Fintech Deep Dive — Friday | June 19, 2026
Theme: Policy & Regulation
This week has been one of the most consequential for Indian fintech regulation in 2026. The RBI dropped a regulatory triple-bomb on June 15 alone: a sweeping anti-mis-selling framework with an explicit dark-pattern ban, a consolidated payment system authorisation master direction introducing perpetual approvals, and an ongoing governance consolidation exercise. Combined with a landmark e-mandate framework issued in April that continues to reshape recurring payments, and a wave of IPO filings that signal maturing regulatory compliance in the sector, this week’s deep dive covers five major regulatory stories.
1. RBI Bans Compulsory Bundling and Dark Patterns in Financial Product Sales
Date: June 15, 2026 | Press Release: 2026-2027/460 | Effective: January 1, 2027
The RBI issued comprehensive Amendment Directions on Advertising, Marketing and Sale of Financial Products and Services by Regulated Entities, spanning 17 parallel notifications covering every category of regulated entity — from commercial banks and NBFCs to co-operative banks and housing finance companies. The framework was first announced in February 2026, with draft directions published for consultation, and the final version was issued on June 15 with a six-month implementation runway.
What Changed
Compulsory bundling is now legally defined and banned. The RBI defines “compulsory bundling” as the practice of making the availment of one product or service conditional upon purchasing another — whether the bank’s own or a third-party product. If insurance is mandatory with a home loan (as Finance Minister Nirmala Sitharaman herself questioned), the customer must still have the option to buy it from any provider, not just the bank’s preferred partner.
Eleven dark patterns are explicitly prohibited. In what is arguably the most detailed dark-pattern ban in global financial regulation, the RBI named and defined 11 specific practices:
- False urgency — countdown timers, “Offer Ends Soon” tricks
- Basket sneaking — adding hidden charges at checkout
- Confirm shaming — guilt or fear to push products
- Forced action — requiring signups for unrelated services
- Subscription trap — hiding cancellation options
- Interface interference — steering users with visual design tricks
- Bait and switch — delivering a different product than advertised
- Drip pricing — hiding fees until late in the process
- Disguised advertisement — masking ads as content
- Nagging — repeated prompts despite prior rejection
- Trick wording — vague language, double negatives in consent forms
Explicit consent is now the gold standard. Banks must obtain “specific, informed and unambiguous” consent — no pre-ticked boxes, no silence as consent. Default consent must be “No.” Consent may be obtained through physical/digital signatures, OTP-based approval, digitally recorded confirmations, or clearly demarcated consent sections.
Mis-selling liability is shifted. A product can still be deemed mis-sold even if the customer consented, if it is not suitable for their profile. Banks must assess product characteristics (complexity, risk-return, fees, horizon) against customer characteristics (age, income, financial literacy, risk tolerance). Banks must seek customer feedback within 30 days of sale. If mis-selling is found, full refund plus compensation is mandatory.
Analysis
This is arguably the most consumer-protection-heavy regulation the RBI has ever issued for product distribution. A LocalCircles survey found that 57% of respondents encountered basket sneaking on banking platforms, 51% experienced forced action, and 46% faced nagging — suggesting these were endemic practices, not edge cases.
The six-month lead time is notably generous, suggesting the RBI expects significant system and process changes across the banking ecosystem. For fintechs distributing third-party products (insurance, mutual funds) through bank partnerships, the compliance implications are particularly acute — the entire agency/referral model is now governed by tighter Undertaking of Financial Services Directions issued simultaneously.
2. RBI Overhauls Payment System Authorisation with Perpetual Approvals
Date: June 15, 2026 | Legal Basis: Payment and Settlement Systems Act, 2007
On the same day as the anti-mis-selling framework, the RBI issued Master Directions on Authorisation to Operate a Payment System — the foundational authorisation framework governing how entities get (and keep) permission to run payment systems in India.
Key Changes
Perpetual authorisation for new applicants. For the first time, new payment system operators will receive perpetual validity on their Certificate of Authorisation, replacing the previous system of time-limited approvals requiring periodic renewal. This is a significant structural shift: payment systems are now treated as infrastructure (like telecom licences) rather than activities needing periodic re-approval.
Existing operators get perpetual on renewal. Currently authorised PSOs may receive perpetual validity upon renewal, subject to compliance and absence of supervisory concerns. Those not meeting the bar get one-year renewals until they come into compliance.
On-tap applications via RBI portal. Authorisation is available on a continuous, on-tap basis — no more waiting for specific windows. Applications must meet capital requirements, net-worth norms verified by statutory auditor certificates, and “fit and proper” criteria covering integrity, financial soundness, and regulatory compliance for entities, promoters, and promoter groups.
