The Reserve Bank of India (RBI) recently released the draft amendments to Responsible Business Conduct guidelines for banks and NBFCs (Proposed Guidelines) which is proposed to be effective from 1 July 2026. Buried within the Proposed Guidelines is a granular explicit consent framework mirroring the Digital Personal Data Protection Act, 2023 (DPDPA) and triggering compliance nearly a year before DPDPA’s implementation.
RBI’s Consent Framework
RBI's trajectory on customer consents for sale of financial products and services has primed the financial ecosystem, making the Proposed Guidelines’ consent mandate no surprise. Amongst the measures adopted by the RBI, mandating explicit, auditable borrower consents for data collection / processing and third-party data sharing under the digital lending Guidelines and the outsourcing guidelines have been the most explicit of the requirements so far. The Proposed Guidelines now embed explicit consent requirements centrally for sale of financial products and also their marketing and distribution. Under the Proposed Guidelines, consent needs to be specific, informed, auditable, withdrawable, and provided through an affirmative action, specifically prohibiting bundled and pre-ticked consents.
DPDPA Interplay
RBI's "explicit consent" definition echoes DPDPA's unambiguous, auditable, withdrawable consent standards and adds granularity through its per-product consent construct. Banks and NBFCs must provide customers with access to real-time dashboards to view, modify and withdraw consents easily. This requirement aligns with DPDPA's notice, ease of withdrawal, record keeping and deletion obligations.
Understanding the Operational Impact
The operational impact of the consent requirements on banks and NBFCs is profound, necessitating a reengineering of customer onboarding, marketing and data management processes. The guidelines extend beyond explicit consent requirements to ensure holistic data privacy compliance and curb mis-selling practices such as user interface-based dark patterns, aligning with DPDPA while addressing RBI's concerns over mis-selling of financial products.
Many current practices regarding marketing and selling of financial products and services are based on bundled, implied, or pre-ticked consents. Existing practices such as single checkboxes covering multiple products or assumed opt-ins from transactional relationships would now have to shift to granular, per-product explicit affirmative actions, with pre-consent term reviews and auditable digital trails. This demands backend consent engines for real-time dashboards, seamless withdrawal mechanisms and user interface audits to eliminate dark patterns, potentially increasing customer onboarding journey steps.
Third-Party Product Economics
The new consent architecture will also require a review of product economics. Cross-selling and third-party distribution models that relied on bundled journeys and assumed opt-ins will face lower take rates once every product and service is subject to a distinct, well explained consent event. Business heads will need to revisit revenue assumptions from ancillary product tie ups and redesign customer journeys so that uptake is driven by suitability and clarity rather than default inclusion.
Big Impetus to Consumer Confidence
These proposed consent requirements deliver substantial benefits to customers by restoring agency over personal data. Customers will no longer encounter bundled consents that obscure secondary product sales, such as loans paired with insurance, or pre-ticked boxes implying agreement. These actions would be substituted by clear, separate affirmative actions for each offering, ensuring fully informed choices.
Ultimately, customers gain auditable control, reduced spam and compensation eligibility for lapses, fostering trust in an ecosystem historically marred by consent fatigue, mis-selling and predatory outreach.
Navigating the New Consent Era
The RBI is accepting comments on these proposed guidelines until 4 March 2026. Banks and NBFCs can explore strategic collaborations with consent managers for scalable verification, engage legal consultants for legacy system retrofits, and submit targeted feedback to the RBI on phased implementation or clarifications on "existing customers." Proactive training for sales teams, mock regulatory inspections, and monitoring online industry discourse will mitigate operational disruptions while positioning them as compliance leaders in the evolving RBI-DPDPA landscape.
