WARRANT
[email protected] Open the demo →
ENTRY № 17 · STATUTORY READING · RBI FREE-AI
PUBLISHED 2026-05-09 · ~13-MIN READ · WARRANT COMPLIANCE

RBI FREE-AI, line by line.

The Reserve Bank of India's Committee on a Framework for Responsible and Ethical Enablement of Artificial Intelligence in the Financial Sector, chaired by Dr Pushpak Bhattacharyya of IIT Bombay, submitted its report on 13 August 2025. Seven Sutras. Six pillars. Twenty-six recommendations. Advisory in form, supervisory in effect, and the operative reference any AI agent operating inside an Indian bank, NBFC, or payment-system entity now reads against.

Warrant is regulator-grade evidence infrastructure for AI agents in regulated industries: drop an agent's execution trace, get a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant.

REPORT
13 August 2025· 7 Sutras · 6 pillars · 26 recs
Committee constituted under the RBI Statement on Developmental and Regulatory Policies dated 6 December 2024. Chaired by Dr Pushpak Bhattacharyya of IIT Bombay. Eight members across academia, government, banking, and technology.
AUTHORITY
RBI · advisory· supervisory cycle ready
Non-binding as published. Recommendations are written for incorporation into RBI Master Directions and circulars. Several recommendations expand existing binding directions on outsourcing, cybersecurity, IT governance, and digital lending.
ALIGNMENT
DPDP Act 2023· cross-references
Recommendation 11 directs data governance per the DPDP Act 2023. The framework does not directly cite SEBI, IRDAI, IFSCA, or PFRDA in its operative recommendations [verification pending on full PDF]; counsel reads parallel application across the financial-sector regulators.
01 · THE PUBLICATION MOMENT

13 August 2025, and what it meant.

The Reserve Bank of India released the Report of the Committee to develop a Framework for Responsible and Ethical Enablement of Artificial Intelligence in the Financial Sector on 13 August 2025. The release was announced under press release reference 2025-2026/902. The release closed an arc that started eight months earlier, when the RBI's Statement on Developmental and Regulatory Policies dated 6 December 2024 announced the constitution of a committee to study AI adoption in Indian financial services and recommend a governance framework. The committee was formally constituted on 26 December 2024 under press release 2024-2025/1779.

The publication moment matters in three ways at once. First, it is the first integrated AI policy document any Indian financial regulator has produced. SEBI had circulated a Retail Algo Framework consultation in 2024 covering algorithmic trading on Indian exchanges; IRDAI had a draft on InsurTech sandboxes; IFSCA had run AI sandbox cohorts at GIFT City. None of these spoke to the cross-cutting use-cases banks and NBFCs were already running: AI-driven credit underwriting, fraud screening, KYC verification, and customer-service automation. FREE-AI is the first document that names these use-cases together and describes a single governance model.

Second, FREE-AI lands at a measured policy moment. The Digital Personal Data Protection Act 2023 was notified by Parliament in August 2023; the DPDP Rules followed in 2025. The Bharat AI Mission was approved by Cabinet in March 2024 with INR 10,372 crore over five years for compute, datasets, and model development. The IndiaAI mission's AIKosh dataset platform, which FREE-AI's recommendation 1 binds to, was announced in 2024 [verification pending on exact AIKosh launch date from canonical RBI text]. The framework reads as the financial-sector layer on top of these enabling rails, not as a standalone instrument.

Third, the framework is published into a banking sector with measurable AI adoption. The committee surveyed banks, NBFCs, fintechs, and global regulators before drafting; the survey informed the framework's tolerant supervisory stance and its emphasis on innovation enablement alongside risk mitigation. The report is not a study of AI's potential. It is a study of AI in production, written by people who saw the production stack from the inside.

Nine months on, FREE-AI sits where committee reports usually sit: cited by industry counsel, referenced in supervisory engagement, not yet codified into binding direction. The gap between recommendation and direction is the operative gap regulated entities now manage.

