AI governance for APAC finance, from FEAT to generative AI
MAS, HKMA and peer regulators set the early benchmarks for AI in financial services. The generative AI wave has now pulled those frameworks into resilience and third-party risk territory.

The Monetary Authority of Singapore published the FEAT Principles, covering Fairness, Ethics, Accountability and Transparency in the use of AI and data analytics in finance, in November 2018, and followed with the Veritas industry consortium and a series of assessment methodologies from 2019 onwards. The Hong Kong Monetary Authority issued its High-level Principles on Artificial Intelligence in November 2019, alongside guidance on consumer protection in the use of big data analytics and AI. Those two bodies of work set the early regional benchmark on which generative AI guidance has since been layered.
The generative AI wave shifted the conversation from model-by-model assessment to enterprise-wide governance of third-party models. MAS published its information paper on the use of generative AI in financial services in 2024, setting out supervisory observations on model risk management, data governance, third-party risk and incident response specific to large language models and similar systems. HKMA has issued circulars on generative AI use cases, including consumer-facing applications, and other regional regulators including the Bank of Thailand, OJK and the Reserve Bank of India have begun their own consultations and guidance.
From a resilience perspective, generative AI introduces several distinctive risks. The dominant providers are concentrated, the underlying foundation models change frequently and without granular notice, the input and output channels create new data exfiltration paths and the failure modes are probabilistic rather than deterministic. Each of these maps onto an existing supervisory expectation, but the mapping is non-trivial. A model that drifts in behaviour after a vendor update is not the same as a system that goes offline, and incident playbooks need to recognise the difference.
Third-party risk frameworks built for traditional outsourcing struggle with the foundation model layer. The largest providers do not negotiate bespoke audit rights, transparency on training data is partial and exit is constrained by the scarcity of substitutable models at comparable capability. Regulators have acknowledged these realities and have focused on what institutions can do, including layered controls, robust evaluation pipelines, human oversight for material decisions and contingency plans that anticipate degradation rather than only outage.
Model risk management practice is converging on a common shape across the region. Institutions are extending their existing model inventories to cover AI systems, classifying them by impact, requiring evaluation evidence before deployment and re-evaluation after material change, and instituting monitoring for drift, bias and prompt injection. The supervisory test is whether the framework actually constrains deployment rather than documenting it after the fact.
Consumer protection sits alongside resilience as a parallel supervisory thread. Both MAS and HKMA have emphasised transparency to customers when AI materially affects them, the availability of human recourse for contested outcomes and the importance of not using AI to circumvent existing conduct expectations. Practical implementation requires close coordination between technology, risk, compliance and the customer-facing business, and the institutions that have built that coordination muscle are visibly ahead.
For boards and executives setting AI agendas in 2026, three priorities are emerging. First, ensure the AI inventory is real, current and includes shadow deployments by individual teams. Second, treat the foundation model layer as a concentrated third-party dependency and plan for it explicitly in resilience scenarios. Third, invest in evaluation and monitoring capability rather than only in deployment capability, because supervisory scrutiny will increasingly focus on what the institution knows about its AI systems in production.

