The Reserve Bank of India has signaled that AI models will be treated with the same scrutiny as credit risk models. The “black box” excuse is officially dead.
Core Principle: Explainability
If an AI model (including a LLM) is used to make a decision that affects a customer (e.g., credit denial, fraud blocking), the bank must be able to explain why. For LLMs, this means “Chain of Thought” logging. You cannot just log the output; you must log the reasoning trace that led to that output.
Data Lineage and Privacy
The circular emphasizes that banks must know exactly where their training or RAG data is coming from. If an AI agent answers a query based on a document, that document must be identifiable.
Furthermore, PII (Personally Identifiable Information) must be masked before it hits the model context window, especially if using cloud-hosted models. CIOs need to implement “PII Redaction Gateways” that sit between the user and the LLM.
Human-in-the-Loop (HITL) Mandate
For critical functions, fully autonomous AI execution is currently prohibited. The guidelines require a “Maker-Checker” concept where the AI is the Maker, but a Human is the Checker. The UI must explicitly show the AI’s confidence score and require a human to click “Approve” before any funds are moved or legal letters sent.
Model Drift Monitoring
Just like credit scorecards, AI models drift. A prompt that worked in January might hallucinate in June due to a model update or changing data distribution. Banks must set up “Red Teaming” pipelines that continuously test their agents against a set of “Golden Questions” to ensure accuracy hasn’t degraded.