LendingIQ logo
← How to Build Series

How to Build Series

How to Build a Risk Provisioning Agent for a Lending Institution

Provisioning is the most consequential accounting exercise a lending institution runs. Get the classification wrong and you misstate your balance sheet. Get the provision rate wrong and you either under-provide — storing up a capital shock — or over-provide and distort your P&L. Most risk teams still run this on spreadsheets, with manual DPD lookups and rate tables that lag policy updates by weeks. A well-designed AI Risk Provisioning Agent can automate the entire classification-to-schedule pipeline.

Last updated: May 2026By LendingIQ6 min read

What is a Risk Provisioning Agent?

A Risk Provisioning Agent is an AI agent that automates loan asset classification under IRACP norms, calculates provision requirements at the account and portfolio level, and produces audit-ready provisioning schedules for board and regulator review.

The core tasks it replaces are: pulling repayment records to compute DPD, mapping each account to its correct NPA category, applying the applicable provision rate from the institution's policy, aggregating to a portfolio-level provision requirement, and producing the schedule in the format required for board packs, statutory audit, and RBI inspection. What takes a risk team four to six working days per quarter can be reduced to under an hour of supervised run time.

Scope boundary

A provisioning agent classifies and calculates. It does not make write-off decisions, does not approve provision releases, and does not submit regulatory returns. Those remain human-governed actions.

Why is IRACP the non-negotiable foundation?

IRACP — Income Recognition, Asset Classification, and Provisioning — is the RBI framework that governs how banks and NBFCs classify loan assets and calculate minimum provisions. Any AI provisioning agent deployed in India must implement IRACP classification logic correctly as its base layer; nothing else can substitute for it in a regulated environment.

The IRACP asset classification hierarchy is as follows:

Asset Class Classification trigger Minimum provision rate
Standard No overdue; performing as contracted 0.25%–1% (varies by portfolio segment)
SMA-0 1–30 DPD or interest/principal overdue up to 30 days Standard rates apply; watch-list flag required
SMA-1 31–60 DPD Standard rates apply; heightened monitoring
SMA-2 61–90 DPD Standard rates apply; pre-NPA intervention required
Sub-Standard NPA for up to 12 months (DPD > 90) 15% unsecured; 10% secured (after realisable value)
Doubtful – D1 Sub-Standard for 12–24 months 25% secured portion; 100% unsecured
Doubtful – D2 Sub-Standard for 24–36 months 40% secured portion; 100% unsecured
Doubtful – D3 Sub-Standard for more than 36 months 100% secured portion; 100% unsecured
Loss Identified by bank, auditor, or RBI as unrecoverable 100% of outstanding

The agent must know these rates as a base floor — not targets. The institution's internal provisioning policy may stipulate higher rates than the IRACP minimum, and the agent must always apply whichever is more conservative.

How does DPD logic drive NPA classification?

DPD — Days Past Due — is the number of calendar days since a scheduled repayment obligation (principal, interest, or instalment) was missed. It is the primary trigger variable for IRACP classification, and computing it correctly is the most operationally sensitive part of building a provisioning agent.

Three DPD computation rules the agent must implement precisely:

  1. DPD is account-level, not transaction-level. If a borrower misses a partial payment, the DPD clock starts from the original due date of the overdue amount — not the date of the partial payment. An agent that restarts the DPD clock on partial receipt will systematically under-classify accounts.
  2. Upgrades require a clean repayment period. An account cannot move from NPA back to Standard simply by clearing arrears once. IRACP requires a sustained period of satisfactory repayment — typically one year for Sub-Standard accounts — before an upgrade is permitted. The agent must track the upgrade clock separately from the DPD clock.
  3. The DPD anchor date must be consistent across the portfolio. Whether you use the CBS end-of-day date or a fixed monthly cut-off, it must be the same for every account in a given provisioning run. Inconsistency in the anchor date produces classification differences for accounts with due dates near the cut-off — a common audit finding in manual processes.
Common failure mode

DPD computed from CBS repayment ledgers and DPD computed from LMS records often diverge — due to system timing differences, NACH return processing lags, or manual adjustments. The provisioning agent must be fed from a single authoritative source, with a defined reconciliation rule when the two systems disagree.

When and how should you layer in IFRS-9 ECL?

IFRS-9 ECL (Expected Credit Loss) should be layered on top of IRACP classification, not substituted for it. IRACP compliance is mandatory for RBI reporting; IFRS-9 alignment is additionally required for institutions with international investors, overseas borrowings, listed instruments, or group-level reporting obligations under Ind AS.

