Your Bank Cannot Trick You Anymore: RBI's New Rules on Dark Patterns and Mis-Selling
The RBI finalised landmark directions on June 15, 2026 that ban deceptive digital practices, make banks liable to refund you for mis-sold products, and require explicit consent before selling you anything. Here is what changed and what it means for you.
Have You Ever Been Here?
You go to your bank's app to pay a bill. On your way out, you see a pop-up offering a "free" insurance policy. There is a big green button that says "Activate Now" and a small, greyed-out link at the bottom that says "maybe later." You tap the green button quickly. Three months later, you notice a deduction you did not consciously agree to.
Or you visit a bank branch for a home loan. The executive tells you that to get the loan at that interest rate, you also need to take their insurance product. You feel like you have no choice. You take it.
Or your bank app shows a countdown timer: "This offer expires in 04:32 minutes." You panic and click.
All three of these scenarios are now either banned outright or expose the bank to serious legal liability under the RBI's Responsible Business Conduct (Second Amendment) Directions, 2026, finalised on June 15, 2026 and effective from January 1, 2027.
What Are Dark Patterns and Why Does This Matter?
A dark pattern is a design trick built into an app or website that nudges you into doing something you did not actually intend to do. The term was coined by UX designer Harry Brignull in 2010 and has since become one of the most important concepts in consumer protection law globally.
In the financial world, dark patterns are particularly harmful because the products involved, insurance policies, loans, investment products, are complex and expensive. Being tricked into buying an unsuitable financial product does not just waste a few hundred rupees. It can mean paying premiums for years on a policy you never needed, locking money into an investment you did not understand, or taking on debt you did not plan for.
The RBI has now explicitly defined a dark pattern as "any practice or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice."
The directions apply to commercial banks, NBFCs, housing finance companies, All India Financial Institutions including NABARD, EXIM Bank, NHB, and SIDBI, and rural and urban cooperative banks. Together, these cover almost every regulated financial institution that sells products to Indian consumers.
What Is Now Banned: The Five Biggest Changes
1. Dark Patterns Are Prohibited Outright
Banks and NBFCs must ensure their digital interfaces, apps, websites, and online journeys do not deploy any dark pattern. The RBI has issued an illustrative list of banned dark patterns specifically relevant to financial institutions.
False Urgency is banned. This includes countdown timers on apps for promotional offers, phrases like "Act Now", "Limited Time Only", or "Offer Ends Soon" designed to rush decisions, and notifications claiming charges will increase after a specific date to pressure sign-ups without comparison.
Subscription Traps are banned. Making it easy to subscribe but difficult to unsubscribe, hiding cancellation options, or creating multiple barriers between a customer and their exit from a product are all prohibited.
Drip Pricing is banned. Banks cannot reveal the full cost of a product only at the final step of a purchase journey. All fees, charges, interest rates, lock-in conditions, and exit penalties must be disclosed upfront, before consent is obtained.
Disguised Advertisements are banned. Promotional content must be clearly identified as such and cannot be designed to look like neutral information or editorial content.
Pre-ticked Boxes are banned. A customer cannot be deemed to have consented to a product or service because a box was already checked on their behalf. Consent must require an active, affirmative action.
Banks must subject their digital platforms to periodic user testing and internal audits specifically to identify and remove any dark pattern features. This is not a one-time compliance check. It is an ongoing obligation.
2. Compulsory Bundling Is Prohibited
This is the insurance-with-loan scenario. Banks are now prohibited from making the availability of one product conditional upon the customer also taking another product, whether it is the bank's own product or a third-party product.
You cannot be told that you must buy the bank's insurance policy to get the home loan at the advertised rate. You cannot be required to open a salary account to access the credit card offer. Each product must stand on its own and be offered and agreed to separately.
3. Explicit, Individual Consent Is Now Mandatory for Every Product
The era of blanket consents is over. Under the new framework, consent for each product or service must be obtained individually. Bundled consents, where a single tick box covers multiple products at once, are no longer valid.
Explicit consent is defined as "a specific, informed and unambiguous indication of an individual's choice, given through a statement or by a clear affirmative action." The bank must record and document that consent.
