The Reserve Bank of India released its draft Guidance on Regulatory Principles for Model Risk Management, 2026 for public consultation on June 24, making one point unmistakably clear: banks and NBFCs cannot deflect legal responsibility onto an algorithm or technology vendor. The framework affects every institution using AI to approve loans, flag suspicious transactions, or assign risk scores - directly impacting management accountability across the financial sector.
The draft will replace the RBI's 2002 guidance on credit risk models. It does not create a separate liability regime for AI. Instead, it folds artificial intelligence into a broader model risk management discipline, treating AI as a tool deployed by regulated entities that remain answerable for any harmful outcomes.
Accountability stays with the institution
Gowree Gokhale, Advocate & Solicitor and independent legal counsel, said the RBI has consciously kept the regulated entity as the primary point of accountability because lending decisions are ultimately business and regulatory judgments. "The adoption of AI should not become a mechanism to dilute existing obligations relating to consumer protection, fair lending, transparency and accountability. AI may assist decision-making, but it cannot become the legal decision-maker," she said.
This principle runs through the entire draft. Whether a loan rejection or risk score error originates from bad data, a third-party model, or an internal process failure, the bank or NBFC deploying the system must answer first. Customers and regulators are not expected to trace faults through complex AI supply chains.
Human oversight and the vendor question
Dr. Ajai Garg, Head of Digital Tech & AI at Anand and Anand, noted that the framework requires AI systems to be "explainable, auditable, controllable, and subject to human oversight." It does not discourage technology adoption, but compels institutions to move from experimentation to governed deployment under board-approved risk frameworks.
Ravi Goyal, Partner at Scriboard, said the draft reinforces this by requiring human oversight over AI-driven decisions and grievance redressal mechanisms for consumer-facing AI systems. The ownership of decisions stays with the regulated entity, even when models are bought from third parties. Commercial contracts containing indemnities and audit rights cannot weaken regulatory obligations owed to customers or the RBI.
For management teams, this sends a direct signal. AI governance is now a board-level issue. As regulators tighten expectations around AI for Finance, professionals must ensure internal controls, vendor due diligence, and customer complaint mechanisms are not afterthoughts. Similarly, the legal implications demand that in-house counsel and compliance leads stay current on AI for Legal frameworks that intersect with financial regulation.
Supratim Chakraborty, Partner at Khaitan & Co., views the approach as a deliberate regulatory choice - a technology-neutral framework rather than an AI-specific liability law. He suggests further guidance on responsibility allocation across multi-party AI ecosystems will be needed, as internal disputes over accountability could grow complex even if external liability remains pinned on the regulated institution.
Why this matters for management
Management teams at banks, NBFCs, fintechs, and technology vendors supplying the financial sector should read this draft as a line in the sand. The RBI will not allow "the algorithm did it" to become a defense. Every AI-assisted customer decision must have a traceable human owner within the institution. Model risk policies, vendor contracts, audit trails, and customer grievance workflows need updating before the framework is finalised. For management, the task is not to understand the code but to ensure that someone inside the organization can explain every outcome - and take responsibility for it.
Your membership also unlocks: