Our Expert in India
The April 2026 package of RBI banking rules India’s financial institutions must now comply with represents the most significant overhaul of digital-payment and consumer-protection obligations in over a decade. Effective 1 April 2026, the Reserve Bank of India has mandated two-factor authentication (AFA) for all digital payments, introduced a digital fraud compensation framework that shifts liability timelines sharply in favour of customers, and issued the Digital Banking Channels Authorisation Directions requiring real-time transaction alerts and enhanced monitoring. Separately, the Banking Laws (Amendment) Act, 2025 has expanded the RBI’s supervisory toolkit, while digital lending platforms face an operational compliance demonstration deadline of 30 June 2026.
This article provides a prioritised, lawyer-authored compliance checklist, with sample contract clauses, entity-specific action plans and key deadlines, for in-house counsel, compliance officers and senior product leaders at banks, fintechs and NBFCs.
If you are responsible for compliance at a regulated entity, start with these eight immediate RBI compliance steps before reading the detailed guidance below:
The April 2026 regulatory package is not a single circular but a coordinated set of RBI notifications, directions and legislative amendments. Together, they reshape how banks and fintechs authenticate payments, handle fraud losses, monitor digital channels and register new lending entities. Below is a concise legal overview of each pillar.
The RBI’s Additional Factor of Authentication (AFA) directions now apply to every category of digital payment transaction processed in India, including card-not-present transactions, UPI payments, net-banking transfers and wallet-based transactions. The key technical requirement is that at least two independent authentication factors must be used, and at least one must be dynamic, generated uniquely for each transaction. Acceptable factor combinations include knowledge-based (PIN, password), possession-based (device binding, hardware token) and inherence-based (biometric) elements. All domestic card payments must pass through two independent verification steps; cardholders may authenticate using a PIN combined with an OTP or biometric confirmation.
The RBI has explicitly stated that the entity initiating the payment, whether a bank, PSP or fintech, bears primary responsibility for ensuring AFA is in place before processing the transaction.
A new framework governs how customers are compensated when digital-payment fraud occurs. The framework establishes tiered liability depending on whether the fraud resulted from a bank/PSP system breach, third-party negligence or customer negligence. Where the loss arises from a bank or PSP-side failure, the institution must compensate the customer in full. Customers are required to report unauthorised transactions within a prescribed window to remain eligible for full compensation. Institutions must issue provisional credits while investigations are underway.
These directions mandate that banks deliver real-time transaction alerts to customers as a condition of operating digital-banking channels. They also require enhanced transaction-monitoring capabilities, including anomaly detection and velocity checks, and impose minimum standards for session management, encryption and channel-level access controls.
The RBI has introduced a new registration category for certain NBFCs engaged in digital lending. All digital lending platforms must functionally demonstrate compliance by 30 June 2026, meaning systems, disclosures and grievance-redressal mechanisms must be operationally live, not merely documented.
The Banking Laws (Amendment) Act, 2025, which received Presidential assent in late 2025, expanded the RBI’s powers to impose penalties, conduct special audits and direct supervised entities to take corrective action. Industry observers expect the Finance Bill 2026, if enacted in its current form, to introduce further changes to loan-recovery conduct obligations and prepayment clauses. As at 17 May 2026, the Finance Bill’s final passage status should be verified independently before reliance.
The RBI new rules 2026 apply to all scheduled commercial banks (including foreign banks operating in India), payments banks, small finance banks, payment system providers (PSPs) licensed under the Payment and Settlement Systems Act, 2007, NBFCs (including those in the new digital-lending registration category) and fintech companies operating as business correspondents, payment aggregators or lending service providers. Cooperative banks and regional rural banks are covered to the extent they offer digital-payment channels.
The principal legal instruments include RBI notifications published on the RBI Rules & Notifications portal, the PIB press release on the Banking Laws (Amendment) Act, 2025, and the Digital Banking Channels Authorisation Directions. The AFA mandate and fraud compensation framework took effect on 1 April 2026. The digital lending operational demonstration deadline is 30 June 2026.