The IFRS-9 staging logic maps approximately — but not identically — to IRACP classification:

IFRS-9 Stage Definition Approximate IRACP equivalent Provision basis
Stage 1 No significant increase in credit risk since origination Standard 12-month ECL
Stage 2 Significant increase in credit risk; not yet in default SMA-1 / SMA-2 Lifetime ECL
Stage 3 Credit-impaired; in default Sub-Standard / Doubtful / Loss Lifetime ECL on net carrying amount

The practical implication for the provisioning agent: IRACP classification must be computed first, and the IFRS-9 stage is then derived from it — with one important difference. IFRS-9 Stage 2 can be triggered by qualitative signals (significant deterioration in borrower risk profile, macro sector stress, covenant breach) even before DPD reaches 31 days. The agent must be able to receive qualitative risk flags from the Early Warning System and incorporate them into stage assignment, not rely on DPD alone.

What data does a Risk Provisioning Agent need?

Four data feeds are required at invocation. All of them should be injected as structured files — the agent should not pull from live systems autonomously.

  1. Loan-level repayment ledger: Account ID, scheduled due dates, actual payment dates, amounts paid vs. billed, NACH return codes where applicable. This is the primary input for DPD computation. It must be extracted at a fixed cut-off date and version-locked for the provisioning run.
  2. Outstanding balance and security register: Current principal outstanding, accrued interest, collateral type, and estimated realisable security value per account. Required for applying the secured/unsecured bifurcation in Doubtful-category provision rates.
  3. Provisioning policy document: The institution's current provisioning policy — IRACP minimum rates, any internal overlay rates, specific rules for product categories (e.g., gold loan, MSME, agri), and the write-off and upgrade criteria. This should be loaded via RAG at invocation so the agent always applies the current approved policy, not a cached version.
  4. Prior-period NPA register: The NPA classification from the previous provisioning cycle. Required for tracking upgrade and downgrade movements, computing net NPA accretion, and producing the period-on-period comparison table that statutory auditors and RBI inspectors always request.

How should the provisioning agent outputs be designed?

A provisioning agent that only produces a provision number is half-built. The outputs need to serve four distinct consumers: the risk team (verification), the CFO (P&L impact), the board (governance visibility), and the auditor / regulator (audit trail).

OutputConsumerWhat it must contain
Account-level classification schedule Risk team, auditor Every loan account with its DPD, asset class, secured/unsecured split, provision rate applied, and provision amount. Sortable by DPD, segment, and product.
Portfolio provision summary CFO, board Total provision required vs. provision held, gap (shortfall or excess), movement from prior period split into: fresh NPAs, upgrades, write-offs, and rate changes.
NPA movement schedule Board, auditor, RBI Opening NPA balance, additions (slippages), reductions (upgrades, write-offs, recoveries), closing NPA balance — by asset class and product segment.
Provision coverage ratio Board, CRO Total provisions held as a percentage of gross NPA — with trend vs. prior quarters and comparison to the institution's RAF threshold.
Exception list Risk team Accounts where classification is ambiguous, data is missing, or the computed DPD conflicts with the prior NPA register. Each exception requires a human decision before the schedule is finalised.

What hard guardrails must a Risk Provisioning Agent have?

Provisioning agents operate on data that directly affects the institution's published financial statements. The guardrails are correspondingly strict.

  • Will not classify or reclassify accounts without a complete repayment ledger. If the data for an account is missing or inconsistent, the agent flags it as an exception — it does not estimate or interpolate a classification.
  • Will not apply provision rates below the IRACP minimum. Even if the institution's internal policy contains a rate that appears to be below the regulatory floor, the agent must apply the higher of the two and flag the policy conflict for review.
  • Will not approve provision releases or write-offs. Reducing a previously held provision is an accounting decision with P&L impact. It requires CFO and audit committee sign-off — the agent can recommend and document, but cannot execute.
  • Will not produce outputs from a prior-period data set without flagging the vintage. Every provisioning output must be clearly stamped with the data cut-off date it was computed from. Undated provisioning schedules are an audit risk.
  • Will not retain loan-level data between sessions. Account-level repayment and balance data is sensitive financial information. Session-scoped memory is the only compliant default.

What does the human governance layer look like?

A well-designed provisioning agent reduces the human workload from days to hours — but it does not eliminate the human decision points. There are four that cannot be automated away.

