The Reserve Bank of India's Digital Lending Guidelines, as they have evolved from 2022 onwards, are the single most important regulatory framework for any AI tool that touches credit decisions in India. Most lending teams know the headline points: direct disbursal to the borrower, no balance-sheet risk on the LSP side, and mandatory key-fact-statement disclosures. Fewer have worked through what the guidelines mean for the AI layer that sits behind the underwriting decision.
Below is a working field guide to what compliant AI underwriting looks like under RBI DLG, drawn from the questions credit committees and chief risk officers ask us most often.
1. The lender stays accountable
RBI DLG is unambiguous on this. Even if the entire underwriting pipeline is automated and the recommendation engine is operated by a third-party AI vendor, the credit decision is the lender's. The AI tool is a calculator, not a decision-maker. The implication: every recommendation the AI produces must be traceable to its underlying data and reproducible by a human credit committee. Black-box scores that cannot be explained do not clear the bar. Recommendations that cannot be re-derived from the same inputs do not clear the bar either.
2. Data residency
Borrower data (particularly KYC, financial statements, and banking history) must remain within India and within the lender's regulatory perimeter. AI tools that send borrower data to public LLMs or third-party APIs hosted outside India are non-compliant. The cleanest architecture is a private, isolated model that runs inside the lender's environment, processes data without egress, and emits only the inference output to the lender's downstream systems.
This is also why we built AICA on a private isolated LLM rather than using a public foundation-model API. The cost is real, but the alternative is non-compliant.
3. Customer consent, every time
Pulling a borrower's bank statement via Account Aggregator, fetching a CIBIL report, accessing GST returns: each requires explicit, time-bound, purpose-limited customer consent. AI tools that fetch data on the lender's behalf must surface the consent flow to the borrower, capture the consent artefact, and respect the time and purpose limits. A consent-based pull that succeeds today does not give the AI a licence to refresh that data next month.
4. The audit trail
Every check the AI runs, every data source it touches, and every recommendation it emits has to be logged in a form an RBI examiner can read. The minimum is: who ran the check, when, against which borrower, with what consent artefact, returning what result, leading to what recommendation. AICA stores all of this with a thirty-day rolling export so any audit pack can be generated on demand.
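The consent limits from section 3 and the minimum audit record from section 4 can be enforced in the same code path. The sketch below is an added example, not AICA's code: the `Consent` shape, the field names, and the `run_check` helper are hypothetical, and the sample identifiers and dates are constructed.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

class ConsentError(Exception):
    """Raised when a pull is not covered by the consent artefact."""

@dataclass(frozen=True)
class Consent:  # hypothetical shape of a captured consent artefact
    consent_id: str
    borrower_id: str
    source: str
    purpose: str
    valid_from: datetime
    valid_until: datetime

def check_consent(c, borrower_id, source, purpose, now):
    """Reject any pull outside the artefact's borrower, source, purpose or window."""
    if (c.borrower_id, c.source) != (borrower_id, source):
        raise ConsentError("artefact does not cover this borrower/source")
    if c.purpose != purpose:
        raise ConsentError("purpose not covered by consent")
    if not c.valid_from <= now <= c.valid_until:
        raise ConsentError("outside consent validity window")

def run_check(c, operator, borrower_id, source, purpose, check, now, audit_log):
    """Gate one data pull on consent; log the attempt whether or not it runs."""
    record = {"who": operator, "when": now.isoformat(), "borrower": borrower_id,
              "source": source, "purpose": purpose, "consent_artefact": c.consent_id,
              "result": None, "recommendation": None}
    try:
        check_consent(c, borrower_id, source, purpose, now)
        record["result"], record["recommendation"] = check(borrower_id)
    except ConsentError as exc:
        record["result"] = f"blocked: {exc}"  # refused pulls are audit events too
        raise
    finally:
        audit_log.append(json.dumps(record, sort_keys=True))
    return record

if __name__ == "__main__":
    utc = timezone.utc
    consent = Consent("consent-0001", "borrower-42", "account_aggregator",  # constructed
                      "loan_underwriting", datetime(2024, 1, 1, tzinfo=utc),
                      datetime(2024, 1, 31, tzinfo=utc))
    stub = lambda b: ("avg balance ok", "refer to credit officer")  # stand-in check
    args = ("officer-7", "borrower-42", "account_aggregator", "loan_underwriting", stub)
    log = []
    run_check(consent, *args, datetime(2024, 1, 15, tzinfo=utc), log)
    try:  # the same pull a month later falls outside the consent window
        run_check(consent, *args, datetime(2024, 2, 15, tzinfo=utc), log)
    except ConsentError:
        pass
    print("\n".join(log))
```

Logging the blocked attempt as well as the successful one lets an examiner see that an out-of-window refresh was tried and refused.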
5. FLDG and the AI vendor's role
First-loss default guarantees are now capped under RBI guidance. The implication for AI vendors is that we cannot bundle an FLDG into our pricing: that would put us in the lending-arrangement perimeter, not the technology perimeter. AICA is technology infrastructure. The credit risk stays with the lender. Our pricing reflects that.
6. Escalation and grievance
Every AI-driven decision that affects a borrower must come with a human escalation path. If the AI declines a loan, the borrower must be able to ask why, and a human must answer. If the AI flags an EWS, the borrower must be able to dispute it, and a human must respond. The AI cannot be the last line. It is always a recommendation that a human can override, and the override has to be possible without rebuilding the system.
What this looks like in practice
A compliant AI underwriting stack looks like this. The borrower applies through a branded channel: WhatsApp, web portal, or partner. Consent flows are surfaced and captured. Data is pulled into a private environment via Account Aggregator, GST APIs, and bureau pulls. The AI runs its checks, emits a recommendation with full source attribution, and writes the audit log. A human credit officer reviews, overrides where necessary, and books the decision. The borrower receives the decision with a clear escalation path. The audit trail is regenerable on demand.
That is what AICA is built to do, end to end, on day one of week three. RBI DLG compliance is not a feature we add. It is the architecture.