
RBI's New Amendment Directions: What They Mean for DPDP Readiness for Financial Institutions and Insurers
On June 15, 2026, the Reserve Bank of India (RBI) issued the Responsible Business Conduct (Second Amendment) Directions, 2026, introducing stringent requirements around customer communications across customer consent, product disclosures, promotional communications, record retention, and responsible selling practices. These amendments are designed not only to enhance transparency and customer awareness but also to strengthen another critical focus, which is the responsible governance of customer data.
With key provisions taking effect from January 1, 2027, enterprises have a defined window to strengthen their governance frameworks.
For banks, NBFCs, payment banks, housing finance companies, cooperative banks, and insurers this isn't simply another regulatory notification; it signals a shift from compliance as a periodic exercise to governance by design, where every customer interaction must be transparent, consent-driven, auditable, and accountable.
The latest RBI mandate emphasizes that the customer must make an informed choice, receive the necessary disclosures, and explicitly agree to the interaction. At the same time, the Digital Personal Data Protection (DPDP) Act is redefining how organizations collect, process, store, and use personal data.
Viewed independently, the RBI's RBC Directions and the DPDP Act address different regulatory objectives. Together, however, they establish a common governance framework centred on customer trust, transparency, accountability, and verifiable consent.
Let's explore how the RBI's latest amendment strengthens consent governance and why its requirements closely align with the principles of the DPDP Act.
- Consent is No Longer a One-Size-Fits-All
The RBI's amendment requires financial institutions to obtain explicit customer acceptance for financial products and maintain evidence that the customer has provided consent. The amendment requires banks to obtain consent separately for every financial product or service offered to a customer.
- Avoid Dark Patterns
The RBI's new amendment explicitly discourages deceptive sales practices and dark patterns that influence customer decisions.
These include practices such as pre-selected consent boxes, confirm shaming, false urgency, drip pricing, and trick wording. The future belongs to transparent customer journeys, not persuasive interface design.
- Marketing Consent Must Be Separate from Promotional Consent
One of the amendment's most significant changes concerns promotional communications. Companies may send promotional messages about their own or third-party financial products only if the customer has explicitly consented to receive such communications. Under the RBI directions, service communications and marketing communications must be governed separately.
- Maintain Audit Readiness
The amendment also requires banks to preserve consent records and related documentation until one year after the contractual relationship for the product or service has ended. Audit readiness is no longer an annual compliance activity. It must be built into every customer interaction.
These expectations closely resemble DPDP's accountability framework, where organizations are expected to demonstrate lawful processing and maintain records that support compliance. A centralized audit trail is no longer just an operational convenience. It's becoming a regulatory necessity.
The Bigger Shift: Unified Governance by Design
Enterprises are now expected to govern every stage of the customer journey; from consent collection and product disclosures to promotional communications and record retention, with far greater transparency and accountability.
Rather than addressing RBI compliance and DPDP separately, enterprises have the opportunity to build a unified governance framework that satisfies both. Complying with the RBC Amendments will make DPDP compliance easier down the line.
The In10s Unified DPDP Governance Platform, helps financial institutions and insurers alike address these requirements through a single governance layer.
Get in touch with In10s to discover how you can strengthen your end-to-end governance framework.
