Rbi's New Banking Rules (april 2026): Compliance Guide for Indian Banks & Corporates

Last reviewed: 4 May 2026

Executive Summary, RBI New Banking Rules 2026 India

The Reserve Bank of India’s April 2026 regulatory package represents the most sweeping single-month compliance event for Indian banks and corporates in recent memory. Spanning mandatory Additional Factor of Authentication (AFA) for every digital payment channel, a restructured digital fraud compensation framework, revised ATM and cash-withdrawal protocols, tightened loan-recovery conduct rules, a new NBFC registration category, and concurrent tax-reporting obligations under the Finance Bill 2026, the package demands immediate, coordinated action from compliance officers, in-house counsel, treasury teams and board-level governance committees. This guide translates each directive into concrete operational steps, ownership assignments and a 90-day implementation plan designed for bank CCOs, CFOs and corporate general counsel navigating the April 2026 RBI rules.

Top six immediate obligations:

1. Two-Factor / AFA mandate for all digital payments, effective 1 April 2026 per RBI directions on payment and settlement systems.
2. Digital fraud compensation framework, banks and PSPs must implement revised customer-liability limits, accelerated dispute timelines and proactive reporting.
3. ATM and cash-withdrawal rule changes, updated free-transaction thresholds, interchange structures and customer-notice requirements.
4. Loan recovery conduct rules, revised code of conduct for recovery agents, mandatory training certification and grievance-escalation protocols.
5. NBFC registration and exemption changes, a new registration category and a one-time compliance window for small NBFCs, as outlined in RBI’s revised borrowing and lending framework.
6. Finance Bill 2026 tax-reporting obligations, enhanced TDS/TCS thresholds and digital-transaction reporting that interact directly with banking operations.

What Changed: Overview of the April 2026 RBI Rules

The April 2026 package consolidates several RBI master directions, circulars and the Finance Bill 2026 into a single compliance wave. Below is a concise statutory summary organised by subject matter. Compliance teams should cross-reference each item against the primary texts cited in the sources section of this guide.

Digital Payments, Two-Factor Authentication (AFA)

The RBI’s updated directions on payment and settlement systems now mandate Additional Factor of Authentication for all customer-initiated digital payment transactions without exception. The requirement, effective 1 April 2026, extends AFA from its earlier application on card-not-present transactions to the full spectrum of UPI, mobile wallets, net-banking, QR-code payments and merchant-initiated recurring mandates above the RBI-specified threshold. Banks, payment service providers (PSPs) and wallet issuers must ensure that no digital transaction completes without a second authentication factor, whether OTP, biometric, device-binding or an RBI-approved equivalent. The practical effect is that payment processors and acquirers need to update their technology stacks and vendor SLAs before the effective date, and merchants relying on frictionless checkout flows must integrate AFA-compliant payment gateways.

Digital Fraud Compensation Framework

A companion direction establishes a structured digital fraud compensation regime. Under the framework, customer zero-liability protection applies where an unauthorised transaction is reported within the prescribed window and the customer has not been negligent. Banks and PSPs bear the burden of demonstrating customer negligence before declining compensation. Dispute-resolution timelines have been shortened, and institutions must now submit quarterly fraud-compensation reports to the RBI’s Department of Payment and Settlement Systems. Industry observers expect this framework to generate significant operational process changes in banks’ fraud-management and customer-service departments.

ATM and Cash-Withdrawal Updates

Revised ATM interchange and free-transaction rules adjust the number of complimentary cross-bank ATM withdrawals and the per-transaction interchange fee payable between issuing and acquiring banks. Customer notification obligations have been tightened: banks must display the revised fee structure prominently at ATM terminals, on mobile apps and in monthly statements. Cash-withdrawal limits and reporting thresholds, particularly relevant to anti-money laundering compliance, remain governed by existing Prevention of Money Laundering Act (PMLA) rules, but the operational interplay between ATM-level limits and the new digital banking rules India 2026 requires coordinated system updates.

Loan Recovery and Conduct Rules

The RBI’s directions on loan recovery conduct, effective April 2026, tighten the regulatory framework governing outsourced recovery agents. Banks and NBFCs must now ensure that every recovery agent holds a valid training-and-certification credential issued under an RBI-recognised programme. Time-of-day contact restrictions have been clarified, grievance-escalation channels must be communicated to borrowers in writing before any recovery action begins, and the use of coercive or abusive practices carries explicit supervisory consequences. These loan recovery rules 2026 apply equally to in-house recovery teams and third-party agencies.

