RBI Mandates Kill Switches for Bank AI Models, Board Approval Required
What You Need to Know
- RBI requires kill switches in AI deployments with board-level approval for high-risk models.
- Banks must maintain complete inventories of all AI models and remain accountable for third-party tools.
- RBI explicitly addresses automation bias, the tendency for staff to approve AI outputs without independent judgment.
- Customer-facing AI systems must disclose non-human nature and provide access to human agents.
India’s central bank has proposed rules requiring every bank and regulated financial entity to embed kill switches into their AI deployments, with board-level sign-off required for high-risk models. The Reserve Bank of India’s draft guidelines, open for public comment until July 24, would represent the first time the RBI has proposed a comprehensive accountability structure specifically for AI model risk across the entire financial sector.
The framework is notably broad in scope: it covers everything from basic spreadsheet calculators to generative AI systems, and requires banks to maintain full inventories of every model in operation. Third-party AI vendors get no exemption. Banks remain fully accountable for any model they deploy regardless of origin, and independent validation is required for all externally sourced tools. The RBI flagged supply chain concentration as a specific concern, pointing to systemic risk if banks cluster around a small number of global AI providers. That concern has a real precedent in financial technology: the 2023 CrowdStrike-adjacent disruptions showed how a single-vendor dependency across regulated institutions can cascade well beyond one firm’s failure.
The proposal also names “automation bias” explicitly, which is the tendency for staff to approve AI outputs without independent judgment. That is a more honest diagnosis than most central bank documents manage.
Customer-facing AI systems would be required to disclose their non-human nature and offer users a path to a human agent at any point. Generative AI models interacting with external users face additional cybersecurity requirements under the draft. The tiered risk classification structure, where the highest-risk models require Risk Management Committee approval at the board level, mirrors the approach the EU’s AI Act takes toward high-risk system categories, suggesting RBI is watching international regulatory architecture closely rather than building from scratch. For global banks operating in India, that alignment matters: a framework that rhymes with EU rules is easier to absorb into existing compliance infrastructure than a purely idiosyncratic one.
The public comment window closes July 24, after which the RBI would be expected to finalize or revise the guidelines before any formal implementation timeline is set.
0 Comments