RBI Draft Model Risk Management Guidance 2026: AI Kill Switches and Board-Level Oversight for Banks

On June 24, 2026, the Reserve Bank of India released a Draft Guidance Note on Model Risk Management (PR 2026-2027/528), inviting public consultation with a deadline for comments by July 24, 2026. The guidance represents the RBI's most comprehensive attempt to regulate quantitative models, particularly artificial intelligence and machine learning systems, across India's financial sector. For regulated entities relying on AI for credit scoring, fraud detection, and cyber defence, this draft introduces significant obligations around board-level oversight, model validation, and customer transparency.

Background: Why the RBI Issued This Guidance

Financial institutions in India have rapidly adopted quantitative models for lending, risk assessment, and customer interaction. The proliferation of AI and ML systems has introduced risks that traditional governance frameworks were not designed to address, including hallucinations, algorithmic bias, lack of explainability, and overdependence on opaque third-party models.

The RBI's draft guidance responds to this environment by proposing a unified Model Risk Management Framework (MRMF) that regulated entities must adopt. This is consistent with the RBI's broader push toward strengthening governance standards across the financial sector. Entities already navigating the RBI's draft compliance function directions for NBFCs will recognize the regulatory pattern: the RBI is systematically raising the bar on internal governance, risk management, and accountability.

Scope: Who Is Covered

The draft guidance applies to 11 categories of regulated entities (REs), covering virtually the entire spectrum of India's formal financial system. These include Commercial Banks, Small Finance Banks, Payments Banks, Local Area Banks, Regional Rural Banks, Urban Co-operative Banks, Rural Co-operative Banks, Non-Banking Financial Companies across all layers, All-India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, and SIDBI), Asset Reconstruction Companies, and Credit Information Companies.

The breadth of coverage is notable. By including NBFCs at every layer, smaller fintech lenders using AI-based underwriting fall within the framework's ambit. The inclusion of Credit Information Companies means bureaus supplying credit scores face the same governance expectations. For entities managing compliance with other recent changes, such as the RBI's updated TReDS master direction for MSME invoice financing, the model risk management requirements will add another layer of governance obligation.

Key Requirements of the MRMF

At the centre of the draft guidance is the requirement for every regulated entity to adopt a Board-approved Model Risk Management Framework. The MRMF must cover the full model lifecycle across all business processes: credit decisioning, operations, customer interaction, risk management, and cyber defence. It applies to any quantitative model used for decision-making, forecasting, or risk assessment.

Board-level involvement is a recurring theme. The Risk Management Committee of the Board (RMCB) must review validation reports of high-risk models before deployment, oversee monitoring of third-party and AI-based models, and review model-risk classification reports at least annually. This signals the RBI's expectation that model risk should be treated as a strategic governance concern rather than a purely technical matter.

The governance expectations here reflect a broader regulatory trend. Just as SEBI's GARUDA framework for AIFs introduces structured oversight for alternative investment funds, the RBI is building comparable structures for model risk in the banking and lending ecosystem.

AI-Specific Provisions: Kill Switches, Explainability, and Customer Disclosure

The most significant provisions in the draft guidance relate specifically to AI and ML models. The RBI identifies seven distinct risk dimensions for AI systems: explainability, hallucinations, bias, overfitting, spurious correlations, output variability, and data risks. Regulated entities must address each of these dimensions within their MRMF, demonstrating that they have controls in place to identify, measure, and mitigate these risks.

Perhaps the most notable requirement is the mandate for "override, suspension, or deactivation mechanisms, including kill-switch arrangements" for AI and ML models. Every AI system deployed by a regulated entity must have a mechanism allowing it to be shut down immediately if it produces unreliable, biased, or harmful outputs. This reflects the RBI's insistence that institutions retain the ability to intervene rapidly when automated systems malfunction.

Explainability is another critical pillar. Banks and other REs must be able to explain, in simple terms, why an AI model reached a specific decision. This obligation has immediate implications for institutions using deep learning or other complex models for credit underwriting, where the reasoning behind a loan approval or rejection must be communicated clearly to the affected customer.

The guidance also introduces customer disclosure obligations. Customers must be informed when interacting with an AI model and given the option to speak with a human. No decision that significantly affects a customer's financial life can be made entirely by an AI system without a human oversight mechanism, and high-risk automated decisions must include defined human review checkpoints. These provisions align with emerging global standards on AI transparency.

Third-Party Model Accountability

The draft also addresses third-party models, including vendor-supplied software and externally developed AI tools. The RBI's position is unambiguous: regulated entities remain fully responsible for the outcomes of any model they use, regardless of its origin. Third-party development does not diminish the RE's accountability for performance, accuracy, or fairness.

REs must independently validate third-party models before deployment, a challenging obligation when vendors do not provide full access to model internals. The RMCB is specifically tasked with overseeing third-party and AI-based model monitoring, ensuring board-level attention extends to outsourced model risk. In an era of technology platforms and lending-as-a-service solutions, including those involving FEMA-regulated cross-border investment structures, the question of who bears responsibility for model outputs becomes increasingly complex.

What Regulated Entities Must Do Next

With the comment period closing on July 24, 2026, regulated entities should take several immediate steps. First, they should conduct a comprehensive inventory of all quantitative models currently in use, including AI and ML systems, across every business function. Second, they should assess current governance structures against the draft's requirements, particularly the role assigned to the RMCB and the expectations around independent model validation.

Third, entities using AI for customer-facing processes must evaluate readiness to comply with disclosure and explainability requirements, which will demand both technological and operational investment. Fourth, institutions should review third-party model agreements to ensure they can satisfy the independent validation requirement and that contractual terms provide adequate access for governance purposes.

The kill-switch requirement deserves particular attention. Institutions that have deployed AI models without built-in deactivation mechanisms will need to retrofit these controls, potentially requiring significant re-engineering of production systems. Entities should also consider submitting comments to the RBI during the consultation period, particularly on compliance timelines and proportionality thresholds.

The broader regulatory landscape reinforces the urgency. The Supreme Court's concerns about delays in NCLT insolvency proceedings and the MCA's migration from legacy portal systems both illustrate how India's regulatory infrastructure is being modernised at pace. Financial institutions that delay building robust model governance frameworks risk falling behind a regulatory curve that is moving quickly and decisively.

The developments in adjacent areas of financial regulation further underscore the need for proactive compliance planning. SEBI's approval of intraday borrowing for mutual funds and the use of IBC proceedings against technology companies demonstrate that regulators across India's financial ecosystem are intensifying scrutiny. For banks, NBFCs, and other regulated entities deploying AI models, the RBI's draft model risk management guidance is not merely a consultation document; it is a clear signal of the regulatory standards that lie ahead.