ARTICLE
13 July 2026

金诚同达保险新规速递2026年第二期(中英双语)

JT
Beijing Jincheng Tongda & Neal Law Firm

Contributor

Beijing Jincheng Tongda & Neal Law Firm (JT&N) is a large full-service law firm founded in 1992 and headquartered in Beijing. It was one of the first partnership-model law firms in China. To date, JT&N has strategically expanded its footprint across key regions of China's economic development and established overseas offices in Hong Kong, Tokyo, and Singapore.
China's financial regulators have issued comprehensive guidance on artificial intelligence governance in banking and insurance, data classification for financial information services, and measures to attract and optimize foreign investment. These developments establish new compliance frameworks for AI applications in insurance operations, standardize data security practices across financial information services, and introduce targeted policies to facilitate foreign capital flows and market access in key sec
China Finance and Banking
Jincheng Tongda & Neal’s articles from Beijing Jincheng Tongda & Neal Law Firm are most popular:
  • in European Union
  • in European Union
  • in European Union
  • in European Union
  • with readers working within the Healthcare industries
Beijing Jincheng Tongda & Neal Law Firm are most popular:
  • within Finance and Banking, Antitrust/Competition Law and Tax topic(s)

01.《银行业保险业人工智能安全开发应用的指导意见》解读--保险机构合规要点与应对建议

Commentary on the Guiding Opinions on Safe Development and Application of Artificial Intelligence in the Banking and Insurance Industries--Key Compliance Issues and Recommendations for Insurance Institutions

2026年6月18日,国家金融监督管理总局发布《关于银行业保险业人工智能安全开发应用的指导意见》(金发〔2026〕8号,以下简称“《指导意见》”),对银行业保险业金融机构开发应用人工智能提出系统性的规范要求。人工智能技术已广泛应用于保险机构的承保理赔、客户服务、风险管理、产品定价等核心业务环节,《指导意见》的出台对保险行业的人工智能开发应用将会产生深远影响。

一、人工智能安全开发应用的原则

《指导意见》就人工智能安全开发应用提出了四项原则:一是坚持谁使用谁负责。压实金融机构作为金融服务提供方、人工智能技术使用方的主体责任,强化内部各环节工作责任落实,明确人工智能开发应用各方分工和权责义务。二是坚持自主可控。持续提升人工智能相关技术、设备自主可控水平,提高对业务经营发展有重大影响的关键平台、关键软硬件的自主研发能力,加强信息技术应用创新适配。三是坚持务实高效。以提升业务价值为导向,科学规划人工智能开发应用投入,有效平衡成本与效益,推动人工智能切实服务经济高质量发展和金融业务高效运转。四是坚持安全发展。严格落实国家网络安全和信息化工作要求,遵守网络安全、数据安全各项法律法规制度,强化技术安全和应用安全保障,全面提升安全防护和应急处置能力。

二、保险机构应重点关注的条款解读

(一)治理架构与主体责任

《指导意见》第一条要求,对于开发应用人工智能的金融机构,董事会应指定专门委员会对人工智能开发应用管理负责,统筹制定发展规划,推进能力体系建设,制定制度规范,明确牵头部门和跨业务、科技、数据职能部门的协同机制。同时,金融机构应建立健全人工智能应用需求分析、数据准备、训练开发、部署运行、维护迭代、评估退出的全生命周期管理体系,实施人工智能应用风险分类分级管理。

当前,保险机构的人工智能应用经常分散在各业务部门,缺乏统一的治理架构和归口管理部门。《指导意见》明确要求董事会层面指定专门委员会负责,将人工智能治理提升至公司治理层面,这意味着保险机构需对现有治理架构进行调整。此外,人工智能全生命周期管理体系的要求,也对保险机构的相关制度建设和流程管控提出了更高标准。

(二)高风险应用的准入与管控

《指导意见》第十六条明确,涉及资金交易、资产评估、信贷审批、承保理赔、风险管理等,以及与客户利益直接相关、直接影响金融合约达成的生成式人工智能场景应用应被视为高风险应用。人工智能高风险应用须经本机构风险管理委员会批准后方可实施。同时,第二十九条要求,金融机构面向公众服务或高风险场景应用使用生成式人工智能技术的,应向金融监管总局或其派出机构报告。第十七条要求金融机构加强对人工智能在业务场景中的运行监测,在高风险应用关键环节建立人工监督和干预机制,明确紧急停用及模型退出条件,建立备用系统或人工替代流程。

承保理赔是保险业务的核心环节,也是人工智能应用最为广泛的领域之一。智能核保、智能理赔、反欺诈识别等应用均属于《指导意见》界定的高风险应用范畴。这意味着保险机构现有的大量人工智能应用均需纳入高风险管理,履行风险管理委员会审批程序,并建立人工干预机制。对于已实现全自动化的理赔场景,可能需要重新评估其合规性,乃至增设人工复核节点。

(三)数据治理与个人信息保护

《指导意见》第四章对数据治理能力提出系统要求,包括完善数据管理运营体系、建设人工智能高质量数据集、支持行业数据集共建共享、推进知识工程建设等。第二十四条就数据安全与个人信息保护作出规定:金融机构应将人工智能数据安全纳入企业数据安全管理体系,严格落实数据分类分级保护要求。姓名、身份证号、手机号、银行卡号等个人信息和隐私数据不得用于生成式人工智能模型训练和优化,有效防止客户隐私泄露。加强模型安全护栏建设,加强内容过滤及脱敏管理。

