Experts say data collection and continuous consent will be the biggest challenge for companies
India has rules like RBI guidelines and a data protection law but neither are designed for AI-specific challenges like autonomous decision-making. Without a dedicated AI law, institutions may end up collecting more data than necessary.
Banks in India will soon have to figure out how to walk the fine line between effective usage of artificial intelligence (AI) and customer privacy following the Reserve Bank of India’s (RBI) call for a comprehensive AI framework for the financial sector.
Reacting to an RBI committee report that asked regulators to work on an “AI Liability Framework,” encouraging responsible innovation, experts said that data collection and continuous consent will be the biggest challenge for companies. This is important considering companies in finance already use AI for critical operations like credit scoring and compliance checks, with big players allowing AI models access to a lot of data.
“AI can act like a data vacuum, collecting more information than needed, sometimes from unusual or even inferred sources,” said Vaibhav Koul, Managing Director, Protiviti Member Firm for India, suggesting that AI governance reflect local realities rather than just copy global standards.
This puts Indian banks in a unique position compared to their global counterparts. For example, India has rules like RBI guidelines and a data protection law but neither are designed for AI-specific challenges like autonomous decision-making. Without a dedicated AI law, institutions may end up collecting more data than necessary.
Similarly, Pawan Prabhat, Co-Founder of Shorthills AI, said the line between “useful” and “intrusive” can blur quickly and put the onus on companies to self-regulate. Under India’s data protection law, users must comprehensively understand why and how their data is used. This is tricky with AI since models can evolve and start using data in new ways.
“Companies will need to make consent simple to understand, easy to update and just as easy to withdraw. This means building consent as a living process, not a one-time form,” said Prabhat, advising players to set up systems that regularly refresh consent when AI capabilities change.
Aside from regulatory concerns, Mishi Choudhary, Founder of the digital rights advocacy group SFLC.in, said the RBI report lacks specific cybersecurity requirements and makes generic recommendations as it relies on limited survey and entities.
Affected players
An AI framework could also reshape competitive dynamics across the sector. Kishan Sundar, Senior Vice President, Chief Technology Officer at Maveric Systems, said the policy may encourage tier 2 and 3 players to use AI.
So far, AI has been largely used by large banks and NBFCs. However, Nakul Kundra, Co-Founder of AI-powered translation platform Devnagri, pointed out that while generative AI can deliver up to 46 per cent efficiency gains in banking processes, only 20.8 per cent of banks and NBFCs use it. The RBI framework’s focus on indigenous models will give smaller players legitimacy to be at the forefront of this change, he said.
However, AI in finance can force vendors like fintech companies, software & service providers to follow AI governance clauses and third party AI audits, as per Kartik Shinde, Partner – Cybersecurity, Financial Services Consulting, EY India. This can impact the growth of smaller players and stretch their resources.
“Tier 2 and 3 institutions will need to be more mindful about removing biases, cyber security defences have to be stronger, investment in infrastructure, talent, and governance, but addressing these issues openly is the first step in the right direction,” said Sundar.
Article Originally published in The Hindu Business Line
