ARTICLE
24 March 2026

RBI’s 2026 Digital Banking And Governance Overhaul: Key Action Points For Banks And NBFCs

LP
Legitpro Law

Contributor

Legitpro Law logo
Legitpro is a leading international full service law firm providing integrated legal & business advisory services, operating through 5 locations with 100+ people. Our purpose is to deliver positive outcomes with our colleagues, clients and communities. The firm proudly serves a diverse clientele, including multinational corporations, foreign companies—particularly those from Japan, China, and Australia and dynamic startups across various industries. Additionally, the firm is empanelled with the Competition Commission of India (CCI) to represent it before High Courts across India. Our Partners also serve as Standing Counsel for prestigious institutions such as the Government of India (GOI), the National Highways Authority of India (NHAI), Serious Fraud Investigation Office (SFIO) and the Union Public Service Commission (UPSC).
Explore Firm Details
Indian banks and their group entities will enter a stricter regulatory framework starting in January 2026 when the Reserve Bank of India implements its new digital banking and group governance and liquidity and payment security regulations.
India Finance and Banking
Jolwarhring Hrangbung
Your Author LinkedIn Connections
Jolwarhring Hrangbung’s articles from Legitpro Law are most popular:
  • within Finance and Banking topic(s)
  • with readers working within the Securities & Investment and Law Firm industries
Legitpro Law are most popular:
  • within Finance and Banking, Real Estate and Construction and Strategy topic(s)

Indian banks and their group entities will enter a stricter regulatory framework starting in January 2026 when the Reserve Bank of India implements its new digital banking and group governance and liquidity and payment security regulations. The shift includes a fresh authorisation regime for digital channels, stricter rules on group entity businesses and ring fencing of core banking, enhanced liquidity assumptions for digital deposits, and upgraded authentication standards for digital payments. This article sets out the key regulatory changes and what banks and NBFCs need to do between now and 2028.

1. What Has Changed In RBI’s 2026 Framework

A. New digital banking authorisation- who can offer what

Starting 1 January 2026, only banks that receive explicit authorisation under RBI’s new digital banking framework can offer internet banking, mobile banking, USSD, SMS and other electronic banking channels. The new system replaces previous fragmented standards through the implementation of a complete Digital Banking Channels Authorisation system which establishes eligibility requirements and governance standards and ongoing compliance requirements for commercial banks. Banks must demonstrate robust customer consent mechanisms, secure onboarding and de registration flows, real time alerts and strong grievance redressal to qualify and remain authorised.

Banks that experience frequent outages and high fraud rates and persistent customer complaint backlogs will face stricter enforcement of the framework because they depend on third party fintech partners for customer onboarding and servicing. The RBI will condition its authorisation and renewal process on banks showing progress in three areas which include IT resilience and vendor risk management and business continuity planning that needs both independent auditing and board level supervision.

B. Structural ring fencing of core and non core banking

RBI has directed banks to structurally separate core banking functions such as deposit mobilisation and retail banking from higher risk, non core activities carried out within group entities. Banks must submit board approved plans by March 31, 2026 which will show their methods to protect essential operations and their processes to combine duplicated businesses and their methods to match organizational structures with product “exclusivity” requirements. The complete execution of these restructuring plans will reach its final stage by March 31, 2028 while companies will face restrictions on entering new markets within competing business areas beginning April 1, 2026.

C. Revised liquidity treatment for digital deposits

The upcoming prudential regulations which will start on April 1, 2026 will require banks to use higher outflow rates when calculating their digital deposits for liquidity coverage and stress testing requirements. Banks which handle most of their deposits through digital platforms must maintain larger liquidity reserves and update their internal stress testing procedures. The banks which have built their deposit business through digital channels but failed to improve their liquidity risk management will experience the greatest impact from this situation.

2. Digital Banking - Customer Protection And Operational Expectations

A. Consent, alerts and grievance redressal

The new digital banking guidelines require banks to obtain documented customer consent before granting access to digital banking services. Banks need to establish secure processes for customers to start and stop digital banking services and they have to send transaction notifications for all account activities. They must also clearly lay out liability frameworks for unauthorised or disputed transactions and maintain responsive grievance redressal channels with defined turnaround times. These obligations require banks to review end to end customer journeys, from onboarding and authentication to dispute resolution, across all digital channels.

B. Strengthened authentication for digital payments

RBI’s updated guidelines on digital payment authentication mandates at least two factor authentication for digital payments, with at least one factor being a dynamic element such as a password, OTP or biometric, except for card present transactions. The framework does not prescribe a specific technology but expects institutions to adopt robust, up to date security controls and move away from outdated SMS/email only OTP regimes. Banks and payment providers are therefore redesigning authentication flows, exploring stronger device binding, biometrics and risk based authentication to meet the new baseline.

C. Customer liability and fraud protection

The Reserve Bank of India published draft guidelines which seek to improve protection against digital banking fraud through improved definitions of legitimate and fraudulent transactions and new customer liability regulations. The proposed framework, which will start applying on July 1, 2026, establishes uniform compensation payment timelines while specifying conditions that determine total or partial customer liability. Banks must update their internal procedures and customer interaction methods and fraud detection systems after the final guidelines become available to them.

In operational terms, this will require banks to overhaul their operational requirements for banks to establish dedicated fraud dispute queues and create standard communication templates for provisional credit and rejection processes and to implement time stamping and audit tracking for all contact points will necessitate banks to develop new incident management procedures. Product and UX teams will also need to redesign in-app journeys so that customers can easily report disputed transactions, freeze channels and track the status of their complaints, rather than relying solely on call centre escalation.

3. Group Governance, Business Restrictions And Compliance Timelines

A. Overlapping businesses and exclusivity principle

RBI’s amendments to the “Commercial Banks - Undertaking of Financial Services” Directions, 2025, tighten rules on overlapping businesses between banks and their group entities. In particular, paragraph 18 introduces an “exclusivity” principle under which activities that are already carried out departmentally by the bank such as certain lending products should not be replicated in group entities without a board approved justification. Banks which do not comply with these restrictions must cease their operations in affected business areas starting on April 1, 2026 and they need to achieve complete compliance by March 31, 2028.

B. Board oversight and restructuring plans

Banks are required to submit comprehensive compliance and restructuring plans to RBI by March 31, 2026 detailing how they will bring group structures, intra group exposures and overlapping activities into line with the revised Directions. These plans must be backed by board approved policies on group entity activities, conflict management, capital allocation and risk sharing. Supervisory commentary indicates that RBI will closely scrutinise entities with complex group structures, significant related party transactions or heavy reliance on group entities for certain products.

C. Supervisory focus and thematic reviews

Current supervisory communications indicate that RBI will use data driven, off site monitoring together with specific thematic inspections to evaluate bank compliance with 2026 reforms. Organizations that operate with complicated group structures and experience elevated digital fraud rates and multiple violations of customer protection rules will face intensified examination of their board meeting records and outsourcing contracts and technology modification logs and investigation results. The current situation will result in negative supervisory evaluations when organizations treat their new regulations as temporary compliance tasks instead of permanent governance and risk management transformation efforts.

4. Compliance And Risk Management Checklist For Banks And NBFCs

A. Digital banking readiness by January 1, 2026

  1. Map all digital channels and services, including internet banking, mobile apps, USSD, SMS, call centre assisted flows and APIs, to the new authorisation framework.
  2. Review consent capture, activation/deactivation mechanics, alerting mechanisms and grievance redressal against the new standards and remediate gaps.
  3. Prepare documentation and evidence packs for RBI showing compliance with digital banking authorisation conditions.

B. Payment security and authentication by April 1, 2026

  1. Re design authentication flows for digital payments to ensure at least one dynamic factor and move away from exclusive reliance on SMS/email OTPs.
  2. Align device binding, biometrics and step up authentication with the improved security baseline, without compromising user experience where possible.
  3. Update internal policies, customer terms and incident response playbooks for the new payment security regime.

5. Group structure, overlapping business and liquidity by March 31, 2026 and beyond

  1. Conduct a group wide mapping of all financial services activities, identifying overlaps between bank departments and group entities in light of paragraph 18 of the amended Directions.
  2. Prepare board approved restructuring and compliance plans for submission to RBI by March 31, 2026, with a clear roadmap to full alignment by March 31, 2028.
  3. Re calibrate liquidity risk management and stress testing frameworks to reflect higher outflow assumptions on digital deposits from April 1, 2026.

6. Key Takeaways For Banks And NBFCs

RBI’s 2026 reforms signal a decisive tightening of expectations on digital banking security, customer protection, liquidity management and group governance. For banks and NBFC led groups, the 2026–28 window is both a compliance challenge and an opportunity to rationalise group structures, modernise digital infrastructure and strengthen trust with customers and regulators. Institutions that proactively re design their digital channels, ring fence core banking and upgrade risk management frameworks are likely to be better positioned in the next supervisory cycle.

7. Practical FAQs On RBI’s 2026 Banking Overhaul

Q. Can all banks continue offering internet and mobile banking after January 1, 2026?

No. Only banks that meet the criteria and obtain authorisation under the new digital banking framework can continue to offer internet, mobile, USSD and SMS banking beyond January 1, 2026. Banks that fall short on governance, security or customer protection standards may face restrictions or conditions.

Q. What happens if a bank does not restructure overlapping group businesses by March 31, 2028?

Banks that do not match their organizational structure and business operations with the new Directions requirements should expect their business activities to be restricted through supervisory actions which include limitations on their ability to expand operations and distribute capital and introduce new products. From April 1 2026, all businesses must cease operations in specific overlapping market segments, but existing business activities will continue until complete reduction of their previous market presence.

Q. How will customers be protected against digital banking frauds under the new framework?

The draft guidelines from RBI establish distinct definitions for three types of transactions which include authorized transactions, unauthorized transactions and fraudulently conducted transactions. The guidelines establish unified timeframes which financial institutions must follow to report incidents and resolve those incidents. The guidelines define under which circumstances customers will have no liability, limited liability or complete liability for their financial obligations. Banks will have to implement changes to their internal operations and their communication methods and their compensation procedures after the standards receive final approval.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Jolwarhring Hrangbung
Jolwarhring Hrangbung
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More