RBI explores safeguards in digital payments to curb frauds
RBI’s discussion paper on digital payment frauds
The Reserve Bank of India (RBI) has released a discussion paper inviting stakeholder comments on proposed measures to curb digital payments fraud by May 8, 2026.
India’s digital payments ecosystem has expanded exponentially, with transaction volumes rising nearly 38-fold over the past decade. However, this growth has been accompanied by a sharp rise in fraud, particularly Authorised Push Payment (APP) fraud, in which users themselves initiate transactions under deception. Reported cases have surged from 2.6 lakh in 2021 to 28 lakh in 2025, involving approximately INR 22,931 crore. Unlike system breaches, APP frauds rely on social engineering, impersonation, and psychological manipulation, making them difficult to detect and nearly impossible to reverse in real-time payment systems such as Unified Payments Interface (UPI), Immediate Payment Service (IMPS), National Electronic Funds Transfer (NEFT), and Real-Time Gross Settlement (RTGS).
Against this backdrop, as post-transaction remedies remain limited, the RBI is exploring regulatory interventions that deliberately introduce friction into an otherwise instantaneous payments ecosystem. Accordingly, the RBI’s regulatory approach is pivoting towards:
- Pre-transaction intervention, by creating time buffers for user reconsideration.
- Risk-based authentication, particularly for high-value or high-risk transactions.
- User empowerment, through configurable controls and safeguards.
Key proposed safeguards
- ‘Lagged’ credit for high-value transactions: The RBI proposes a mandatory one-hour delay for APP transactions above INR 10,000, applied at the payer’s end. During this window, customers may cancel transactions, and banks may flag suspicious activity. The objective is to introduce a ‘cooling-off’ period that relieves the psychological pressure exerted by fraudsters and enables intervention at the critical early stage of fraud.
- ‘Trusted person’ authentication for vulnerable users: For individuals aged 70+ and persons with disabilities, an additional authentication layer is proposed for transactions above INR 50,000. A designated ‘trusted person’ would act as a secondary approver, mitigating risks arising from coercion or impersonation-based fraud, which disproportionately affect vulnerable segments.
- Restricting credits to low-verification accounts: To curb the use of mule accounts in fraud chains, the RBI proposes capping annual credit limits (indicatively INR 25 lakh) for accounts that lack enhanced due diligence. Credits exceeding this threshold would be treated as ‘shadow funds’ until verified. This aims to strengthen KYC-linked monitoring and disrupt fund layering mechanisms commonly used in fraud schemes.
- Customer-controlled safeguards: The RBI also proposes allowing customers to enable or disable specific payment channels, set transaction limits, and activate a ‘kill switch’ that blocks all digital transactions on the account instantly.
The discussion paper recognises the importance of introducing strategic friction in a frictionless digital economy, marking a notable shift in policy from ensuring secure systems to addressing behavioural vulnerabilities. However, the proposals also raise critical implementation and policy questions, particularly around user convenience, system costs, and the potential dilution of the core principle of instant payments. The challenge for regulators will lie in calibrating these safeguards to ensure that security enhancements do not undermine the efficiency and accessibility that have driven India’s success in digital payments.
The Corporate Laws (Amendment) Bill, 2026
A modernised framework for corporate regulation
Based on the recommendations of the Company Law Committee Report, 2022 and subsequent regulatory consultations, the Corporate Laws (Amendment) Bill, 2026 (Bill) has been introduced to amend the Companies Act, 2013 and the Limited Liability Partnership (LLP) Act, 2008.
Key changes
- Expansion of the definition of a ‘small company’: Enhanced upper limits for the thresholds for paid-up capital (INR 10 crore to 20 crore) and turnover (INR 100 crore to 200 crore), extending the benefit of reduced compliance requirements to a larger base of companies.
- Relaxation of compliance requirements: Measures such as reduced additional filing fees, extended timelines for charge registration, simplified board meeting requirements, and event-based disclosure of director interests aim to lower compliance burden.
- Recognition of modern compensation instruments: Statutory recognition of share-linked instruments such as Stock Appreciation Rights (SARs) and Restricted Stock Units (RSUs), aligning company law with contemporary compensation practices.
