The New “Active Consent” Regime For Digital Banking
Introduction
The Reserve Bank of India’s Master Direction on Digital Banking Channels Authorisation, 2025, effective from January 1, 2026, introduces a deliberate regulatory correction to entrenched digital on-boarding practices in the banking sector. For several years, digital banking facilities were routinely activated as a default feature of account opening, with customers often being enrolled into mobile or internet banking through standardised forms or bundled consents, without a conscious exercise of choice. In many cases, this activation occurred as a matter of institutional convenience rather than customer preference, blurring the line between essential banking services and optional digital channels.
This regulatory shift reflects a broader objective of ensuring that access to technology-driven convenience does not come at the cost of transparency or consumer protection.
The Shift To Explicit Consent
Direction 10.5 draws a firm line between core banking services and digital access channels. While banks may continue to offer bundled products for convenience, the RBI has made it explicit that the decision to avail digital banking must rest entirely with the customer. Consent for digital banking must therefore be obtained separately and recorded distinctly from the general account opening authorisation. Banks can no longer deny access to basic facilities, such as physical debit cards or branch services, merely because a customer does not wish to activate mobile or internet banking. This effectively ends the practice of default digital activation.
Operational Compliance Requirements
The Directions also impose targeted operational obligations. Under Direction 10.6, certain mobile banking services, particularly SMS-based facilities, must be network independent and function irrespective of the customer’s telecom service provider. Direction 10.7 requires banks to deploy risk-based transaction monitoring systems capable of identifying unusual or high-risk transactions. Where a transaction falls outside the customer’s normal usage pattern, prior confirmation must be obtained before processing, adding a further layer of customer protection.
Compliance and Liability Considerations
From a compliance standpoint, the long-standing practice of relying on a single, omnibus signature or generic click-through authorisation to cover both account opening and activation of multiple digital banking channels will no longer meet regulatory expectations. Under the new directions, consent must be specific and traceable to the particular digital service chosen and enabled. In the absence of clear service-specific consent, banks are likely to face significant challenges in countering claims arising from unauthorised digital transactions, phishing and fraud-related losses, or misuse of electronic banking channels. Thus, consent documentation, time-stamped records, system logs, and audit trails will assume central importance, not only during RBI inspections but also in consumer disputes and litigation. From a governance perspective, banks must therefore treat consent capture and retention as a legal risk management function, rather than a mere procedural formality.
Conclusion
The Master Direction represents a move towards clearer consent standards and more disciplined digital banking governance. Banks must now audit and review their account opening forms and internal processes to ensure that digital banking is enabled only after explicit customer authorisation has been obtained, which reduces regulatory risk while reinforcing customer choice in digital banking operations.