May Global Regulatory Brief: Digital finance

The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.

Digital finance regulatory developments

As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. The following digital finance policy developments represent a sample of wider regulatory and policy coverage available to Bloomberg Terminal customers. Run REGS <GO> to find out more or contact your Bloomberg representative to learn more:

• Saudi Arabia: Government consults on AI Hub and data centres
• Indonesia: OJK publishes AI governance guidebook
• New Zealand: RBNZ highlights AI impact on financial stability
• Abu Dhabi: FSRA proposes updates to cyber risk management framework

Saudi Arabia consults on AI Hub / Data Centre Law

Saudi Arabia’s Communications, Space & Technology Commission (CST) has published a draft Global AI Hub Law for public consultation.

Types of Data Hubs: The law introduces three types of data centres—Private, Extended, and Virtual Hubs—allowing foreign entities to host data under their own legal jurisdictions.

Cross-Border Data Jurisdiction: A central innovation of the law is the “data embassy” model, where data hosted in the Kingdom remains under the jurisdiction of the country of origin. In Virtual Hubs, foreign authorities may issue binding legal orders for data access, which Saudi authorities may enforce—provided such requests align with international treaties and national interests. However, the Kingdom reserves the right to intervene in cases that threaten its sovereignty or security.

Diplomatic Privileges: Private Hubs enjoy significant legal protections: Saudi authorities may only access these facilities in emergencies (e.g., natural disasters or national threats). Additionally, bilateral agreements are required to establish these hubs, including commitments to secure connectivity and continuity.

Regulatory Oversight: The law will be overseen by a “Competent Authority”, which may be CST or another designated body. This authority will:

Approve and register all Hubs, Operators, and Service Providers.

Monitor compliance with global standards.

Receive regular updates from foreign jurisdictions on legal orders affecting data hosted in the Kingdom.

Next Steps: Consultation period ended on May 14, 2025.

Indonesia OJK publishes AI governance guidebook

The Indonesian Financial Services Authority (OJK) launched the “Tata Kelola Kecerdasan Artifisial Perbankan Indonesia,” a comprehensive AI governance guidebook for the banking sector. This initiative aims to promote responsible use of artificial intelligence (AI) in banking to accelerate digital transformation while ensuring ethical and secure AI deployment.

In more detail: The AI governance guidebook, unveiled by OJK’s Chief Executive of Banking Supervision, Dian Ediana Rae, provides a framework for the responsible development and implementation of AI technologies in the banking industry. 

• The guidebook emphasises the importance of integrating AI across various banking activities, including customer interactions, product development, pricing, compliance, risk management, fraud prevention, and data analytics.
• The guidebook outlines the AI life cycle and business cycle in banking, ensuring that AI systems are developed and operated ethically, safely, and in compliance with regulations. 
• The goal is to enhance efficiency and service quality while maintaining public trust, protecting customer interests, and contributing to the stability of the banking and financial systems. 
• This initiative complements other OJK policies supporting digital transformation in banking.

Next steps: The OJK will work closely with the banking industry to implement the guidelines effectively. 

• Banks are expected to adopt the principles outlined in the guidebook to ensure responsible AI usage. 
• OJK will also monitor the implementation process and provide support to banks in addressing challenges related to AI deployment. 
• Additionally, OJK plans to continue updating and refining the guidebook to keep pace with technological advancements and emerging risks. 
• This ongoing effort aims to foster a robust and secure AI ecosystem in Indonesia’s banking sector, ultimately contributing to the country’s broader digital transformation goals.

RBNZ highlights AI impact on financial stability

The Reserve Bank of New Zealand (RBNZ) released a report outlining both the benefits and risks of AI for financial stability

In more detail: This special topic from the Financial Stability Report 2025 outlines the current use of AI within the financial sector. It explores its potential benefits and challenges, and provides an overview of the evolving regulatory landscape.

Key findings of the report: The report noted that while AI offers enhanced risk management, productivity, innovation, and personalized services, it also introduces vulnerabilities such as system errors, data privacy issues, and market distortions. Regulated entities are expected to manage AI-related risks under their existing obligations. 

• AI adoption is accelerating: Models and tools are becoming increasingly sophisticated, with widespread use across financial services.
• AI can potentially benefit financial stability: AI can improve model accuracy, enhance risk assessment, strengthen cyber resilience, and help financial institutions better manage threats.
• AI may pose risks to financial stability: These include AI-driven errors, data privacy concerns, market distortions, and increased exposure to cyber attacks—all of which could amplify existing systemic risks.
• Market concentration poses risks: Heavy reliance on a few critical third-party providers could increase systemic vulnerabilities, particularly in a context of limited market competition.

What’s next: New Zealand is set to introduce the Risk Management Standard (RMS) and Operational Resilience Standard (ORS) for deposit takers by 2028, addressing AI-related risks within their existing frameworks, including cyber resilience and fair conduct principles under the CoFI Act 2022. 

• Despite these efforts, the rapid evolution of AI and its cross-border nature pose ongoing challenges for effective regulation globally. 
• RBNZ will continue to monitor AI risks and global regulatory developments through regular industry engagement.

ADGM FSRA proposes updates to cyber risk management framework

The Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM) published a consultation seeking feedback on proposed enhancements to its cyber risk management framework.

Summary: The proposed updates aim to strengthen operational resilience amidst growing cyber threat exposure across the financial sector. They build upon the FSRA’s Information Technology Risk Management Guidance and Governance Principles, and Practices to Mitigate Cyber Threats and Crime. 

The main proposed changes include incorporating cyber risk into governance and enterprise risk management processes, improving incident response and recovery planning, enhancing third-party risk oversight, and introducing regular cyber resilience assessments. 

Next steps: The consultation is open until 11 June 2025.

View the additional regulatory briefs from this month:

• Trading and markets
• Risk, capital and financial stability
• Green finance

Sign up to receive these updates in your inbox first.

How we can help

Bloomberg’s Public Policy and Regulatory team brings you insight and analysis on policy developments to help navigate the complex and fast changing global regulatory landscape. To discuss regulatory solutions, please get in touch with our specialists or read more insights from our Regulatory team.