Mint Explainer | New RBI digital banking rules kick in 2026—here’s what it means
The central bank’s new framework tightens approvals, raises compliance standards and reshapes how banks deliver digital services to millions of users.
MUMBAI: The Reserve Bank of India (RBI) has issued guidelines for how banks can offer services through digital channels, following industry feedback on the draft guidelines issued in July. Coming into force on 1 January 2026, these rules tighten approvals for banks, raise compliance and customer-protection requirements, and strengthen disclosure and grievance-redressal standards.
The new guidelines are a response to increasing complaints against banks for pushing customers to download bank mobile applications to avail internet banking services or to activate cards. These rules come at a time when the regulator has been focussing on customer experience and cracking down on banks to stop bundling of services.
“RBI’s Digital Banking Channels Directions mark a decisive tightening in digital governance while placing customer protection at the centre," Pratik Shah, partner and national leader - financial services at EY India said, calling the circular “progressive".
Mint examines the implications of the new framework for banks and their digital banking customers.
What are digital banking channels?
Digital banking channels are the modes through which banks offer services via internet banking, mobile banking and other electronic platforms. These channels enable financial, banking and related transactions, supported by significant process automation and cross-institutional service capabilities.
They include full transaction-banking facilities, covering all fund-based and non-fund-based services, as well as ‘view-only’ facilities that let customers check balances, view account information and download statements without altering their assets or liabilities.
Banks offering only view-only access cannot provide loans, fund transfers or any service that creates liability or moves funds. They may, however, offer downloadable forms for such services.
Who are the new rules applicable to?
Industry players had sought to extend the guidelines to non-banking financial companies (NBFCs) and fintechs, but the RBI has restricted their scope to different categories of banks.
However, if banks outsource activities to third parties or fintechs, they must ensure that those services comply with the existing instructions applicable to the underlying products or services.
What permissions are required to offer services via digital banking channels?
Any bank with a core banking solution (CBS) and public-facing IT infrastructure capable of handling Internet Protocol Version 6 (IPv6) traffic can offer view-only internet, mobile and other digital banking services.
Launching transactional digital banking, however, requires prior approval from the RBI. Banks must meet additional conditions, including having an operational CBS and IPv6-enabled infrastructure, complying with the minimum regulatory capital-to-risk-weighted assets ratio and net-worth requirements, demonstrating adequate financial and technical capability, a strong track record of regulatory and cybersecurity compliance, and robust internal controls.
Applicant banks must also submit a detailed report outlining expected expenditure on setup, maintenance and upgrades, availability of funds, cost-benefit analysis, involvement of third-party technology providers, proposed technology, and the availability of skilled personnel to manage operations or oversee outsourced functions.
Banks must now meet strict prudential, cybersecurity and audit criteria before offering transactional digital services, including minimum capital thresholds, third-party CERT-In certified gap assessments and a clean cyber-audit track record.
EY’s Shah said this ‘consent-first, convenience-later’ approach ensures customers opt into digital banking on their terms, with clear visibility of charges, rights, liability limits and grievance pathways. Further, the norms will help control digital fraud, improve transparency, and build greater confidence especially among first-time and rural users.
“In a way, this moves digital banking from a self-declared launch model to a controlled authorisation regime, ensuring only institutions with robust risk and fraud management can scale digital channels," he said. “RBI is sending a clear message: innovation must ride on responsibility — digital growth should not come at the expense of consumer choice or security."
What are the rules for banks?
The framework requires explicit, documented customer consent for registering or deregistering digital banking services. Banks cannot display third-party products or services after a customer logs in, unless specifically permitted.
Banks must send SMS or email alerts to customers for all financial and non-financial account operations and provide multiple registration channels to reduce the need for branch visits.
Banks offering mobile banking outside mobile apps must ensure access across mobile network operators. They must also adopt risk-mitigation measures such as transaction limits, velocity limits and fraud checks. Where requirements from the RBI and a payment-system operator both apply, the stricter rule will prevail.
According to Vivek Mandhata, managing director and partner, BCG, the biggest takeaway is the changes on the mobile banking and card linkage. As of now, debit card activation, limit management and other services are mobile-driven, whereas the new rules will force banks to think about how they deliver it.
“However, it’s not something they cannot deal with, especially given most customers are expected to still prefer mobile," Mandhata said, adding that the new norms are balanced and don’t challenge banks too much given that they are used to taking customer consent and can’t force mobile or internet banking on any consumer.
“To that extent, it's not going to hurt the banking business. Also the focus on core business has been consistent from the regulator. The spirit is that third party products don't take mainstage and that banks are different from fintechs or e-commerce platforms," he added.
How will the new rules help users?
Customers are not required to opt into digital channels to access other services, such as debit cards. They may choose any combination of digital-banking services, and banks cannot bundle them. Banks may obtain and record customer mobile numbers solely for the purpose of sending alerts.
For registration, banks must present terms and conditions in clear, simple language, ideally in English, Hindi and the local language, covering charges, stop-payment processes, helpdesk information, grievance-redressal channels, and customer responsibilities and liabilities.
Banks must also follow existing customer-protection rules, including limiting liability for unauthorised electronic transactions and sending mandatory alerts, and ensure that all terms and conditions comply with these requirements. These measures are expected to improve protection and clarity for users of digital-banking services.
“The norms continue to emphasise on customer consent, whether its on how banks display information on the website, the services, the outsourcing, even the partnerships, everything has been made transparent to the consumer. So it’s very customer choice driven," BCG’s Mandhata said.
topics
