Inside China Merchants Bank’s AI Model Risk Governance: Interview and Assessment Insights

Regulatory Background

To standardize AI activities, China has issued a series of laws and administrative regulations that require model decisions to be safe, reliable, fair, and transparent. Enterprises are now required to establish risk‑management and internal‑control mechanisms for AI models, making AI model risk governance a key future trend.

2021 GOLF+ IT New Governance Leadership Forum

On December 24, 2021, the China Academy of Information and Communications Technology (CAICT) hosted the “2021 GOLF+ IT New Governance Leadership Forum” with the theme “New governance benefits innovation, digital stability for the long term.” The forum focused on building a new ecosystem for technology governance and on XOPS innovation for operations development. Speakers from academia, industry, and research institutions shared experiences that promoted healthy digital governance across sectors.

AI Model Risk Governance Capability Maturity Assessment

During the forum, Mr. He Baohong, Director of the Cloud Computing and Big Data Institute of CAICT, announced the first batch of AI model risk‑governance capability maturity assessment results.

Assessing organization: China Academy of Information and Communications Technology

We interviewed Mr. Li Jinlong, head of the AI Laboratory in the Information Technology Department of China Merchants Bank, to explore the details of the two models that participated in the assessment and to share the bank’s AI model risk‑governance practices.

Interview Highlights

Q: Please introduce the two models that passed the assessment.

Li Jinlong explained that the bank submitted an intelligent‑customer‑service semantic‑matching model and a multimodal customer‑service analysis model for the financial sector. The semantic‑matching model was trained on 13 GB of proprietary financial data using a custom Chinese BERT pre‑training, followed by fine‑tuning for text matching to improve response accuracy. The multimodal model leverages video, audio, and text data to evaluate service quality across multiple dimensions, greatly enhancing service efficiency.

Q: How do you view the AI model risk‑governance maturity assessment?

He noted that the assessment covers the entire model lifecycle—from requirement analysis and data preparation to model revision and decommission—providing concrete guidance at each stage. The bank’s participation helped deepen its understanding of industry best practices and strengthened its internal governance policies.

Q: What motivated the bank to join the assessment?

The bank, an early adopter of AI in banking, recognized risks such as sensitive‑topic avoidance in chatbots and identity‑fraud in facial‑recognition. By joining the assessment, the team learned the latest risk‑governance frameworks and adapted them to build a robust internal governance system.

Q: How does the bank handle risk governance for the semantic‑matching model?

Risk controls include a blacklist of prohibited keywords applied during data preparation, a refusal module that blocks responses containing blacklisted terms, automatic horizontal scaling to handle traffic spikes, and a degradation plan for platform failures.

Q: What challenges did you encounter during the assessment?

Initially, the team’s understanding of AI risk governance was limited. Through multiple rounds of communication with the assessors, they gradually mastered the concepts and applied them using the bank’s own tools, ultimately achieving satisfactory results and improving their governance procedures.

Q: What are the next steps for your AI risk‑governance work?

The team plans to consolidate risk‑management processes onto a unified platform, reducing communication overhead and speeding up incident response.

AI Model Risk Governance Capability Maturity Model

The “AI Model Risk Governance Capability Maturity Model” was jointly developed by CAICT, the China Internet Association’s IT Risk Governance Committee, and more than 20 leading enterprises (including JD, Baidu, China Unicom, Ant Group, ByteDance, Tencent Cloud, etc.). It aligns with regulations such as the Personal Information Protection Law and draft guidelines on algorithm recommendation management, providing a comprehensive framework that covers strategy, organization, resources, and technical measures across the model lifecycle.

The assessment focuses on three key highlights:

Regulatory Alignment: Provides concrete, actionable guidance for enterprises to implement risk‑governance measures that meet current and upcoming regulations.

Industry Trust: Validates the maturity of AI model risk governance, fostering a trust and mutual‑recognition mechanism across sectors.

Cost‑Effective Management: Differentiates management methods for high‑, medium‑, and low‑risk models, helping organizations allocate resources efficiently.

By adhering to this framework, organizations can build robust AI risk‑governance capabilities, ensure transparent model decisions, and promote the responsible development of AI technologies.