In quest for the right framework for DGPSI-Banks, it has been necessary to take a deep look at the current regulatory directions from RBI to Banks. Let us restrict ourselves today to the post digital regulatory era in Banking.
After ITA 2000 was enacted, RBI came up with the recommendations on Internet Banking following the trend setting S R Mittal Group recommendations. Subsequently in 2008 after the amendments of ITA, RBI followed up with the Information security guidelines recommended by the G Gopalkrishna Committee reports. Subsequently the Cyber Security framework 2016 was notified. We have discussed most of these developments in Naavi.org.
After DPDPA 2023 came into existence, RBI came up with the “Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices”. Recently RBI has come up with the draft AI guidelines 2026. (Comments are open upto 24th July) These were guidelines which could have incorporated the guiding principles of DPDPA 2023.
RBI has however preferred to restrict its focus in these guidelines to “Information Security” and tried to avoid conflict with the DPDPA.
The AI guidelines however do make a reference to protection of consumer interests without going into details.
In the master direction, there are specific provisions about “Explicit Consent”, “Dark patterns”, “Avoidance of compulsory bundling”, “Total loss compensation for mis selling”. These are directly related to the Consent Rules of DPDPA 2023 and also to the Consumer Protection Act 2019.
DGPSI-Bank as a framework therefore needs to factor in these guidelines. Accordingly the following become guidelines for implementation of DGPSI-Banks.
- The single, pre-ticked “I agree to all terms and conditions” checkbox is officially non-compliant. There needs to be a centralized and highly specific consent management mechanism.
- Regulated entities must obtain standalone, affirmative consent for every individual financial product or service sold, including third-party offerings
- Digital interfaces must automatically default to “No” or “I do not agree.” Users must explicitly choose to opt-in via active physical or electronic steps (e.g., OTP confirmations or digitally recorded validations).
- Financial institutions are required to build a centralized, timestamped consent trail that can survive rigorous supervisory review and must be retained for at least one year after the contract terminates.
- Product managers and UX designers are now directly linked to regulatory compliance. RBI has banned manipulative user interfaces that trick consumers into unintended financial commitments such as Basket sneaking, Confirm shaming and Forced actions & subscription traps (under consumer protection act, 13 different practices have been notified as dark pattern practices for which criminal punishments may be given)
- The common banking practice of making a core product conditional on buying an auxiliary product (e.g., refusing a home loan unless the borrower purchases life insurance from their joint-venture insurance partner) is banned.
- Lenders can specify the type of risk mitigation needed, but the customer retains absolute freedom to choose the third-party provider
- Bank and NBFC employees are prohibited from directly or indirectly receiving direct commissions or kickback incentives from third-party service providers
- Institutions must actively seek customer feedback within 30 days of a sale to verify the customer truly understood the product’s risks and lock-in conditions.
- If mis-selling or un-consented bundling is established, the institution is legally mandated to refund the entire amount paid and compensate for any financial loss.
- Regulatory liability now fully extends to Direct Selling Agents (DSAs), Direct Marketing Agents (DMAs), sub-agents, and Third-Party Product Service (TPPS) representatives.
- Any third-party agent operating within bank premises must wear clear, distinct on-person identification to ensure customers do not mistake them for core bank employees
These guidelines become part of DGPSI-Banks under the provisions of Consent Management, Data Processor management and other policies.
As regards the AI guidelines, incorporation of human oversight, Kill switch etc are already part of the DGPSI-AI framework and it gets integrated to DGPSI-Banks also.
Naavi









