On 18 June 2026, China's National Financial Regulatory Administration (NFRA) issued the Guidelines on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Industry (NFRA [2026] No. 8). Comprising 32 guiding principles across seven pillars (governance, development and deployment, data governance, computing infrastructure, risk management, capability building, and supervisory support), the document represents China's first comprehensive regulatory framework governing AI specifically within financial services.

The most significant change is organisational rather than technical. The guidelines require boards of directors to establish dedicated governance arrangements for AI, formulate institution-wide AI strategies, and create cross-functional coordination mechanisms spanning business, technology, risk management, legal and data teams. This effectively elevates AI from an IT initiative into a strategic enterprise capability. Future AI decisions will no longer be driven solely by technology departments, but increasingly shaped by boards and senior executives responsible for balancing innovation, operational resilience and regulatory compliance.

China's leading banks are already well advanced. ICBC has built its "Gongyin Smart" enterprise large language model platform, deploying AI across more than twenty major business domains, including corporate lending, retail credit, customer service and remote banking. China Merchants Bank reported that by the end of 2025 nearly 98% of employees had completed foundational AI capability training, reflecting its strategy of embedding AI across the organisation rather than concentrating expertise within technology teams. Even these industry leaders, however, will need to strengthen governance structures to satisfy the guidelines.
For regional and medium-sized banks that remain at an earlier stage of AI adoption, establishing dedicated governance frameworks may prove a far greater organisational challenge than deploying the technology itself.

The move also aligns China with an emerging global trend. In the United States, although regulators have not introduced sector-specific AI legislation for banking, institutions including JPMorgan Chase, Bank of America and Capital One have established Chief AI Officers or enterprise AI governance committees. Similarly, European regulators increasingly expect boards to assume explicit accountability for AI oversight under the EU AI Act and the Digital Operational Resilience Act (DORA).

NFRA requires full AI lifecycle governance from banks

The guidelines require banks to establish comprehensive lifecycle management covering every stage of AI development, from business requirement analysis and data preparation through model development, testing, deployment, monitoring, upgrading and eventual retirement. This represents a fundamental shift from project-based AI experimentation towards industrial-scale AI governance. Banks are also encouraged to build unified AI development platforms while implementing formal access management procedures for foundation models and generative AI systems. The immediate implication is that AI development will become considerably more disciplined and expensive.

Globally, banks are moving rapidly from pilot projects into production. According to Evident Insights, 47 of the world's 50 largest banks announced 173 new AI use cases during the past year alone, spanning customer service, software engineering, financial crime detection, risk management and internal productivity. Within China, Bank of China had already deployed AI across 274 internal application scenarios by mid-2025.
Under the new guidelines, however, externally sourced foundation models will face significantly higher governance requirements, while the principle of "autonomous controllability" will encourage greater investment in proprietary AI capabilities, domestic model development and internally governed AI platforms. Rather than slowing AI adoption, the guidelines are likely to accelerate the transition from isolated AI applications to enterprise-scale AI operating models.

NFRA bars personal data from AI model training

Among all provisions, the data governance requirements are likely to have the most immediate operational impact. The guidelines establish a clear regulatory boundary by prohibiting personally identifiable information, including names, identification numbers, mobile numbers and bank account information, from being used to train or fine-tune generative AI models. For banks, whose greatest competitive asset is often their extensive customer data, this fundamentally changes the economics of AI development. Institutions will need sophisticated data anonymisation, masking and synthetic data generation capabilities before sensitive information can be incorporated into AI development pipelines. Data lineage, governance and auditability therefore become just as important as model performance.

Interestingly, stricter data restrictions may strengthen the competitive position of larger banks. Institutions with mature data governance frameworks, high-quality structured data and dedicated compliance resources will be better positioned to develop AI safely while remaining compliant.

Internationally, the approach mirrors broader regulatory developments. The European Union's General Data Protection Regulation (GDPR) already places stringent restrictions on personal data processing, while the EU AI Act reinforces requirements around transparency, documentation and risk management.
Singapore's Monetary Authority of Singapore (MAS) has similarly promoted responsible AI through the FEAT Principles (Fairness, Ethics, Accountability and Transparency) and the Veritas framework, both of which emphasise explainability and responsible data governance in financial services. China's guidelines therefore reflect an increasingly shared international consensus that responsible data governance is becoming the foundation upon which trustworthy AI must be built.

