香港《有關(guān)使用生成人工智能的消費(fèi)者保障》

OurRef:B1/15C

B9/67C

19August2024

TheChiefExecutive

AllAuthorizedInstitutions

DearSir/Madam,

ConsumerProtectioninrespectofUseofGenerativeArtificialIntelligence

Iamwritingtoprovideauthorizedinstitutionswithasetofguidingprinciplesinrespectofuseofgenerativeartificialintelligence(“GenAI”)incustomer-facingapplicationsfromconsumerprotectionperspective.

Inviewofthedevelopmentofbigdataanalyticsandartificialintelligence(“BDAI”),theHongKongMonetaryAuthority(“HKMA”)issuedasetofguidingprinciplesinthecircular“ConsumerProtectioninrespectofUseofBigDataAnalyticsandArtificialIntelligencebyAuthorizedInstitutions”dated5November2019(“2019BDAIGuidingPrinciples”),focusingonfourmajorareas,namelygovernanceandaccountability,fairness,transparencyanddisclosure,anddataprivacyandprotection(seeAnnex1forahandysummary

1

).Theseguidingprincipleshavedemonstratedtobebeneficialtobanksandcustomers,andhelpedpromotethehealthydevelopmentofBDAIintheHongKongbankingsector,asseenintheproliferationofusecasesofBDAIrevealedinarecentsurveyconductedbytheHKMA(seeAnnex2forasummaryofthesurveyresults).Moreimportantly,the2019BDAIGuidingPrincipleshavealsohelpedenhancecustomerconfidenceinusingbankingservicesadoptingBDAI.

Inrecentmonths,theHKMAnotesanincreasinginterestofthebankingsectorinadoptingGenAIintheiroperations.GenAIisaformofBDAIthatenablesgenerationofnewcontentsuchastext,image,audio,video,codeorothermedia,

1Forguidanceonriskmanagementofauthorizedinstitutionsinrespectoftheuseofartificialintelligence(includingGenAI),pleaserefertotheHKMAcircular“High-levelPrinciplesonArtificialIntelligence”dated1November2019,whichwillbeupdatedfromtimetotimeinthelightofmarketdevelopmentandpracticalexperience.

–2–

basedonvastamountsofdata.Atthismoment,adoptionofGenAIinthebankingsectorisstillatanearlystage,withmostofthecurrentapplicationsfocusingonimprovingbanks’operationalefficiency,suchasinternalchatbotsandcoding.Nonetheless,theabilityofGenAIincontent-creationmeansthatGenAIcouldbemoreextensivelyadoptedbythebankingsectorincustomer-facingactivities.Potentialapplicationsincludebutarenotlimitedtocustomerchatbots,customisedproductandservicedevelopmentanddelivery,targetedsalesandmarketing,androbo-advisorsinwealthmanagementandinsurance.TheuseofGenAIincustomer-facingactivitieswillhaveconsumerprotectionimplications.

GenAI,beingasubfieldofBDAI,basicallysharesasetofsimilarriskdimensions.Assuch,withrespecttoconsumerprotectionincustomer-facingapplications,theHKMAexpectsallauthorizedinstitutionstoapplyandextendthe2019BDAIGuidingPrinciplestotheuseofGenAIandcontinuetoadoptarisk-basedapproachcommensuratewiththerisksinvolved.Havingsaidthat,sinceGenAIusescomplexmodels,potentialriskssuchaslackofexplainabilityandhallucination(i.e.generatingoutputsthatseemrealisticbutarefactuallyincorrect,incomplete,lackimportantinformation,orlackrelevancetothecontext)couldcauseevenmoresignificantimpactoncustomers.TheHKMAhasthereforesetoutthefollowingadditionalprinciplesundereachofthefourmajorareasaimingtoensureappropriatesafeguardsforconsumerprotectionareinplacewhenGenAIisadoptedforcustomer-facingapplications.

1.Governanceandaccountability

TheboardandseniormanagementofauthorizedinstitutionsshouldremainaccountableforalltheGenAI-drivendecisionsandprocesses,andhavethoroughlyconsideredthepotentialimpactofGenAIapplicationsoncustomersthroughanappropriatecommitteeunderthegovernance,oversightandaccountabilityframeworkofauthorizedinstitutions.Theyshouldensure,amongothers:

(a)thescopeofcustomer-facingGenAIapplicationsisclearlydefinedsuchthatGenAIusagewouldnotbeusedinunintendedareas;

(b)properpoliciesandproceduresaredevelopedontheresponsibleuseofGenAIincustomer-facingapplicationsandrelatedcontrolmeasuresareputinplace;and

(c)propervalidationoftheGenAImodelsareputinplace,inparticular,duringtheearlystageofdeployingcustomer-facingGenAIapplications,authorizedinstitutionsshouldadoptthe“human-in-the-loop”approach,i.e.having

–3–

humantoretaincontrolinthedecision-makingprocesstoensurethemodel-generatedoutputsareaccurateandnotmisleading.