The Committee uses the Sutras as guidance to recommend an approach that fosters innovation and mitigates risks, treating these two seemingly competing objectives as complementary forces that must be pursued in tandem. FREE-AI Report · framework framing · 13 August 2025
02 · THE COMMITTEE + THE MANDATE

The chair, the mandate, the surveys.

The Reserve Bank of India set up a Committee with eight members chaired by Dr Pushpak Bhattacharyya from IIT Bombay. The Committee will assess the current level of adoption of AI in financial services globally and domestically, review regulatory and supervisory approaches, identify potential risks associated with AI, and recommend a framework including governance aspects for responsible, ethical adoption of AI models and applications in the Indian financial sector. The Committee shall submit its report within six months from the date of its first meeting. RBI Press Release 2024-2025/1779 · 26 December 2024 · committee mandate

The committee was constituted with eight members. The chair, Dr Pushpak Bhattacharyya, is a professor of computer science at the Indian Institute of Technology Bombay and a former director of IIT Patna, with research focus on natural-language processing. Other members reported in the press release include Ms Debjani Ghosh, then a Distinguished Fellow at NITI Aayog and former president of the National Association of Software and Service Companies; Dr Balaraman Ravindran, professor and head of the Wadhwani School of Data Science and AI at IIT Madras; representatives from HDFC Bank and Microsoft India; and additional members from academia, government, finance, and technology [exact full member list verification pending on the canonical PDF preamble].

The mandate set four questions for the committee: assess adoption (where is AI in Indian financial services today, and globally), review regulation (what supervisory approaches do peer jurisdictions use), identify risks (what failure modes does AI introduce into financial decisioning), recommend a framework (what governance posture should the RBI adopt). The four questions structure the report's chapters [exact chapter titles and count verification pending on the canonical PDF].

The committee engaged a wide range of stakeholders during its eight-month working window. Surveys went to scheduled commercial banks, urban cooperative banks, NBFCs of various sizes, fintech entities, and payment system operators. Submissions were taken from technology vendors, academic researchers, and consumer representatives. Cross-jurisdictional inputs were sought from peer regulators and from industry counsel familiar with European and US regimes. The framework that emerged is, by design, a synthesis of what Indian regulated entities are already doing, what peer regulators are saying, and what the committee judged could realistically be implemented across a sector that ranges from systemically important banks to single-state cooperative banks.

The FinTech Department at the RBI provided secretariat support. The Department of Supervision and the Department of Regulation were consulted at the drafting stage. The framework's tolerant supervisory stance for first-time errors, its emphasis on board-approved policy as the accountability anchor, and its treatment of the AI inventory as the practical model registry all read as the product of supervisor-side input.

03 · THE 7 SUTRAS

The seven Sutras, verbatim.

The Committee has laid down a set of seven overarching principles, "Sutras", to guide responsible AI innovation, governance and policy in the financial sector. FREE-AI Report · Sutra framing language · 13 August 2025

The seven Sutras are the framework's principles spine. They are the values the framework reads downstream recommendations against. Each Sutra is short, declarative, and written in the tone of a charter rather than a regulation. The list is not aspirational; the framework binds each Sutra to operational recommendations under the six pillars.

Sutra 1
Trust is the Foundation. READING · Public trust in AI systems and in the regulated entities deploying them is the prerequisite, not a downstream metric. Confidence in outcomes and processes is built before scale, not earned after.
Sutra 2
People First. READING · Disclosure of AI usage to the affected party. The individual retains final authority to override an AI decision. Human oversight and consumer interests are paramount; AI augments, never displaces, the named accountable human.
Sutra 3
Innovation over Restraint. READING · Responsible, socially useful innovation takes priority over cautionary restraint. The framework treats innovation enablement and risk mitigation as complementary, not opposed. The supervisor does not reach for prohibition where calibrated supervision is available.
Sutra 4
Fairness and Equity. READING · AI systems are designed and tested to promote fairness, equity, and inclusion. Systemic bias is treated as a measurable property of the deployed system, not a residual to be apologised for after harm has occurred.
Sutra 5
Accountability. READING · Entities deploying AI systems are accountable for the decisions of those systems regardless of the level of autonomy. Responsibility sits with identifiable decision-makers; it does not diffuse into algorithms or vendor stacks.
Sutra 6
Understandable by Design. READING · Decisions are explainable; the design choice is upstream, not bolted on. Black-box outputs in customer-facing decisions are inconsistent with this Sutra on the framework's plain reading.
Sutra 7
Safety, Resilience and Sustainability. READING · Stress-tested for shocks, viable across the system's operational lifetime, and engineered for graceful degradation. Operational risk and model risk are treated as overlapping, not separable.
"The Sutras are the values; the pillars are the operational footing. Each downstream recommendation traces back to one Sutra and one pillar at minimum."FREE-AI Report · Sutra-pillar mapping reading

