India’s banking regulator, the Reserve Bank of India (RBI), has issued its final guidelines for digital banking channels. 

Under the new RBI digital banking guidelines, banks are required to record or document the explicit consent of customers before providing digital banking services. 

The guidelines specifically state that banks cannot make it mandatory for customers to opt for any digital banking channel to access facilities such as debit cards. 

Banks must implement appropriate risk mitigation measures according to their internal policies based on their risk perception. 

The measures may include setting transaction limits per transaction, daily, weekly, and monthly limits, as well as transaction velocity limits and fraud checks. 

RBI, in its statement, said: “While it may be more convenient for the customer to opt for some services together (for example, virtual access to card controls), the choice to apply for digital banking facilities shall lie solely with the customer. 

“However, it is clarified that banks can continue to obtain and record mobile numbers of customers to send transaction alerts and other purposes in line with KYC requirements at the time of opening the accounts.” 

“It is clarified that wherever specific requirements have been prescribed by the Reserve Bank or payment system operators (for example, NPCI, Card networks like VISA, Mastercard, etc.), the stricter requirements of the two shall be applicable.” 

Banks providing mobile banking services through channels other than mobile applications must ensure that these services are accessible to customers regardless of their mobile network operator. In other words, the mobile banking service should function independently of the customer’s network provider. 

The guidelines also mandate that banks implement transaction monitoring and surveillance systems based on risk assessment. 

Display of third-party products and services on banks’ digital banking channels is being restricted unless specifically permitted by the regulator. 

Banks are instructed to clearly communicate to customers that SMS and email alerts will be sent to the mobile number or email registered with the bank for all account operations, both financial and non-financial. 

The RBI has further directed banks to comply with existing guidelines on customer protection and ensure that the terms and conditions meet regulatory requirements. 

In a separate development, RBI has imposed a Rs91m ($1m) penalty on HDFC Bank for breaches of the Banking Regulation Act and RBI guidelines. 

According to the regulator, the bank used multiple loan benchmarks, non-permissible subsidiary business, and outsourced the function of determining compliance with KYC norms of certain customers. 

The penalty follows RBI’s supervisory evaluation and review of the bank’s responses to show-cause notices.