Before 2018, here is what happened when a bank rejected your complaint. You complained to the bank's customer service department. The same department — or a colleague sitting two desks away — reviewed the rejection and upheld it. You then had two options: escalate to the RBI Ombudsman, or give up. Most people gave up. The RBI's Ombudsman offices, handling complaints from across the country, were overwhelmed. In the financial year 2021-22, the RBI Ombudsman received over 4 lakh complaints. The complaints that could have been resolved by the bank itself — if the bank had a genuinely independent second-level review — were clogging a system designed for cases that banks could not resolve.
The Internal Ombudsman framework was the RBI's solution. When the RBI first introduced the Internal Ombudsman Scheme in 2018 (The Reserve Bank introduces Internal Ombudsman Sch), it applied only to scheduled commercial banks. The Master Direction on Internal Ombudsman for Regulated Entities (RBI_MD_12586), issued December 29, 2023, consolidated and updated the earlier piecemeal schemes into a single framework covering banks, NBFCs, non-bank system participants, and credit information companies. In January 2026, the RBI extended the framework further with the Non-Bank PPI Issuers Internal Ombudsman Directions (RBI_MD_13275), bringing digital wallet providers under the same discipline.
Also in this series:
- How the RBI's Ombudsman Scheme Changed Customer Complaints Forever
- What Fair Practice Actually Means for Borrowers
The Problem the Internal Ombudsman Solves
The design flaw in India's banking complaint resolution system was architectural, not procedural. Banks had grievance redress departments. They had customer service committees. They had nodal officers liaising with the RBI Ombudsman. What they did not have was anyone within the bank who was both independent enough to overrule the customer service department and senior enough to be taken seriously by the business verticals that generated the complaints.
When a loan officer refused a restructuring request, the customer complained. The complaint went to the customer service team. The customer service team checked with the loan department — the same department that made the original decision. Unsurprisingly, the decision was upheld. The complaint was "rejected." The customer either accepted the rejection or filed with the RBI Ombudsman. The bank had performed a review that was structurally incapable of producing a different outcome.
The Internal Ombudsman breaks this loop by inserting an independent authority between the bank's internal grievance process and the RBI Ombudsman. The IO does not handle complaints directly from customers — customers still complain to the bank first. But every complaint that the bank's internal mechanism partly or wholly rejects must be automatically escalated to the Internal Ombudsman for review before the rejection is communicated to the customer.
The Master Direction is explicit about the purpose:
The Internal Ombudsman mechanism has been set up with a view to strengthen the Internal Grievance Redress system of the regulated entities.
The objective is to ensure proper and speedy resolution of customer complaints by enabling a review before their rejection by an apex-level authority within the regulated entity.
Who Must Appoint an Internal Ombudsman?
The 2023 Master Direction applies to four categories of regulated entities.
Banks with 10 or more banking outlets in India must appoint an IO. A "banking outlet" is defined as a fixed-point service delivery unit — manned by either the bank's staff or its business correspondent — where services of acceptance of deposits, encashment of cheques or cash withdrawal, or lending are provided for a minimum of 4 hours per day for at least 5 days per week. The 10-outlet threshold covers virtually all scheduled commercial banks and larger urban cooperative banks while exempting very small entities that could not sustain the cost of a dedicated ombudsman office.
Deposit-taking NBFCs with 10 or more branches must appoint an IO. Non-deposit taking NBFCs must have an asset size of Rs 5,000 crore and above, with public customer interface, to trigger the requirement. The asset size threshold targets the systemically significant NBFCs — the ones handling enough customer transactions to generate a meaningful volume of complaints.
Non-Bank System Participants — payment system operators like wallet providers and payment aggregators — with more than 1 crore prepaid payment instruments outstanding as on March 31, 2023, or thereafter, fall under the framework. Once the threshold is crossed, the requirement continues to apply even if the outstanding PPIs subsequently fall below the threshold. This ratchet mechanism prevents entities from gaming the system by temporarily reducing PPI issuance.
