For most of the last decade, validating a credit model in India was a matter of internal discipline — something good risk teams did, and others got away without. That era is closing.
Between RBI’s draft principles on model risk and the Credit Risk Management Directions that are now in force, the regulator has made its direction unmistakable. Credit models must be governed across their full lifecycle, and validated by someone other than the people who built them.
For banks, NBFCs and fintech lenders, the practical question is no longer whether to put independent validation in place, but how quickly and to what standard.
What RBI requires
In August 2024, the RBI released a draft circular, Regulatory Principles for Management of Model Risks in Credit. It applies to the models regulated entities use across credit decisioning — appraisal, borrower scoring, pricing and risk management. These sit together with the Credit Risk Management Directions, 2025 and are binding.
The core asks are these:
- A board-approved model risk policy covering the entire lifecycle. The policy must span model development, selection, documentation, deployment, ongoing validation, change control, and monitoring — with governance calibrated to how material each model is.
- A model inventory. A registery of all models in use, in-house or third-party, with the critical information needed to govern them.
- Risk-committee sign-off on deployment. The Risk Management Committee of the Board, or a delegated sub-committee, must approve each model before it goes live, and again whenever inputs or assumptions change materially.
- A defined approach to third-party models. The policy must address how externally sourced or vendor models are adopted, used and governed. Accountability stays with the regulated entity regardless of who built the model.
The part that matters most: validation must be independent
The heart of the framework is its validation framework. RBI expects regulated entities to run a model vetting and validation process that is organisationally independent of the team that developed or selected the model. Each model should be validated before it goes live, again after any material change, and on a periodic basis — at least once a year. Critically, the draft explicitly allows lenders to engage external experts to perform this validation.
Three things follow from this for any risk or compliance head:
- A developer cannot validate their own model. Independence is the point. If the same team builds and signs off, the control has failed on its face.
- Validation is recurring, not one-and-done. Annual review is the floor, with event-driven re-validation on top whenever the model or its inputs change materially.
- Outsourcing validation is explicitly on the table. For lenders without a separate, suitably skilled internal validation function — which is most NBFCs and fintechs — an external specialist is a sanctioned route to compliance, not a workaround.
This is precisely the gap that independent third-party validation fills. It gives genuine organisational separation without standing up a parallel team, and it produces a report whose objectivity is hard to dispute.
How this lines up with global norms
None of this is uniqueto India. The RBI framework rhymes with the model-risk regimes lenders’ banking partners and investors already recognise – the Basel framework’s expectations around periodic independent review of internal models and US Fed’s requirements.
Co-lending makes this an external requirement, not just an internal one
In a co-lending or digital lending arrangement, the bank or NBFC on whose books the loan sits carries the model risk, regardless of who originated the customer. Partner due diligence has caught up to that reality. Banks now routinely ask fintech and NBFC sourcing partners to share model documentation and an independent validation report before go-live, and to re-share both after any material change to the model or its inputs.
For the originating fintech, this turns the validation report into a portable credential. Produce it once to a credible standard and it shortens onboarding with every subsequent bank partner. Without it, the conversation stalls at compliance review, no matter how strong the underlying model is.
What lenders should do now
If you run credit models and haven’t yet built this out, a sensible sequence looks like:
- Build or refresh the model inventory. You cannot govern what you haven’t catalogued. List every model — application scorecards, PD models, ML underwriting models, vendor scores — with owner, version, last validation date and materiality.
- Run a gap assessment against the lifecycle policy. Map what RBI expects (governance, documentation, validation, change control, monitoring) against what you actually have, and flag where independence is missing.
- Get independent validation on your material models first. Prioritise the models that drive the most lending decisions or the most capital. For each, confirm discrimination, calibration, stability and rank ordering still hold on current data — and document it.
- Make it repeatable. Set the annual cadence, define the triggers for event-driven re-validation, and ensure the reporting line runs to risk, not to the business that owns the model’s outcomes.
The work is real, but the payoff is more than a clean audit.
A well-governed model book gives you sharper credit decisions, fewer nasty surprises, and — increasingly — a credential your funding and co-lending partners will ask to see.
That last point deserves its own discussion. In the next post in this series, we look at how an independent validation report functions as a trust credential in co-lending and fintech–bank partnerships — and why your banking partners increasingly treat it as table stakes for the relationship.
Frequently asked questions
Is RBI's model-risk circular final or still a draft?
The Regulatory Principles for Management of Model Risks in Credit were issued in draft form in August 2024. While the final circular's status may evolve, the supervisory direction is clear, and the broader Credit Risk Management Directions, 2025 — which are in force — reinforce the same expectations around governed, well-documented credit risk management.
Can our in-house team validate our own models?
Not the team that built them. The framework's central requirement is that validation be organisationally independent of model development and selection. A separate internal function can do it; many lenders use external specialists instead.
How often does RBI expect models to be validated?
At least annually, plus before initial deployment and after any material change to the model or its inputs and assumptions.
Does this apply to third-party and vendor models?
Yes. Accountability stays with the regulated entity regardless of who developed the model, and the policy is expected to define how third-party models are adopted, used and governed.
Are fintechs and smaller NBFCs in scope?
The expectations apply broadly to regulated entities using models for credit decisions. Smaller lenders without a dedicated validation function are the most likely to benefit from engaging an external validator, which the framework explicitly permits.
Need to get your material models validation-ready before your next review or partner due diligence? Schedule a scoping call with Think360.ai — independent, RBI-aligned validation, with a structured turnaround from data to report.
