The Reserve Bank of India (RBI) issued the Responsible Business Conduct (Second Amendment) Directions, 2026 on 15 June 2026, materially revising the framework for distribution of financial products with heavy emphasis on consent architecture. Consent is now expected to be a distribution control and accountability mechanism for regulated entities. For fintechs, banks, NBFCs, loan service providers, digital marketplaces and embedded finance platforms, the key issue is how this architecture interacts with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025, particularly given that the RBI directions take effect on 1 January 2027 and the DPDP framework becomes operational from 13 May 2027.
Two Consent Regimes
The DPDP Act permits processing of digital personal data for a lawful purpose based on consent or specified legitimate uses. Under the DPDP Act, consent must be free, specific, informed, unconditional, unambiguous and indicated by clear affirmative action. Data Fiduciaries must give notice of data proposed to be processed, processing purpose, data principal rights and grievance redressal mechanisms. The RBI directions similarly define “explicit consent” as a specific, informed and unambiguous indication of choice, given through a documented statement or clear affirmative action.
Why DPDP Consent Does Not Satisfy RBI’s Standard
The overlap does not alter the distinct object of each regime. The DPDP framework governs collection, use, sharing, retention and erasure of personal data. The RBI directions govern the fair offering and sale of financial products. DPDP consent for a cross-sell campaign will not, by itself, satisfy the RBI requirement for explicit consent to offer or sell the relevant product. Lawful data processing will not cure breaches arising from unsuitability, bundling, inadequate disclosure or manipulative interface design.
Cross-Sell Requires Product-Level Consent
The distinction becomes most significant in cross-selling. Under the RBI directions, own and third-party financial products may be sold only with explicit consent. A single form covering multiple products must identify each product separately, permitting the customer to select only desired products. Digital forms must distinguish each product through a dedicated section with separate explicit consent. An omnibus consent for “offers from partners” or “financial products” is unlikely to satisfy the RBI standard, even if it supports specified processing purposes under the DPDP Act.
Product Disclosure Must Sit Alongside Privacy Notice
The RBI directions require substantive product disclosure alongside consent. Regulated entities must prominently disclose key product features including fees, charges, interest rates, risks, financial commitments, lock-in conditions, exit terms and penalties. Prescribed formats such as Key Facts Statements must be used where applicable. On the other hand, the DPDP Act consent notice requirements are narrower, concerning personal data and purpose, not product economics or suitability risk. Regulated entities will therefore need both a DPDP-compliant privacy notice and consent mechanism, and an RBI-compliant product consent and disclosure mechanism.
User Interface and Dark Patterns as Conduct Risk
The RBI directions regulate the interface through which consent is obtained. Consent cannot be granted unless the customer has reviewed applicable terms, and the default option must be “No” or “I do not agree.” Dark patterns, including basket sneaking, forced action, interface interference, trick wording, subscription traps and nagging, are prohibited. These requirements affect app-based journeys, pre-selected options, bundled insurance and pop-up prompts. The RBI directions thus convert affirmative consent into prescriptive user-interface standards, also affecting how entities evidence consent and address customer grievances.
Withdrawal, Evidence and Recordkeeping
The DPDP Act provides data principals the right to withdraw consent with ease comparable to giving it, subject to continued processing where authorised by law. The RBI directions require simple unsubscribe processes for promotional communications and preservation of product consent records until one year after cessation of the contractual arrangement. Recordkeeping is central to defending the validity of the product-distribution journey.
Consent Does Not Cure Misselling
Explicit consent under the RBI directions does not operate as a regulatory safe harbor. Misselling includes sale of an unsuitable product notwithstanding explicit consent. Regulated entities must assess suitability by reference to product features, risk-return attributes, time horizon, complexity and fees, measured against customer profile factors such as age, income, financial literacy and risk tolerance. The DPDP Act does not regulate financial suitability of products such as loan protection policies, mutual funds or pension products.
What Financial Services Distributors Should Reassess
For fintech and financial services businesses, consent design should be treated as a cross-functional legal and compliance control, sequenced against the 1 January 2027 RBI timeline and the 13 May 2027 DPDP timeline. The same customer journey may need to satisfy DPDP notice and consent standards, RBI product consent standards, prescribed disclosures, dark-pattern restrictions, suitability assessments, opt-in and opt-out rules, and evidence retention obligations. Each touchpoint should be assessed by reference to the data being processed, the financial decision presented, the interface used and the evidence retained.