RBI Proposes AI Governance Norms, Mandates Human Oversight In Banking

Updated: Jun 25, 2026 05:11:28pm

New Delhi, Jun 25 (KNN) The Reserve Bank of India (RBI) on Wednesday released draft guidance on regulatory principles for model risk management, citing the rapid adoption of artificial intelligence, machine learning, and automated decision-making systems across the financial sector.

The central bank said that while such technologies improve efficiency and customer experience, they also introduce risks that, if left unmanaged, could lead to inaccurate outcomes, financial losses, operational disruptions, compliance failures and consumer harm.

The guidance applies to commercial banks, small finance banks, payments banks, cooperative banks, non-banking financial companies, all-India financial institutions, asset reconstruction companies and credit information companies.

A Board-Approved Governance Structure

The RBI has proposed that every regulated entity establish a Board-approved Model Risk Management Framework covering governance, model risk tiering, inventory and documentation, validation, approvals, deployment, monitoring, change management and decommissioning.

The framework prescribes a three-lines-of-defence structure: model owners as the first line, an independent model risk management and validation function as the second, and internal audit as the third. High-risk models will require approval from the Board and the Risk Management Committee of the Board (RMCB), while lower-risk models may follow delegated approval mechanisms.

Regulated entities will be required to maintain a comprehensive inventory of all active, inactive and decommissioned models. No model may be used unless it is included in this inventory. Decommissioned models must remain in the inventory for at least ten years.

Third-Party Models Carry Full Accountability

The RBI has made clear that regulated entities remain fully accountable for outcomes arising from third-party models, including those supplied by external vendors. 

Banks and non-banking financial companies (NBFCs) will be required to independently validate such models regardless of any certification or assurance provided by vendors, and must conduct due diligence before acquisition and deployment. 

Contractual arrangements with third-party providers must include provisions for access to technical documentation, audit rights and continuity arrangements.

Specific Controls for AI and ML Systems

The draft guidance introduces enhanced requirements for AI and ML models, including assessment of risks arising from hallucinations, bias, discriminatory outputs, data drift and adversarial attacks. Entities must test models under stressed and atypical scenarios and ensure outputs are explainable to the degree required for each business process.

Banks and NBFCs deploying customer-facing AI systems must disclose to users that they are interacting with an AI-based system, inform them of the system's limitations and provide an option to switch to human assistance on request.

The RBI has also proposed mandatory human oversight for AI-driven decision-making, including human-in-the-loop arrangements, override and suspension mechanisms and kill-switch capabilities. 

The guidance also warns against automation bias and over-reliance on model outputs.

The RBI's definition of a model is deliberately broad, covering any system — including spreadsheet-based tools — that uses data and analytical techniques to produce outputs that materially influence business decisions such as lending rates or customer pricing.

(KNN Bureau)
 
