RBI Tightens Consumer Protection Rules, Bans Mis-Selling and Dark Patterns

The Reserve Bank of India (RBI) has finalized its consumer protection framework under responsible business conduct guidelines, tightening rules on mis-selling, deceptive digital practices, and unauthorized bundling. The central bank has shifted to a prescriptive regime, imposing strict consent-capture and interface-design protocols to close gaps left in the draft released on February 11.

Strict Consent and Interface Requirements

According to the framework, banks must capture explicit consent via verifiable modes such as signed physical or electronic declarations, OTP approvals, recorded confirmations, or clearly demarcated agreement clauses. Interfaces must default to 'No' or 'I do not agree', forcing customers to consciously opt in. Banks are also required to disclose key product terms upfront, including interest rates, fees, risks, lock-in periods, and exit penalties.

Ban on Bundled Consent and Dark Patterns

The central bank has barred bundled consent, mandating that each product be presented in a separate module to enable selective choice. Banks must retain consent records for one year after the contract ends to aid dispute audits. The framework reaffirms a ban on forced bundling and dark patterns such as basket sneaking, subscription traps, confirm shaming, and drip pricing. Examples of prohibited messages include: 'Are you sure you want to miss out on exclusive offers and updates?' or 'No, I prefer to stay uninformed about great deals,' which imply opting out is unwise.

Expanded Agent Scope and Data Access Rules

The framework widens the scope of agents to cover all sourcing entities, including business correspondents and loan service providers, and extends to sub-agents at the customer interface. Banks must publish and update empanelled-agent directories within seven days, listing identity, location, and permitted products. On data access, the RBI eased rules: seeking device data such as location, camera, or contacts will not count as a dark pattern if mandated for compliance and transparently disclosed. The rules also allow voluntary or zero-cost bundles.

Effective Date and Complaint Mechanism

According to the RBI, consent must be active, specific, and separately captured, with interfaces built for informed choice. The framework takes effect on January 1, 2027, after the RBI granted a six-month extension for system upgrades. Customers can file mis-selling complaints within regulator-set timelines or within 30 days of receiving signed agreements.
