Back

RBI's new digital banking authorisation framework: What it means for banks and their customers

Blog Post Thumbnail

The Reserve Bank of India’s (“RBI”) continued efforts to modernise the regulatory framework for banking have culminated in a comprehensive set of directions titled ‘Reserve Bank of India (Commercial Banks – Digital Banking Channels Authorisation) Directions, 2025’ dated November 28, 2025 bearing reference number RBI/DOR/2025-26/380 DOR.RAUG.AUT.REC.303/24.01.041/2025-26 (“Digital Banking Directions”). While digital banking has become the primary mode of interaction for millions of customers, the regulatory framework governing the launch and operation of digital banking channels has largely evolved through a patchwork of circulars and supervisory expectations over the years.

The new Digital Banking Directions, effective from 1 January 2026, seek to bring greater clarity, consistency and accountability to the manner in which commercial banks offer digital banking services. Although the Digital BankingDirections do not fundamentally alter the digital banking landscape, they establish a more structured regulatory architecture that banks will need to navigate before launching or expanding digital banking channels.

For banks, the Digital BankingDirections introduce enhanced governance and authorisation requirements. For customers, they reinforce transparency, consent and operational safeguards. Together, these measures reflect the RBI's broader objective of ensuring that innovation in banking is accompanied by robust risk management and customer protection.

A clear distinction between view only and transactional banking services

One of the most significant features of the Digital Banking Directions is the formal distinction between ‘view-only’ and ‘transactional’ digital banking facilities. Under the new framework, view only facilities include services such as balance enquiries, account viewing and statement downloads. These facilities do not permit transactions that alter a customer's assets or liabilities. transactional facilities, on the other hand, include fund transfers and other banking services.

This distinction may appear technical, but it has important regulatory consequences. Banks wishing to offer transactional facilities face a higher threshold of regulatory scrutiny than those offering only informational services. By formally categorising digital banking services according to their risk profile, the RBI has adopted a more nuanced approach to regulation. The framework recognises that a customer merely viewing an account presents a different risk profile from a customer executing financial transactions through digital channels.

Higher entry barriers for transactional digital banking

Perhaps the most consequential change for banks is the requirement to obtain prior RBI approval before launching transactional digital banking facilities. To qualify for such approval, banks must satisfy a range of prudential, technological and operational requirements. These include implementation of a Core Banking Solution, readiness of public facing infrastructure to handle IPv6 traffic, compliance with capital adequacy requirements and maintenance of minimum capital or net worth thresholds applicable under their licensing conditions.

Banks must also demonstrate that they possess adequate financial resources, technological capabilities and skilled personnel necessary to support digital banking operations on an ongoing basis. This reflects a broader regulatory trend in which technology is no longer viewed as a support function but as a critical component of banking infrastructure requiring the same level of oversight as traditional banking operations.

Introduction of independent technology assurance

A particularly noteworthy feature of the Digital Banking Directions is the requirement for banks to submit a Gap Assessment and Internal Controls Adequacy (GAICA) Report certified by a CERT-In empanelled auditor. This requirement introduces an additional layer of independent assurance regarding the effectiveness of technological controls and internal systems before a bank can launch or expand transactional digital banking services.

For many institutions, the practical impact may be significant. Technology, cyber security and operational resilience teams will need to engage much earlier in the product development process to ensure that regulatory expectations are addressed before launch. The requirement also reflects the RBI's increasing emphasis on preventive supervision. Rather than identifying weaknesses after a system failure or cyber incident, the regulator is seeking assurance that appropriate controls are embedded at the outset.

Stronger integration with technology and cybersecurity regulations

The Digital Banking Directions expressly link digital banking operations to a broader ecosystem of technology and risk management regulations. Banks offering digital banking services must ensure compliance with requirements relating to information technology (IT) governance, cyber security, digital payment security controls, fraud risk management and outsourcing of information technology services.

This integrated approach is significant because it reinforces the principle that digital banking cannot be regulated in isolation. For banks, compliance with the new framework will therefore require coordination across legal, compliance, technology, information security and operational teams.

Customer consent takes centre stage

From a customer protection perspective, one of the most important provisions is the requirement for explicit customer consent before registration or de-registration for digital banking services.

Banks must ensure that customer consent is appropriately recorded and documented. They must also clearly communicate the terms and conditions applicable to digital banking services, including charges, grievance redressal mechanisms, stop payment processes and customer responsibilities.

Importantly, the Digital Banking Directions require such information to be presented in clear and comprehensible language, preferably in English, Hindi and the relevant local language. This emphasis on informed consent reflects the RBI's recognition that accessibility and transparency are essential components of customer protection in an increasingly digital banking environment.

No forced migration to digital channels

An interesting and customer friendly provision in the Digital Banking Directions is the prohibition on compulsory bundling of digital banking services. Banks cannot require customers to subscribe to digital banking facilities as a precondition for obtaining other banking products or services. The decision to use digital banking channels must remain entirely with the customer.

While many customers today prefer digital channels, the RBI has acknowledged that segments of the population may continue to rely on traditional banking methods. The framework therefore seeks to preserve customer choice rather than forcing migration towards digital platforms. This approach is consistent with the RBI's broader emphasis on financial inclusion and equitable access to banking services.

Restrictions on third party product promotion

The Digital Banking Directions also place limitations on the display of third party products and services through digital banking channels. Unless specifically permitted under applicable RBI regulations, banks cannot use their digital banking platforms as unrestricted marketplaces for external products and services.