- Liberalisation of buy-back framework: Flexibility to undertake up to two buy-backs in a financial year, potential increase in permissible limits for specified classes, and removal of affidavit requirements for solvency declarations.
- Rationalisation of Corporate Social Responsibility (CSR) framework: Increase in the net profit threshold (INR 5 crore to 10 crore) for CSR applicability, extension of timelines for transfer of unspent CSR funds, higher threshold for CSR committee constitution, and enabling exemptions for prescribed classes.
- Strengthening of audit and governance framework: Enhanced board disclosures regarding auditor observations and audit committee decisions, along with tighter restrictions on auditors providing non-audit services, including post-tenure cooling-off requirements.
- Expansion and empowerment of National Financial Reporting Authority (NFRA): Transformation of NFRA into a more robust regulator with rule-making powers, enhanced enforcement authority, mandatory auditor reporting, and limited scope for judicial intervention in its proceedings.
- Enhanced director accountability: Introduction of continuous independence requirements for independent directors, ‘fit and proper’ criteria, expanded disqualification grounds, and restrictions on board appointments where shareholders have rejected candidates.
- Digitalisation of corporate processes: Formal recognition of virtual and hybrid Annual General Meetings (AGMs) / Extraordinary General Meetings (EGMs), mandatory periodic physical AGMs, and wider adoption of electronic communication as a valid mode of service, enhancing accessibility and operational efficiency.
- Facilitation of faster exits: Expanded eligibility for strike-off, shift of restoration jurisdiction to Regional Directors, and streamlined liquidation processes.
- Streamlining of mergers and restructuring: The introduction of single National Company Law Tribunal (NCLT) bench jurisdiction for schemes, reduced approval thresholds for fast-track mergers, and the removal of certain procedural filings in demergers are poised to significantly reduce transaction timelines and regulatory bottlenecks.
- Trust-based regulatory approach: Replacement of notarised affidavits with self-declarations, reduced dependence on mandatory professional certification, and mandatory dormancy requirements for inactive companies.
- Extension of valuation framework: Applicability of valuation provisions to LLPs and centralisation of valuation oversight under a specialised regulatory authority.
- Decriminalisation and enforcement reforms: Reclassification of several offences as civil penalties, introduction of adjudication and settlement mechanisms, structured penalty recovery framework, and revised thresholds for fraud-related offences.
- International Financial Services Centre (IFSC)-related reforms: Permission for companies and LLPs in IFSCs to maintain capital and financial records in foreign currency, enhancing cross-border competitiveness.
The Bill reflects a deliberate shift towards a more facilitative and modern corporate law framework, balancing ease of doing business with strengthened governance standards. While the Bill introduces several progressive reforms, certain areas warrant closer consideration:
- Several provisions in the Bill are enabling in nature and depend on future rule-making, which introduces a degree of uncertainty regarding their eventual implementation.
- The expanded powers of regulatory authorities such as NFRA and the Central Government, particularly in relation to rule-making and enforcement, may require careful calibration to avoid interpretational inconsistencies.
- Further clarity may also be needed on the practical application of new concepts such as ‘fit and proper’ criteria for directors and the scope of exemptions under the CSR framework.
- Although decriminalisation is a positive step, the effectiveness of the revised enforcement regime will depend on the robustness of adjudication mechanisms and the adequacy of monetary penalties in ensuring compliance.
Insolvency and Bankruptcy Code (Amendment) Act, 2026
Insolvency framework reset for speed and efficiency
The Insolvency and Bankruptcy Code (Amendment) Act, 2026 (Amendment) comprehensively recalibrates the insolvency framework, seeking to address the structural challenges, particularly delays in resolution, value erosion of distressed assets, and increasing burden on adjudicatory forums that have impacted the Corporate Insolvency Resolution Process (CIRP).
Key amendments
- Creditor-Initiated Insolvency Resolution Process (CIIRP)
- CIIRP under Chapter IV-A enables a financial creditor (from a notified class) to trigger CIIRP after a default, with 51% approval of that creditor class without approaching the Adjudicating Authority.
- The corporate debtor gets 30 days to respond before the resolution professional is appointed. The process must be completed within 150 days, extendable by 45 days with 66% approval of the Committee of Creditors (CoC).
