BSP pushes AI governance framework for financial stability

MANILA, Philippines — The Bangko Sentral ng Pilipinas (BSP) is urging banks and nonbanks to craft their artificial intelligence (AI) governance frameworks to address adoption risks, such as data privacy concerns, bias and reputational damage.

In Memorandum M-2026-031, the BSP released a guidance paper titled “Governance Principles for Artificial Intelligence in Financial Services,” seeking to guide financial institutions in formulating their own governance policies and risk management frameworks.

BSP Deputy Governor Lyn Javier said frameworks must be tailored to their “nature, extent, scale, complexity and materiality of their AI systems” as the bank acknowledges that financial institutions are at different stages of AI maturity.

Javier added that overall operational complexity and risk profile should also be considered.

Under the memorandum, the BSP said the absence of a comprehensive AI governance framework introduces multiple layers of risk, spanning operational, information technology, model, market conduct, reputational, strategic and legal risks.

The central bank also said that in the absence of clear guidelines and safeguards, AI systems could perpetuate biases, leading to unfair practices and the exclusion of individuals from access to financial products and services.

With this, the BSP introduced the STARS principle, which stands for sustainability, transparency, accountability, responsibility and security.

Under the transparency pillar, BSP said financial institutions should notify users when AI outputs are embedded in products or processes by incorporating this information into the product’s terms and conditions or other relevant documentation.

Responsibility, meanwhile, calls for AI systems to be designed and deployed in ways that avoid unfair practices or potential harm to users, institutions or the broader financial ecosystem.

“AI systems must incorporate clear and transparent opt-in and opt-out mechanisms, as applicable, which should be available and clear to the data owners,” it said.

Meanwhile, the security pillar entails conducting risk based assessments, strengthening defenses against adversarial attacks and guarding against data poisoning.

However, the BSP said the principles presented in this document are “non-binding” and compliance is voluntary.

“This policy shall be implemented in a manner consistent with and without prejudice to existing laws and regulations,” the central bank said.