Draft for Comments

RBI/2025-26/xx
DoR.RAUG.AUT.REC.Sxxxx/24.01.041/2025-26

July xx, 2025

Reserve Bank of India – Digital Banking Channels Authorisation Directions, 2025

In exercise of the powers conferred under Section 35A read with Section 56 of the Banking Regulation Act, 1949 (hereinafter called the Act), the Reserve Bank, being satisfied that it is necessary and expedient in the public interest to do so, hereby, issues the following directions.

CHAPTER I
Preliminary

1. Short Title and Commencement

These Directions shall be called the Reserve Bank of India (Digital Banking Channels Authorisation) Directions, 2025.

2. Effective Date

These Directions shall come into effect from the date of final issuance of these directions.

3. Applicability

The provisions of these Directions shall apply to all banks authorised to operate in India (commercial banks and cooperative banks).

4. Definitions

4.1 In these Master Directions, unless the context otherwise requires, the following definitions shall be applicable:

1. Digital Banking Channels – Digital Banking Channels refer to modes provided by the banks over web sites (i.e., internet banking), mobile phones (i.e., mobile banking) or other digital channels through electronic devices/equipment for the execution of financial, banking and other transactions as required for digital banking services which involve significant level of process automation and cross-institutional service capabilities.

2. Internet Banking – Digital banking channel offered by a bank to its customers for managing their accounts and accessing its services over the internet (including web browser-based applications but excluding mobile applications).

3. Mobile Banking – Digital banking channel offered by a bank to its customers for managing their accounts and accessing its services using mobile applications, unstructured supplementary service data (USSD), and short message service (SMS).

4. View Only Banking Facility – A feature of digital banking channels which only allows banking services that do not alter the asset or liability of the customer viz. balance enquiry, balance viewing, account statement download, etc.
   
   Note: Loans, funds transfers, and other such facilities, which create liability for the customer and/or involve movement of funds, cannot be provided by banks having view only facility over digital channels. However, banks providing view only facility can provide downloadable forms for such facilities.

5. Transactional Banking facility – A feature of digital banking channels through which all fund-based or non-fund-based banking services can be provided.

6. Commercial Banks - These include Public Sector Banks (PSBs), Private Sector Banks (PVBs), Foreign Banks (FBs), Regional Rural Banks (RRBs), Small Finance Banks (SFBs), Payment Banks, and Local Area Banks (LABs).

7. Cooperative Banks – These include Primary (Urban) Co-operative Banks (UCBs), State Co-operative Banks (StCBs), and District Central Co-operative Banks (DCCBs).

4.2 All other expressions unless defined herein shall have the same meaning as have been assigned to them under the Banking Regulation Act, 1949 or the Reserve Bank of India Act, 1934 and rules / regulations made thereunder, or any statutory modification or re-enactment thereto or as used in commercial parlance, as the case may be.

Chapter II
Prudential Requirements

5. Policies and Procedures

Banks shall put in place comprehensive policy(s) for all digital banking channels keeping in account all statutory and regulatory requirements (including on management of liquidity and operational risks in digital banking scenario). The responsibility of oversight for management of risks emanating from these facilities shall remain with the senior management.

6. Eligibility Criteria for providing view only banking facility

6.1 All banks which have implemented Core Banking Solution (CBS) and have enabled their public facing Information technology (IT) infrastructure to handle Internet Protocol Version 6 (IPv6) traffic are eligible to provide view only banking facility for internet banking, mobile banking, and other digital banking channels-based services.

6.2 The banks commencing view only digital banking channel(s), from date of applicability (in para 3), shall inform the concerned regional office of the Reserve Bank along with a copy of a ‘Gap Assessment and Internal Controls Adequacy’ (GAICA) report as prescribed in para 7.1(e)(i) below within thirty days of the launch of the facility. The process shall be subject to scrutiny as deemed fit by the respective supervisors.

7. Eligibility Criteria for providing transactional banking facility

7.1 Banks shall require prior approval of the Reserve Bank for launching transactional banking facility. Subject to fulfilment of the prudential eligibility criteria as enumerated below, banks may apply to the respective Regional Office of Reserve bank (through the PRAVAAH portal) for launch of transactional banking facility, along with a board resolution and other necessary, supporting documents.

a) Full implementation of CBS and public facing IT infrastructure being enabled to handle Internet Protocol Version 6 (IPv6) traffic.

b) Compliance with minimum regulatory CRAR requirement.

c) Net worth as per minimum regulatory requirement or ₹50 crore, whichever is higher, as on March 31^st of the immediately preceding financial year.

d) Availability of adequate financial and technical capabilities for this facility. The applicant bank shall submit detailed report indicating the expected expenditure (on set up, maintenance, and upgradation) along with availability of funds for the proposed facility over the next five financial years. Further, the report shall also include the details of cost-benefit analysis, third-party technology service providers (if any), technology proposed to be adopted, and availability of skilled personnel to manage the operations / oversee the outsourcing partners’ operations.

e) A satisfactory track record of regulatory compliance including with cyber security guidelines and a sound internal control system. This shall be assessed through the following:

1. A Gap Assessment and Internal Controls Adequacy (GAICA) report with respect to the technological controls prescribed in Para 8 of these directions. The report shall be certified by (third party) CERT-In empanelled auditor(s).

2. Absence of any major adverse observations in the Information Security (IS) Audit reports for the last two financial years.

3. Inputs of the supervisory authority of the bank.

7.2 All approvals under this MD will be granted for all types of digital banking channels. However, if a bank has the approval for a particular digital banking channel (like mobile banking) before the date of applicability of this MD, it shall require prior approval for launching any other digital banking channel.

