Summary

  • The RBI's RBC (Second Amendment) Directions take effect January 1, 2027 — roughly four months before the DPDP obligations most BFSI teams are planning around.
  • They impose consent changes on banks and other REs, several stricter than DPDP.
  • Per-product consent, no pre-ticked boxes, unskippable T&Cs, a separate marketing opt-in, and one-year record retention.
  • Rather than treating the RBC Amendments and the DPDP Act as separate compliance projects, banks should build one consent infrastructure that meets both.
Close Button

RBI Moved Your DPDP Deadline: 9 Changes to Make Before Jan 1, 2027

Avisha Khatri

Product Content Strategist
July 9, 2026

Summary

  • The RBI's RBC (Second Amendment) Directions take effect January 1, 2027 — roughly four months before the DPDP obligations most BFSI teams are planning around.
  • They impose consent changes on banks and other REs, several stricter than DPDP.
  • Per-product consent, no pre-ticked boxes, unskippable T&Cs, a separate marketing opt-in, and one-year record retention.
  • Rather than treating the RBC Amendments and the DPDP Act as separate compliance projects, banks should build one consent infrastructure that meets both.

Summary

  • The RBI's RBC (Second Amendment) Directions take effect January 1, 2027 — roughly four months before the DPDP obligations most BFSI teams are planning around.
  • They impose consent changes on banks and other REs, several stricter than DPDP.
  • Per-product consent, no pre-ticked boxes, unskippable T&Cs, a separate marketing opt-in, and one-year record retention.
  • Rather than treating the RBC Amendments and the DPDP Act as separate compliance projects, banks should build one consent infrastructure that meets both.

Most compliance teams in the BFSI Industry have May 13, 2027 circled on their calendars. That's when the Digital Personal Data Protection Act's obligations kick in.

Here's the problem: for consent, a large part of that work is now due four and a half months earlier.

On June 15, 2026, the RBI released the Responsible Business Conduct (Second Amendment) Directions, 2026 (RBC Amendments). They apply to banks, NBFCs, payments banks, housing finance companies and cooperative banks — and take effect on January 1, 2027.

Here's what changes operationally, and what you need to build before January 1.

Why this matters for DPDP readiness

The RBC Amendments and the DPDP Act regulate different things. RBC governs consent for products and services, what a customer agrees to buy or subscribe to. DPDP governs consent to process personal data.

So, on the face of it, the RBC amendments should have no relevance for DPDP compliance.

But when you look at an actual banking journey, you realize the two are intertwined very tightly.

The moment a customer taps “I agree” on a loan application, they are consenting to a product and to the processing of their data - all in one action.

More specifically, these RBC amendments lay down very specific requirements around consent (sound familiar?) - some of which are identical to DPDP requirements, some of which are stricter than DPDP requirements.

1. Capture consent separately for every product or service (Paras 85G and 85Q)

Today, when a customer applies for, say, a home loan - they also sign up for a term insurance policy, a general insurance policy etc. all in one flow - with one checkbox. Under the RBC Amendments, this is now banned.

What needs to happen now under the RBC Amendments is:

  • The digital form or interface must show each financial product separately - clearly demarcated along with nature of product (e.g “ABC Bank Superloan | loan”)
  • The customer must be able to consent to each product separately - you can't have a common “I agree” or “I accept” box
  • Consent must be captured in one of 4 ways - a signed declaration (physical or electronic), OTP based approval, digitally recorded confirmation or a consent embedded in a clearly demarcated section of the agreement

2. Set the default consent choice to “No” (Para 85I)

Companies often “pre-tick” boxes in digital forms. This is a dark pattern that tries to “nudge” customers into agreeing.

From Jan 1, 2027, this practice is banned under the RBC.

Instead, the default state of every consent choice must be “No” / “I do not agree”.

The RBC specifically wants the customer to make an active choice and take an active action in order to accept anything.