All Credit Information Companies — the four CICs operating in India (CIBIL, Equifax, Experian, CRIF High Mark) — must appoint an IO regardless of size, given the volume of consumer complaints related to credit scores and reports. The NBFC Responsible Business Conduct Directions (RBI_MD_12942) provide the parallel customer protection standards that NBFCs must follow alongside the IO framework.
Any entity reaching these thresholds after the Direction's issuance gets 6 months to establish the IO framework. The RBI can also direct any regulated entity to appoint an IO if satisfied that it is in the public interest to do so.
The Independence Architecture
The most carefully constructed provisions in the Direction deal with independence. An Internal Ombudsman who reports to the people whose decisions are being reviewed is useless. The Master Direction builds independence through multiple reinforcing provisions.
Who can be appointed? The IO must be a retired or serving officer in the rank equivalent to General Manager of another bank, financial sector regulatory body, NBSP, NBFC, or CIC, with minimum 7 years of experience in banking, non-banking finance, regulation, supervision, payment systems, credit information, or consumer protection. The word "another" is critical — the IO cannot be someone who currently works for or previously worked for the appointing entity or its related parties.
Reporting structure. The IO reports administratively to the Competent Authority — the Executive Director in charge of customer service for banks, or the MD/CEO for NBFCs and others. But the IO reports functionally to the Board of the regulated entity. This dual reporting structure ensures the IO has operational support from management (office space, staff, IT systems) but answers to the Board on the substance of decisions.
Tenure protection. The IO's appointment is contractual, with a fixed term of not less than 3 years but not exceeding 5 years. The IO is not eligible for reappointment or extension in the same entity — this prevents the regulated entity from using tenure renewal as leverage. Removal before the contracted term requires explicit approval from the Reserve Bank of India. If a vacancy arises due to death, resignation, or incapacitation, the entity must inform the RBI within 10 working days and appoint a replacement within 3 months.
Emoluments protection. The Customer Service Committee of the Board determines the IO's compensation, which must be appropriate to the stature and position of the IO at the apex of the grievance redress mechanism. Once determined, the emoluments cannot be changed during the IO's tenure, because allowing mid-tenure compensation adjustments would give the regulated entity a lever to reward favourable decisions and punish unfavourable ones.
Separation from nodal officer. The Principal Nodal Officer or Nodal Officer liaising with the RBI Ombudsman's office cannot act as IO or Deputy IO, or vice versa, even during temporary absence. The two roles must remain distinct — one interfaces with the regulator, the other reviews internal decisions.
How the Complaint Flow Works
The operational mechanics are precisely specified. The regulated entity must formulate a Standard Operating Procedure approved by the Board's Customer Service and Protection Committee and establish a fully automated Complaints Management Software. The critical requirement: all complaints that are partly or wholly rejected by the entity's internal grievance redress mechanism must be auto-escalated to the IO within 20 days of receipt. This is not discretionary — the escalation is automatic, built into the software, and not dependent on any human decision to refer the complaint.
The IO and the regulated entity must ensure that the final decision is communicated to the complainant within 30 days from the date of receipt of the complaint by the regulated entity. This 30-day clock starts when the complaint is received, not when it reaches the IO — creating pressure on the entity's internal teams to process complaints quickly enough to leave adequate time for IO review.
The IO must have read-only access to the entity's Complaint Management Software, enabling real-time visibility into all complaints — including those still being processed by the internal mechanism. The IO also gets read-only access to the RBI's own Complaints Management System, enabling tracking of cases forwarded by the RBI Ombudsman, decisions thereon, and appellate authority decisions.
The IO examines complaints based on records available with the regulated entity, documents submitted by the complainant, and comments or clarifications from the entity. The IO can seek additional information from the complainant through the entity. Each case must have a "reasoned decision" on record. Meetings with the entity's functionaries are permitted, and all records and documents sought by the IO must be furnished without undue delay.