保险行业拥有大量客户个人信息和健康数据,是数据密集型行业。《指导意见》明确禁止将个人信息和隐私数据用于生成式人工智能模型训练,这对保险机构利用客户数据训练大模型的做法构成直接限制。保险机构需对现有用于模型训练的数据集进行全面梳理和脱敏处理,确保符合监管要求。

(四)算法透明度与可解释性

《指导意见》第二十一条要求,金融机构应加强人工智能应用透明度管理,为高风险场景应用制定透明度和可解释性标准,明确模型设计、数据使用、特征选择及输出结果的逻辑。对人工智能生成内容应进行显著标识,并向金融消费者主动说明。第二十二条进一步规定,可解释性不足的人工智能技术在高风险场景应用时,仅能作为辅助工具,应由人工进行最终决策。人工智能模型应用于涉及客户权益或有实质性财务影响的关键决策时,须设置人工复核节点,完整保留原始数据、推理路径及阈值触发记录,确保责任可追溯。定期对人工智能模型算法开展审计。

人工智能算法的“黑箱”问题是保险行业的合规痛点之一。《指导意见》对可解释性提出明确要求,特别是对于涉及客户权益的关键决策,必须设置人工复核节点并保留完整记录。这意味着保险机构若在核保、理赔、定价等核心环节使用人工智能时完全依赖算法自动决策,将存在合规风险,必须确保人工干预的可及性和决策的可追溯性。对于深度学习等可解释性较弱的模型,在高风险场景中的应用将受到更为严格的限制。

(五)伦理道德与公平性

《指导意见》第二十三条规定,金融机构开发应用人工智能应符合法律法规及社会价值观要求。建立人工智能开发应用伦理审查监测制度,制定符合伦理道德的行为准则,加强数据集审查和对特定群体的影响评估,避免算法歧视等不公平性问题。使用受保护特征或属性时应进行正当性说明,删除偏见样本。

保险产品定价和风险评估中使用的大量变量,可能与性别、年龄、地域等受保护特征存在相关性,容易引发算法歧视问题。《指导意见》要求加强数据集审查和对特定群体的影响评估,删除偏见样本,这对保险机构的数据使用和模型构建提出了具体的合规要求。保险机构需建立伦理审查机制,对人工智能应用进行公平性评估,防止出现对特定群体的不合理差别对待。

(六)外包与供应链风险管理

《指导意见》第十八条规定,使用外部人工智能技术时,金融机构应在外包策略、数据安全、集中度管理等方面建立管理机制,通过合同协议明确安全管理方面的权责义务。与外部企业开展合作时,应建立有效的风险隔离“防火墙”,防范风险跨业传递。对外包合作机构实行名单制管理,对引入的外部模型建立严格的内部评估框架。第十九条规定,金融机构要建立对人工智能算力、模型、数据、技术工具等的供应链安全合规管理机制,确保应用自主可控,防范对个别技术服务过度依赖引发的集中度风险。完善开源技术使用规范,建立开源软件管理台账,对外部引入的开源组件应进行审查评估,加强代码审计、漏洞扫描及安全测试,定期排查开源组件风险隐患,防范供应链投毒。

当前保险机构的人工智能技术经常依赖外部供应商,包括大模型服务、算法平台、数据标注等。《指导意见》对外包和供应链风险管理提出系统要求,意味着保险机构需对现有人工智能供应商进行全面梳理和评估,建立名单制管理和准入退出机制。对于外部引入的模型,需建立内部评估框架,评估其安全性、合规性和适配性。此外,开源技术的使用也需纳入规范管理,防范供应链安全风险。

三、保险机构合规应对建议

(一)建立健全人工智能治理体系

一是明确治理架构。建议保险机构在董事会层面指定现有专门委员会(如风险管理委员会等)或单独设立人工智能治理专门委员会,承担人工智能治理职责,统筹人工智能发展规划和风险管控。

二是明确牵头部门。建议指定科技等相关部门作为牵头部门,建立业务、科技、数据、风控、合规等多部门协同机制,确保人工智能应用全流程管控责任清晰。

三是完善制度体系。建议制定人工智能应用管理办法、数据安全管理制度、算法伦理审查制度等配套制度,建立覆盖需求分析、数据准备、训练开发、部署运行、维护迭代、评估退出的全生命周期管理流程。

(二)完善高风险应用管理机制

一是开展应用梳理与分类分级。建议保险机构对现有和规划中的人工智能应用进行全面梳理,按照业务场景重要性、应用规模、对客影响度、模型依赖度、模型复杂度等因素进行风险分类分级,建立人工智能应用清单。

二是严格高风险应用准入。对承保理赔、风险管理、产品定价等高风险场景的人工智能应用,须履行风险管理委员会审批程序,未经批准不得上线使用。对外部引入的生成式人工智能模型,需确认其已通过网信部门备案。

三是建立人工干预机制。在高风险应用关键环节设置人工监督和干预节点,明确人工复核的触发条件和流程。建立紧急停用机制和模型退出预案,确保在模型出现异常时能够及时切换至人工处理或备用系统。

四是建立报告机制。应当在相关制度中明确:面向公众提供服务,或在涉及资金交易、资产评估、信贷审批、承保理赔、风险管理等与客户利益直接相关、直接影响金融合约达成的高风险场景中应用生成式人工智能技术的,应向金融监管总局或其派出机构报告。

