RBI Consent Rules for BFSI: Advisory 3/2026 and the July 1 Business Conduct Directions
The RBI Business Conduct Directions on consent took effect July 1, 2026. What banks and NBFCs must already have in place, alongside Advisory 3/2026.
On This Page
RBI Moved on Consent Ahead of the DPDP Deadline
Banks and Non-Banking Financial Companies had a date on the calendar before the DPDP Act 2023 is fully enforceable in May 2027. That date has arrived. The Reserve Bank of India advanced its consent expectations through two separate instruments. One is supervisory guidance in circulation since March. The other is binding and now operative: the Responsible Business Conduct Amendment Directions were notified in May 2026 and took effect July 1, 2026.
The distinction between the two still matters. One is the expectation an inspector measures you against. The other is binding direction that is now in force. This guide separates them and sets out the position a Board must be able to report against both.
What RBI Already Expects: Advisory No. 3/2026
RBI Advisory No. 3/2026, issued by the Department of Supervision on March 25, 2026, is real and in circulation. It followed a thematic study across supervised entities and reads as supervisory best practice rather than a binding direction. It directs regulated entities toward three things:
- Centralized consent management. The requirement, as rendered in KPMG’s published analysis of the Advisory: a unified platform that captures, tracks, and updates customer consent consistently, and in an auditable manner.
- Automated data discovery. Tooling to find and classify personal data across systems rather than relying on manual inventory.
- Board-level accountability. Data protection treated as a standing Board agenda item, not a project owned three layers down.
The Advisory is guidance, not a penalty provision. Its weight comes from what it signals. It is the supervisory expectation banks and NBFCs are now measured against during inspection. The answer “we are evaluating our options” is not a position against that expectation.
In Force Since July 1: The Business Conduct Directions
The second instrument is the RBI Responsible Business Conduct Amendment Directions for commercial banks. Issued in draft in early 2026 for public comment, the amendments were notified as final in May 2026 and are in force since July 1, 2026. The parallel NBFC Responsible Business Conduct Directions, issued in November 2025, were already in force, and their consent and dark-pattern amendments carry the same July 1, 2026 effective date.
Since July 1, the Directions require:
- Per-product explicit consent. Consent must be specific, informed, auditable, withdrawable, and given through affirmative action, for each product separately, including third-party products.
- A ban on bundled and pre-ticked consent and on dark patterns in digital interfaces. The single-checkbox practice that covers everything at once no longer satisfies the standard.
- Customer control with an auditable trail. Customers must be able to view, modify, and withdraw consents, with a digital record that survives supervisory review.
The framing has changed twice since the draft circulated. First it became a notified direction with a fixed date. Now the date has passed. An institution without per-product, auditable consent capture is not preparing for an obligation. It is operating in breach of one.
Why the Pressure Concentrated in This Window
Two unrelated events landed in the same window for BFSI compliance teams. The July 1 effective date of the Directions is one. The other is commercial: a competing compliance platform’s free enrollment period ended June 30, 2026, after which new customers face a list price near ₹50 lakh per year. Organizations that onboarded for free face a migration decision in the same weeks the Directions took effect. The two pressures point at the same action: put real consent infrastructure in place now.
The Two-Instrument Gap Analysis
Use this framework to position your institution against both instruments. The left column is what RBI expects under the Advisory. The middle column is what the Directions have required since July 1. The right column is the readiness action that satisfies both.
| Consent area | RBI expects (Advisory 3/2026) | Directions require (since July 1, 2026) | Readiness action |
|---|---|---|---|
| Consent capture | Centralized consent mechanism | Affirmative, auditable consent per interaction | Single consent record of truth, timestamped and retrievable |
| Bundled consent | Move away from blanket consent | Explicit ban on bundled and pre-ticked consent | Replace the single checkbox with per-purpose capture |
| Per-product consent | Implied by centralization | Separate consent for each product | Map products to purposes, capture consent per purpose |
| Customer control | Track and update consent | Real-time view, modify, withdraw dashboard | Customer-facing consent dashboard with audit trail |
| Data discovery | Automated discovery and classification | Supports the consent and audit obligations | Automated personal-data inventory across systems |
| Accountability | Board-level data protection agenda | Auditable digital trail for supervisory review | Board-ready readiness report, generated not assembled |
The pattern is consistent across both instruments. The institution that holds a centralized consent record and per-product consent architecture is ready for both.
What BFSI Should Do Now
- Brief the Board on both instruments. Advisory 3/2026 is the supervisory expectation in force since March. The Business Conduct Directions bind since July 1. They are two reporting lines, not one blurred deadline.
- Inventory consent capture. Identify every point where customer consent is collected and whether it is per-product or bundled. Bundled consent is the first thing both instruments target, and since July 1 it is a directions breach, not a best-practice gap.
- Stand up a single consent record. Centralization is the one expectation common to the Advisory and the Directions. It is the single move that satisfies the most obligations at once.
- Document the readiness position. An inspector or a Board reporting cycle needs a documented, verifiable answer, not an in-progress consultant engagement.
The retention and erasure conflict that NBFCs face under RBI and PMLA mandates sits alongside this. For that dimension, see NBFC DPDP compliance and the Compliance Vault approach to statutory retention versus DPDP erasure.
Get Your Position Scored
The fastest way to know where your institution sits against these consent expectations is to score it. Run the free DPDP Gap Assessment. It returns a compliance score and a report you can take into a Board reporting cycle, mapped to the obligations above. For a documented, examination-ready position, see the NBFC readiness page.
Know where you stand on DPDP compliance
Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, work through the 26-point compliance checklist, or model your penalty exposure.
Enforcement milestones, rule notifications, and deadline analysis.
One email when it matters, no more.
Resources
Continue Reading
Related DPDP Act 2023 guidance from the ConsentOS knowledge base.
NBFC DPDP Compliance: RBI KYC Retention and PMLA Overrides in India
How NBFCs reconcile DPDP Act 2023 with RBI KYC retention, PMLA record-keeping, CIBIL consent and FIU-IND reporting. Legal Obligation Override explained.
11 min read
Regulatory UpdatesWhat Is the DPDP Act 2023? Guide for Indian Business Compliance
India's Digital Personal Data Protection Act 2023 decoded: 7 obligations for every Data Fiduciary, 8 rights for Data Principals, penalties up to ₹250 crore.
6 min read
Consent ManagementDPDP Consent Manager Registration: Who Needs It and How to Apply
Most companies do not need to register. Who does, the 13 November 2026 deadline, the Rs 2 crore net worth test, and what Sections 6(7) to 6(9) require.
12 min read