- This marks a shift towards a debtor-in-possession model and is expected to significantly reduce delays at the admission stage.
- Cross-border insolvency: The insertion of Section 240C empowers the Central Government to notify a cross-border insolvency framework, facilitating cooperation with foreign jurisdictions and enabling recovery of overseas assets.
- Codification of the ‘clean slate’ principle: The Amendment introduces Sections 31(5) and 31(6) to clarify that, upon approval of a resolution plan, all claims against the corporate debtor stand extinguished unless specifically preserved in the plan. Importantly, this does not impact rights against promoters or guarantors, thereby balancing finality with accountability.
- Flexibility in plan implementation: Amendments to Section 31(1) allow phased approval of the resolution plan, wherein the manner of distribution may be approved within 30 days of the approval of the implementation of the plan. This is aimed at expediting execution and preventing value erosion.
- Pre-packaged insolvency: The approval threshold for initiating pre-packaged insolvency under Sections 54A(2)(e) and 54A(3) has been reduced from 66% to 51%, improving accessibility.
- Appeal timelines: Additionally, Section 61(6) mandates that the National Company Law Appellate Tribunal (NCLAT) dispose of appeals within 3 months, reinforcing a time-bound framework.
- Streamlined liquidation and exit mechanisms: Section 54(2A) enables the direct dissolution of a corporate debtor without full liquidation. Additionally, Section 59(5A) permits the withdrawal of voluntary liquidation proceedings, subject to certain conditions.
- Integration of guarantor assets
- Section 28A now enables creditors to transfer assets of personal or corporate guarantors already under their possession, as part of the corporate debtor’s resolution plan, with prior approval of the CoC.
- Where the guarantor is undergoing insolvency or liquidation, additional approvals are required, and the proceeds form part of the guarantor’s estate.
- Such transfers grant the buyer full ownership rights, and the proceeds are adjusted against the guarantor’s debt, with any surplus payable to the guarantor.
- Reinstatement mechanisms
- The insertion of Section 33(1A) allows the revival of CIRP upon the failure of a resolution plan or the expiry of timelines, providing an additional 120-day window.
- Further, amendments to Section 33(4) permit reinstatement of CIRP in cases of contravention of an approved plan.
- Moratorium and withdrawal framework: The amendments to Section 33 extend moratorium protections into liquidation, while changes to Section 12A allow withdrawal of CIRP applications (under Sections 7, 9, or 10) only with 90% CoC approval – it cannot be done before the CoC constitution or after the first invitation for resolution plans is issued.
- Group insolvency: The Central Government can introduce a framework for group insolvency, applicable where multiple corporate debtors within the same group undergo insolvency proceedings, including aspects of procedural coordination, a common NCLT bench, coordinated CoC, and even a common insolvency professional.
Refinement of the Minimum Public Shareholding framework
Securities Contracts (Regulation) Amendment Rules, 2026
The Securities Contracts (Regulation) Act, 1957 (SCRA) is the fundamental statute governing the listing and trading of securities on recognised stock exchanges in India, primarily through the Securities Contracts (Regulation) Rules, 1957 (SCRR), which prescribe the operational mechanics of listing, including the conditions under which securities may be offered to and held by the public.
Historically, Rule 19(2)(b) of the SCRR mandated that an applicant seeking listing of its securities on a recognised stock exchange must offer and allot at least 25% of each class or kind of securities to the public through an offer document.
On March 13, 2026, the Ministry of Finance, Department of Economic Affairs, issued the Securities Contracts (Regulation) Amendment Rules, 2026, amending Rule 19(2)(b) of the SCRR. This notification introduces a scale-based framework for Minimum Public Offer (MPO) requirements during Initial Public Offerings (IPOs), and extends timelines for achieving the statutory 25% Minimum Public Shareholding (MPS), specifically targeting large issuers to ease compliance burdens while ensuring retail investor liquidity.