The Binding Nature of IO Decisions
The Direction leaves no ambiguity on this point:
The decision of Internal Ombudsman shall be binding on the regulated entity, except in cases where the regulated entity has obtained approval for disagreeing with such decision.
The IO's decision is binding on the regulated entity — with one carefully constructed escape valve. Where the IO overrules the entity's rejection of a complaint, the entity can disagree only with the approval of the Competent Authority (ED for banks, MD/CEO for others). If the entity disagrees, it must communicate this to the complainant within 7 days of receiving the IO's decision, explicitly stating that the IO ruled in the complainant's favour but the entity has disagreed with approval of the Competent Authority.
All such cases — where the entity overrides the IO — must be reviewed quarterly by the Customer Service Committee of the Board or the Board itself. This Board-level review creates accountability: if the entity is routinely overriding its own IO, the Board must confront that pattern. The RBI's Consumer Education and Protection Department may also review these cases when the aggrieved complainant subsequently approaches the RBI Ombudsman, using them to assess the effectiveness of the entity's internal grievance redress mechanism.
Where the IO upholds the entity's rejection, the reply to the complainant must explicitly state that the complaint has been examined by the IO and for the stated reasons the entity's decision has been upheld. Where the complaint is fully or partly rejected even after IO examination, the entity must advise the complainant — as part of the reply — that recourse is available to the RBI Ombudsman, along with complete contact details including the physical address of the Centralised Receipt and Processing Centre in Chandigarh and the URL of the online complaints portal at cms.rbi.org.in.
The 2026 Extension to PPI Issuers
The January 14, 2026 Direction on Non-Bank PPI Issuers (RBI_MD_13275) extends the IO framework to digital wallet providers — PhonePe, Paytm, Amazon Pay, and other non-bank prepaid payment instrument issuers with more than 1 crore PPIs outstanding as on March 31, 2025, or thereafter.
The 2025 press release announcing the extension (RBI issues Reserve Bank of India (Internal Ombudsm) confirmed the RBI's intent to bring all significant consumer-facing entities under the IO framework. The need was obvious. Digital wallets generate millions of customer complaints — failed transactions, delayed refunds, unauthorised debits, KYC-related account freezes — but had no structured internal review mechanism before the complainant could approach the RBI Ombudsman. The volume of digital payment complaints filed with the RBI Ombudsman had been rising year-on-year, driven by the explosive growth in UPI and wallet transactions.
The 2026 Direction mirrors the 2023 framework structurally but adapts it to PPI issuers. The IO must be a retired or serving officer equivalent to a General Manager rank in a regulated entity under the IO framework or a financial sector regulatory body, with minimum 7 years of experience. The IO must not have been previously or presently employed by the PPI issuer or its holding, associate, or subsidiary companies.
A notable provision: a person may work as IO in more than one regulated entity simultaneously, at the discretion of the entities concerned and with Board approval. This acknowledges that the pool of qualified candidates with 7+ years of financial sector experience at the GM level is limited, and smaller PPI issuers may not individually generate enough complaint volume to require a full-time dedicated IO.
The tenure provisions are stricter than the 2023 framework in one respect: the total tenure (including extension or reappointment) cannot exceed 5 years. The minimum is 3 years. To avoid vacancies, the PPI issuer must begin the recruitment process at least 3 months before the incumbent's term expires and ensure a reasonable overlap between outgoing and incoming IOs.
The Board of the PPI issuer must determine at least once a year the number of IOs and Deputy IOs needed, with due regard to volume and complexity of complaints, ensuring the IO gets sufficient time to apply principles of fairness, equity, and natural justice. This annual review requirement prevents the appointment from becoming a static checkbox — as complaint volumes change, the IO capacity must adjust.
What the IO Cannot Do
The framework is carefully bounded. The IO does not handle complaints received directly from customers or the public — only those already examined and rejected by the entity's internal mechanism. This preserves the first-level grievance process and prevents the IO from becoming a parallel complaints department.
