What this edition covers:
This month, we track regulatory shifts changing how fintech products are built, sold and governed:
- Main Course 1 | Dark patterns in BFSI: RBI, IRDAI and SEBI are moving against manipulative design. Fintechs need to redesign UI/UX around user agency to avoid regulatory action.
- Main Course 2 | NRI KYC: India wants more NRI capital, but onboarding friction is getting in the way. The solution is to make NRI KYC fully digital without weakening verification.
- Dessert | AI in finance: As AI shapes credit, fraud, pricing and customer interactions, RBI has proposed its first model risk framework. Regulated entities need to prepare for model validation, oversight over third-party AI models and board accountability.
- Mints | Quick bites: Other key fintech regulatory developments from the last month.
Introduction
Fintech apps have trained us to expect ease. One tap to borrow. One swipe to invest. One click to insure.
That ease has been transformative. A loan, an insurance policy or an investment product is no longer locked behind a branch visit or a stack of paperwork. It can reach a student in a small town, a gig worker between jobs, a farmer looking for credit, or an elderly user paying her electricity bill online.
But the same design that makes finance accessible can also make it slippery.
A button can be made more prominent than it should be. An add-on can be pre-selected. A consent can be bundled with three other consents. A ‘limited period’ offer can rush a user into a loan. A cancellation option can be buried so deep that giving up feels easier than opting out. None of this looks like traditional mis-selling. There is no pushy agent. No misleading phone call. No forged signature. Just a screen that quietly tilts the choice.
Such design choices are what regulators now call ‘dark patterns’. The Central Consumer Protection Authority (CCPA) Guidelines for Prevention and Regulation of Dark Patterns, 2023 define them as deceptive UI practices built to mislead or trick users into doing something they never intended, chipping away at their autonomy and their ability to decide for themselves.
For a while, these tactics sat in the grey zone between smart growth and unfair design. That grey zone is now closing. The RBI and IRDAI are making clear that interface design can have regulatory consequences. SEBI is not far behind. In this month’s first Main Course, we look at how dark pattern rules are entering financial regulation, and why fintechs now need to audit not just their policies, but every button, banner, checkbox and consent screen.
Main Course 1 ๐ฅ
Watching the Sun Set on Dark Patterns in BFSI
What the RBI, IRDAI and SEBI’s new dark pattern rules mean for financial service user interfaces
In June 2026, the RBI amended its Responsible Business Conduct Directions to restrict the use of dark patterns in financial services interfaces. The changes kick in from 1 January 2027. The RBI now requires banks and their agents to ensure that their user interfaces do not deploy dark patterns. These interfaces must also undergo user testing and periodic internal audit to identify unfair features, including dark patterns.
Other financial services regulators have also taken similar actions. In April 2026, IRDAI asked its regulated entities to self-assess the presence of dark patterns on their platforms. It has also partnered with the Institute of Public Auditors of India to monitor dark patterns across the insurance industry. SEBI is moving in the same direction too. In its June 2026 consultation paper on a Common Advertisement Code for specified SEBI-regulated entities, it proposed an express prohibition on dark patterns as part of a broader effort to consolidate and modernise its advertising framework.
The sectoral regulators refer to the CCPA’s Guidelines for Prevention and Regulation of Dark Patterns, 2023 in their guidelines and rely on it to define dark patterns. These guidelines gave statutory shape to the idea of dark patterns by treating them as misleading advertisements or unfair trade practices.
Enforcement has also started to pick up. The CCPA issued notices to BookMyShow after it allegedly auto-added Re. 1 per ticket as a contribution to an NGO through a pre-ticked option. It treated this as ‘basket sneaking’. In an order against McAfee, the CCPA objected to a subscription-renewal flow that framed the choice as ‘Renew Now’ versus ‘Accept Risk’ – turning a simple ‘no’ into an act of recklessness. In an order against PhysicsWallah, it found a pre-ticked Rs. 10 donation at checkout, emotionally loaded donation messaging, and ‘free’ courses that demanded personal information in exchange. PhysicsWallah was fined Rs.5 lakh and McAfee Rs. 1 lakh.
For a financial services company, a dark pattern can now draw action not just from the CCPA, but also from the respective sectoral regulators.