Each Sutra carries a Warrant evidence-field correspondent. Trust traces to a record that is independently verifiable without contacting Warrant. People First traces to the human oversight and disclosure flags inside the per-decision trace. Innovation over Restraint is the supervisory posture, not a per-decision artefact, but the framework's emphasis on calibrated incident reporting (recommendation 10) carries through. Fairness and Equity traces to the cohort-level evaluation and bias testing recorded as a record mapped to a specific obligation. Accountability traces to a record mapped to a specific obligation that binds the decision to the named accountable officer's role. Understandable by Design traces to the per-decision rationale and the alternatives-considered field. Safety, Resilience and Sustainability traces to the residual-risk classification recorded in the model inventory entry.

04 · THE 6 PILLARS

The six pillars, twenty-six recommendations.

The framework is structured across 6 strategic Pillars that address the dimensions of innovation enablement as well as risk mitigation. Under innovation enablement, the focus is on Infrastructure, Policy and Capacity and for risk mitigation, the focus is on Governance, Protection and Assurance. The framework includes 26 actionable recommendations, ranging from establishing AI innovation sandboxes and indigenous financial AI models to implementing robust governance, audit, and incident reporting mechanisms. FREE-AI Report · pillar architecture · 13 August 2025

The six pillars sit in two halves. Three pillars enable innovation: Infrastructure (the rails on which AI is built), Policy (the rules governing its use), Capacity (the people who build and run it). Three pillars mitigate risk: Governance (board-level oversight), Protection (consumer and cyber safeguards), Assurance (audit and monitoring). The architecture is deliberate. Innovation enablement and risk mitigation are presented as complementary forces rather than tradeoffs to be balanced.

Pillar 1
Infrastructure. READING · The shared rails. Recommendation 1 directs the establishment of high-quality financial-sector data infrastructure integrated with AIKosh under the IndiaAI Mission. Recommendation 2 establishes an AI Innovation Sandbox for controlled testing before scaled deployment. Recommendation 3 positions indigenous financial AI models as a strategic priority. Compute, data, and evaluation suites sit on this pillar.
Pillar 2
Policy. READING · The regulatory clarity layer. Recommendation 4 establishes a permanent AI Standing Committee under the RBI for long-term oversight. Recommendation 5 develops consolidated AI guidance for regulated entities. Recommendation 25 builds a framework enabling inclusive, affordable, and scalable AI-driven financial services. Recommendation 26 directs periodic policy reviews balancing innovation with emerging risk.
Pillar 3
Capacity. READING · The people layer. Talent development, training, and knowledge-sharing across the sector. The pillar reads against the supply-side constraint that AI competence inside Indian regulated entities is uneven; recommendations under this pillar address shared capacity-building so smaller entities are not foreclosed from AI deployment by skill gaps alone.
Pillar 4
Governance. READING · The board pillar. Recommendation 6 implements a graded liability framework with leniency for first-time breaches accompanied by proper safeguards (the "tolerant supervisory stance" for first-time AI errors). Recommendation 7 establishes board-approved consumer protection frameworks prioritising transparency and recourse. Recommendation 8 mandates AI disclosures in annual reports. Recommendation 9 directs maintenance of an AI inventory available for supervisory inspection. Recommendation 10 creates risk simulation and AI incident reporting mechanisms.
Pillar 5
Protection. READING · The consumer + cyber pillar. Recommendation 11 directs implementation of data governance per the Digital Personal Data Protection Act 2023. Recommendations 16 and 17 invest in consumer awareness and direct regulators to promote consumer education. Recommendations 18 through 24 expand existing RBI Master Directions to cover AI-specific risks: outsourcing, cybersecurity, digital lending, customer service, fraud risk management, IT governance, and IT services outsourcing.
Pillar 6
Assurance. READING · The audit pillar. Recommendation 12 develops an AI Compliance Toolkit for regulatory adherence. Recommendation 13 establishes a risk-based audit framework with internal audits proportional to risk levels. Recommendation 14 requires independent third-party audits for high-risk or complex AI use-cases. Recommendation 15 directs biannual framework reviews incorporating emerging risks and technologies.

