Licensing · 2026-02-03
Hong Kong AI Governance in Financial Services: Algorithmic Fairness, Transparency, and Accountability
The first set of Hong Kong-specific guidelines for the ethical use of artificial intelligence in financial services took effect in August 2024. The Hong Kong Monetary Authority (HKMA) issued a circular titled “Principles for the Responsible Use of Artificial Intelligence in the Banking Sector,” which applies to all authorised institutions. The Securities and Futures Commission (SFC) followed with its own guidance in December 2024, covering licensed corporations that deploy AI for investment advisory, trading, and risk management. These documents are not voluntary codes. They set out mandatory governance expectations around algorithmic fairness, transparency, and accountability. For any firm applying for a Type 1 (dealing in securities), Type 4 (advising on securities), or Type 9 (asset management) licence, the SFC now requires a written AI governance policy as part of the licence application pack. This article explains what the regulators require, how to structure an AI governance framework, and where the liability falls when an algorithm makes a bad decision.
The Regulatory Baseline: What the SFC and HKMA Require
The SFC’s December 2024 circular on “Use of Artificial Intelligence in Securities and Futures Markets” (the “AI Circular”) applies to all licensed corporations and registered institutions. The HKMA’s “Principles for the Responsible Use of AI” (the “AI Principles”) apply to all authorised institutions under the Banking Ordinance (Cap. 155). Both documents share three core obligations: algorithmic fairness, transparency, and accountability.
Algorithmic fairness means the AI system must not produce discriminatory outcomes based on race, gender, age, or other protected characteristics. The SFC AI Circular states that licensed corporations must test their models for bias before deployment and at least annually thereafter. The HKMA AI Principles require banks to document the demographic impact of credit-scoring algorithms and to have a remediation plan if bias is detected.
Transparency requires firms to disclose to customers when a decision is made by an AI system. The SFC AI Circular mandates that any robo-advisory service must clearly state that the advice is generated by an algorithm, not a human adviser. The HKMA AI Principles require banks to provide a plain-language explanation of how an AI-based credit decision was reached, upon the customer’s request.
Accountability means that a named senior manager is responsible for the AI system’s outputs. The SFC AI Circular requires the Board of Directors or a designated Senior Management Committee to approve the AI governance policy and to review it annually. The HKMA AI Principles require the Chief Executive to sign off on the bank’s AI risk appetite statement.
Step 1: Map Your AI Use Cases
Every licensed corporation must complete an AI use-case inventory. The SFC AI Circular requires firms to classify each AI application into one of three tiers:
- Tier 1 (High Impact): AI systems that make or significantly influence decisions affecting customers, such as credit scoring, investment recommendations, or trade execution.
- Tier 2 (Medium Impact): AI systems that support internal operations but do not directly affect customer outcomes, such as fraud detection or compliance monitoring.
- Tier 3 (Low Impact): AI systems that perform administrative tasks with no customer-facing role, such as document summarisation or an internal chatbot.
For Tier 1 systems, the SFC requires a pre-deployment validation report from an independent third party. For Tier 2 systems, internal validation is sufficient. Tier 3 systems require only a documented rationale for the classification.
Step 2: Establish a Model Risk Management Framework
The HKMA’s “Supervisory Policy Manual on Model Risk Management” (SB-1, revised January 2024) provides the baseline. The framework must cover:
- Model development: Documentation of data sources, feature selection, and algorithm choice.
- Model validation: Independent testing of accuracy, stability, and fairness.
- Model monitoring: Ongoing performance tracking, including drift detection and bias monitoring.
- Model retirement: A process for decommissioning outdated or underperforming models.
The SFC AI Circular adds a specific requirement for “explainability.” For any Tier 1 system, the firm must be able to produce a human-readable explanation of how the algorithm reached a particular decision. This is not a “right to explanation” in the GDPR sense, but it is a regulatory expectation that the firm can demonstrate the logic chain.
Algorithmic Fairness: Testing and Documentation
Algorithmic fairness under Hong Kong law is not a standalone statutory right. There is no equivalent of the UK Equality Act 2010 or the US Equal Credit Opportunity Act. Instead, the SFC and HKMA rely on existing anti-discrimination provisions in the Sex Discrimination Ordinance (Cap. 480), the Disability Discrimination Ordinance (Cap. 487), and the Race Discrimination Ordinance (Cap. 602). If an AI system produces a discriminatory outcome, the licensed corporation can be held vicariously liable for the algorithm’s actions under section 48 of the Sex Discrimination Ordinance.
Step 3: Conduct a Bias Audit
The bias audit must cover three dimensions:
- Data bias: Whether the training data under-represents or misrepresents certain demographic groups.
- Algorithmic bias: Whether the model’s decision boundary systematically disadvantages a protected group.
- Outcome bias: Whether the model’s outputs, when applied in practice, produce disparate impact.
The SFC AI Circular recommends using the “four-fifths rule” from the US Equal Employment Opportunity Commission as a benchmark. If the selection rate for a protected group is less than 80% of the selection rate for the most favoured group, the model is presumptively biased. The firm must then either retrain the model or document a business justification for the disparity.
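The four-fifths benchmark described above, as an added example (not taken from the SFC AI Circular or from this article's author): it computes per-group selection rates from decision records and flags any group whose rate is less than 80% of the most favoured group's rate. The group labels, the sample records and the `min_sample` warning threshold are constructed assumptions.

```python
from collections import Counter
from fractions import Fraction

FOUR_FIFTHS = Fraction(4, 5)  # benchmark: flag when ratio is strictly below 80%


def four_fifths_audit(decisions, min_sample=30):
    """decisions: iterable of (group, approved) pairs from the model's outputs.

    Returns (reference_group, report). Exact fractions are used so that a
    group sitting precisely on the 80% line is not flagged by float rounding.
    min_sample is an illustrative assumption, not a regulatory figure.
    """
    totals, favourable = Counter(), Counter()
    for group, approved in decisions:
        totals[group] += 1
        favourable[group] += bool(approved)
    if not totals:
        raise ValueError("no decisions to audit")

    rates = {g: Fraction(favourable[g], totals[g]) for g in totals}
    reference = max(rates, key=rates.get)  # most favoured group
    if rates[reference] == 0:
        raise ValueError("no favourable outcomes; impact ratio is undefined")

    report = {}
    for g in sorted(rates):
        ratio = rates[g] / rates[reference]
        report[g] = {
            "selection_rate": float(rates[g]),
            "impact_ratio": float(ratio),
            "flagged": ratio < FOUR_FIFTHS,          # presumptively biased
            "low_sample": totals[g] < min_sample,    # ratio is statistically weak
        }
    return reference, report


def sample_decisions():
    """Constructed records: group -> (approved, total)."""
    spec = {"group_a": (60, 100), "group_b": (45, 100),
            "group_c": (48, 100), "group_d": (10, 20)}
    return [(g, i < ok) for g, (ok, n) in spec.items() for i in range(n)]


if __name__ == "__main__":
    ref, report = four_fifths_audit(sample_decisions())
    print("reference group:", ref)
    for group, row in report.items():
        print(group, row)
```

A flagged group feeds the retrain-or-justify decision described above; a `low_sample` group needs more data before its ratio can be relied on in either direction.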
Step 4: Document the Fairness Remediation Plan
If bias is detected, the firm must have a documented remediation plan. The HKMA AI Principles require the plan to include:
- A root-cause analysis of the bias.
- A timeline for retraining or replacing the model.
- A communication strategy for affected customers.
- A monitoring mechanism to ensure the remediation is effective.
The SFC AI Circular adds that the remediation plan must be approved by the Board or a designated committee, and that the firm must notify the SFC within 10 business days of detecting a material bias issue.
Transparency and Explainability: What Customers Must Be Told
Transparency obligations under the SFC AI Circular are disclosure-based. The firm must provide the following information to customers before they use any AI-driven service:
- That the service is powered by AI.
- The nature and scope of the AI’s decision-making authority.
- The customer’s right to request human review of any AI-generated decision.
- The firm’s complaints-handling process for AI-related disputes.
The HKMA AI Principles require banks to go further. For credit decisions made by AI, the bank must provide a “meaningful explanation” that includes:
- The key factors that influenced the decision.
- The relative weight of each factor.
- The data sources used.
- The customer’s right to dispute the decision.
Step 5: Build a Customer-Facing Explanation Interface
The practical challenge is that most AI models, particularly deep learning models, are not inherently explainable. The SFC AI Circular acknowledges this and allows firms to use post-hoc explainability techniques such as LIME (Local Interpretable Model-Agnostic Explanations) or SHAP (SHapley Additive exPlanations). The firm must document which technique it uses and why it is appropriate for the model in question.
The explanation must be in plain language. The SFC AI Circular gives the example of a robo-advisory service: “Your portfolio was rebalanced because the AI detected that your target asset allocation had drifted by 5% due to market movements. The rebalancing increased your exposure to technology stocks by 3%.” This is acceptable. A SHAP value of 0.42 is not.
Accountability: Who Is Liable When the Algorithm Gets It Wrong
Accountability is the most legally consequential of the three principles. The SFC AI Circular states that “the licensed corporation, not the AI system, is responsible for all decisions made or influenced by the AI.” This means that the existing regulatory liability framework applies without modification. If an AI system gives unsuitable investment advice, the firm is in breach of the Code of Conduct for Persons Licensed by or Registered with the SFC (the “Code of Conduct”), specifically paragraph 5.2 on suitability.
Step 6: Appoint a Designated AI Officer
The HKMA AI Principles require each authorised institution to appoint a Designated AI Officer (DAIO) at the Senior Management level. The DAIO’s responsibilities include:
- Overseeing the AI governance framework.
- Approving the AI risk appetite statement.
- Reporting to the Board on AI-related risks and incidents.
- Liaising with the HKMA on AI-related regulatory matters.
The SFC AI Circular does not require a specific title, but it does require that a named senior manager be responsible for each AI system. That manager must have sufficient authority to stop the system if a material risk is identified.
Step 7: Establish an AI Incident Reporting Protocol
Both regulators require mandatory incident reporting. The SFC AI Circular requires licensed corporations to report any “material AI incident” to the SFC within 24 hours. A material AI incident includes:
- A system failure that causes customer loss.
- A bias detection that results in discriminatory outcomes.
- A data breach involving the AI training data.
- Any regulatory investigation or enforcement action related to the AI system.
The HKMA AI Principles require banks to report similar incidents to the HKMA within 48 hours. The report must include a root-cause analysis, a remediation plan, and a timeline for implementation.
Enforcement and Penalties
The SFC can take enforcement action under the Securities and Futures Ordinance (Cap. 571). For a breach of the AI Circular, the SFC can impose a fine, suspend or revoke a licence, or issue a public reprimand. The HKMA can take enforcement action under the Banking Ordinance (Cap. 155), including financial penalties and restrictions on business activities.
In 2023, the SFC fined a licensed corporation HK$4 million for using an AI-driven robo-advisory service that failed to conduct proper suitability assessments. The SFC’s enforcement notice stated that the firm “did not have adequate governance and controls over the AI system, and the system’s recommendations were not in the best interests of clients.” This case, while predating the AI Circular, illustrates the enforcement approach the SFC is likely to take.
Practical Takeaways for Licence Applicants and Compliance Officers
- Prepare an AI governance policy before you submit your licence application. The SFC now expects this document as part of the application pack for Type 1, 4, and 9 licences.
- Conduct a bias audit on any AI system that makes or influences customer-facing decisions. Use the four-fifths rule as a benchmark and document the results.
- Designate a senior manager as the accountable person for each AI system. The SFC and HKMA both require a named individual who can stop the system if needed.
- Build a customer-facing explanation interface for all Tier 1 AI systems. The explanation must be in plain language and must include the key factors and their relative weights.
- Establish an incident reporting protocol that meets the 24-hour (SFC) or 48-hour (HKMA) deadline. Include a root-cause analysis template and a remediation plan template in the protocol.
This does not constitute legal advice. Consult a solicitor for your specific case.