The Reserve Bank of India (RBI) has issued the final Digital Banking Channels Authorisation Directions, 2025, consolidating and updating prior instructions governing internet and mobile banking services. Applicable to all banks in India, these directions aim to facilitate sustainable growth of digital banking while mitigating operational and cybersecurity risks. Key updates include clarifying definitions of digital banking channels, transactional banking, and cross-institutional service capabilities, while emphasizing that UPI, CBDC, and mobile wallets fall under existing regulations. Banks must enable public-facing IT infrastructure to handle IPv6 traffic and maintain minimum CRAR/net worth thresholds to ensure resilience. Prior approval is no longer required for launching additional digital channels if a bank already operates one. The directions also strengthen accessibility standards, customer consent requirements, and risk-based transaction monitoring, while restricting display of third-party products on digital platforms unless explicitly permitted. Feedback from stakeholders was considered, with selective modifications incorporated to balance innovation, security, and regulatory compliance.
RESERVE BANK OF INDIA
RBI issues Reserve Bank of India (Digital Banking Channels Authorisation) Directions, 2025
The Reserve Bank of India had issued draft Master Directions on Digital Banking Channels Authorisation, 2025 on July 21, 2025, seeking feedback from banks and other stakeholders. The Reserve Bank has issued instructions from time-to-time governing internet and mobile banking services offered by various categories of banks. These services have evolved significantly since issue of the initial guidelines, as new and innovative digital channels have come into use. The objective of the Master Directions is to facilitate sustainable growth of digital banking services, by consolidating and updating the existing instructions on use of digital channels for providing banking services.
Feedback received on the draft has been examined and consequent modifications have been suitably incorporated in the final Directions. Statement on the feedback received for the draft Master Directions is provided in the Annex. The final instructions are being issued today.
Press Release: 2025-2026/1589
(Brij Raj)
Chief General Manager
Statement on the feedback received for draft Master Direction (MD)
Subject: Digital Banking Channels Authorisation Directions, 2025 1.
Chapter I – Preliminary
a) Para 3 – As per the proposed directions, the provisions shall apply to all banks authorised to operate in India (commercial banks and cooperative banks).
Feedback: Suggestions were received to explicitly include/exempt FinTechs under the MD and also to bring NBFCs under its ambit.
RBI Comments: Not considered as the suggestions are outside the scope of this regulation. The para clearly specifies that these Directions are applicable to banks. However, if the banks outsource certain activities to third parties/FinTechs, they shall ensure that the services provided by their outsourced partners be governed by the extant instructions applicable to those products or services, in all respect.
b) Para 4.1 (a) – “Digital Banking Channels refer to modes provided by the banks over web sites (i.e., internet banking), mobile phones (i.e., mobile banking) or other digital channels through electronic devices/equipment for the execution of financial, banking and other transactions as required for digital banking services which involve significant level of process automation and cross-institutional service capabilities.”
Feedback: Sought clarity on the definition especially the term -‘cross institutional service capabilities’, applicability on UPI/CBDC/mobile wallets, etc., digital touch points maintained by the banks and APIs between banks and third-party platforms.
RBI comments: Accepted. Para 4.1 (a) has been revised to provide more clarity. Further, it is clarified that while UPI and CBDC are payment systems, mobile wallets are pre-paid payment instruments. APIs are connections and not the channels themselves. The banks are responsible to ensure compliance on part of such informational assets or digital products in line with extant RBI guidelines including the customer grievance redressal.
c) Para 4.1 (b) & (c) – “Internet banking – Digital banking channel offered by a bank to its customers for managing their accounts and accessing its services over the internet (including web browser-based applications but excluding mobile applications); Mobile Banking – Digital banking channel offered by a bank to its customers for managing their accounts and accessing its services using mobile applications, unstructured supplementary service data (USSD), and short message service (SMS).”
Feedback: The feedback sought addition of conversational AI (Chatbots) as well as a specific internet/app-based messaging service under these definitions.
RBI comments: Not considered as these are already covered. Standalone conversational AI and standalone internet-based messaging service are not separate digital banking channels, but part of either internet banking or mobile banking channel.
d) Para 4.1 (e) – “Transactional Banking facility – A feature of digital banking channels through which all fund-based or non-fund-based banking services can be provided.”
Feedback: The feedback highlighted that in banking parlance, ‘non-fund based’ term refers to LC, BGs, etc., hence, alternate definition may be provided.
RBI comments: Accepted. Para 4.1 (e) has been revised.
2. Chapter II – Prudential Requirements
a) Para 7.1 (a): – “Full implementation of CBS and public facing IT infrastructure being enabled to handle Internet Protocol Version 6 (IPv6) traffic.”
