If you have ever gone to your bank for a home loan and come back with an insurance policy you did not ask for, or downloaded a banking app only to find yourself trapped in a pop-up for a personal loan, the squarely at stopping that from happening.
The RBI on June 15, 2026, issued the Reserve Bank of India (Commercial Banks — Responsible Business Conduct) Second Amendment Directions, 2026. The directions apply to all commercial banks. There are different sets of guidelines for small finance banks, payments banks, regional rural banks, and local area banks.
They come into force on January 1, 2027, giving banks roughly six and a half months to get their houses in order.
Mis-selling is when a bank sells you a financial product that is wrong for you, or sells it to you in a way that is unfair or deceptive.
The RBI has now given this a formal legal definition for the first time under this framework. According to the notification, mis-selling covers five specific situations:
The consequence is significant. If mis-selling is established, the bank must refund the full amount paid by the customer and also compensate for any loss suffered. Customers can file a complaint within 30 days of receiving a signed copy of their agreement with the bank.
One of the most common complaints India Today has received from readers over the years is about , from the bank’s own tied-up partner, as a condition for getting a home loan or a personal loan approved.
The RBI has now put a formal ban on this practice, calling it compulsory bundling.
The notification defines compulsory bundling as making the , whether it is the bank’s own product or a third-party product. This is now prohibited.
There is a nuance here. If the bank genuinely requires insurance as a risk safeguard on a loan (say, a home loan protection plan), it can still ask for it. But the customer must be free to buy that insurance from any provider of their choice, not just the bank’s preferred partner.
Voluntary packages, where a customer freely chooses to bundle products, or where an additional product is provided free of charge, are still permitted.
Until now, “consent” in Indian banking was often a formality — a signature buried in fine print, a pre-ticked box on a form, or a catch-all clause that said something like “I agree to receive offers from the bank and its partners.”
The RBI has shut all of that down.
Under the new directions, a bank can only offer or sell a product — its own or a third party’s — if the customer has given explicit, recorded consent for that specific product. Consent for one product cannot be treated as consent for another. A customer who agrees to a personal loan cannot automatically be sent insurance promotions on that basis. Each product and each purpose needs its own separate, clear opt-in.
Importantly, the notification states that the default setting on any digital consent screen must be ‘No’ or ‘I do not agree’. The burden of saying yes must come from the customer, not from inertia.
Banks must also keep all consent records for at least one year after the contractual relationship ends.
When getting a customer’s consent, banks must prominently disclose key features of the product — fees, charges, interest rate, risks, lock-in period, and exit penalties — in a way that actually draws the customer’s attention to them.
A large part of aggressive financial product selling in India happens not through bank employees but through Direct Selling Agents (DSAs) and Direct Marketing Agents (DMAs), commission-based agents who work on behalf of banks and often operate at the front lines of customer acquisition.
The RBI’s new directions bring them directly under the regulatory framework for the first time.
Banks must now:
Agents can only contact customers between 9 AM and 7 PM. They cannot visit a customer’s home or office without explicit consent. They cannot represent themselves as bank employees.
They cannot make false commitments on the bank’s behalf. And if they violate the Code of Conduct, the agreement between the bank and the DSA must specify the disciplinary action that will follow.
Before selling any complex financial product to an individual customer, the bank must now assess whether the product is actually right for that person. The assessment must weigh the customer’s age, income, financial literacy, and risk tolerance against the product’s risk profile, fees, tenure, and complexity.
The notification also requires that product documents must be available in the regional language or a language the customer understands — a provision that matters most for customers in semi-urban and rural branches, who have historically been the most vulnerable to pressure selling.
Separate application forms must be used for each product in physical mode. In digital mode, each product must have its own dedicated section and its own separate explicit consent.
After every sale, banks must seek feedback from the customer within 30 days — through call-backs or surveys conducted by a team that had no role in making the sale. The findings must feed into a half-yearly report used to review and improve sales policies.
The notification’s most detailed section is its Annex IIA, which lists 11 specific digital tricks that banks and their agents are now prohibited from using in any app, website, or user interface. The RBI calls them dark patterns and has given concrete, real-world illustrations for each one.