2.Fairness

AuthorizedinstitutionsshouldensureGenAImodelsproduceobjective,consistent,ethicalandfairoutcomestocustomers,whichincludeensuring,amongothers:

(a)themodel-generatedoutputswouldnotleadtounfairbiasordisadvantageagainstanycustomersorgroupsofcustomers.AuthorizedinstitutionsshouldgiveconsiderationtodifferentapproachesthatmaybedeployedintheGenAImodels,suchasanonymisingcertaincategoriesofdata,deployingdatasetsthatarecomprehensiveandfairrepresentationofthepopulation,makingadjustmentstoremovebiasduringthevalidationandreviewprocess(e.g.byadopting“human-in-the-loop”),etc.;and

(b)duringtheearlystageofdeployingcustomer-facingGenAIapplications,customersareprovidedwiththeoptiontooptoutofusingGenAIandrequesthumaninterventiononGenAI-generateddecisionattheirdiscretionasfaraspracticable.Wherean“opt-out”optioncannotbeprovidedforsomereasons,authorizedinstitutionsshouldprovidechannelsforcustomerstorequestforreviewoftheGenAI-generateddecisions.Withthecontinuousevolutionoftechnology,othermeasuresthatcanyieldthesameeffectof“opt-out”optionwillalsobeacceptable.

3.Transparencyanddisclosure

AuthorizedinstitutionsshouldprovideanappropriateleveloftransparencytocustomersregardingtheirGenAIapplicationsthroughproper,accurateandunderstandabledisclosure.Accordingly,theyshoulddisclosetheuseofGenAItocustomers,and,amongothers,communicatewithcustomersontheuseandpurposeofadoptionoftheGenAImodelsaswellasthelimitationsofsuchmodels,inordertoenhancecustomers’understandingofthemodel-generatedoutputs.

4.Dataprivacyandprotection

Authorizedinstitutionsshouldimplementeffectiveprotectionmeasurestosafeguardcustomerdata.Inparticular,ifpersonaldataarecollectedandprocessedbyGenAIapplications,authorizedinstitutionsshouldcomplywiththePersonalData(Privacy)OrdinanceandpaydueregardtorelevantrecommendationsandgoodpracticesissuedbytheOfficeofthePrivacy

–4–

CommissionerforPersonalData(“PCPD”)relatedtoGenAI,including,amongothers,the“GuidanceontheEthicalDevelopmentandUseofArtificialIntelligence”publishedon18August2021andthe“ArtificialIntelligence:ModelPersonalDataProtectionFramework”publishedon11June2024.

ProactiveuseofBDAIandGenAIinenhancingconsumerprotection

BDAI,inparticularGenAI,hasthepotentialforproduct-featureoptimisationandcustomersegmentationtotheindividuallevel,therebyallowingbankstobepreciseindesigningandpromotingspecificproductsforspecificcustomersinanefficientandcustomisedmanner,posingbusinesspotentialandopportunities.Alongsimilarlogic,authorizedinstitutionsareencouragedtoexploretheuseofBDAI,includingGenAI,inenhancingconsumerprotection.Someexamplesmayincludeidentificationofcustomerswhoarevulnerableandrequiremoreprotectionandeducation;identificationofcustomerswhomayneedmoreinformationorclarificationstobetterunderstandproductfeatures,risks,andtermsandconditionsinthedisclosure;orissuanceoffraudalertstocustomersengagingintransactionswithpotentiallyhigherrisks.

Shouldyouhaveanyquestionsregardingthiscircular,pleasefeelfreetocontactMsCherryYipon2597-0495orMrMichaelLeungon2878-1186.

Yoursfaithfully,

AlanAu

ExecutiveDirector(BankingConduct)

c.c.TheChairman,TheHongKongAssociationofBanks

TheChairman,TheDTCAssociation

SecretaryforFinancialServicesandtheTreasury(Attn:MrJustinTo)

–5–

Annex1

GuidingPrinciplesintheHKMAcircular“ConsumerProtectionin

respectofUseofBigDataAnalyticsandArtificialIntelligenceby

AuthorizedInstitutions”dated5November2019

1.Governanceandaccountability

TheboardandseniormanagementofauthorizedinstitutionsshouldremainaccountableforalltheBDAI-drivendecisionsandprocesses.Accordingly,theyshouldensure,amongothers:

(a)appropriategovernance,oversightandaccountabilityframeworkwhichisestablishedanddocumented;

(b)appropriatelevelofexplainabilityoftheBDAImodelsincludinganyalgorithms(i.e.noblack-boxexcuse),andthatthemodelscanbeunderstoodbytheauthorizedinstitutions;

(c)adherencetotheconsumerprotectionprinciplessetoutintheCodeofBankingPractice,TreatCustomersFairlyCharterandotherapplicableregulatoryrequirements,asinthecaseofprovidingconventionalbankingproductsandservices.BDAIapplicationsshouldalsobeconsistentwiththecorporatevaluesandethicalstandardsofauthorizedinstitutionswhichshouldinclude,amongothers,upholdingcustomer-centriccultureandprinciples;and

(d)propervalidationbeforelaunchofBDAIapplications,andthereafteron-goingreviews,toensurethereliability,fairness,accuracyandrelevanceofthemodels,datausedandtheresults.