The twenty-six recommendations distribute across the six pillars unevenly. Governance and Protection between them carry the bulk of the operational load: board-approved policy, AI inventory, incident reporting, expanded outsourcing standards, expanded cybersecurity standards, and the DPDP cross-reference. The Infrastructure recommendations (AIKosh integration, sandbox, indigenous models) are state-led; regulated entities consume the rails rather than build them. The Policy recommendations are RBI-internal: the Standing Committee, the consolidated guidance, the periodic review cadence are commitments the RBI makes to itself.

Recommendation 18 deserves separate emphasis. It expands the existing RBI Outsourcing of IT Services Master Direction to include algorithmic bias and accountability clauses for vendors. The expansion is the operative path through which foreign-headquartered foundation-model providers are brought into the framework's perimeter. The Indian regulated entity remains the accountable party, but the contract with the vendor must now carry the accountability terms. This is the recommendation that, when codified, produces the largest contractual rework across the sector.

05 · THE SUPERVISORY CYCLE IMPLICATION

What changed between August 2025 and May 2026.

Nine months sit between FREE-AI publication and the present. Three observations frame the supervisory cycle implication.

First, no public RBI enforcement action has cited FREE-AI as a binding obligation in this period. The framework remains, on the operative read, advisory. Counsel commentary published in the months following release uniformly notes that codification into Master Directions is the path through which FREE-AI becomes binding, and that until codification adoption will likely be uneven. The Lexology, Mondaq, and Bar & Bench commentary all converge on this point.

Second, the framework reads through to existing binding directions even before codification. Recommendation 18's expansion of the Outsourcing Master Direction sits on top of the existing direction. The board-approved AI policy under recommendation 7 reads against the existing IT Governance Master Direction's board-approval expectation. The AI inventory under recommendation 9 reads against the supervisor's existing right to inspect. The framework's operational footprint is larger than its formal status suggests, because much of what it asks for is already implicit in directions the regulated entity already obeys.

Third, the supervisory engagement pattern has shifted. Industry reports from Q1 2026 indicate that on-site inspections and Risk-Based Supervision (RBS) cycles since late 2025 have increasingly probed AI use-cases in line with the framework's recommendations. Examiners ask about the AI inventory. They ask about the board-approved policy. They ask about incident reporting. The framework is being read into the supervisory conversation even where it is not the operative direction. This is the pattern committee reports usually take through Indian financial supervision: the report informs supervisory expectation before binding circulars catch up.

The tolerant supervisory stance under recommendation 6 deserves emphasis. The framework explicitly recommends graded liability and leniency for first-time errors, conditional on the regulated entity having proper safeguards in place: a board-approved policy, an AI inventory, an incident reporting mechanism. Silence or delay in reporting is not protected by the tolerant stance. The stance is conditional on transparency, not a substitute for it.

Failures of AI, whether in the form of errors, bias, breaches, or breakdowns, must be reported promptly. While the RBI signals a cooperative stance, silence or delay in reporting could invite stricter supervisory action. FREE-AI Report · recommendation 10 · AI incident reporting

Counsel reading FREE-AI for client work treats it as a forward read on what binding direction will likely contain. The principles-based reading is the safe-harbor reading: a regulated entity that adopts the framework's recommendations under good-faith interpretation positions itself ahead of codification, and that positioning is itself protective when codification arrives.

06 · SEBI · IRDAI · IFSCA

The cross-regulator perimeter.

