NATIONAL 

1. Supreme Court recognises ‘Right to Digital Access’ as Fundamental Right[1]

In Pragya Prasun & Ors. v. Union of India & Ors. the Supreme Court held that inaccessible digital KYC systems violate the right to life under Article 21 of the Constitution of India and the regulations for persons with disabilities. In this matter, petitioner being persons with disabilities, were unable to complete mandatory KYC due to biometric and visual-based verification systems that excluded them from accessing essential services such as banking and telecommunications. The apex Court ruled that digital access is now integral to the right to dignity and autonomy and that failure to ensure accessibility constitutes exclusion and discrimination. It stressed the duty of public and private entities to provide ‘reasonable accommodation’ under the RPwD Act and comply with accessibility standards under the Web Content Accessibility Guidelines and the Guidelines for Indian Government Websites.

The Court issued detailed directions to ensure digital KYC is made inclusive. These include appointing nodal officers for accessibility compliance, conducting periodic accessibility audits, accepting thumb impressions and alternatives to blinking for live verification, enabling paper-based KYC as an alternative, capturing disability data in customer records, and ensuring all websites and applications comply with national accessibility standards. To give effect, RBI is directed to amend the Master Directions – KYC Directions, 2016 to incorporate inclusive verification methods, promote awareness, and ensure KYC interoperability through the Central KYC Registry. It also called for establishing accessible grievance redressal systems, helplines, and human-led review of rejected KYC applications. Disability sensitisation training for staff was made mandatory, along with strict compliance monitoring by the RBI.

2. SEBI to include ‘Persons with Disability’ under KYC Purview[2]

On May 23, 2025, following the judgement of Supreme Court as mentioned above, SEBI issued circular on Accessibility and Inclusiveness of Digital KYC to Persons with Disabilities (“Circular”), directing all registered intermediaries, stock exchanges, association of mutual fund, portfolio managers and Bombay Stock Exchange administration to ensure that the digital KYC process is accessible to persons with disabilities. For clarification purposes SEBI released a revised FAQ[3] related to the Circular on the opening of accounts by persons with disabilities. The FAQ clarifies that persons with disabilities, not being a minor and those who are of sound mind, can independently open accounts. In case of minors with disabilities, intermediaries may rely on a guardianship certificate issued by local level committee under the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999.

The Circular permits digital KYC through accessible technologies and mandates assistance for video verification. To verify ‘liveliness’ the intermediary may use various factors such as live facial gestures, nodding of head, real time video recording etc. Thumb impressions are acceptable for e-signatures if properly documented. Both the person and guardian must comply with standard KYC norms, and intermediaries may source consent-based data from the Central KYC Registry. Accordingly, in case of rejection of KYC application due to accessibility related challenges, the principal officer will be responsible foe review and approval on case-to-case basis.

This move to mandate accessibility in digital KYC processes for persons with disabilities is a progressive and much-needed step toward inclusive finance. By enabling account opening through assistive technologies, flexible verification methods, and case-by-case reviews, the Circular acknowledges the practical challenges faced by persons with disabilities in engaging with digital systems. This initiative aligns with the Supreme Court order as mentioned above and also with meaningfully with the spirit of the DPDP Act, 2023, which explicitly recognizes the rights and dignity of persons with disabilities in the context of data processing. Financial access must be inclusive by design—not an afterthought—and SEBI’s framework sets a valuable precedent for other regulators such as RBI.

3. RBI issues Stricter Digital Lending Norms[4]

On May 8, 2025, the RBI notified the Digital Lending Directions, 2025 (the “Directions”) superseding the earlier Guidelines on Digital Lending dated September 02, 2022 to further strengthen oversight of digital lending platforms and protect borrowers. The Directions expand applicability to All-India Financial Institutions and mandate that multi-lender platforms disclose fair, comparable loan terms without using deceptive design practices. Further, enhanced consent norms now require clear, prior, purpose-specific approval for data use, with borrowers given control over revocation, third-party sharing, and deletion. Additionally, Digital Lending Applications (“DLA”) are barred from accessing contacts, call logs, or media, and all data must reside on Indian servers with strict repatriation timeline of 24 hours. Disbursals and repayments must be made directly between borrowers and regulated entities—bypassing intermediaries—with cash recovery allowed only under defined conditions for delinquent loans. The regulated entities must maintain publicly accessible disclosures and complaint mechanisms across their digital platforms, remaining fully accountable for grievance redressal.

All DLAs, including those of third-party Lending Service Providers are required to be registered with the RBI’s Centralised Information Management System portal by June 15, 2025, with compliance certified by the Chief Compliance Officer.

4. CERT-In issues Advisory to Strengthen Cyber Defences for Businesses[5]

On May 10, 2025, CERT-In issued an advisory titled Essential Measures for Industry for Safeguarding Business Operations Against Cyber Security Threats (“Advisory”). The Advisory urges businesses to strengthen cybersecurity defences considering increasing incidents of ransomware, data breaches, and disruptions to digital infrastructure. The Advisory recommends urgent implementation of several protective measures, including timely patching of software and firmware, hardening of systems and networks, securing remote access infrastructure, enforcing multi-factor authentication, and encrypting sensitive data. It also provides for businesses to segment networks, review firewall configurations, monitor critical logs, and test incident response and recovery plans. CERT-In has further stressed the importance of continuous employee awareness, secure cloud configurations, and regular backups stored offline. Companies must also report cyber incidents promptly as per CERT-In framework and stay updated with CERT-In threat alerts.