(三)强化数据安全与隐私保护

一是开展数据集合规排查。建议对用于人工智能模型训练的数据集进行全面梳理,核查是否包含姓名、身份证号、手机号、银行卡号等个人信息和隐私数据,对不符合要求的数据集进行脱敏处理或停止使用。

二是完善数据全生命周期管理。建立覆盖数据采集、清洗、标注、应用、退出的全流程管理规范,确保数据源头可追溯。加强非结构化数据管理,制定数据质量标准和检测管控机制。

三是加强生成式AI数据安全管控。严格限制将客户个人信息用于生成式人工智能模型训练和优化。加强模型安全护栏建设,完善内容过滤和脱敏机制,防止客户隐私通过模型输出泄露。

(四)提升算法可解释性与透明度

一是制定可解释性标准。针对高风险场景的人工智能应用,制定明确的透明度和可解释性标准,明确模型设计、数据使用、特征选择及输出结果的逻辑说明要求。

二是优化模型选型与设计。在高风险场景优先选用可解释性较强的模型,对可解释性不足的模型严格限制使用范围,仅作为辅助工具使用。探索运用可解释性人工智能技术提升模型透明度。

三是完善人工复核机制。对涉及客户权益或有实质性财务影响的关键决策,必须设置人工复核节点,完整保留原始数据、推理路径及阈值触发记录,确保决策过程可追溯、责任可落实。

(五)加强外包与供应链风险管理

一是实行供应商名单制管理。对人工智能技术供应商进行全面梳理和评估,建立准入标准和退出机制,实行名单制管理。重点审查供应商的数据安全能力、算法安全水平和服务稳定性。

二是完善合作协议。在与外部供应商的合作协议中,明确数据安全、知识产权、责任承担、应急处置等条款,确保金融机构能够有效管控相关风险。建立风险隔离“防火墙”,防范风险跨业传递。

三是加强开源技术管理。建立开源软件管理台账,对外部引入的开源组件进行审查评估,加强代码审计、漏洞扫描及安全测试,定期排查开源组件风险隐患,防范供应链投毒等安全风险。

(六)建立伦理审查与公平性评估机制

一是设立伦理审查机构。建议设立人工智能伦理委员会或类似机构,负责人工智能应用的伦理审查和监督,制定符合伦理道德的行为准则。

二是开展公平性评估。对人工智能应用进行数据集审查和特定群体影响评估,识别和消除算法偏见,避免出现算法歧视等不公平问题。对使用受保护特征或属性的情形,进行正当性说明。

三是加强对客告知。对人工智能生成内容进行显著标识,向金融消费者主动说明人工智能的使用情况,保障客户的知情权和选择权。

四、结语

《指导意见》的出台说明我国金融领域人工智能监管正逐渐进入系统化、规范化的新阶段。保险机构应重视《指导意见》的贯彻落实,将人工智能治理纳入公司整体治理体系,平衡好创新发展与风险防控的关系,推动人工智能技术在保险行业安全、合规、有序发展,更好地服务实体经济和满足人民群众保险保障需求。

建议保险机构尽快启动人工智能开发应用的合规自查工作,对照《指导意见》的各项要求,梳理现有人工智能开发应用的合规差距,制定整改方案和实施路径,尽快完成合规整改。同时,建议保险机构持续关注监管部门后续可能出台的配套实施细则和技术标准,及时调整完善相关管理制度和技术措施。

On June 18, 2026, the National Financial Regulatory Administration (NFRA) issued the Guiding Opinions on Safe Development and Application of Artificial Intelligence in the Banking and Insurance Industries (Jin Fa [2026] No. 8, “Guiding Opinions”), which put forward systematic regulatory requirements for the AI development and application by banking and insurance institutions. AI technology has been widely adopted in the core business operations of insurance institutions, including underwriting and claims, customer service, risk management, and product pricing. The issuance of the Guiding Opinions will have a profound impact on the AI development and application in the insurance industry.

I. Principles for Safe Development and Application of AI

The Guiding Opinions put forward four principles for the safe development and application of AI:

First, adhering to the principle of “whoever uses it is responsible”.

Financial institutions, as providers of financial services and users of AI technology, should be the responsible subject. The implementation of work responsibilities in all internal links should be strengthened, and the division of labor, rights, responsibilities, and obligations of all parties involved in AI development and application should be clarified.

Second, adhering to the principle of independent and controllable operation.

Financial institutions should continuously improve the independent and controllable level of AI-related technologies and equipment, enhance the independent R&D capabilities for key platforms, key software and hardware that have a significant impact on business operations and development, and strengthen the innovation and adaptation of IT applications.

Third, adhering to the principle of pragmatism and efficiency.

Financial institutions should scientifically plan their investments in AI development and application, with an orientation toward business value enhancement, effectively balance costs and benefits, and promote AI to effectively serve high-quality economic development and efficient operation of financial business.

Fourth, adhering to the principle of secure development.

Financial institutions should strictly implement national requirements for cybersecurity and informatization work, comply with various laws, regulations, and systems on cybersecurity and data security, strengthen technical security and application security safeguards, and comprehensively enhance security protection and emergency response capabilities.