India's financial-sector regulatory architecture is plural. The RBI is one of several authorities. The Securities and Exchange Board of India (SEBI) regulates the securities market and asset management. The Insurance Regulatory and Development Authority of India (IRDAI) regulates insurance. The International Financial Services Centres Authority (IFSCA) regulates the GIFT City IFSC. The Pension Fund Regulatory and Development Authority (PFRDA) regulates pension funds. The Ministry of Electronics and Information Technology (MeitY) administers the DPDP Act 2023 and the IndiaAI Mission.

FREE-AI's operative perimeter is RBI-regulated entities: scheduled commercial banks, urban cooperative banks, NBFCs, payment system operators, and entities under the Payments and Settlement Systems Act 2007. The framework does not formally bind SEBI, IRDAI, IFSCA, or PFRDA regulated entities through direct application [exact verification of cross-regulator language inside the FREE-AI canonical PDF pending; secondary commentary uniformly reports the framework as RBI-perimeter focused].

In practice, three overlap patterns matter. Where an entity holds licences across multiple authorities (a banking-cum-insurance distributor; a wealth platform that lends and recommends mutual funds; a neo-broker that holds payment-system authorisation), each regulator's framework applies inside its own perimeter. The AI agent that issues a credit decision under bank licence reads against FREE-AI; the same agent recommending a mutual fund reads against SEBI's AI guidance; the same agent quoting an insurance product reads against IRDAI's posture. The agent does not split; the supervision does.

The IFSCA case is the cleanest. The GIFT City IFSC operates as a deemed foreign jurisdiction under the IFSCA Act 2019 and runs its own AI sandbox cohorts. An entity inside IFSCA jurisdiction obeys IFSCA direction and reads RBI guidance as informational; the entity outside IFSCA but transacting with one obeys its principal supervisor's direction. Inter-regulator coordination on AI is, as of May 2026, ad hoc rather than institutionalised; the FREE-AI Standing Committee under recommendation 4 is the most likely vehicle through which coordination becomes structural [verification pending on cross-regulator coordination language inside the canonical PDF].

The MeitY interface is different. The DPDP Act 2023 is a statutory regime that binds all entities (including all financial-sector entities) processing personal data of Indian residents. The DPDP Board sits under MeitY. FREE-AI's recommendation 11 directs adoption of DPDP-aligned data governance; the framework defers to the DPDP regime on personal-data questions and overlays AI-governance expectations on top.

Many obligations under the FREE-AI framework, such as fairness in decision-making, consent management, and grievance redress, intersect with the Digital Personal Data Protection Act, 2023. FREE-AI Report · DPDP cross-reference reading · recommendation 11
07 · IMPLEMENTATION CALENDAR

What FREE-AI says about when.

FREE-AI does not specify binding adoption deadlines. It is a committee report, not a regulation. The framework is presented as a direction of travel rather than a calendar.

The framework does, however, recommend a review cadence. Recommendation 15 directs biannual framework reviews to incorporate emerging risks and technologies. Recommendation 26 directs the regulator to undertake periodic policy reviews balancing innovation with emerging-risk management. The two recommendations together set an institutional rhythm: the framework is intended to be a living document refreshed at six-monthly intervals, with policy review on a longer cycle.

The implementation calendar is therefore the regulator's calendar, not the regulated entity's. The RBI will, on the framework's logic, codify recommendations into Master Directions or circulars on its own timetable. The regulated entity's optimal posture is forward-leaning: adopt the framework's recommendations under principles-based interpretation now, treating the as-yet-uncodified recommendations as the most likely shape of forthcoming direction.

The recommendations that read most directly into existing binding directions (recommendation 18 on outsourcing; recommendation 19 on cybersecurity; recommendation 20 on digital lending; recommendation 21 on customer service; recommendation 22 on fraud risk management; recommendation 23 on IT governance; recommendation 24 on IT services outsourcing) are the highest-probability candidates for early codification. An entity tracking the gap between framework and direction watches these seven recommendations most closely.

