Introduction

Spanning from credit decisions, fraud detection, customer service, to risk management, banks and other regulated entities in India have gradually shifted their reliance on spreadsheet-based calculators to high-tech AI and machine learning systems. This transition has brought tangible efficiencies but also a new class of risk not covered by traditional banking supervision. To address this, the Reserve Bank of India (RBI) has issued a draft Guidance on Regulatory Principles for Model Risk Management, 2026, which provides a framework for identifying, managing and controlling model risks faced by banks, NBFCs, co-operative banks, fintechs and other regulated entities, including a specific section on model risks that involve artificial intelligence and machine learning.

It’s not that the draft prohibits or restricts the use of AI in financial services, but that it clearly states that regulated entities need to have a high level of governance, oversight and accountability when they use an in-house or vendor-built model.

Significance of the Guidance

The RBI’s logic is very simple. Today banks are using models as a way to change business processes, to secure against cyber attacks and to enhance customer service. However, a lack of control over model risk can result in poor performance, wrongful decisions, financial losses, disruption of operations, and compliance failures all of which can impact the institution as well as its customers and the financial system. As financial institutions rapidly implement generative and predictive AI solutions into their lending, underwriting and customer-facing processes, the regulator is seeking to place guardrails in front of issues rather than after.

Importantly, there are indications that this is just a first step from the RBI. It has said that additional and more detailed requirements for AI models are likely to come in the future and this guidance is “first principles” guidance, not a definitive guidance on AI in Indian banking.

Entities Covered Under the Draft Guidance

The guidance casts a wide net. It applies to commercial banks including foreign banks, small finance banks, payments banks, local area banks, regional rural banks, urban and rural co-operative banks, non-banking financial companies across all layers, all India financial institutions such as NABARD, NaBFID, NHB, EXIM Bank and SIDBI, asset reconstruction companies, and credit information companies. In effect, almost every category of RBI regulated entity that uses models, whether for lending, risk scoring, fraud detection or customer engagement, will need to fall in line.

Crucially, the obligations apply equally to models built internally and those sourced from third parties. An institution cannot outsource its accountability simply because the model came from a technology vendor.

What Counts As A Model

One of the more practical contributions of the draft is its broad definition of a model. It covers any system that takes in data, applies analytical or AI and machine learning techniques to process that data, and produces outputs that influence business decisions, regardless of whether the institution itself labels the tool a model. The RBI’s own illustration is telling: a simple spreadsheet used to calculate loan pricing is just a mathematical tool until it starts driving lending rates, customer margins, or credit terms based on borrower inputs, at which point it becomes a model subject to the full weight of this framework. This wide definition is meant to prevent institutions from quietly running consequential decision tools outside formal oversight simply by calling them something other than a model.

Governance From The Boardroom Down

The framework places clear responsibility at every level. The Board must approve and periodically review a Model Risk Management Framework, set the institution’s risk appetite for model risk, and approve policies including how models are tiered by risk. The Risk Management Committee of the Board reviews validation reports for high-risk models, approves their deployment, oversees monitoring of third-party and AI models, and reviews breach reports. Senior management handles day to day operationalisation, including maintaining the model inventory and implementing the tiering structure. This layered approach ensures model risk is not confined to data science teams but treated as a board level accountability.

Risk-Based Tiering And The Model Lifecycle

Institutions are required to classify every model in their inventory by risk tier, based on materiality, complexity, and other relevant factors such as regulatory considerations. This tier then determines how intensively a model is validated, who approves its deployment, what controls are applied, and how it is monitored. The RBI is also clear that institutions cannot let one factor dilute another; a model that is highly material to the business cannot be assigned a low risk tier simply because it happens to be technically simple.

Beyond tiering, the guidance lays out a full model lifecycle: structured selection and development, independent validation before and after deployment, a formal approval structure including exceptions, ongoing monitoring after deployment, disciplined change management with documented impact assessments, and finally business continuity planning and decommissioning. Decommissioned models must stay in the inventory for at least ten years, reflecting the regulator’s emphasis on long-term traceability.

AMLEGALS Remarks

The draft guidance is a reflection of a maturing regulatory thinking from the boardroom to the code, the RBI is developing a culture of accountability around the model lifecycle, instead of simply reacting to AI failures after the event. The message is clear for banks, NBFCs and the fintech ecosystem that is developed around them that AI usage and regulatory compliance are no longer two different work streams. But entities which make explainability, validation, and human oversight core features of their design, and not add ons, will be best positioned to scale AI responsibly when this guidance and the rules for AI that will likely follow are finalized.

For any queries or feedback, feel free to connect with Dhwani.tandon@amlegals or Hiteashi.desai@amlegals.com

Leave a Reply

Your email address will not be published. Required fields are marked *

 

Disclaimer & Confirmation

As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:

    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.

However, the user is advised to confirm the veracity of the same from independent and expert sources.