Key changes
- Revised MPO thresholds across post-issue capital slabs
| Post-issue capital (INR) | MPO | MPS compliance timeline / notes |
|---|---|---|
| Up to 1,600 crore | At least 25% | The MPS threshold for companies seeking listing within an International Financial Services Centre (IFSC) has been reduced from 25% to 10% |
| Greater than 1,600 crore, up to 4,000 crore | Equivalent to INR 400 crore | Must reach 25% MPS within 3 years |
| Greater than 4,000 crore, up to 50,000 crore | At least 10% | Must reach 25% MPS within 3 years |
| Greater than 50,000 crore, up to 1,00,000 crore | INR 1,000 crore plus 8% of the total issue | Must reach 25% MPS within 5 years |
| Greater than 1,00,000 crore, up to 5,00,000 crore | INR 6,250 crore plus 2.75% of the total issue | If less than 15% at listing: 15% in 5 years and 25% in 10 years; if 15% or more: 25% in 5 years |
| Greater than 5,00,000 crore | INR 15,000 crore plus 1% of the total issue | Total MPS should be at least 2.5% at the time of IPO. If less than 15% at listing: 15% in 5 years and 25% in 10 years; if 15% or more: 25% in 5 years |
- These timelines extend to all companies listed before the Rules’ commencement.
- Stock exchanges retain the authority to impose fines or penalties for pre-commencement non-compliance.
- Companies with outstanding Superior Voting Rights (SVR) shares must list those shares simultaneously alongside the ordinary equity shares being offered to the public in the IPO. This is consistent with the framework for differential voting rights under the Securities and Exchange Board of India (Issue of Capital and Disclosure Requirements) Regulations and prevents a structurally fractured listing that could disadvantage public investors.
- For companies seeking listing on IFSCs, an MPO of 10% will apply irrespective of the post-issue share capital of such a company, reflecting the wholesale nature of IFSC markets and their distinct investor profile.
The amendment represents a carefully calibrated overhaul of India's IPO architecture under Rule 19(2)(b) of the SCRR. The 6-tier framework preserves the 25% MPS as a non-negotiable long-run target while intelligently gradating the initial dilution obligation and MPS compliance timeline according to issuer size, ensuring that the regulatory framework is as fit for an INR 500 crore SME as it is for an INR 10 lakh crore enterprise seeking to access the public markets.
Classification of dues in liquidation v. CIRP
Distinguishing insolvency costs from liquidation expenses
The National Company Law Tribunal, Mumbai Bench, recently held that maintenance dues and property tax accruing during liquidation, even in respect of assets attached by enforcement authorities, may qualify as liquidation costs under the Insolvency and Bankruptcy Code, 2016 (Code), provided such expenses are necessary for preserving and protecting the liquidation estate. However, dues arising during the Corporate Insolvency Resolution Process (CIRP) cannot be retrospectively classified as insolvency resolution process costs unless they satisfy statutory requirements, including approval by the Committee of Creditors.[1]
Kohinoor City Office Towers Industrial Estate & Premises Co-operative Society Ltd, a cooperative society managing the premises in which the corporate debtor owned certain commercial units, filed an application seeking priority payment of outstanding maintenance dues and property tax. The corporate debtor’s assets had been attached by the Enforcement Directorate (ED) under the Prevention of Money Laundering Act, 2002, prior to insolvency proceedings and were later released to the liquidator.
The applicant had initially filed claims for maintenance dues, a portion of which was admitted by the liquidator as operational debt. Subsequently, it contended that dues arising during the CIRP period were wrongly classified and ought to be treated as CIRP costs, and further, dues accruing during the ED attachment period should be treated as liquidation costs payable in priority.
The Tribunal partly allowed the application. On the issue of CIRP costs, it held that merely because dues arise during the CIRP period does not automatically qualify them as such costs. Under Section 5(13) of the Code read with Regulation 31 of the Insolvency and Bankruptcy Board of India (IBBI) (Insolvency Resolution Process for Corporate Persons) Regulations, 2016, such costs must be directly related to the insolvency process and approved by the Committee of Creditors. In the absence of such approval, and given that the applicant had not raised the claim during CIRP, the dues could not be reclassified.
However, the Tribunal took a different view regarding liquidation costs. It held that maintenance charges and property taxes are essential for preserving the value and marketability of assets forming part of the liquidation estate. Non-payment could impair asset value and hinder realisation, thereby prejudicing stakeholders. Accordingly, such expenses fall within the ambit of liquidation cost under Regulation 2(1)(ea) of the IBBI (Liquidation Process) Regulations, 2016, which includes costs incurred for preserving and protecting assets.
