Licensing · 2026-01-30
HKMA Conduct RegTech Applications in Banking: Using AI for Compliance Monitoring
This does not constitute legal advice. Consult a solicitor for your specific case.
The Hong Kong Monetary Authority (HKMA) issued a supervisory policy manual update in October 2024, formally expanding its “Conduct RegTech” framework to include generative AI and machine learning for real-time compliance monitoring in the banking sector. This shift comes as the HKMA’s 2023 “e-Banking Survey” recorded that over 68% of retail banks in Hong Kong had already deployed some form of RegTech, yet only 12% used it for conduct surveillance. The gap is now closing: the HKMA’s “Supervisory Policy Manual (SPM) – General Principles for Technology Risk Management” (TM-G-1, revised 2024) explicitly requires authorised institutions to demonstrate that their AI-driven compliance monitoring systems can detect market misconduct, money laundering red flags, and insider dealing patterns within a 24-hour window. For compliance officers and licensed corporations, the regulatory expectation is no longer whether to adopt AI, but how to validate and explain its outputs to the HKMA under the “Supervisory Review Process” (SRP). The 2025 deadline for Phase 2 of the HKMA’s “Conduct RegTech Adoption Roadmap” makes this a pressing operational priority.
The HKMA’s Conduct RegTech Framework: Scope and Mandate
The HKMA’s approach to Conduct RegTech is codified in the “Supervisory Policy Manual – Conduct RegTech” (CRT-1), issued in November 2022 and updated in March 2024. The framework defines Conduct RegTech as the use of technology to monitor, detect, and report conduct risks, including market abuse, mis-selling, and internal policy breaches. The mandate applies to all authorised institutions under the Banking Ordinance (Cap. 155), including virtual banks and stored value facility licensees.
The Three Pillars of Conduct RegTech
The HKMA’s framework rests on three operational pillars. First, surveillance and monitoring covers real-time transaction screening, trader voice surveillance, and employee communications monitoring (including WhatsApp, WeChat, and Bloomberg chat). Second, analytics and detection uses natural language processing (NLP) and anomaly detection algorithms to flag unusual patterns. Third, reporting and remediation requires automated generation of suspicious transaction reports (STRs) and conduct breach logs for the HKMA’s review.
Each pillar must be supported by a “model risk management framework” that the HKMA can inspect during on-site examinations. The HKMA’s 2023 “Thematic Review on Conduct RegTech” found that 40% of institutions lacked adequate documentation for their AI model validation processes, leading to enforcement actions including a written reprimand against one major retail bank in Q1 2024.
Legal Basis Under the Banking Ordinance
The HKMA derives its authority to mandate Conduct RegTech from sections 7(1) and 9(1) of the Banking Ordinance (Cap. 155), which empower the HKMA to issue codes of conduct and supervisory guidelines. The “Code of Banking Practice” (revised 2023) requires institutions to have “adequate systems and controls” to prevent financial crime and misconduct. The HKMA’s “Guideline on the Supervision of E-Banking” (SA-2) further requires that AI-based compliance monitoring systems be subject to independent audit at least annually.
For cross-border institutions, the HKMA coordinates with the Securities and Futures Commission (SFC) under the “Memorandum of Understanding on Cross-Border Supervision” (2022). This means that a bank operating both an SFC-licensed brokerage and an HKMA-authorised banking arm must ensure its Conduct RegTech system covers both regulatory regimes, including the SFC’s “Code of Conduct for Persons Licensed by or Registered with the SFC” (Cap. 571).
Practical Implementation: Using AI for Compliance Monitoring
The HKMA’s “Conduct RegTech Adoption Roadmap” (updated 2024) provides a three-phase timeline for implementation. Phase 1 (completed by end-2023) focused on foundational data infrastructure. Phase 2 (by end-2025) requires live deployment of AI-driven monitoring for at least two conduct risk categories. Phase 3 (by end-2027) mandates full integration with the HKMA’s “Data Analytics and Reporting Hub” (DARH).
Step 1: Data Preparation and Governance
Before deploying any AI model, the institution must establish a “data governance framework” that meets the HKMA’s “Guideline on Data Management” (GD-1). This includes data lineage tracking, data quality metrics, and a “data dictionary” that maps all transaction and communication data to HKMA-defined conduct risk categories. The HKMA requires that training data for AI models be drawn from at least 24 months of historical conduct data, covering at least three full business cycles.
A practical example: a Hong Kong virtual bank deploying NLP for trade surveillance must ensure its training dataset includes Cantonese-language chat messages, as the HKMA’s 2024 thematic review flagged that 30% of false positives in conduct alerts stemmed from failure to process colloquial Cantonese financial slang.
Step 2: Model Development and Validation
The HKMA follows the “Supervisory Policy Manual – Model Risk Management” (MR-1), which requires that all AI models used for compliance monitoring undergo independent validation by a qualified third party or an internal validation unit that reports directly to the board. The validation must include:
- Accuracy testing: The model must achieve a precision rate of at least 85% for conduct alerts, with a false positive rate below 10%, as measured against a manually reviewed test dataset of 10,000 transactions.
- Explainability assessment: The institution must produce a “model card” that explains, in plain language, how the AI reaches each conduct alert. The HKMA has stated that “black box” models without explainability will not be accepted for Phase 2 deployment.