Chapter – III
Guidelines on Technological Issues in Digital Banking

8. The following instructions (as updated from time to time) shall be applicable for banks offering digital banking services as per the table appended below:

Table – I

Note: It is reiterated that extensions as indicated in the fourth column above shall apply only to banks offering services over digital banking channels.

Chapter IV
General Guidelines

All banks, regardless of type of facility, shall comply with the directions contained in this chapter on a continuous basis for their digital banking services.

9. Compliance

Banks shall ensure continuous adherence to the following in conduct of their digital banking operations:

1. The provisions (as amended from time to time) of the Information Technology Act, 2000, Digital Personal Data Protection Act, 2023, and other legal requirements. The jurisdiction of legal settlement would be within India.

2. For transfer of funds from the accounts of customers using digital banking for delivery in cash to the recipients, conditions stipulated in the circulars dated July 24, 2024 on ‘Domestic Money Transfer – Review of Framework’ and dated October 05, 2011 on ‘Domestic Money Transfer- Relaxations’ as issued and updated from time to time by the Department of Payment and Settlement Systems (DPSS), Reserve Bank.

3. Instructions issued by the Reserve Bank on ‘Customer Services Provided by Banks’ and other authorities on provision of banking facilities to persons with disabilities.

4. FEMA 1999 and applicable instructions issued by the Reserve Bank.

5. Relevant instructions issued by the DPSS under the Payment and Settlement Systems (PSS) Act, 2007.

6. The instructions/Directions on KYC/AML/CFT issued and as updated by RBI from time to time.

10. Customer Conduct and Other Instructions

10.1 Banks shall obtain explicit consent from the customer for providing digital banking services which may be duly recorded/documented. It shall also be clearly indicated that SMS/email alerts will be sent to the mobile number/email of the customer registered with the bank for operations, both financial and non-financial, in their account(s).

10.2 Multiple channels for registration of these services may be provided to minimize the need for branch visits and application processing time.

10.3 For registration, banks shall provide the terms and conditions in clear and simple language (preferably in English, Hindi, and the local language) which is easily comprehensible to the customer. These shall provide details of charges (if any) to be levied under specific circumstances, timeframe and process to initiate stop-payment instructions, helpdesk details, grievance redress, and risks, responsibilities, and liabilities of customers.

10.4 Banks shall comply with the guidelines on customer protection including limiting of liability in unauthorised electronic banking transactions^1&2 (as updated from time to time), sending of alerts (through SMS, email, etc.), and ensure that the terms and conditions provided to customers are compliant with the instructions.

10.5 Banks shall not make it mandatory for the customer to opt for any digital banking channel to avail any other facility like debit cards. While it may be more convenient for the customer to opt for some services together (for example, virtual access to card controls), the choice to apply for digital banking facilities shall lie solely with the customer. However, it is clarified that banks can continue to obtain and record mobile numbers of customers to send transaction alerts and other purposes in line with KYC requirements at the time of opening the accounts.

10.6. Banks shall put in place appropriate risk mitigation measures in accordance with their policies like transaction limit (per transaction, daily, weekly, monthly), transaction velocity limit, fraud checks, etc. depending on their risk perception. It is clarified that wherever specific requirements have been prescribed by the Reserve Bank or payment system operators (for example, NPCI, Card networks like VISA, Mastercard, etc.), the stricter requirements of the two shall be applicable. Banks shall ensure continuous compliance with instructions issued by DPSS under the Payment and Settlement Systems Act, 2007 in this regard as updated from time to time.

10.7. Banks offering mobile banking service (other than through mobile applications) must ensure that customers across mobile network operators can avail of the service, i.e., the service shall be network independent.

10.8. Banks shall put in place risk-based transaction monitoring and surveillance mechanism. Study of customer transaction behaviour pattern and monitoring unusual transactions or obtaining prior confirmation from customers for outlier transactions may be incorporated in the systems in accordance with the Fraud Risk Management Policy of the bank.

10.9 Third-party products and services, including those of promoter groups or bank group entities (subsidiaries/joint ventures/associates), shall not be displayed on banks’ digital banking channels except as specifically permitted by the Reserve Bank from time to time in terms of the paragraphs 18 and 19 of the Master Direction- Reserve Bank of India (Financial Services provided by Banks) Directions, 2016 dated May 26, 2016, circular on ‘Establishment of Digital Banking Units (DBUs)’ dated April 07, 2022, applicable instructions on ‘Branch Authorisation’, and other related instructions, as updated from time to time.

Chapter – V
Exemptions, Interpretations and Repeal

11. Exemptions

The Reserve Bank may, if it considers necessary for avoiding any hardship or for any other just and sufficient reason, grant extension of time to comply with or exempt any regulated entity, from all or any of the provisions of these Directions either generally or for any specified period, subject to such conditions as the Reserve Bank may impose.

12. Interpretations

For the purpose of giving effect to the provisions of these Directions, the Reserve Bank may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein, and the interpretation of any provision of these Directions given by the Reserve Bank shall be final and binding on all the parties concerned.

13. Repeal Provisions

13.1 With the issue of these directions, the instructions/guidelines contained in the following circulars, issued by the Reserve Bank stand repealed.

13.2 All approvals/acknowledgements given under the above Circulars shall be deemed as given under these Directions. Further, all the repealed Circulars are deemed to have been in force during the relevant periods, prior to the coming into effect of these Directions.