The Reserve Bank of India’s draft guidance on model risk management marks an important regulatory moment. It recognises a simple but powerful reality: Indian finance is no longer run only by people, policies and systems. Increasingly, it is being shaped by models.
These models decide credit pricing, fraud alerts, customer segmentation, collection strategies, liquidity assumptions, cyber defence triggers and, increasingly, AI-enabled customer interactions. The RBI’s message is clear. If a model influences a business decision, a customer outcome or a risk judgement, it cannot remain an invisible tool inside technology or analytics teams. It must be governed.
The significance of the draft lies in its breadth. The RBI does not restrict model risk to sophisticated artificial intelligence systems. It defines a model widely enough to include algorithms, analytical tools, decision rules, interfaces and even spreadsheet-based calculators where their outputs materially influence business decisions. This is a crucial regulatory correction. Many institutional failures do not arise from glamorous black-box models, but from ordinary tools used without accountability, validation or periodic review.
At the heart of the guidance is the proposed Model Risk Management Framework, or MRMF. Every regulated entity is expected to put in place a board-approved framework covering model taxonomy, governance, usage, risk tiering, documentation, validation, approval, monitoring, change management, business continuity and decommissioning. This shifts model risk from a technical control issue to a board-level governance issue.
That shift matters. The RBI makes the board responsible for approving the framework, setting risk appetite and ensuring scenario analysis and stress testing inform model risk tolerance. The Risk Management Committee of the Board is expected to review high-risk model validations, third-party models, AI models and material breaches. In effect, the regulator is saying that boards cannot outsource judgement to models, and cannot outsource accountability to vendors.
The draft also introduces a risk-based model tiering approach. Models must be classified according to materiality, complexity, consumer impact, explainability challenges and regulatory relevance. A low-complexity model cannot be treated lightly if it materially affects lending, pricing, customer treatment or financial outcomes. This is especially important for Indian banks and NBFCs, where digital credit underwriting, bureau-driven scoring, fintech partnerships and embedded finance models are rapidly expanding.
The most operationally demanding requirement may be model inventory. The RBI expects regulated entities to maintain a comprehensive inventory of active, inactive, under-development and decommissioned models. No model should be used unless it is part of the inventory. Decommissioned models must remain in inventory for at least ten years. This creates a strong audit trail and will force institutions to confront “shadow models” that sit in business units, spreadsheets, vendor platforms or legacy systems.
The guidance is also notable for its insistence on independent validation. All models, including third-party models, must be validated independently by the regulated entity. Vendor certification will not be enough. This has major implications for financial institutions relying on fintech platforms, cloud-based analytics engines, fraud models, credit decisioning systems or AI tools. The buyer of the model remains accountable for its output.
The RBI’s treatment of AI and machine learning is particularly timely. It recognises foundational AI models, frontier AI models, generative AI, hallucinations, bias, explainability limits, adversarial inputs, data drift, concept drift and prompt injection. These are no longer abstract technology concerns. In a financial services context, they can translate into mis-selling, unfair denial of credit, discriminatory pricing, wrong customer communication, operational disruption and cyber exposure.
The draft rightly insists that AI models should be deployed only where risks can be identified, measured, monitored and managed. Where explainability is limited, institutions must apply enhanced validation, corroboration, usage restrictions and compensating controls. This is a pragmatic approach. The regulator is not banning complex models; it is demanding that complexity be matched by stronger governance.
Consumer protection is a recurring theme. The RBI states that no model should harm consumers and that grievance redressal mechanisms must cover consumer-facing models. This is a vital point for India’s financial ecosystem. As lending, insurance, payments and wealth products become more algorithmic, customer harm may arise not from a rude branch employee but from a silent automated decision. Risk teams will need to develop the ability to explain, challenge and remediate such outcomes.
Human oversight is another strong pillar. The guidance calls for human-in-the-loop or human-on-the-loop arrangements, override mechanisms, suspension and kill-switch capabilities, and review of model-driven decisions. It also warns against automation bias, over-reliance and decision fatigue. This is perhaps the most important cultural message in the document: human oversight must be meaningful, not ceremonial.
For Indian regulated entities, the implications are substantial. Risk teams will need stronger collaboration with technology, data science, compliance, legal, operations, internal audit and business teams. Boards will need model literacy. Internal audit will need technical capability. Vendor contracts will need audit rights, technical documentation access, continuity arrangements and exit provisions. AI governance will need to move beyond policy statements into testing, monitoring and evidence.
The draft also has strategic implications for the broader financial ecosystem. Fintechs, analytics vendors and AI providers serving regulated entities will face higher scrutiny. Black-box models may become harder to sell. Documentation, explainability, validation support and auditability will become commercial differentiators.
The RBI’s draft guidance should therefore be seen not as another compliance document, but as a blueprint for responsible digital finance. It acknowledges that models can improve efficiency, customer service, risk management and cyber defence. But it also recognises that poorly governed models can create flawed decisions, financial losses, operational disruption, compliance failure and systemic concerns.
The next phase of financial risk management in India will not be defined only by capital, liquidity or cyber resilience. It will also be defined by whether institutions truly understand the models they rely on.
The central question for boards is no longer: are we using AI and analytics?
It is: do we know which models are making decisions on our behalf, who owns them, who validates them, when they fail, how customers are protected, and who can switch them off?
That is the new discipline the RBI is asking Indian finance to build.
Read RBI’s Draft ‘Guidance on Regulatory principles for Model Risk Management’
