RBI Issues Draft Guidelines on Digital Banking Channels: Proposes New Compliance Norms and Ban on Third-Party Promotions

The Reserve Bank of India (RBI) has issued the draft “Digital Banking Channels Authorisation Directions, 2025”, introducing a comprehensive regulatory framework aimed at strengthening the governance, security, and transparency of digital banking services. The draft proposes significant restrictions, including a prohibition on the display of third-party products and services on banks’ digital platforms, and mandates customer consent for availing digital services.

Key Proposals in the Draft Directions

As per the draft issued on July 22, 2025, the RBI has explicitly stated:

“Third-party products and services, including those of promoter groups or bank group entities (subsidiaries/joint ventures/associates), shall not be displayed on banks’ digital banking channels except as specifically permitted by the Reserve Bank from time to time.”

The directions aim to standardize the framework across all digital banking channels and establish uniform definitions and eligibility criteria.

Definitions under the Draft Directions

• Digital Banking Channels: Platforms offered by banks for financial and other banking transactions using internet, mobile, or other electronic means.
• Internet Banking: Web-based access to bank accounts and services (excluding mobile applications).
• Mobile Banking: Services accessed through mobile applications, SMS, or USSD.
• View-Only Banking Facility: Allows customers to access non-transactional services such as balance enquiry or statement downloads.
• Transactional Banking Facility: Enables customers to execute fund-based and non-fund-based banking transactions.

Applicability and Scope

These directions are applicable to all commercial and cooperative banks. They encompass technological standards, compliance obligations, customer service requirements, risk management frameworks, and prudential norms. The RBI has invited feedback from stakeholders until August 11, 2025, following which the final guidelines will be issued.

Eligibility Criteria

1. View-Only Banking Facility

Banks are eligible to offer view-only services if they:

• Have implemented a Core Banking Solution (CBS).
• Possess IT infrastructure compatible with Internet Protocol Version 6 (IPv6).

Upon launching the facility, banks must submit a Gap Assessment and Internal Controls Adequacy (GAICA) report to the RBI within 30 days.

2. Transactional Banking Facility

Banks seeking to offer transactional services must obtain prior RBI approval and meet the following criteria:

• Full CBS implementation and IPv6-enabled IT infrastructure.
• Minimum regulatory Capital to Risk-weighted Assets Ratio (CRAR).
• Net worth of ₹50 crore or higher as of the preceding financial year-end.
• Adequate financial and technical capability, including a cost-benefit analysis, technology plan, and skilled personnel.
• A sound track record of compliance, including:
  • GAICA report certified by CERT-In empanelled auditors.
  • No significant adverse observations in Information Security audits from the past two years.
  • Supervisory authority feedback.

Banks approved under this framework will require additional approvals to introduce any new digital banking channel not previously authorised.

Customer Consent and Transparency

Banks must obtain explicit consent from customers before providing digital banking services. Terms and conditions must be:

• Clear, simple, and available in English, Hindi, and the local language.
• Inclusive of details regarding charges, service terms, grievance redress mechanisms, and customer liabilities.

Customers must not be compelled to adopt digital channels to access other banking services (e.g., debit cards). However, banks may collect and use customer mobile numbers to send alerts and notifications as part of KYC compliance.

Risk Mitigation and Monitoring

Banks must implement robust risk-based monitoring, including transaction and velocity limits, fraud checks, and surveillance systems that track anomalous behaviour. Risk mitigation must align with the stricter of RBI or payment network standards (e.g., NPCI, Visa, Mastercard).

Mobile banking services (excluding apps) must be network-agnostic, accessible across all telecom operators.

Legal and Regulatory Compliance

Banks must ensure ongoing compliance with the following:

• Information Technology Act, 2000, Digital Personal Data Protection Act, 2023, and other relevant statutes.
• RBI circulars on domestic money transfer, customer service standards, disabled access, FEMA, and KYC/AML/CFT norms.
• Guidelines issued under the Payment and Settlement Systems (PSS) Act, 2007.

Prohibition on Third-Party Product Promotion

The draft directions reaffirm the RBI’s position against the advertisement or sale of third-party financial products—including those by bank promoter groups—through digital channels, unless explicitly permitted. This aligns with earlier instructions under:

• Master Direction – Reserve Bank of India (Financial Services provided by Banks) Directions, 2016
• Circular on Digital Banking Units (DBUs) dated April 7, 2022
• RBI guidelines on branch authorisation and related matters.

Conclusion

The Digital Banking Channels Authorisation Directions, 2025 seek to instill greater discipline and transparency in the digital banking ecosystem, ensuring enhanced customer protection, operational integrity, and regulatory oversight. Stakeholder feedback will shape the final directive, expected to come into effect shortly after the consultation window closes on August 11, 2025.