The RBI's Framework for Responsible and Ethical Enablement of AI (FREE-AI) is the first detailed, AI-specific regulation in Indian financial services. It does not replace existing risk management circulars — it sits on top of them. If you are an NBFC, bank, or payment system operator deploying any AI feature in 2025, FREE-AI is the document you need to read.
The 7 Sutras
FREE-AI organises its principles into seven Sutras: Trust, People-First, Innovation Under Risk-Based Regulation, Fairness and Equity, Accountability, Understandable by Design, and Safety, Resilience and Sustainability. These are not slogans — each maps to specific obligations later in the document.
"Understandable by Design" in particular sets a high bar. It is not enough to say a model is explainable; the explanation must be intelligible to the affected customer in the language they were served in.
The 6 pillars
Governance, Risk Management, Model Lifecycle, Data Management, Third-Party Management, and Audit and Assurance. Each pillar is laid out as a set of operational requirements, not principles. Governance requires a named officer; Model Lifecycle requires documented model cards; Audit and Assurance requires evidence that an independent function can review the system.
Annex V and Annex VI
Annex V is a model card template — the artefact you produce per model in production. Annex VI is the AI use-case register — the inventory of every place AI is used in your regulated entity, classified by risk tier.
Both are auditable artefacts. Both need to be in place before Phase 3 begins. "We use OpenAI" is not a model card.
The 4-phase rollout
Phase 1 — self-assessment against FREE-AI and gap remediation planning. Phase 2 — implementation of governance, model registry, and DPIA-equivalent process for AI. Phase 3 — mandatory audit by qualified independent assessors. Phase 4 — supervisory review by the RBI and ongoing reporting.
Most regulated entities are currently in Phase 1 or early Phase 2. The earlier you stand up the governance and registry, the cheaper Phase 3 becomes — because the auditor is looking for evidence, not intent.
What "AI use" actually triggers FREE-AI
Anything that materially influences a customer-facing decision: credit underwriting, fraud detection, suitability scoring for investment, KYC risk grading, complaint routing, chatbot responses that quote rates or terms. "It is a third-party API" is not a defence — third-party AI is explicitly in scope under the Third-Party Management pillar.
How to get from zero to Phase 3 ready
Inventory every AI use case (Annex VI). Build a model card for each (Annex V). Stand up a governance forum that meets and minutes. Establish a DPIA-equivalent for new AI projects. Build a third-party AI register and renegotiate where needed. Engage an independent reviewer to dry-run the Phase 3 audit before the deadline.
Our compliance programme runs this end-to-end for NBFCs and banks, mapped against DPDP Act in parallel so the same control evidence serves both regulators.