Have you ever tried to close a pop-up on your bank’s app only to find yourself on the personal loan page? Or signed up for a credit card easily, then spent 20 minutes trying to figure out how to cancel it? Or felt vaguely guilty clicking “No, I don’t want to protect my account” on a screen nudging you to buy insurance?
If any of that sounds familiar, you have been on the receiving end of what the Reserve Bank of India now officially calls a dark pattern.
On June 15, 2026, the issued the Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Second Amendment Directions, 2026. Buried inside the notification, in Annex IIA, is one of the most detailed and plain-spoken documents any Indian financial regulator has produced.
It lists on customers, with real-world illustrations for each one drawn directly from banking practice.
The directions come into force on January 1, 2027. Banks and their Direct Selling Agents (DSAs) must audit all their digital interfaces for these practices and remove them before that date.
The RBI defines a dark pattern as “any practice or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights.”
In plain English: if a bank’s app is designed to confuse you into buying something, that design is now illegal. Here is the full list.
You have seen this one everywhere. A countdown timer on a loan offer. A banner that says “Offer Ends Soon” or “Act Now”. A message from your bank saying your pre-approved personal loan is available at a special interest rate that will go up if you do not take it today.
The RBI’s notification calls all of this out directly, listing as an illustration: “Offering pre-approved loans at attractive interest rates and luring the customer that the interest rate of the loan is likely to rise if the offer is not availed.”
The notification also flags: “Using phrases like ‘Act Now’, ‘Hurry’, ‘Limited Time Only’, or ‘Offer Ends Soon’ in communications, thereby, inducing a sense of urgency, leading customers to act faster than they might otherwise.”
None of it is banned because such offers cannot exist. It is banned because the urgency is manufactured. From January 2027, a bank cannot use artificial time pressure to push you into a financial decision.
This is when something gets added to your purchase without you ever choosing it.
The RBI’s notification describes it as: “Inclusion of additional items such as products or services, payments to charity or donation at the time of checkout from a platform, without the consent of the user, such that the total amount payable by the user is more than the amount payable for the product or service chosen by the user.”
The banking illustration the RBI gives is very specific: “Selecting additional products or services by default, on behalf of the customer, for example, adding protection against online fraud or loan protection insurance by default during the loan application process.”
If you have ever reached the end of a loan application and noticed a box already ticked for insurance you did not ask for, that is basket sneaking. It is now prohibited.
This is the one that makes you feel like a fool for saying no.
The RBI defines confirm shaming as using “a phrase, video, audio or any other means to create a sense of fear or shame or ridicule or guilt in the mind of the user so as to nudge the user to act in a certain way.”
The notification lists three illustrations from banking practice. When a customer tries to unsubscribe from marketing emails, they may see: “Are you sure you want to miss out on exclusive offers and updates?” with the opt-out button reading: “No, I prefer to stay uninformed about great deals.”
If a customer decides not to add fraud protection, the screen might say: “No, I don’t want extra security for my account.”
If a customer declines a premium account upgrade, the rejection button might read: “No thanks, I don’t want extra security and benefits.”
All three are now banned. The opt-out button on any banking interface must say what the customer is actually doing, not what the bank wants them to feel about doing it.
This is when you cannot do what you came to do without first doing something else entirely.
The RBI defines forced action as: “Forcing a user into taking an action that would require the user to buy an additional product or subscribe or sign up for an unrelated service or share personal information in order to buy or subscribe to the product or service originally intended by the user.”
The most specific illustration in the notification is one many mobile banking users will recognise: “Displaying pop-up advertisements for own or third-party products or services in digital channels which cannot be closed without redirection to the concerned products or services.
For example, pop-up after logging in to mobile banking which leads to personal loan section even if user clicks on the exit or closure button of the pop-up.”
The notification also flags apps that demand access to your contact list, camera, or location as a condition for completing registration, unless such access is genuinely required by regulatory rules and that reason is clearly disclosed.
Easy in, impossible out.
The RBI’s notification defines a subscription trap as any process that makes “cancellation of a paid subscription impossible or a complex and lengthy process”, or that hides the cancellation option, or that forces a user to provide payment details for a supposedly free subscription, or that makes cancellation instructions “ambiguous, latent, confusing, cumbersome.”
The banking illustration is direct: “Making it easy for customers to sign up for a product or service, for example a credit card or insurance product, but making the procedure for cancelling the same significantly cumbersome like not providing a direct link for cancellation, keeping the cancellation option in complex navigation requiring multiple confirmation steps.”
From January 2027, cancelling a banking product must be as simple as signing up for it.
This is the design trick you probably never noticed because it was designed to be invisible.