The Innovation Sandbox under recommendation 2 has a separate operational track. Sandbox cohorts operate on calendars set by the RBI's FinTech Department. The committee's Standing Committee under recommendation 4 has not, as of May 2026, been publicly announced as constituted [verification pending on RBI announcements between August 2025 and May 2026].

08 · WHERE WARRANT MAPS RBI FREE-AI

The FREE-AI field map.

The mapping below names each operative FREE-AI clause and the Warrant evidence field that satisfies it. Each row is keyed to a verified recommendation number under the six pillars; verification is against secondary canonical commentary plus the released framework's structure. This is the table an RBI examiner reads against the evidence package on supervisory engagement.

FREE-AI clause What evidence must show Warrant evidence field
Sutra 1 · Trust Third-party-verifiable record of decision a record independently verifiable without contacting Warrant
Sutra 2 · People First Disclosure to data principal + override path trace.actions[].human_oversight_flag
Sutra 5 · Accountability Named accountable officer bound to regulated officer role a record mapped to a specific obligation, bound to the officer's role
Sutra 6 · Understandable Per-decision rationale + alternatives considered trace.actions[].decision_rationale
Rec 7 · Board policy Active policy version at decision time trace.actions[].policy_engagement
Rec 9 · AI inventory Model id and version per decision trace.metadata.model_inventory_id
Rec 10 · Incident report Detection trail + reporting timestamp regulator_evidence.incident_record
Rec 11 · DPDP alignment Lawful basis + purpose limitation per use trace.metadata.dpdp_lawful_basis
Rec 13/14 · Audit Independent eval results recorded separately a record mapped to a specific obligation, carrying the eval-suite result
Rec 18 · Outsourcing Vendor lineage and accountability chain classification.dev_provenance
Sutra 1
Trust · third-party-verifiable record of decision. FIELD · a record that is independently verifiable without contacting Warrant, placing the decision at a fixed point in time. A third party reads the record and confirms it on their own; the record also attests to the regulated officer's role at the moment of decision.
Sutra 5
Accountability · named accountable officer bound to regulated officer role. FIELD · a record mapped to a specific obligation that binds the decision to the named accountable officer's role. Accountability does not diffuse into the agent; it is recorded against a person.
Rec 9
AI inventory · model id and version per decision. FIELD · trace.metadata.model_inventory_id is the per-decision binding to the entity's MRM inventory. An examiner pulling a single decision walks back from trace through inventory_id to the model card and the active validation. Recommendation 9's inventory becomes operational at this layer.
Rec 10
Incident reporting · detection trail and timestamp. FIELD · regulator_evidence.incident_record records detection time, root-cause classification, scope of impact, and reporting status. The tolerant supervisory stance under recommendation 6 is conditional on this record being produced; absence converts an in-tolerance error into an out-of-tolerance event.
Rec 11
DPDP alignment · lawful basis and purpose limitation per use. FIELD · trace.metadata.dpdp_lawful_basis records the section of the DPDP Act under which personal data is being processed for the specific decision, plus the purpose-limitation read on the data flow. The same artefact satisfies the FREE-AI principle and the DPDP statutory record.
W
Sample Indian evidence package · NBFC small-business lending agentINDEPENDENTLY VERIFIABLE WITHOUT CONTACTING WARRANT
→ /samples/india-nbfc.pdf
09 · DPDP ACT 2023

FREE-AI and the DPDP Act, in parallel.

The Digital Personal Data Protection Act 2023 is the operative privacy statute in India. It received presidential assent on 11 August 2023 and was notified into the central legislative record. The DPDP Rules followed in 2025. The Act is binding law; FREE-AI is committee guidance. They run in parallel for any AI-driven decision that processes personal data of an Indian data principal.

The DPDP Act attaches at the personal-data layer. Section 6 establishes consent as the primary lawful basis for processing personal data, with limited categories of legitimate uses under section 7 (employment, health emergency, public interest, performance of state function). Section 8 requires data fiduciaries to implement reasonable security safeguards. Section 9 requires breach notification to the Data Protection Board and the affected data principal. Section 11 establishes data-principal rights: access, correction, erasure, grievance redressal, nomination. Sections 33 to 37 establish significant data fiduciary obligations including data protection impact assessments and independent audits.

