NRB AI Guidelines

Nepal Rastra Bank (NRB) issued its Artificial Intelligence (AI) Guidelines in December 2025. The document is presented as a consultative draft from NRB’s Banks & Financial Institutions Regulation Department, circulated for stakeholder comment. In practice, however, it is a relatively compact, principles-based rulebook that reads more like a binding directive (“LIs are required to…”, “must…”) than a discussion paper.

The guidelines cover all NRB-licensed institutions: commercial banks (Class A), development banks (B), finance companies (C), microfinance (D), the Infrastructure Bank, plus Payment System Operators and Payment Service Providers. The use cases they name include credit scoring, fraud detection, customer service, risk management, and compliance monitoring.

While well intentioned and the need of the hour, the NRB guidelines raise a few questions regarding industry readiness and execution.

I went through it in detail and wanted to see how it fares against similar guidelines issued in the neighbourhood. For this, I chose the Reserve Bank of India’s FREE-AI (Framework for Responsible and Ethical Enablement of Artificial Intelligence) report.

The core contents of the NRB guidelines are:

Governance & accountability: Boards and senior management remain ultimately responsible for AI outcomes, just as they are for all other activities within a financial institution. Licensed institutions must set up a cross-disciplinary AI steering committee, approve an AI strategy and governance framework at board level, and designate a senior management member with the expertise to oversee technology and AI risks. This raises a practical question: are Nepalese financial institutions ready, and do they have genuine technology and AI risk professionals—not just CTOs—to provide that oversight?
Outsourcing: The guidelines draw a useful distinction: using third-party tools internally for tasks such as drafting or summarizing is not outsourcing, while procuring an AI-powered service is. The latter triggers due diligence, board approval, and notification to NRB. This again raises the question of whether Nepalese financial institutions have hired or developed sufficient technology and AI risk expertise.
Risk management: Licensed institutions must conduct a pre-deployment assessment to determine whether each AI system is high-risk, based on five criteria: potential for serious harm, broad or systemic impact, limited human oversight, risk to rights, and use of sensitive data. AI risks must be recorded in the risk register with named owners. The guidelines also specifically address deepfakes and synthetic media, requiring institutions to deploy detection tools.
Model risk, data quality, cybersecurity, and ethical use: The guidelines require model validation throughout the AI lifecycle, strong data governance and retention practices, alignment with NRB’s Cyber Resilience Guidelines, penetration testing, and safeguards against bias. This raises a key question: how mature are Nepalese financial institutions in data security, cybersecurity, and the ethical use of data?
Transparency: AI systems must be explainable, AI-generated content must be clearly labelled, customers must be informed when AI affects them, and audit trails must be maintained in line with ISO/IEC 42001.
Data privacy: Licensed institutions must strictly comply with the Privacy Act 2075 (2018) by enforcing data minimization principles and securing explicit customer consent. Crucially, providing an opt-out mechanism must not result in the denial of essential banking services to the customer. However, this mandates a critical look at current market realities:
• The Implementation Gap: Is this compliance happening in daily practice, or is it merely a paper exercise?
• The AI Evolution: As institutions adopt machine learning, how will they evolve their existing data privacy frameworks to mitigate distinct AI risks—such as data lineage tracking, algorithmic bias, and the accidental ingestion of sensitive data into LLMs?
Fairness: Licensed institutions (LIs) must proactively identify and mitigate algorithmic bias to ensure equitable financial outcomes. To achieve this, the framework emphasizes:
• Independent Third-Party Validation: Utilizing objective, external assessments to audit and verify high-risk AI systems before deployment.
• Inclusive Design: Developing AI models using diverse datasets and representative perspectives to prevent the marginalization of vulnerable customer segments.
The Reality Check: While inclusive design sounds great on paper, how feasible is independent third-party validation in a market like Nepal? Do local tech auditors possess the specialized capabilities to stress-test complex algorithms for bias, or will banks be forced to rely on expensive international firms, potentially slowing down innovation?
Monitoring & reporting: The guidelines mandate a structured, risk-based approach to oversight, requiring financial institutions to implement rigorous tracking mechanisms:
• Risk-Based Monitoring: Continuous oversight with increased frequency and scrutiny applied to high-risk AI systems.
• Incident Reporting to NRB: Prompt notification to the Nepal Rastra Bank (NRB) regarding critical AI failures or security incidents, alongside quarterly reporting for non-critical issues.
• Annual Regulatory Reporting: Submission of a comprehensive, standardized annual report detailing the institution’s AI footprint, risks, and mitigations.
The Operational Hurdle: Implementing a risk-based monitoring system requires dynamic, real-time tracking tools that many Nepalese banks lack. Furthermore, with the NRB demanding prompt incident reporting, are both the central bank and the licensed institutions equipped with the clear definitions and technical infrastructure needed to distinguish, log, and respond to an “AI incident” versus a traditional IT glitch?
Capacity building & grievances: Training for everyone from the board through to staff, customer education, and grievance channels for AI-driven decisions.