3. Make terms and conditions un-skippable before consent (Para 85I)

The RBC Amendments mandate that the flow must make it impossible to give consent without first going through the terms and conditions.

This is already in place in a lot of netbanking apps - where the user has to scroll down to the bottom of a page before the “Proceed” or “Next” or “I agree” button becomes active.

4. Disclose fees/charges/interest rates etc. before you ask for consent (Para 85H)

Before consent is taken for any product or service, the bank must prominently disclose its key features: fees, charges, interest rate, risks, financial commitment, lock-in conditions, and exit terms including penalties.

Where a regulator has already prescribed a format like a Key Facts Statement (KFS), Most Important Terms and Conditions (MITC), and the like - this requirement would be satisfied.

5. Take a separate, explicit opt-in for promotional communication (Para 85L)

Product consent and marketing consent are now two different things.

Promotional communication and offers the bank's own or a third party's product can only go to customers who have given explicit consent to receive it.

A customer opening a savings account has consented to the account. You cannot assume that they have consented to SMS blasts about personal loans, credit card upgrades, or a partner insurer's new policy.

6. Make unsubscribing easy (Para 85M)

The process for unsubscribing from any services or promotional communication must be easy and simple.

Today, unfortunately, most product teams spend significant time, effort and talent on actively making cancellations hard.

This will now incur significant RBI penalties. Your product team incentives and mindset may need to change radically.

You can't boast about “butter smooth apps” while making unsubscribing a hellish experience.

7. Retain consent records for one year after the relationship ends (Para 85G)

Consent and related records must be stored until one year from the date the contractual relationship for that product or service ends.

A 20-year home loan means the consent record from origination must survive 21 years. The rule is per product - so a customer with four products has four different retention clocks.

If there are multiple regulations each setting a different timeline, then read them cumulatively.

8. Don't force one product on the back of another (Para 85V)

Going forward, REs cannot bundle the sale of a third-party product with one of its own.

There seems to be an exception for insurance products where the RBC permits bundling of third-party product if they act as a risk mitigant for the bank's own. However do not rely on this fully - because even here - the RBC mandates that the customer must be free to choose their own insurance provider if they want.

Essentially:

  • No bundled third party products. The customer must be given an active choice to purchase or not. If the customer gives explicit consent for a product then it can be packaged with the primary one.
  • Insurance products can be bundled - but the customer must be given a choice to opt out.

9. Post-sale communication and language obligations (Paras 85R, 85S and 85T)

There are 3 smaller communication-related obligations in the consent flow:

  • For third-party products, once you receive an application, you must send the customer an acknowledgement by SMS, email, or another secure medium confirming receipt and carrying a contact number for queries
  • On completing a sale, the signed terms and conditions or agreement must reach the customer, physically or by email as they prefer, delivered securely enough to keep their information confidential
  • All documents tied to the product, terms and conditions included, must be available in the regional language or a language the customer understands. For third-party products, follow whatever the relevant regulator has specified

January 1 Implementation Checklist

Everything above, turned into work. Split it across three streams and give each an owner.

0 / 16 done

Consent Journeys

Customer Experience

Governance & Records

Complying with the RBC Amendments will make DPDP compliance easier

Complying with the RBI Amendments won't automatically make a bank DPDP compliant. But they do require many of the same underlying capabilities: granular consent capture, affirmative choice, purpose-level records, easy withdrawal, and auditable consent trails.

Rather than approaching the RBC Amendments and the DPDP Act as two independent compliance exercises, banks should identify overlapping obligations - and build a common consent infrastructure to handle these.

The entire consent flow - from collection to records - can be integrated in your customer journeys in less than 2 weeks with Consentin. You can try Consentin for free.

This blog reflects our reading of the RBC (Second Amendment) Directions, 2026. It is not legal advice. You must consult with your legal, compliance, and risk teams before building new policies.

Get consent-ready before January 1, 2027

Book a Demo

Compliance Deadline:

0 weeks away