Overview

On August 13, 2025, the Reserve Bank of India (“RBI”) released the much-anticipated committee report on Framework for Responsible and Ethical Enablement of Artificial Intelligence (“FREE-AI”) in the financial sector. This comprehensive framework, developed by a committee chaired by Dr. Pushpak Bhattacharyya of IIT Bombay, marks a significant milestone in India’s approach to AI governance in financial services.

This article seeks to unpack the FREE-AI framework in a manner accessible to legal professionals, policymakers, industry professionals and lay readers alike. It explains the core principles and regulatory vision behind the framework, situates it within India’s broader legal landscape, and evaluates its potential impact on financial institutions, regulators, and consumers. Further, it examines whether the framework adequately addresses the pressing challenges of accountability, consumer protection, and liability in AI-driven decision-making, while highlighting areas where additional legal clarity or regulatory alignment may be required.

The Genesis and Necessity

The FREE-AI framework emerges at a critical juncture. As AI rapidly transforms financial services, from customer interactions to credit assessments and fraud detection, it brings both unprecedented opportunities and novel risks. The committee, constituted following the RBI’s Statement on Developmental and Regulatory Policies dated December 6, 2024, was tasked with developing guardrails that would enable innovation while protecting stakeholders. Unlike many reactive regulatory approaches globally, the RBI’s initiative is notably proactive, seeking to establish principles before widespread problems emerge.

Regulatory Context and Authority

The FREE-AI Framework has been released pursuant to RBI’s powers under the Reserve Bank of India Act, 1934 and the Banking Regulation Act, 1949. It reflects the regulator’s intent to bring AI adoption under its supervisory ambit in much the same way as IT governance, outsourcing, and digital lending frameworks were previously regulated.

While the framework itself is not yet a binding regulation, it is evident that several of its provisions are intended to be incorporated into Master Directions, which would make compliance mandatory for regulated entities (“REs”).

Scope of Application

The FREE-AI framework is designed to apply across the spectrum of REs under the RBI’s jurisdiction. This includes Scheduled Commercial Banks (SCBs), Non-Banking Financial Companies (“NBFCs”), Payment System Operators (PSOs), and FinTech entities engaged in providing financial services under RBI’s regulatory ambit. In essence, any institution operating under RBI’s oversight that deploys AI whether for customer interaction, credit assessment, risk monitoring, or operational support falls within the framework’s purview.

Interestingly, the framework also contemplates an indirect extraterritorial reach. While offshore technology providers and AI developers are not directly regulated by RBI, they will inevitably be drawn into the compliance net. This is because Indian financial institutions are expected to “flow down” RBI obligations through their contractual arrangements with third-party vendors and service providers. In practical terms, foreign AI suppliers will need to demonstrate compliance with the framework’s requirements such as explainability, fairness, and incident reporting if they wish to continue providing AI solutions to Indian financial institutions.

Key Compliance Requirements

The FREE-AI framework translates its guiding principles into six major compliance touchpoints for REs. These are not mere technical recommendations but governance mandates that elevate AI oversight to the same level as credit risk or cyber risk management.

    1. Now every RE will need a formal, board-signed AI policy that sets out governance structures, defines risk appetite, and allocates responsibility across the AI lifecycle. This firmly places AI oversight on the agenda of directors, exposing them to accountability for lapses.
    2. Institutions must adopt stricter protocols around how data is collected, used, retained, and deleted, with explicit safeguards on consent and quality. With the Digital Personal Data Protection Act, 2023 (“DPDPA”) now in play, poor datasets or unchecked bias are no longer just operational weaknesses only but are in fact major compliance risks.
    3. AI tools cannot be deployed casually by REs. Design standards, validation, monitoring, and even retirement procedures must follow a documented process. In effect, financial institutions will be expected to exercise the same diligence over AI models as they do over financial products.
    4. Existing approval pipelines will need to expand to capture AI-specific concerns, fairness, explainability, consumer impact, and resilience. This adds time and complexity to product rollouts, but it also reduces the risk of post-launch disputes and regulatory censure.
    5. Banks and NBFCs must tell customers when they are dealing with AI, give them a channel to challenge AI-driven decisions, and provide stronger protection for vulnerable users. These measures effectively create new grounds for consumer redress.
    6. Failures of AI whether in the form of errors, bias, breaches, or breakdowns must be reported promptly. While the RBI signals a cooperative stance, silence or delay in reporting could invite stricter supervisory action.

Yet, as with any first-of-its-kind initiative, questions remain about its enforceability and practical impact.

Gaps and Challenges

While the FREE-AI framework is undoubtedly progressive, several legal and regulatory uncertainties remain that could shape its effectiveness in practice.

    1. Enforceability remains the foremost issue. As things stand, the framework is advisory. Until it is formally codified into RBI’s Master Directions or binding circulars, adoption will likely be uneven. Larger banks with established compliance teams may move quickly, but smaller NBFCs and fintech(s) may delay or dilute implementation, resulting in fragmented sector-wide adherence.
    2. Liability allocation also requires sharper clarity. The framework places primary responsibility on regulated entities, but does not specify how accountability should be distributed between financial institutions, AI developers, and third-party vendors. In the event of consumer harm — say, a discriminatory credit decision, the precise point of liability in the chain of actors remains ambiguous. Without clearer guidance, disputes will inevitably be pushed into the realm of contract negotiation and litigation.
    3. Overlap with existing laws presents another challenge. Many obligations under the FREE-AI framework, such as fairness in decision-making, consent management, and grievance redress, intersect with DPDPA and the Consumer Protection Act, 2019. Without explicit harmonisation, regulated entities may find themselves navigating duplicative or even conflicting compliance requirements, creating both inefficiency and uncertainty.
    4. The operational burden cannot be ignored. The framework expects all REs, regardless of size to establish board-level AI oversight, incident reporting mechanisms, and structured lifecycle management of AI models. For smaller NBFCs and fintech(s), these obligations may be disproportionately onerous, increasing compliance costs and potentially stifling innovation at the very stage where agility is most critical.
    5. Lastly, global alignment is limited. Although FREE-AI endorses universal principles such as fairness, explainability, and accountability, it does not fully engage with emerging international regimes such as the EU AI Act or supervisory guidance from the US and UK. Indian institutions with cross-border operations may therefore face parallel compliance obligations, heightening the complexity of regulatory conformity across jurisdictions.

Final Reflections

The FREE-AI framework is more than just a policy document. It is a signal of intent. By setting ethical and governance guardrails at this early stage, the RBI is positioning India’s financial sector to embrace technological innovation without losing sight of accountability and consumer trust. Its message is clear: AI in finance is no longer a side experiment but a matter of regulatory concern at the highest level.

That said, several questions remain. Until incorporated into binding directions, the framework risks uneven adoption. Further, the liability among institutions, vendors, and developers is yet to be clarified and overlaps with existing data and consumer protection laws could complicate compliance. The path forward will require careful coordination among regulators and alignment with global practices. In this sense, FREE-AI should be viewed as the beginning or a foundation upon which India’s broader AI regulatory architecture will be built.

Co-authored by Vara Gaur, Partner ([email protected]) and Sakina Kapadia, Senior Associate ([email protected]).

 

More from Saga Legal