Specific categories are excluded: complaints related to corporate frauds or misappropriation (except where they result from deficiency in service), references that are essentially suggestions or challenge commercial decisions of the entity (though service deficiencies in commercially-decided cases remain valid), complaints relating to internal administration, HR, or staff pay, and complaints already pending in courts, consumer forums, or other dispute resolution fora.
However, the Direction contains a subtle provision: the regulated entity must forward all rejected or partially rejected complaints under the first two exclusion categories to the IO. The IO must examine them for inherent deficiency in service and decide independently whether the exclusion genuinely applies. The entity cannot unilaterally classify a complaint as "commercial decision" and bypass the IO — the IO makes that determination.
The IO cannot represent the regulated entity in legal proceedings before any court, forum, or authority. This restriction exists because any legal advocacy role would compromise the IO's neutrality — they are a reviewer of the entity's decisions, not its advocate.
Supervisory and Regulatory Oversight
The RBI does not simply create the IO framework and walk away. Customer service and grievance redress implementation, including compliance with the IO Direction, is part of the risk assessment and supervisory review undertaken by the Department of Supervision for banks, NBFCs, and CICs, and by the Department of Payment and Settlement Systems for NBSPs and PPI issuers.
The broader customer protection architecture — including the Responsible Business Conduct Directions for commercial banks (RBI_MD_13140) — reinforces the IO framework by mandating fair treatment standards that the IO can reference when reviewing complaints. The regulated entity must conduct an internal audit of IO implementation annually. The audit scope covers adequacy of infrastructure provided to the IO office, implementation of auto-escalation within 20 days, the IO's actions regarding complaint analysis, reports submitted to the RBI and the Board, and adherence to all prescribed timelines. Critically, the audit scope excludes assessment of the correctness of the IO's decisions — preserving decisional independence from the entity's own audit function.
Quarterly and annual reporting to the RBI's Consumer Education and Protection Department is mandatory. The reports, due by the 10th day of the month following the reporting period, capture complaint volumes, resolution patterns, IO decisions, and cases where the entity disagreed with the IO. Within 5 working days of appointing a new IO or Deputy IO, the entity must furnish their details — name, last positions held, date of appointment, term, professional profile, and contact details — to the RBI.
The Design Logic: Reducing Load Without Reducing Protection
The IO framework operates on a specific theory of complaint resolution: most complaints that reach the RBI Ombudsman should never have gotten there. They represent failures of internal review — cases where the bank's own grievance mechanism performed a superficial or conflicted review and rejected a complaint that a genuinely independent reviewer would have upheld.
By mandating an independent, senior-level review within the entity before the customer can escalate to the RBI, the framework creates a filter that should resolve a significant percentage of cases at the institutional level. For the customer, the protection is enhanced — they get an independent review without having to file an external complaint. For the RBI Ombudsman, the workload should decrease as banks begin resolving more complaints internally. For the bank itself, the IO generates data — complaint patterns, product-wise and geography-wise analysis, root cause identification — that can drive systemic improvements rather than case-by-case fire-fighting.
The extension to PPI issuers in 2026 signals the RBI's intention to apply this framework to every entity type that handles significant consumer volumes. The 1-crore PPI threshold captures the large wallet providers; as digital payment penetration continues growing, more entities will cross the threshold and come under the IO framework.
The progression from the 2018 Internal Ombudsman Scheme for banks, to the 2019 extension to NBSPs, to the 2021 extension to NBFCs, to the 2022 CIC Direction, to the 2023 consolidated Master Direction, to the 2026 PPI Direction, reflects a regulatory pattern: the RBI introduces a mechanism for the most prominent entity type, observes its effect, refines it, and progressively extends it to every category of regulated entity that deals with the public. The Internal Ombudsman is no longer an experiment. It is a permanent feature of India's financial consumer protection architecture.