logologo
Search anything
arrow
WhatsApp Icon

RBI Draft 2026 Model Risk Rules for Banks, NBFCs

What the RBI has proposed, and why it matters

The Reserve Bank of India (RBI) has released a draft titled “Guidance on Regulatory Principles for Model Risk Management, 2026”. The proposals seek to create a common governance framework for models used by regulated entities as banks and NBFCs increase their reliance on automated decision systems, including artificial intelligence (AI) and machine learning (ML). The draft places clear responsibility on regulated entities for how models are built, validated, used, monitored, and retired. It also sets expectations on human oversight for AI-driven decision-making, reflecting the RBI’s concern about over-reliance on automated outputs. The central bank has invited stakeholder feedback on this draft until Jul 24, 2026.

Who the draft guidance applies to

The RBI has said the guidance will apply to a wide range of regulated entities. These include commercial banks, small finance banks, payment banks, co-operative banks, non-banking financial companies (NBFCs), all-India financial institutions, asset reconstruction companies, and credit information companies. The wide scope indicates that model risk management is no longer viewed only as a “large bank” issue, especially as credit underwriting, fraud monitoring, and customer servicing increasingly depend on algorithms. The draft also signals that governance expectations will extend to models deployed through vendors and third-party platforms.

Board-approved Model Risk Management Framework becomes central

A core proposal is that every regulated entity must establish a Board-approved Model Risk Management Framework. The framework is expected to cover governance structures and day-to-day controls across the model lifecycle. The RBI has listed areas such as model risk tiering, inventory and documentation standards, model validation, approvals, deployment, monitoring, change management, business continuity, and decommissioning. This puts structured oversight around model use rather than treating models as purely technology or analytics projects. It also creates a governance trail for supervisory review.

Three-lines-of-defence structure for model governance

The draft framework prescribes a three-lines-of-defence approach. Model owners are proposed as the first line of defence, responsible for correct usage and ongoing performance. The independent model risk management and validation functions form the second line, creating separation between model development and validation. Internal audit is the third line, providing assurance on the overall framework and controls. Oversight is proposed at the top through the Board and the Risk Management Committee of the Board (RMCB), with a particular focus on high-risk models.

Risk tiering and approvals based on model criticality

The RBI has proposed that all models be classified according to their risk profile. Classification is to be based on factors such as materiality, complexity, and other supervisory considerations. The draft states that high-risk models will require approval from the RMCB, while lower-risk models may follow delegated approval mechanisms. This is designed to align governance attention with the potential impact of a model on customers, financial outcomes, and operational stability. It also creates clearer accountability for models that influence key decisions such as credit, collections, and risk assessments.

Mandatory model inventory, including retired models

A notable requirement is the creation and maintenance of a comprehensive inventory of models. The RBI’s draft expects inventories to cover active, inactive, and decommissioned models. It also specifies that no model can be used unless it is included in the inventory, a direct control intended to prevent “shadow models” from being used without governance checks. The inventory must capture key details including model owners, developers, validators, approvers, risk tiers, and key observations from validation and monitoring exercises. This would require institutions to improve internal cataloguing and documentation discipline.

Third-party models: accountability stays with the regulated entity

The RBI has stated that regulated entities remain accountable for outcomes arising from third-party models. Under the draft, banks and NBFCs will be required to independently validate such models irrespective of any certification or assurance provided by vendors. It also requires regulated entities to undertake due diligence before acquisition and deployment. This is an important clarification because many customer-facing and underwriting tools are procured as vendor solutions. The proposal effectively makes model governance a procurement and outsourcing risk issue as well.

Enhanced controls for AI and ML models

The draft guidance introduces specific requirements for AI and ML systems. The RBI has highlighted risks such as hallucinations, bias, discriminatory outcomes, data drift, and adversarial attacks. It also requires regulated entities to test models under stressed scenarios and implement appropriate safeguards and controls. These expectations imply that institutions will have to monitor not just performance metrics, but also model behaviour under unusual conditions and changing data patterns. The guidance also warns against automation bias and over-reliance on model outputs.

Human oversight, overrides, and kill-switches for AI decisions

For AI-driven decision-making, the RBI has proposed mandatory human oversight. The draft lists mechanisms such as human-in-the-loop arrangements, override capabilities, and suspension and deactivation mechanisms, including kill-switches. These measures are intended to ensure that regulated entities can intervene quickly if a model behaves unexpectedly or produces outcomes that require immediate correction. The draft’s emphasis on oversight indicates that governance will be assessed not only on policies but also on operational readiness to control automated systems.