2.Fairness

AuthorizedinstitutionsshouldensurethatBDAImodelsproduceobjective,consistent,ethicalandfairoutcomestocustomers,whichincludeensuring,amongothers:

(a)compliancewiththeapplicablelaws,includingthoserelevanttodiscrimination;

(b)customeraccesstobasicbankingservicesarenotdeniedunjustifiablywhichwillbeagainstthespiritoffinancialinclusion;

–6–

(c)customers’financialcapabilities,situationandneeds,includingtheirlevelofdigitalliteracy,aretakenintoaccount;

(d)themodelsusedfortheBDAI-drivendecisionarerobustandhaveappropriatelyweighedallrelevantvariables;and

(e)thepossibilityofmanualinterventiontomitigateirresponsiblelendingdecisionswherenecessary(e.g.incasesinvolvinghigherrisksorimpactsfromtheautomateddecision).

3.Transparencyanddisclosure

AuthorizedinstitutionsshouldprovideappropriateleveloftransparencytocustomersregardingtheirBDAIapplicationsthroughproper,accurateandunderstandabledisclosure.Accordingly,theyshould,amongothers:

(a)makecleartocustomers,priortoserviceprovision,thattherelevantserviceispoweredbyBDAItechnologyandoftheassociatedrisks;

(b)provideproperdisclosuretocustomerssothatcustomerscouldunderstandtheapproachofauthorizedinstitutionstousingcustomerdata;

(c)makeavailableamechanismforcustomerstoenquireandrequestreviewsonthedecisionsmadebytheBDAIapplications,andensurethatanyrelatedcomplainthandlingandredressmechanismforBDAI-basedproductsandservicesareaccessibleandfair;

(d)provideexplanationsonwhattypesofdataareused,andwhatfactorsorhowthemodelsaffecttheBDAI-drivendecisions,uponcustomers’requestandwhereappropriate.Fortheavoidanceofdoubt,suchexplanationstocustomersarenotrequiredforsystemsusedformonitoringandpreventionoffraudsormoneylaundering/terroristfinancingactivities;

(e)carryoutappropriateconsumereducationtoenhanceconsumers’understandingonBDAItechnologyinbankingservices;and

(f)ensurethatrelevantcustomercommunicationsareclearandsimpletounderstand.

–7–

4.Dataprivacyandprotection

Authorizedinstitutionsshouldimplementeffectiveprotectionmeasurestosafeguardcustomerdata.Accordingly,theyshould,amongothers:

(a)ifpersonaldataarecollectedandprocessedbyBDAIapplications:

-ensurecompliancewiththePersonalData(Privacy)Ordinance(“PDPO”)includingthe6DataProtectionPrinciples,anyrelevantcodesofpracticeissuedorapprovedbythePrivacyCommissionerforPersonalData(“PCPD”)givingpracticalguidanceoncompliancewiththePDPO,andanyotherapplicablelocalandoverseasstatutoryorregulatoryrequirements;

-payregardtotherelevantgoodpracticesissuedbythePCPDrelatedtoBDAIandFintech,including,amongothers,the“EthicalAccountabilityFramework”(the“Framework”),the“DataStewardshipAccountability,DataImpactAssessmentsandOversightModels”insupportoftheFramework,andthe“InformationLeafletonFintech”;

(b)considerembeddingdataprotectioninthedesignofaproductorsystemfromtheoutset(i.e.“privacybydesign”)andcollectingandstoringonlytheminimumamountofdatafortheminimumamountoftime(i.e.“dataminimisation”);and

(c)whererequestforconsenttothecollectionanduseofpersonaldatainrelationtoabankingproductorservicepoweredbyBDAItechnologyisrequired,ensurethatsuchconsentisasclearandunderstandableaspossibleintheinterestsofensuringinformedconsent.

–8–

Annex2

SurveyonConsumerProtectioninrespectof

theUseofBigDataAnalyticsandArtificialIntelligence

InMay2024,theHKMAconductedasurveyontheuseofbigdataanalyticsandartificialintelligence(“BDAI”)includinggenerativeartificialintelligence(“GenAI”)byauthorizedinstitutions.Atotalof28authorizedinstitutionsprimarilyservingretailcustomersweresurveyedandthefollowingsummariseskeyobservationsfromthesurvey.

A.UseofBDAI

75%ofsurveyedauthorizedinstitutionsreportedadoptingorplanningtoadoptBDAIintheprovisionofgeneralbankingproductsandservices,aswellasdailyoperations.Reportedusecasesspreadacrosscustomer-facingactivities(identityauthentication,customerchatbots,creditassessment),middle-officefunctions(AMLandfrauddetection,controlsandmonitoring)andback-officefunctions(operationalautomationanddocu