This is a sample report for demonstration purposes.

Compass GovernReady · AI Governance Audit Report
DEMO

Banking / NBFC / Fintech · 21 June 2026

Meridian Capital Ltd

Frameworks assessed: RBI Model Risk Management Directions · DPDP Act 2023 · MAS FEAT Principles

Risk score: 68 / 100 · High risk

Overall maturity: 2.2 / 5 · Developing

Gaps identified: 8 · 3 critical · 5 high

Domains assessed: 5 governance areas

Priority actions: 5 · next 90 days

01 · Audit readiness

Meridian Capital has deployed several AI models in credit decisioning and fraud detection without establishing the governance scaffolding regulators expect. The most significant exposures are the absence of a formal model inventory, inconsistent validation practices, and no documented bias testing against protected demographics. The organisation can demonstrate technical capability — the gap is governance, not engineering.

Meridian Capital has built meaningful AI capability in credit decisioning and fraud detection. The engineering foundations are solid. The governance scaffolding is not — and the two are increasingly inseparable as RBI, MAS, and the DPDP Act enforcement calendar approaches. This assessment identified 8 gaps across five governance domains. Three are Critical: the absence of a model inventory, the lack of independent validation, and the complete absence of bias testing on customer-facing credit models. None of these require new technology — they require governance decisions, process design, and accountability assignment. The 90-day roadmap below sequences remediation by regulatory exposure and implementation effort. The first 30 days should focus entirely on the three Critical gaps, which represent the highest likelihood of a regulatory finding.

Maturity by domain

[Chart: maturity score per domain. The scores are those given in section 03: AI Inventory & Model Governance 2/5, Model Risk & Validation 2/5, Data & Privacy Controls 3/5, Fairness & Bias Management 1/5, Operational Controls & Incident Response 3/5.]
02 · What to fix first

01. Establish a model inventory covering all AI systems in production within 30 days; assign a named Model Risk Owner for each.

02. Implement independent model validation for the three highest-impact credit scoring models before the next RBI review cycle.

03. Commission a bias audit against gender and geography for the loan origination model — document methodology and results for the regulator.

04. Draft and board-approve an AI Incident Response Plan with defined escalation paths and customer notification procedures.

05. Appoint a senior accountability owner (CRO or equivalent) for AI governance under SMCR/senior-manager accountability frameworks.

03 · Findings by domain

AI Inventory & Model Governance

2/5 · Developing

Meridian operates at least seven AI models in production — credit scoring, fraud detection, collections prioritisation, and document processing — with no centralised inventory and no formal risk tiering. RBI MRM Directions Para 4.1 is unambiguous: every model must be inventoried, risk-tiered, and assigned a named owner. The current practice of maintaining informal documentation in Confluence is not sufficient for a regulatory examination.

Strengths

Engineering teams maintain informal documentation of model versions in Confluence.
A model deployment approval process exists for credit models, though it is not formalised.

Gaps (2)

No formal, centralised AI model inventory exists. RBI MRM Directions require a comprehensive inventory of all models with defined risk tiers.

Critical

Fix: Deploy a model registry (Vertex AI Model Registry or equivalent). Populate all production models within 30 days. Assign risk tier (High/Medium/Low) and a named Model Risk Owner to each.

RBI MRM Directions Para 4.1 · MAS FEAT Principle 1.2 · Effort: Medium · 30 days

Model documentation does not meet RBI standards — purpose, assumptions, limitations, and known failure modes are not systematically recorded.

High

Fix: Adopt a standard Model Document template covering purpose, data inputs, algorithm choice, validation results, and known limitations. Retrofit existing models within 60 days.

RBI MRM Directions Para 5.2 · SR 11-7 Section III · Effort: Medium · 90 days

Model Risk & Validation

2/5 · Developing

The credit scoring model has never been independently validated. The data science team back-tests its own models quarterly — a practice that violates the separation of duties requirement in both RBI MRM Directions and SR 11-7. Independent validation is not a luxury for banks using models to make lending decisions; it is a baseline expectation. MAS FEAT Principle 3 makes the same requirement for institutions operating in Singapore.

Strengths

Back-testing is performed quarterly on the primary credit scoring model.
Data science team tracks model performance via an internal dashboard.

Gaps (2)

Model validation is performed by the same team that built the models. RBI and SR 11-7 both require independent validation.

Critical

Fix: Establish an Independent Model Validation function — either an internal team with reporting separation or an external validator. Begin with the three highest-risk credit models.

RBI MRM Directions Para 6.1 · SR 11-7 Section IV · MAS FEAT Principle 3 · Effort: High · 90 days

No defined model performance thresholds triggering mandatory re-validation. Models continue in production past their intended operating range.

High

Fix: Define KPI thresholds (Gini, PSI, accuracy degradation) for each model. Automate monitoring and trigger re-validation when thresholds are breached.

RBI MRM Directions Para 6.3 · Effort: Low · 30 days
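The threshold-driven re-validation trigger described in this fix, as an added example that is not part of the report or of any Meridian system: it computes PSI (score-distribution drift) and Gini (discriminatory power) on constructed score samples and returns which assumed thresholds were breached.

```python
# Added example (not from the report): drift and discriminatory-power checks that
# gate re-validation. Thresholds, scores and labels are constructed; stdlib only.
from bisect import bisect_right
from math import log

THRESHOLDS = {"psi_max": 0.25, "gini_min": 0.40, "gini_drop_max": 0.10}  # assumed policy values

def psi(baseline, current, n_bins=10):
    """Population Stability Index of current scores vs the baseline; bin edges come from baseline quantiles."""
    srt = sorted(baseline)
    edges = [srt[len(srt) * i // n_bins] for i in range(1, n_bins)]
    def shares(sample):
        counts = [0] * n_bins
        for s in sample:
            counts[bisect_right(edges, s)] += 1
        # floor empty bins at a small epsilon so log(0) cannot occur
        return [max(c / len(sample), 1e-4) for c in counts]
    return sum((c - b) * log(c / b) for b, c in zip(shares(baseline), shares(current)))

def gini(y_true, scores):
    """Gini = 2*AUC - 1; AUC via the rank-sum formula, tied scores get their average rank."""
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    ranks, i = [0.0] * len(scores), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1  # 1-based average rank of the tie group
        i = j + 1
    n_pos = sum(y_true); n_neg = len(y_true) - n_pos
    rank_sum_pos = sum(r for r, y in zip(ranks, y_true) if y == 1)
    return 2 * (rank_sum_pos - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg) - 1

def revalidation_triggers(baseline_scores, current_scores, y_true, baseline_gini):
    """Return (metrics, breached); a non-empty breach list sends the model back to independent validation."""
    cur = gini(y_true, current_scores)
    metrics = {"psi": psi(baseline_scores, current_scores), "gini": cur,
               "gini_drop": baseline_gini - cur}
    breached = [name for name, hit in (
        ("psi", metrics["psi"] > THRESHOLDS["psi_max"]),
        ("gini", metrics["gini"] < THRESHOLDS["gini_min"]),
        ("gini_drop", metrics["gini_drop"] > THRESHOLDS["gini_drop_max"])) if hit]
    return metrics, breached

# Constructed data: a uniform baseline score sample, a current sample shifted
# upward (population drift) and labels the shifted scores still separate perfectly.
BASELINE = [round(0.005 + i / 100, 3) for i in range(100)]
SHIFTED = [min(round(s + 0.30, 3), 0.999) for s in BASELINE]
Y_TRUE = [1 if i >= 50 else 0 for i in range(100)]
```

On this data the Gini stays at 1.0 while PSI is far above 0.25, which is the case the monitoring must catch: the model still ranks well but the population it scores has moved outside its validated range.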

Data & Privacy Controls

3/5 · Defined

Data access controls are the strongest element of the governance posture. RBAC is enforced, PII is masked in test environments, and a DPO has been appointed. The gap is DPDP Act readiness: the existing consent management system captures broad data processing consent but does not segregate AI-specific processing purposes as the Act requires. This is a solvable problem with a targeted extension to the consent capture flow.

Strengths

RBAC is implemented across data systems; access is role-limited.
A Data Protection Officer has been appointed ahead of DPDP Act enforcement.
PII is masked in non-production environments.

Gaps (1)

Consent trails for AI-specific data processing are not separately captured. DPDP Act requires explicit consent for each processing purpose.

High

Fix: Extend the existing consent management system to capture AI-specific processing consent. Audit current user agreements for DPDP compliance before the enforcement date.

DPDP Act 2023 Section 6 · GDPR Article 22 · Effort: Medium · 90 days

Fairness & Bias Management

1/5 · Ad Hoc

No bias testing has been conducted on any customer-facing model. For an NBFC making thousands of credit decisions per day, this is the highest-consequence gap in the portfolio. A single adverse finding on disparate impact — particularly gender or geography — would expose the organisation to DPDP Act enforcement, CFPB-style regulatory scrutiny in any US-touching operations, and reputational risk that is difficult to contain once public. A bias audit should be commissioned immediately.

Gaps (2)

No bias testing has been conducted on the loan origination model. Disparate impact on gender and geography has not been measured.

Critical

Fix: Commission an immediate bias audit. Measure disparate impact on gender, age, and geography using statistical parity and equalised odds. Document and publish results internally.

MAS FEAT Principle 2 · CFPB UDAAP guidance · EU AI Act Article 9 · Effort: Medium · 30 days
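The two disparate-impact measures this fix names (statistical parity and equalised odds), as an added example that is not from the report: it computes per-group approval, true-positive and false-positive rates over constructed validation rows and reports the gaps against a reference group; the 0.10 tolerance is an assumed audit threshold, not a regulatory figure.

```python
# Added example (not from the report): statistical parity and equalised-odds
# gaps by protected attribute. Records are constructed validation-set rows
# (credit decision plus known outcome), not customer data.
from collections import defaultdict

def rates_by_group(records, attr):
    """Per group: approval rate (statistical parity), true positive rate and
    false positive rate (the two components of equalised odds)."""
    agg = defaultdict(lambda: {"n": 0, "approved": 0, "pos": 0, "tp": 0, "neg": 0, "fp": 0})
    for r in records:
        g = agg[r[attr]]
        g["n"] += 1
        g["approved"] += r["approved"]
        if r["would_repay"]:
            g["pos"] += 1
            g["tp"] += r["approved"]
        else:
            g["neg"] += 1
            g["fp"] += r["approved"]
    return {k: {"approval_rate": v["approved"] / v["n"],
                "tpr": v["tp"] / v["pos"] if v["pos"] else 0.0,
                "fpr": v["fp"] / v["neg"] if v["neg"] else 0.0} for k, v in agg.items()}

def disparity(records, attr, reference):
    """Each group's gaps against the reference group: statistical parity
    difference (spd) and the TPR/FPR gaps that equalised odds requires to be ~0."""
    rates = rates_by_group(records, attr)
    ref = rates[reference]
    return {g: {"spd": r["approval_rate"] - ref["approval_rate"],
                "tpr_gap": r["tpr"] - ref["tpr"], "fpr_gap": r["fpr"] - ref["fpr"]}
            for g, r in rates.items() if g != reference}

def findings(records, attr, reference, tolerance=0.10):
    """(group, metric, gap) triples whose absolute gap exceeds the tolerance;
    the tolerance is an assumed audit threshold, not a regulatory constant."""
    return [(g, m, round(v, 3)) for g, gaps in disparity(records, attr, reference).items()
            for m, v in gaps.items() if abs(v) > tolerance]

def rec(gender, region, approved, would_repay):
    return {"gender": gender, "region": region, "approved": approved, "would_repay": would_repay}

RECORDS = [  # constructed rows, not customer data
    rec("F", "urban", 1, 1), rec("F", "rural", 0, 1), rec("F", "rural", 0, 0), rec("F", "urban", 0, 0),
    rec("M", "urban", 1, 1), rec("M", "urban", 1, 1), rec("M", "rural", 1, 0), rec("M", "rural", 0, 0),
]

if __name__ == "__main__":
    for attr, ref in (("gender", "M"), ("region", "urban")):
        print(attr, findings(RECORDS, attr, ref))
```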

No process exists for affected customers to challenge AI-driven credit decisions. DPDP Act and EU AI Act both require a right to contest automated decisions.

High

Fix: Implement an adverse action notification process with human review escalation. Document the override procedure and train customer-facing staff.

DPDP Act 2023 Section 12 · GDPR Article 22(3) · EU AI Act Article 14 · Effort: Medium · 90 days

Operational Controls & Incident Response

3/5 · Defined

Operational controls are above average by industry norms. The CI/CD pipeline, staged deployments, and on-call rotations show engineering maturity. The gap is the AI-specific layer: the incident response plan was written for IT failures, not for a credit model that begins outputting discriminatory results at 2am. An AI annex to the existing IRP is a low-effort, high-value addition.

Strengths

Model deployment uses CI/CD with staged rollouts.
An incident response plan exists for IT systems, partially covering AI.
On-call rotations are defined for production model failures.

Gaps (1)

The existing incident response plan does not address AI-specific failure modes: model drift, discriminatory output, or regulatory notification obligations.

High

Fix: Extend the IRP with an AI annex covering: drift-triggered response, discriminatory output escalation, regulator notification timelines, and a named AI Incident Commander role.

RBI MRM Directions Para 7.2 · FCA SS1/23 Section 4 · Effort: Low · 30 days

04 · 90-day remediation roadmap

The 90-day roadmap is sequenced to close the highest-risk gaps first while building the governance infrastructure that makes subsequent remediation systematic rather than reactive.

**Immediate (0–30 days):** Model inventory, bias audit, and performance threshold definition. These three actions require no new technology, close the three Critical gaps, and can be executed in parallel.

**Phase 2 (30–60 days):** Model documentation retrofitting, consent management extension, and AI IRP annex. These build on the inventory and threshold work from Phase 1.

**Phase 3 (60–90 days):** Independent validation programme for the top three models, adverse action notification process, and board governance reporting pack. These require more coordination but should be completable within the 90-day window with executive sponsorship.

At 90 days, Meridian should be in a position to present a credible governance posture to any of the five regulators covered by this assessment.