The Reserve Bank of India (RBI) has ushered in a new era of digital banking governance with its finalized Digital Banking Channels Directions. Issued after considering industry feedback on a draft from July, the comprehensive framework is set to become mandatory for all banks from 1 January 2026. The rules fundamentally reshape how banks can offer services online, placing unprecedented emphasis on customer protection, explicit consent, and institutional accountability.
Core Objectives: Curbing Complaints and Enhancing Governance
The central bank's move is a direct response to a surge in customer grievances. A primary trigger has been banks compelling customers to download mobile applications simply to activate debit cards or access basic internet banking services. The regulator is cracking down on this forced bundling of services, ensuring that digital adoption is driven by customer choice, not coercion.
Pratik Shah, Partner and National Leader for Financial Services at EY India, hailed the circular as "progressive." He stated that it marks a decisive tightening in digital governance while firmly placing customer protection at its core. The shift is from a self-declared model to a controlled authorization regime, meaning banks must now prove their mettle before launching full-scale transactional digital services.
Key Changes for Banks: A Higher Bar for Digital Launch
The new framework introduces a two-tiered system for digital banking permissions. While banks with a Core Banking Solution (CBS) and IPv6-ready infrastructure can offer 'view-only' services (checking balances, statements) freely, launching transactional services (fund transfers, loans) now requires explicit prior approval from the RBI.
To earn this approval, banks must meet stringent criteria. This includes maintaining the required capital ratios, demonstrating a strong track record of regulatory and cybersecurity compliance, and having robust internal controls. They must also submit detailed reports on technology expenditure, third-party involvement, and skilled personnel availability. Crucially, banks need a clean cyber-audit record and must conduct gap assessments certified by third-party agencies like CERT-In.
Vivek Mandhata, Managing Director and Partner at BCG, noted that the biggest operational change concerns mobile banking and card linkages. Services like debit card activation, traditionally pushed through mobile apps, will now need alternative, consent-based pathways. However, he believes banks are well-equipped to adapt, as the norms are balanced and reinforce existing principles of customer consent.
Empowering the Customer: Choice, Transparency, and Redressal
For millions of digital banking users in India, the new rules translate into greater control and clarity. The cornerstone principle is explicit, documented customer consent for registering or de-registering any digital service. Banks are prohibited from forcing customers into digital channels to avail of other services like debit cards.
Key user benefits include:
- No Bundling: Customers can choose any combination of digital services; banks cannot bundle them together.
- Transparent Communication: Terms and conditions must be presented in clear, simple language, ideally in English, Hindi, and the local language, detailing all charges, liability limits, and grievance-redressal channels.
- Clean Interfaces: After login, banks cannot display third-party products or services unless specifically permitted, ensuring a focused banking experience.
- Multiple Registration Channels: Banks must provide options beyond branch visits to register for services, reducing friction.
- Strengthened Alerts: Mandatory SMS/email alerts for all financial and non-financial account operations remain a key protection layer.
Mandhata emphasized that the norms make the entire ecosystem—from service display to partnerships—transparent to the consumer, making it intensely customer-choice driven.
Scope, Outsourcing, and the Road Ahead
While the industry had hoped for the rules to cover Non-Banking Financial Companies (NBFCs) and fintechs directly, the RBI has currently restricted the scope to various categories of banks. However, a critical clause ensures that if banks outsource any digital banking activities to third parties or fintechs, the banks remain responsible for ensuring those services comply with all underlying regulatory instructions.
Analysts see this framework as RBI's clear message that innovation must ride on responsibility. Digital growth cannot come at the expense of consumer security or choice. By raising the entry barrier for banks and empowering customers with unambiguous rights, the regulator aims to build a more resilient, trustworthy, and inclusive digital banking landscape for India's future.
