FDUA publishes Updated Version of the "Financial Generative AI Guideline 2025"
The "Guidelines for the Use of Generative AI in Financial Institutions" is a comprehensive framework designed to help Japanese financial institutions navigate the rapidly evolving landscape of Generative AI. Version 1.1 represents a significant update to the initial release, incorporating a year's worth of practical experience, industry feedback, and rapid technological advancements, including the rise of AI Agents.
The foreword, penned by Junichi Nakajima, former Commissioner of Japan's Financial Services Agency (FSA), sets a pragmatic tone. It acknowledges that while Generative AI offers transformative potential for the data-intensive financial industry, its misuse can introduce significant business and societal risks. The guideline, developed by a diverse group of experts from finance, IT, law, and consulting, aims to provide a balanced approach—enabling institutions to mitigate risks while proactively harnessing AI for business innovation and growth. It is positioned not merely as a set of rules but as a "first step" in a continuous, collaborative journey for the entire industry.
Chapter 1: Purpose and Positioning of the Guidelines
This chapter establishes the guideline's objectives, scope, and core conceptual frameworks.
1.1 Purpose of the Guideline:
The primary goal is to promote the innovative and sound use of Generative AI within Japanese financial institutions. Recognizing that the industry is moving from initial exploration to broader implementation, the guideline provides a common set of principles and practical considerations to manage emerging risks and maximize value. It builds upon the Japanese government's broader "AI Operator Guidelines" but focuses specifically on the unique context and responsibilities of the financial sector.
1.2 Positioning and Update Cycle:
The FDUA positions this as a proactive or "offensive" (攻め) guideline, intended to encourage innovation rather than solely focusing on risk avoidance. It is a "living document" designed for continuous updates based on member feedback, technological shifts (like AI Agents and Reasoning models), and evolving regulatory landscapes.
1.3 Three Levels of Generative AI Utilization:
A central framework for classifying AI adoption maturity:
- Level 1: Enhancing/Streamlining Individual Tasks. This is the entry point, where employees use off-the-shelf Generative AI tools (like ChatGPT) for personal productivity tasks such as drafting emails, summarizing documents, and brainstorming. The impact is localized to individual efficiency.
- Level 2: Enhancing/Streamlining Business Processes. This level involves connecting Generative AI models with internal company data and systems. It enables the creation of specialized AI applications for automating or augmenting specific business processes, such as generating initial drafts for loan approval documents or creating customized responses for customer service inquiries.
- Level 3: Providing New Business Models and Customer Experiences. This is the most advanced level, where Generative AI is embedded into customer-facing products and services. Examples include AI-powered financial advisory chatbots, personalized product recommendations, and automated customer support systems. This level directly impacts customers and creates new revenue streams or business models.
1.4 Stakeholder Roles:
The guideline differentiates itself from government publications by introducing the role of the AI Planner (AI企画者), a critical function within a business context responsible for strategic planning and use case definition. The four key stakeholder roles defined are:
- AI Planner: Plans new GenAI services, defines objectives, and promotes development and use.
- AI Developer: Builds the GenAI system, including model development, data processing, and system infrastructure.
- AI Provider: Offers the GenAI model as a service, integrated into applications or business processes.
- AI User: Utilizes the GenAI system or service in their business activities.
Chapter 2: What is Generative AI?
This chapter provides a foundational understanding of Generative AI technology and its associated risks, updated to include the latest advancements.
2.1 Characteristics of Generative AI:
The guideline explains core concepts beyond basic text generation:
- Prompt Engineering: The craft of designing effective inputs (prompts) to guide the AI's output.
- Retrieval-Augmented Generation (RAG): A technique that enhances AI responses by allowing the model to retrieve and reference information from external, trusted knowledge bases (e.g., internal company documents) in real-time. This reduces "hallucinations" and allows for responses based on current, proprietary data.
- Reasoning Models: AI models capable of complex, multi-step logical inference, often using techniques like "Chain of Thought" to break down problems.
- AI Agents: Autonomous systems that use LLMs as their "core brain" to understand goals, create plans, and execute tasks by interacting with other tools and systems.
2.2 Risks of Generative AI:
A comprehensive list of potential dangers, with a new focus on risks emerging from AI Agents:
- Information Leakage: Leakage of personal or confidential data entered into prompts.
- Hallucination: The generation of plausible but incorrect or fabricated information.
- Prompt Injection: Malicious attacks where users manipulate prompts to bypass safety controls or elicit unintended behavior.
- Third-Party Risk: Risks associated with using external AI services, including data security and service dependency.
- Copyright Infringement: AI generating content that closely resembles copyrighted material from its training data.
