RBI’s new digital banking rules kick in, pushing banks into tighter authorisation regime
By Cygnus | 05 Jan 2026
MUMBAI — Indian banks began 2026 under a far stricter regulatory lens as the Reserve Bank of India’s new framework governing digital banking channels came into force on January 1, 2026. The Digital Banking Channels Authorisation Directions, 2025 shift the sector to a controlled authorisation model, requiring banks to demonstrate both financial strength and technical readiness before offering transactional digital services.
The new rules mark a clear change from the earlier, more permissive approach to digital rollouts. Banks can no longer launch or continue digital offerings by default. Instead, each service must now meet defined prudential, infrastructure, and cybersecurity benchmarks, effectively tying digital expansion to operational maturity.
Financial and Technical Benchmarks
At the heart of the framework are tighter eligibility thresholds. Only banks with a fully implemented core banking system (CBS) and an IPv6-enabled IT network qualify to offer transactional digital services. In addition, institutions must meet a minimum net worth of ₹50 crore and remain compliant with capital adequacy norms, linking digital ambition directly to balance-sheet resilience.
The “Consent-First” Mandate
Customer protection is another central pillar. Banks are now required to obtain explicit, recorded customer consent before activating any digital banking channel. The practice of bundling digital access with other products—such as forcing digital enrollment for debit card issuance—has been explicitly disallowed. Every digital transaction or account-related action must also trigger a real-time SMS or email alert, tightening transparency and audit trails.
Cybersecurity standards have been raised in parallel. Banks must submit a Gap Assessment and Internal Controls Adequacy (GAICA) report, certified by a CERT-In empanelled auditor, before receiving authorisation. For lenders with legacy systems, this requirement could translate into higher near-term compliance costs.
Next Phase: April 2026 Biometrics
While January 2026 marks the formal start of the authorisation regime, the regulatory shift is only partly complete. The RBI has already set April 1, 2026, as the next milestone, when a new Digital Payment Authentication Framework will come into effect. This phase is expected to push banks away from SMS-based OTPs toward more secure methods such as biometrics or app-based authentication tokens.
Summary
The RBI’s Digital Banking Directions, 2025, became effective on January 1, 2026, introducing a controlled approval regime. Banks must now meet stricter financial (₹50 crore net worth), infrastructure (IPv6/CBS), and cybersecurity (GAICA) requirements. This is phase one of a broader reset, with tougher biometric-led authentication standards scheduled for April 1, 2026.
