RBI Consent Rules for BFSI: Advisory 3/2026 and the July 1 Business Conduct Directions

RBI Is Moving on Consent Ahead of the DPDP Deadline

Banks and Non-Banking Financial Companies have a date on the calendar before the DPDP Act 2023 is fully enforceable in May 2027. That date is July 1, 2026. The Reserve Bank of India has advanced its consent expectations through two separate instruments. One is supervisory guidance already in circulation. The other is now final: the Responsible Business Conduct Amendment Directions were notified in May 2026 and take effect July 1, 2026.

The distinction between the two still matters. One is the expectation an inspector measures you against. The other is binding direction with a fixed effective date. This guide separates them and sets out the readiness position a Board can report against both.

What RBI Already Expects: Advisory No. 3/2026

RBI Advisory No. 3/2026, issued by the Department of Supervision on March 25, 2026, is real and in circulation. It followed a thematic study across supervised entities and reads as supervisory best practice rather than a binding direction. It directs regulated entities toward three things:

• Centralized consent management. The requirement, as rendered in KPMG’s published analysis of the Advisory: a unified platform that captures, tracks, and updates customer consent consistently, and in an auditable manner.
• Automated data discovery. Tooling to find and classify personal data across systems rather than relying on manual inventory.
• Board-level accountability. Data protection treated as a standing Board agenda item, not a project owned three layers down.

The Advisory is guidance, not a penalty provision. Its weight comes from what it signals. It is the supervisory expectation banks and NBFCs are now measured against during inspection. The answer “we are evaluating our options” is not a position against that expectation.

What Takes Effect July 1: The Business Conduct Directions

The second instrument is the RBI Responsible Business Conduct Amendment Directions for commercial banks. Issued in draft in early 2026 for public comment, the amendments were notified as final in May 2026 with an effective date of July 1, 2026. The parallel NBFC Responsible Business Conduct Directions, issued in November 2025, are already in force, and their consent and dark-pattern amendments carry the same July 1, 2026 effective date.

From July 1, the Directions require:

• Per-product explicit consent. Consent must be specific, informed, auditable, withdrawable, and given through affirmative action, for each product separately, including third-party products.
• A ban on bundled and pre-ticked consent and on dark patterns in digital interfaces. The single-checkbox practice that covers everything at once no longer satisfies the standard.
• Customer control with an auditable trail. Customers must be able to view, modify, and withdraw consents, with a digital record that survives supervisory review.

The framing has changed since the draft circulated. This is no longer “get ahead of a proposal.” It is a notified direction with a fixed date, and the procurement and implementation lead time for consent infrastructure is now counted against it.

Why the Timing Concentrates in Late June

Two unrelated events land in the same window for BFSI compliance teams. The July 1 effective date of the Directions is one. The other is commercial: a competing compliance platform’s free tier ends June 30, 2026, after which it reverts to a list price near ₹50 lakh per year. Organizations that onboarded for free face a migration decision in the same weeks the Directions take effect. The two pressures point at the same action: put real consent infrastructure in place now.

The Two-Instrument Gap Analysis

Use this framework to position your institution against both instruments. The left column is what RBI expects today under the Advisory. The middle column is what the Directions require from July 1. The right column is the readiness action that satisfies both.

Consent area	RBI expects now (Advisory 3/2026)	Directions require (July 1, 2026)	Readiness action
Consent capture	Centralized consent mechanism	Affirmative, auditable consent per interaction	Single consent record of truth, timestamped and retrievable
Bundled consent	Move away from blanket consent	Explicit ban on bundled and pre-ticked consent	Replace the single checkbox with per-purpose capture
Per-product consent	Implied by centralization	Separate consent for each product	Map products to purposes, capture consent per purpose
Customer control	Track and update consent	Real-time view, modify, withdraw dashboard	Customer-facing consent dashboard with audit trail
Data discovery	Automated discovery and classification	Supports the consent and audit obligations	Automated personal-data inventory across systems
Accountability	Board-level data protection agenda	Auditable digital trail for supervisory review	Board-ready readiness report, generated not assembled

The pattern is consistent across both instruments. The institution that holds a centralized consent record and per-product consent architecture is ready for both.

What BFSI Should Do Before July 1

1. Brief the Board on both instruments. Advisory 3/2026 is the supervisory expectation already in force. The Business Conduct Directions are notified and bind from July 1. They are two reporting lines, not one blurred deadline.
2. Inventory consent capture. Identify every point where customer consent is collected and whether it is per-product or bundled. Bundled consent is the first thing both instruments target, and from July 1 it is a directions breach, not a best-practice gap.
3. Stand up a single consent record. Centralization is the one expectation common to the Advisory and the Directions. It is the highest-leverage move.
4. Document the readiness position. An inspector or a Board reporting cycle needs a documented, verifiable answer, not an in-progress consultant engagement.

The retention and erasure conflict that NBFCs face under RBI and PMLA mandates sits alongside this. For that dimension, see NBFC DPDP compliance and the Compliance Vault approach to statutory retention versus DPDP erasure.

Get Your Position Scored

The fastest way to know where your institution sits against these consent expectations is to score it. Run the free DPDP Gap Assessment. It returns a compliance score and a report you can take into a Board reporting cycle, mapped to the obligations above. For a documented, examination-ready position, see the NBFC readiness page.