FATF grey-list restrictions. New investors from Financial Action Task Force non-compliant jurisdictions cannot acquire significant influence in PSOs, and aggregate fresh investments from such jurisdictions must stay below 20% of voting power. This is a direct response to concerns about money laundering and regulatory arbitrage through opaque ownership structures.
One-year cooling-off period for entities whose authorisation is revoked, not renewed, voluntarily surrendered, or rejected — they cannot reapply for 12 months.
Analysis
The shift to perpetual authorisation is a strong signal that the RBI views well-regulated payment systems as essential infrastructure rather than as activities that must be re-approved through periodic renewals. It will reduce compliance costs for operators and provide greater certainty for investors.
However, the perpetual model comes with a catch — the RBI can always impose conditions, and supervisory concerns can still trigger enforcement. This is the “trust but verify” approach: reduce administrative burden, increase substantive oversight.
For fintech startups seeking payment system licences, the on-tap model and perpetual validity are a major improvement in the ease of doing business. But the FATF restrictions and fit-and-proper criteria remain significant gatekeepers.
3. E-Mandate Framework 2026: The Consolidation of Recurring Payment Rules
Issued: April 21, 2026 | Circular No: RBI/DPSS/2026-27/396 | Status: In effect
While issued in April, the e-mandate framework continues to reverberate through the fintech ecosystem and intersects with this week’s regulatory activity. The framework consolidated eight separate circulars issued between 2019 and 2024 into a single, technology-neutral code governing all recurring digital payments.
What It Does
Single framework, all instruments. The 2026 Framework applies uniformly to cards, UPI, and prepaid payment instruments (PPIs), covering both domestic and cross-border recurring payments. The technology-agnostic approach means it will apply to future payment rails as well.
Four pillars of consumer control:
- Registration and Authentication — E-mandates must be registered after successful Additional Factor Authentication (AFA), with the mandate’s validity period clearly communicated.
- Transaction Limits and AFA Thresholds — Codified tiered AFA thresholds based on transaction value, calibrated to risk.
- Pre and Post-Debit Notifications — Issuers must send pre-transaction notifications at least 24 hours before each debit, including merchant name, amount, date/time, mandate reference, and reason. Post-debit confirmations are also mandated.
- Dispute Resolution and Opt-Out — Customers can pause, modify, or cancel mandates at any time. Clear dispute-resolution expectations are set for issuers and payment system providers.
The Fraud Context
The framework was driven by an alarming increase in digital payment fraud: approximately 28 lakh fraud cases totalling ₹22,931 crore were reported in 2025, compared to just 2.6 lakh cases worth ₹551 crore in 2021 — a tenfold increase in volume and fortyfold in value over four years. The RBI acknowledged that “a typical fraud through digital payments may not involve technical compromise of systems, but mostly through manipulation of users through social engineering, coercion, or impersonation.”
The February 2026 Discussion Paper on digital payment safety proposed additional measures — a one-hour wait for first payments to new beneficiaries, “trusted person” approval for customers aged 70+, and a “kill switch” to instantly block all outgoing digital transactions. These proposals remain under consideration and could become binding later this year.
Analysis
For fintechs built on subscription models — OTT platforms, SaaS, insurance premiums, SIPs — the e-mandate framework is the regulatory backbone of their business. The standardisation is welcome, but the compliance engineering required to meet the 24-hour pre-debit notification requirement across multiple payment instruments is non-trivial.
The framework also strengthens the RBI’s position that customer control is paramount in recurring payments, even when customers have explicitly signed up. The “anytime cancel” provision means fintechs need robust mandate lifecycle management systems.
Sources:
- Mondaq/Khaitan & Co — Legal Analysis
- KPMG India — Framework Summary (PDF)
- RBI Discussion Paper on Digital Payment Safety
4. RBI Proposes Governance Consolidation for Banks and NBFCs
Date: June 10–11, 2026 | Status: Draft — Open for Public Comments
In a separate but related move, the RBI issued draft Governance Directions proposing to harmonise and consolidate instructions on control and assurance functions (compliance, risk management, and internal audit) across all regulated entities. This is part of the broader “consolidation exercise” announced in the RBI’s April 2026 developmental policy statement.
Key Proposals
Standardised CRO/CCO/HIA framework. The draft provides unified instructions for Chief Risk Officers, Chief Compliance Officers, and Heads of Internal Audit — covering appointment conditions, eligibility criteria, reporting lines, and functional independence. Notably, specific minimum experience years and age limits (previously 15 years’ experience and age 55 for CCOs) are removed in favour of “adequate domain knowledge and relevant experience commensurate with the size, complexity, and risk profile of the bank” as determined by internal policy.
