The Consent Deficit: RBI’s Draft RBC Directions Turn Mis-selling Into A Proof Problem
India’s mis-selling problem is no longer being treated as a training lapse or “rogue agent” issue. The Union Finance Minister has publicly stated that mis-selling is an offence and has welcomed tighter Reserve Bank of India (RBI) guidance. Not a training failure, not a rogue agent problem: an offence, with institutional accountability attached. RBI’s Responsible Business Conduct (RBC) amendments move the debate from disclosure to demonstrable customer choice, with a proposed effective date of July 1, 2026.
RBI Is Forcing Banks To Prove Customer Choice — Not Just Collect A Signature
The draft directions are explicit about what banks must change in sales, marketing, and digital journeys. But if banks treat this as another compliance checklist, they’ll miss the real shift. The compliance artefact isn’t the objective — the objective is proving the customer understood, opted in knowingly, and could opt out without friction.
The draft directions demand:
- Explicit, separate consent for each product. Consent for multiple products can’t be clubbed together. Banks should expect to provide evidence of product-by-product consent, not rely on one bundled acknowledgement.
- No compulsory bundling. The draft addresses coercive cross-sell, including tying insurance or other add-ons to lending decisions. If a customer is taking a loan, they shouldn’t be forced into an insurance purchase to get it approved.
- No dark patterns in digital flows. RBI explicitly targets deceptive UX patterns, and reporting highlights expectations for user testing and periodic audits of interfaces that nudge customers into unintended actions.
- Refunds and compensation once mis-selling is established. The draft framework includes redress expectations, raising the operational cost of weak controls and poor evidence.
DPDP And AI Make Weak Consent Records A Scalable Liability
RBI’s draft directions land in a market where the Digital Personal Data Protection (DPDP) Act is already moving from legislation to operational enforcement in phases, after the rules were notified in November 2025. That matters because the hardest mis-selling disputes aren’t just about what was sold — they’re about how the customer was targeted, what data was used, whether consent was specific, and whether withdrawal was supported in practice, not just stated in policy.
Now add automation: Banks are steadily increasing digital targeting, personalization, and assisted onboarding. The more you automate, the more your consent records become your control plane. Regulators will follow the evidence trail, and digital systems create logs that are easier to audit than branch conversations.
The World Has Already Run This Experiment: We Know How It Ends
India isn’t writing new regulatory history. It’s reading a script already performed elsewhere — and the reviews are instructive.
Global precedents show why this isn’t theoretical. In the UK, PPI redress ran to £38.3 billion paid since January 2011, according to the FCA, and Lloyds alone has been cited at around £21.9 billion in payouts. In Australia, Commonwealth Bank sold its troubled CommInsure life business to AIA for $3.8b after a scandal involving outdated medical definitions and claim handling, which became part of the wider conduct reckoning examined during the 2018 Hayne Royal Commission period. India doesn’t need to replicate every detail to replicate the outcome: remediation becomes vastly more expensive than prevention once conduct failures scale.
The EU’s AI Act reinforces the direction of travel. For high-risk AI uses relevant to banking, such as creditworthiness and credit scoring, the compliance burden includes stronger expectations around data governance, transparency, and controls. That doesn’t map one-to-one to India, but it signals where supervisory scrutiny is headed when automated decisioning and personalization collide with consumer harm.
What Should Financial Services Leaders Do Before July 2026?
RBI’s draft directions turn mis-selling from a “did we disclose” debate into a “can we prove informed choice” test. Banks that modernize consent and sales evidence now will spend less on remediation later. And they’ll protect trust in a market where distribution economics still depend on cross-sell. To get ahead:
- Rebuild consent as a system capability. Define product-level consent events, store them in tamper-evident logs, and make withdrawal as easy as opt-in across channels.
- Debundle sales journeys end to end. Separate screens, separate disclosures, separate consent capture, and separate receipts, especially for loan-plus-insurance flows.
- Run a dark pattern audit of digital funnels. Identify pre-ticked boxes, confusing defaults, hidden add-ons, and friction-heavy cancellation paths, then fix and document changes.
- Tighten partner and agent governance. Ensure direct selling agents, direct market access, and bancassurance partners follow the same consent controls and evidence standards, and that responsibility is contractually and operationally unambiguous.
- Assume AI will be audited. If automation influences targeting or product recommendations, treat consent provenance and data lineage as first-class controls, not afterthoughts.
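One way to model the first recommendation, product-level consent events in a tamper-evident log with withdrawal as a first-class event, is a hash-chained append-only ledger. This is an added example, not code from RBI's draft or from the author; the class, field names and sample events are hypothetical and constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash value used by the first entry

def _digest(body):
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

class ConsentLedger:
    """Append-only, hash-chained log of per-product consent events."""
    def __init__(self):
        self.entries = []

    def record(self, customer_id, product, action, channel, ts):
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        if not isinstance(product, str) or not product:
            # A list such as ["home_loan", "credit_life_cover"] is bundled consent.
            raise ValueError("one product per consent event")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"customer_id": customer_id, "product": product, "action": action,
                "channel": channel, "ts": ts, "prev": prev}
        self.entries.append(dict(body, hash=_digest(body)))

    def verify(self):
        """Return the index of the first altered entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def active_products(self, customer_id):
        """Products with a standing grant; a later withdrawal overrides it."""
        state = {}
        for e in self.entries:
            if e["customer_id"] == customer_id:
                state[e["product"]] = e["action"] == "grant"
        return sorted(p for p, granted in state.items() if granted)

def build_sample_ledger():  # constructed loan-plus-insurance journey
    ledger = ConsentLedger()
    ledger.record("C-1001", "home_loan", "grant", "mobile_app", "2026-07-01T10:00:00Z")
    ledger.record("C-1001", "credit_life_cover", "grant", "mobile_app", "2026-07-01T10:02:00Z")
    ledger.record("C-1001", "credit_life_cover", "withdraw", "branch", "2026-07-03T09:30:00Z")
    return ledger
```

The chain only exposes in-place edits; someone who can rewrite the whole log can recompute every hash, so the latest hash needs to be anchored somewhere the sales system cannot modify, such as a write-once store or a periodic signed export.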