With data breaches and ransomware attacks on the rise across sectors, the Advisory is a crucial reminder to keep the IT infrastructure protected. By reinforcing foundational security practices—like patch management, network segmentation, multi-factor authentication, and offline backups—the Advisory serves as a timely reminder that cyber resilience must be proactive. In an era of heightened digital interdependence, businesses cannot afford security lapses. Strengthening cyber hygiene and readiness is no longer optional—it is central to operational continuity and regulatory compliance.

5. ‘e-Zero FIR’ Pilot Project launched to Fast-Track Cybercrime Investigations[6]

On May 19, 2025, the Ministry of Home Affairs launched the ‘e-Zero FIR’ initiative through the I4C as a pilot project in Delhi. The initiative aims to fast-track registration of FIRs in cyber financial fraud cases by integrating digital complaint systems with Bharatiya Nagarik Suraksha Sanhita (“BNSS”). The threshold requirement includes complaints involving losses above INR 10 lakh filed through the National Cybercrime Reporting Portal (“NCRP”) or via Cybercrime helpline by dialling 1930 will automatically be converted into Zero FIRs by the e-Crime Police Station, Delhi. These FIRs will then be routed to the appropriate local police station. Complainants must visit the cybercrime police station within three days to convert the Zero FIR into a regular FIR.

The process leverages integration between NCRP, Delhi Police’s e-FIR system, and the National Crime Records Bureau’s Crime and Criminal Tracking Network & Systems. It is anchored in Section 173(1)(ii) of the BNSS, which allows for electronic registration of FIRs regardless of territorial jurisdiction. The initiative is designed to address delays in FIR registration, facilitate faster recovery of defrauded funds, and improve accountability in cybercrime enforcement. It is also expected to be expanded to other States and Union Territories following the how the pilot project works out.

6. Maharashtra flags Risks related to Ghibli Content[7]

The Maharashtra Police Cyber Crime Cell has issued an advisory (“Advisory”) cautioning against the use of generative AI tools to create or share artwork that mimics the unique visual style of renowned animation house Studio Ghibli Inc. (“Studio”) The Advisory raises red flags over potential copyright infringement and unauthorised data use under Indian law. According to the Advisory, reproducing Studio’s iconic characters, animation style, or background elements without permission—whether for personal use, public sharing, or commercial gain—could violate the Copyright Act, 1957. It further warns that training AI models using content scraped from films or promotional material may infringe the rights of original creators. Legal risks are heightened if such AI-generated content is monetised, made public, or reused—especially when based on datasets lacking proper licenses. This could also breach the terms of digital platforms and clash with India’s evolving ethical standards for AI and cybersecurity.

The Advisory also spotlights concerns around consent, data protection, and fair use, urging developers and users of generative AI to conduct due diligence and build safeguards into their systems. As India moves toward clearer regulation of AI, this serves as a timely reminder that creativity powered by AI must respect the boundaries of law and original expression.

7. Allahabad High Court: Social Media ‘liking’ is not transmitting Obscene Content[8]

The Court clarified that simply ‘liking’ a post on social media does not amount to publishing or transmitting obscene content under Section 67 of the IT Act. The ruling came in the case of Imran Kazi v. State of U.P. and Anr. where criminal proceedings had been initiated against the applicant for allegedly liking an objectionable post. The Court held that for Section 67 to apply, the person must have either actively published i.e., posted the content or transmitted it i.e., shared, forwarded, or circulated it in some form. Since the applicant had only liked the post and did not create, post, or share it, the Court found no basis for prosecution. It further reiterated that the said provision is applicable only to material that is explicitly lascivious or intended to corrupt or deprave viewers—not merely provocative or controversial in nature. As a result, the Court quashed the case, emphasizing that liking a post is not the same as promoting or distributing its content under the law.

8. RBI to introduce Framework for Ethical Use of AI[9]

RBI, in its Annual Report for 2024–25, has announced that it is in the process of formulating a dedicated framework to govern the ethical and responsible use of AI and Machine Learning by banks and other regulated entities. The initiative is aimed at ensuring that AI deployments uphold principles of transparency, fairness, and accountability. This follows the RBI’s earlier move in December 2024 to constitute an expert committee to develop the Framework for Responsible and Ethical Enablement of AI (FREE-AI)[10]. The committee has been tasked with examining the use of AI in financial services and recommending guardrails to address risks such as bias, lack of explainability, and misuse of personal data.

AI is rapidly becoming embedded in core banking functions—from loan underwriting and customer service to risk detection and marketing. As banks increasingly rely on data-driven models, the upcoming framework will be a crucial step in ensuring these technologies are used responsibly. Coupled with the obligations under the DPDP Act, this framework will directly impact how banks design, audit, and govern their AI systems. The forthcoming framework is likely to serve as a key convergence point between technological innovation, and regulatory oversight.