The Reserve Bank of India’s new year regulatory package is landing with more force than most banks anticipated. Three major changes go live today, and if you’re wondering why your relationship manager has been sending panicked emails since December 20th, this is why.

First up is the revised digital lending framework. The days of fintech platforms routing loans through shadow bank partnerships with minimal oversight are done. Every digital lending arrangement now requires explicit customer consent for data sharing, mandatory cooling-off periods for small-ticket loans under ₹50,000, and complete transparency on interest rate calculations. The RBI’s tired of seeing effective APRs hidden behind processing fees and unclear repayment schedules.

What’s interesting here is the 15-day cooling-off period. Borrowers can cancel any digital loan under ₹50,000 within 15 days without penalty if they can prove they didn’t understand the terms. Banks are scrambling to update their loan management systems because the refund process needs to be automated. Manual processing won’t cut it when you’re dealing with thousands of micro-loans daily.

The second change hits account aggregators hard. The framework that was supposed to revolutionise open banking in India is getting stricter consent protocols. Customers now need to re-authenticate data sharing permissions every 90 days instead of the previous annual review. Financial institutions can’t assume ongoing consent anymore.

This matters because account aggregator adoption was finally picking up steam. Small NBFCs were using aggregated bank statement data to assess creditworthiness for borrowers without formal income proof. Now they’ll need to rebuild their customer journeys to handle quarterly re-consent flows. The friction is real.

Third is the risk weight adjustment for unsecured personal loans. The RBI’s increasing risk weights from 100% to 125% for personal loans over ₹15 lakh that aren’t tied to specific assets. Banks need to hold more capital against these exposures, which means either higher interest rates for borrowers or reduced lending in this segment.

The math here is straightforward. If you’re a bank with ₹10,000 crore in high-value personal loans, you now need an additional ₹200 crore in capital to maintain the same capital adequacy ratio. That capital could’ve been deployed elsewhere or returned to shareholders. Expect personal loan rates above ₹15 lakh to creep up by 50-75 basis points over the next quarter.

What’s driving this regulatory tightening is the RBI’s concern about asset quality deterioration. Gross NPAs in the unsecured lending segment touched 2.8% in September 2025, up from 1.9% a year earlier. The central bank is pre-emptively forcing banks to build buffers before this becomes a systemic issue.

For customers, the impact varies. If you’re taking small digital loans, you’ll get better disclosure and protection. If you’re borrowing larger amounts for consumption rather than assets, you’ll pay more. The middle ground is muddled.

Banks are adapting by shifting focus. Several private sector banks are already pivoting toward secured lending products—loan against securities, loan against property, gold loans. These carry lower risk weights and better recovery rates. Some institutions are exploring partnerships with companies like Team400 to build smarter credit assessment models that can identify lower-risk borrowers within the high-ticket personal loan segment, potentially offsetting some of the capital requirement impact.

The digital lending changes will hit fintech lenders harder than traditional banks. Many fintech business models relied on quick disbursals and minimal friction. Adding cooling-off periods and enhanced disclosures slows everything down. Some platforms are considering pivoting away from small-ticket lending entirely, focusing instead on higher-value loans where the regulatory overhead is proportionally smaller.

Account aggregator changes create an interesting dynamic. On one hand, they add friction to user experience. On the other, they might actually increase trust in the system. Indian consumers are rightly cautious about sharing financial data, and knowing that consent expires every 90 days could make more people willing to try account aggregator-based services.

The broader pattern here is the RBI moving from principles-based regulation toward more prescriptive rules. The experiment with light-touch regulation for digital finance didn’t work as hoped. Too many players interpreted “innovation-friendly” as “anything goes.” Now we’re seeing the pendulum swing back.

For anyone working in Indian banking or fintech, January 1st, 2026 isn’t just another day. It’s a reset. Compliance teams are working overtime, product managers are revising roadmaps, and legal departments are updating hundreds of customer-facing documents. The regulatory landscape just shifted, and it’ll take months to see who adapts successfully and who doesn’t.