Adoption of Artificial Intelligence in the FinTech sector: A regulatory overview

The evolution of partnerships between banks and financial technology (‘FinTech’) companies is facilitating the widespread adoption of advanced technologies, including artificial intelligence (‘AI’), machine learning (‘ML’) and Generative AI (‘GenAI’) in the financial sector. These innovations enable financial institutions (‘FIs’) to significantly improve operational efficiency, by enhancing risk management, fraud detection and customer engagement. Regulatory bodies, particularly the Reserve Bank of India, are actively leading efforts to promote technological innovation within the financial sector through various initiatives, including the RBI Innovation Hub, the EmTech Repository and regulatory sandboxes, while adopting a risk-based approach to the application of such emerging technologies in financial services.

Leveraging AI in the Financial Sector

Banks and FIs have leveraged AI and other technologies as part of various functions and processes. The use of such technologies has, in some instances, been recognized and enabled by regulations. For instance, the RBI Master Direction on KYC[1] enables the use of AI/ML solutions by regulated entities for periodic monitoring of transactions as well as for video-based customer identification.

1. Customer Onboarding: Organizations have adopted ML models as part of onboarding customers and merchants to conduct automated KYC and AML checks including biometric and ‘liveness’ checks, document verification, data validation, geolocation verification and risk profiling. Such technologies are being utilized extensively in the FinTech sector[2], especially with the aid of Government stack and infrastructure.
2. Periodic Monitoring: The use of AI/ML has aided many entities in undertaking continuous transaction monitoring, risk assessment and management, providing real-time alerts for fraud detection and identifying policy and legal non-compliances in cybersecurity and financial data processing. Most recently, the Ministry of Finance and the RBI have asked banks and FIs to use AI tools including ‘MuleHunter.ai’ developed by the RBI to rein in growing financial frauds.[3]
3. Customer Engagement: The use of chatbots equipped with generative AI capabilities has ushered customer engagement and support significantly. These chatbots not only have capabilities to interact with customers, but also provide informational services and increase customer engagement with platforms. The RBI, in its Report on Trend and Progress of Banking in India[4] remarked upon the rapid rate at which chatbots had been adopted by public sector and other banks for customer support and engagement.
4. Credit Risk Assessment: The use of emerging technologies for credit risk assessment is one of the most crucial implementations which can aid banks in making credit decisions based on verifiable data insights generated by AI / ML. While the introduction of Unified Lending Interface[5] may help in automation of disbursement, the use of such technologies may aid further in credit assessment and decision making.
5. Cybersecurity and Compliance: AI/ML may also aid organizations in enabling real-time threat detection by monitoring traffic, identifying cybersecurity incidents and responding to them by taking proportionate measures. They may also aid in privacy compliance, for example, by supporting data integrity, identifying unauthorized use, enforcing minimization, and automating consent and privacy management systems.

Regulatory and Compliance Risks

1. Intellectual Property: The adoption of AI in the FinTech sector necessitates careful consideration of ownership and licensing risks for FIs as well as for third-party technology service providers (TSPs) offering AI/ML services. This is especially important when proprietary information, such as source code, is involved, as it may be subject to regulatory scrutiny where adverse decisions could be made against individuals or where a potential threat to the stability of the financial sector exists.
2. Transparency: Transparency is a crucial element of financial operations; however, it can present significant challenges and risks when integrating AI/ML products within the sector. As the complexity of AI systems increases, the explainability of their decision-making processes becomes more difficult to ascertain. This lack of clarity may impede organizations in providing necessary justifications for adverse decisions, thereby exposing FIs to potential legal liabilities.
3. Accountability for AI systems: Regulators globally have consistently endeavoured to hold organizations accountable for the outputs produced by AI systems deployed by them. For instance, the Securities and Exchange Board of India (SEBI) has issued a consultation paper[6] proposing amendments to various regulations pertaining to the utilization of AI tools by regulated entities, including market infrastructure institutions, stockbrokers and other intermediaries. This step by SEBI aims to ensure that such entities assume responsibility for any outputs generated by AI tools, thereby safeguarding data integrity and enhancing investor security.
4. Contractual Risks: FIs and other regulated entities must evaluate the contracting risks associated with engaging TSPs for the deployment of AI systems. Contracts executed with such third parties should explicitly delineate the functionality and limitations of AI models, as well as the rights related to audits, explainability and periodic compliance assessments, apart from other protective measures, such as indemnification clauses. It is imperative for entities to achieve a balance between protecting the intellectual property and proprietary interests of third parties while ensuring adherence to compliance requirements.
5. Data Privacy: Entities implementing AI systems must factor risks associated with personal data, especially in view of increased regulatory interest in data privacy. Such risks must be factored in when training AI systems, as well as when such systems handle personal data in production environments. While the Digital Personal Data Protection Act, 2023 does not explicitly address automated processing and related decision-making, the implementation of ‘privacy-by-design’ principles during the product development stage can mitigate the risk of future non-compliance associated with the use of such models.
6. Cyber Risks: The increasing reliance on third-party service providers, coupled with the growing interconnectivity of information technology systems, raises the potential for threat actors to exploit various vulnerabilities in AI systems used by regulated entities or their service providers. These threats may include data poisoning, model extraction and the exploitation of security vulnerabilities, highlighting the urgent need for a dynamic cybersecurity framework to protect such data and systems.

Way forward

While India has not officially enacted any legislation governing the use of AI systems, sectoral regulators such as RBI have endeavored to regulate AI systems, particularly to formulate guidelines for the ethical use of AI in financial services.[7] Global efforts in regulation of AI systems (such as the EU's AI Act) have indicated a risk-based approach to address the potential harmful effects of AI systems, by classifying such systems and applying differential obligations based on the risk classification. In many instances, AI systems deployed for credit assessments, biometric identification, insurance eligibility and pricing determinations have been classified as ‘high-risk’ systems, having significant regulatory oversight due to their potential impact on individuals and the broader financial system.

While such global laws provide insights into the regulation of AI systems basis risk, adopting a ‘principles-based’ and ‘technology-neutral’ framework that prioritizes transparency, explainability and privacy-by-design may likely be a suitable approach for regulating AI systems without inhibiting innovation and protecting customer interests. Furthermore, the implementation of alternative standards, such as benchmarking, can enhance the evaluation of the suitability of AI models provided by TSPs to banks and FIs, thereby facilitating more effective regulation, minimizing liability issues, and protecting intellectual property rights.

[The authors are Principal Associate and Associate, respectively, in Technology and Data Protection practice at Lakshmikumaran & Sridharan Attorneys, Hyderabad]

[1] RBI/DBR/2015-16/18 Master Direction DBR.AML.BC.No.81/14.01.001/2015-16

[2] Your Story report, as available here.

[3] Economic Times report, as available here.

[4] Report on Trend and Progress of Banking in India, as available here.

[5] Unified Lending Interface Mission, as available here.

[6] SEBI Consultation Paper, as available here.

[7] Indian Express news report, as available here.