II. Analysis of Key Provisions for Insurance Institutions

(1) Governance Framework and Subject Responsibility

Article 1 of the Guiding Opinions requires that, for financial institutions developing and applying AI, their board of directors should designate a special committee to be responsible for the management of AI development and application, which should take charge of formulating development plans, promoting the construction of capability systems, formulating institutional norms, and clarifying the leading department and the coordination mechanism across business, technology, and data functional departments. Meanwhile, financial institutions should establish and improve a full lifecycle management system for AI applications covering demand analysis, data preparation, training and development, deployment and operation, maintenance and iteration, and evaluation and exit, and implement classified and graded management of AI application risks.

Currently, AI applications in insurance institutions are often scattered across various business departments, lacking a unified governance framework and centralized management department. The Guiding Opinions explicitly require the designation of a special committee at the board level to take charge, elevating AI governance to the corporate governance level, which means insurance institutions need to adjust their existing governance frameworks. In addition, the requirements for a full lifecycle management system of AI also set higher standards for the construction of relevant systems and process control in insurance institutions.

(2) Access and Control of High-Risk Applications

Article 16 of the Guiding Opinions clarifies that generative AI scenario applications involving fund transactions, asset valuation, credit approval, underwriting and claims, risk management, etc., as well as those directly related to customer interests and directly affecting the conclusion of financial contracts, should be regarded as high-risk applications. High-risk AI applications should be implemented only after approval by the institution’s Risk Management Committee. Meanwhile, Article 29 stipulates that financial institutions should report to NFRA or its local offices when they apply generative AI technology in public-facing services or high-risk application scenarios. Article 17 requires financial institutions to strengthen operational monitoring of AI in business scenarios, establish human supervision and intervention mechanisms at key links of high-risk applications, clarify conditions for emergency suspension and model exit, and establish backup systems or manual alternative processes.

Underwriting and claims settlement is a core part of insurance business and also one of the areas where AI is most widely adopted. Applications such as intelligent underwriting, intelligent claims, and anti-fraud identification all fall within the scope of high-risk applications defined by the Guiding Opinions. This means that a large number of existing AI applications in insurance institutions need to be included in high-risk management, go through the approval procedure of the Risk Management Committee, and need human intervention mechanisms. For fully automated claims settlement, it may be necessary to reassess the compliance status and even to include manual review modes.

(3) Data Governance and Personal Information Protection

Chapter IV of the Guiding Opinions puts forward systematic requirements for data governance capabilities, including improving the data management and operation system, building high-quality AI datasets, supporting the joint construction and sharing of industry datasets, and promoting the construction of knowledge engineering. Article 24 addresses data security and personal information protection: financial institutions should incorporate AI data security into the enterprise data security management system and strictly implement the requirements for classified and graded data protection. Personal information and privacy data such as names, ID numbers, mobile phone numbers, and bank card numbers should not be used for the training and optimization of generative AI models, so as to effectively prevent customer privacy leakage. The construction of model safety guardrails should be strengthened, and content filtering and desensitization management should be enhanced.

The insurance industry, which possesses a large amount of customer personal information and health data, is a data-intensive industry. The Guiding Opinions explicitly prohibit the use of personal information and privacy data for generative AI model training, which directly restricts the practice of insurance institutions using customer data to train large models. Insurance institutions need to comprehensively sort out and desensitize existing datasets used for model training to ensure compliance with regulatory requirements.

(4) Algorithmic Transparency and Explainability

Article 21 of the Guiding Opinions requires financial institutions to strengthen the transparency management of AI applications, formulate transparency and explainability standards for high-risk scenario applications, and clarify the logic of model design, data usage, feature selection, and output results. AI-generated content should be prominently marked and proactively explained to financial consumers. Article 22 further stipulates that when AI technologies with insufficient explainability are applied in high-risk scenarios, they may only serve as auxiliary tools, and final decisions should be made manually. When AI models are applied to key decisions involving customer rights and interests or having substantial financial impact, manual review modes must be set up, and original data, reasoning paths, and threshold trigger records should be fully retained to ensure traceability of responsibility. AI model algorithms should be audited regularly.

The “black box” problem of AI algorithms is one of the compliance pain points in the insurance industry. The Guiding Opinions put forward clear requirements for explainability, especially for key decisions involving customer rights and interests, where manual review modes must be set up and complete records must be retained. This means that when insurance institutions use AI in core business links such as underwriting, claims, and pricing, there will be compliance risks if they completely rely on algorithmic automatic decision-making. They must ensure the accessibility of human intervention and the traceability of decisions. The application of models with weak explainability, such as deep learning, in high-risk scenarios will be subject to stricter restrictions.

(5) Ethics and Fairness

Article 23 of the Guiding Opinions stipulates that the AI development and application by financial institutions should comply with the requirements of laws, regulations, and social values. An ethical review and monitoring system for AI development and application should be established, ethical codes of conduct should be formulated, dataset review and impact assessment on specific groups should be strengthened, and unfairness issues such as algorithmic discrimination should be avoided. When using protected characteristics or attributes, justification should be provided, and biased samples should be removed.

A large number of variables used in insurance product pricing and risk assessment may be correlated with protected characteristics such as gender, age, and region, which can easily lead to algorithmic discrimination issues. The Guiding Opinions require strengthening dataset review and impact assessment on specific groups and removing biased samples, which puts forward specific compliance requirements for data usage and model construction in insurance institutions. Insurance institutions need to establish an ethical review mechanism to conduct fairness assessments of AI applications and prevent unreasonable differential treatment of specific groups.