Importantly, the Tribunal clarified that attachment under the Prevention of Money Laundering Act does not divest ownership of the property; it merely restricts its transfer. Since the properties were not confiscated, they continued to vest in the corporate debtor and formed part of the liquidation estate. Consequently, the liquidator remained responsible for their preservation, including payment of necessary dues.
The decision underscores the distinction between the mechanism for classification as CIRP costs and liquidation costs, reiterating that Committee of Creditors’ approval is essential for the former, while the latter is guided by the necessity of preserving the liquidation estate. It also clarifies that statutory attachments do not absolve the liquidator of obligations toward asset maintenance, reinforcing the overarching objective of value maximisation under the Code.
SEBI mandates sharper disclosures for a more informed IPO market
SEBI (Issue of Capital and Disclosure Requirements) (Amendment) Regulations, 2026
The Securities and Exchange Board of India (SEBI) has amended the Issue of Capital and Disclosure Requirements Regulations, 2018 (ICDR Regulations), to streamline the disclosure framework governing public issues for investors (Amendment). Under the pre-Amendment position, while an abridged prospectus was required to be filed at the Red Herring Prospectus (RHP) stage, there was no corresponding obligation to file a draft abridged prospectus at the time of filing the draft offer document with SEBI, nor was any standardised format prescribed for the document's content beyond the Schedule VI template that existed at the time. The Amendment addresses both these gaps.
Key changes
- Flexibility in lock-in requirements: The existing Regulation 17 of the ICDR Regulations mandated a 6-month lock-in on the entire pre-issue share capital held by non-promoter shareholders (other than those specifically exempt) in a company undertaking an IPO, calculated from the date of allotment. Under the amendment, in situations where such a lock-in cannot be imposed on pre-issue share capital, the concerned shares may instead be marked as ‘non-transferable’ by the depositories upon instructions from the issuer. This shifts the compliance obligation from a paper-based ‘lock-in undertaking’ to a system-level restriction within the depository, making it harder to circumvent and easier to audit, while accommodating the operational realities of modern electronic markets.
- Abridged prospectus: To improve accessibility of information for prospective investors, issuers are now mandated to file the draft abridged prospectus alongside the draft offer document at the Draft RHP (DRHP) stage under Regulations 25(2), 26(1) and 59C (9A) of the ICDR Regulations, in addition to the pre-existing requirement of filing the abridged prospectus alongside the offer document at the RHP stage. Additionally, both the draft and final abridged prospectus must be made available on the issuer’s website alongside the corresponding offer documents. Secondly, the issuer is now required to ensure that the application form includes a QR code providing access to the RHP, abridged prospectus, and the price band advertisement.
- Disclosures to make under the offer document: SEBI has amended Schedule VI of the ICDR Regulations and has revised the disclosures that are to be made under the offer document. The 'Offer Document Summary', previously required as a disclosure under Clause 4 of Part A of Schedule VI of the offer document, has been omitted. In its place, the issuer is now required to provide, under Part 6, a summary of contingent liabilities and related party transactions.
The primary benefit of this is the reduction of information barriers for retail investors. In India, a full prospectus typically runs to 400-600 pages, and the word limits imposed on the abridged document require issuers to focus on the most important information. For instance, under Schedule VI, Annexure 1, the ‘Summary of the Primary Business’ is limited to 500 words, the ‘Summary of the industry’ to 250 words, and the details regarding ‘Promoters’ and ‘Objects of issue’ to 100 words each.
Third-party asset protection in insolvency resolution
Manoj Chandrakant Jagirdar v. Sanghvi Land Developers Pvt Ltd
The National Company Law Tribunal, Mumbai Bench, recently held that a liquidator cannot assume control over or include a property in the liquidation estate merely because it is reflected in the records of the corporate debtor, where credible material indicates that the asset may belong to a third party. In such cases, the Tribunal may protect possession pending adjudication of title by a competent forum, while limiting the liquidator’s powers to assets demonstrably owned by the corporate debtor.[2]
Manoj Chandrakant Jagirdar, claiming ownership of a commercial unit in a redevelopment project undertaken by Sanghvi Land Developers Pvt Ltd, filed an application seeking exclusion of the said shop from the liquidation estate and challenging an eviction notice issued by the liquidator. The applicant relied on a development agreement, a memorandum of understanding, and allotment and possession letters to assert that the unit had been allotted to him in partial discharge of the developer’s obligations.
