What the advisory says
The RBI circular, issued to all Scheduled Commercial Banks, NBFCs, and payment aggregators, states that AI and machine learning systems used in customer-facing operations — including KYC, credit decisioning, fraud detection, and customer service — must adhere to the same data protection standards as other regulated processes. Specifically:
- Customer data used as input to AI models must not leave the bank's regulated perimeter without explicit consent mapping.
- Banks must maintain an audit trail of which customer data was processed by which AI system, and when.
- Third-party AI providers must be assessed under the bank's existing vendor risk management framework — including data residency verification.
- Employees must not use public generative AI tools for tasks involving non-anonymised customer data.
The circular uses the phrase "non-anonymised customer data" — which includes names, account numbers, PAN, CIBIL scores, addresses, and income figures. Every time an analyst pastes any of these into ChatGPT, Gemini, or Copilot, the bank is in breach of this advisory.
Who is in scope
The advisory covers any entity regulated by the RBI that processes customer financial data using AI systems — regardless of whether those systems are built in-house or procured from third parties. This includes:
- Scheduled Commercial Banks — public sector, private sector, foreign banks with Indian operations
- Non-Banking Financial Companies (NBFCs) — including housing finance companies
- Payment Aggregators and Payment Gateways
- Credit Information Companies — including those interfacing with CIBIL, Experian, CRIF
If your organisation is regulated by the RBI and your employees use any external AI tool — even for "productivity" tasks like summarising loan notes or drafting communications — you are in scope.
The 90-day clock
The circular gives regulated entities 90 days from the date of issue to submit a compliance declaration to their RBI-assigned supervisory team. The declaration must include:
- An inventory of all AI systems processing customer data, internal and third-party.
- Evidence that each system's data handling complies with the bank's data residency policy.
- A description of controls preventing employees from exposing customer PII to unapproved external AI systems.
- An audit log sample demonstrating that AI interactions are traceable.
Failure to submit the declaration — or submitting one that the supervisory team finds inadequate — will trigger a supervisory examination. Examination findings can result in directions under Section 35A of the Banking Regulation Act, which carry both financial and reputational consequences.
Common gaps the RBI is looking for
Based on the advisory's language and what supervisory teams have flagged in prior examinations, the most common gaps are:
- Shadow AI use — Employees using personal ChatGPT, Gemini, or Copilot accounts on work data, outside any bank-approved channel.
- No audit trail — AI interactions happening with no record of what data was sent, to which system, by whom.
- Vendor risk gap — Third-party AI vendors onboarded without a formal data residency assessment, so the bank does not know where customer data is stored post-processing.
- Consent mismatch — Customer data being processed by AI systems for purposes not covered in the original consent collected under DPDP 2023.
The controls that satisfy the advisory
The advisory does not prescribe a specific technical architecture, but the controls it describes map cleanly to a gateway model:
| Advisory requirement | Control that satisfies it |
|---|---|
| Customer data must not leave the regulated perimeter unanonymised | PII redaction gateway that strips identifiers before any prompt reaches an external model |
| Audit trail of AI interactions | Immutable per-interaction log: user, timestamp, data class redacted, model destination |
| Vendor risk assessment for AI providers | Gateway acts as the single approved channel — one vendor assessment covers all underlying models |
| Employee policy enforcement | Technical enforcement at the network level — policy alone is insufficient |
What to do this week
If you are a CTO, CISO, DPO, or Head of Compliance at an RBI-regulated entity, here is the immediate action list:
- Audit AI usage — Survey business units for any use of external AI tools on customer data. Assume the answer is yes in every team that works with KYC, credit, or customer service.
- Block unapproved channels — Work with IT security to block or monitor direct access to public AI endpoints (api.openai.com, generativelanguage.googleapis.com, etc.) from corporate networks.
- Stand up an approved channel — Deploy a gateway that employees can use for AI tasks, with PII automatically stripped and every interaction logged. This is what satisfies the RBI's audit trail and data residency requirements simultaneously.
- Prepare the declaration — The inventory and audit log requirements can be met from day one if the gateway is logging to your existing SIEM or object store.
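As an added illustration of the gateway model in the controls table and the approved-channel step above (example code, not the page's or any vendor's product): a minimal redaction pass for the PAN, account number, CIBIL score and income classes the circular names, followed by a hash-chained per-interaction log recording user, timestamp, data classes redacted and model destination. The regex patterns, the sample prompt and the log record format are this example's own assumptions; names and addresses would need a dictionary or NER detector that it does not include.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Detectors for data classes the advisory names (patterns are this example's own
# assumptions; names/addresses would need an NER step not shown). "pii" is the span replaced.
DETECTORS = [
    ("PAN", re.compile(r"\b(?P<pii>[A-Z]{5}[0-9]{4}[A-Z])\b")),
    ("CIBIL_SCORE", re.compile(r"(?i)\bcibil\s+score\s*(?:of|is|:)?\s*(?P<pii>\d{3})\b")),
    ("INCOME", re.compile(r"(?P<pii>(?:₹|Rs\.?)\s?\d[\d,]*)")),
    ("ACCOUNT", re.compile(r"\b(?P<pii>\d{9,18})\b")),
]

def redact(prompt: str):
    """Return (redacted prompt, data classes found) in detector order."""
    classes = []
    for label, pat in DETECTORS:
        def _sub(m, label=label):  # replace only the "pii" group, keep surrounding context
            s, e = m.start("pii") - m.start(), m.end("pii") - m.start()
            return m.group(0)[:s] + f"[{label}]" + m.group(0)[e:]
        prompt, n = pat.subn(_sub, prompt)
        if n:
            classes.append(label)
    return prompt, classes

def gateway_submit(log: list, user: str, prompt: str, model: str, ts: str = ""):
    """Redact, then append a hash-chained audit record (data classes only, never raw PII)."""
    clean, classes = redact(prompt)
    record = {"user": user, "ts": ts or datetime.now(timezone.utc).isoformat(),
              "classes_redacted": classes, "model": model,
              "prev_hash": log[-1]["hash"] if log else "0" * 64}
    record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    log.append(record)
    return clean  # only the redacted prompt is forwarded to the external model

def verify_chain(log: list) -> bool:
    """True if every record's hash is intact and links to its predecessor."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev_hash"] != prev or rec["hash"] != digest:
            return False
        prev = rec["hash"]
    return True

# Constructed sample prompt (all values are made up).
SAMPLE = "Summarise applicant file: PAN ABCDE1234F, account 123456789012, CIBIL score 742, declared income Rs 12,50,000. Flag risk."
```

The log stores only the data classes redacted, never the raw values, so the audit trail itself does not become a second PII store; verify_chain detects after-the-fact edits to any record.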
The gateway deploys in your existing cloud environment, requires no changes to employee workflows, and generates the audit log and evidence pack the RBI declaration requires from day one. Talk to our enterprise team.