Compliance News • 4 min read
US AI Licensing Paused: Why BFSI General Counsels Bear the DPDP Liability for Frontier Models
With the US deciding against an FDA-style AI regulator, Indian BFSI entities deploying global AI models face increased pressure to secure vendor indemnities and prove DPDP compliance independently.
Last updated:
What Happened
On July 3, 2026, former White House AI adviser Sriram Krishnan stated that the US administration will not create a centralized AI licensing agency or an FDA-style approval process for model releases. The policy direction follows a June 2026 AI security executive order that favors private-sector collaboration over strict pre-release approvals. The focus will remain on voluntary engagement, classified benchmarking, and cyber-focused reviews rather than heavy formal licensing for frontier AI models.
Does The DPDP Act Apply Here
For a General Counsel at an Indian bank or insurer, US regulatory choices directly impact domestic compliance risk. Under Section 3 of the DPDP Act, the law applies to digital personal data processed within India, and processing outside India connected to offering goods or services to Data Principals in India. If your institution integrates a US-based AI model for customer service or credit scoring and feeds it digital personal data, the DPDP Act applies in full. The Act does not apply if the data sent to the AI vendor is irreversibly anonymised, but achieving true anonymisation in complex financial datasets is technically difficult and legally fraught.
Legal Implications Under DPDP
The absence of a US federal AI certification shifts the compliance burden entirely to the Indian Data Fiduciary deploying the tool. Under Section 4, processing requires a lawful purpose. Consent is the primary basis for processing, except where Section 7 legitimate uses apply. If an enterprise AI vendor utilizes your customer data to train its underlying model without itemised notice and clear consent under the DPDP Rules, 2025, your organisation holds the legal liability. Cross-border transfers of this data to foreign AI servers are generally permitted unless the Central Government restricts transfer to notified countries or territories (a negative list), but this makes contract clauses governing data handling vital.
Could This Happen To You
Consider a scenario where a popular frontier model integrated into your retail banking app hallucinates or inadvertently exposes another customer's financial history. The DPBI will look to the bank, not the foreign AI developer, for accountability. Under the DPDP Rules, 2025, you would need to execute an intimation to affected Data Principals without delay plus a detailed report to the Data Protection Board within 72 hours. Your legal team must ask if you can currently extract system logs from foreign AI vendors fast enough to meet this 72-hour window, or if vague limitation of liability clauses will leave you exposed to a penalty ceiling of 250 crore rupees.
What Companies Should Do In The Next 30 Days
1. Audit active vendor agreements for AI and machine learning platforms to review indemnity clauses and limitation of liability caps. Owner: General Counsel. Artifact: Contract risk matrix.
2. Map the data flows to these external models to determine exactly what digital personal data is transmitted. Owner: IT Security and Legal. Artifact: Data processing inventory.
3. Revise customer facing privacy notices to ensure AI processing is listed as a distinct, itemised purpose as required by the DPDP Rules, 2025. Owner: Compliance Head. Artifact: Updated consent notice.
4. Establish a binding SLA with AI vendors for breach notification timelines that allow you to meet your own reporting duties. Owner: Procurement and Legal. Artifact: Vendor addendum.
What To Watch
Exactly 311 days remain until the DPDP hard compliance deadline of 13 May 2027. Legal teams must monitor upcoming DPBI enforcement actions for signals on how automated decision-making and algorithmic processing will be scrutinised in the BFSI sector. Expect outside counsel spend to increase as institutions rush to renegotiate legacy technology contracts before the deadline. To evaluate your AI vendor exposure and build defensibility for your data processing activities, start a free assessment at freescan.complydp.com.
Sources
Frequently asked questions
How does the lack of a US AI regulator affect Indian businesses?
Without a US certification body for AI models, Indian Data Fiduciaries cannot rely on foreign safety approvals as a legal shield. The liability to prove lawful purpose and secure data falls entirely on the Indian company deploying the tool under the DPDP Act.
Are we allowed to send customer data to US-based AI servers?
Yes, under the DPDP Act, cross-border transfers are generally permitted unless the Central Government restricts transfer to notified countries or territories on a negative list. However, you remain fully accountable for how that foreign vendor processes your data.
What is the penalty if our AI vendor causes a data breach?
The DPDP Act establishes a penalty ceiling of up to 250 crore rupees for failure to take reasonable security safeguards. The Data Fiduciary faces this penalty even if the technical failure originated with a third-party AI provider.
How quickly must we report a breach involving an AI tool?
The DPDP Rules, 2025 require intimation to affected Data Principals without delay. You must also submit a detailed report to the Data Protection Board within 72 hours of becoming aware of the breach.
Do we need consent to process financial data through an AI model?
Consent is the primary basis for processing, except where Section 7 legitimate uses apply. You must provide an itemised notice explaining the exact purpose of the AI processing to secure valid consent.
ComplyDP