RBI’s Draft Model Risk Management Guidelines, 2026; What NBFCs using AI/ML Need to Know

RBI has published a draft “Guidance on Regulatory Principles for Model Risk Management, 2026” for public consultation. It is the first time AI/ML models used in credit underwriting, customer interaction and other business processes get a dedicated regulatory lens, and it applies across the full spectrum of REs, including NBFC-BL, ML, UL and TL.

Here’s what stood out for NBFCs deploying AI/ML:

1. It’s not just about “AI”: scope is wide
A “model” now covers any system, including spreadsheet-based tools, that takes inputs, applies processing logic, and produces outputs materially affecting decisions, irrespective of whether the RE itself labels it a “model.” A loan pricing calculator that drives lending rates qualifies. Many NBFCs may discover they’re running more “models” than they thought.

2. Accountability stays with the NBFC, even for third-party/vendor AI
Many NBFCs lean on fintech/vendor-provided AI for underwriting or collections scoring. The draft makes clear: outsourcing the model doesn’t outsource the risk. Independent validation by the RE is mandatory regardless of any certification the vendor provides, plus enhanced RMCB oversight irrespective of risk tier, and contractual rights to technical documentation and audit access.

3. Explainability for material decisions
Credit underwriting models fall squarely in “material decision-making” territory, meaning higher explainability thresholds apply. If a model (e.g., a black-box ML scorecard) can’t fully explain itself, NBFCs must compensate with enhanced validation, output verification, frequent monitoring and usage restrictions.

4. Bias and fairness testing becomes explicit
NBFCs must proactively identify risks of discriminatory outputs (especially unfair treatment of customer groups in credit decisions), run fairness assessments, and recalibrate or redesign where needed.

5. Chatbots, voice bots & genAI customer interfaces get specific guardrails
For any AI model interfacing with customers, NBFCs must:

  • Disclose to customers that they’re interacting with an AI/ML system, with its limitations;
  • Provide an option to switch to a human when requested;
  • Guard against hallucinations via system-level controls (critical for generative AI);
  • Build in protections against prompt injection, adversarial inputs and anomalous usage;
  • Run structured “red-teaming” / challenge testing on such models.

6. Human oversight is non-negotiable
Human-in-the-loop/on-the-loop arrangements, kill-switch/override mechanisms, and periodic human review of AI-driven decisions are mandated, with explicit attention to “automation bias” and decision fatigue among reviewing staff.

7. Governance needs to go to Board level
A Board-approved Model Risk Management Framework covering AI/ML models is mandatory, with high-risk models requiring Risk Management Committee of the Board (RMCB) approval, risk-based tiering, a living model inventory, and decommissioned models retained for 10+ years.

The takeaway for NBFCs: this is currently in draft/consultation stage and will eventually replace Chapter 3 (Credit Risk Models) of RBI’s 2002 Guidance Note on Credit Risk Management. NBFCs using AI/ML for credit underwriting, collections, or customer-facing chat/voice interfaces should start mapping their existing models against this framework now. Inventory, validation independence, explainability thresholds, and human oversight will likely demand real governance uplift, not just policy paperwork.