Critically, banks must design their digital journeys so customers cannot grant consent without first going through the applicable terms and conditions. A journey where clicking one button leads to a consent screen you can skip past does not satisfy this requirement.
The option to decline consent must be as visible and accessible as the option to accept. If acceptance is a large green button, refusal cannot be a tiny grey link at the bottom of the screen. Equal prominence is required.
4. Banks Are Now Financially Liable for Mis-Selling
This is the most powerful consumer protection change in the directions. If mis-selling of a financial product is established, the bank must refund the entire amount paid by the customer for that product. It must also compensate the customer for any loss arising from the mis-selling.
Mis-selling is defined as selling a product without explicit consent, without correct and complete information, or with misleading information. It also includes selling a product that is not suitable for the customer's profile.
The suitability requirement is new and significant. Banks must assess whether a product is appropriate for a customer before selling it, taking into account factors including the customer's age, income, financial literacy, and risk appetite. A bank cannot sell a complex derivative product to an elderly fixed income investor simply because the customer signed a consent form. Suitability is a separate and independent obligation from consent.
The bank must also seek feedback from the customer within 30 days of any product sale to assess whether they understood its features and associated risks. This is not optional customer service. It is a regulatory requirement.
5. Agents and DSAs Are Now Tightly Regulated
Direct Selling Agents and Direct Marketing Agents who sell financial products on behalf of banks are now directly covered by these directions. Banks are responsible for ensuring their DSAs and DMAs comply with the code of conduct prescribed by the bank.
Any DSA, DMA, or representative of a third-party product provider who is physically present in a bank's premises must be clearly distinguishable from bank employees through visible identification. A customer should never be uncertain about whether the person selling them a product is a bank employee or a commissioned agent.
Bank employees are prohibited from receiving any incentive, directly or indirectly, from a third-party product provider. This closes the loophole through which bank staff were effectively receiving kickbacks for selling insurance or investment products regardless of whether those products suited the customer.
Who Does This Apply To?
The directions cover commercial banks (excluding Small Finance Banks, Payment Banks, Regional Rural Banks, and Local Area Banks), NBFCs, housing finance companies, All India Financial Institutions, and rural and urban cooperative banks.
If you have a relationship with any of these institutions, these protections apply to you from January 1, 2027.
What Should You Do If You Have Been Mis-Sold a Product Before January 2027?
The new compensation mechanism applies to mis-selling established under the new framework from January 1, 2027 onwards. However, if you believe you were mis-sold a product before that date, existing remedies remain available. You can file a complaint with your bank's internal grievance mechanism, escalate to the Banking Ombudsman under the Integrated Ombudsman Scheme, or approach the CCPA or NCDRC for consumer protection remedies.
From January 1, 2027, the standard rises significantly. Banks have explicit obligations to refund and compensate. The burden of demonstrating that consent was properly obtained, that the product was suitable, and that all required disclosures were made shifts substantially to the bank.
The Global Context: India Is Catching Up Fast
The UK's Financial Conduct Authority has had Consumer Duty obligations in force since July 2023, requiring firms to deliver good outcomes for retail customers and explicitly prohibiting foreseeable harm including through design of digital journeys. The EU's MiFID II framework has required suitability assessments for investment products for years. Australia's ASIC has been enforcing design and distribution obligations since 2021.
India's RBI framework, effective January 2027, brings Indian financial consumer protection broadly in line with these global standards. For international banks and financial institutions operating in India, it requires a careful audit of Indian digital journeys and sales practices against a framework that is now genuinely comparable to what is required in their home jurisdictions.
The Bottom Line
If you are a bank customer, these directions work in your favour in three concrete ways from January 1, 2027. Your bank cannot use design tricks to push you into products you did not consciously choose. It cannot make one product conditional on buying another. And if it mis-sells you something, it must refund you in full and compensate you for your losses.
If you are a bank, NBFC, or financial institution, the compliance window is six months. Audit your digital interfaces for dark patterns. Review your bundling practices. Redesign your consent journeys. Train your DSAs. Update your suitability frameworks. And build the feedback and compensation mechanism before the deadline, not after the first complaint arrives.
This Blog is for general informational purposes and does not constitute legal advice. For guidance on RBI compliance, financial product regulation, or consumer protection matters, please contact our team.