(6) Outsourcing and Supply Chain Risk Management

Article 18 of the Guiding Opinions stipulates that when using external AI technologies, financial institutions should establish management mechanisms in terms of outsourcing strategies, data security, and concentration management, and clarify rights, responsibilities, and obligations in security management through contractual agreements. When cooperating with external enterprises, effective “firewalls” for risk isolation should be established to prevent cross-industry risk transmission. List-based management should be implemented for outsourcing partners, and a strict internal evaluation framework should be established for introduced external models. Article 19 stipulates that financial institutions should establish a supply chain security compliance management mechanism for AI computing power, models, data, technical tools, etc., to ensure independent and controllable applications and prevent concentration risks caused by excessive reliance on individual technical services. The specifications for the use of open-source technologies should be improved, and a management ledger for open-source software should be established. Open-source components introduced from outside should be reviewed and evaluated, code audit, vulnerability scanning, and security testing should be strengthened, and potential risks of open-source components should be regularly investigated to prevent supply chain poisoning.

Currently, AI technologies in insurance institutions often rely on external suppliers, including large model services, algorithm platforms, data annotation, etc. The Guiding Opinions put forward systematic requirements for outsourcing and supply chain risk management, which means insurance institutions need to comprehensively sort out and evaluate existing AI suppliers and establish list-based management and access-exit mechanisms. For externally introduced models, an internal evaluation framework needs to be established to assess their security, compliance, and adaptability. In addition, the use of open-source technologies also needs to be brought under standardized management to prevent supply chain security risks.

III. Compliance Recommendations for Insurance Institutions

(1) Establishing and Improving the AI Governance System

First, clarifying the governance framework. It is recommended that insurance institutions designate an existing special committee (such as the Risk Management Committee) at the board level or separately establish a special committee for AI governance to undertake AI governance responsibilities and take charge of AI development planning and risk control.

Second, clarifying the leading department. It is recommended to designate relevant departments such as the technology department as the leading department and establish a multi-department coordination mechanism involving business, technology, data, risk control, and compliance to ensure clear responsibilities for the full-process management and control of AI applications.

Third, improving the institutional system. It is recommended to formulate supporting systems such as AI application management measures, data security management systems, and algorithmic ethics review systems, and establish a full lifecycle management process covering demand analysis, data preparation, training and development, deployment and operation, maintenance and iteration, and evaluation and exit.

(2) Improving the High-Risk Application Management Mechanism

First, conducting application sorting and classification and grading. It is recommended that insurance institutions comprehensively sort out existing and planned AI applications, conduct risk classification and grading based on factors such as the importance of business scenarios, application scale, customer impact, model dependence, and model complexity, and maintain an AI application list.

Second, strictly controlling access to high-risk applications. AI applications in high-risk scenarios such as underwriting and claims, risk management, and product pricing must go through the approval procedure of the Risk Management Committee and should not be launched for use without approval. For externally introduced generative AI models, it is necessary to confirm that they have been filed with the cyberspace administration department.

Third, establishing a human intervention mechanism. Human supervision and intervention modes should be set up at key links of high-risk applications, and the trigger conditions and procedures for manual review should be clarified. An emergency suspension mechanism and model exit plan should be established to ensure timely switching to manual processing or backup systems when model abnormalities occur.

Fourth, establishing a reporting mechanism. Relevant rules should explicitly specify that where generative AI technology is deployed in public-facing services or high-risk scenarios, including those involving fund transactions, asset valuation, credit approval, underwriting and claims, risk management, as well as those directly related to customer interests and directly affecting the conclusion of financial contracts, the financial institutions concerned should report to NFRA or its local offices.

(3) Strengthening Data Security and Privacy Protection

First, conducting compliance inspections of datasets. It is recommended to comprehensively sort out datasets used for AI model training, verify whether they contain personal information and privacy data such as names, ID numbers, mobile phone numbers, and bank card numbers, and desensitize or discontinue the use of non-compliant datasets.

Second, improving full lifecycle data management. Full-process management specifications covering data collection, cleaning, annotation, application, and exit should be established to ensure traceability of data sources. Unstructured data management should be strengthened, and data quality standards and inspection and control mechanisms should be formulated.

Third, strengthening data security control of generative AI. The use of customer personal information for generative AI model training and optimization should be strictly restricted. The construction of model safety guardrails should be strengthened, and content filtering and desensitization mechanisms should be improved to prevent customer privacy leakage through model output.

(4) Enhancing Algorithmic Explainability and Transparency

First, formulating explainability standards. For AI applications in high-risk scenarios, clear transparency and explainability standards should be formulated, and the logical explanation requirements for model design, data usage, feature selection, and output results should be clarified.

Second, optimizing model selection and design. Models with strong explainability should be prioritized in high-risk scenarios, and the scope of use of models with insufficient explainability should be strictly limited to serving only as auxiliary tools. The application of explainable AI technologies should be explored to improve model transparency.

Third, improving the manual review mechanism. For key decisions involving customer rights and interests or having substantial financial impact, manual review modes must be set up, and original data, reasoning paths, and threshold trigger records should be fully retained to ensure traceability of the decision-making process and accountability.

(5) Strengthening Outsourcing and Supply Chain Risk Management

First, implementing list-based management of suppliers. AI technology suppliers should be comprehensively sorted out and evaluated, access standards and exit mechanisms should be established, and list-based management should be implemented. The data security capabilities, algorithm security levels, and service stability of suppliers should be reviewed with emphasis.

