Artificial intelligence (AI) regulation in Hong Kong is evolving within a fragmented, sector-specific framework. Different regulatory bodies oversee various industries, leading to a patchwork of guidelines rather than a unified regulatory structure. For instance, the Hong Kong Monetary Authority (HKMA) regulates AI applications in the banking sector, the Securities and Futures Commission (SFC) oversees AI in financial services, and the Office of the Privacy Commissioner for Personal Data (PCPD) provides guidance on data privacy in the use of AI across all sectors.

Additionally, common law principles address AI-related harms not specifically covered by existing regulations, allowing for legal recourse in disputes arising from AI deployment. While this overall approach allows for tailored oversight, it can create compliance challenges for businesses operating across multiple sectors.
This chapter of the guide focuses on key areas that require particular attention in the use of AI in Hong Kong. The authors first examine high-risk AI applications such as financial services, medical services and legal services, where AI use presents heightened regulatory and ethical concerns. We then explore sector-specific considerations, highlighting industries where AI adoption is particularly impactful, or where regulation is advancing quickly.
Following this, the authors discuss AI governance within organisations, explaining how businesses can integrate AI responsibly using structured oversight models such as the “three lines of defence”. Finally, we consider data privacy concerns, which are particularly relevant given the large volume of sensitive information processed by AI tools.
By examining these critical areas, this chapter provides a practical framework to help businesses navigate Hong Kong’s AI regulatory landscape while ensuring compliance and effective risk management.
High-risk AI applications
High-risk AI applications in Hong Kong reflect global trends, particularly in investment advice, fraud detection, legal advice and hiring. These applications and others are considered high-risk because they involve sensitive data such as personal information, affect consumer rights, or have significant financial and legal consequences.
For example, AI-driven investment advice may lead to unsuitable product recommendations, creating financial exposure for consumers and firms. Similarly, AI-powered fraud detection must be highly accurate to avoid false positives or negatives.
AI fraud detection is commonly used in financial services, e-commerce and cybersecurity, where machine learning models assess transaction patterns, user behaviour and device data to identify potential fraud in real time.
Such systems must be carefully monitored to prevent bias and ensure compliance with Hong Kong’s data protection and anti-fraud regulations. Legal AI tools handling case law analysis and contract drafting must ensure accuracy and fairness, while AI-based hiring tools need safeguards against bias and discrimination.
Regulatory bodies such as the SFC and HKMA have issued guidance addressing these types of risks in the financial services context. The SFC’s Circular on Generative AI requires licensed corporations to conduct risk assessments on the use of AI language models and sets out guiding principles for such risk assessment. Licensed corporations must also implement risk mitigation measures and monitoring mechanisms for AI-driven financial services. Meanwhile, the HKMA’s High-Level Principles on Artificial Intelligence provide recommended practices for AI governance. Regulatory sandboxes, such as the HKMA Gen AI Sandbox, offer businesses opportunities to test high-risk AI applications in a controlled environment.
Businesses implementing AI in high-risk areas may consider assessing applicable regulatory frameworks, incorporating human-in-the-loop mechanisms for oversight and ensuring continuous monitoring to mitigate risks.
Sector-specific AI

