On 24 June, the Reserve Bank of India dropped a draft that does not look like an AI regulation at first read. It is titled Guidance on Regulatory Principles for Model Risk Management, 2026, and the language is pure prudential supervision: board-approved frameworks, three lines of defence, independent validation, risk tiering, model inventories retained for ten years after decommissioning. Spend twenty minutes with it and a sharper thought lands. India's central bank has just pulled AI into the family of supervisory tools normally reserved for capital and liquidity. The principle that a regulated entity remains fully accountable for the outcomes of every model it uses, including those sourced from third-party vendors, quietly closes a loophole that the entire fintech-banking AI stack had been leaning on.
What the draft actually says
The reach is wide. Eleven categories of regulated entities — commercial banks, small finance and payments banks, urban and rural co-operatives, NBFCs across all layers, AIFIs, ARCs, credit information companies — are inside the perimeter. The definition of “model” is wider still. It covers not just neural networks and generative AI but also algorithms, analytics tools, decision rules, even spreadsheet-based tools where they materially influence credit, pricing or risk decisions. Every such model must sit under a Board-approved Model Risk Management Framework. Every high-risk model must be cleared by the Risk Management Committee of the Board before deployment. Every customer-facing AI interface must disclose that it is AI, list its limitations, and offer the user a way to switch to a human. And every deployed AI system needs a working kill switch — a one-button deactivation if the outputs go wrong. Comments are invited until 24 July.
The deep idea: models as a new line on the risk ledger
This is the consequential part, and most early commentary is missing it. When a regulator says you cannot offload accountability to a vendor's API, it is doing for AI what Basel did for credit risk in the early 1990s. Models become a class of exposure. They have to be inventoried, tiered by materiality, validated independently, monitored for drift, and signed off at the highest level. That is the grammar of capital, not the grammar of code.
It is also the only grammar that scales. The RBI's own FREE-AI Committee survey last year found that nearly 21% of regulated entities were already deploying AI in production — across credit underwriting, cybersecurity, customer support, sales — and 67% wanted to go deeper. At that level of penetration, telling boards “your tech team has this” is not serious supervision. Every credit cycle eventually meets its model failure mode. A regulator that waits to discover the failure is a regulator already too late.
The kill switch rewrites the vendor market
Look at the supply side and the picture sharpens. A small set of global tech firms quietly supplies a disproportionate share of the AI models running inside Indian financial services. The draft flags this concentration explicitly as a systemic supply-chain risk. Combine it with the third-party-is-no-defence clause and the direction of travel is unmistakable: a serious push toward indigenous, auditable, swap-out-able model stacks. The new market is not the bank's market. It is a RegTech market — model validation firms, bias-testing labs, explainability auditors, red-teaming shops. A compliance officer reading this draft on Monday morning is realising that the next critical hire is not another data scientist; it is an independent validator who can sign off on someone else's data scientist.
Why this logic will travel beyond banking
I have spent enough time inside a national administration deploying AI on citizen-facing systems to read this draft as a template, not an end-point. Tax, customs, social security, urban service delivery, public health records — every government body running models on millions of files faces the same accountability question the RBI is now putting to banks. Who signs off on the model that decides a refund? A scrutiny notice? An eligibility threshold? The answer cannot be “the algorithm”. It has to be a named human, with a department behind them, with an institutional framework above them.
Three things from this draft will, I think, become the standard public-sector discipline within two budget cycles:
- the inventory rule — every active and decommissioned model on a register, with a ten-year tail;
- the explainability threshold — outputs interpretable to the extent the business process actually requires;
- the kill switch as a non-negotiable product feature, not a nice-to-have.
The trade-off, and the right side of it
The cost is real. Industry analysts already estimate a 50 to 100 basis point rise in IT spending for serious adopters. Smaller NBFCs and co-operative banks will feel it the most. Time-to-market for AI-driven products will lengthen. None of this is free, and the smaller institutions will need a transition window the draft does not yet promise.
But picture the alternative. A black-box model, bought from a vendor, denying loans to a cluster of small borrowers in a particular district, operating under no one's clear authority. Someone eventually discovers it — they always do. The regulator pays, the bank pays, the customer pays, and trust in AI itself pays the heaviest tax of all. The cost of the RBI's draft is the cost of preventing that discovery.
The cleaner way to say it: in a regulated industry, AI stops being a technology decision and becomes a capital decision. Capital decisions are made in boardrooms, not in model repositories. The window closes on 24 July. The more interesting question is not whether this framework is right for finance — it broadly is — but how quickly the rest of the public-private edge of AI adoption catches up. The RBI has, almost without saying so, written the first chapter of an Indian AI accountability code. Other regulators will write the rest, or they will inherit the failures of not having done so.
#RBI #AIGovernance #ModelRisk #BankingRegulation #IndianEconomy #AIAccountability #PublicFinance #RegTech
No comments:
Post a Comment