Regulator: Reserve Bank of India (RBI)
Committee: Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI Committee)
1. Background -
The Reserve Bank of India (RBI) constituted the FREE-AI Committee in December 2024 to develop a framework for the responsible and ethical use of Artificial Intelligence (AI) in the financial sector. The initiative responds to the growing adoption of AI in banking, NBFCs, fintech, and insurance, alongside associated risks such as bias, opacity, cybersecurity vulnerabilities, and consumer harm.
The Committee has released a comprehensive framework (FREE-AI) that sets guiding principles, strategic pillars, and compliance expectations for regulated entities (REs).
2. Key Principles (“Seven Sutras”)
The Committee identified seven foundational principles for AI adoption in financial services:
- Trust is the Foundation
- People First
- Innovation over Restraint
- Fairness and Equity
- Accountability
- Understandable by Design
- Safety, Resilience, and Sustainability
3. Six Strategic Pillars of FREE-AI
The recommendations are structured under six strategic pillars balancing innovation and risk mitigation:
A. Innovation Enablement:
(a) Infrastructure: Shared data and compute infrastructure; AI innovation sandbox.
(b) Policy: Clear AI policy guidance and proportionate compliance.
(c) Capacity: Training and skill development at board, management, and workforce levels.
B. Risk Mitigation:
(a) Governance: Board-approved AI policies, clear accountability frameworks.
(b) Protection: Strong consumer protection measures, transparency in AI decisions.
(c) Assurance: Independent audits, cybersecurity resilience, incident reporting.
4. Regulatory Expectations:
The Committee has recommended:
(a) Board-Approved AI Policy: Each regulated entity (RE) must adopt an AI governance policy approved by its Board.
(b) Model Risk Management (MRM): Expanded product approval, audits, and validation mechanisms to include AI.
(c) Consumer Transparency: Customers must be informed when interacting with AI and provided avenues to challenge AI-based decisions.
(d) Cybersecurity & Incident Reporting: AI-specific vulnerabilities (data poisoning, adversarial attacks, deepfakes) must be covered under cybersecurity frameworks. AI incident reporting formats are to be standardised.
(e) Vendor Management: Outsourcing contracts must explicitly cover AI risks, data confidentiality, and accountability.
(f) Bias & Explainability: AI models used for credit, underwriting, and customer service must be explainable, auditable, and free of discriminatory bias.
(g) Capacity Building: Institutions should develop in-house expertise and establish AI Centres of Excellence.
5. What Businesses Must Do to Avoid Penalties
To align with RBI’s expectations, financial institutions and fintechs should:
A. Governance & Compliance
(a) Adopt a Board-approved AI Governance Policy immediately.
(b) Establish AI Risk Management frameworks aligned with RBI guidelines.
(c) Conduct AI impact assessments before launch of new use cases.
B. Transparency & Fairness
(a) Ensure AI models are explainable; use interpretation tools (e.g., SHAP, LIME).
(b) Disclose when consumers interact with AI (chatbots, robo-advisors, underwriting systems).
(c) Provide grievance redressal channels for AI-related disputes.
C. Cybersecurity & Data Protection
(a) Extend IT and cybersecurity policies to cover AI-specific risks.
(b) Incorporate AI into incident reporting frameworks and monitor for model drift.
(c) Avoid over-collection of data; comply with DPDP Act 2023 and RBI IT guidelines.
D. Vendor & Third-Party Risks
(a) Update outsourcing contracts to cover AI risks, audit rights, and liability allocation.
(b) Ensure due diligence of AI vendors and cloud providers.
E. Internal Controls & Training
(a) Build AI literacy across the organisation (Board, management, employees).
(b) Train teams on bias detection, ethical use, and consumer protection.
(c) Monitor AI models post-deployment for bias, fairness, and robustness.
Author: Vishwas Chitwar, Senior Associate.