The use of AI in some sectors warrants particular attention due to regulatory focus, rapid technological advancements or the critical nature of AI applications. In this section, we discuss a range of sector examples.
In the banking and financial services sector, AI is widely used for robo-advisers, fraud detection and customer service. For example, it was reported in February 2024 that ICBC Asia in Hong Kong invested in AI technology to identify potentially fraudulent transactions and investigate alleged scams.
The HKMA and SFC require firms to implement governance frameworks that prioritise model explainability, cybersecurity and risk-based oversight.
The healthcare sector is leveraging AI for diagnostics, patient care tools, and operational efficiency. However, liability risks and data privacy concerns remain significant. For example, the PCPD notes that “healthcare providers use AI to analyse medical records and assist doctors in diagnoses”, and it gives “AI-assisted medical imaging analytics or therapies” as an example of high-risk AI use. The PCPD emphasises the need for human oversight to “reduce the risk of significant adverse impacts on individuals materialising during deployment”.
The legal sector is also increasingly adopting AI for tasks including contract analysis, legal research and document automation. The Law Society of Hong Kong’s 2024 position paper highlights the need for specialised roles such as legal knowledge engineers – also known as “prompt engineers” – who develop knowledge bases, encode legal rules and optimise AI outputs. Legal technologists and automation specialists can also play a key role in implementing and managing AI tools, requiring expertise in areas like natural language processing, logic programming and workflow automation.
In the judicial context, specific guidelines have been introduced to ensure AI use aligns with principles of judicial independence, impartiality and accountability, emphasising that AI may not be used to usurp or encroach on judicial functions but may support and facilitate judicial work.
AI governance
For businesses using AI, regulatory compliance and risk management are key considerations. A governance framework can help organisations balance innovation with accountability. The authors have assisted financial institutions with reviewing their policies for AI use.
A model we have seen includes the three lines of defence framework, which helps integrate AI oversight across different functions within a business. The three lines of defence framework is widely used by financial institutions in corporate compliance and applies to their day-to-day operations to enhance efficiency.
The framework aims to balance compliance obligations with AI innovation by ensuring independent checks at multiple levels:
- The first line of defence consists of business units that develop and deploy AI-driven tools for uses including customer engagement, fraud detection and process automation. These units must ensure AI-driven decisions align with regulatory expectations and ethical considerations such as bias mitigation and transparency in decision making.
- The second line of defence includes risk management and compliance teams that assess AI models for vulnerabilities, cybersecurity threats and regulatory alignment. Many organisations use AI risk assessment frameworks, drawing from the HKMA and SFC best practices to ensure AI systems remain compliant and robust.
- The third line of defence involves independent audits to validate AI governance and risk management effectiveness. These periodic reviews help businesses detect potential regulatory gaps, enhance accountability and strengthen trust in AI-driven processes.
Data privacy and AI

As AI systems process increasing volumes of sensitive data, data privacy has become a key regulatory concern in Hong Kong. The “Artificial Intelligence: Model Personal Data Protection Framework”, published by the PCPD in June 2024, provides detailed guidelines on the handling of personal data by organisations (including financial institutions) procuring, implementing and using AI systems that involve personal data.
Adopting a risk-based approach, the PCPD framework provides recommendations for local enterprises, while the Data Protection Principles under the Personal Data (Privacy) Ordinance (Cap 486) remain applicable.
An increasing concern is data scraping, in which AI models collect publicly available online data without explicit consent for unauthorised uses such as reselling the data, facilitating cyberattacks, committing identity fraud, or enabling unsolicited direct marketing and spam messages.
The PCPD has warned that data scraping can lead to significant privacy risks. The PCPD’s joint statement on data scraping highlights that businesses using AI must take proactive measures to ensure compliance with data protection laws.
Conclusion
In the absence of a unified AI regulatory framework, businesses and other stakeholders that proactively address high-risk AI applications, tailor industry-specific compliance strategies and establish robust AI governance models will be better positioned to mitigate regulatory risks.
Companies may consider thoroughly assessing applicable regulations, engaging with regulatory sandboxes and implementing governance structures such as the three lines of defence model. Data privacy remains a central issue, and organisations may consider best practices in data protection, including anonymisation and transparent AI decision making.
A proactive approach to governance, risk management and regulatory engagement will be essential for businesses looking to integrate AI while maintaining compliance. Expert legal guidance can help navigate the evolving AI landscape and ensure responsible, compliant AI deployment that aligns with business objectives.
STEVENSON, WONG & CO.
39/F, Gloucester Tower, The Landmark, 15 Queen’s Road Central, Hong Kong
Tel: +852 2526 6311
Email: info@sw-hk.com