Second, improving cooperation agreements. In cooperation agreements with external suppliers, clauses on data security, IP rights, liability assumption, and emergency response should be clarified to ensure that financial institutions can effectively control relevant risks. “Firewalls” for risk isolation should be established to prevent cross-industry risk transmission.

Third, strengthening open-source technology management. A management ledger for open-source software should be established, open-source components introduced from outside should be reviewed and evaluated, code audit, vulnerability scanning, and security testing should be strengthened, and potential risks of open-source components should be regularly investigated to prevent security risks such as supply chain poisoning.

(6) Establishing an Ethical Review and Fairness Assessment Mechanism

First, establishing an ethical review body. It is recommended to establish an AI ethics committee or similar body responsible for the ethical review and supervision of AI applications and formulating ethical codes of conduct.

Second, conducting fairness assessments. Dataset review and impact assessment on specific groups should be conducted for AI applications to identify and eliminate algorithmic bias and avoid unfairness issues such as algorithmic discrimination. Justification should be provided for the use of protected characteristics or attributes.

Third, strengthening customer notification. AI-generated content should be prominently marked, and the use of AI should be proactively explained to financial consumers to protect customers’ right to know and right to choose.

IV. Conclusions

The issuance of the Guiding Opinions indicates that AI regulation in China’s financial sector is gradually entering a new stage of systematization and standardization. Insurance institutions should attach importance to the implementation of the Guiding Opinions, incorporate AI governance into the overall governance system, balance the relationship between innovative development and risk prevention and control, promote the safe, compliant, and orderly development of AI technology in the insurance industry, and better serve the real economy and meet the insurance protection needs of the people.

It is recommended that insurance institutions promptly launch compliance self-inspection on AI development and application, sort out the compliance gaps in existing AI development and application against the various requirements of the Guiding Opinions, formulate rectification plans and implementation paths, and complete compliance rectification as soon as possible. Meanwhile, it is recommended that insurance institutions continuously pay attention to the supporting implementation rules and technical standards that may be subsequently issued by regulatory authorities, and timely adjust and improve relevant management systems and technical measures.

02.金融监管总局推动落实〈关于支持上海国际金融中心建设行动方案〉有关举措(2026年6月)

NFRA Measures to Promote the Implementation of the Action Plan for Supporting Shanghai’s Development as an International Financial Center (June 2026)

2026年6月17日,金监总局发布《金融监管总局推动落实〈关于支持上海国际金融中心建设行动方案〉有关举措(2026年6月)》(“《举措》”),总结2025年6月《行动方案》发布以来的进展,围绕上海国际金融中心的建设需要出台新举措,进一步推动相关政策任务落地。

发展再保险和航运金融。《举措》指出,金监总局拟与上海市进一步出台支持上海国际再保险中心建设的措施,推动跨境再保险分入业务收入境外投资试点,并在浦东新区研究探索巨灾风险转移工具。航运保险和航贸金融方面,相关举措包括支持金融机构参与航贸金融数字化国际标准制定、推动发布航贸金融数据标准、开展航运保险研究,并探索以上海为重点推进国际航运保险合作。

拓展养老金融和养老服务信托。围绕养老金融,《举措》提出推动商业养老金业务试点机构按照商业可持续原则,开发商业养老金产品“沪养保”,以满足差异化养老保障需求。同时,上海将探索养老服务信托试点,推动形成“意定监护+养老服务信托+养老服务机构”的全链条养老服务生态体系,发挥信托机制在大都市养老服务领域的作用。

加强科技监管建设。拟设立的“金监工程数智监管(上海)研发基地”将围绕监管数据贯通性和穿透性应用、监管流程标准化和数字化再造、监管工具自动化和智能化升级等方向开展建设,以提升与上海国际金融中心竞争力和影响力相适应的金融监管能力。

On June 17, 2026, NFRA issued the NFRA Measures to Promote the Implementation of the Action Plan for Supporting Shanghai’s Development as an International Financial Center (June 2026) (the “Measures”), summarizing the progress made since the issuance of the Action Plan in June 2025, and introducing new measures in light of the needs of Shanghai’s development as an international financial center, so as to further advance the implementation of relevant policy tasks.

Developing Reinsurance and Shipping Finance. According to the Measures, NFRA plans to work with Shanghai Municipality to introduce further measures supporting Shanghai’s development as an international reinsurance center, promote the pilot overseas investment of revenues from cross-border reinsurance business accepted, and explore catastrophe risk transfer tools in Pudong New Area. In relation to shipping insurance and shipping-trade finance, the relevant measures include supporting financial institutions in participating in the formulation of international digital standards for shipping-trade finance, promoting the release of shipping-trade finance data standards, conducting shipping insurance research, and exploring international shipping insurance cooperation focusing on Shanghai.

Expanding Pension Finance and Elderly Care Service Trusts. In relation to pension finance, the Measures propose to promote pilot commercial pension business institutions in developing the “Huyangbao” (Shanghai pension insurance) commercial pension product on a commercially sustainable basis, so as to meet differentiated pension protection needs. At the same time, Shanghai will explore pilot elderly care service trusts, promote the formation of a full-chain elderly care service ecosystem integrating “voluntary guardianship + elderly care service trusts + elderly care service institutions”, and leverage trust mechanisms in metropolitan elderly care services.

Enhancing RegTech Construction. The proposed “NFRA Digital Intelligent Supervision (Shanghai) R&D Base” will focus on integrated and look-through applications of regulatory data, standardization and digital restructuring of regulatory processes, and automation and intelligent upgrading of regulatory tools, with a view to enhancing financial regulatorycapabilities commensurate with Shanghai’s competitiveness and influence as an international financial center.

