
RBI Draft & DPDP Act: A Complete Guide to RBI Compliance for Banks and NBFCs Before July 2026


With the Reserve Bank of India’s Draft Amendment Directions on Responsible Business Conduct coming into effect from July 1, 2026, institutions must re-evaluate how they market, sell, and govern financial products. At the same time, the DPDP Act, formally the Digital Personal Data Protection Act, 2023, together with the DPDP Rules, 2025, is reshaping how personal data is collected, processed, and protected.

For compliance leaders, this is not just another regulatory update but rather a structural shift that brings together RBI compliance for banks, NBFCs, and the broader regulatory framework of corporate governance in India under a unified lens of transparency, consent, and accountability.

Here is what needs urgent attention before July 2026, according to this draft by the RBI: 

1. Explicit Consent

The RBI draft introduces a formal definition of “explicit consent,” closely aligned with the DPDP Act. Under Section 6 of the Digital Personal Data Protection Act, 2023, read with the DPDP Rules, 2025, consent must be free, specific, informed, unconditional, and unambiguous, and must be given through a clear affirmative action.

The RBI draft mirrors this standard but adds a nuance: its consent requirement attaches to availing a service, not specifically to the use of personal data. The difference is not cosmetic. It means banks must map each product and service to the consents it depends on, rather than relying on a single data-processing consent to cover everything.

If a bank bundles multiple services or processing purposes under a single consent tick-box, it risks non-compliance under both the RBI draft and the DPDP Act. What institutions can do now is separate the consent flow for each product, service, and promotional activity. Bundled consent no longer has a place; every consent must be granular and documented.

2. Promotional Communication  

The draft explicitly requires consent for receiving promotional messages, calls, or other commercial communications. This aligns directly with the consent principles of the Digital Personal Data Protection Act, 2023.

Many banks currently rely on implied consent obtained through account opening forms or broad “terms and conditions.” That approach will not survive this level of regulatory scrutiny.

Under the new regime:

  • Promotional alerts require explicit consent.
  • Unsubscribing must be as easy as subscribing.
  • Customers must have complete visibility into what they are signed up for.

For teams managing RBI compliance for banks and NBFCs, this means re-engineering marketing systems, CRM integrations, and call center scripts.


3. Dark Patterns

Perhaps the most significant consumer protection shift with this amendment is the formal recognition of “dark patterns.” The draft defines dark patterns as deceptive design practices that mislead or impair consumer choice. Some of these instances include making the “Accept” button brighter and more prominent than “Reject”, hiding opt-out links, and structuring interfaces to push users toward unintended decisions.

This is a design-level compliance requirement, which makes UI/UX teams compliance stakeholders. Under the regulatory framework of corporate governance in India, boards are expected to ensure fair treatment of customers. With dark patterns formally defined, misleading interface design may now be treated as a governance failure, not just a UX oversight.


What institutions can do now is conduct a complete audit of digital journeys, mobile apps, consent banners, and onboarding flows, and redesign them for symmetry: the accept and reject options must be equally visible and equally easy to use.

4. Mis-Selling and Compulsory Bundling

The RBI draft defines mis-selling in detail, which includes selling unsuitable products, selling without explicit consent, compulsory bundling of another product, and providing misleading information. Compulsory bundling is now clearly defined as making one product conditional upon another unless it is voluntary or complementary.

For compliance heads, this intersects directly with corporate governance principles. The regulatory framework of corporate governance in India emphasizes fiduciary responsibility and transparency. A consent that exists only on paper, but not in spirit, will not withstand scrutiny.

Banks must ensure that suitability and appropriateness assessments are documented, consent is obtained separately for each product, and product eligibility logic is auditable.

5. Direct Selling Agents (DSAs)

The draft requires banks to ensure that Direct Selling Agents (DSAs) and Direct Marketing Agents (DMAs) maintain privacy and follow compliance norms. However, it does not specify how banks must technically enforce this, which is a major operational challenge.

If a DSA collects consent improperly or engages in aggressive telemarketing without explicit opt-in, the liability sits with the bank. Under the DPDP Act, the Data Fiduciary bears responsibility for data processing, even when performed by a processor.

For effective RBI compliance for NBFCs and banks, the institutions must:

  • Maintain an updated public list of DSAs
  • Impose contractual privacy obligations
  • Monitor call recordings and marketing scripts
  • Maintain auditable consent logs

Governance is no longer limited to internal teams. It now extends to every third party in the distribution chain.

6. Burden of Proof and Audit Readiness

The DPDP Act, 2023, places the burden of proof on the Data Fiduciary. If consent is challenged, the institution must demonstrate that a compliant notice was given, valid consent was obtained, consent was not bundled, and withdrawal was honored. The RBI draft reinforces this expectation by requiring documented and explicit consent.

This is where technology becomes critical. Each consent record must be timestamped, tied to the version of the notice and terms the customer actually saw, stored in a tamper-evident (append-only) form, and linked to the specific purpose and product it covers. Audit readiness is no longer optional; it is foundational to both RBI compliance for banks and DPDP Act compliance.
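The following is an added illustration of what such a consent record store can look like in code; it is not code from the original page or from IDfy, and the field names (customer_id, purpose, product, notice_version, action, channel) are assumptions chosen for the example. It demonstrates the four properties named above: every event is timestamped, records the notice version the customer saw, is chained to its predecessor by a SHA-256 hash so that any later edit is detectable, and covers exactly one purpose and product. A grant that tries to bundle several purposes under one affirmative action is rejected, and withdrawal is a first-class event rather than an edit of the original grant. In a real deployment the chain head would additionally be signed or anchored in a WORM store so that a whole-ledger rewrite is also detectable.

```python
"""Tamper-evident, per-purpose consent ledger (illustrative example; field names are assumptions)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash recorded by the very first event


def _now_iso():
    """UTC timestamp in ISO 8601, the form an auditor can compare across systems."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _digest(event):
    """SHA-256 over a canonical JSON encoding of every field except 'hash' itself."""
    body = {k: v for k, v in event.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only log of consent events, each chained to the previous one."""

    def __init__(self):
        self._events = []  # never edited or deleted; withdrawal is a new event

    def _append(self, event):
        prev_hash = self._events[-1]["hash"] if self._events else GENESIS_HASH
        event["seq"] = len(self._events)
        event["prev_hash"] = prev_hash
        event["hash"] = _digest(event)  # covers seq and prev_hash too
        self._events.append(event)
        return event

    def grant(self, customer_id, purpose, product, notice_version, action, ts=None):
        # One purpose per affirmative action. A list of purposes is a bundled consent.
        if not isinstance(purpose, str) or not purpose:
            raise ValueError("exactly one purpose per consent event; bundled purposes are rejected")
        # DPDP consent needs a clear affirmative action; silence or a pre-ticked box is not one.
        if not action:
            raise ValueError("a clear affirmative action must be recorded")
        return self._append({
            "type": "grant",
            "customer_id": customer_id,
            "purpose": purpose,
            "product": product,
            "notice_version": notice_version,  # which notice text the customer saw
            "action": action,                  # e.g. "checkbox_ticked", "otp_confirmed"
            "ts": ts or _now_iso(),
        })

    def withdraw(self, customer_id, purpose, product, channel, ts=None):
        if not self.is_active(customer_id, purpose, product):
            raise ValueError("no active consent to withdraw")
        return self._append({
            "type": "withdraw",
            "customer_id": customer_id,
            "purpose": purpose,
            "product": product,
            "channel": channel,  # where the customer withdrew, e.g. "app_settings", "sms_STOP"
            "ts": ts or _now_iso(),
        })

    def is_active(self, customer_id, purpose, product):
        """Current state is the last grant/withdraw event for this (customer, purpose, product)."""
        active = False
        for e in self._events:
            if (e["customer_id"], e["purpose"], e["product"]) == (customer_id, purpose, product):
                active = e["type"] == "grant"
        return active

    def evidence(self, customer_id, purpose, product):
        """Every event for one consent, in order: what a regulator would ask to see."""
        return [e for e in self._events
                if (e["customer_id"], e["purpose"], e["product"]) == (customer_id, purpose, product)]

    def verify(self):
        """Recompute the chain; any edited, reordered or deleted event breaks it."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(self._events):
            if e["seq"] != i or e["prev_hash"] != prev_hash or _digest(e) != e["hash"]:
                return False
            prev_hash = e["hash"]
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("CUST-001", "promotional_sms", "credit_card", "notice-v3", "checkbox_ticked")
    ledger.withdraw("CUST-001", "promotional_sms", "credit_card", "app_settings")
    print("active:", ledger.is_active("CUST-001", "promotional_sms", "credit_card"))
    print("chain intact:", ledger.verify())
```

The two checks an auditor cares about map directly onto methods: `evidence()` produces the ordered trail for one purpose (notice version, action, timestamp, withdrawal), and `verify()` proves that trail has not been altered since it was written. Customer ID, purpose and product together form the key, so a "marketing" consent for one product never silently covers another.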

7. Suitability and Appropriateness

The draft requires banks to assess suitability before marketing financial products. This involves analyzing risk-return attributes, customers’ age and income, financial literacy, and the risk tolerance of the customer.


Explicit consent alone does not cure an unsuitable sale. This aligns with governance expectations under India’s regulatory framework. Consent does not absolve fiduciary duty. If a product is unsuitable, selling it, even with consent, may qualify as mis-selling. Institutions must therefore:

  • Integrate suitability checks into digital workflows.
  • Maintain defensible scoring frameworks.
  • Ensure override mechanisms are logged and reviewed.

Conclusion

The convergence of the RBI draft and the DPDP Act signals a deeper regulatory philosophy. Compliance is no longer about policy documents. It is more about design, architecture, and governance culture.

For leaders responsible for RBI compliance for banks and NBFCs, this is the moment to shift from reactive patchwork to proactive governance transformation.

By July 2026, regulators will not be asking whether consent was collected. They will ask whether consent was meaningful, informed, and free from manipulation.

Banks that treat this as a design and governance reset, not just as a regulatory burden, will not only meet the requirements of the Digital Personal Data Protection Act, 2023, but also strengthen customer trust in a rapidly evolving financial ecosystem.

If you are also looking for a solution to sail through this DPDP maze, reach out to us at shivani@idfy.com. We would be more than happy to help.