RBI’s equivalent — the FREE-AI framework

RBI’s counterpart is the FREE-AI report (Framework for Responsible and Ethical Enablement of Artificial Intelligence), issued on 13 August 2025 by a committee constituted in December 2024, chaired by Dr. Pushpak Bhattacharyya (IIT Bombay). The most important structural difference: it is a committee report and is advisory, not itself binding. Its recommendations are expressly designed so that RBI may convert them into supervisory expectations, Master Directions, or circulars for regulated entities (banks, cooperative banks, NBFCs, payment system operators, fintechs).

It’s organized as 7 Sutras, 6 Pillars, and 26 recommendations. The seven guiding principles are: Trust is the Foundation; People First; Innovation over Restraint; Fairness and Equity; Accountability; Understandable by Design; and Safety, Resilience and Sustainability. The six pillars are Infrastructure, Policy, Capacity, Governance, Protection, and Assurance — deliberately split so that three (Infrastructure, Policy, Capacity) enable innovation and three (Governance, Protection, Assurance) mitigate risk. A defining theme is that innovation and risk mitigation are treated as complementary forces to be pursued in tandem rather than in opposition.

How the two compare

Substantial overlap: Both put board-level accountability at the centre, require board-approved AI policy, demand explainability and disclosure when customers interact with or are affected by AI, fold AI risk into existing risk/cyber frameworks, require incident reporting and audits, and link to a national data-protection law (the Privacy Act 2075 for Nepal; the DPDP Act 2023 for India). Both also tie themselves to existing IT/cyber guidelines and emphasize bias mitigation and capacity building. On the substance of risk controls, they’re close cousins — unsurprising, since NRB’s document says it follows international best practice.

Meaningful differences:

Legal status: NRB’s document is drafted as a binding guideline, currently at the consultative stage. RBI’s FREE-AI is an advisory committee report, whose binding force depends on RBI later issuing formal directions.

Orientation: NRB leads with compliance and risk, setting out prescriptive obligations. RBI deliberately balances enablement against risk, with three of its six pillars being pro-innovation.

Innovation tooling: NRB’s guidelines are largely silent on this. RBI actively recommends AI sandboxes, shared data and compute infrastructure, indigenous financial AI models, and even a dedicated funding pool.

Structure: NRB uses conventional thematic sections capped with a reporting annex. RBI adopts its distinctive “7 Sutras / 6 Pillars / 26 recommendations” architecture.

High-risk systems: NRB applies an explicit five-criterion classification test that triggers heavier obligations. RBI incorporates risk-tiering through its governance and assurance recommendations rather than a single codified test.

Specific call-outs: NRB flags deepfake and synthetic-media detection, references ISO/IEC 42001, and requires explicit consent with an opt-out. RBI foregrounds a customer’s “right to override” AI decisions, model-drift monitoring, and the maintenance of an AI system registry.

The big-picture contrast: NRB has produced a tighter, more prescriptive supervisory instrument aimed straight at compliance — appropriate for a smaller financial system that wants guardrails in place before AI adoption scales. RBI’s FREE-AI is broader and more developmental, explicitly trying not to over-regulate and instead build sector-wide capability (sandboxes, infrastructure, indigenous models) alongside the safeguards. In effect, NRB is regulating; RBI is, for now, recommending an approach that it intends to operationalize through later binding instruments.

One thing worth flagging on how up to date this is: the FREE-AI framework remains a report, and the timeline for RBI converting it into formal directions is still evolving — there’s been continued high-level attention to systemic AI risk in Indian finance into 2026, so the binding version may look somewhat different when it lands.

https://open.substack.com/pub/lakshmanpandey/p/nrb-ai-guidelines?r=4cq73l&utm_medium=ios