RBI’s FREE-AI Framework: Shaping Ethical AI in the Indian Financial Sector

Artificial Intelligence (AI) is rewiring financial services, from fraud detection to credit underwriting, but without clear guardrails, it can magnify risks. To steer this transition, the Reserve Bank of India (RBI) set up a committee in December 2024 to craft the Framework for Responsible and Ethical Enablement of AI (FREE‑AI) for the financial sector. The goal is simple but ambitious: enable innovation while protecting trust, fairness, and stability.

Committee, Mandate, and Methodology

Chaired by Dr. Pushpak Bhattacharyya (IIT Bombay) with members spanning policy, industry and academia, the Committee was tasked to assess adoption, review global approaches, identify risks, and recommend a governance framework tailored to India. It used a four‑pronged method: wide stakeholder engagements, two national surveys (DoS and FTD) across banks/NBFCs/FinTechs, a scan of global standards and laws, and a gap analysis of existing RBI guidelines (IT, cybersecurity, outsourcing, digital lending, and consumer protection).

The Opportunity: Where AI Adds Value

AI promises productivity gains via process automation, personalised customer experience (multilingual chat/voice), sharper risk analytics, and financial inclusion using alternative data. India’s diversity argues for multilingual, domain‑tuned models (including efficient SLMs and LTD “trinity” models), and a GenAI innovation sandbox to speed safe experimentation.

The Risk Landscape: What Can Go Wrong

The report flags model and operational risks—bias, opacity, hallucinations, model drift, data poisoning, adversarial prompts, and third‑party concentration. It notes systemic concerns (herding, procyclicality) and cybersecurity threats (automated phishing, deepfakes). Liability in non‑deterministic systems is complex, and consumer protection requires clear disclosures and contestability of AI‑led decisions.

Global Policy Context and India’s Stance

Approaches vary: the EU AI Act uses horizontal, risk‑tiered rules; Singapore blends toolkits (FEAT/Veritas) with guidance; UK/US lean principle‑based; China regulates by AI type. India’s line is pro‑innovation with safeguards, backed by the IndiaAI Mission (₹10,372 crore) and the AI Safety Institute (AISI) to evaluate models and promote safe, trusted AI.

Seven Sutras (Core Principles) and Six Strategic Pillars

The Committee crystallises adoption around seven Sutras: Trust, People First, Innovation over Restraint, Fairness & Equity, Accountability, Understandable by Design, and Safety, Resilience & Sustainability. These are operationalised through six Pillars that pair enablement with risk control:

• Infrastructure: shared data/compute, AI Innovation Sandbox, sector models.
• Policy: proportional, risk‑based guidance; clarity on outsourcing and vendor AI.
• Capacity: board to frontline AI literacy, Centers of Excellence, shared playbooks.
• Governance: board‑approved AI policy, lifecycle controls, documentation.
• Protection: consumer disclosures, fairness testing, human‑in‑the‑loop.
• Assurance: cybersecurity augmentation, incident reporting, independent audits.

Twenty‑Six Recommendations: What RBI Wants Done (Essentials)

The report clusters actionable steps, notably: create shared compute/data rails; launch a GenAI sandbox; encourage indigenous financial‑grade models; require board‑approved AI policies; extend product approval and audit scopes to cover AI; strengthen AI‑specific cybersecurity and incident reporting; ensure customers are told when engaging with AI; share sector best practices; and allow lighter compliance for clearly low‑risk uses to spur inclusion.

Survey Insights: Current Adoption and Gaps

Adoption remains shallow: only 20.8% (127/612) supervised entities use or are developing AI. Tier‑1 UCBs: 0%; Tier‑2/3 UCBs <10%; among NBFCs, 27% report usage; ARCs: 0%. Typical production/POC use cases: customer support (15.6%), credit underwriting (13.7%), sales/marketing (11.8%), cybersecurity (10.6%). 35% favour the public cloud for scalability. Governance maturity is low: only ~1/3 have board‑level oversight; ~1/4 have formal incident handling. On tooling and controls: SHAP/LIME 15%, audit logs 18%, bias validation 35% (mostly pre‑deployment), periodic retraining 37%, drift monitoring 21%, real‑time monitoring 14%. Barriers cited: talent gaps, costs/compute, data quality, and legal uncertainty.

What these numbers mean: India risks a two‑speed AI economy where large banks move ahead and smaller UCBs/NBFCs lag—precisely why shared infra, clear guidance, and capacity building are central to FREE‑AI.

How FREE‑AI Interlocks with Existing RBI Rules

The report clarifies fitment with outsourcing (vendor AI still needs RE accountability, with AI‑specific clauses), IT/cybersecurity (extend controls to models, data pipelines, access/audit trails), digital lending (auditable, explainable credit models; data minimisation/consent), and consumer protection (disclosures, grievance redress against AI outcomes). It also proposes model registers, lineage, and traceability to aid supervision.

Way Forward (Exam‑Ready Pointers)

Priorities include: operationalising the AI Sandbox; issuing a board‑policy template and incident reporting format; promoting multilingual inclusion models; scaling sector training (boards, risk, audit, tech); and enabling transparent, auditable AI with bias checks and human appeal routes. For low‑risk use (e.g., FAQ chat), a proportional compliance path can accelerate adoption without diluting safety.