The RBI defines interface interference as a design element that “highlights certain specific information and obscures other relevant information relative to the other information, to misdirect a user from taking an action as desired.”
The notification lists three specific illustrations. First: “Displaying the preferable option for the bank in bright colours or bold fonts on website or mobile app.” Second: “Default choice for consent being ‘Yes’ in various menu options on website or mobile app.” Third: “Embedding information related to options on how to close account, delete personal data, etc., deep in the user interface rather than being made easily accessible.”
In other words, if a bank’s app makes “Accept All” big, green, and prominent, while making “Decline” small and grey, that visual choice is now a regulatory violation.
You were promised one thing. You got another.
The RBI defines bait and switch as “the practice of advertising a particular outcome based on the user’s action but deceptively serving an alternate outcome.”
The notification gives four illustrations. The first is one of the most common complaints in Indian banking: “Advertising a lower interest rate initially and charging a higher interest rate at the time of actually applying for a loan, at times accompanied by non-disclosure of processing fees and other charges upfront.”
The second is about savings accounts: “Advertising a higher interest rate in savings accounts, without specifying the requirement of minimum balance for the same.”
The third covers rewards: “Nudging customers to make more number of transactions to receive cashbacks or rewards, whereas the fine print imposes certain additional conditions for actually availing the cashback or rewards.”
The fourth is one many credit card holders have experienced: “Offering customers life-time free credit cards, without disclosing the condition of minimum value of transactions required or any other pre-condition for waiver of annual fee.”
This is when the full cost is never shown to you until it is too late to back out.
The RBI defines drip pricing as a practice where “elements of prices are not revealed upfront or are revealed surreptitiously within the user experience”, or where the price is revealed only after the purchase is confirmed, or where a product is advertised as free without disclosing that continued use requires additional payment.
The banking illustration the RBI gives is blunt: “Not revealing processing fees and other charges upfront.”
If you have ever reached the final screen of a loan application only to see a processing fee you were never told about earlier, that is drip pricing. It is now prohibited from the point of first disclosure.
This is when a promotion is dressed up to look like an important alert.
The RBI defines disguised advertisement as “posing, masking advertisements as other types of content such as user generated content or news articles or false advertisements, which are designed to blend in with the rest of an interface in order to trick customers into clicking on them.”
The illustrations in the notification are precise. First: “Sending push notifications through mobile application or emails that appear to be urgent account alerts or important updates but, in effect, are advertisements for new services or promotions, such as ‘Important: Your account might benefit from this new feature!’.”
Second: “When searching for specific features or services on website or mobile application, showing products or services beneficial to the bank at the top of the results.”
If a notification badge on your bank app made you think something was wrong with your account and it turned out to be a personal loan offer, that is disguised advertisement.
This is simply being pestered repeatedly after you have already said no.
The RBI defines nagging as a practice “due to which a user is disrupted and annoyed by repeated and persistent interactions, in the form of requests, information, options, or interruptions, to effectuate a transaction and make some commercial gains, unless specifically permitted by the user.”
The illustrations: “Repeatedly asking the customer to enable non-essential cookies on website or mobile application despite the customer having refused earlier.” And: “Inserting multiple dialogue boxes, for example for seeking reviews, and asking the customer to mandatorily select an option before allowing him or her to leave the application or website.”
From January 2027, a bank cannot keep asking you the same question after you have answered it.
This is the double negative in the consent checkbox that makes you agree to something you meant to refuse.
The RBI defines trick wording as “deliberate use of confusing or vague language like confusing wording, double negatives, or other similar tricks, in order to misguide or misdirect a user from taking desired action or leading consumer to take a specific response or action.”
The notification gives two illustrations. First: “Using confusing double negatives to trick users into opting for promotional emails or additional services, for example, a checkbox that says, ‘Uncheck this box if you do not want to receive offers’.”
Second: “When adjusting privacy settings, a question like, ‘Do you want to disable data sharing?’ with options ‘Enable’ and ‘Disable’ can be confusing, leading users to inadvertently enable data sharing.”
Both are now prohibited. Consent language in banking interfaces must be clear, direct, and unambiguous.
The RBI’s directions require banks and their DSAs to conduct periodic internal audits of all digital interfaces to identify and remove dark patterns. Banks must also adhere to the Guidelines for Prevention and Regulation of Dark Patterns, 2023, issued by the Central Consumer Protection Authority (CCPA).
If you believe your bank is using any of these practices after January 1, 2027, you can file a complaint with the bank’s grievance redressal officer. If the bank does not resolve it, you can escalate to the RBI Ombudsman.
The list the RBI has published is explicitly described in the notification as “illustrative”, meaning it is not exhaustive. The regulator has left room to add more practices to the list as new tactics emerge.
For now, eleven is a good start.