The Tribunal partly allowed the application. It observed that while a registered conveyance was absent, the applicant’s entitlement flowed from a registered development agreement under which the corporate debtor was obligated to allot commercial area to the applicant. The memorandum of understanding, read with the allotment and possession letters, evidenced that a specific unit had been allotted and handed over to the applicant in partial fulfilment of that obligation.
Significantly, the Tribunal held that entries in society records or maintenance bills are not conclusive proof of ownership. Such records may reflect administrative convenience rather than legal title. In contrast, rights flowing from a registered development agreement, supported by contemporaneous allotment and possession documents, carry evidentiary weight.
The Tribunal emphasised that the Code does not permit taking control of third-party assets merely because they are in the possession of, or recorded in the name of, the corporate debtor. At the same time, the Tribunal refrained from conclusively determining title to the property, noting that disputes relating to ownership and competing claims, including pending litigation before the Small Causes Court, must be adjudicated by a competent forum.
New electricity rules tighten ownership, consumption, and compliance norms
Electricity (Amendment) Rules, 2026
In a significant policy move aimed at enhancing ease of doing business and ensuring regulatory clarity, the Ministry of Power has amended the Electricity Rules to strengthen the captive power framework in India. These amendments address long-standing ambiguities surrounding ownership, consumption thresholds, and compliance requirements for Captive Generating Plants (CGPs), while also seeking to streamline dispute resolution and enforcement.
A central feature of the amendment is the clarification of eligibility criteria for captive users. The revised Rules reaffirm that captive users must collectively hold a minimum of 26% ownership and consume at least 51% of the electricity generated on an annual basis. By tightening definitional clarity, the Government aims to curb the misuse of captive status by entities that previously structured arrangements to bypass open access charges.
Importantly, the amendments introduce a stricter requirement that electricity consumption must be proportionate to ownership share. This seeks to eliminate artificial arrangements where entities with minimal ownership claimed disproportionate consumption benefits, thereby distorting the intent of captive power provisions.
The revised framework also attempts to harmonise interpretation across states. Historically, inconsistent regulatory approaches by State Electricity Regulatory Commissions (SERCs) led to uncertainty and litigation. The new Rules provide a more standardised compliance structure, reducing scope for divergent interpretations.
To further enhance regulatory certainty, the amendments empower authorities to verify compliance and adjudicate disputes more efficiently. This is expected to reduce prolonged litigation and ensure the timely enforcement of captive status norms.
Key changes
- Ownership clarified: Ownership rules now explicitly include group structures. This ensures companies using modern corporate setups or Special Purpose Vehicles (SPVs) can still qualify as captive generators.
- Standard verification period: Captive status will be checked over the full financial year. For the first or last year of operation, verification applies only to the relevant portion.
- Verification authorities introduced
- States/UTs may appoint nodal agencies for intra-state verification.
- Inter-state cases will be handled by the National Load Despatch Centre (NLDC).
- A grievance redressal mechanism will handle disputes.
- Flexibility for Association of Persons (AoP) (group captive) projects
- Users can draw power based on actual needs.
- Excess consumption by one user won’t disqualify the plant, but it won’t count as that user’s captive use (it still counts toward group totals).
- Users with at least 26% ownership can count all their consumption as captive.
- Group companies are treated as a single entity for consumption calculations.
- Surcharge treatment – Cross-Subsidy Surcharge (CSS) and Additional Surcharge (AS)
- No surcharge applies during verification if proper declarations are submitted.
- If the plant later fails captive criteria, surcharges must be paid with interest (carrying cost).
- Implementation timeline
- Key provisions (AoP rules, verification system, surcharge treatment) start from April 1, 2026.
- Other changes take effect immediately.
Compliance and strategic implications
- Businesses relying on captive power structures must reassess ownership and consumption models.
- Group captive arrangements, in particular, will face closer scrutiny.