1. False Urgency — countdown timers on loan offers, or phrases like “Act Now”, “Hurry”, or “Offer Ends Soon” used to panic a customer into signing up before comparing other options. Also includes advertising a pre-approved loan at an attractive rate with the suggestion that the rate will rise if not availed quickly.
2. Basket Sneaking — adding loan protection insurance or fraud cover by default during a loan application, so the customer pays for something they never consciously chose.
3. Confirm Shaming — making the opt-out button say something like “No, I don’t want extra security for my account”, to make the customer feel irresponsible for declining.
4. Forced Action — pop-ups on mobile banking apps that redirect the user to a personal loan page even when they click the close button.
5. Subscription Trap — easy sign-up for a product like a credit card or insurance plan, but a deliberately complicated, hard-to-find cancellation process.
6. Interface Interference — displaying the bank’s preferred option in bright colours or bold fonts; burying the account closure option deep in navigation; or setting the default consent to “Yes” in any menu.
7. Bait and Switch — advertising a low interest rate and charging a higher one at the point of application; or offering a lifetime-free credit card without disclosing the minimum transaction conditions required.
8. Drip Pricing — not revealing processing fees or other charges upfront, so the customer only sees the full cost after they have committed.
9. Disguised Advertisement — push notifications that look like urgent account alerts but are actually promotional messages for new products or services.
10. Nagging — repeatedly asking a customer to enable non-essential cookies or provide data permissions even after they have already said no.
11. Trick Wording — using confusing double negatives on consent checkboxes, such as “Uncheck this box if you do not want to receive offers”, to make customers accidentally opt in.
Banks and their DSAs must conduct periodic internal audits of all their digital interfaces to identify and remove these practices.
The RBI’s notification does not arrive from nowhere. The has been building for years, and the alarm has been raised at the highest levels of both the government and the central bank.
Finance Minister Nirmala Sitharaman had said at the SBI Banking and Economics Conclave: “Sale of insurance by banks has raised concerns of instances of mis-selling, and I would say this has contributed indirectly to the cost of borrowing for the customers. So banks will have to look at this, look at their core banking activities, and not burden customers with insurances they don’t require.”
As recently as February this year, addressing reporters after a post-Budget meeting with the RBI Central Board, Sitharaman went further, saying under the Bharatiya Nyaya Sanhita (BNS).
She pointed out that banks were pushing insurance on customers who already had adequate cover, and that the problem had fallen awkwardly “between two stools” — with neither the RBI nor IRDAI taking clear ownership of the issue.
IRDAI Chairman Debasish Panda, speaking at the same SBI conclave, said the bank channel was a useful one “but of late, a lot of ills have crept into the system” and called for restoring customer confidence in financial product distribution.
India Today has been tracking this issue closely.
Our reporting has documented how bank relationship managers routinely pitched unit-linked insurance plans to customers who walked in for fixed deposits, how borrowers were told insurance was mandatory for loan approval, and how senior citizens, who pay higher mortality charges on insurance-cum-investment products, were among the most frequently targeted.
The RBI’s new directions are the most comprehensive regulatory response to these practices yet.
From the new year, a bank customer going in for a home loan cannot be legally
A relationship manager pitching a ULIP to someone who came in for a fixed deposit is engaging in a practice that must now be backed by a recorded suitability assessment and explicit consent. Any agent who calls after 7 PM, visits your home without permission, or uses a pop-up designed to trap you into a personal loan product is in violation of RBI directions — and the bank is responsible for it.
The RBI has also stated in the notification that a bank cannot fund the purchase of any product — its own or a third party’s — using a loan sanctioned to the customer, without that customer’s explicit consent.
A companion notification — the RBI (Commercial Banks — Undertaking of Financial Services) Third Amendment Directions, 2026 — is being issued separately to deal with the agency and referral business framework.
Banks now have until December 31 to put in place comprehensive policies, codes of conduct for all sales staff and agents, website disclosures, digital consent architecture, suitability assessment processes, feedback mechanisms, and audit systems for dark patterns.
The rules are clear. Whether they change what actually happens at the branch counter — or on your phone screen at 10 PM — is the test that lies ahead.
