If you're deploying AI in Indian financial services, governance isn't optional — it's imminent. RBI, SEBI, and IRDAI are all developing frameworks, and firms that wait for final regulations will be playing catch-up.
The Current Landscape
RBI
The Reserve Bank has been progressively tightening guidance:
- **IT Governance Framework** already requires risk assessment for new technology deployments
- **Outsourcing guidelines** apply to third-party AI model providers
- **Customer protection** norms require explainability for lending and credit decisions
- **Expected next:** Formal AI/ML-specific guidelines, likely building on the Bank of England and MAS frameworks
SEBI
- **Circular on AI/ML usage** in algorithmic trading and advisory — requires pre-approval and ongoing monitoring
- **Cybersecurity framework** implications for AI systems handling market data
- **Expected next:** Broader guidance on AI in compliance, surveillance, and investor services
IRDAI
- **Guidelines on AI in underwriting** — requires human oversight for automated decisions
- **Claims processing** automation must maintain policyholder rights
- **Expected next:** Framework for AI in claims adjudication and fraud detection
What This Means Practically
For BFSI firms deploying AI today, here's what governance should cover:
Model Risk Management
- **Inventory** all AI/ML models in production
- **Classify** by risk tier (customer-facing decisions vs. internal analytics)
- **Document** model purpose, training data, validation results, and known limitations
- **Review cycle** at minimum annually, or when material changes occur
Explainability
- For customer-facing decisions (lending, claims, pricing): you need to explain why a decision was made in terms the customer can understand
- "The AI decided" is not an acceptable explanation
- Build explainability into the model design, not as an afterthought
Data Governance
- **Lineage** — where does training data come from? Is it representative?
- **Bias testing** — does the model perform differently across protected categories?
- **Consent** — is customer data being used in ways the customer agreed to?
- **Retention** — how long do you keep model inputs, outputs, and training data?
Human Oversight
- Define which decisions require human review
- Establish escalation paths for model uncertainty
- Monitor for model drift and performance degradation
- Maintain kill switches for automated systems
Audit Trail
- Log every model decision with inputs, outputs, and reasoning
- Retain logs per regulatory record-keeping requirements
- Enable ex-post review of any individual decision
The DPDP Act Overlay
India's Digital Personal Data Protection Act 2023 adds another layer:
- **Purpose limitation** — AI can only process personal data for the stated purpose
- **Data minimisation** — collect only what's needed
- **Right to explanation** — data principals can ask how their data was used in automated decisions
- **Data Protection Board** — enforcement body that can levy significant penalties
Building Governance Now
Don't wait for final regulations. Build the framework now:
- **Inventory** your current AI/ML deployments — most firms are surprised by how many they have
- **Risk-tier** each deployment — focus governance effort on high-risk, customer-facing systems
- **Document** — model cards, data lineage, validation results, known limitations
- **Test** for bias and fairness — especially on lending, pricing, and claims decisions
- **Build explainability** into new deployments from day one
- **Train** your compliance and risk teams on AI-specific risks
Why This Matters for CoVector AI Clients
We work primarily with BFSI firms. Every AI deployment we build includes governance considerations from the start — not as a compliance checkbox, but as a design principle. Our AI Governance practice helps clients build frameworks that satisfy current requirements and position them for what's coming.
The firms that build governance into their AI practice now will have a significant advantage when formal regulations arrive. The ones that don't will face expensive retrofitting — or worse, enforcement actions on systems already in production.
