Dark Patterns, Customer Trust and the Future of Conduct Regulation

RBI's latest conduct rules now move beyond disclosure to target dark patterns that erode customer choice, trust and market discipline in finance.

By Anupam Sonal

Anupam Sonal, a career central banker with 34+ years’ experience in regulation, supervision, customer protection and fintech, is currently a Senior Advisor and Independent Director to banks & NBFCs.

June 30, 2026 at 4:18 AM IST

The Reserve Bank of India has progressively expanded and strengthened its oversight of business conduct across its regulated entities, moving beyond fair practices, customer service and disclosures to encompass suitability, outsourcing and digital lending in an increasingly technology-driven environment.

The latest milestone is the Responsible Business Conduct (Second Amendment) Directions, 2026, issued on June 15, building on the framework introduced in November 2025 and refined in April 2026. Together, they consolidate scattered customer protection principles and establish 'responsible conduct' as a broader regulatory objective. The Directions signal a shift from traditional disclosure-based consumer protection towards a more outcome-oriented approach.

Their significance lies in shaping how products are designed, marketed, distributed and experienced by customers. Recognising that customer detriment often originates before a transaction is consummated, the regulatory focus shifts from transactions to behaviour, and from process adherence to institutional responsibility. The framework encompasses the entire customer interface since misleading advertisements, selective disclosures, exaggerated claims, aggressive cross-selling, and incentive-driven marketing practices can all distort customer choices. The emphasis, therefore, is now on whether customers have been treated fairly throughout the product lifecycle and is no longer confined to whether information has been provided.

The most distinctive, and arguably the most forward-looking, feature of the Directions is the explicit prohibition of deceptive digital design, or "dark patterns". These include manipulative interface designs and customer journeys that subtly influence behaviour through pre-selected options, hidden charges, default opt-ins, deceitful labels, interface nudging and similar practices. In effect, the Directions recognise that the underlying design of a digital interaction can itself become a source of conduct risk.

The instructions on dark patterns represent a significant shift in the treatment of conduct risk, away from the conventional assumption that adequate disclosures enable customers to make informed decisions. In digital ecosystems, behavioural design, algorithmic optimisation and data analytics can exploit biases, information asymmetry and customer inertia to shape outcomes without overt coercion. Financial institutions today can analyse how customers respond to prompts, interfaces, recommendations and incentives, creating what may be termed a form of cognitive asymmetry that can transform consent into a procedural formality while preserving the appearance of customer autonomy.

Engineered Choice
The motive behind such practices is to improve, among other things, conversion rates, cross-selling opportunities, customer retention and revenue. They also monetise information gaps and public vulnerabilities, encouraging inappropriate and unsuitable conduct, eroding trust and undermining the integrity of customer relationships. The resulting harm extends beyond individual customers to institutional reputation, market discipline and confidence in the overall financial system. In such a scenario, regulation needs to govern machine-mediated interactions with the same rigour traditionally applied to human conduct.

The Directions seek to protect something more fundamental than routine compliance. They seek to preserve customer agency and the integrity of choice by embedding explicit and informed consent, strengthening market discipline and ensuring that competition does not come at the expense of consumer welfare. Responsibility for fair outcomes must rest primarily with regulated entities, with technology remaining an instrument of service rather than manipulation. In that sense, the RBI is extending the perimeter of conduct regulation beyond products and disclosures to the architecture of decision-making itself.

The challenge lies in translating the articulated principles into practice. 

Conduct failures are often hidden within routine customer interfaces and behaviour, making them difficult to detect. Effective implementation, therefore, requires that conduct move from the periphery of compliance to the core of institutional decision-making across the organisation, including its operations, systems, controls, and processes. From being a regulatory obligation, responsible conduct will need to evolve into a source of competitive differentiation and long-term franchise value.

Conduct risk must therefore be embedded within enterprise-wide risk management, internal audit and performance frameworks. This necessitates a reassessment of how products are designed and delivered, with particular attention to customer journeys, digital interfaces, incentives and third-party arrangements. 

Traditional controls must be complemented by customer-outcome reviews, transaction analytics and complaint intelligence to identify emerging concerns before they crystallise into customer detriment. Compliance itself must evolve from periodic certification to continuous monitoring supported by early-warning indicators and independent validation.

Supervision and Accountability
Effective implementation will also require a corresponding transformation in supervisory capabilities. Conventional inspections, audits and reporting frameworks are unlikely to fully capture conduct failures embedded within digital ecosystems and behavioural interfaces. 

Supervisory approaches will need to become more data-driven and multidisciplinary, drawing on behavioural indicators and customer-outcome metrics while combining prudential oversight with expertise in behavioural science, digital design and artificial intelligence. Equally important will be the ability to identify emerging gaps and breaches early, and to respond with speed, consistency and credibility.

Ultimately, the effectiveness of the Directions will depend less on regulatory prescriptions and more on whether a culture of responsible conduct permeates financial institutions, particularly given the past experience of existing RBI conduct protocols. Customer awareness, education and financial literacy will be equally critical. The methods behind manipulation and unfair dealing will continue to evolve with technology and innovation. Informed and vigilant customers will be far more likely to question, seek clarification and safeguard themselves against unfair treatment.

Regulation, however, cannot substitute for institutional character. Supervisory resources, both within the regulator and regulated entities, are finite and must be deployed strategically. Sustainable compliance emerges when doing the right thing becomes an organisational instinct rather than a routine obligation. 

The ultimate objective of regulation should be to create foundations that encourage institutions, as far as possible, to self-regulate through the highest standards of governance, accountability and professional responsibility. At the same time, deliberate misconduct or persistent negligence must attract swift and proportionate supervisory action, including enforcement capable of creating credible deterrence.

The Directions, therefore, are not merely about preventing misconduct. They are about preserving the trust and integrity of customer relationships, which remain the most important and irreplaceable resources in financial intermediation.