FREE-AI attaches at the AI-governance layer. Recommendation 11 explicitly directs implementation of data governance per the DPDP Act 2023; the framework does not duplicate the DPDP regime, it defers to it. The framework's other recommendations (board-approved AI policy, AI inventory, incident reporting, fairness testing, audit) overlay AI-governance expectations on top of the personal-data foundation.

The two regimes meet at the per-decision evidence layer. The lawful-basis record under DPDP and the model-decision rationale under FREE-AI live on the same trace. An evidence package that records the DPDP section under which data was processed, alongside the AI-governance metadata required by FREE-AI, satisfies both regimes simultaneously without duplication.

Cross-border data transfer under the DPDP Act becomes operative when a regulated entity sends personal data to a foreign-headquartered AI provider for inference. Section 16 of the DPDP Act empowers the central government to restrict cross-border transfers by notification; in the absence of a restriction, transfers are permitted subject to the standard obligations under sections 6, 8, and 11. An Indian regulated entity using a foreign foundation model on personal data therefore carries DPDP cross-border obligations and FREE-AI recommendation 18 outsourcing obligations on the same data flow. The evidence package binds both. For European analog reading on cross-border AI evidence, see /blog/eu-ai-act-article-12.

The Data Protection Board under the DPDP Act and the proposed FREE-AI Standing Committee under recommendation 4 are separate institutional bodies. The Data Protection Board has statutory power to investigate breaches and impose financial penalties (up to INR 250 crore for the most severe categories). The FREE-AI Standing Committee, when constituted, will have advisory rather than enforcement power. Counsel reading both regimes treats the DPDP Board as the binding venue for personal-data questions and the RBI itself (through Master Direction enforcement) as the binding venue for AI-governance questions.

10 · THE FAQ + THE SOURCE

Questions a CCO and an RBI examiner ask first.

Is RBI FREE-AI binding?

Not as published. FREE-AI is a committee report. The Committee to develop a Framework for Responsible and Ethical Enablement of Artificial Intelligence in the Financial Sector was constituted under the Statement on Developmental and Regulatory Policies dated 6 December 2024 and submitted its report on 13 August 2025. The recommendations are advisory until the RBI codifies them into Master Directions, circulars, or amends existing directions. The committee itself recommends incorporation into Master Directions, and law-firm commentary published since the report treats Master Direction adoption as the operative path. Until codification, regulated entities adopt FREE-AI on a principles-based reading; supervisors are expected to reference the framework in supervisory cycles.

Does FREE-AI apply to non-bank fintechs?

FREE-AI's terms of reference cover the Indian financial sector. Banks, NBFCs, payment system operators, and other entities regulated by the RBI fall within scope. Non-bank fintechs operating under a regulated partner (BaaS, sponsor-bank arrangements, payment aggregator licensing) inherit the framework through the regulated principal. Where a fintech operates outside RBI licensing entirely, FREE-AI does not bind directly, but a partner bank's or NBFC's AI policy reads through to the fintech's models on the third-party outsourcing leg of recommendation 18, which expands the existing Outsourcing Master Direction to cover algorithmic accountability.

How does FREE-AI relate to the DPDP Act?

The Digital Personal Data Protection Act 2023 is binding statute. FREE-AI is committee guidance. They run in parallel. DPDP attaches to the personal-data leg of any AI-driven decision: lawful basis, purpose limitation, consent, data minimisation, breach notification, data principal rights. FREE-AI attaches to the model-governance and accountability leg: board-approved AI policy, incident reporting, fairness testing, audit. Recommendation 11 of FREE-AI explicitly directs implementation of data governance per the DPDP Act 2023. The two regimes meet at the per-decision evidence layer: the lawful-basis record under DPDP and the model-decision rationale under FREE-AI live on the same trace.

What is the difference between FREE-AI and SEBI's AI guidance?

