There is a question that sits quietly at the centre of every AI-driven AML programme, rarely asked aloud but increasingly impossible to ignore: when a machine flags a customer as suspicious, freezes an account, or generates a suspicious transaction report – who is actually responsible for that decision?
The honest answer, in most institutions today, is: nobody is entirely sure. Is it the junior analyst, the mid-level analyst or the PO, or does it fall between the cracks?
The AML function has spent the last decade automating itself – transaction monitoring, customer risk scoring, adverse media screening, STR drafting. The tools have become genuinely powerful. But at most reporting entities (REs), the governance frameworks designed to oversee those tools have perhaps not kept pace. Most institutions can tell you what their AI model does. Far fewer can tell you whether it does it fairly, consistently, and in a manner they could defend to a regulator, a court, or a customer whose account was wrongly frozen.
That gap between AI capability and AI governance is where the next wave of AML risk is building. And for Principal Officers and Compliance Officers navigating India’s complex, multi-regulator environment, understanding it is no longer optional.
What “Ethical AI” Actually Means in a Financial Crime Context
The phrase “ethical AI” has accumulated enough corporate vagueness to make most practitioners instinctively distrust it. So let us be precise about what it means – and does not necessarily mean – in an AML context.
Ethical AI in AML is not about giving machines a moral compass. It is about ensuring that automated systems make decisions that are fair, explainable, consistent, and subject to meaningful human oversight. It is about ensuring that when an AI system produces an outcome – a risk score, an alert, a case recommendation – that outcome can be interrogated, challenged, and if necessary overturned. Put simply, where rule-based AML produced outputs, AI-driven solutions provide explainable outputs that influence outcomes.
It means asking four questions that most AML programmes currently cannot answer satisfactorily:
- Can we explain, in plain language, why this customer was flagged?
- Are our models producing systematically different outcomes for different customer groups, and if so, why?
- Who is accountable when an AI-driven decision causes harm?
- How do we know our models are still performing as intended, six months after deployment?
These are not philosophical questions. They are operational ones, and regulators are beginning to ask them directly.
In India, however, there is a fifth question that sits beneath all of these – and it is one that most institutions are not yet equipped to answer at all: do we even have the internal capability to govern the AI we have deployed?
The Accountability Gap – When AI Flags a Customer, Who Owns That Decision?
Consider a scenario that is playing out daily across Indian financial institutions. An AI-driven transaction monitoring system flags a customer – a small business owner in a Tier 2 city – for unusual cash flow patterns. The system generates an alert, scores it high priority, and auto-populates a case report recommending STR filing. The analyst reviews the output, finds nothing obviously wrong with the model’s reasoning, and escalates to the Principal Officer. The STR is filed.
Six months later, the customer’s account is frozen as part of an enforcement action. It turns out the flagged activity was entirely legitimate – seasonal revenue from a festival supply business that the model had no baseline data for.
Who is responsible?
The analyst will say they followed the system’s recommendation. The technology team will say the model performed as designed. The vendor will point to the training data. The Principal Officer will note they relied on the case report prepared below them.
This diffusion of accountability is not hypothetical. It is the structural reality of most AI-assisted compliance workflows in India, compounded by the fact that many institutions have deployed AI-driven tools without building the internal capability to question, validate, or govern them. The tool was procured. The governance was not.
This is particularly acute in India because of the sheer diversity of the RE landscape. A large private sector bank with a dedicated model risk team is in a fundamentally different position than a district cooperative bank, a mid-sized NBFC, or an early-stage fintech – all of which are subject to similar AML obligations but operate with vastly different technical resources, compliance depth, and institutional capacity. For the smaller RE, AI governance is not just a gap. It is unknown.
Explainability Is Not a Feature – It Is a Compliance Requirement
A black-box AML model – one that produces outputs without human-readable reasoning – is not merely a technical limitation. It is a liability.
When an STR is challenged before an appellate authority, when a regulatory inspection focuses on a specific case, when a customer disputes an account restriction, the institution must be able to answer one question coherently: on what basis was this decision made?
“The model flagged it” is not an answer. It is an admission that the compliance function does not understand its own decisions.
Explainable AI frameworks – SHAP values, LIME, decision trees layered atop deep learning models – exist precisely to solve this problem. They allow a compliance officer to say, with specificity: “This alert was generated because the customer’s inward remittance volume increased 340% against their six-month baseline, two counterparty accounts had appeared in adverse media scans in the preceding fortnight, and the transaction timing pattern matched a structuring typology flagged in FIU-IND’s most recent advisory.”
That is auditable. That is defensible. That is what a regulator conducting a model governance review will expect to hear.
India’s regulatory framework is moving in this direction, but not uniformly. The RBI has the most developed model risk management framework among Indian regulators, built initially around credit models but increasingly referenced in compliance contexts. Its guidance establishes clear expectations around model validation, performance monitoring, and documentation of model assumptions. For RBI-regulated entities – banks, NBFCs, payment aggregators – this framework provides at least a baseline reference point for AI governance in AML.
SEBI’s enforcement posture is sharpening in a related direction. Recent orders have begun examining not just whether institutions had compliance systems, but whether those systems’ outputs were subjected to genuine human scrutiny and whether the reasoning behind compliance decisions was documented. IFSCA’s RegTech/SupTech framework for GIFT City entities goes further – explicitly acknowledging technology governance as integral to compliance governance, and setting expectations that are, in several respects, ahead of the mainland regulatory framework.
But for the majority of India’s reporting entities – the thousands of NBFCs, cooperative banks, insurance intermediaries, securities brokers, and fintechs regulated by a patchwork of frameworks – the explainability expectation remains largely implicit. It has not been made explicit, consistently, across the regulatory landscape. And that inconsistency is itself a governance problem.
Algorithmic Bias – Are Your Models Profiling the Wrong People?
This is perhaps the most uncomfortable dimension of AI governance in AML – and the one least discussed in Indian compliance circles. Globally, algorithmic bias in non-AML contexts has been observed in cases such as Wells Fargo (2022) and Apple Card / Goldman Sachs (2024), to name a few. They demonstrate how algorithmic transparency issues are symptomatic of broader operational challenges. Every AI model learns from historical data. In AML, that means historical patterns of flagged transactions, filed STRs, and confirmed cases of financial crime. The problem is that historical AML data is not neutral. It reflects the decisions made by previous compliance programmes – decisions shaped by the rules, biases, and resource constraints of their time.
The specific problem in AML contexts is the false positive trap, where key risks include algorithmic bias (models discriminating against certain customer groups), model opacity (inability to explain AI decisions to regulators), data quality issues (AI learning from incomplete or biased data), and adversarial attacks. In the Indian context, this problem has a specific and largely unexamined dimension. India’s financial inclusion journey – the rapid onboarding of hundreds of millions of first-time formal financial system users through Jan Dhan accounts, UPI, and digital lending – has created a vast new customer base whose transaction patterns look unfamiliar to models trained on older, more limited datasets. A daily wage worker who receives irregular cash credits and makes large withdrawals before festivals is not structuring. But to a model trained primarily on urban, salaried customer data, that pattern may look anomalous.
The risk is real: models that were not trained on demographically representative data will systematically over-flag customers from newly included segments – rural customers, informal sector workers, small traders – while potentially under-flagging sophisticated financial crime that operates through profiles the model was trained to treat as low-risk.
This is not a hypothetical bias. It is a structural one, embedded in the data that most Indian AML models were built on. And it has consequences not just for compliance effectiveness but for financial inclusion – the regulatory and social priority that India has invested enormously in advancing.
For the Principal Officer, the obligation is clear. Model validation must include explicit testing for systematic outcome variation across customer geographies, income segments, and transaction profiles. A model that flags Tier 3 city cash businesses at three times the rate of equivalent Tier 1 city businesses, without a risk-based justification for that difference, is not performing well. It is performing in a biased manner – and that bias is a governance gap.
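One way to run the like-for-like comparison described above, as an added example that is not part of the original article: it stratifies customers by business type so that only "equivalent" businesses are compared, then pools the Tier 3 versus Tier 1 flag-rate ratio with a Mantel-Haenszel estimate and confidence interval. The segment names, counts and the 1.25 tolerance are constructed assumptions, not figures from any regulator or from the article.

```python
import math
from collections import defaultdict


def build_sample():
    """Constructed data: one row per customer (business_type, city_tier, flagged)."""
    counts = {  # (business_type, tier): (flagged, total) -- invented figures
        ("kirana", "tier1"): (30, 1000), ("kirana", "tier3"): (90, 1000),
        ("festival_supply", "tier1"): (20, 500), ("festival_supply", "tier3"): (60, 500),
        ("textile_trader", "tier1"): (15, 500), ("textile_trader", "tier3"): (45, 500),
    }
    rows = []
    for (btype, tier), (flagged, total) in counts.items():
        rows += [(btype, tier, True)] * flagged
        rows += [(btype, tier, False)] * (total - flagged)
    return rows


def stratified_flag_ratio(rows, group="tier3", reference="tier1",
                          tolerance=1.25, z=1.96):
    """Pooled flag-rate ratio of `group` vs `reference` within business types.

    `tolerance` is a hypothetical governance threshold: if even the lower
    confidence bound exceeds it, the disparity needs a documented
    risk-based justification before the model passes validation.
    """
    tab = defaultdict(lambda: {group: [0, 0], reference: [0, 0]})
    for btype, tier, flagged in rows:
        if tier in (group, reference):
            cell = tab[btype][tier]
            cell[0] += int(flagged)   # flagged customers
            cell[1] += 1              # all customers
    num = den = var_num = 0.0
    per_stratum = {}
    for btype, cells in tab.items():
        a, n1 = cells[group]
        c, n0 = cells[reference]
        if n1 == 0 or n0 == 0:
            continue  # no equivalent business in the other tier to compare with
        n = n1 + n0
        num += a * n0 / n
        den += c * n1 / n
        # Greenland-Robins variance term for the log of the pooled ratio
        var_num += (n1 * n0 * (a + c) - a * c * n) / n ** 2
        per_stratum[btype] = (a / n1) / (c / n0) if c else math.inf
    if num == 0 or den == 0:
        raise ValueError("ratio undefined: a group has no flagged customers")
    ratio = num / den
    se = math.sqrt(var_num / (num * den))
    lo, hi = ratio * math.exp(-z * se), ratio * math.exp(z * se)
    return {"ratio": ratio, "ci": (lo, hi), "per_stratum": per_stratum,
            "needs_justification": lo > tolerance}


if __name__ == "__main__":
    result = stratified_flag_ratio(build_sample())
    print(f"pooled ratio {result['ratio']:.2f}, "
          f"95% CI {result['ci'][0]:.2f}-{result['ci'][1]:.2f}, "
          f"needs justification: {result['needs_justification']}")
```

A ratio above the tolerance is a prompt for review rather than proof of bias: the finding is closed either by a documented risk-based reason for the difference or by retraining on more representative data.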
The Continuous Governance Problem – Deployment Is Not the Finish Line
Most AML technology programmes treat model deployment as the endpoint of a project. The model is built, validated, approved, and launched. The project is closed. The team moves on.
This is precisely the wrong mental model – and it is where a significant proportion of AI governance failures in Indian institutions will likely originate over the next three to five years.
India’s financial landscape is changing faster than almost any other in the world. UPI transaction volumes have grown at a pace that no model trained three years ago could have anticipated. The crypto ecosystem has been formalised and regulated. New payment rails, new lending products, and new categories of reporting entities are being added continuously. The typologies of financial crime are evolving with equal speed.
A transaction monitoring model trained on 2022 data and deployed in 2023 is operating in a materially different environment today. Without active retraining and performance monitoring, it is detecting yesterday’s crime patterns while potentially missing today’s. Model drift – the gradual degradation of performance as the real world moves away from the training distribution – is a documented phenomenon with serious compliance consequences. In India’s fast-moving financial environment, that drift happens faster than in more stable markets.
The question every Principal Officer should be asking is not “when was this model deployed?” It is “when was it last validated against current transaction patterns, current typologies, and current regulatory expectations – and what did that validation find?”
For most Indian institutions, the honest answer is that they do not have a formal answer to that question. Model retraining cycles, where they exist at all, are driven by vendor contracts rather than compliance requirements. That gap needs to close – and it will, one way or another, whether proactively or under regulatory pressure.
Autonomous AI in AML – Where the Human Must Stay in the Loop
The direction of AML technology is toward greater autonomy. Auto-generated STR drafts. Risk scores that trigger automatic enhanced due diligence. Screening matches that result in immediate transaction holds. These capabilities are real, valuable, and being deployed today across Indian financial institutions.
But autonomy without governance is not efficient. It is unaccountable decision-making at scale.
The Human-in-the-Loop principle – the deliberate architectural choice to insert human judgment at defined points in an automated workflow – is not a compromise between full automation and full manual review. It is a recognition that certain decisions carry consequences serious enough that they must be owned by a human being who can be held accountable for them.
In India, this principle has a specific regulatory dimension. FIU-IND has signalled clearly and repeatedly that the quality and analytical depth of STR filings is under active scrutiny – not just the volume. A fully automated STR process with no documented human sign-off produces filings that are formulaic, thin on analytical narrative, and of limited intelligence value to law enforcement. It also produces an institution that cannot demonstrate, under examination, that a human being with relevant competence actually reviewed and owned the decision to file.
For the Principal Officer, HITL is not just best practice. It is the mechanism by which their personal statutory accountability under the PMLA is meaningfully discharged – rather than nominally delegated to an algorithm.
India’s Regulatory Asymmetry – The Governance Problem Nobody Is Coordinating
This is the dimension of AI governance in Indian AML that is most consequential and least discussed: the profound asymmetry in how different Indian regulators approach AI governance in compliance and what that asymmetry means for institutions operating across multiple regulatory perimeters.
Consider the landscape as it currently stands. The RBI has the most developed model risk management framework, built on international best practice, increasingly applied to compliance contexts, and backed by supervisory capacity to examine model governance in detail. For a large private sector bank, this provides a meaningful baseline.
SEBI’s framework is evolving but remains primarily focused on market integrity rather than model governance in compliance systems. Its enforcement posture is sharpening, but its explicit guidance on AI governance for AML purposes remains limited. IRDAI’s AML guidelines for insurers are comparatively less prescriptive on technology governance. IFSCA, paradoxically, has the most forward-looking RegTech framework of any Indian regulator – but it covers only the relatively small universe of GIFT City entities.
The result is a landscape in which a conglomerate financial group – a bank with an NBFC subsidiary, an insurance arm, and a securities broking entity – faces materially different AI governance expectations depending on which regulated entity is being examined and by which regulator. The bank’s transaction monitoring model may be subject to rigorous model risk review. The NBFC’s model, performing essentially the same function, may face no equivalent scrutiny.
This regulatory asymmetry creates several problems simultaneously. It creates compliance arbitrage opportunities – sophisticated bad actors understand that the weakest link in a multi-entity financial group is the least-regulated entity. It creates inconsistent standards of AML effectiveness across the financial system. And it creates genuine uncertainty for compliance officers trying to build AI governance frameworks that work across a group structure with multiple regulatory masters.
What needs to happen – and what India’s regulators ought to consider:
First, a baseline AI governance standard for AML needs to be established across regulators – not identical in every detail, but consistent in its core requirements: explainability, bias testing, continuous monitoring, and documented human accountability. The FATF’s evolving guidance on the use of AI in AML provides a natural reference point. India should adopt it explicitly, across all relevant regulators, rather than allowing each to develop its own framework at its own pace.
Second, FIU-IND – as the central AML authority with visibility across all reporting entities – is the natural coordinator of this effort. Its existing role in setting STR quality expectations, issuing typology guidance, and engaging with reporting entities across sectors positions it to drive cross-regulator alignment on AI governance standards in a way that individual sectoral regulators cannot.
Third, the capacity gap must be acknowledged honestly. Most Indian reporting entities – particularly the thousands of smaller NBFCs, cooperative banks, and insurance intermediaries – have not adopted AI-based AML solutions or have plans to use them in a phased manner. They do not currently have the internal capability to govern AI models to the standard that the evolving regulatory expectation requires. Mandating standards without building capacity is an enforcement exercise, not a governance one. Regulators should consider what industry-level support – guidance, training, shared typology data, model benchmarking frameworks – would help smaller REs gradually meet a standard they currently cannot reach on their own.
Fourth, the vendor accountability question needs regulatory attention. A large proportion of Indian institutions use third-party AML technology platforms – they did not build their models, they procured them. The governance question of who is responsible when a vendor’s model produces biased, opaque, or drifting outputs is largely unresolved in Indian regulation. Clear guidance on what institutions must contractually require of their AML technology vendors – explainability, validation documentation, retraining commitments, bias disclosures – would address a real gap.
What Good Ethical AI Governance Looks Like in Practice
Translating principles into practice requires a framework. At minimum, a credible ethical AI governance programme for AML in the Indian context should include:
Model ownership. Every AI model in the AML stack should have a named owner within the compliance function – accountable for its performance, its outputs, and its ongoing governance. Technology builds the model. Compliance owns it. This distinction must be explicit, documented, and understood by the board.
Explainability by design. XAI frameworks should be implemented at the point of model development, not retrofitted after deployment. Every model output that influences a compliance decision should be accompanied by a human-readable explanation of the factors that drove it – one that a regulator, an auditor, and a non-specialist board member can all understand.
Bias testing as standard. Model validation must include explicit testing for systematic outcome variation across customer segments – geography, income profile, business type, transaction corridor, onboarding channel. In India specifically, this must include testing across the urban-rural divide and across the formally included vs. long-banked customer segments.
Continuous performance monitoring. Models should be monitored against defined metrics on a regular cycle. In India’s fast-evolving financial landscape, annual validation is insufficient. Quarterly performance reviews, with formal retraining triggers, should be the standard.
Documented HITL checkpoints. Every compliance workflow must have defined points at which human judgment is required, documented, and attributable to a named individual. The Principal Officer’s sign-off on an STR must be a genuine review – not a formality, and not a rubber stamp on an algorithmic output.
Vendor governance standards. Institutions using third-party AML platforms must contractually require explainability documentation, bias testing evidence, model validation reports, and retraining commitments. Procurement of an AML tool is not a transfer of governance responsibility. It is the beginning of it.
The Competitive and Institutional Case for Getting This Right
There is a version of this argument that is purely about risk avoidance – build ethical AI governance or face regulatory consequences. That argument is correct, but it is incomplete.
The institutions that govern their AI well will also perform better. Explainable models are easier to validate, easier to improve, and easier to defend. Bias-tested models produce fewer false positives – less analyst time wasted, lower operational cost, better customer experience, and less collateral damage to the financially included customers India has worked hard to bring into the formal system. Continuously monitored models catch drift before it becomes a detection failure. Human-in-the-loop workflows produce STRs that are analytically richer and more valuable to law enforcement.
For India specifically, there is an additional imperative that sits above the institutional level: the integrity of the AML system as a whole depends on the quality of the AI that powers it. A financial system in which AI models are opaque, biased, ungoverned, and drifting is not a system that is effectively preventing financial crime. It is a system that is performing the theatre of prevention while the substance deteriorates quietly beneath.
India is building one of the most ambitious financial systems in the world – in terms of scale, inclusion, and digital infrastructure. The AI that governs its compliance function must be built to the same standard of ambition. That means being explainable, fair, continuously governed, and genuinely accountable.
The algorithm is a powerful tool. But a tool without governance is just a risk with a user interface. And in India’s financial system, the consequences of getting that wrong will not be contained to the institutions that deploy the tools. They will be felt across the system – and eventually, across the customers it is supposed to serve.