Employer-employee relationship mandatory. Consultants, advisors, or part-time individuals cannot hold these designations — they must be on the rolls or have a contractual employer-employee relationship.
Group-level oversight optional. Banks that are part of a group with multiple financial entities may appoint a Group CRO and Group CCO for coordination, though this is not mandatory.
Periodic external review required. Risk management, compliance QAIP, and internal audit functions must undergo periodic external review for benchmarking. For NBFCs, this is limited to risk management for NBFC-UL entities only.
“Comply or explain” for foreign banks. Foreign banks may deviate from requirements by submitting reasonable explanations with prior approval — a pragmatic concession for banks operating under different home-country governance structures.
Quarterly board meetings without senior management — a new requirement to ensure independent board oversight of control functions.
Dual-hatting ambiguity. Notably, the draft does not explicitly prohibit the same person from holding both CCO/CRO and HIA roles, though it requires independence and conflict-free operation. Legal commentators have flagged this as potentially problematic since internal audit is expected to independently evaluate risk management and compliance.
Analysis
This consolidation is part of a pattern — the RBI is moving from circulars scattered across decades to codified, unified directions. For the NBFC sector in particular, which has seen 150+ registration cancellations in May 2026 alone, these governance requirements signal that the era of light-touch regulation is definitively over.
The removal of rigid eligibility criteria in favour of internal policy-determined standards gives banks flexibility but shifts accountability to boards — which will need to defend those policies to supervisors.
Sources:
- Vinod Kothari Consultants — Draft Analysis (Banks)
- Vinod Kothari Consultants — Draft Analysis (NBFCs)
- TaxGuru — Summary
5. Mega Fintech IPO Week: NSE and Razorpay Signal Regulatory Maturity
Dates: June 17–18, 2026
While not a regulatory action per se, this week’s IPO filings from two of India’s most important financial infrastructure companies have significant regulatory implications.
NSE Files DRHP
The National Stock Exchange filed its Draft Red Herring Prospectus for an initial public offering, offering up to 148.9 million equity shares through a 100% offer for sale. NSE commands 93% of India’s cash market, nearly 100% of equity futures trading, and approximately 75% of equity options trading. The filing comes years after a prolonged regulatory and governance review process.
Razorpay Files Confidential DRHP
Fintech unicorn Razorpay filed its draft IPO papers through the confidential pre-filing route, targeting a raise of up to $600 million (approximately ₹5,000 crore). If successful, this would rank among the largest fintech IPOs in India. Razorpay processes payments for millions of businesses across India and has been a cornerstone of the digital payments infrastructure.
Regulatory Implications
Both filings signal that India’s regulatory framework has matured to the point where both a legacy exchange (NSE) and a new-age fintech (Razorpay) can pursue public listings with confidence. The NSE’s filing, in particular, represents the culmination of years of co-broking and governance concerns that had delayed its IPO plans.
For the broader fintech ecosystem, Razorpay’s IPO path will be watched closely as a template for other fintech unicorns (PhonePe, CRED, Groww) considering public markets. The confidential filing route suggests the company is being prudent about competitive disclosure, a trend the SEBI framework now accommodates.
UPI-Enabled Credit at Finnext Summit
At the ETBFSI 5th Finnext Summit 2026, industry leaders discussed UPI-enabled credit as the next frontier for MSME lending, emphasising that scaling depends on NBFC access and disciplined underwriting. Pine Labs also launched P3P (Pine Labs Payment Protocol), India’s first autonomous agentic payment protocol on UPI — allowing AI agents to make payments without human MPIN intervention. While still early, this represents the regulatory frontier: when machines can autonomously transact, consent and authentication frameworks will need to evolve further.
Sources:
- NSE DRHP (BSE Filing)
- CNBC — NSE IPO Coverage
- Elets BFSI — Razorpay IPO
- ETBFSI — UPI-Enabled Credit Summit
This Week’s Regulatory Scorecard
| Story | Date | Regulatory Body | Impact Level |
|---|---|---|---|
| Anti-mis-selling & dark patterns ban | Jun 15 | RBI | 🔴 High — affects all banks and NBFCs |
| Payment system perpetual authorisation | Jun 15 | RBI | 🟡 Medium — structural but evolutionary |
| E-mandate framework consolidation | Apr 21 (ongoing) | RBI | 🔴 High — affects all recurring payments |
| Governance consolidation draft | Jun 10–11 | RBI | 🟡 Medium — draft stage, but signals direction |
| NSE + Razorpay IPO filings | Jun 17–18 | SEBI | 🟢 Positive — signals market maturity |
Published by Cashless Consumer — tracking India’s digital public infrastructure and fintech ecosystem.