NBFC Registration and Lending Framework Changes

As part of its revised borrowing and lending framework, the RBI has introduced a new NBFC registration category and exempted certain small NBFCs from registration and reserve-fund requirements subject to prescribed asset-size thresholds. The one-time compliance window allows eligible entities to regularise their status. Industry commentary notes that this rationalisation is intended to reduce the regulatory burden on micro-NBFCs while simultaneously strengthening oversight of systemically significant non-bank lenders.

Who Is in Scope: Entities and Thresholds Under the RBI New Banking Rules 2026

The April 2026 RBI rules do not apply uniformly to every financial-sector participant. The table below maps each obligation to the entity types that must act.

Compliance officers should note that the RBI’s enforcement perimeter now explicitly includes third-party technology service providers where they perform regulated payment-processing functions on behalf of a regulated entity. Early indications suggest the RBI intends to treat technology vendors as extensions of the regulated institution for supervisory purposes.

Immediate Legal and Operational Obligations for Banks

This section provides the core bank compliance checklist India practitioners need to implement in response to the April 2026 RBI rules. Each subsection identifies the obligation, the internal team accountable and the deliverables required.

Authentication and Payments Systems Changes, 2FA Implementation

Banks’ IT and digital-payments teams must conduct an end-to-end audit of every customer-facing payment channel to confirm AFA compliance. The audit should cover:

• UPI and mobile-banking apps. Confirm device-binding plus OTP or biometric authentication is active for all transaction types, including peer-to-peer transfers and merchant payments.
• Net-banking and bill-payment portals. Verify that session-level and transaction-level authentication meet the two-factor standard.
• Card-present and QR-code transactions. Assess whether PIN-on-glass, biometric or device-level authentication satisfies the AFA requirement for contactless transactions above the RBI-specified contactless threshold.
• Recurring mandates (e-NACH, auto-debit). For mandates above the RBI-prescribed limit, ensure AFA is triggered at execution; mandates below the limit must still satisfy the first-registration AFA requirement.
• Vendor and PSP contracts. Amend SLAs with payment-gateway providers, card networks and acquirers to allocate AFA-compliance responsibilities and specify liability for authentication failures.

The practical effect of these digital banking rules India 2026 is that any bank relying on legacy single-factor flows, or on vendor-managed flows that have not been updated, faces immediate supervisory risk.

Fraud Compensation: Customer Liability and Settlement Process

Under the digital fraud compensation RBI framework, banks must revise their internal fraud-dispute workflows to meet shorter resolution timelines. Key process changes include:

• Intake and acknowledgement. Disputes must be acknowledged within the timeframe prescribed in the RBI direction, with a unique tracking reference communicated to the customer.
• Investigation and determination. The bank bears the evidential burden of proving customer negligence; absent such proof, zero-liability compensation applies.
• Settlement. Provisional credit to the customer’s account must occur within the RBI’s stipulated settlement period pending final determination.
• Quarterly reporting. Aggregate fraud-compensation data must be reported to the RBI’s Department of Payment and Settlement Systems in the prescribed format.

Banks should update their Customer Compensation Policy to incorporate the revised liability matrix and ensure that customer-facing staff and call-centre agents are trained on the new process.

ATM and Cash Handling, Reporting and AML Interplay

Operational teams managing ATM networks, cash-management vendors and branch cash counters must implement the revised interchange and free-transaction structures. The ATM withdrawal limits 2026 India rules require:

• Updated ATM screen displays reflecting the revised fee schedule and remaining free transactions per cycle.
• Coordination with cash-management vendors to adjust cassette configurations and replenishment schedules where withdrawal patterns change.
• Alignment of ATM transaction-monitoring systems with PMLA cash-transaction reporting thresholds, particularly for high-value single-day withdrawals.

Branches and ATM custodians should receive revised operating procedures within the first 30 days of the effective date.

Loan Recovery Conduct and Revised Agent Oversight

The loan recovery rules 2026 impose direct obligations on banks’ collections and recovery functions:

• Agent certification. Every recovery agent, in-house or outsourced, must hold a current training certificate from an RBI-recognised programme before initiating borrower contact.
• Communication protocols. Written notice of the assigned agent’s identity, authorisation and the borrower’s grievance-escalation channel must precede any recovery activity.
• Contact-hour restrictions. Recovery calls and visits may occur only within the RBI-prescribed hours; violations are subject to supervisory action.
• Vendor contracts. Existing recovery-agent agreements must be amended to incorporate the revised conduct code, training requirements and indemnity clauses for non-compliance.

