RBI’s AI risk framework
The draft guidelines propose a board-approved model risk management framework (MRMF), which covers all models, including AI/ML models, used by regulated entities.
Under the proposed framework, boards will be required to periodically review the MRMF, approve the entity’s risk appetite and tolerance for model risk, and ensure that these assessments are supported by scenario analysis and stress testing. They must also approve policies governing model risk management and model-risk classification.
Ajay Sirikonda, partner and leader (financial services risk management), EY India, said the draft guidelines provide Indian banks with a clear playbook to model and manage AI risks, although implementation will be the major challenge. Banks that treat AI governance as core infrastructure will emerge as leaders, he said.
“The guidelines have a channeling effect on AI use cases. They introduce additional governance and explainability requirements, but mainly for high-risk areas such as credit, pricing and autonomous decision making,” he said. “Elsewhere, they remove the biggest hurdle – regulatory uncertainty. Banks have held off on adopting AI not only because of cost, but because there was little clarity on what was acceptable. These guidelines provide that clarity. For most use cases, this will accelerate rather than hinder adoption.”
RBI has also proposed measures to address risks arising from the use of third-party AI models. Regulated entities will need to assess the behavioral risks associated with such models and test their performance under abnormal and stressed scenarios. The draft framework requires institutions to evaluate models against edge cases, unusual inputs, manipulation attempts and adverse conditions to identify vulnerabilities that may not emerge under normal operating conditions.
Rajesh Chhabra, general manager (APAC and large markets) at Acronis, said the framework comes as AI has become increasingly embedded in financial services and is no longer a peripheral tool in banking operations.
“As AI adoption deepens in the country, this well-defined governance framework is an essential step to mitigate the associated risks, especially in the highly interconnected credit ecosystem where banks, NBFCs and fintechs are increasingly relying on algorithm-led financial decisions,” he said.
For customer-facing AI systems, such as generative AI applications, RBI has proposed additional cybersecurity safeguards, including protections against prompt injection attacks and adversarial inputs, limits on session and context persistence, and mechanisms to detect unusual usage patterns.
