BSP sets governance principles for banks’ responsible, ethical AI use

PHILIPPINE financial institutions should develop artificial intelligence (AI) governance frameworks that reflect the extent and complexity of their use of these emerging technologies in their operations to manage potential risks and establish safeguards for ethical use, the Bangko Sentral ng Pilipinas (BSP) said.

The BSP, through Memorandum No. M-2026-031 dated June 24, issued a guidance paper titled “Governance Principles for Artificial Intelligence in Financial Services” that its BSP-supervised financial institutions (BSFIs) can use in crafting their own AI policies.

“As artificial intelligence continues to advance and integrate into the financial sector, financial institutions must establish effective controls and safeguards against the attendant risks of AI adoption, such as data privacy concerns, bias leading to unfair and discriminatory practices, and misuse of technology, among others,” BSP Deputy Governor Lyn I. Javier said.

“It is recommended that financial institutions formally develop their own AI Governance Framework, proportionate to the nature, extent, scale, complexity, and materiality of their AI systems, as well as the institution’s overall operational complexity and risk profile, following the principles put forth in the guidance paper.”

Ms. Javier said having these controls in place will ensure that institutions can use AI safely and reap its benefits. “Ultimately, the ethical and responsible use of AI can foster trust, strengthen resilience, and promote sustainable innovation within the financial ecosystem.”

“While the BSP recognizes the significant potential of these technologies, it emphasizes the importance of upholding the highest standards of ethics, transparency, and accountability across the AI system lifecycle, particularly when AI is integrated into the strategic operations of financial institutions,” the BSP added.

The guidance paper outlines the minimum supervisory expectations for AI adoption, but the BSP said these principles are non-binding and compliance is voluntary as the regulator said it is up to BSFIs to formulate their own AI governance policies and risk management frameworks.

This is as it acknowledges that financial institutions are at different stages of AI maturity, which means their risk exposures vary. It added that AI governance frameworks can help address operational, information technology (IT), model, market conduct, reputational, strategic, and legal risks associated with AI use.

Aside from BSFIs, the principles also cover vendors or outsourced service providers that support these institutions’ AI-related activities under a shared responsibility model.

For its part, the BSP’s existing IT Risk Management framework covers emerging technologies as it focuses on information security, outsourcing, and project management. It will also release a Model Risk Management framework that will focus on algorithmic fairness and model risks throughout the entire model lifecycle using a proportionate and risk-based approach.

The BSP said AI governance across the financial sector should be governed by STARS principles, which stand for sustainability, transparency, accountability, responsibility, and security.

These principles should be considered at each stage of the AI system lifecycle: plan, develop, validate, deploy, and monitor.

For sustainability, BSFIs must ensure that their AI solutions are “materially” beneficial to the entire financial, environmental, and societal ecosystem, the central bank said. The development of these AI systems must aim to minimize carbon footprints, opt for energy efficiency, and must be “human-centered.”

The BSP added that for transparency, relevant and necessary information must be available and tailored to the knowledge and expertise of intended users or stakeholders. These transparency principles must also apply to third-party providers.

“To avoid blind reliance on AI system recommendations, users must be equipped to answer the questions such as ‘how’ the output was derived and ‘why’ a recommendation was made.”

The central bank said BSFIs must have a centralized AI systems inventory, and users should  be notified when the AI’s output is being used in the product or is included in the process.

They should also have documentation on the design process, decision-making process, error tracking and resolution, and options in algorithm build and data sources to ensure auditability of these systems. BSFIs must also ensure that identified risks, errors, and uncertainties have clearly defined mitigation procedures.

“Regular review of all AI systems should be done for appropriate monitoring and assessment of stakeholders.”

For accountability, the BSP said institutions must clearly define responsibility among management, developers, and all relevant stakeholders, emphasizing the importance of having a human in the loop.

“While AI systems provide recommendations, humans are ultimately accountable for decisions made. The output of AI systems should not replace or diminish human responsibility,” it said.

Human oversight and proper segregation of roles and ownership should be integrated across the AI system lifecycle, and those responsible for developing and deploying AI have sufficient experience and competence, the central bank said.

The BSP should also be able to monitor, oversee, and review the development and deployment of the AI algorithm and technology.

For responsibility and social fairness or ethical AI use, the central bank said the AI system should avoid unfair practices or potential harm to users, the institution, and the broader financial ecosystem. This covers data privacy concerns and avoiding potential bias against any demographic, particularly on minority or vulnerable groups through proper training data.

It added that BSFIs must “ensure that the main objective of the AI system is to contribute positively to the individual’s well-being and support the greater good of the financial system.”

Lastly, for security, BSFIs must have rigorous cybersecurity and data quality controls in place, the central bank said. They must conduct regular risk-based assessment for potential vulnerabilities in the AI systems and have risk mitigation controls, systems testing, and incident response procedures that also cover their AI models and systems.

It added that they should “regularly monitor and evaluate data quality and model performance to detect anomalies (such as bias and hallucination) early on.”

“AI system’s overall accuracy, reliability, and effectiveness hinge on the quality of its data sets.”

The guidelines push banks towards formal AI governance with clear standards on transparency, accountability, fairness, security, and human oversight, rather than just impromptu AI management, Philippine Institute for Development Studies Senior Research Fellow John Paolo R. Rivera said in a Viber message.

“The memo is timely because banks are already using AI for credit scoring, fraud detection, customer service, compliance, and risk management,” he said.

He larger banks already have measures against model risks, cybersecurity, data privacy, and compliance systems, while smaller lenders may need to improve aspects of their governance such as in AI inventory, documentation, independent validation, vendor oversight, and bias testing. — Aaron Michael C. Sy