03.金融信息服务数据分类分级指南

Guidelines on the Classification and Grading of Financial Information Service Data

2026年6月8日,国家互联网信息办公室、中国人民银行、国家金融监督管理总局、中国证券监督管理委员会、国家统计局及国家外汇管理局联合发布《金融信息服务数据分类分级指南》(国信办通字〔2026〕2号)(“《指南》”),明确金融信息服务领域数据分类分级的统一框架,以规范金融信息服务数据收集和处理活动并提升数据安全治理水平。

明确金融信息服务数据分类框架。《指南》按照业务属性将金融信息服务数据划分为业务数据、用户数据及企业数据三大类,并在此基础上进一步细分为9个二级类别及67个三级类别。其中,业务数据包括金融市场数据、宏观经济数据、组织机构数据、行业指标数据及资讯报告数据;用户数据包括个人用户数据及机构用户数据;企业数据包括经营管理数据及系统运维数据,形成覆盖金融信息服务主要数据形态的分类体系。

建立四级数据分级体系。《指南》参照国家标准GB/T 43697-2024《数据安全技术 数据分类分级规则》,将金融信息服务数据自高至低划分为核心数据、重要数据、敏感一般数据及常规一般数据,并结合数据覆盖度、时间跨度、精度、公开状态及地域等因素进行综合判定,以反映数据潜在风险影响程度。影响程度从高到低可进一步分为特别严重危害、严重危害及一般危害。其中,核心数据与重要数据主要关注对国家安全、经济运行、社会秩序及重大公共利益等方面的潜在影响,敏感一般数据及常规一般数据则更多涉及组织及个人权益等层面的影响。

细化数据分类分级实施路径。《指南》为金融信息服务提供者开展数据分类分级工作提供操作路径,包括数据资源梳理、数据分类、数据分级、形成分类分级清单、报送重要数据目录及动态更新管理等步骤,并通过附录A提供三级分类数据的描述、示例以及数据分级的参考最低级别,以增强分类分级工作的可操作性与一致性。

On June 8, 2026, the Cyberspace Administration of China, the People’s Bank of China, the National Financial Regulatory Administration, the China Securities Regulatory Commission, the National Bureau of Statistics, and the State Administration of Foreign Exchange jointly issued the Guidelines on the Classification and Grading of Financial Information Service Data (No. Guo Xin Ban Tong Zi [2026] No. 2) (the “Guidelines”), which establish a unified framework for the classification and grading of financial information service data, with a view to standardizing the collection and processing of financial information service data and enhancing data security governance.

Clarification of the Data Classification Framework for Financial Information Services. The Guidelines classify financial information service data by business attributes into three primary categories, namely business data, user data, and enterprise data, and further subdivide them into 9 secondary categories and 67 tertiary categories. Specifically, business data include financial market data, macroeconomic data, organizational entity data, industry indicator data, and information and research report data; user data include individual user data and institutional user data; enterprise data include operational management data and system operation and maintenance data, thereby forming a classification system that covers the principal data types in financial information services.

Establishment of a Four-Tier Data Classification Framework. The Guidelines, with reference to the national standard GB/T 43697-2024 “Data Security Technology Data Classification and Grading Rules”, classify financial information service data, from high to low, into core data, important data, sensitive general data, and ordinary general data. The classification of individual data items is determined on a comprehensive basis, taking into account factors such as data coverage, time span, precision, public availability status, and geographic scope, so as to reflect the potential risk impact of the data. The level of impact is further categorized, from high to low, into particularly severe harm, severe harm, and general harm. In particular, core data and important data primarily concern potential impacts on national security, economic operation, social order, and major public interests, while sensitive general data and ordinary general data are more likely to involve organizational and individual rights and interests.

Refinement of the Implementation Path for Data Classification and Grading. The Guidelines provide an operational framework for financial information service providers to carry out data classification and grading, including steps such as data resource mapping, data classification, data grading, preparation of classification and grading inventories, submission of important data catalogs, and dynamic update management. In addition, Annex A to the Guidelines provides descriptions and examples of all tertiary-level data categories, as well as reference minimum grading levels for data items, so as to enhance the operability and consistency of classification and grading practices.

04.利用外资固稳促优行动方案

Action Plan for Stabilizing and Optimizing the Utilization of Foreign Capital

2026年6月16日,商务部、国家发展改革委、财政部联合发布《利用外资固稳促优行动方案》(“2026年方案”)。相较于《2025年稳外资行动方案》(“2025年方案”),2026年方案从2025年的“稳外资、扩开放、促落地”进一步转向“存量稳住、结构优化、便利化和权益保障更细化”。

市场准入。2025年方案主要提出扩大电信、医疗等领域开放试点,并落实制造业外资准入限制全面取消、优化服务业扩大开放综合试点等安排。2026年方案则将“扩大市场准入”细化为服务业、金融业、医药等产业三条主线。其中,金融业开放被单独列为一项,包括支持外资机构使用国债期货等风险管理工具、依法开展基金投资顾问业务、为重点外资企业提供跨境融资便利化额度、支持符合条件的重点外资企业境内上市融资等。

并购与股权投资。2025年方案提出修订《关于外国投资者并购境内企业的规定》,优化外资并购规则和并购交易程序,并降低跨境换股门槛。2026年方案继续强调加快修订该规定,但新增并突出了两点:一是优化并购管理流程和对价支付要求,强化部门监管协同;二是允许符合条件的外资股权投资机构以战略投资者身份参与非相关行业上市公司证券发行。

