AI Regulation Tracker / New guidance
China's Financial Regulator Issues Its First AI Rulebook for Banks and Insurers, and Bars Customer Data From Training Generative Models
Regulatory summary: The Guiding Opinions on the Safe Development and Application of Artificial Intelligence in the Banking and Insurance Industry (关于银行业保险业人工智能安全开发应用的指导意见), issued by China's National Financial Regulatory Administration (NFRA) as Jin Fa [2026] No. 8 around June 18, 2026, is China's first comprehensive AI framework written specifically for financial institutions.
China's National Financial Regulatory Administration has issued Guiding Opinions setting 32 requirements across seven pillars for how banks and insurers build and run artificial intelligence, including full-lifecycle model management, human oversight in high-risk uses, and an outright ban on using names, ID numbers, phone numbers, and bank-card numbers to train generative AI.
Key takeaways
- China moved from general, cross-sector AI and data rules to a single sector-specific rulebook for finance. Banks and insurers now face 32 concrete requirements covering governance structure, development and deployment, data governance, computing power, risk governance, safe-development capability, and supervision. New operative duties include full-lifecycle AI management, graded risk classification, mandatory human oversight and emergency shutdown for high-risk applications, admission controls for generative-AI models, mandatory reporting to the regulator when generative AI is used in public-facing or high-risk scenarios, and an explicit prohibition on training or optimizing generative models with personal identifiers.
- Model-risk and AI-governance teams at PRC banks and insurers; chief data officers and data-governance functions; compliance and internal audit; technology and information-security leads; and the AI vendors, foundation-model providers, and cloud and computing suppliers that sell into Chinese financial institutions. Multinational banks and insurers with China operations fall in scope for those operations.
- Status: Issued and in effect as a supervisory framework.
- Build a complete inventory of AI applications, tag which ones are high-risk or public-facing, confirm the human-oversight and kill-switch path for each, and run a data-lineage check to prove that names, ID numbers, phone numbers, and bank-card numbers are excluded from generative-AI training and tuning sets.
| Date | Jurisdiction | Rule | Affected professionals | Status or effective date |
|---|---|---|---|---|
| 2026-07-09 | China | China moved from general, cross-sector AI and data rules to a single sector-specific rulebook for finance. Banks and insurers now face 32 concrete requirements covering governance structure, development and deployment, data governance, computing power, risk governance, safe-development capability, and supervision. New operative duties include full-lifecycle AI management, graded risk classification, mandatory human oversight and emergency shutdown for high-risk applications, admission controls for generative-AI models, mandatory reporting to the regulator when generative AI is used in public-facing or high-risk scenarios, and an explicit prohibition on training or optimizing generative models with personal identifiers. | Model-risk and AI-governance teams at PRC banks and insurers; chief data officers and data-governance functions; compliance and internal audit; technology and information-security leads; and the AI vendors, foundation-model providers, and cloud and computing suppliers that sell into Chinese financial institutions. Multinational banks and insurers with China operations fall in scope for those operations. | Issued and in effect as a supervisory framework. Publicly announced around June 18, 2026, with the NFRA publishing an official interpretation on June 22, 2026. The regulator has committed to build out an industry technical framework, graded classification standards, monitoring, and periodic supervisory assessment. |
Frequently Asked Questions
Is this a binding rule or just guidance?
It is a set of regulatory guiding opinions issued by China's National Financial Regulatory Administration as Jin Fa [2026] No. 8. Guiding opinions are operative supervisory documents that bind the banks and insurers the NFRA regulates and that the regulator inspects and enforces. It is not a consultation draft.
Can a Chinese bank use customer data to train a generative AI model?
Not if that data includes the named identifiers. The document prohibits using personal information and privacy data such as names, ID numbers, phone numbers, and bank-card numbers to train or optimize generative AI models. Institutions must desensitize training and optimization data and prove the exclusion.
What counts as a high-risk AI application under the framework?
The document requires graded risk classification based on factors such as the importance of the business scenario, application scale, impact on customers, degree of model dependence, and model complexity. High-risk applications trigger human oversight and intervention, emergency-shutdown and retirement conditions, backup processes, and mandatory reporting to the regulator when generative AI is used in public-facing or high-risk scenarios.
Does it apply to foreign banks and insurers in China?
It applies to banking and insurance financial institutions operating in China, so the China operations of foreign banks and insurers fall in scope. The duties also extend to AI vendors and computing suppliers through the outsourcing and supply-chain provisions.
When does it take effect?
It is already in effect as a supervisory framework, announced around June 18, 2026, with an official interpretation published on June 22, 2026. The regulator has said it will develop a supporting industry technical framework, classification standards, and ongoing supervision.
Internal links
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.