RBI draft ‘Guidance on Regulatory Principles for Model Risk Management’ – 24th June 2026

The Reserve Bank of India (RBI) has issued a holistic framework to govern the rapidly expanding use of models (including AI/ML and third-party systems) across financial institutions. Recognising the financial, operational, compliance, and reputational risks of flawed models, the guidance mandates a robust Model Risk Management Framework (MRMF), strict lifecycle governance, independent validation, and enhanced controls specifically for Artificial Intelligence and external vendor models.

1. Applicable Entities

The draft Guidance is strictly applicable to the following Regulated Entities (REs):

  • Commercial Banks
  • Small Finance Banks (SFBs)
  • Payments Banks
  • Local Area Banks
  • Regional Rural Banks
  • Urban Co-operative Banks
  • Rural Co-operative Banks
  • NBFCs (Base, Middle, Upper, and Top Layers)
  • All-India Financial Institutions
  • Asset Reconstruction Companies (ARCs)
  • Credit Information Companies (CICs)

2. Specific Changes Required & Management Action Plans

A. Governance & Model Risk Management Framework (MRMF)

Specific Changes Required:

  • Implementation of a formal, Board-approved MRMF covering all models (internal, third-party, and AI/ML).
  • Strict demarcation of the Three Lines of Defence (Model Owners, Independent Validation, Internal Audit).
  • Risk Management Committee of the Board (RMCB) must directly approve deployment of “high-risk” tiered models and review tiering reports annually.

Management Action Plan:

  1. Draft a comprehensive MRMF policy document to be presented to the Board by Q3 2026.
  2. Restructure internal teams to ensure the validation function is completely independent of the model development and business usage functions.
  3. Update the RMCB’s charter to include mandatory review of model validation reports and high-risk model deployment approvals.

Real-World Example: Previously, a bank’s Chief Risk Officer might have independently approved a new credit-scoring algorithm. Under the new guidance, if this model is classified as “high risk,” the validation report must go to the Board’s RMCB for final deployment approval.

B. Risk-Based Model Tiering & Inventory Management

Specific Changes Required:

  • Establishment of a composite risk tiering system based on materiality, complexity, and operational impact.
  • Creation of a centralized inventory for all active, inactive, under-development, and decommissioned models.
  • Decommissioned models must remain in the inventory/documentation for a minimum of 10 years.
  • Broadened definition of a “model” to include algorithms, decision rules, and complex spreadsheets.

Management Action Plan:

  1. Conduct an enterprise-wide “Model Discovery” audit to identify all computational tools, including complex Excel macros used for pricing.
  2. Develop a tiering scorecard (e.g., Tier 1: High, Tier 2: Medium, Tier 3: Low) preventing low complexity from diluting high materiality scores.
  3. Procure or develop a centralized IT Model Inventory system with 10-year data retention capabilities.

Real-World Example: An NBFC uses an elaborate, macro-heavy Excel spreadsheet to determine interest rate grids and loan margins. Previously considered just a “tool,” it now qualifies as a “model.” The NBFC must log it in the inventory, assign it a risk tier based on its revenue impact, and formally validate its formulas.

C. Third-Party Model Accountability

Specific Changes Required:

  • The RE remains fully accountable for outcomes of outsourced/third-party models.
  • Mandatory independent validation by the RE, regardless of any assurances or certificates provided by the vendor.
  • Contractual agreements must include audit rights for the RE and the RBI, plus access to minimum technical documentation of the model’s logic.

Management Action Plan:

  1. Initiate a legal review of all existing contracts with third-party model providers (e.g., credit bureaus, SaaS fraud detection platforms).
  2. Renegotiate vendor MSAs to insert “right to audit” clauses and demand access to technical design documentation.
  3. Design a framework to internally test and validate third-party API outputs (back-testing against RE’s historical data).

Real-World Example: A bank purchases a cloud-based Anti-Money Laundering (AML) monitoring model from a global fintech. The bank can no longer rely solely on the fintech’s “99% accuracy” marketing claim. The bank must independently validate the model with its own customer data and ensure the contract allows RBI inspectors to audit the vendor’s methodology.

D. AI / ML Model Risk & Human Oversight

Specific Changes Required:

  • Implementation of specific controls for AI hallucinations, output bias, and fairness assessments.
  • Establishment of strict Explainability (XAI) thresholds; where full explainability is not achievable, substantial compensating controls are required.
  • “Human-in-command” arrangements (human-in/on-the-loop) and kill-switch mechanisms for automated AI decisions.
  • Specific cybersecurity controls for AI interfaces (e.g., against prompt injection attacks).
  • Mandatory disclosure to users when they are interacting with AI, with an option to escalate to a human.

Management Action Plan:

  1. Conduct a bias and fairness audit on all existing machine learning models used for credit sanctioning and customer targeting.
  2. Update AI chatbot UI/UX to include clear AI disclaimers and a prominent “Speak to a Human Agent” button.
  3. Deploy cybersecurity firewalls specifically designed to detect and block adversarial inputs and prompt injections in Generative AI tools.
  4. Establish manual review protocols where a human officer randomly samples and overrides AI-generated credit rejections.

Real-World Example: An Urban Co-operative Bank deploys a Generative AI chatbot to answer customer loan queries. To comply with the draft, the bank must (a) explicitly state “You are chatting with an AI assistant,” (b) install filters to prevent users from using “prompt injection” to make the bot offer unauthorized 0% interest rates, and (c) provide a “kill switch” that immediately transfers the chat to a live agent if the AI begins hallucinating incorrect policy details.
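The controls in that chatbot scenario (AI disclosure, user-triggered escalation, an output check against the approved rate grid, and a kill switch that hands the chat to a human) written out as an added Python illustration; this is not code from the RBI draft or from any regulated entity, and the rate grid, the scripted stand-in for the LLM and the message wording are constructed assumptions. Checking the bot’s output against the approved grid catches an unauthorised 0% offer whether it arose from a prompt injection or from a plain hallucination.

```python
import re
from dataclasses import dataclass, field

# Constructed approved rate grid, percent p.a. (assumption: a real RE would load
# this from the validated pricing model recorded in its model inventory).
APPROVED_RATES = {"home loan": (8.5, 11.0), "personal loan": (12.0, 18.0)}
DISCLOSURE = "You are chatting with an AI assistant. Type 'human' to reach an agent."
ESCALATE_RE = re.compile(r"\b(human|agent|representative)\b", re.IGNORECASE)
RATE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*%")

@dataclass
class Session:
    started: bool = False      # disclosure is shown on the first turn
    handed_off: bool = False   # kill switch: once True the AI no longer answers
    incidents: list = field(default_factory=list)  # reasons logged for review

def check_output(product, reply):
    """Output guardrail: every rate the bot quotes must lie inside the approved
    grid for the product. Fails closed for products with no grid. Returns (ok, reason)."""
    lo, hi = APPROVED_RATES.get(product, (None, None))
    for m in RATE_RE.finditer(reply):
        rate = float(m.group(1))
        if lo is None or not lo <= rate <= hi:
            return False, f"quoted {rate}% for {product}; approved grid is {lo}-{hi}"
    return True, ""

def handle_turn(session, product, user_msg, model):
    """One chatbot turn wrapped in the draft's controls; `model` stands in for the LLM."""
    if session.handed_off:
        return "A human agent has taken over this conversation."
    prefix = "" if session.started else DISCLOSURE + "\n"
    session.started = True
    if ESCALATE_RE.search(user_msg):           # user asked for a person
        session.handed_off = True
        return prefix + "Transferring you to a human agent."
    reply = model(user_msg)
    ok, reason = check_output(product, reply)
    if not ok:                                 # policy-inconsistent answer: kill switch
        session.handed_off = True
        session.incidents.append(reason)
        return prefix + "I cannot confirm that. Transferring you to a human agent."
    return prefix + reply

def scripted_model(user_msg):
    """Constructed stand-in for the LLM: answers normally, but 'hallucinates' a 0%
    rate when pushed, whether by an injected instruction or a plain question."""
    if "ignore" in user_msg.lower() or "0%" in user_msg:
        return "Sure! As a special offer you qualify for a 0% interest home loan."
    return "Home loan rates currently range from 8.5% to 11% depending on tenure."
```

Every incident recorded in `Session.incidents` is the kind of evidence the validation function and internal audit would review under the MRMF.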

Immediate Next Steps for Compliance

The RBI has invited public comments by July 24, 2026. Management teams must immediately form a cross-functional Model Risk Steering Committee (comprising Risk, IT, Legal, and Business lines) to assess current gaps against this draft guidance and submit structural feedback to the RBI Operational Risk Group.

RBI Press Release
