RBI's Draft Model Risk Management Guidance: What It Means for NBFCs
In late June 2026, the Reserve Bank of India released its Draft Guidance on Regulatory Principles for Model Risk Management — the enforcement-facing complement to the FREE-AI framework published in August 2025. Where FREE-AI described principles, the draft MRM guidance describes controls. It is open for public comment until July 24, 2026, after which final directions are expected to apply across every RBI-regulated entity: banks, NBFCs, and other financial institutions.
The draft is organised around a small number of demands that are simple to state and hard to retrofit.
A board-approved MRM framework, covering the full model lifecycle. Every regulated entity must maintain a formal, board-approved policy spanning every model it uses — including models procured from vendors. Buying a model does not outsource the risk. If a third-party scoring engine makes a credit decision, the lender answers for it.
Risk-based model tiering. Not every model faces the full control suite. Models are classified by materiality and consequence, and the obligations scale accordingly. High-risk models — credit decisioning sits squarely here — carry the heaviest requirements: pre-deployment assessment, independent validation, and continuous monitoring.
Independent validation and continuous monitoring. Validation cannot be performed by the team that built the model. Post-deployment, performance must be monitored continuously — not revalidated annually and forgotten in between. Drift is a supervisory concern, not an engineering footnote.
Human oversight and explainability. Consequential model decisions require documented human oversight pathways and explanations that can be produced for supervisors and, where applicable, for customers.
For NBFCs, the practical question is not whether these requirements arrive — the direction has been set since FREE-AI — but whether the infrastructure to satisfy them exists before the final circular lands. Most lending stacks today produce a score and a decision, with nothing connecting the two: no per-decision explanation, no pinned model version, no validation record, no monitoring trail a supervisor could independently verify.
This is precisely the gap NomoCrit was built for. Every decision that passes through NomoCrit is written to an append-only ledger with its model version, threshold state, SHAP explanation, and fairness metrics attached at evaluation time — not reconstructed under audit pressure. The model registry, drift monitoring, and recalibration provenance the draft guidance describes are not features we are planning. They are the architecture.
The comment window closes July 24, 2026. Whether or not your institution submits a response, the draft is worth reading in full — it is the clearest statement yet of what the RBI will expect a governed model to look like.