- Inappropriate Input/Output: Generation of biased, harmful, or toxic content.
- AI Agent-Specific Risks:
  - Unexpected Actions: Agents performing unintended or harmful actions due to their autonomy.
  - Black-Box Processes: Difficulty in explaining an agent's decision-making process.
  - Unclear Liability: Ambiguity over who is responsible when an autonomous agent causes harm.
  - Agent Hijacking: Malicious takeover or manipulation of an agent by external actors.
  - Negative Interaction Loops: Multiple agents interacting in unforeseen ways that lead to cascading failures or harmful emergent behavior.
Chapter 3: AI Principles to Consider
This chapter outlines ten core ethical and operational principles for responsible AI use, structured based on a survey of FDUA members that revealed the industry's priorities. The principles are grouped into three "steps" reflecting their adoption maturity.
Step A: Foundational Principles (High Interest, High Implementation)
- A-1. Security: Ensuring the security of AI systems and data against cyberattacks, data breaches, and model manipulation (e.g., data poisoning, adversarial attacks). For AI Agents, this includes securing access to external tools and APIs.
- A-2. Safety: Ensuring that AI systems do not harm human life, property, or the environment. This includes managing risks from system malfunctions and misuse, with a particular focus on the potential for harm from flawed reasoning in complex models.
- A-3. Privacy: Protecting personal and sensitive information in accordance with laws like the APPI. For RAG systems, this includes preventing the unintentional output of personal data contained in reference documents.
Step B: Next-Level Principles (High Interest, Moderate Implementation)
- B-1. Human-Centricity: Designing and operating AI systems to prioritize human well-being, dignity, and autonomy. This involves ensuring human oversight ("human-in-the-loop"), preventing manipulation, and combating misinformation.
- B-2. Innovation: Promoting an environment that fosters technological advancement through open innovation, interoperability, and international collaboration.
- B-3. Education & Literacy: Ensuring that all stakeholders (from employees to executives) have the necessary knowledge and skills to understand and use Generative AI safely, ethically, and effectively.
Step C: Advanced Principles (Lower but Growing Implementation)
- C-1. Transparency: Ensuring that the decision-making processes of AI systems are understandable and verifiable. This includes logging, documentation, and the ability to trace outputs back to their sources, which is especially complex for Reasoning models and AI Agents.
- C-2. Fairness: Preventing AI systems from producing biased or discriminatory outcomes. This requires careful management of data quality, bias detection and mitigation, and ensuring equitable access to services.
- C-3. Accountability: Establishing clear lines of responsibility for the outcomes of AI systems. This includes defining roles, documenting decisions, and ensuring that there are mechanisms for redress when problems occur.
- C-4. Ensuring Fair Competition: Preventing the monopolistic use of AI technology or data that could stifle market competition.
Chapter 4: Building an AI Governance Framework
This entirely new chapter in Version 1.1 provides a practical guide for establishing a robust AI governance system within a financial institution.
- Necessity of Governance: Financial institutions have a high degree of public and social responsibility. Strong governance is essential to manage AI risks at an acceptable level while maximizing benefits, ensuring a consistent and controlled approach across the organization.
- AI Basic Policy and Internal Rules: The framework starts with a high-level AI Basic Policy set by management, outlining the institution's philosophy on AI. This is translated into detailed Internal Rules that provide practical guidance for development and operational teams. Education and training are crucial for embedding these rules into daily practice.
- Clarifying Roles and Responsibilities: A "three lines of defense" model is recommended:
  - First Line: Business and development departments that use and build AI systems are responsible for day-to-day risk management.
  - Second Line: A central AI Governance Body (e.g., a committee of IT, risk, legal, and compliance experts) provides oversight, sets standards, and supports the first line.
  - Third Line: The internal audit department independently assesses the effectiveness of the AI governance framework.
- AI Risk Assessment and Management Framework: The guideline advocates for a structured process:
  - AI System Registry: Maintain a central inventory of all AI systems in use or development.
  - Risk Classification: Classify AI systems based on their potential impact (e.g., "High-Risk AI"). High-risk applications, such as those making autonomous decisions affecting customer finances, require stricter controls and management approval.
  - Checklists: Use checklists for risk assessment at both the introduction phase (planning/development) and the operational phase (monitoring/maintenance).
Chapter 5: Overview of AI-related Laws and Regulations
This chapter maps the principles from Chapter 3 to the existing Japanese legal and regulatory framework. It clarifies that while there is no single, comprehensive "AI law" in Japan, a matrix of existing laws applies.
- Key Laws:
  - Copyright Act: Particularly relevant for training data and generated content. The guideline discusses the "non-enjoyment purpose" exception (Article 30-4) that allows for use of copyrighted works for information analysis, but also its limitations.
