RBI Drafts Sweeping AI Governance Rules for Financial Firms

MUMBAI — The Reserve Bank of India (RBI) has unveiled a comprehensive draft framework aimed at tightening the governance of Artificial Intelligence (AI) and machine learning models across the country's financial sector. Released on June 25, 2026, the Guidance on Regulatory Principles for Model Risk Management, 2026 seeks to establish rigorous guardrails for banks, Non-Banking Financial Companies (NBFCs), and other regulated entities amid their deepening reliance on automated systems.

The proposal marks a significant shift in prudential supervision, effectively treating AI infrastructure as a controlled asset that requires continuous validation and governance. With the adoption of AI-driven tools surging in areas like lending, risk assessment, fraud detection, and customer service, the RBI aims to mitigate risks such as algorithmic bias, data drift, and operational disruptions.

Accountability and Governance Standards

At the core of the RBI’s proposal is the principle of institutional accountability. The framework mandates that every regulated entity adopt a Board-approved Model Risk Management Framework (MRMF) covering the entire lifecycle of models—from development and validation to deployment and decommissioning.

The RBI emphasized that financial institutions cannot deflect responsibility for failures by blaming external technology providers. Whether models are built in-house or sourced from third-party vendors, the regulated entity remains fully liable for outcomes. Under the draft, no model can be deployed without being formally recorded in a comprehensive inventory, and high-risk models will require explicit approval from the Risk Management Committee of the Board (RMCB) before they go live.

Mandatory Human Oversight and "Kill Switches"

One of the most notable aspects of the framework is the requirement for "human-in-the-loop" mechanisms. The central bank has proposed that institutions establish clear protocols to prevent automation bias and "decision fatigue." Key requirements include:

• Kill Switches: Mandatory emergency mechanisms to suspend or fully deactivate AI models if they begin producing harmful, biased, or incorrect outputs.

• Human Override: Systems must allow for human review and the ability to reverse or override AI-driven decisions.

• Customer Disclosures: For customer-facing AI, firms must clearly disclose the use of AI, explain the technology's limitations, and provide customers with the option to switch to a human representative upon request.

• Cybersecurity Protections: Enhanced safeguards are required for customer-facing systems to prevent adversarial attacks, such as "prompt injection" or manipulation attempts.

Assessment of AI-Specific Risks

Recognizing that AI systems behave differently than traditional quantitative models, the RBI has directed firms to evaluate unique vulnerabilities, including AI "hallucinations," discriminatory outcomes, and adversarial inputs. Institutions are encouraged to conduct "red teaming" or stress-testing exercises to identify how AI systems perform under abnormal or stressed market scenarios.

Official Sources

The guidelines are open for public consultation until July 24, 2026. The RBI’s draft applies to a wide range of institutions, including commercial banks, small finance banks, payment banks, co-operative banks, NBFCs, and credit information companies.

"According to officials, the framework is designed to address weaknesses in governance and controls that could expose financial institutions to severe operational, compliance, and reputational risks as they integrate advanced analytics into their core business processes."

Why It Matters

For India’s financial sector, this move signifies the transition of AI from a "black box" experiment to a regulated, strategic asset. By mandating explainability standards and continuous monitoring, the RBI is forcing a shift in how banks approach software testing and quality engineering. For the average consumer, these rules offer a layer of protection against unfair algorithmic decisions and provide a guaranteed path to human assistance when dealing with automated banking services.

Key Facts at a Glance

• Consultation Deadline: July 24, 2026.

• Scope: All regulated entities including Banks, NBFCs, and ARCs.

• Accountability: Financial institutions remain fully liable for vendor-supplied AI models.

• Lifecycle Management: Requires a central inventory of all active, inactive, and retired models.

• Governance: Mandatory Board-approved Model Risk Management Framework (MRMF).

Frequently Asked Questions (FAQ)

1. What is the RBI’s definition of a "model" under these new rules? The RBI defines models broadly to include any system that uses data and analytical techniques—such as AI, machine learning, algorithms, and even spreadsheet-based tools—if they materially influence business decisions.

2. Can banks shift liability to AI vendors? No. The RBI has made it clear that regulated entities remain entirely responsible for the outcomes of AI models, regardless of whether they are developed internally or sourced from third-party vendors.

3. What happens if an AI model starts acting unexpectedly? The framework mandates the installation of "kill switches" and deactivation controls, allowing banks to immediately suspend or override the model to prevent harm or incorrect outputs.

4. Will customers know if they are interacting with an AI? Yes, the draft mandates that firms clearly disclose when a customer is interacting with an AI and provide an explicit option to switch to a human representative on request.