AI Regulation Tracker / Industry standard
Taiwan bank rules require a named AI-accountable executive and a "you're talking to a machine" disclosure
Taiwan's Bankers Association issued operational standards that make a senior officer or committee own each bank's AI and require banks to tell customers plainly whether they are dealing with a human or a machine. The FSC has recorded the standards, giving them supervisory weight even though they are self-regulatory.
Taiwan's banking sector now has an explicit operating rule for artificial intelligence, and it does two things that regulators in larger markets are still legislating toward. It puts a named human in charge of every bank's AI, and it requires banks to tell customers, plainly, when they are dealing with a machine rather than a person.
The instrument is the Operational Standards for Financial Institutions' Use of AI Technology (金融機構運用人工智慧技術作業規範), issued by the Bankers Association of the Republic of China on March 14, 2024. It is an industry self-regulatory standard rather than a statute, but the Financial Supervisory Commission recorded it (備查), which folds it into the supervisory expectations examiners apply to member banks. In practice, "self-regulatory" here does not mean optional.
A named owner for the algorithm
The first duty is accountability with a face. Each bank must designate senior management or a committee as accountable for AI oversight. The standard does not let responsibility diffuse across a project team or sit unowned with a vendor. That mirrors the direction of financial-sector AI governance internationally, where supervisors increasingly want a specific, senior person answerable for how a model behaves and what happens when it fails.
For a bank, the practical test is simple. If an examiner or a customer asks who owns a given AI system, there should be one clear answer, and that answer should sit high enough in the organization to change how the system is built and used. The committee option matters for larger institutions, where a single named executive may not be the right fit for a portfolio of models spanning credit, service, and fraud. The standard accommodates that by allowing a committee, provided the accountability is real and traceable rather than a formality on an org chart.
Tell the customer it is a bot
The second duty is disclosure. Banks must clearly disclose to consumers whether they are interacting with a human or a machine. This is the provision that lines up most directly with consumer-protection thinking elsewhere: a customer has a right to know whether the entity answering a chat, recommending a product, or handling a service request is a person or software.
The disclosure duty is tied to where the risk to consumers is real. The standards apply to three scenarios: consumer-facing product recommendation, customer service that affects a customer's transaction rights, and operations with significant impact. The common thread is that the customer's money, choices, or rights are on the line, and confusion about who or what they are dealing with could cause harm. A recommendation engine steering a customer toward a product, a service chatbot resolving a dispute over a transaction, and an internal system whose output significantly affects customers all fall inside the scope. Casual or purely informational uses that do not touch a customer's rights sit further from the core of the rule.
Vendor risk cannot be outsourced away
The third duty addresses the reality that most banks buy AI rather than build it. Where a third-party vendor supplies the AI, the bank and vendor must allocate risk-monitoring duties by contract. Responsibility for watching how a model performs, and for catching when it drifts or misfires, has to be written down and assigned. A bank cannot treat a vendor relationship as a way to make the risk someone else's problem.
What it does not do
The standards are guidance recorded by the FSC, not a penal statute with its own fines. Enforcement runs through the supervisory relationship and the broader FSC financial-sector AI framework rather than through a standalone penalty schedule in this document. The rules also do not ban AI in banking or impose the kind of prior-approval regime seen for high-risk systems in some jurisdictions. They set duties of governance, disclosure, and contracting, and leave the technology choices to the bank.
The cross-border read
For a US reader, the standards do not bind a US bank unless it operates in Taiwan through a covered institution. Their significance is as a signal. The human-or-machine disclosure duty reaches the same result as chatbot-disclosure laws such as California's SB 1001 and the transparency obligations in Article 50 of the EU AI Act, but Taiwan got there through banking self-regulation first, sector by sector, rather than through a single horizontal statute. For firms tracking where financial-sector AI rules are heading, it is a working example of a named-owner-plus-disclosure model already in force.
Frequently Asked Questions
What changed for Taiwan banks under these AI standards?
Since March 14, 2024, banks using AI must designate a senior manager or committee accountable for AI oversight, disclose to consumers whether they are dealing with a human or a machine, and allocate risk-monitoring duties with third-party AI vendors by contract. The Bankers Association issued the standards and the FSC recorded them.
Who has to comply?
Banks and financial institutions in Taiwan that use AI in consumer-facing product recommendation, in customer service that affects a customer's transaction rights, or in operations with significant impact. The duties fall on compliance, model-risk, and vendor-management functions in particular.
Are these standards legally binding with penalties?
They are self-regulatory guidance from the Bankers Association, recorded (備查) by the FSC rather than enacted as a statute with its own fines. Recording gives them supervisory weight, so examiners can hold member banks to them, but the document itself is not a penal law.
Do these rules affect a US bank?
Not directly, unless it operates in Taiwan through a covered institution. The relevance for US firms is as a precedent: the human-or-machine disclosure duty reaches the same place as California's SB 1001 and EU AI Act Article 50, arrived at through banking self-regulation.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.