
Hong Kong: SFC publishes Circular on use of GenAI language models

On November 12, 2024, the Securities and Futures Commission (SFC) issued a circular to licensed corporations (LCs) on the use of generative artificial intelligence language models (GenAI LMs). The SFC noted that while it encourages the responsible use of artificial intelligence (AI) and GenAI LMs by LCs to innovate, improve their services, or enhance their operational efficiency, it still emphasizes the risks of GenAI LMs, including that their output can be inaccurate, biased, unreliable, and inconsistent, as well as the heightened risks of cyberattacks and personal data breaches.

Additionally, the SFC emphasized that the circular applies to LCs offering services or functionality provided by GenAI LMs, regardless of whether the model is developed by the LC itself, its group company, or a third-party provider, or comes from an open source.

What are the core principles?

The SFC listed the following four core principles that it believes an LC can implement in a risk-based manner that is commensurate with the materiality of the impact and the level of risk presented by the GenAI:

  • senior management responsibilities - throughout the full lifecycle of a GenAI LM, senior management should ensure the implementation of effective policies and adequate oversight;
  • effective AI model risk management framework - an LC can undertake Model Development activities, validate GenAI LMs before approving them, or, when there is a material change, conduct comprehensive end-to-end testing, adopt risk mitigation measures, etc.;
  • cybersecurity and data risk management - an LC should have policies in place to manage cybersecurity risks related to GenAI LMs, such as adversarial attacks, and should ensure confidentiality and security by encrypting non-public data; and
  • third-party provider risk management - an LC should perform due diligence checks when choosing a third-party provider and conduct ongoing monitoring to assess their skills, expertise, resources, and controls.

What are the notification requirements?

The SFC reminded LCs of their notification obligations to the SFC under the Securities and Futures (Licensing and Registration) (Information) Rules in relation to the use of GenAI LMs in high-risk use cases. These include notifying the SFC of any significant changes in the nature of their business and the types of service they provide and discussing their plans with the SFC at the business planning and development stage to avoid potential adverse regulatory implications.

Furthermore, the SFC mentioned that the circular takes immediate effect and LCs must review their existing policies, procedures, and internal controls to ensure proper implementation.

You can read the circular here.