- Bias testing: The model must be tested for demographic and linguistic bias, particularly in voice surveillance systems that may misidentify certain accents or dialects as suspicious.
Step 3: Integration with Reporting Systems
Once validated, the AI system must feed directly into the institution’s “Automated Suspicious Transaction Reporting System” (ASTR) and the HKMA’s DARH. The HKMA requires that all conduct alerts be logged with a unique identifier, timestamp, and the specific AI model version used, to ensure auditability. The reporting timeline is strict: alerts for market misconduct must be escalated to the HKMA’s “Conduct Risk Division” within 48 hours, while insider dealing alerts must be reported to the SFC within 24 hours under the “SFC’s Guidelines on Reporting of Suspicious Transactions” (2023).
Regulatory Expectations and Common Pitfalls
The HKMA’s enforcement approach to Conduct RegTech failures has become more aggressive since 2023. The HKMA imposed a total of HKD 45 million in fines across three enforcement actions in 2024 related to inadequate AI-based compliance monitoring, including a HKD 18 million fine against a mid-tier bank for failing to detect employee insider trading over a six-month period.
Common Pitfall 1: Over-Reliance on Off-the-Shelf Solutions
The HKMA’s 2024 “Thematic Review on AI in Compliance” found that 55% of institutions used commercial off-the-shelf (COTS) RegTech products without adequate customisation for Hong Kong’s market structure. The HKMA requires that any COTS solution be re-validated against Hong Kong-specific conduct risks, including the “Code of Conduct for Banks in Hong Kong” and the “HKMA’s Guidelines on Fair Dealing” (2022). A COTS product designed for US or UK markets will not automatically satisfy Hong Kong’s requirements for real-time cross-border transaction monitoring under the “Anti-Money Laundering and Counter-Terrorist Financing Ordinance” (Cap. 615).
Common Pitfall 2: Inadequate Human Oversight
The HKMA mandates a “human-in-the-loop” requirement for all AI-generated conduct alerts. This means that no automated action—such as freezing an account or filing an STR—can be taken without human review and approval. The HKMA’s “Guideline on Outsourcing” (SA-1) also requires that any third-party AI vendor providing compliance monitoring services maintain a physical presence in Hong Kong with staff authorised to explain model outputs to HKMA examiners.
A 2024 enforcement case involved a bank that allowed its AI system to automatically flag and escalate 500 suspicious transactions per month without human review, resulting in a HKD 12 million fine and a requirement to hire a dedicated “Conduct RegTech Oversight Officer” at the senior management level.
Common Pitfall 3: Failure to Update Models
The HKMA requires that Conduct RegTech models be re-validated at least annually, or within 90 days of any material change in the institution’s business model or regulatory environment. The 2024 revision to the “SFC’s Code of Conduct” regarding virtual asset trading, for example, required banks with virtual asset exposure to update their AI models within 60 days to incorporate new conduct risk indicators. Institutions that failed to do so faced suspension of their virtual asset dealing licences.
The Path Forward: 2025-2026 Compliance Priorities
The HKMA’s “Conduct RegTech Adoption Roadmap” sets clear milestones for the next 12 months. Institutions that have not yet deployed Phase 2 systems must submit a “Conduct RegTech Implementation Plan” to the HKMA by 31 March 2025, detailing their timeline, budget, and validation methodology.
Key Deadlines
- 31 March 2025: Deadline for submission of Phase 2 implementation plans to the HKMA’s “Technology Risk Division”.
- 30 June 2025: Deadline for completion of AI model validation by an independent third party.
- 31 December 2025: Go-live date for AI-driven conduct monitoring covering at least two risk categories.
- 30 June 2026: Deadline for integration with the HKMA’s DARH for automated reporting.
Institutions that miss these deadlines face potential enforcement actions under the Banking Ordinance, including restrictions on new business activities or increased capital requirements under the “Supervisory Review Process” (SRP).
Coordination with the SFC
For institutions licensed under both the HKMA and the SFC, the “Joint Circular on Conduct RegTech” (HKMA/SFC, November 2023) requires a single, integrated compliance monitoring system that satisfies both regulators’ requirements. This means the AI model must be capable of detecting both HKMA-defined conduct risks (e.g., mis-selling of structured products) and SFC-defined market misconduct (e.g., insider dealing under the Securities and Futures Ordinance, Cap. 571). The HKMA and SFC have established a “Joint Conduct RegTech Working Group” that meets quarterly to review enforcement trends and update model validation standards.
Actionable Takeaways
- Audit your current AI-based compliance monitoring system against the HKMA’s CRT-1 and MR-1 standards by 31 March 2025 — a gap analysis is the first step toward meeting the Phase 2 deployment deadline.
- Ensure your AI model’s training data includes at least 24 months of Hong Kong-specific conduct data, including Cantonese-language communications and cross-border transaction patterns.
- Establish a “human-in-the-loop” approval workflow for all AI-generated conduct alerts — no automated escalation without documented human review and sign-off.
- Re-validate any COTS RegTech product against Hong Kong’s specific legal and regulatory requirements under the Banking Ordinance and the SFC’s Code of Conduct.
- Submit your Conduct RegTech Implementation Plan to the HKMA’s Technology Risk Division by the 31 March 2025 deadline — late submissions may trigger increased supervisory scrutiny or enforcement action.