What fintechs should do now
Surface-level disclaimers or changes will not be enough. Fintechs need to build customer autonomy into the product and the journey, not bolt it on at the end. The starting point should be a full UI/UX audit of every customer journey where money, consent, data or product selection is involved. That includes onboarding, loan applications, credit card issuance, insurance cross-sell, payment flows, subscription renewals, autopay mandates, promotional opt-ins, cancellations and grievance redressal journeys.
- Remove false urgency: Do not use fake countdown timers, ‘hurry’ banners or ‘offer ending soon’ nudges to push a user into taking a loan, card, insurance add-on or cashback-linked product. If an offer genuinely expires on a date, say so plainly. Do not manufacture pressure where none exists.
- Remove pre-selected choices: A loan protection cover should not auto-add itself to a loan journey. A donation, subscription, paid alert, card-protection service or insurance add-on should not sit pre-ticked in the cart. Keep add-ons unselected. Disclose the price upfront. Take separate and explicit consent.
- Rewrite manipulative copy: ‘No, I don’t care about protecting my family’ is confirm shaming. So is ‘Accept Risk’ for a user who simply wants to decline insurance renewal. A lender selling loan insurance should say ‘Add insurance’ and ‘Continue without insurance’. A payment app selling protection should say ‘Add protection’ and ‘Skip’. Neutral language is the new baseline.
- Eliminate forced action: A customer should not have to share unnecessary data, sign up for an unrelated service, or buy an add-on just to get the service they would want. For PSOs and payment apps, this means no forced promotional consent, no unnecessary data capture, and no add-on prompts wedged into basic payment flows.
- Make exit as easy as entry: If a user can sign up online, they should be able to unsubscribe, cancel, opt out or close a feature in a convenient manner online too. Do not route them through call centres, repeated nudges or a maze of screens. Auto-renewal should follow only from a clear opt-in.
- Fix interface interference: Do not make the option favourable to the platform brighter, bigger or easier to click while hiding the user-protective option in dull text or deep navigation. Account closure, data deletion, opt-out and cancellation choices should be easy to find.
- Avoid bait and switch: If a loan is advertised at a low interest rate, the eligibility conditions and actual applicable rate should be clear before the user applies. If a credit card is advertised as lifetime free, any minimum-spend or annual-fee waiver condition should be disclosed upfront. Cashback and reward campaigns should not hide key conditions in fine print.
- Label advertisements as advertisements: Push notifications, in-app banners or customer testimonials should not pretend to be urgent account alerts, neutral recommendations or user-generated content if they are actually promotional. Manufactured testimonials also risk being treated as disguised advertisements.
- Stop nagging: If a user says no to promotional communication, non-essential cookies, an upgrade or a cross-sell, respect that choice. Repeated pop-ups and mandatory dialogue boxes can turn persuasion into pressure.
- Remove trick wording: Avoid double negatives and confusing choices such as ‘Uncheck this box if you do not want to receive offers’ or ‘Disable data sharing: Enable/Disable’. Buttons should say what they mean. The user should not need a lawyer to understand a toggle.
Finally, fintechs must create evidence, keep screenshots of approved journeys, maintain a screen inventory, and run periodic UI audits. They must test flows with real users. Financial service providers must review loan service provider, direct sales and marketing agent and fintech-partner journeys as closely as their own. They must also build a dark-patterns checklist into every product release. This will help fintechs and BFSI companies build a compliance trail.
Main Course 2 ๐
The KYC wall between India and NRI investments
The challenge with NRI onboarding, and the remote KYC reforms SEBI and the Finance Ministry are now considering.
India wants more NRI investments in its markets. But the onboarding rails are not keeping up. Recent reports indicate that the growth rate of NRI investments in India has slowed down. The market intermediaries list cumbersome NRI KYC as a leading reason. The irony is clear. India has built one of the world’s best digital finance stacks for residents. But for Indians living abroad, investing back home can still mean Indian SIM dependence, physical document notarisation, repeated document checks and broken digital journeys.