FREE-AI is RBI's framework for the banking, NBFC, and payment-system perimeter. SEBI's AI work runs in parallel for the securities market: the SEBI Retail Algo Framework (2024), the broker-side circular on AI use disclosure, and the consultation paper on AI in mutual funds. Where an AI agent crosses both perimeters (a wealth platform that lends and recommends mutual funds; a neo-broker that holds a payment-system licence) both frameworks attach. The Sutras and pillars under FREE-AI overlap conceptually with SEBI's principles-based guidance but are not identical text. Counsel reading both should treat each AI use-case as in scope for the supervisor whose perimeter it sits inside, with the higher-bar evidence package satisfying both.

Has the RBI cited FREE-AI in any enforcement action since publication?

As of May 2026, no public RBI enforcement action has cited FREE-AI as a binding obligation. The framework remains advisory pending Master Direction codification. The RBI signalled at release that the framework would inform supervisory approaches, and law-firm commentary observes that several recommendations (board-approved AI policy under recommendation 7, AI inventory under recommendation 9, AI incident reporting under recommendation 10) read directly into existing supervisory expectations under the IT Governance Master Direction and the Cyber Security Framework. Regulated entities are advised to track the gap between the framework's recommendations and binding directions, since the gap is the most likely subject of the next round of circulars.

Does FREE-AI require model registration?

Recommendation 9 directs regulated entities to maintain an AI inventory available for supervisory inspection. The inventory is the operational analogue of model registration: every AI system in use at the entity is enumerated with version, owner, intended use, validation status, and risk classification. The framework does not establish a centralised RBI registry. The inventory sits inside the entity, and the supervisor reads it on examination. Recommendation 8 separately directs disclosure of AI usage in annual reports, which is the public-facing leg of the same accountability principle.

What does Understandable by Design mean for an LLM-driven decision?

Understandable by Design is the sixth Sutra. The principle is that AI systems should be designed and operated such that their decisions can be examined, challenged, and explained to the affected party. For a deterministic linear model, the explanation is the coefficients and the input values. For an LLM-driven decision, the explanation is the chain of tool calls, retrievals, and reasoning steps that produced the output, plus the rationale for the chosen action against the alternatives the model considered. The Warrant trace.actions[*].decision_rationale field plus alternative_paths_considered together produce the artefact a customer or supervisor reads. Black-box LLM output without an audit trail does not satisfy this Sutra under the framework's plain reading.

How does FREE-AI handle foreign-headquartered AI providers?

Recommendation 18 expands the existing RBI Outsourcing of IT Services Master Direction to include algorithmic bias and accountability clauses for vendors. Foreign-headquartered foundation-model providers (Anthropic, OpenAI, Google, Meta) supplying AI services to Indian regulated entities sit on the outsourcing leg. The regulated entity remains the accountable party under recommendation 6 and must hold the vendor to the same Sutra-aligned standard the entity is held to. Vendor model cards and system cards satisfy part of the development standard but do not displace the Indian regulated entity's accountability. The DPDP Act 2023 cross-border transfer rules attach in parallel where personal data flows to the vendor.

Read the source directly.

Authored by Warrant Compliance, the regulatory-analysis function at Warrant. [email protected]. Editorial commentary on regulatory text. Not legal advice. References to FREE-AI reflect the Report of the Committee to develop a Framework for Responsible and Ethical Enablement of Artificial Intelligence in the Financial Sector dated 13 August 2025; the framework remains advisory pending RBI codification into Master Directions or circulars. Quotations from the framework reflect the report's published structure as released by the RBI; the canonical text is the PDF accessible at rbidocs.rbi.org.in via the URL above.

FILED ALONGSIDE
ENTRY · MULTI-JURISDICTIONAL
One agent, many jurisdictions.
One AI agent. One evidence shape, independently verifiable without contacting Warrant. India alongside the EU, UK, US, and Singapore reading the same artefact.
ENTRY · VOLUNTARY-STANDARD SISTER
ISO/IEC 42001, line by line.
The voluntary AI management system standard that maps onto FREE-AI's governance pillar at the management-system layer.
REGULATOR · INDIA
India · full deep-dive.
Per-recommendation Warrant evidence field mapping, sample Indian evidence package, DPDP overlay walk-through.