Credit models trained on historical data inherit the biases of past lending decisions. If NBFCs historically avoided lending to retailers in certain states or trade categories, the training data will show higher "defaults" for those cohorts — not because those retailers are riskier, but because they were never given credit to repay. This creates a self-fulfilling exclusion loop. The fairness guardrail exists to detect and break this loop.

Geography is explicitly excluded as a direct feature. But indirect geographic signals (seasonal patterns, SKU categories, distributor tenure norms) can still encode regional bias. The guardrail tests outcomes, not just inputs.

• Cohort definitions: State (28 states + 8 UTs), district tier (1/2/3/4), trade category (FMCG / auto parts / general trade / agri-input / pharma), gender proxy (name-based inference — used only for audit, never as a feature)
• Matched cohort construction: For each audit, retailers are binned by behavioral similarity (GMV range × payment delay band × tenure band). Score distributions compared within bins across cohort segments.
• Disparate impact test: Adverse Impact Ratio = (fraction of cohort A receiving Band A/B) ÷ (fraction of reference cohort receiving Band A/B). Threshold: AIR ≥ 0.80 required.
• Geography exclusion verification: Geography-related features (state, district) must not appear in top-20 SHAP features globally. If they do, feature removal and model retraining is mandatory.
• Audit frequency: Quarterly scheduled; also triggered if any cohort's score distribution shifts >10% vs. prior quarter.

• Order velocity inflation: Retailer places unusually large orders in the 30–60 days before a scoring event to increase GMV and order frequency signals
• Return suppression: Retailer accepts delivery of ordered goods (not returning them as usual) to reduce return rate signal during look-back window
• Payment timing manipulation: Retailer pays invoices unusually early for 1–2 months before scoring to reduce payment delay signal
• Collusion with distributor: Distributor records fake invoices or early payments on behalf of retailer in exchange for kickback

• Isolation Forest (primary): Unsupervised anomaly detector trained on 12 months of historical behavior per retailer. Flags samples where order velocity, payment timing, or return rate deviates >3σ from the retailer's own baseline. Contamination parameter set at 5% (top 5% most anomalous are flagged).
• 60-day look-back window: Scoring event evaluates behavior over a rolling 60-day window. Manipulation must be sustained for 2 full months — not just 1–2 weeks — to influence the window meaningfully.
• Return rate counter-signal: Order inflation is often paired with low returns (retailer keeps goods they don't need). This unusual combination (high GMV + abnormally low return rate vs. baseline) is a gaming signature.
• Long-term history dominance: Payment delay signal weights 3-year history vs. recent 60-day behavior at approximately 70:30. Short-term manipulation cannot overcome multi-year payment patterns.

RBI FLDG guidelines require reason codes for credit decisions made using algorithmic scoring. The DPDP Act gives data principals the right to understand decisions made about them. And practically: a retailer told "your score is 580" with no explanation cannot do anything with that information. A retailer told "your score would improve if your payment delays reduced below 10 days" has an actionable goal.

Explainability serves three distinct audiences: the lender (credit decision audit), the retailer (understanding and appeal), and the regulator (compliance evidence). The reason code design must work for all three — without exposing the exact feature weights that would allow model gaming.

• SHAP values computed: TreeSHAP computed on every score inference. Produces a SHAP value per feature indicating contribution to the final score (positive or negative).
• Reason code mapping: SHAP values mapped to 24 categorical reason codes (12 positive, 12 negative). Mapping uses absolute SHAP value threshold (top contributing features selected). Raw SHAP numbers never exposed.
• Mandatory output: Every score response must include ≥3 positive and ≥2 negative reason codes. If SHAP computation fails, score is blocked — not served without codes.
• Retailer-facing translations: All 24 reason codes have plain-language translations in English and Hindi (regional languages in Phase 2). Translations reviewed by native speakers and plain-language accessibility testers.
• Grievance integration: Reason codes are the basis for the retailer grievance flow. If a retailer disputes a negative reason code, the grievance is routed to the correct team with the SHAP evidence attached.

Primary ceiling: 30% of trailing 6-month GMV. Rationale: a retailer's working capital need is bounded by their stock-turn cycle. A retailer with ₹5L/month GMV needs approximately ₹1–2L in working capital (stock cycle of 2–4 weeks). At 30% of 6-month GMV (≈ 5% of annual GMV), the limit is conservative enough to prevent over-indebtedness while being meaningful for the average kirana's festival-season need.