The problem is that India’s digital KYC stack was built around a resident Indian user. Aadhaar, DigiLocker, e-sign and video KYC work well when the customer is physically in India and has an active Indian SIM. For NRIs living abroad, Indian SIMs may be inactive or expensive to maintain. DigiLocker access may become difficult without an Indian number. Aadhaar e-sign may not work for NRIs who do not have Aadhaar or cannot access the mobile number linked to it. Video KYC rules also create hurdles. SEBI’s video KYC framework requires the customer’s geolocation to be in India for fresh onboarding. This makes it difficult for NRIs living abroad to complete KYC remotely.
The other missing piece is portability. A completed NRI KYC should not have to be repeated each time the investor approaches a new broker, mutual fund house or platform. CKYCR was meant to solve this problem. But differences across regulators, gaps in verification standards and limited interoperability between databases continue to create a need for repeat checks.
If an NRI can invest in global markets in minutes, but must courier documents, arrange notarisation, keep an Indian SIM active and redo KYC across intermediaries to invest in India, they are less likely to choose India as an investment destination. The answer is to design remote KYC processes customised for non-resident users.
In December 2025, SEBI relaxed geo-tagging requirements for NRI re-KYC. That relaxation should extend to fresh onboarding too, at least for NRIs in lower-risk jurisdictions. The live location captured during video KYC should be allowed to match the country in the NRI’s overseas address proof, instead of requiring physical presence in India. India should also allow Aadhaar to be linked to international mobile numbers and permit OTP delivery on those numbers. For e-sign, NRIs should have a compliant alternative to Aadhaar e-sign, along with recognition of foreign electronic signatures from major NRI jurisdictions. Regulators must also work together to enable portability of NRI KYC records.
The solution is not to dilute KYC norms. It is to design bespoke remote KYC processes for NRIs and foreign residents. The Government and SEBI are reportedly already working towards these reforms. The hope is that most of these changes are reflected in the final rules.
Dessert ๐ฐ
RBI releases its first rulebook for AI in finance
The RBI’s draft model risk management guidance is a sound framework, but validation of third-party AI models needs a risk-based approach.
The RBI’s draft Guidance on Regulatory Principles for Model Risk Management, released in June 2026 with comments due by 24 July 2026, is a good first step towards governing AI models in financial services. These models now shape credit decisions, fraud checks, pricing, collections, and customer interactions. When they fail, customers can be denied credit, charged unfairly, or misled by automated interfaces. Therefore, now, the RBI is asking regulated entities to maintain model inventories, tier models by risk, validate them independently, build board oversight, and stay accountable for third-party models.
This is also how AI regulation is likely to develop while India waits for a central law. Sectoral regulators will move first where the risks are immediate. Data regulation followed a similar path. Long before the Digital Personal Data Protection Act, 2023, the RBI, SEBI and IRDAI were shaping how data was collected, stored and shared in their sectors.
Some parts of the framework may, however, be hard to implement. The draft expects regulated entities to independently validate third-party models, obtain technical documentation, and secure audit rights. This is sensible in principle, but difficult in practice. Many advanced AI models deployed in India are foreign-built, proprietary and opaque. Vendors rarely disclose training data, model weights, or internal architecture. Audit rights may also reveal a vendor’s governance process, but not the nuances of the model itself. Smaller regulated entities may find it even harder to comply with this norm. They have limited bargaining power with global vendors and may not have the capacity to meaningfully test frontier models.
The solution is not to dilute the framework, but to refine it. Two changes would help. First, phased implementation, so that gaps surface before hard deadlines apply. Second, intensive scrutiny should be reserved for high-risk third-party models. A credit-underwriting engine deserves deep validation. A customer service chatbot may not need the same treatment. The draft’s own risk tiering logic already points in this direction. Following it through would let the rules do their job without freezing adoption.
For regulated entities, the draft is also a cue to start early. Vendor contracts take time to renegotiate, and documentation, audit and exit provisions are far easier to secure before a model goes into production than after. Mapping existing models against the draft’s risk tiers now will show where the gaps are, and there is still time to shape the proposed framework itself by sharing feedback with RBI.
Mints ๐
๐ณ RBI issues master directions on payment system authorisation: The RBI has issued Master Directions on Authorisation to Operate a Payment System. It consolidates existing rules on who can apply for authorisation, minimum net worth requirements, fit-and-proper criteria for promoters and management, perpetual validity of authorisations, cooling-off periods, and the treatment of investments from FATF non-compliant jurisdictions.
