Contents (4 sections)
Most vendor pitch decks aimed at NBFCs don't mention FREE-AI. That's a mistake they'll regret when the binding circular lands.
In August 2025, RBI published the "Framework for Responsible and Ethical Enablement of Artificial Intelligence" — FREE-AI — a consultative paper chaired by Dr. Pushpak Bhattacharyya. The document is not a Master Direction. It carries no penalty provisions today. But RBI consultative papers are not academic exercises: the 2023 IT Outsourcing Master Direction followed exactly this pattern, arriving as a consultation, absorbing industry comment, and then hardening into enforceable text. FREE-AI is on the same conveyor belt. Vendors who read it now as a signal about RBI's direction — rather than waiting for the binding circular — will have a structural advantage when the guidance lands.
The four pillars at a glance
FREE-AI organises its recommendations around four broad areas:
Foundational principles. The paper opens with the values that should underpin AI deployment in regulated finance: transparency, accountability, fairness, and ethics. These are not decorative. The paper explicitly states that "the mere act of outsourcing a function does not diminish the liability of the organisation." That sentence is load-bearing. An NBFC that buys an AI product from a vendor and something goes wrong cannot point at the vendor and walk away. The liability stays inside the regulated entity.
Governance structures. FREE-AI signals that board-level oversight of AI deployments is expected, not optional. The paper references model risk management as a discipline that needs formalising. For a vendor, this means the NBFC's board or AI committee will eventually sign off on vendor-supplied AI systems — requiring architecture documentation, model lineage records, and a governance trail that can survive a walk-in RBI audit.
Risk mitigation. The paper addresses data quality, bias testing, and model validation as active risk categories. The emphasis on bias testing is particularly notable in the context of credit and collections workloads. A model that makes credit decisions and cannot demonstrate fairness testing across demographic slices will be a regulatory liability once FREE-AI hardens.
Operational guidance. The fourth area covers incident handling and vendor management. The paper envisions regulated entities maintaining inventories of AI systems and the vendors behind them, with clear escalation paths when things break. This is a direct signal that "just call AWS Support" will not satisfy an RBI examiner.
Five vendor positions that survive
- On-prem model deployment. FREE-AI's preference for keeping "data and decisions inside the regulated entity's perimeter" is one of the clearest signals in the document. Cloud LLM vendors — where the model runs on someone else's infrastructure in a data centre the NBFC cannot audit, in a jurisdiction the NBFC cannot control — are at structural risk. An on-prem deployment, where the model runs on hardware the NBFC owns in a server room RBI can walk into, is the architecture the paper is implicitly pointing toward. See our NBFC page for use cases.
- Open-weight, inspectable models. FREE-AI's repeated emphasis on explainability is not satisfied by a vendor saying "trust us, the model is fair." A vendor running GPT-4o or Claude via a closed API cannot satisfy that review. The model is a black box. Open-weight models — Qwen 3, DeepSeek-R1-Distill-Qwen, Phi-4 — are not black boxes. This is not academic: it is the difference between passing and failing a serious model-risk review.
- Documented training-data provenance. FREE-AI signals that data lineage will become a reviewable requirement. Vendors who fine-tune on customer data without maintaining a clean chain of custody are exposed. The OwnAI pattern: training-data upload over TLS, encrypted volume on a cloud GPU, adapter delivery, and signed certificate of destruction within seven days, creates a documented chain.
- Indian data residency by default. Cross-border training is reviewable, and a vendor who cannot explain where customer data went and when it was destroyed will have difficulty in that review. Our model creates a managed, time-bounded cross-border touch: data travels to a cloud GPU for training, the adapter returns to India, the cloud volume is destroyed, and a certificate documents the destruction. That is a defensible audit position.
- Vendor-side incident reporting discipline. The FREE-AI operational guidance aligns with the 6-hour incident reporting obligation already in the IT Outsourcing Master Direction §17(8). Cloud LLM SLAs are already structurally non-compliant. On-prem deployment, where the NBFC's own SIEM raises the alert and the 6-hour clock is the NBFC's to manage, solves this at the architectural level. See the compliance page.
What FREE-AI does NOT do (yet)
Honesty matters here. There are things the consultative paper does not do that some commentators have implied it does:
It does not set specific quantitative bias thresholds. There is no "bias score must be below X" in the paper. The direction is clear — bias testing is expected — but the metrics are not yet prescribed.
It does not mandate specific model types or licences. FREE-AI does not say "you must use an open-weight model." The paper's emphasis on explainability and auditability creates strong pressure in that direction, but the letter of the consultative paper is flexible on implementation.
It does not require RBI pre-approval of AI deployments. There is no application process, no notification regime, no sandbox requirement in the current text.
The honest read: the spirit of FREE-AI is clearly restrictive — it is pulling toward transparency, residency, accountability, and auditability. The letter is still flexible, and the binding guidance has not yet landed.
The 12-month read
RBI's pattern with consultative papers in the IT and outsourcing space has been consistent: a gap of roughly 12 to 24 months between consultation closing and a binding circular issuing. FREE-AI was published in August 2025. The direction of travel is not ambiguous.
Vendors with the cloud-LLM model — inference runs on their infrastructure, data crosses borders on every API call, the model is a closed box, incident reporting depends on vendor SLA rather than customer SIEM — should be writing contingency plans now, not after the circular. Retrofitting data residency and explainability onto a cloud architecture is not a configuration change. It is a rebuild.
Vendors with an on-prem, open-weight, Indian-residency story are aligned with the direction of travel. The consultative paper describes an architecture that, for regulated Indian financial entities, looks more like OwnAI's deployment model than like a GPT API subscription.
Bottom line.
FREE-AI is not yet law. But it is a precise map of where RBI is heading, written by a committee that included representatives from regulated entities, technology firms, and the regulator itself. Reading it as a vendor means asking a simple question: if everything in this paper became binding tomorrow, which parts of my architecture would I need to change? If the honest answer is "most of it," the planning horizon is not comfortable. If the answer is "very little," you are in a structurally better position than most of the field.
For NBFCs evaluating AI vendors right now: FREE-AI gives you a useful filter. Ask your vendors where their inference runs, whether you can inspect the model weights, what happens to your data during training, and how incident reporting works at the architectural level. The answers will tell you more about regulatory durability than any compliance deck. Book a discovery call to walk through your AI committee's checklist.