/images/ppid_59c68470-image-178231503327681049.webp)
/images/ppid_a911dc6a-image-178231206489630406.webp)
What is the story about?
The Reserve Bank of India (RBI) has proposed a comprehensive regulatory framework governing the use of models, including Artificial Intelligence (AI) and Machine Learning (ML) systems, across banks, NBFCs and other regulated financial entities, signalling a major step towards formal AI governance in the financial sector.
In a draft guideline released for public consultation on Wednesday evening, the RBI said regulated entities are increasingly relying on models to drive lending, risk management, customer service and operational decisions, but warned that these systems also introduce model risks that could lead to “inaccurate outcomes, flawed decisions, financial losses, operational disruptions, compliance failures and other adverse consequences.”
The proposed framework applies to all models used by regulated entities, whether developed internally or sourced from third parties. The RBI has adopted an expansive definition of a model, covering not only AI systems but also algorithms, analytics tools, decision engines and even spreadsheet-based applications if they materially influence business decisions.
The central bank made it clear that accountability cannot be outsourced. “An RE is accountable for the outcomes of all models used by it, irrespective of whether the models are developed internally, sourced from third-parties, or a combination thereof,” the draft said.
Board-level oversight for high-risk models
Under the proposal, every regulated entity will be required to establish a Board-approved Model Risk Management Framework (MRMF), covering governance, validation, monitoring, approval structures and business continuity arrangements.
The RBI has proposed that institutions classify models by risk, based on factors such as business materiality, complexity, consumer impact and regulatory considerations. High-risk models would require approval from the Risk Management Committee of the Board (RMCB).
The framework also mandates a “three lines of defence” structure, with model owners, independent validation teams and internal auditors assigned distinct oversight roles.
Independent validation made mandatory
A key pillar of the framework is mandatory independent validation of all models, including those sourced from external vendors.
The draft states that all models, including third-party models, must undergo independent validation by regulated entities. This would include assessment of data quality, assumptions, conceptual soundness, performance, and alignment with intended use.
The RBI also proposed that no model should be deployed unless it is included in a formal inventory maintained by the institution. Decommissioned models would need to be retained for at least 10 years.
Detailed AI governance framework
A significant part of the proposal focuses on AI and ML systems, including generative AI. The RBI has asked regulated entities to define the scope of AI models, including foundation and frontier AI systems, and deploy them only where risks can be properly identified, measured and managed.
The draft also introduces requirements around explainability, transparency and fairness. “It should define the explainability and transparency thresholds for all AI models and ensure that their outputs are explainable to the extent required for the business process,” it said.
Where full explainability is not possible, the RBI has suggested tighter safeguards, including enhanced validation, restricted usage, more frequent monitoring, and independent verification of outputs.
Focus on hallucinations, bias and black-box risks
The RBI has explicitly flagged emerging risks linked to advanced AI systems. It has asked institutions to implement safeguards against hallucinations in generative AI models and conduct testing under stressed and adversarial conditions.
“It should put in place appropriate control boundaries … to mitigate risks of hallucinations,” the draft said.
The regulator has also directed firms to address bias and discriminatory outcomes, especially in customer-facing applications. For third-party AI systems with limited transparency, institutions may need to restrict usage based on risk assessment.
Human oversight remains central
Despite rising automation, the RBI has emphasised that human oversight remains essential. It has proposed “human-in-command” arrangements, override mechanisms, suspension tools and kill switches for AI systems.
Institutions will also need to periodically review AI-driven decisions and ensure staff have the expertise to challenge or override model outputs where required.
Customer protections introduced
The framework includes customer-facing safeguards for AI systems. Regulated entities will need to disclose when customers are interacting with an AI system, explain its limitations, and offer access to human assistance.
The RBI also said regulated entities “should not use any model that harms consumer,” and grievance systems must specifically address complaints arising from model-driven decisions.
In a draft guideline released for public consultation on Wednesday evening, the RBI said regulated entities are increasingly relying on models to drive lending, risk management, customer service and operational decisions, but warned that these systems also introduce model risks that could lead to “inaccurate outcomes, flawed decisions, financial losses, operational disruptions, compliance failures and other adverse consequences.”
The proposed framework applies to all models used by regulated entities, whether developed internally or sourced from third parties. The RBI has adopted an expansive definition of a model, covering not only AI systems but also algorithms, analytics tools, decision engines and even spreadsheet-based applications if they materially influence business decisions.
The central bank made it clear that accountability cannot be outsourced. “An RE is accountable for the outcomes of all models used by it, irrespective of whether the models are developed internally, sourced from third-parties, or a combination thereof,” the draft said.
Board-level oversight for high-risk models
Under the proposal, every regulated entity will be required to establish a Board-approved Model Risk Management Framework (MRMF), covering governance, validation, monitoring, approval structures and business continuity arrangements.
The RBI has proposed that institutions classify models by risk, based on factors such as business materiality, complexity, consumer impact and regulatory considerations. High-risk models would require approval from the Risk Management Committee of the Board (RMCB).
The framework also mandates a “three lines of defence” structure, with model owners, independent validation teams and internal auditors assigned distinct oversight roles.
Independent validation made mandatory
A key pillar of the framework is mandatory independent validation of all models, including those sourced from external vendors.
The draft states that all models, including third-party models, must undergo independent validation by regulated entities. This would include assessment of data quality, assumptions, conceptual soundness, performance, and alignment with intended use.
The RBI also proposed that no model should be deployed unless it is included in a formal inventory maintained by the institution. Decommissioned models would need to be retained for at least 10 years.
Detailed AI governance framework
A significant part of the proposal focuses on AI and ML systems, including generative AI. The RBI has asked regulated entities to define the scope of AI models, including foundation and frontier AI systems, and deploy them only where risks can be properly identified, measured and managed.
The draft also introduces requirements around explainability, transparency and fairness. “It should define the explainability and transparency thresholds for all AI models and ensure that their outputs are explainable to the extent required for the business process,” it said.
Where full explainability is not possible, the RBI has suggested tighter safeguards, including enhanced validation, restricted usage, more frequent monitoring, and independent verification of outputs.
Focus on hallucinations, bias and black-box risks
The RBI has explicitly flagged emerging risks linked to advanced AI systems. It has asked institutions to implement safeguards against hallucinations in generative AI models and conduct testing under stressed and adversarial conditions.
“It should put in place appropriate control boundaries … to mitigate risks of hallucinations,” the draft said.
The regulator has also directed firms to address bias and discriminatory outcomes, especially in customer-facing applications. For third-party AI systems with limited transparency, institutions may need to restrict usage based on risk assessment.
Human oversight remains central
Despite rising automation, the RBI has emphasised that human oversight remains essential. It has proposed “human-in-command” arrangements, override mechanisms, suspension tools and kill switches for AI systems.
Institutions will also need to periodically review AI-driven decisions and ensure staff have the expertise to challenge or override model outputs where required.
Customer protections introduced
The framework includes customer-facing safeguards for AI systems. Regulated entities will need to disclose when customers are interacting with an AI system, explain its limitations, and offer access to human assistance.
The RBI also said regulated entities “should not use any model that harms consumer,” and grievance systems must specifically address complaints arising from model-driven decisions.
/images/ppid_59c68470-image-178231252735389589.webp)
/images/ppid_59c68470-image-178231256199944106.webp)
/images/ppid_59c68470-image-178231252810937338.webp)
/images/ppid_59c68470-image-178231256567664300.webp)