KYC, Periodic Refresh and Record-Keeping Updates

Although the April 2026 package does not overhaul the KYC master direction, the new reporting and compensation obligations create supplementary record-keeping demands. Compliance teams should ensure that customer-identification data supporting fraud-dispute determinations is retained for the prescribed period and is accessible for RBI inspection.

Immediate Legal and Operational Obligations for Corporates and Treasuries

The April 2026 RBI rules are not addressed solely to banks. Corporates operating as large merchants, payment initiators or borrowers face distinct compliance tasks shaped by the interaction of the RBI package with the Finance Bill 2026 India.

Merchant Onboarding and Contract Changes

Corporates that accept digital payments, whether through e-commerce platforms, point-of-sale terminals or subscription billing, must verify that their payment-gateway and acquirer contracts have been updated to reflect AFA-compliant transaction flows. Specifically, merchants should:

• Request written confirmation from their PSP or payment aggregator that the gateway supports the mandated two-factor authentication across all channels.
• Review and update their merchant agreements to allocate liability for failed authentication, chargebacks arising from AFA non-compliance and data-breach notification obligations.
• Test checkout flows end-to-end to confirm that the additional authentication step does not cause transaction abandonment rates to exceed acceptable thresholds, and implement fallback mechanisms where permitted.

Treasury and ERP Transaction Flows, 2FA Integration

Corporate treasury teams initiating bulk payments via host-to-host banking channels, RTGS, NEFT or UPI corporate modules must verify that their ERP-to-bank integration supports AFA at the transaction-initiation point. Key actions include:

• Coordinating with the bank’s transaction-banking team to confirm that the corporate’s payment-initiation API or file-upload channel triggers AFA in compliance with the digital banking rules India 2026.
• Updating maker-checker workflows in the ERP system to accommodate the additional authentication layer without disrupting payment-processing cycles.
• Documenting the AFA-compliance status of each payment channel in the company’s internal controls matrix for audit purposes.

Tax Reporting Changes Under Finance Bill and Income Tax Rules 2026

The Finance Bill 2026 introduced revised TDS and TCS thresholds for specified financial transactions. Under the Income Tax Rules 2026, banks and corporates must now report additional categories of high-value digital transactions to the Income Tax Department. For corporates, the practical effect includes expanded Form 26AS reconciliation obligations and potential adjustments to advance-tax calculations where TCS credits are now available against digital-payment volumes. Treasury and tax teams should update their reporting calendars and confirm that banking partners can provide the transaction-level data needed for statutory filings.

Bank Compliance Checklist India, 90-Day Implementation Plan

The following 30/60/90-day plan assigns ownership and deliverables for each compliance workstream arising from the RBI new banking rules 2026 India. Compliance officers should adapt the timeline to their institution’s governance calendar and existing project-management framework.

Days 1–30: Immediate Assessment and Gap Analysis

• IT / Digital Payments. Complete end-to-end AFA audit across all customer-facing payment channels. Identify non-compliant flows and issue remediation tickets.
• Compliance / Legal. Map every April 2026 RBI direction to existing internal policies. Prepare a gap-analysis report for the Board/Risk Management Committee.
• Operations / Branch Banking. Update ATM fee displays, branch notices and customer communication templates to reflect revised withdrawal rules.
• Collections / Recovery. Audit current recovery-agent roster for training-certification status. Suspend uncertified agents from active recovery until certification is obtained.
• Treasury / Finance. Confirm with banking partners that payment-initiation channels support AFA. Begin reconciliation-readiness assessment for Finance Bill 2026 reporting.

Days 31–60: Policy Updates, Vendor Amendments and Training

• Compliance / Legal. Draft and circulate revised Digital Payments Policy, Fraud Compensation Policy and Recovery Agent Code of Conduct for internal review and Board approval.
• Procurement / Legal. Issue contract amendments to all PSPs, payment gateways, ATM operators and recovery-agent vendors incorporating the new regulatory requirements.
• HR / Training. Roll out mandatory training modules for customer-facing staff on the digital fraud compensation process, and for recovery agents on the revised conduct code.
• IT. Deploy AFA-compliant payment flows to production. Conduct end-to-end testing with card networks, UPI infrastructure and wallet partners.

Days 61–90: Governance Sign-Off, Reporting and Monitoring

• Board / Risk Management Committee. Approve revised policies and note the compliance status report. Pass a board resolution confirming the institution’s compliance posture.
• Compliance. Submit the first quarterly fraud-compensation report to the RBI. Establish ongoing monitoring dashboards for AFA failure rates, dispute volumes and recovery-agent conduct incidents.
• Internal Audit. Schedule a targeted review of the April 2026 compliance programme for the next audit cycle.
• Treasury / Tax. Complete first-month reconciliation of Finance Bill 2026 reporting data with banking partners. File any revised TDS/TCS returns as required under the Income Tax Rules 2026.

