Cross-regulator · India Deep Dive
AI in BFSI — Regulatory Map
No single Indian 'AI Act' exists yet — AI obligations arrive through sectoral rules. This map consolidates every AI-relevant requirement a BFSI entity faces in 2026.
Last verified: 2026-06-17| Regulator | AI-Relevant Rule / Initiative | What It Requires | Status |
|---|---|---|---|
| RBI | FREE-AI Committee framework (2025) | Framework for Responsible and Ethical Enablement of AI in financial services — governance, explainability and accountability expectations for AI in lending and operations | Recommendations published; supervisory expectations forming |
| RBI | Digital Lending Guidelines 2022 | Algorithmic credit underwriting must remain explainable; lending service providers' models fall within the RE's accountability; no automated decisioning without grievance path | In force |
| RBI | MD-ITGRC model risk expectations | AI/ML systems are 'critical IT assets' — change management, audit trails and validation apply to models in production | In force (Apr 2024) |
| SEBI | Algo trading framework (retail algo rules, 2025) | Exchange approval for retail algos; broker accountability for API-based algo orders; audit trail for every algo order | In force |
| SEBI | AI/ML disclosure circular (2019, updated) | Quarterly reporting by intermediaries of AI/ML systems used in products, surveillance and compliance | In force |
| SEBI | CSCRF coverage of AI systems | AI systems in scope of asset inventory, VAPT and incident reporting under CSCRF | In force (Aug 2024) |
| IRDAI | AI/ML in underwriting & claims | Fairness and non-discrimination expectations for AI-based underwriting, pricing and claims triage; board accountability for model outcomes | Supervisory expectations; guidelines evolving |
| DPDP | SDF algorithm audits (§10) | Significant Data Fiduciaries must audit algorithms for risk to data principals' rights — first statutory algorithm-audit duty in India | Enforceable ~May 2027 |
| DPDP | Automated decision-making + children | No tracking/behavioural monitoring or targeted ads to children; verifiable parental consent gates AI personalisation for minors | Enforceable ~May 2027 |
| CERT-In | AI system incidents reportable | Attacks or malicious/suspicious activity affecting AI/ML systems are a reportable incident category — 6-hour clock applies | In force (Jun 2022) |