’s output is inaccurate or inappropriate. This requires responsible staff from the business, risk, compliance, and technology functions who have relevant knowledge, experience or qualification in AI, data science, model risk management, and domain expertise to manage the licensed corporation’s adoption and implementation of AI LMs, along with legal and compliance personnel assessing the legal and compliance risks.

3. Enhance risk management controls

Licensed corporations can adopt a risk-based approach to implement controls commensurate with the materiality of the impact and level of risks presented by the specific use cases for AI LMs. Below is a high-level matrix outlining the SFC’s risk management expectations for the use of AI LMs across different aspects:

Key Contacts

Isabella Wong

Partner | Financial Services

Email or call +852 2825 9577

Portfolio Builder

Select the legal services that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download


Click here to share this shortlist.
(It will expire after 30 days.)