  - Act on the Protection of Personal Information (APPI): Governs the collection, use, and transfer of personal data, which is central to many AI applications.
  - Financial Regulations: Various industry-specific laws (e.g., Banking Act, Financial Instruments and Exchange Act) that impose duties of care, suitability, and explanation on institutions, all of which are impacted by AI use.
- Soft Law and Guidelines: The chapter emphasizes the importance of guidelines from regulatory bodies like the FSA, METI, and MIC, as well as industry standards bodies like FISC (The Center for Financial Industry Information Systems). These provide practical interpretation and best practices.
- International Trends: Briefly covers the influence of international regulations, most notably the EU AI Act, noting its risk-based approach and potential global impact.
Chapter 6: Mapping to the Generative AI Lifecycle
This section provides a practical, phase-based guide for managing a Generative AI project from conception to retirement.
- Lifecycle Stages:
  - Planning: Define the business objective, target users, quality requirements, and risk tolerance. Crucially, define the level of AI autonomy and the points where human judgment is required.
  - Development: Build the AI model and surrounding logic. This includes data collection, model selection/tuning (e.g., RAG vs. fine-tuning), and developing the user interface and control mechanisms.
  - Provision/Deployment: Implement the system in the production environment. This involves user training, system stabilization, and careful assessment of the output's impact on business workflows.
  - Operation: Continuously monitor the system's performance, accuracy, and risks. This includes collecting user feedback, retraining models as needed, and responding to incidents like hallucinations or inappropriate outputs.
- Best Practices for RAG: An appendix to this chapter offers a deep dive into best practices for implementing RAG systems, covering everything from use case design and data preparation to evaluation metrics and operational monitoring.
Chapter 7: Generative AI Use Cases in Finance
This chapter provides concrete examples of how financial institutions are currently using or piloting Generative AI, categorized by business area and the three levels of utilization.
- Market Overview: Cites surveys showing high and growing adoption of Generative AI in the Japanese financial sector, which is ahead of many other industries.
- Example Use Cases:
  - Customer Interface:
    - (Level 1/2) Internal tools for sales staff to draft customer emails or prepare for meetings.
    - (Level 3) Customer-facing AI chatbots for inquiries, AI avatars for in-branch assistance.
  - Operations:
    - (Level 2) Automating the drafting of loan approval documents by summarizing applicant data.
    - (Level 2) Summarizing thousands of pages of regulatory documents for compliance teams.
    - (Level 2/3) AI Agents for automating back-office processes like data entry and reconciliation.
  - IT/Systems:
    - (Level 2) Code generation and debugging assistance for developers (e.g., AI co-pilots).
    - (Level 2) Automated generation of test cases and system documentation.
  - Corporate:
    - (Level 2) HR applications for matching employee skills with internal job openings.
    - (Level 2) Automated analysis of internal communications (e.g., emails) for compliance monitoring.
Chapter 8: Further Issues for Expanded Use of Generative AI
This final chapter looks to the future, addressing the key challenges and strategic considerations for moving beyond initial successes to achieve transformative business impact.
- Current Challenges: The main hurdle is moving from PoCs that demonstrate efficiency gains (cost reduction) to scalable applications that generate significant business value (revenue growth, new markets) and justify the investment.
- Key Technologies: Re-emphasizes the importance of mastering techniques like RAG, fine-tuning, and Function Calling, as well as the foundational need for a robust and well-governed data infrastructure ("AI-Ready" data).
- Organizational Strengthening and HR Development: Success with AI requires more than just technology; it demands organizational change. This includes cultivating new roles (like the Business Architect), upskilling the workforce in AI literacy and prompt engineering, and fostering a culture of experimentation and continuous learning.
- AI's Progress and Impact on Management: Management must understand the strategic implications of AI's rapid progress, including:
  - Multimodality: AI that can process text, images, and voice simultaneously will open new possibilities.
  - AI Agents: The shift towards autonomous AI will fundamentally change workflows.
  - The Future of Work: The focus for human employees will shift from routine tasks to uniquely human skills: strategic thinking, complex problem-solving, empathy, and ethical judgment. Management's role is to lead this transition and redesign the organization around a human-AI collaborative model.
Conclusion
The "Financial Generative AI Guideline (Ver 1.1)" concludes by reaffirming its purpose as a dynamic and collaborative tool for the industry. It is not a static book of rules but a shared framework for balancing innovation ("offense") with safety and responsibility ("defense"). The FDUA encourages a continuous dialogue around this framework, inviting all stakeholders to help evolve the industry's collective wisdom as they navigate the profound changes brought by Generative AI.