Governance: Policies, Board Reporting and Sample Resolutions

The April 2026 RBI rules require board-level awareness and formal governance sign-off. Compliance teams should prepare the following policy documents and board-resolution items:

• Revised Digital Payments Policy. Incorporate the AFA mandate, define permissible authentication methods, establish vendor-oversight standards and specify escalation procedures for authentication failures.
• Fraud Compensation Policy. Codify the zero-liability standard, investigation timelines, provisional-credit mechanisms and quarterly reporting obligations.
• Recovery Agent Code of Conduct. Embed training-certification requirements, contact-hour restrictions, borrower-notification protocols and disciplinary procedures for violations.
• Vendor and PSP Contract Standards. Establish a template addendum for all payment-technology and recovery-agent contracts reflecting the new regulatory requirements.

Sample board-resolution language: “RESOLVED THAT the Board hereby notes and approves the revised Digital Payments Policy, Fraud Compensation Policy and Recovery Agent Code of Conduct, each as tabled, incorporating the requirements of the RBI directions effective April 2026, and authorises the Chief Compliance Officer to implement the policies with immediate effect and to report compliance status to the Board/Risk Management Committee on a quarterly basis.”

Enforcement, Penalties and Supervisory Expectations

Non-compliance with the April 2026 RBI rules carries a graduated enforcement spectrum. The RBI retains the power to impose monetary penalties under Section 47A of the Banking Regulation Act, 1949, issue supervisory directions restricting specific business activities, and, in severe cases, initiate proceedings for cancellation of banking or NBFC licences. For digital-payment non-compliance specifically, the RBI may also direct the National Payments Corporation of India (NPCI) to suspend an institution’s access to UPI or IMPS infrastructure.

Beyond statutory penalties, institutions face significant reputational risk and potential consumer litigation under the Consumer Protection Act, 2019, where customers suffer financial loss due to a bank’s failure to implement the fraud-compensation framework. Industry observers expect the RBI to prioritise enforcement actions in the first two quarters following the effective date, given the high public visibility of the digital-payment and fraud-compensation rules.

Practical mitigation requires documented compliance, gap-analysis reports, board resolutions, training records and vendor-amendment confirmations, that can be produced promptly in response to a supervisory inspection or show-cause notice.

Key Dates and Comparative Timeline, RBI New Banking Rules 2026

The following table summarises the critical compliance dates and the entities that must act. Compliance teams should integrate these dates into their governance calendars and project-management trackers.

The convergence of RBI directions and Finance Bill 2026 provisions on the same effective date is deliberate: it reflects the regulator’s and Parliament’s coordinated expectation that the financial sector will treat these as a unified compliance event. Institutions that approach each obligation in isolation risk duplicating effort and missing the interdependencies between payment-system changes and tax-reporting obligations.

Conclusion and Next Steps

The RBI new banking rules 2026 India package, combined with the Finance Bill 2026, creates a single, high-stakes compliance event that demands coordinated action across technology, legal, operations, collections and finance teams. Institutions that treat each directive in isolation will waste resources and increase supervisory exposure. Those that adopt a unified 90-day implementation plan, anchored in board-level governance, vendor-contract discipline and rigorous documentation, will be positioned to satisfy the regulator, protect their customers and avoid enforcement consequences.

Compliance officers, in-house counsel and CFOs should begin the gap-analysis process immediately, prioritising AFA implementation and fraud-compensation workflow changes as the highest-risk items. For jurisdiction-specific guidance, including policy drafting, vendor-contract amendments and board-resolution preparation, consult a Banking & Finance practitioner through the Global Law Experts India lawyer directory.

Sources

1. Reserve Bank of India, Payment & Settlement System FAQs
2. Pine Labs, RBI New UPI Rules 2026
3. Bajaj Finserv, RBI New Digital Payment Rules April 2026
4. India Budget, Finance Bill 2026
5. Income Tax Department, Income Tax Rules 2026
6. Vinod Kothari, Consolidation of RBI Directions Ver 2.0
7. EY India, RBI Revised Borrowing and Lending Framework
8. Legal500, RBI Amendments 2026: NBFC Registration and Exemptions
9. NewsOnAir, RBI Exempts Small NBFCs from Registration and Reserve Fund Rules
10. Pine Labs, Operational Guidance