数据跨境。2025年方案主要是在鼓励跨国公司设立投资性公司时提到,在数据跨境流动等方面提供便利。2026年方案则把“优化数据跨境流动管理”单独列为一项,提出支持自贸试验区、国家服务业扩大开放试点城市在更多领域制定“场景化、字段级”数据出境负面清单,并推动制定工业、电信、地理信息、汽车、医药、航天、民航等行业领域重要数据识别目录国家标准。

再投资和研发中心。2025年方案提出研究制定鼓励外资企业境内再投资政策措施,并开展外资企业境内投资信息报告试点。2026年方案则进一步提出落实境外投资者以分配利润直接投资税收优惠政策,并将更多外资企业再投资项目纳入重大和重点外资项目清单,扩大服务保障范围。

招商引资。2025年方案侧重“投资中国”品牌、境外投资促进、差异化引资目标等。2026年方案新增“统筹做好外资项目规范招引”,提出加快出台地方政府招商引资鼓励和禁止事项清单,省级人民政府可按规定给予支持措施,并要求政府部门严格兑现依法作出的政策承诺。

外资管理。2026年方案新增“提升外商投资管理信息化水平”,提出全面优化外商投资信息报告制度,并健全外商投资信息共享机制,为外汇登记、行政许可、固定资产投资等领域外资管理提供支撑。2026年已从试点性安排进一步转向外资管理数字化、信息共享和跨部门支撑机制。

On June 16, 2026, the Ministry of Commerce, the National Development and Reform Commission, and the Ministry of Finance jointly issued the Action Plan for Stabilizing and Optimizing the Utilization of Foreign Capital (the “2026 Action Plan”). Compared with the Action Plan for Stabilizing Foreign Investment in 2025 (the “2025 Action Plan”), the 2026 Action Plan marks a further shift from the 2025 focus on “stabilizing foreign investment, expanding opening-up and promoting project implementation” to “stabilizing stock, optimizing structure, and enhancing facilitation and rights protection”.

Market Access. The 2025 Action Plan primarily proposed expanding pilot programs for opening up sectors such as telecommunications and healthcare, implementing the full removal of foreign investment access restrictions in manufacturing, and optimizing comprehensive pilot programs for expanding services sector opening-up. The 2026 Action Plan further refines “expanding market access” into three main lines: services sector, financial sector, and pharmaceutical industry. Notably, financial sector opening-up is designated as a standalone item, encompassing: supporting foreign institutions in utilizing risk management tools such as government bond futures; conducting fund investment advisory business in accordance with law; providing cross-border financing facilitation quotas for key foreign-invested enterprises; and supporting eligible key foreign-invested enterprises in listing and raising capital on domestic stock exchanges.

M&A and Equity Investment. The 2025 Action Plan proposed revising the Provisions on the Acquisition of Domestic Enterprises by Foreign Investors, optimizing foreign investment M&A rules and transaction procedures, and lowering the threshold for cross-border share swaps. The 2026 Action Plan continues to emphasize accelerating the revision of those provisions, but newly highlights two additional points: first, optimizing M&A management processes and consideration payment requirements while strengthening regulatory coordination among government departments; and second, allowing qualified foreign equity investment institutions to participate as strategic investors in securities issuance by listed companies in non-related industries.

Cross-Border Data Flows. The 2025 Action Plan mainly mentioned providing facilitation in cross-border data flows when encouraging multinational corporations to establish investment companies. The 2026 Action Plan designates “optimizing cross-border data flow management” as a standalone item, proposing to support pilot free trade zones and national pilot cities for expanding services sector opening-up in formulating “scenario-based and field-level” negative lists for cross-border data transfer in more sectors, and promoting the development of national standards for identifying important data in industries such as manufacturing, telecommunications, geographic information, automotive, pharmaceuticals, aerospace, and civil aviation.

Reinvestment and R&D Centers. The 2025 Action Plan proposed researching and formulating policy measures to encourage foreign-invested enterprises to reinvest domestically, and piloting information reporting for foreign-invested enterprises’ domestic investment. The 2026 Action Plan goes further by proposing to implement tax preferential policiesfor overseas investors making direct investment with distributed profits, and incorporating more foreign-invested enterprises’ reinvestment projects into the lists of major and key foreign investment projects, thereby expanding the scope of service guarantees.

Investment Promotion. The 2025 Action Plan focused on the “Invest in China” brand, overseas investment promotion, and differentiated investment attraction targets. The 2026 Action Plan newly adds “coordinating and standardizing the attraction of foreign investment projects”, proposing to accelerate the issuance of lists of encouraged and prohibitedpractices for local government investment promotion, allowing provincial-level people’s governments to provide support measures in accordance with regulations, and requiring government departments to strictly honor policy commitments made in accordance with law and to uphold credibility.

Foreign Investment Administration. The 2026 Action Plan newly adds “enhancing the informatization level of foreign investment administration”, proposing to comprehensively optimize the foreign investment information reporting system, and strengthen the foreign investment information sharing mechanism to provide support for foreign investment administration in foreign exchange registration, administrative licensing, fixed asset investment, and other areas. The 2026 Action Plan has further shifted from pilot arrangements to digitalization of foreign investment administration, information sharing, and cross-departmental support mechanisms.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More