Disclosure norms for customer-facing AI systems

The RBI has also addressed customer experience where AI systems interact directly with users. Banks and NBFCs using customer-facing AI will have to disclose that customers are interacting with AI-based systems. They will also need to inform customers about limitations of such systems and provide an option to switch to human assistance when requested. This is positioned as a transparency and consumer-protection expectation, particularly as chatbots and automated servicing tools become common across financial services.

Parallel governance push: control functions and internal audit reforms

Alongside model risk proposals, the RBI has issued draft “Commercial Banks – Governance (Second Amendment) Directions, 2026” to strengthen governance norms for banks’ control functions. The directions are intended to consolidate and harmonise regulatory instructions and enhance board-level oversight of the control architecture. Under this revised framework, banks will be required to establish clearly defined and independent Risk Management, Compliance and Internal Audit functions, led by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Head of Internal Audit (HIA). These roles must operate with full independence from business lines, with no revenue-generation responsibilities and no performance-linked remuneration tied to business outcomes. The directions are stated to come into effect from January 1, 2027.

The RBI has also specified governance safeguards for these roles. The CRO, CCO and HIA will functionally report to the board or its committees, while administratively reporting to the MD and CEO. They will have unrestricted access to records and board committees, and will be required to meet the board at least quarterly without the presence of senior management. Their final performance evaluation will rest with the board or relevant committee. The RBI has also formally embedded the Risk-Based Internal Audit (RBIA) framework into regulatory expectations, shifting away from transaction-heavy audits to risk-prioritised planning based on materiality, systemic relevance and emerging vulnerabilities.

Key dates and requirements at a glance

ItemWhat RBI proposedWho it impactsTimeline in draft
Model Risk Management Guidance, 2026Board-approved framework, three-lines-of-defence, tiering, independent validation, inventory, AI oversightBanks, NBFCs, co-ops, AIFIs, ARCs, CICsFeedback open until Jul 24, 2026
Commercial Banks - Governance (Second Amendment) Directions, 2026Stronger independence for CRO/CCO/HIA, board reporting, quarterly board meetings without senior management, RBIA embeddedCommercial banksEffective Jan 1, 2027
RBI (Commercial Banks – Governance) Amendment Directions, 2026 (draft)Principle-based approach for matters placed before bank boards; delegation of routine itemsCommercial banksDraft issued Apr 8, 2026; feedback invited until May 7, 2026

Market impact: what changes operationally for lenders

The draft model risk guidance, if finalised, would increase the amount of governance work required around model development and use. Lenders and NBFCs would need stronger documentation discipline, clearer ownership, and independent validation capacity across model portfolios. Vendor sourcing may also change because third-party models would still need independent validation and due diligence before deployment. For institutions using AI for customer servicing, the proposed disclosure and human-assistance option would require changes in customer journeys and escalation processes. Across the sector, the combined thrust of model risk governance and control-function independence points to tighter board-level accountability for how risk and compliance systems operate.

Analysis: why the RBI is tightening expectations now

The RBI’s model risk draft reflects a supervisory view that models are now core to decision-making and can amplify operational and conduct risk if left unmanaged. By requiring inventories, tiering, validation, and kill-switch style controls, the RBI is pushing institutions to treat models as governed assets across their lifecycle. The AI-focused elements indicate the regulator is directly acknowledging new risk channels such as hallucinations, bias, and adversarial manipulation. In parallel, the governance directions for banks reinforce independence for control functions and formalise risk-based internal audits, strengthening the broader control environment in which model governance will sit.

Conclusion

The RBI’s draft Model Risk Management Guidance, 2026 sets expectations for board-led governance, independent validation, inventory controls, and human oversight for AI-driven decisions across a wide set of regulated entities. In parallel, draft governance directions for commercial banks propose stronger independence for control functions and an RBIA-led audit approach, with the second amendment directions slated to take effect from Jan 1, 2027. Stakeholders can submit feedback on the model risk guidance until Jul 24, 2026, while the separate governance amendment directions had invited comments until May 7, 2026. The next step is the RBI’s review of stakeholder inputs before finalising these frameworks.

Frequently Asked Questions

It is a draft framework proposing governance, validation, inventory and oversight requirements for models used by regulated entities, including AI and ML systems.
It applies to commercial banks, small finance banks, payment banks, co-operative banks, NBFCs, all-India financial institutions, ARCs and credit information companies.
Model owners are the first line, independent model risk management and validation functions are the second line, and internal audit is the third line of defence.
The draft calls for assessing risks like hallucinations, bias, discriminatory outcomes, data drift and adversarial attacks, along with stress testing and safeguards.
Entities must disclose AI interaction, explain limitations, and offer customers an option to switch to human assistance when requested.

Did your stocks survive the war?

See what broke. See what stood.

Live Q1 Earnings Tracker