The FREE AI report of Dr Pushpak Bhattacharyya, submitted to RBI, consists of 26 recommendations.
For these 26 recommendations, actions, timelines and responsibilities have also been assigned. Twelve of the actions (1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 13 and 23) are indicated as responsibilities of Regulators and Government. Industry and SROs are indicated as responsible for some of the actions (4, 12, 13* and 14).
13 action points (10, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24 and 25) are attributed to REs and they are listed below. These REs are the Data Fiduciaries to whom DGPSI-AI is applicable.
These requirements are summarised below.
No | Requirement |
10 | Capacity Building within REs: REs should develop AI-related capacity and governance competencies for the Board and C suite, as well as structured and continuous training, upskilling, and reskilling programs across the broader workforce who use AI, to effectively mitigate AI risks and guide ethical as well as ensure responsible AI adoption. |
14 | Board Approved AI Policy: To ensure the safe and responsible adoption of AI within institutions, REs should establish a board-approved AI policy which covers key areas such as governance structure, accountability, risk appetite, operational safeguards, auditability, consumer protection measures, AI disclosures, model life cycle framework, and liability framework. Industry bodies should support smaller entities with an indicative policy template. |
15 | Data Lifecycle Governance: REs must establish robust data governance frameworks, including internal controls and policies for data collection, access, usage, retention, and deletion for AI systems. These frameworks should ensure compliance with the applicable legislations, such as the DPDP Act, throughout the data life cycle. |
16 | AI System Governance Framework: REs must implement robust model governance mechanisms covering the entire AI model lifecycle, including model design, development, deployment, and decommissioning. Model documentation, validation, and ongoing monitoring, including mechanisms to detect and address model drift and degradation, should be carried out to ensure safe usage. REs should also put in place strong governance before deploying autonomous AI systems that are capable of acting independently in financial decision-making. Given the higher potential for real world consequences, this should include human oversight, especially for medium and high-risk use cases and applications. |
17 | Product Approval Process: REs should ensure that all AI-enabled products and solutions are brought within the scope of the institutional product approval framework, and that AI-specific risk evaluations are included in the product approval frameworks. |
18 | Consumer Protection: REs should establish a board-approved consumer protection framework that prioritises transparency, fairness, and accessible recourse mechanisms for customers. REs must invest in ongoing education campaigns to raise consumer awareness regarding safe AI usage and their rights. |
19 | Cybersecurity Measures: REs must identify potential security risks on account of their use of AI and strengthen their cybersecurity ecosystems (hardware, software, processes) to address them. REs may also make use of AI tools to strengthen cybersecurity, including dynamic threat detection and response mechanisms. |
20 | Red Teaming: REs should establish structured red teaming processes that span the entire AI lifecycle. The frequency and intensity of red teaming should be proportionate to the assessed risk level and potential impact of the AI application, with higher risk models being subject to more frequent and comprehensive red teaming. Trigger-based red teaming should also be considered to address evolving threats and changes. |
21 | Business Continuity Plan for AI Systems: REs must augment their existing BCP frameworks to include both traditional system failures as well as AI model-specific performance degradation. REs should establish fallback mechanisms and periodically test the fallback workflows and AI model resilience through BCP drills. |
22 | AI Incident Reporting and Sectoral Risk Intelligence Framework: Financial sector regulators should establish a dedicated AI incident reporting framework for REs and FinTechs and encourage timely detection and reporting of AI-related incidents. The framework should adopt a tolerant, good-faith approach to encourage timely disclosure. |
23 | AI Inventory within REs and Sector-Wide Repository: REs should maintain a comprehensive, internal AI inventory that includes all models, use cases, target groups, dependencies, risks and grievances, updated at least half yearly, and it must be made available for supervisory inspections and audits. In parallel, regulators should establish a sector-wide AI repository that tracks AI adoption trends, concentration risks, and systemic vulnerabilities across the financial system with due anonymisation of entity details. |
24 | AI Audit Framework: REs should implement a comprehensive, risk-based, calibrated AI audit framework, aligned with a board-approved AI risk categorisation, to ensure responsible adoption across the AI lifecycle, covering data inputs, model and algorithm, and the decision outputs. a. Internal Audits: As the first level, REs should conduct internal audits proportionate to the risk level of AI application. b. Third-Party Audits: For high risk or complex AI use cases, independent third-party audits should be undertaken. c. Periodic Review: The overall audit framework should be reviewed and updated at least biennially to incorporate emerging risks, technologies, and regulatory developments. Supervisors should also develop AI-specific audit frameworks, with clear guidance on what to audit, how to assess it, and how to demonstrate compliance. |
25 | Disclosures by REs: REs should include AI-related disclosures in their annual reports and websites. Regulators should specify an AI-specific disclosure framework to ensure consistency and adequacy of information across institutions. |
Readers may kindly map DGPSI-AI with this list. At first glance DGPSI-AI seems to cover all these aspects.