  1. Exception resolution. Every account on the exception list requires a human decision before the schedule is finalised. The risk team reviews exceptions, applies judgment, and documents the rationale. The agent provides the exception list and the data behind each flag; the human provides the decision.
  2. Policy override documentation. Where the institution applies a provision rate higher than the IRACP minimum — or where a management overlay is applied to a segment — the rationale must be documented and approved by the risk head. The agent surfaces where overrides exist; the risk head signs off on them.
  3. Board and audit committee review. The portfolio provision summary and NPA movement schedule go to the board risk committee and audit committee for review and approval before the figures are incorporated into financial statements. The agent produces board-ready outputs; the board approves them.
  4. Regulatory submission sign-off. Any provision data submitted to RBI — whether in an NBS return, an ICAAP filing, or an inspection response — must be signed off by the CFO or authorised officer. The agent produces the data; the signatory certifies it.

Frequently Asked Questions

What is a Risk Provisioning Agent?

A Risk Provisioning Agent is an AI agent that automates loan asset classification under IRACP norms, calculates provision requirements at the account and portfolio level, and produces audit-ready provisioning schedules for board and regulator review. It handles the classification-to-schedule pipeline that most lending institutions currently run on spreadsheets.

What is IRACP and why does it matter for provisioning agents?

IRACP is the RBI framework governing Income Recognition, Asset Classification, and Provisioning for Indian lending institutions. It mandates specific DPD triggers for NPA classification and minimum provision rates for each asset class. Any AI provisioning agent deployed in India must implement IRACP logic as its base layer — it is not optional for regulated institutions.

What is the difference between IRACP provisioning and IFRS-9 ECL?

IRACP is a rules-based framework with mandated classification triggers and minimum provision rates set by RBI. IFRS-9 ECL is a forward-looking, model-driven approach requiring lifetime expected credit loss estimation. Indian lenders must comply with IRACP; IFRS-9 is additionally required for institutions with international reporting obligations. A well-built provisioning agent runs IRACP first and derives IFRS-9 stage assignments from it.

What is DPD and how does it drive NPA classification?

DPD is Days Past Due — the number of calendar days since a scheduled repayment was missed. Under IRACP, 90 DPD triggers NPA classification. DPD also drives sub-classification: SMA-0 (1–30 DPD), SMA-1 (31–60 DPD), SMA-2 (61–90 DPD). Accurate DPD computation from a single authoritative repayment source is the most operationally critical part of building a provisioning agent.

Can an AI provisioning agent replace the manual provisioning process?

It can automate the data assembly, DPD computation, classification logic, provision calculation, and schedule generation — reducing a four-to-six-day quarterly exercise to under an hour of supervised run time. The final provisioning schedule still requires CFO, risk head, and audit committee review before incorporation into financial statements. The agent removes the manual labour; the governance sign-off remains human.

What data does a Risk Provisioning Agent need to run?

Four inputs are required: a loan-level repayment ledger (for DPD computation), an outstanding balance and security register (for secured/unsecured provision rate bifurcation), the institution's current provisioning policy document (loaded via RAG), and the prior-period NPA register (for movement tracking). All should be injected at invocation — the agent should not access live systems autonomously.

See a production-ready Provisioning Agent in action

LendingIQ's Provisioning & IRACP Agent is purpose-built for Indian banks and NBFCs — running IRACP classification, provision schedule generation, and board-ready NPA movement reports on AWS Bedrock, integrated with the Risk Reporting and CRO AI agents.

View the agent catalogue →

Related reading: How to Build an AI Chief Risk Officer · Provisioning & IRACP Agent · RBI Master Direction on IRACP · IFRS 9 Financial Instruments — Deloitte IAS Plus

Recommended Next Read

Blog

The Rise of AI Agents in Banking Operations

Banks lose billions each year to risk and fraud while compliance backlogs stretch for weeks. AI agents monitor data continuously, reason over complex signals, and take action in real time.

Read now →

Case Study

How a ₹1,000 Crore NBFC Cut Underwriting Time by 75% with an AI BRE & Co-Pilot

LendingIQ redesigned underwriting for a large Indian NBFC, deploying an AI-powered Business Rules Engine (BRE) and underwriter co-pilot - enabling credit teams to configure live policy rules and evaluate every application against them in real time.

Read now →

See a production-ready AI CRO in action

LendingIQ builds AI agents for risk, underwriting, collections, compliance, and operations - with governance and auditability built in.

Book a Demo