Published Paper Details:

Digital banking in India has moved from a peripheral channel of service delivery to the centre of banking operations, driven by the Reserve Bank of India's layered regulatory model, the public digital infrastructure created around UPI, Aadhaar and consent-based data sharing, and the growing expectations of customers for frictionless, remote and real-time financial services. At the core of this expansion lies a complex regulatory architecture anchored in the "Reserve Bank of India Act, 1934", the "Banking Regulation Act, 1949", the "Payment and Settlement Systems Act, 2007" and a wide array of master directions, guidelines and FAQs issued by the RBI's supervisory departments, especially for digital lending, payment aggregation, IT outsourcing and KYC. These regulatory instruments, read together with the "Digital Personal Data Protection Act, 2023" that classifies banks as data fiduciaries and with the CERT-In Directions of 28 April 2022 that compel six-hour reporting of cyber incidents, generate a web of concurrent, often overlapping obligations for banks, NBFCs and their fintech partners. Digital onboarding remains a critical risk zone because lenders depend on non-face-to-face identification, assisted V-CIP, Aadhaar-based e-KYC through regulated KUA/Sub-KUA arrangements, and large-scale outsourcing of KYC processing, which heightens exposure to fraud, data breach and impersonation. The RBI's Digital Lending Guidelines of 2 September 2022, the subsequent DLG/FLDG circular of 8 June 2023 and the 2025 tightening on provisioning for fintech-backed guarantees have tried to ring fence balance sheet lending and make credit intermediation traceable, yet frictions persist in loan disbursement flows, in disclosure of annualised cost to borrowers, in segregation of LSP accounts, and in recovery practices that operate on digital channels. Cybersecurity and data governance have acquired sharper contours because the DPDP Act requires purpose limitation, consent logs and breach notification to the Data Protection Board, while CERT-In insists on domestic log storage and rapid incident reporting, and the RBI's 2023 IT Outsourcing Directions insist that supervisory access must survive even multi layered subcontracting. Customer protection sits in the middle of these regimes because customers transact on UPI, cards, wallets and aggregator led checkouts without always dealing directly with a bank, so allocation of liability for failed, delayed or fraudulent transactions must be inferred from RBI's PA directions, NPCI rule books and the BNS/BSA provisions on electronic records and fraud. The enforcement trajectory from 2022 to 2025 shows the RBI becoming more intrusive, extending PA supervision to offline transactions, tightening merchant due diligence, imposing capital and fit-and-proper criteria on non-bank intermediaries, and repeatedly reminding regulated entities that outsourcing of KYC, IT or collections does not outsource responsibility. The reform roadmap therefore lies in clearer statutory anchoring of RBI's digital directions under the PSS Act, harmonising DPDP consent artefacts with the mature AA framework, creating interoperable reporting rails between RBI and CERT-In, and writing sectoral rules that allow proportionate KYC for low value accounts while preserving audit assured traceability for higher risk products.