The Reserve Bank of India (RBI) has finalised its consumer protection framework under responsible business conduct guidelines, tightening rules on mis-selling, deceptive digital practices and unauthorised bundling, according to a report by Business Today. The directions impose a strict consent-capture and interface-design protocol, closing gaps left in the February 11 draft.
New Consent-Capture Protocol
Under the framework, banks must capture explicit consent via verifiable modes such as signed physical or electronic declarations, OTP approvals, recorded confirmations, or clearly demarcated agreement clauses, according to the RBI. Interfaces must default to 'No' or 'I do not agree', forcing a conscious opt-in. Banks must disclose key product terms upfront, including interest, fees, risks, lock-ins, and exit penalties.
Ban on Bundling and Dark Patterns
The central bank has barred bundled consent. According to the directions, banks must present each product in a separate module, enabling selective choice. The framework reaffirms a ban on forced bundling and dark patterns such as basket sneaking, subscription traps, confirm shaming, and drip pricing. Prohibited messages include: "Are you sure you want to miss out on exclusive offers and updates?" or "No, I prefer to stay uninformed about great deals," implying opting out is unwise. Consent must be active, specific and separately captured, with interfaces built for informed choice.
| Provision | Requirement |
|---|---|
| Consent Capture | Verifiable modes: signed declarations, OTP, recorded confirmations, clearly demarcated clauses |
| Interface Default | Default to 'No' or 'I do not agree' |
| Product Disclosure | Upfront disclosure of interest, fees, risks, lock-ins, exit penalties |
| Bundling | Separate modules; no bundled consent |
| Agent Scope | Covers all sourcing entities, including business correspondents, loan service providers, and sub-agents |
| Data Access | Device data (location, camera, contacts) not a dark pattern if mandated for compliance and transparent |
| Dark Patterns Prohibited | Basket sneaking, subscription traps, confirm shaming, drip pricing |
| Complaint Timeline | Within regulator-set timelines or 30 days of receiving signed agreements |
Expanded Agent Coverage and Data Access
The framework widens agent scope. According to the directions, direct selling and marketing agents now cover all sourcing entities, including business correspondents and loan service providers, and extend to sub-agents at the customer interface. Banks must publish and update empanelled-agent directories within seven days, listing identity, location, and permitted products.
On data access, the RBI eased rules: seeking device data such as location, camera, or contacts will not count as a dark pattern if mandated for compliance and transparently disclosed. The rules also allow voluntary or zero-cost bundles.
Record Retention and Complaints
Banks must retain consent records for one year after contract end to aid dispute audits. Customers can file mis-selling complaints within regulator-set timelines or within 30 days of receiving signed agreements.
Implementation Timeline
The framework takes effect on January 1, 2027, after the RBI granted a six-month extension for system upgrades. The central bank said the directions impose a prescriptive regime to ensure informed consumer choice and curtail deceptive practices.
For finance executives and treasury professionals, these norms represent a significant compliance shift for all lenders, including those involved in trade finance and corporate lending. The strict consent-capture requirements and agent transparency mandates will require system upgrades and operational changes, potentially increasing cost of capital as banks invest in compliance infrastructure. However, the framework also reduces litigation risk by providing clear guidelines on permissible practices, ultimately strengthening the integrity of India's financial system.
Sources:
