The Consent Deficit: RBI’s Draft RBC Directions Turn Mis-Selling Into A Proof Problem

The RBI’s draft Responsible Business Conduct (RBC) directions mark a decisive shift from superficial disclosure to demonstrable customer choice. By mandating product‑level consent, prohibiting forced bundling, and outlawing deceptive digital flows, regulators are forcing banks to embed consent into the core of sales architecture. This move dovetails with India’s Data Protection and Digital Personal Data Protection (DPDP) framework, which is moving from policy to enforcement, and signals that regulators will scrutinise not just what was sold but how data‑driven targeting was executed.

Digital transformation amplifies the stakes. As banks increasingly rely on AI‑powered recommendation engines and automated onboarding, consent records become the primary control plane for compliance. Tamper‑evident logs, granular consent timestamps, and clear withdrawal mechanisms will be essential audit artifacts. Global precedents—from the UK’s massive PPI redress to Australia’s insurance fallout—illustrate that remediation far outweighs preventive investment, especially when automated systems generate voluminous, traceable evidence that regulators can readily examine.

For financial‑service leaders, the path forward is clear: rebuild consent as a system capability, de‑bundle sales journeys, and conduct rigorous dark‑pattern audits across all digital channels. Strengthen partner governance to ensure third‑party agents meet the same evidence standards, and treat AI decision‑making as a regulated process with full data lineage. Acting now not only mitigates compliance risk ahead of the July 2026 deadline but also reinforces consumer trust, positioning banks as responsible innovators in a tightening regulatory landscape.