RBI Model Risk Management Guidance
4
Views

If you work at an NBFC, a payment bank, or a small finance bank, here is something you cannot afford to ignore. The Reserve Bank of India has come out with a new draft rulebook — the RBI Model Risk Management guidance — and it changes how you are expected to build and use any model, especially AI-based ones.

The message from the RBI is simple but firm: using AI is no longer just a tech decision. It is now a risk you must manage, control, and answer for. Let’s break down what this means in plain, simple words.

What Is the RBI Model Risk Management Guidance?

On 24 June 2026, the RBI released a draft paper called the Guidance on Regulatory Principles for Model Risk Management. It is open for public feedback until 24 July 2026, after which it may become a proper rule.

In short, the RBI Model Risk Management guidance tells every regulated entity how to safely handle the “models” it uses to make decisions — from loan approvals to fraud checks to customer chatbots.

Does This Apply to NBFCs and Small Banks?

Yes — very much so. Many people wrongly think such rules are only for big commercial banks. But this draft covers almost the entire financial system. The list of covered entities includes:

  • Commercial banks and Regional Rural Banks (RRBs)
  • Small finance banks and payment banks
  • Urban and rural co-operative banks
  • NBFCs across all layers, including housing finance companies
  • All-India Financial Institutions such as NABARD, SIDBI, NHB, NaBFID, and EXIM Bank
  • Asset Reconstruction Companies (ARCs) and Credit Information Companies (CICs)

So if you are a smaller player who thought “this won’t affect us,” think again. The RBI Model Risk Management guidance treats you by the same core principles as the biggest banks. The difference is only in how much effort each model needs — based on its risk, not on the size of your company.

Wait — What Counts as a “Model”?

This part surprises a lot of people. A “model” is not only fancy AI or machine learning. According to the draft, anything that takes some input, applies logic, and gives an output that affects a real business decision is a model.

That means even a simple Excel sheet that decides a customer’s interest rate can count as a model. If its output affects a customer or your compliance, it falls under these rules — no matter what you call it.

What Will You Actually Have to Do?

The draft lists several clear duties. In simple terms, an NBFC or small bank will be expected to:

  • Get your Board to own the AI and model risks — it can’t be left to the tech team alone
  • Keep a proper list (inventory) of all models and rank them by risk
  • Get every important model independently checked before trusting it
  • Make sure decisions can be explained and are fair, not a black box
  • Run tough testing (red-teaming) to see where a model can be tricked or fails
  • Protect AI tools from prompt injection and other malicious inputs
  • Keep a human in the loop who can review and step in
  • Secure your APIs and outside vendors connected to your systems
  • Build an override, pause, or “kill switch” to stop a model quickly if it misbehaves
  • Have a backup plan so business continues if the AI fails

The “Three Lines of Defence” — Explained Simply

One of the most important ideas in the RBI Model Risk Management guidance is the three lines of defence. Think of it as three separate people checking the same work, so mistakes don’t slip through:

  • First line — the model owners: the business or tech team that builds and runs the model. They design it and do the first round of testing.
  • Second line — independent validation: a separate model-risk team that checks the model on its own, without being influenced by the people who built it.
  • Third line — internal audit: a final independent review that makes sure the whole system is being followed properly.

For a small NBFC or bank, this means the person who builds a model cannot be the only person who approves it. There must be a second, independent set of eyes.

Not Every Model Needs the Same Effort

The RBI takes a risk-based approach. You don’t have to treat a low-risk calculator the same as a high-risk lending model. But high-risk models — the ones that can seriously affect customers or your finances — need extra care: stricter validation, closer monitoring, and sign-off by the Board’s Risk Management Committee.

You also have to keep a full model inventory that lists every model in your organisation — active ones, ones still being built, inactive ones, and even old ones you have retired. Nothing should be hidden or forgotten.

New Rules for Customer Chatbots and AI Assistants

This part matters a lot for NBFCs and small banks that use chatbots or voice assistants. Under the draft, customer-facing AI tools must:

  • Clearly tell the customer they are talking to an AI, not a human
  • Explain the limits of the AI system honestly
  • Give an easy option to switch to a real human at any point

On the security side, these AI tools must be protected against prompt injection and adversarial inputs (clever tricks that fool the AI), with limits on how long a session stays active and systems to spot unusual or suspicious usage.

Keeping a Human in Charge

The RBI is firm that a machine should not be the final boss. Regulated entities must keep human oversight — often called “human-in-the-loop,” “human-on-the-loop,” or “human-in-command.” A trained person must be able to review, override, pause, or switch off an AI decision.

The draft even warns about human weaknesses like automation bias (blindly trusting the machine), over-reliance on AI outputs, and decision fatigue. So the oversight has to be real and active, not just a name on paper.

Why Is the RBI Doing This?

Because AI can go wrong in costly ways. The RBI Model Risk Management guidance is meant to reduce real dangers such as:

  • AI giving wrong or made-up answers (hallucinations)
  • Systems taking actions on their own without control
  • Biased or unfair decisions against certain customers
  • Hackers tricking the AI with clever inputs
  • Risks coming in through third-party AI vendors
  • Big operational breakdowns when an AI system fails at scale

One Important Point: You Can’t Blame the Vendor

Many NBFCs and small banks buy AI tools from outside companies. The draft is very clear here — outsourcing the model does not outsource the responsibility. If a bought-in AI tool makes a wrong or unfair decision, the regulated entity is still fully answerable to the RBI.

So before you sign up with any AI vendor, you must check and control what they are doing on your behalf.

What Should NBFCs and Small Banks Do Now?

The era of “deploy first, govern later” is ending. Smart, smaller players should not wait for the rule to become final. A few practical first steps:

  • Start listing every model and AI tool you already use today
  • Bring the topic to your Board and senior management
  • Check which of your models are high-risk and need urgent attention
  • Review your AI vendors and the contracts you have with them
  • Send your feedback to the RBI before the 24 July 2026 deadline

Final Thoughts

The RBI Model Risk Management guidance is a big shift. It tells every NBFC, payment bank, and small finance bank that AI resilience is now a boardroom responsibility, not just an IT task.

In the coming years, the winners will not be the ones who use AI the fastest. They will be the ones who can secure it, govern it, and recover smoothly when something goes wrong. For smaller institutions, getting ahead of this now is a real chance to build trust and stay one step ahead.

FAQ

Q1. When was the RBI Model Risk Management guidance released? It was released as a draft for public feedback on 24 June 2026.
Q2. What is the deadline to send feedback? Stakeholders can submit their comments to the RBI until 24 July 2026.
Q3. Does it apply to NBFCs and small finance banks? Yes. It covers NBFCs, payment banks, small finance banks, housing finance companies, co-operative banks, and other regulated entities.
Q4. Is only AI covered, or simple tools too? Any system that takes inputs, applies logic, and produces an output affecting business decisions is a “model” — even a spreadsheet can count.
Q5. If we buy AI from a vendor, are we still responsible? Yes. Outsourcing a model does not transfer accountability. The regulated entity remains fully answerable to the RBI.
Q6. What is a “kill switch”? It is a control that lets you quickly stop, pause, or override an AI model if it starts behaving in a harmful or unexpected way.
Article Tags:
· · ·
Article Categories:
Information Security

Leave a Reply

Your email address will not be published. Required fields are marked *