NFRA treats computing infrastructure as a shared banking resource

Unlike many overseas AI frameworks, the NFRA's guidelines explicitly recognise computing infrastructure as a strategic financial resource. Large financial institutions are encouraged to provide AI computing services to smaller institutions while supporting shared infrastructure, collaborative platforms and resource pooling across the industry. This reflects China's broader national strategy of developing domestic AI infrastructure and reducing dependence on external technology ecosystems. ICBC has already constructed the banking industry's first domestically controlled AI computing cloud capable of trillion-parameter model training using thousands of AI accelerators.

For major banks, computing power could evolve into an entirely new service offering, complementing traditional financial products. Smaller banks, meanwhile, gain access to advanced AI capabilities without bearing the substantial capital expenditure associated with building proprietary infrastructure. However, shared infrastructure may also deepen technological dependence on larger institutions, potentially widening competitive gaps in AI capability despite improving overall industry access.

Similar trends are emerging globally.
Several international banking groups have increasingly partnered with hyperscale cloud providers such as Microsoft Azure, Google Cloud and Amazon Web Services to access advanced AI infrastructure, although regulators continue to scrutinise concentration risk and operational resilience associated with cloud dependency.

NFRA classifies credit approval and lending as high-risk AI

Perhaps the most consequential regulatory innovation is the formal classification of "high-risk AI applications." The guidelines identify fund transfers, asset valuation, credit approval, underwriting, claims assessment, risk management and any AI application directly influencing financial contract decisions as high-risk scenarios. These applications require approval by institutional risk committees, mandatory human oversight at critical decision points, and regulatory reporting when generative AI is deployed in customer-facing or high-risk use cases.

Credit approval is particularly significant. Many banks have invested heavily in AI-assisted lending over recent years. The guidelines make clear that AI should support, not replace, human judgement. China Construction Bank's "human-in-the-loop" lending model, combining AI recommendations with expert review, already aligns closely with this regulatory direction.

Globally, regulators are reaching similar conclusions, albeit through different mechanisms. The EU AI Act classifies credit scoring as a high-risk AI application, triggering some of the strictest compliance obligations under European law. The Bank for International Settlements (BIS) has repeatedly emphasised the need for explainability, governance and human accountability in AI-driven financial decision-making.
Meanwhile, US banking regulators, including the Federal Reserve, Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC), continue to rely largely on existing model risk management principles while gradually incorporating AI-specific supervisory expectations rather than introducing standalone AI legislation.

Compared with these approaches, China's guidelines strike a relatively pragmatic balance. Rather than imposing rigid statutory requirements, they establish operational expectations that provide institutions with flexibility while signalling regulators' long-term supervisory direction.

NFRA pushes banks to invest in AI talent and capability

Beyond technology and compliance, the guidelines recognise that AI transformation ultimately depends on people. Banks are encouraged to strengthen AI talent development, improve employee AI literacy, establish multidisciplinary teams and cultivate expertise spanning technology, business, risk management and legal compliance. This reflects a growing international consensus that successful AI adoption requires organisational capability rather than technology deployment alone. Leading global banks increasingly measure AI readiness not simply by the number of models deployed but by workforce capability, governance maturity and institutional adaptability. China's emphasis on enterprise-wide capability building therefore represents an important evolution from technology investment towards organisational transformation.

The NFRA guidelines signal a decisive evolution in China's AI strategy for financial services. The regulatory focus is shifting from deploying AI as quickly as possible towards deploying AI responsibly, transparently and sustainably. Although compliance will inevitably increase short-term costs, particularly in governance, data management and model oversight, the framework also provides greater regulatory certainty for long-term investment.
For large banks, stronger governance will reinforce existing competitive advantages built on scale, data and technology. For smaller institutions, shared infrastructure and clearer regulatory expectations lower some of the barriers to AI adoption while encouraging industry collaboration.

More broadly, China's approach reflects a global convergence in financial regulation. Whether through the EU AI Act, Singapore's responsible AI initiatives, emerging US supervisory practices or the BIS's governance principles, regulators increasingly agree on one fundamental proposition: that AI must remain accountable, explainable and subject to meaningful human oversight when applied to critical financial decisions.

Rather than constraining innovation, China's new guidelines establish the governance architecture necessary for AI to become a trusted component of the banking system. In doing so, they position safety not as the opposite of innovation, but as its essential prerequisite for long-term, high-quality development.