Feedback: Feedback solicited Relaxation/Phased implementation with IPv6 requirements since migration to the same might require several months.
RBI Comments: Not Accepted. The MD does not mandate complete migration to IPv6, it only stipulates that public facing IT infrastructure should be enabled to handle IPv6 traffic. The stipulation is already applicable to Cooperative banks and RRBs since 2015 and the same has been extended to all banks to have a harmonised regulatory framework.
b) Para 7.1 (b) & (c): – “Compliance with minimum regulatory CRAR requirement & Net worth as per minimum regulatory requirement or ₹50 crore, whichever is higher, as on March 31st of the immediately preceding financial year”
Feedback: Feedback sought either removal or reduction in the minimum net worth requirement of ₹50 crore as well as lowering of CRAR requirement.
RBI Comments: Not Accepted. Digital banking channels expose banks to significant additional operational risks, especially the cyber security risks, and mitigation of the same would require continued upgradation of security systems as also adequate financial bandwidth to bear losses, if any, arising out of security breach/es. Therefore, retaining a threshold capital/financial strength is considered indispensable. Further, the CRAR prescribed is already the regulatory minima.
c) Para 7.2 : “All approvals under this MD will be granted for all types of digital banking channels. However, if a bank has the approval for a particular digital banking channel (like mobile banking) before the date of applicability of this MD, it shall require prior approval for launching any other digital banking channel.”.
Feedback: Feedback sought post-facto/removal of prior RBI approval requirement for additional digital banking channels.
RBI Comments: Accepted. Prior approval requirement removed for any additional channels as the bank providing one digital channel is expected to have appropriate wherewithal including the cyber security framework for extending another channel with similar risks.
3. Chapter IV – General Guidelines
a) Para 9 (III): “Instructions issued by the Reserve Bank on ‘Customer Services Provided by Banks’ and other authorities on provision of banking facilities to persons with disabilities.“
Feedback: Feedback suggested explicit reference to “Accessibility Standards in Banking Sector” as notified by the Ministry of Finance, Government of India on February 02, 2024.
RBI comments: Accepted. Para revised accordingly.
b) Para 10.1: “Banks shall obtain explicit consent from the customer for providing digital banking services which may be duly recorded/documented. It shall also be clearly indicated that SMS/email alerts will be sent to the mobile number/email of the customer registered with the bank for operations, both financial and non-financial, in their account(s).”
Feedback: Feedback suggested that existing bank customers may be provided the facility to opt out or de-register from availing digital banking channels as well as notifications.
RBI comments: Deregistering from notifications not considered as regulations governing mandatory notifications are outside the scope of these regulations.
c) Para 10.8: “Banks shall put in place risk-based transaction monitoring and surveillance mechanism. Study of customer transaction behaviour pattern and monitoring unusual transactions or obtaining prior confirmation from customers for outlier transactions may be incorporated in the systems in accordance with the Fraud Risk Management Policy of the bank.”
Feedback: Feedback highlighted difficulties in implementing prior confirmation clause for outlier transactions.
RBI comments: Not Considered. However, the point has been deleted as the issues emanating from the outlier transactions are governed by the MD on Fraud Risk Management.
d) Para 10.9: “Third-party products and services, including those of promoter groups or bank group entities (subsidiaries/joint ventures/associates), shall not be displayed on banks’ digital banking channels except as specifically permitted by the Reserve Bank from time to time in terms of the paragraphs 18 and 19 of the Master Direction – Reserve Bank of India (Financial Services provided by Banks) Directions, 2016 dated May 26, 2016, circular on ‘Establishment of Digital Banking Units (DBUs)’ dated April 07, 2022, applicable instructions on ‘Branch Authorisation’, and other related instructions, as updated from time to time.”
Feedback: Feedback suggested that banks may be allowed to display/advertise various products/services including those approved by the respective sectoral regulators, flagship government schemes or offered in partnership with FinTechs on their respective digital properties. Other suggestions included allowing links to various statutory bodies, display of Card Value Proposition, apparent benefit to banks and customers from such an arrangement and grandfathering of existing displays.
RBI comments: Presently Para 10.8. Partially Accepted. Feedback on the said para was extensively discussed during the post feedback meetings held with the Regulated Entities. Accordingly, taking a considered view along with an objective to ensure safety and to maintain hygiene in the financial transactions undertaken by the customers, it has been decided that post customer login, the banks shall display only those products which are specifically permitted for a bank to deal in. It may be clarified here that only those products and services which are allowed to be offered to a customer through a branch customer interface (viz. banking products, flagship Government Schemes, financial third- party products for which a bank has distribution arrangement, etc.) may be available for a customer to view post login.
