Back to Blog
5 min read

RBI Mandates AI Kill Switches for Indian Banks and NBFCs

RBI released draft AI model risk guidelines on 24 June 2026, mandating kill switches, human oversight, and board accountability across all banks and NBFCs. Comments close 24 July.

RBI Mandates AI Kill Switches for Indian Banks and NBFCs

RBI Publishes Draft AI Model Risk Framework on 24 June 2026

On 24 June 2026, the Reserve Bank of India published draft guidance titled Model Risk Management Framework, reference PR 2026-2027/528, requiring every bank, non-banking financial company, and regulated entity under its jurisdiction to put in place a comprehensive governance architecture for all AI and machine learning models. The draft is open for public comment until 24 July 2026, giving Indian banks, NBFCs, fintech companies, and AI software vendors approximately one month to submit formal responses before the guidelines are finalised.

The scope is broad. The framework covers 11 categories of RBI-regulated entities: commercial banks, cooperative banks, small finance banks, payment banks, regional rural banks, NBFCs, asset reconstruction companies, credit information companies, prepaid payment instrument issuers, housing finance companies, and all-India financial institutions. Any institution using AI or ML for credit decisioning, fraud detection, risk scoring, customer communication, or operations monitoring falls within the framework's requirements.

The Kill Switch Mandate

The most operationally specific requirement is the mandatory AI kill switch. Every regulated entity must implement override, suspension, or deactivation mechanisms — including kill-switch arrangements — for every AI and ML model in production. The kill switch must allow the institution to immediately halt any model producing harmful, biased, or erroneous outputs without requiring a full model rollback or code deployment cycle.

In practice, every bank and NBFC running AI in production must design its model architecture so that a human operator can disable the AI component and revert to a rule-based or manual fallback within a defined, auditable time frame. Models embedded in real-time systems — credit decisioning, transaction fraud screening, customer-facing chatbots — require the most significant architectural re-engineering to meet this requirement, as they must support clean reversal to non-AI fallback paths on demand.

Risk-Based Model Tiering and Board Accountability

The framework introduces a risk-based classification system that tiers models by materiality, complexity, and potential impact on customers and business operations. High-risk models — those involved in credit decisioning, lending rate setting, or automated customer-impacting decisions — require approval from board-level risk committees before deployment. Lower-tier models used for internal analytics carry reduced documentation requirements, but still need to be included in the institution's formally board-approved Model Risk Management Framework, referred to throughout the guidance as the MRMF.

The MRMF must cover every model deployed by the institution, regardless of whether the model was built internally, sourced from a third-party vendor, or developed in combination. The inclusion of third-party vendor models — covering AI systems sourced from fintech companies, cloud AI platform providers, and software vendors — is the requirement that will create the most significant compliance friction for banks currently using off-the-shelf AI products.

Human Oversight and Explainability Standards

The framework prohibits black-box AI in any customer-facing or credit-related application. Systems where the model's decision logic cannot be traced and explained in plain terms to a customer or regulator are not permissible under the draft guidance. Institutions must implement human oversight at decision points where model outputs could significantly affect a customer's financial position — including credit rejection decisions, loan repricing, and fraud-related account suspension. The explainability requirement will push many regulated entities toward AI architectures that prioritise interpretability over raw prediction accuracy for regulated use cases.

What This Means for Indian Fintech and Software Companies

For Indian fintech companies selling AI-powered credit scoring, fraud detection, or KYC verification to RBI-regulated institutions, the framework creates both a compliance challenge and a market opportunity. Every bank or NBFC using a third-party AI product must now demonstrate that the product meets MRMF requirements — which means fintech vendors that can document their models' decision logic, provide complete audit trails, offer override mechanisms, and produce explainable output will be preferred over those that cannot. Compliance capability becomes a commercial differentiator, not merely a legal obligation.

