Customer Data Protection in Indian Financial Sector

The issuance of Advisory No. 3/2026 by the Reserve Bank of India on March 25, 2026, establishes a comprehensive framework for Supervised Entities to enhance their data security protocols within an increasingly digital financial environment. This advisory was developed following a thematic study conducted in 2025 by the Cyber Security and IT Risk Group, Department of Supervision, which examined the security of customer data across multiple categories of financial institutions.

The guidance arrives during a critical transition for the Indian legal system, as the Digital Personal Data Protection Act, 2023 (DPDPA) is scheduled for full enforcement by May 13, 2027. For financial institutions, managing the intersection of sectoral banking regulations and horizontal data privacy laws is no longer a peripheral technical concern but a central board-level responsibility that dictates institutional trust and operational continuity.

Legislative Foundations of Data Privacy in India

The legal framework governing data protection in India has shifted from the Information Technology Act, 2000 to the Digital Personal Data Protection Act, 2023. Historically, personal data was governed through Section 43A of the IT Act, which gave individuals a right to compensation from a body corporate that negligently failed to maintain reasonable security practices, and Section 72A, which penalised the disclosure of personal information in breach of a lawful contract.

These provisions were supplemented by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules). Built around a body corporate's security practices and contractual obligations rather than enforceable individual rights, these standards proved insufficient as financial operations became increasingly digitized and the volume of customer data exposed to compromise grew.

The DPDPA 2023 replaces this patchwork: it omits Section 43A of the IT Act, under which the SPDI Rules were framed, and introduces a uniform, rights-based regime. The new law applies to the processing of digital personal data within India, whether collected online or collected offline and subsequently digitized.

It also extends extraterritorial jurisdiction to any processing outside India if it is related to the offering of goods or services to individuals within the country. The Act classifies organizations as Data Fiduciaries, who determine the purpose and means of data processing, and recognizes individuals as Data Principals, granting them enforceable rights over their personal information.

Complementing the primary Act are the Digital Personal Data Protection Rules, 2025, which were notified on November 13, 2025, to provide the operational clarity required for implementation. These rules establish foundational provisions for the Data Protection Board of India and outline the requirements for specialized entities such as Consent Managers.

For the banking and financial services sector, these laws operate alongside the Reserve Bank of India Master Directions on IT Governance of 2024, creating a dual layer of compliance where entities must satisfy both sectoral security standards and general privacy obligations.

Governance and Board-Level Accountability

The RBI Advisory 3/2026 is unambiguous in stating that data protection must be treated as a board-level responsibility rather than a subordinate IT function. Supervised Entities are required to establish a clear governance structure where policies, standards, and frameworks related to customer data security, privacy, and third-party risk are formally approved by the board or a designated committee. To maintain effective oversight, these policies must be reviewed periodically to ensure they remain relevant to the changing risk environment and technological developments.

The guidance suggests that customer data security and privacy should be a standing agenda item for the board or a designated board-level committee to review the organization’s risk posture on a quarterly or semi-annual basis. This review should include a detailed examination of key security incidents, remediation progress, and the overall effectiveness of the data protection framework.

By integrating these issues into the highest governance levels, the advisory ensures that leadership maintains direct accountability for data protection failures, which are increasingly viewed as governance failures rather than mere operational issues.

To operationalize this accountability, Supervised Entities are encouraged to use a RACI matrix, identifying those who are Responsible, Accountable, Consulted, and Informed to clearly document responsibilities across the organization. This matrix should cover all critical functions, including data governance, protection, monitoring, incident handling, and remediation.

Furthermore, clear roles and reporting lines must be established for specialized positions such as the Chief Information Security Officer and the Data Protection Officer. Cross-functional oversight is also recommended through a steering committee comprising representatives from business, technology, legal, compliance, and information security departments to periodically oversee the data governance environment.

Data Lifecycle: Collection, Classification, and Consent

Under the DPDPA 2023, personal data may be processed only on the basis of consent that is free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, or for one of the legitimate uses the Act enumerates. The RBI Advisory recommends centralized consent management platforms so that these permissions, and their withdrawal, are tracked consistently across all channels.

Furthermore, entities must employ automated tools for data tagging and classification across on-premises and cloud environments based on sensitivity levels. Comprehensive mapping of end-to-end data flows is required to identify all repositories and strengthen downstream security controls.

Technical Controls and Access Management

Ensuring the security of customer data requires strong cryptographic standards for data at rest and in transit, supported by Hardware Security Modules for key management. Organizations must deploy multi-layered Data Leakage Prevention solutions at all exit points, including endpoints, email, and network boundaries.

Access management is secured through encrypted VPN tunnels, Virtual Desktop Infrastructure restrictions, and Mobile Device Management solutions that allow for remote wipe capabilities. Real-time monitoring via a 24×7 Security Operations Center is essential for detecting unauthorized access or unusual changes to customer data.

Third-Party Risk and Incident Response

Given the reliance on outsourcing, the RBI Advisory emphasizes rigorous vendor due diligence and the inclusion of DPDPA-aligned security clauses in all contracts. Supervised Entities must share only the minimum data necessary for a defined purpose and prohibit third parties from storing sensitive data in plain text.

A structured Incident Response Framework is required for rapid detection and escalation of breaches. Reporting obligations run on two clocks: cyber incidents must be reported to the RBI within six hours of detection, while a personal data breach must be intimated to the Data Protection Board without delay, followed by a detailed report within 72 hours, and each affected Data Principal must also be notified. Regular cyber drills involving third-party partners help identify blind spots and improve coordination under stress.

Digital Fraud Safeguards and Strategic Implications

In March 2026, the RBI formally issued a framework for digital fraud safeguards, with phased milestones set for April 1 and July 1, 2026. These rules fundamentally redefine the responsibilities of banks and UPI apps in preventing and responding to digital payment fraud. One of the most significant changes is the introduction of a maximum compensation of INR 25,000 per incident for unauthorized transactions if the bank fails to detect or prevent the fraud and the user reports it within the prescribed window.

A mandatory “kill-switch” must now be provided by every bank and UPI app, allowing users to instantly suspend all outgoing transactions through a single button accessible within three taps from the app’s home screen. For high-value transactions above a certain threshold to new beneficiaries, banks must implement a mandatory processing delay to allow users time to reverse suspicious transactions.

Furthermore, the framework mandates the end of OTP-only authentication for high-risk transactions, requiring banks to implement device binding, behavioral biometrics, or a second independent channel to reduce the risk of SIM-swap fraud.

These rules also address the issue of “mule accounts” by setting a hard transaction ceiling of INR 25 lakh per month for flagged accounts and requiring automatic flagging after three unusual inflows. Banks must now share fraud patterns and flagged identifiers on a centralized RBI platform in real-time to prevent fraudsters from moving between different financial institutions.
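To make the interplay of these controls concrete, here is an added example (hypothetical code, not the RBI framework or any bank's system) that encodes the kill-switch, the new-beneficiary hold, the automatic mule-account flag and the monthly ceiling as one decision function over an account's state. The high-value threshold, the length of the hold and the definition of an "unusual" inflow are assumptions: the framework as summarised above leaves the threshold unstated and the page does not define "unusual". The INR 25 lakh ceiling and the count of three inflows are the figures quoted in the text.

```python
"""Illustrative decision logic for the digital fraud safeguards above.

Hypothetical code, not the RBI framework or any bank's implementation.
Values marked ASSUMED are not from the framework.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

HIGH_VALUE_THRESHOLD = 100_000              # INR, ASSUMED ("above a certain threshold")
NEW_BENEFICIARY_HOLD = timedelta(hours=24)  # ASSUMED length of the processing delay
MULE_MONTHLY_CEILING = 2_500_000            # INR 25 lakh per month for flagged accounts
UNUSUAL_INFLOW_COUNT = 3                    # automatic flag after three unusual inflows
UNUSUAL_MULTIPLIER = 5                      # ASSUMED: inflow > 5x mean of earlier inflows
SAMPLE_TIME = datetime(2026, 7, 1, 10, 0)   # constructed timestamp for the walk-through


@dataclass
class Account:
    account_id: str
    kill_switch: bool = False
    flagged: bool = False
    unusual_inflows: int = 0
    inflow_history: List[int] = field(default_factory=list)
    beneficiaries: Set[str] = field(default_factory=set)
    monthly_outflow: Dict[str, int] = field(default_factory=dict)  # "YYYY-MM" -> INR


@dataclass
class Decision:
    action: str                            # "ALLOW", "HOLD" or "BLOCK"
    reason: str
    release_at: Optional[datetime] = None  # set for HOLD only


def activate_kill_switch(acct: Account) -> None:
    """User-triggered: suspend every outgoing transaction until the bank lifts it."""
    acct.kill_switch = True


def record_inflow(acct: Account, amount: int) -> bool:
    """Record a credit; return True if it counted as unusual.

    ASSUMED heuristic: an inflow is unusual when it exceeds UNUSUAL_MULTIPLIER
    times the mean of the account's earlier inflows. The account is flagged as
    a suspected mule once UNUSUAL_INFLOW_COUNT such inflows have been seen.
    """
    history = acct.inflow_history
    unusual = bool(history) and amount > UNUSUAL_MULTIPLIER * sum(history) / len(history)
    history.append(amount)
    if unusual:
        acct.unusual_inflows += 1
        if acct.unusual_inflows >= UNUSUAL_INFLOW_COUNT:
            acct.flagged = True
    return unusual


def settle_outflow(acct: Account, beneficiary: str, amount: int, when: datetime) -> None:
    """Book a completed debit: the beneficiary becomes known and the month's total grows.

    Called for ALLOW decisions here, and by whatever releases a HOLD once the
    delay has passed without the customer reversing the transfer.
    """
    month = when.strftime("%Y-%m")
    acct.beneficiaries.add(beneficiary)
    acct.monthly_outflow[month] = acct.monthly_outflow.get(month, 0) + amount


def evaluate_outflow(acct: Account, beneficiary: str, amount: int, now: datetime) -> Decision:
    """Apply the safeguards in priority order and book the debit if it is allowed."""
    if acct.kill_switch:
        return Decision("BLOCK", "kill-switch active: all outgoing transactions suspended")
    month = now.strftime("%Y-%m")
    if acct.flagged and acct.monthly_outflow.get(month, 0) + amount > MULE_MONTHLY_CEILING:
        return Decision("BLOCK", "flagged account: INR 25 lakh monthly ceiling exceeded")
    if beneficiary not in acct.beneficiaries and amount > HIGH_VALUE_THRESHOLD:
        # Deliberately not booked here: the beneficiary only becomes "known" when the
        # hold settles, otherwise a second transfer during the delay bypasses the check.
        return Decision("HOLD", "high-value transfer to a new beneficiary",
                        release_at=now + NEW_BENEFICIARY_HOLD)
    settle_outflow(acct, beneficiary, amount, now)
    return Decision("ALLOW", "no safeguard triggered")


if __name__ == "__main__":
    # Constructed walk-through, not real transactions.
    acct = Account("ACC-1")
    print(evaluate_outflow(acct, "BEN-A", 50_000, SAMPLE_TIME))
    print(evaluate_outflow(acct, "BEN-B", 500_000, SAMPLE_TIME))
    mule = Account("ACC-2")
    for credit in (1_000, 1_200, 900, 50_000, 100_000, 200_000):
        record_inflow(mule, credit)
    print(mule.flagged, evaluate_outflow(mule, "BEN-C", 2_600_000, SAMPLE_TIME))
```

The ordering matters: the kill-switch is checked before anything else so that a customer's suspension cannot be undone by a rule further down, and the ceiling on a flagged account is checked before the new-beneficiary hold so that a mule account cannot turn a hard block into a delayed release.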

A strict 24-hour service level agreement is enforced for fraud response, requiring banks to acknowledge complaints within one hour and provide a resolution or interim credit within 24 hours. These safeguards represent a shift toward greater institutional accountability for the security of the digital payment ecosystem, reinforcing the data protection principles outlined in the RBI Advisory and the DPDPA.

Conclusion

The regulatory landscape of 2026 moves data protection from an operational technicality to a core strategic imperative. By integrating the governance standards of the RBI Advisory with the legal mandates of the DPDPA 2023, financial institutions can build a resilient ecosystem that protects customer interests and satisfies multi-layered compliance obligations. As India approaches full DPDPA enforcement in 2027, establishing these best practices is essential for maintaining institutional trust in a privacy-conscious digital economy.

Strengthening safeguards around financial data aligns closely with the RBI Directions, 2025 on Digital Payment Authentication, which reinforce secure authentication standards within the broader framework of customer data protection in the Indian financial sector.

Disclaimer

The Bar Council of India Rules expressly prohibit law firms from soliciting work and advertising directly or indirectly. The contents of this website are intended solely for general information and knowledge of the user and are not an offer of legal services or advertising, and neither does accessing the website create an advocate-client relationship. We do not provide legal advice through this website. Publications and thought leadership content published on the website are for informative purposes only. Hyperlinks to third-party websites are only for reference and do not imply endorsement by Agrud Partners. Agrud Partners and its partners/authors assume no liability for the accuracy or reliability of information on third-party websites or for any loss due to reliance on such information. The contents of this website and linked publications are protected under intellectual property laws. Restricted access areas on this website may be subject to additional usage terms.