- Non-compliance may result in loss of captive status and exposure to additional charges.
The amendments mark a decisive step toward plugging regulatory gaps in India’s captive power ecosystem. They are likely to strengthen investor confidence by ensuring a transparent and predictable regulatory regime. For stakeholders, the focus must now shift to recalibrating operational structures to align with the revised legal framework, while leveraging the greater certainty that these reforms aim to provide.
RBI outlines a lifecycle approach for safeguarding customer data
RBI’s Advisory on best practices relating to customer data protection
Based on a 2025 thematic study on the security of customer data within financial systems across multiple categories of supervised entities, the Reserve Bank of India (RBI) has issued an Advisory on best practices for customer data protection applicable to regulated entities.
The Advisory does not introduce binding requirements but consolidates observed industry practices into a structured framework intended to strengthen data protection controls. It is positioned as illustrative guidance that entities may adopt in line with their risk profile, business model, and operational environment.
Key changes
- Governance and oversight mechanisms: Emphasis on formalised governance structures, including board-level oversight, periodic policy review, and clearly defined accountability across business, technology, and compliance functions.
- Data classification and consent management: Implementation of automated data classification systems and centralised mechanisms to capture, manage, and audit customer consent across channels.
- Comprehensive data inventory and mapping: Requirement for systematic identification, classification, and mapping of customer data across on-premise systems, cloud infrastructure, and third-party environments.
- Enhanced data security controls: Adoption of strong encryption standards, secure key management systems, and multi-layered data leakage prevention solutions to protect sensitive information.
- Access management and endpoint security: Strengthening of remote access protocols, deployment of endpoint and mobile device controls, and implementation of real-time access monitoring and alert systems.
- Third-party risk management framework: Detailed due diligence requirements for vendors, contractual safeguards, continuous monitoring of third-party access to data, and mandatory reporting of data breaches.
- Incident response and recovery protocols: Establishment of structured frameworks for incident detection, escalation, response, and recovery, supported by periodic simulation exercises and defined communication strategies.
- Data retention and destruction practices: Standardisation of data retention policies, periodic review of stored data, and implementation of secure deletion and destruction processes with traceable audit trails.
- Customer grievance and transparency mechanisms: Strengthening of complaint tracking systems, multi-channel grievance redressal frameworks, and enhanced customer communication regarding data-related issues.
- Audit and testing requirements: Expansion of audit scope to include customer data protection controls, vulnerability assessments, penetration testing, and centralised logging mechanisms.
- Emerging technology risk management: Governance frameworks for the use of Application Programming Interfaces (APIs), artificial intelligence, and digital platforms, coupled with continuous monitoring and risk mitigation measures.
- Cloud security framework: Establishment of cloud-specific security baselines, improved visibility into cloud environments, and clarity on shared responsibilities between entities and service providers.
- Continuous monitoring and real-time oversight: Deployment of integrated monitoring systems and 24x7 surveillance mechanisms to detect and respond to data-related threats.
The Advisory establishes a unified reference for customer data protection by bringing together governance, security, and operational expectations into a cohesive framework. Its lifecycle-based approach – from data collection and classification through retention and disposal – supports stronger resilience against breaches while reinforcing transparency, communication, and grievance mechanisms that help build customer trust. It also signals a broader regulatory shift toward proactive, risk-oriented oversight, with an emphasis on continuous monitoring and robust internal controls.
At the same time, its principles-based nature, while flexible, may lead to varying interpretations across institutions and pose implementation challenges, especially for smaller entities with limited resources. The lack of phased guidance or prioritisation could further complicate adoption, particularly where advanced technological capabilities are implied. Additional clarity may be needed on alignment with existing RBI requirements and upcoming data protection laws, including areas like outsourcing, cloud usage, and cross-border data handling. Despite being non-binding, the Advisory is likely to shape future supervisory expectations, making early alignment a prudent step for regulated entities.
Footnotes:
[1] Kohinoor City Office Towers Industrial Estate & Premises Co-op Society Ltd v. Santanu T Ray, C.P (IB) No. 2096 of 2019 (NCLT, Mumbai)
[2] CP(IB) No. 7 of 2023 (NCLT, Mumbai)