Software companies building AI products for the banking sector should treat the comment period — open until 24 July 2026 — as an active opportunity to influence the final requirements. Industry bodies including the Fintech Association for Consumer Empowerment and the Internet and Mobile Association of India will submit consolidated responses. Independent technical submissions from AI vendors identifying specific architectural constraints are likely to receive consideration.

For engineering teams at banks and NBFCs architecting AI systems now, the 24 July deadline is the last practical window to flag requirements that are operationally difficult before the guidelines are finalised. Production AI systems being designed in mid-2026 that will still be running in 2027 and 2028 should incorporate MRMF compliance as a first-class engineering requirement from the outset, not as a retrofit.

The Bottom Line

The RBI published draft Model Risk Management Framework guidelines on 24 June 2026, with public comments open until 24 July. The framework covers all 11 categories of RBI-regulated entities — commercial banks, NBFCs, cooperative banks, small finance banks, payment banks, ARCs, and more — and mandates board-approved governance for every AI and ML model in production, whether built internally or sourced from third parties. Key enforceable requirements include mandatory AI kill switches, risk-based model tiering with board-level approval for high-risk deployments, prohibition of black-box AI in customer-facing applications, and mandatory human oversight at consequential decision points. For Indian fintech companies selling AI products to banks, the framework defines the compliance baseline their customers will require. The comment window closes 24 July 2026.

Frequently Asked Questions

What did the RBI release on 24 June 2026 regarding AI in banking?+

On 24 June 2026, the Reserve Bank of India published draft guidance on Model Risk Management (reference PR 2026-2027/528), requiring every bank, NBFC, and RBI-regulated entity to implement a formal Model Risk Management Framework covering all AI and machine learning models in production. The framework mandates mandatory AI kill switches, risk-based model tiering, board-level approval for high-risk AI deployments, explainability requirements, and human oversight at consequential decision points. Public comments are open until 24 July 2026, after which the guidance is expected to be finalised and enforced across 11 categories of regulated entities.

What is the mandatory AI kill switch the RBI is requiring for banks?+

The RBI's draft framework requires every regulated entity to implement override, suspension, or deactivation mechanisms — specifically described as kill-switch arrangements — for every AI and ML model in production. The kill switch must allow the institution to immediately halt any model producing harmful, biased, or erroneous outputs without requiring a full model rollback or code deployment cycle. Models embedded in real-time banking systems such as credit decisioning, transaction fraud screening, and customer-facing chatbots require the most significant architectural changes to meet this requirement, as they must support reversion to rule-based or manual fallback processes on demand.

Which institutions does the RBI draft AI model risk framework cover?+

The RBI draft Model Risk Management Framework covers 11 categories of regulated entities: commercial banks, cooperative banks, small finance banks, payment banks, regional rural banks, non-banking financial companies (NBFCs), asset reconstruction companies (ARCs), credit information companies (CICs), prepaid payment instrument issuers, housing finance companies, and all-India financial institutions. The framework applies regardless of whether the AI model was developed internally by the institution, sourced from a third-party vendor, or built in a combination of both approaches.

How does the RBI framework affect fintech companies selling AI to banks?+

The RBI framework directly affects fintech companies selling AI-powered products to banks and NBFCs because it applies to third-party vendor models as well as internally developed ones. Every bank or NBFC using a third-party AI system must include it in their formal board-approved MRMF and verify that it meets kill-switch, audit trail, and explainability requirements. Fintech vendors able to document their models' decision logic, provide complete audit trails, offer override and deactivation mechanisms, and produce explainable output will be preferred by compliant institutions. Vendors that cannot meet these requirements will be at a commercial disadvantage once the guidelines are finalised. The public comment period is open until 24 July 2026.

TT

Written by

TechPillow Team

Sharing insights on technology, product development, and the Indian tech ecosystem.

Ready to Build Something Extraordinary?

From ideation to launch, we're your end-to-end technology partner.

Book a Free Strategy Call