The following bank compliance India checklist is organised by functional owner and recommended timeline. Each item should be treated as a discrete workstream with board-level visibility.
| Action | Responsible Function | Recommended Timeline |
|---|---|---|
| Prepare board memo on April 2026 regulatory changes; assign compliance ownership | Chief Compliance Officer / Legal | Immediate (if not already done) |
| Map all digital-payment flows and identify AFA gaps | Head, Digital Banking / Technology | Within 30 days of 1 April 2026 |
| Update customer T&Cs, consent language and privacy notices | Legal / Product | Within 45 days |
| Draft and approve fraud compensation policy with escalation matrix | Legal / Operations / Risk | Within 30 days |
| Audit all vendor and PSP contracts; negotiate indemnity and SLA amendments | Legal / Procurement | Within 60 days |
| Update KYC and account-freeze SOPs to meet RBI notice/re-activation requirements | Compliance / Branch Operations | Within 30 days |
| Implement regulatory reporting logs and mandatory notification templates | Compliance / IT | Within 45 days |
| Complete AFA testing, produce attestation evidence for RBI / auditors | Technology / Internal Audit | Within 60 days |
The Chief Compliance Officer should prepare a concise board memo covering: (a) a summary of each April 2026 rule change, (b) the bank’s current compliance posture and identified gaps, (c) a proposed remediation plan with owners and deadlines, and (d) the financial and regulatory-risk implications of non-compliance. The board should formally approve the remediation plan and receive quarterly progress updates until all items are closed.
Every digital-payment channel, mobile banking, internet banking, card transactions, UPI and any white-label or co-branded products, must be mapped against the two-factor authentication requirement. Where a flow currently relies on a single static factor (e.g., a PIN alone without a dynamic OTP or biometric), the product team must design, test and deploy a compliant second factor. Authentication flows for recurring payments and e-mandates need particular attention, as industry observers expect the RBI to scrutinise these during its next cycle of thematic inspections.
Account opening documentation, digital-channel terms and conditions, and product-specific agreements must be updated to disclose: the authentication methods in use, the customer’s obligation to report fraud within the prescribed window, the bank’s liability and compensation commitments, and the dispute-resolution and Ombudsman escalation path. Banks should obtain affirmative customer consent for dynamic authentication methods, particularly where biometric data is collected.
Banks may restrict account access where a customer fails to complete periodic KYC re-verification, but must follow prescribed notice periods and offer clear re-activation procedures. A bank cannot freeze an account for KYC non-compliance without first issuing written notice, providing a reasonable cure period and documenting the steps taken. Updated SOPs should specify the notice format, the minimum cure period, the escalation path for disputed freezes, and the process for immediate re-activation upon KYC completion.
Banks must maintain comprehensive transaction logs (including authentication method, timestamp, device identifiers and outcome) for a minimum retention period consistent with RBI directions. Fraud incidents must be reported to the RBI within mandated timelines, and periodic compliance filings, including AFA attestation certificates, should be prepared in a regulator-ready format.
Fintechs and NBFCs face a distinct set of challenges under the RBI new rules 2026 because they often depend on partner banks and PSPs for settlement, KYC infrastructure and payment-channel access. The fintech compliance checklist below addresses these dependencies directly.
Begin by documenting every partner relationship, sponsor banks, payment aggregators, card networks, UPI infrastructure providers and third-party KYC vendors. For each relationship, identify which party is contractually responsible for implementing AFA, maintaining transaction logs and compensating fraud losses. Where contracts are silent or ambiguous, flag them for immediate renegotiation.
Fintechs that control the customer-facing authentication experience (e.g., payments apps, wallets, digital-lending platforms) must implement two-factor authentication directly. Acceptable design options include:
Legal sign-off is required before any new authentication method goes live, particularly where biometric data processing triggers obligations under the Digital Personal Data Protection Act, 2023.
Fintech customer agreements must be updated to include: clear disclosure of authentication methods, the customer’s fraud-reporting obligations and timelines, the fintech’s liability and compensation commitments, data-processing purposes for authentication data, and the escalation path to the RBI Ombudsman. Consent must be affirmative, pre-ticked boxes or bundled consents are unlikely to satisfy RBI expectations.
Fintechs must establish internal fraud-detection capabilities (or procure them from a vendor) that include transaction-velocity monitoring, anomaly detection and geo-location checks. When fraud occurs, the fintech must: notify the affected customer promptly, provide a provisional credit where the fraud was not caused by customer negligence, conduct an internal investigation within the prescribed SLA, and report findings to the partner bank and regulator. Maintaining technical proof of compromise, server logs, authentication records, IP and device data, is critical both for regulatory compliance and for any subsequent contractual indemnity claims against partners.
Fintechs should audit every material vendor contract to ensure it includes: pass-through indemnities that mirror the fintech’s liability to customers, liability caps that reflect the digital fraud compensation framework, audit provisions granting the fintech (and the RBI) access to transaction logs and security records, and data-processing clauses consistent with the Digital Personal Data Protection Act. Where existing contracts lack these provisions, issue amendment requests immediately and escalate to senior management if vendors resist.
