Internal Ombudsman & Grievance Redress

What the RBI Internal Ombudsman Directions, 2026 require, who they apply to, and what RBI has actually penalised banks and NBFCs for under their internal grievance-redress mechanisms, in plain language, linked to the source.

Six entity-class Directions · 14 Jan 2026
Banks · NBFCs · SFBs · PBs · PPIs · CICs
Last reviewed: Jun 2026

At a glance

  • Instrument: IO Directions, 2026 (six entity-class directions)
  • Issued / in force: 14 Jan 2026
  • Replaces: 2023 Master Direction (repealed)
  • Escalation to IO: 20 days (≥10 days where prescribed)
  • Final decision: 30 days (to the complainant)
  • FY25-26 actions here: 3 (banks & NBFCs, illustrative)

What the rule requires

The Internal Ombudsman, in plain terms

An independent, apex-level authority inside a regulated entity that reviews customer complaints the entity has already rejected, before the customer escalates to the RBI Ombudsman.

What it is

A second look, before the regulator's

The Internal Ombudsman (IO) does not take complaints directly from customers. Every complaint that an entity's internal grievance machinery partly or wholly rejects must be auto-escalated to the IO for an independent, reasoned decision, to catch service deficiencies in-house and reduce the volume reaching the RBI Ombudsman. The IO sits at the apex of the grievance-redress mechanism and reports functionally to the Board.

Does this apply to you?

Applicability, by entity class

  • Commercial banks with 10+ banking outlets in India (as on 31 Mar 2025). Excludes SFBs, Payments Banks and Local Area Banks.
  • NBFCs: deposit-taking with 10+ branches; non-deposit-taking with asset size ₹5,000 cr+ and a public customer interface. Excludes HFCs, Core Investment Companies, IDF/Infrastructure Finance NBFCs, and NBFCs under insolvency.
  • Small Finance Banks and Payments Banks, each under their own 2026 Direction (10+ banking outlets).
  • Non-bank PPI issuers with more than 1 crore PPIs outstanding, and all Credit Information Companies, under their own 2026 Directions.
  • Newly cross a threshold? You have six months to put the framework in place.
The single 2023 Master Direction was repealed on 14 Jan 2026 and replaced by these six entity-class Directions. Existing IO appointments continue under the new directions.
Core obligations
Escalation

Board-approved SOP + auto-escalation

A Board-approved SOP and an automated complaints system that auto-escalates every partly/wholly rejected complaint to the IO within 20 days, or ≥10 days before any RBI/NPCI-prescribed deadline.

Turnaround

30-day final decision

The final decision must reach the complainant within 30 days of the entity first receiving the complaint.

Staff awareness

Disseminate across all offices

The entity must widely disseminate the IO guidelines among its staff across all branches and administrative offices when communicating the appointment.

Training

Use complaint analysis in training

Analysis of complaints handled by the IO (patterns, root causes, remedial measures) must feed into staff training and conferences.

Board oversight

Periodic Board reporting

The IO furnishes periodic reports to the Board committee handling customer service and supports its oversight of grievance redress.

RBI returns

Appointment notice & quarterly returns

Notify the IO/Dy-IO appointment to RBI's CEPD within 5 working days, and file the prescribed quarterly returns by the 15th of the month following the quarter.

Certain provisions of the 2026 Directions (clauses 7(2), 14(2) and 14(4)) must be complied with by 30 June 2026.
What RBI has penalised

The pattern across FY25-26

Across both banks and NBFCs, a recurring FY25-26 theme was shortcomings in how internal grievance-redress mechanisms connected to the Internal Ombudsman: complaints not escalated in time, or no system in place to escalate them at all. The actions below are drawn from the FACE compilation of RBI press releases.

Each entry states only the reason cited in the RBI press release. Where a penalty covered more than one issue, the amount shown is the total and is not attributable to any single reason.

NBFC · ICC · 27 Feb 2026
Mahindra & Mahindra Financial Services Ltd
₹11.5 L total penalty (multiple reasons)
Cited reason (IO-related): Did not ensure escalation of certain rejected complaints to the Internal Ombudsman within the prescribed time, and did not communicate the final decision to the complainant within the prescribed time in certain cases.

Bank · Private · 05 Dec 2025
Jammu & Kashmir Bank Ltd
₹99.3 L total penalty (multiple reasons)
Cited reason (IO-related): Certain complaints partly/wholly rejected by the internal grievance mechanism were not escalated to the Internal Ombudsman for a final decision.

NBFC · ICC · 26 Sep 2025
Muthoot FinCorp Ltd
₹2.7 L penalty
Cited reason (IO-related): Did not establish a system of auto-escalation of complaints partly or wholly rejected by the internal grievance redress mechanism to its Internal Ombudsman.

Where the failures actually happen

Understanding the rule is step one.
Operationalising it is where penalties occur.

Most of these aren't comprehension gaps; the obligation was known. The breakdown is downstream: the procedure didn't reach every relevant person, wasn't acknowledged, or wasn't reviewed on cadence. Here's an honest split of what a policy distribution-and-attestation layer like PolicyCentral does and does not address.

PolicyCentral helps here

Distribute · attest · prove

The "did everyone get it, read it, and can you show an auditor" layer around the IO framework.

  • Push the Board-approved IO SOP to every relevant staff member across every branch and administrative office, with read receipts and digital acknowledgement.
  • Distribute complaint-pattern analysis and grievance-handling guidance as trackable training content.
  • Maintain a tamper-evident audit trail of who received, read and acknowledged the SOP and every update, the evidence a supervisory review asks for.
  • Version the SOP and re-push to unread staff with one click when the framework changes.
A different system handles this

What PolicyCentral is not

We're explicit about scope: these are jobs for grievance-workflow and case-management tooling, not a policy platform.

  • The automated complaints-management software that routes and auto-escalates rejected complaints to the IO.
  • Tracking the 30-day final-decision turnaround on individual complaints.
  • The IO's case adjudication and reasoned-decision recording itself.

Being clear about this is the point: sophisticated compliance teams trust a vendor that names its boundaries.

Go deeper
For compliance & risk teams

Get the IO SOP & staff-dissemination checklist

A practical checklist covering what your Board-approved SOP should contain, who across your branch network needs to acknowledge it, and the audit-trail evidence to keep ready for a supervisory review.

For CCOs, HR & InfoSec leaders

See SOP attestation tracked across every branch

PolicyCentral shows you, live and branch-by-branch, exactly who has read and acknowledged each policy and SOP, with a tamper-evident trail you can export for an RBI review. Walk through it on your own data.

PolicyCentral.ai builds policy management software and does not provide legal advice. These are plain-language summaries to help your teams understand what applies to them. Always verify against the original instrument on rbi.org.in and consult your compliance/legal team before acting.