BT Explainer: How RBI plans to stop product mis-selling, deceptive digital practices by lenders

Ever thought you were mis-sold a product by your bank or made to buy an additional service? Well, now your explicit consent will be required for a bank to sell a product or service to you. 

The Reserve Bank of India has now tightened rules on such instances of mis-selling or unauthorised bundling, deceptive digital practices among other things. These directions will come into effect from January 1, 2027.

Explicit Consent 

Under RBI's Commercial Banks Responsible Business Conduct - Second Amendment Directions, banks will now need to get explicit consent through modes such as signed declarations, agreement clauses and OTP approvals.

"A bank shall ensure that products/services, whether own or third-party, are offered/sold to a customer only with her/his explicit consent, which may be obtained either through a signed declaration (either physically or electronically), OTP based approval, digitally recorded confirmation, consent embedded in a clearly demarcated section of the agreement for the product/service, etc," the central bank has said. 

Additionally, while obtaining consent from a customer for more than one product or service on a single form, each product or service will have to be clearly enumerated and the customer will have the option to choose only the desired product or service. 

MUST READ | RBI's 2013 playbook brought in $34 bn. Can the latest scheme do it again?

Also, the bank will have to store the consent and related records of a product or service sold by it till one year from the date of cessation of the contractual agreement.

The process flow for obtaining consent through any user interface will have to be designed in such a way that consent cannot be granted by the user without going through the applicable terms and conditions, if any, as per the RBI directions. 

"The default choice for the customer to give consent shall be ‘No’/‘I do not agree’." 

Product Bundling 

Separately, it has been made clear that a bank won't be able to compulsorily bundle third party products with its own products or services. 

MUST READ | BT Explainer: RBI tightens lending norms for REITs -- what has changed and why does it matter?

If the sale of the bank’s own product or service is contingent on purchase of a third party product as a risk mitigant, then the customer will have to be now provided the option to purchase the same. 

Dark Patterns 

A bank and its direct selling agents will have to ensure that their user interfaces do not deploy any dark pattern. 

Instances of dark patterns include, falsely stating or implying the sense of urgency or scarcity so as to mislead a user into making an immediate purchase or taking an immediate action, which may lead to a purchase, or offering pre-approved loans at attractive interest rates and luring the customer that the interest rate of the loan is likely to rise if the offer is not availed. 

DON'T MISS | Got cash at home? Here's the truth about the 'RBI paper note ban' claim

Data Access

Access to data is another aspect that these guidelines cover. 

Many times a lender may request access to personal data like contact list, camera, data storage, location, etc. without which the registration for the bank’s services cannot be completed or an application use may be restricted. The RBI has said that if such request is made to ensure compliance with regulatory instructions and the same has been transparently disclosed to the customer, it will not be construed as a forced action. 

The new directions also crack down on several other practices like drip pricing, a practice where elements of pricing are not revealed up front or are revealed only post confirmation of payment; subscription trap, where cancellation of a subscription may be hidden or the process made complex; forced action, where a user is forced to buy an additional product or subscribe to an unrelated service among other things.