RBI final rules curb mis-selling, ban dark patterns 2027

What RBI announced and why it matters

The Reserve Bank of India (RBI) on Monday issued final guidelines governing the advertising, marketing and sale of financial products by banks and non-bank lenders. The directions are aimed at strengthening customer protection, curbing mis-selling practices, and improving accountability across banks, their agents, and third-party product providers. RBI said the framework adopts a principle-based and channel-agnostic approach, meaning the responsibilities apply across in-branch, tele-calling, and digital journeys. The rules also specifically address the use of deceptive digital design practices, commonly referred to as dark patterns. A clear implementation timeline has been set, with the directions coming into effect on January 1, 2027.

Timeline: from draft norms to final directions

In February, RBI’s draft guidelines introduced a formal definition of mis-selling and proposed stronger guardrails for product sales. The draft required banks to set up a comprehensive, board-approved policy covering suitability assessments, customer feedback mechanisms, and compensation mechanisms. On Monday, the regulator issued final amendment directions for regulated entities, including banks and non-bank lenders, and clarified operational expectations around consent, disclosures, and oversight of outsourced channels. The regulator also reiterated that implementation will begin on January 1, 2027, providing a definitive compliance date for affected institutions.

How RBI defines mis-selling under the new framework

RBI’s final directions treat a sale as mis-selling if it falls into defined categories linked to customer suitability, disclosures, and consent. The definition covers products that are unsuitable for a customer’s profile at the time of sale, sales made with misleading, incomplete or inaccurate information, and sales completed without explicit customer consent. It also includes compulsory bundling, where one product is made conditional on buying another. RBI added that even if consent exists, selling an unsuitable product may still be treated as mis-selling.

Explicit consent: separate, recorded, and unambiguous

A central feature of the framework is the requirement for explicit, recorded consent for every product sold, including third-party products distributed by banks. RBI defined explicit consent as a specific, informed, and unambiguous indication of agreement that must be recorded by the bank. Consent for multiple products cannot be clubbed and must be obtained separately for each product. RBI-listed illustrative modes include signed declarations (physical or electronic), OTP-based approvals, digitally recorded confirmations, and consent captured in a clearly demarcated section of an agreement for the product and service.

Digital journeys: no pre-ticked boxes and no dark patterns

RBI prohibited banks and their agents from using dark patterns in banking apps, websites, and digital sales journeys. These are deceptive design practices that can manipulate customer choices or impair informed decision-making, such as steering users into add-on products they did not intend to buy. The directions also state that digital interfaces must ensure consent cannot be granted without customers being exposed to applicable terms and conditions. The default consent option must be “No” or “I do not agree,” tightening controls over pre-selected checkboxes and similar mechanisms.

Suitability and disclosures before a sale

Before selling a financial product or service, banks will be required to assess suitability and appropriateness for individual customers. RBI said lenders must determine whether a product is appropriate based on factors such as age, income, financial literacy, and risk tolerance. Banks must also follow product-specific suitability requirements prescribed by sector regulators such as SEBI, IRDAI, or PFRDA where applicable. Prior to obtaining consent, banks must prominently disclose key product features, including interest rates, fees and charges, financial commitments, risks, lock-in periods, and exit conditions and penalties. Where regulators have prescribed standard disclosure formats such as Key Facts Statements (KFS) or Most Important Terms and Conditions (MITC), banks must use those formats.

Bundling rules: what is banned and what is permitted

The directions introduce a definition of compulsory bundling, referring to situations where a bank makes the availability of one product or service conditional upon purchase of another product or service. Banks have been prohibited from compulsorily bundling any third-party product or service with their own products. RBI allowed a narrow operational exception where a third-party product such as insurance is required as a risk mitigant, but customers must have the freedom to purchase it from any provider of their choice. RBI also clarified that voluntary product packages and complimentary offerings without additional cost will not be treated as compulsory bundling.

Oversight of DSAs, DMAs, and outsourced sales channels

RBI brought direct selling agents (DSAs), direct marketing agents (DMAs), loan service providers, and other outsourced sales channels within a formal regulatory framework. Banks will be responsible for advertising, marketing and sale of financial products undertaken directly or through agents or outsourced arrangements. The framework requires banks to conduct due diligence before and after engagement, establish training requirements, monitor compliance, undertake inspections and audits, and define disciplinary actions for violations. Banks must also publish and regularly update a list of empanelled DSAs and DMAs on their websites. And sales agents or representatives operating within bank premises must be clearly distinguishable from bank employees through visible identification.

Marketing communications: consent-based and time-bound

The new rules limit how promotional communications can be sent. Banks will only be allowed to send promotional communications if customers have explicitly consented to receive them. Sales calls and visits can generally be made only between 9 a.m. and 7 p.m., unless customers specifically authorise communication outside those hours. RBI also barred sales personnel from making false commitments or misleading customers, reinforcing the core standard that product information must be correct, complete, and accurate.

Refunds, compensation, and record-keeping obligations

The directions mandate strong customer remedies when mis-selling is proven. RBI said the framework requires full refunds and compensation in cases where mis-selling is established, and that consent alone does not shield the bank if the product was unsuitable. On record keeping, RBI stated that irrespective of how consent is obtained, regulated entities must store consent records securely and be able to rely on them to demonstrate that consent was obtained properly. Banks will also be required to preserve consent records until one year after the contractual relationship for the product ends. RBI also said banks must establish mechanisms to obtain customer feedback within 30 days of sale of a financial product or service.

Key requirements at a glance

What this means for banks, NBFCs, and customers

For regulated entities, the framework increases end-to-end accountability for how financial products are positioned, explained, and sold, including through outsourced channels. It places operational emphasis on verifiable consent capture, controlled digital design, and documented suitability assessment. For customers, the rules are designed to reduce forced add-ons, clarify disclosures, and strengthen remedies when products are mis-sold. RBI has also made it clear that governance and compliance responsibilities sit with the regulated entity, even when third parties are involved in distribution.

Conclusion

RBI’s final directions tighten the rules around product suitability, disclosures, consent, and digital conduct, while extending oversight to DSAs, DMAs, and other outsourced sales channels. The framework also formally targets compulsory bundling and dark patterns in digital journeys, alongside explicit requirements on consent and record retention. With an effective date of January 1, 2027, banks and non-bank lenders now have a defined window to align policies, systems, and agent management practices to the new standards.