๐๏ธ RBI recognises Sahamati as SRO for account aggregator ecosystem: The RBI has recognised Sahamati Foundation as the Self-Regulatory Organisation (SRO) for the Account Aggregator (AA) ecosystem. The decision follows RBI’s review of Sahamati’s application under its framework for recognising SROs for the AA ecosystem, which was issued in March 2025.
๐ช NPCI unveils Drunix to support blockchain and tokenisation ecosystems: The National Payments Corporation of India (NPCI) has rolled out Drunix, an open-source blockchain platform, to help companies build and scale tokenisation platforms, digital asset ecosystems and multi-organisation networks. Drunix enables blockchain deployment at scale and is engineered for enterprise and public infrastructure adoption.
๐ค NPCI is piloting AI to catch UPI fraud in real time: NPCI has launched a federated AI model with nearly a dozen banks to spot suspicious transactions, assign risk scores locally, and alert or freeze transfers before stolen money is layered across mule accounts. The system is designed to compress fraud detection from hours or days to seconds while keeping customer data with individual banks. It can also warn banks or customers when an account shows the classic pattern of rapid, abnormal money movement.
๐ช NPCI enhances per-transaction limit for biometric transaction authentication on UPI: The NPCI has enhanced the per-transaction limit for on-device biometric authentication via fingerprint, face, etc. in UPI, from INR 5,000 to INR 10,000 effective 7 August 2026. Issuer banks, PSPs and UPI TPAPs have been asked to ensure adequate customer communication regarding the updated limit.
๐ NPCI developing unified interface for Autopay tracking: NPCI is developing a unified application interface that will allow all UPI third-party apps — PhonePe, Google Pay, Paytm, and others — to display a user's complete list of e-mandates in a single view, making it easier to track recurring payments like OTT subscriptions, EMIs, and insurance premiums. Though this API will enable visibility of mandates on the third-party apps, any changes or cancellations will still require users to navigate back to the original app where the mandate was booked.
๐ก๏ธ RBI forms Q-SAFE expert committee for quantum tech preparedness: The RBI has constituted an eight-member expert committee to examine the impact of quantum computing on the financial sector. Headed by IIT Madras Professor Dr. Anil Prabhakar, the Quantum Secure and Adaptive Financial Ecosystem (Q-SAFE) panel will evaluate systemic vulnerabilities and assess industry preparedness regarding quantum-safe cryptography.
๐ Major stockbrokers secure GIFT City licences for international investing: Indian stockbrokers Groww, Zerodha, Angel One and Upstox have secured licences from the International Financial Services Centres Authority (IFSCA) to offer international equity investing through GIFT City. Groww and Upstox have received Global Access Provider licences, while Zerodha and Angel One have been authorised as broker-dealers. The approvals will allow these platforms to offer access to overseas stocks, including U.S. equities, to Indian retail investors through the Liberalised Remittance Scheme.
๐งช PFRDA launches regulatory sandbox: The Pension Fund Regulatory and Development Authority (PFRDA) has launched a regulatory sandbox framework that will allow eligible entities to test innovative pension products in a controlled environment before wider deployment. Both registered intermediaries and unregistered fintech entities can apply, though the latter face stricter conditions.
๐ค IRDAI constitutes Working Group on AI: IRDAI has constituted a seven-member Working Group on Artificial Intelligence (WG-AI), chaired by Prof. Sandeep K. Shukla (IIIT Hyderabad), to assess AI adoption, risks, governance, and resilience across the insurance sector. The working group is comprised of functionaries from the ReBIT, CERT-In, IRDAI and number of insurers. The group will recommend frameworks on ethical and explainable AI, cybersecurity, audits, stress testing, and capacity building, while reviewing global regulatory approaches and safeguarding policyholder interests and data. It will submit its recommendations within three months.
About FinTales
FinTales is Ikigai Law’s monthly fintech and digital economy newsletter. It tracks the regulatory shifts shaping India’s fintech ecosystem, from payments, digital lending, KYC, wealth-tech, insur-tech, AI in finance and data governance to product strategy, financial innovation and policy reform.
Author credits: This edition is authored by Astha Srivastava and Sidharth Chamarty, with inputs from Aparajita Srivastava.
Image credits: AI-generated
For any queries, reach out to us at contact@ikigailaw.com