Seasonal adjustment: The ceiling is computed on the trailing 6 months at scoring time. Scoring in October uses April–September GMV. If this under-represents the festival quarter, lenders can request a seasonal-adjusted limit — which uses the highest 6-month trailing window in the past 24 months instead.

Additional affordability check: Where bureau data is available via Account Aggregator (v2), existing NBFC exposure is checked against the proposed limit. Total formal credit exposure should not exceed 40% of annualised GMV.

• Ceiling enforcement layer: Applied in the Score API service, post-model-inference. The model may produce a recommended limit; the ceiling clamps it. Model output is never served directly without passing through the ceiling layer.
• Hard-coded constant: The 30% ceiling is a compile-time constant, not a configurable parameter. Any change requires a code change, PR review, deployment, and Risk team sign-off — not a config toggle.
• API transparency: If ceiling is applied, the response includes: limit_source="gmv_ceiling", gmv_6m_trailing, ceiling_applied=true. Lenders always know when the ceiling, not the model, determined the limit.
• Lender manual override: Lender can set a higher limit via the dashboard with a documented justification. Override is capped at 150% of the GMV ceiling. Override creates an immutable audit record. All overriding lenders receive a monthly override performance report (default rates on overridden loans vs. non-overridden).
• Zero-GMV cold-start: Retailers with insufficient GMV history receive a conservative fixed starting limit (₹25,000) regardless of model score. This prevents the ceiling from being infinite for retailers with no computable GMV baseline.

Every distributor's data batch receives a completeness score (0–100%) computed across five dimensions:

• Invoice completeness: % of invoices with all required fields populated (date, amount, retailer_id, SKU category)
• Payment completeness: % of invoices with at least one associated payment record
• Temporal coverage: % of months in the last 24 months with at least 5 invoice records
• Retailer identity completeness: % of retailer records with GST or verified phone number
• Schema conformance: % of records matching expected data types and value ranges

Overall completeness = weighted average of five dimensions. Weights: Invoice 30%, Payment 30%, Temporal 20%, Identity 10%, Schema 10%.

• Completeness ≥ 70%: Full scoring permitted. Score serves without quality flag.
• Completeness 50–69%: Score served with low_confidence=true flag. Recommended limit capped at 50% of standard ceiling. Lender notified. Distributor prompted to improve data quality via dashboard.
• Completeness < 50%: Scoring blocked for this distributor's retailers. Rules-based conservative limit applied if lender explicitly requests it. Distributor alerted with specific dimension breakdowns.
• Anomalous batch detected: Bulk payment recording, duplicate invoices, all-same-day transactions → batch quarantined; feature pipeline does not process until reviewed.
• Data freshness: If last sync >7 days ago, data_freshness_days prominently surfaced in API response; >14 days, low_confidence=true automatically applied.

• Population Stability Index (PSI): Computed monthly by comparing the score distribution of the current live population vs. the training baseline distribution. PSI quantifies distribution shift across deciles. PSI <0.10 = stable; 0.10–0.20 = monitor; >0.20 = model refresh triggered.
• KS Statistic on live data: Kolmogorov-Smirnov statistic tracked monthly on the subset of retailers with known repayment outcomes (pilot + Phase 4 cohorts). If KS drops >10 points vs. validation baseline, model refresh is triggered regardless of PSI.
• PD Calibration: Predicted probability of default vs. actual 90-day default rate tracked monthly for all retailers with resolved loan outcomes. Divergence >3% triggers investigation.
• Feature drift: Individual feature distributions monitored for shift. If a top-5 SHAP feature drifts significantly (PSI >0.2 at feature level), root cause is investigated — may indicate ERP data change, not model failure.

• Champion/Challenger framework: New model versions run in shadow mode for minimum 30 days, scoring real retailers without driving decisions. Shadow mode AUROC, KS, PSI, and fairness metrics compared to champion.
• Promotion gate: Challenger must exceed champion on AUROC by ≥0.01 and not degrade on KS, PSI, or any fairness metric. Requires sign-off from: ML Lead + Head of Risk.
• Rollback protocol: If promoted model causes AUROC to drop >5% on next monthly evaluation, automatic rollback to previous champion. Rollback takes <10 minutes (pre-baked previous model artifact).
• Emergency freeze: Any team member can trigger a model freeze via the ML Ops dashboard. Frozen model serves last pre-freeze scores from cache. Freeze must be reviewed by ML Lead + CTO within 4 hours.
• Version stamping: Every API response includes model_version. Enables exact reproducibility of any historical scoring decision for audit purposes.