Digital lending platforms must achieve operational compliance, not merely documented policies, but functioning systems, live disclosures and operational grievance-redressal mechanisms, by 30 June 2026. NBFCs applying for the new digital-lending registration category must file their applications and supporting documentation in advance of this deadline. Sandbox attestation reports, penetration-test results and compliance certificates should be prepared and kept regulator-ready.
Partner banks and PSPs will increasingly require fintechs to produce compliance evidence, including AFA implementation certificates, fraud-response playbooks, transaction-log samples and data-security audit reports, as a condition of continued partnership. Fintechs should designate a compliance liaison and maintain a standing evidence package that can be updated and shared on short notice.
The April 2026 changes make vendor and PSP contract management a front-line compliance activity. Below are sample clause structures for key provisions. These are illustrative and should be adapted to the specific commercial relationship after independent legal review.
Banks should resist vendor attempts to cap indemnity obligations at a fixed monetary amount where the underlying exposure, fraud losses across the portfolio, is uncapped. Fintechs, conversely, should negotiate for proportional liability linked to fault, and insist on a right to conduct their own investigation before accepting indemnity claims. All parties should ensure that audit-rights clauses extend to sub-processors and fourth-party providers, as the RBI’s examination scope increasingly covers the full outsourcing chain.
The digital fraud compensation framework establishes a structured process for handling unauthorised-transaction claims. Understanding its operational mechanics is essential for meeting the RBI banking rules India imposes on all regulated entities.
Where the fraud results from a bank, PSP or system-level breach, the institution bears full liability regardless of whether the customer reported it promptly. Where the fraud involves third-party exploitation (phishing, social engineering) and the customer reports it within the prescribed window, the institution must issue a provisional credit while investigating. Where the customer’s own negligence (e.g., sharing OTPs) caused the loss, the customer bears liability, but the institution must still investigate and communicate its findings.
Industry observers expect the RBI to treat delayed or non-compliant compensation as a serious supervisory concern, potentially triggering penalties under the enhanced enforcement powers granted by the Banking Laws (Amendment) Act, 2025.
| Key Date | Milestone |
|---|---|
| 1 April 2026 | AFA mandate, fraud compensation framework and Digital Banking Channels Authorisation Directions take effect |
| 30 June 2026 | Digital lending platforms must operationally demonstrate compliance (live systems, disclosures and grievance mechanisms) |
| 1 April 2027 | Expected Credit Loss (ECL) provisioning framework takes effect for banks (deferred from earlier date) |
| Obligation / Rule | Banks (What to Do) | Fintechs & NBFCs (What to Do) |
|---|---|---|
| AFA (two-factor authentication) | Implement dynamic second factor for all digital payments; update T&Cs; attest to regulator | Implement AFA in customer-facing flows; integrate with partner bank/PSP; update consent and UI |
| Fraud compensation framework | Primary payer if loss results from bank/PSP fault; maintain logs; compensate per RBI timelines | Compensate if loss results from fintech negligence or product failure; maintain proof; offer provisional credit |
| Real-time transaction alerts | Implement and maintain real-time SMS/push alerts for all digital transactions | Ensure partner bank alerts are not suppressed; supplement with in-app notifications |
| Reporting and audits | Maintain comprehensive logs; make periodic regulatory filings; enable RBI access | Prepare evidence packages for partners; support audits; provide logs and attestation certificates |
| Digital lending operational readiness | Ensure lending partners meet 30 June 2026 deadline; audit partner compliance | Achieve operational compliance by 30 June 2026; file registration applications if applicable |
The breadth of the April 2026 RBI banking rules demands a structured response. First, issue a governance memo to the board summarising all changes, assigning owners and setting deadlines. Second, prioritise the top three product fixes, AFA gap remediation, real-time alert implementation and fraud-compensation workflow deployment. Third, launch a legal contracts workstream to audit and amend all vendor, PSP and aggregator agreements using the sample clauses and negotiation principles outlined above. Early and decisive action will reduce regulatory risk, protect customers and position your institution favourably for the RBI’s anticipated supervisory reviews.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Debashree Dutta at Vritti Law Partners, a member of the Global Law Experts network.
posted 9 minutes ago
posted 10 minutes ago
posted 34 minutes ago
posted 35 minutes ago
posted 58 minutes ago
posted 1 hour ago
posted 1 hour ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message