RBI AI Guidelines for Banks
Compliance Team Briefing [2025]

Table of Contents

1. The RBI AI Compliance Framework — No Single Direction
2. AI Use Cases in Banking and Applicable RBI Requirements
3. Master Direction on IT Governance — What It Requires
4. DPDP Act and Automated Decision-Making Rights
5. Model Explainability — Practical Requirements for Banks
6. Compliance Action Plan for Bank AI Systems
7. FAQs — RBI AI Compliance

Indian banks seeking a single RBI circular on AI governance will not find one. The Reserve Bank of India has chosen a principles-based, sectoral approach rather than issuing a standalone AI regulation. This means AI compliance for banks requires mapping across multiple existing frameworks — an exercise most bank compliance teams have not yet completed.

The primary frameworks that collectively govern AI in banking are: (1) the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices dated 7 April 2023, which establishes IT governance including emerging technology adoption; (2) the Fair Practices Code and its revisions, which mandate transparency in lending decisions; (3) the Digital Lending Guidelines dated 2 September 2022, which impose disclosure requirements on digital lending models; (4) the Master Direction on Outsourcing of Information Technology Services dated 10 April 2023, which governs third-party AI vendors; (5) the Charter of Customer Rights dated 3 December 2014, which guarantees the right to fair treatment and transparency; and (6) the Framework on Regulation of Payment Aggregators and Payment Gateways, which applies to AI in payment systems.

Overlay on these RBI frameworks the Digital Personal Data Protection Act 2023 — which applies to all personal data processing including AI-driven processing by banks — and you have the complete regulatory envelope. Banks that treat AI governance as solely an IT function, or solely a legal function, will find gaps. AI compliance requires coordinated action across IT governance, legal, compliance, risk management, and business units.

The IT Governance Direction is the closest the RBI has come to addressing AI governance. Chapter IV on IT and Information Security Risk Management requires banks to identify and manage risks arising from emerging technologies — explicitly including artificial intelligence and machine learning. Banks must document risk assessments for each AI deployment, including model risk, data quality risk, and vendor dependency risk.

Chapter V mandates a comprehensive IT audit framework. AI systems fall within the audit scope. Banks must ensure that their internal audit teams — or external auditors — have the competence to audit AI models, including validation of training data, model drift monitoring, and output accuracy. The Direction does not prescribe specific AI audit standards, but the expectation is that banks adopt internationally recognised frameworks such as NIST AI RMF or ISO/IEC 42001.

Chapter III on IT Governance requires board-level oversight of technology strategy, including AI adoption. The Board or its IT Committee must approve significant AI deployments. The Direction requires that IT governance policies address emerging technology adoption — banks that deploy AI without board-level or IT Committee approval are in non-compliance.

For third-party AI systems — including cloud-based AI scoring engines, vendor chatbot platforms, and outsourced fraud detection — the Outsourcing Direction applies in parallel. Banks must ensure that AI vendors provide audit access, that data processing occurs in compliance with RBI data localisation requirements, and that the bank retains ultimate responsibility for AI outputs regardless of the vendor relationship.

Section 11 of the DPDP Act 2023 is the provision that most directly impacts AI in banking. It gives every Data Principal — every bank customer — the right to challenge decisions made solely by automated processing. For banks, this means that AI-only credit decisions, automated account closures, automated KYC rejections, and AI-driven product recommendations that have material financial impact all require a human review mechanism.

The practical compliance requirement is a documented human-in-the-loop process. When a customer exercises their Section 11 right, the bank must be able to route the AI decision to a human reviewer who can assess the decision on its merits, not merely rubber-stamp the algorithm. This requires that AI models produce interpretable outputs — or that the bank maintains a parallel manual review capability.

Section 6 consent requirements add another layer. Using customer data to train AI models, to run credit scoring algorithms, or to perform behavioural profiling requires consent that is free, specific, informed, unconditional, and unambiguous. The consent notice under Section 5 must describe the AI processing in terms the customer can understand. Generic consent to “data processing for banking purposes” is unlikely to satisfy the specificity requirement for AI model training.

Banks that process children’s data through AI systems — for example, in insurance linked to education loans — must comply with Section 9, which requires verifiable parental consent and prohibits tracking, behavioural monitoring, and targeted advertising directed at children. AI-driven marketing platforms must be configured to exclude minors.

Model explainability is where regulatory compliance meets technical implementation. Indian banks must be able to explain AI decisions to three audiences: (1) the customer, who under DPDP and the Fair Practices Code has the right to understand why a decision was made; (2) the RBI inspection team, which during on-site inspections will assess whether AI systems comply with governance directions; and (3) the internal audit function, which must validate AI model outputs.

For credit scoring models, global best practice — and the direction Indian regulation is heading — requires at minimum: feature importance rankings (which factors most influenced the score), counterfactual explanations (what would have to change for the outcome to be different), and confidence levels (how certain the model is of its prediction). Banks using black-box deep learning models for credit decisions face a higher regulatory risk than those using interpretable models such as logistic regression, decision trees, or gradient boosting with SHAP values.

The Responsible AI principles articulated by NITI Aayog — safety, fairness, non-discrimination, transparency, accountability, and privacy — are not legally binding, but they signal the direction of Indian AI regulation. Banks that adopt these principles proactively will be better positioned when the RBI issues more prescriptive AI governance directions, which RBI Deputy Governor T. Rabi Sankar has publicly indicated are under consideration.

Documentation is critical. Every AI model deployed in a bank should have a model card documenting: the model’s purpose, training data characteristics, performance metrics, known limitations, bias testing results, and the human review process. This documentation serves both regulatory compliance (IT Governance Direction audit requirements) and legal defence (if a customer challenges an AI decision before the Banking Ombudsman or Data Protection Board).