Jun 20, 2026

When a Signature Is Not Consent: Mis-selling, Suitability and the New RBI Responsible Business Conduct Regime for NBFCs

An analysis of the Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Second Amendment Directions, 2026 [RBI/2026-27/123; DOR.MCS.REC.No.102/01-01-039/2026-27] dated June 15, 2026, effective January 1, 2027.

1. A story that the regulator has finally answered

A sixty-year-old woman walks into her bank branch to make a routine deposit. A relationship employee recognises her, strikes up a friendly conversation, and within minutes is “helping” her with an insurance product. A stack of forms is placed in front of her. She signs where she is told to sign. Nobody reads the documents to her; nobody asks what she earns, what she already owns, or what she is trying to achieve. She leaves believing she has been looked after.

Months later the insurer calls: her bank balance is too low and last year’s premium has bounced. She returns to the branch. The employee has been transferred. Only now does she learn what she actually bought — a term life insurance policy carrying an annual premium of ₹1,00,000 payable for ten years. She is sixty. She has a daughter of marriageable age. A pure term plan — which pays out only on death and builds no cash value — is close to the least suitable product imaginable for her circumstances. When she approaches the insurer, she is told the policy was signed by her, there is no provision for roll-back, and the premium already paid will not be refunded.

Until now, the honest answer we could give her was uncomfortable: a signature is treated as consent, and consent is treated as the end of the conversation. The product was sold, the documents were executed, and the regulatory architecture offered her very little.

That answer is changing. The RBI’s Second Amendment Directions, 2026 on Responsible Business Conduct do something the Indian regulatory framework has rarely done so explicitly: they say, in effect, that a signature obtained without suitability, without disclosure and without genuine understanding is not a defence; it can itself be mis-selling.

A word on regulatory overlap

The facts above involve a bank selling a third-party insurance product, which engages the banking conduct framework and IRDAI’s rules — not, strictly, these NBFC Directions. We have deliberately kept the story as it happened, because its value here is illustrative: it is the archetypal mis-selling fact pattern that regulators across the financial sector are converging to address.

The conduct is policed on three overlapping fronts:

  • For NBFCs — by the new Chapter IIIA inserted by these very Directions (the subject of this article);
  • For banks — by RBI’s master directions and fair-practices framework governing the sale of third-party products at branches; and
  • For the insurance product itself — by IRDAI’s regulations on suitability, free-look and intermediary conduct.

The amendment we analyse below tells us precisely what an NBFC must do so that this story never reaches its bitter ending. Read the case as a mirror: every failure in it now has a named obligation on the other side.

2. The definitions that change everything

Compliance officers should start here, because the amendment’s force lies in five new or sharpened definitions in paragraph 6. They convert vague expectations into enforceable standards.

“Mis-selling” is now defined, not merely deprecated. The sale of any financial product or service — own or third-party — is mis-selling where it is:

  1. neither suitable nor appropriate to the customer’s profile assessed at the time of sale — notwithstanding her explicit consent;
  2. made without correct or complete information, or on misleading information;
  3. made without the customer’s explicit consent;
  4. effected through compulsory bundling of another product with the one requested; or
  5. anything else a financial-sector regulator labels as mis-selling.

The single most important words in the entire amendment are in limb (i): notwithstanding her / his explicit consent. This is the regulator’s direct answer to “but she signed it.” A signature on an unsuitable product does not cure the mis-selling — it is mis-selling.

“Explicit consent” means a specific, informed and unambiguous indication of choice, given through a duly recorded statement or clear affirmative action. A pre-ticked box, a buried clause, or a signature obtained while the customer’s attention is elsewhere is, by definition, not explicit consent.

“Compulsory bundling”: making one product conditional on taking another is named and, in the third-party context, largely prohibited.

“Dark pattern”: deceptive interface or design that subverts the customer’s autonomy or choice is imported wholesale into NBFC regulation, with eleven illustrated species set out in the new Annex III (false urgency, basket sneaking, confirm shaming, forced action, subscription traps, interface interference, bait-and-switch, drip pricing, disguised advertisements, nagging and trick wording).

“DSA / DMA, DSA/DMA sub-agent and TPPS”: the people and products at the point of sale are now defined and pulled squarely inside the NBFC’s accountability, irrespective of the contractual label used (Loan Service Provider, etc.). An NBFC can no longer disown conduct by pointing at an agent’s job title.

3. Mapping the case study to the new obligations

The most useful exercise for a client is to take a real failure and show, line by line, which provision now prevents it. Here is our customer’s experience set against Chapter IIIA (read as if an NBFC, rather than a bank, had distributed the policy):

| What went wrong in the story | The provision that now governs it |
| --- | --- |
| A term plan with a ₹1 lakh × 10-year commitment sold to a 60-year-old with a dependent daughter — manifestly unsuitable | 101P — suitability & appropriateness must be assessed against age, income, financial literacy, risk tolerance, time horizon, fee structure before sale; selling regardless is mis-selling under 6(9A)(i) even with consent. |
| Documents signed but never read or explained | 6(4A) explicit (informed) consent; 101H prominent disclosure of key features, charges, financial commitment, lock-in and exit terms; 101R documents in a language the customer understands. |
| No real explanation of premium, tenure or what the product even was | 101N(1)–(2) upfront disclosure of fees/terms; 101Q application form must prominently state the nature of the product (insurance, hybrid, etc.) and its features. |
| Customer unaware she had even bought a policy until the premium bounced | 101S acknowledgement of application on a secure medium; 101T signed copy of terms to be handed to the customer on completion of sale. |
| Employee transferred; no one to turn to; insurer refused to listen | 101S/101T require contact details and grievance routes; 101Z gives the customer a defined channel and timeline to complain of mis-selling. |
| “Policy was signed by you — no roll-back, no refund” | 101Z — where mis-selling is established, the NBFC must refund the entire amount paid, intimate cancellation, and compensate the customer for any loss as per its approved policy. |
| Possibility that the employee earned a commission for pushing the product | 101U — policies and practices must not create incentives for mis-selling; no incentive may flow to employees from the TPPS Provider for selling third-party products. |
| Customer’s understanding never checked after the sale | 101Y — mandatory feedback mechanism within 30 days of sale to confirm the customer understood the product and its risks. |

4. The compliance architecture, walked through

4.1 Policy and governance (101A–101B)

Every covered NBFC must adopt a board-approved comprehensive policy for advertising, marketing and sale of own and third-party products. The policy must cover, at minimum, the criteria for determining suitability and appropriateness, a feedback mechanism, and customer compensation for mis-selling. Where DSAs/DMAs are used, the policy must additionally address their eligibility, pre- and post-engagement due diligence, sub-agent training, permitted functions, performance standards, audit, and penal action for non-compliance. 

Practical takeaway: this is not a tweak to an existing fair-practices code (‘FPC’); NBFCs selling third-party products will need a new, standalone policy document.

4.2 Engagement and visibility of DSAs/DMAs (101C–101F)

The NBFC must publish and maintain on its website an up-to-date list of all DSAs/DMAs (type, address, engagement period, products handled), updated within seven calendar days of any change. Employees and sub-agents selling regulated products must hold any qualification/certification the relevant regulator prescribes. Any sub-agent or TPPS representative physically present in NBFC premises must be visibly distinguishable from employees, with clear “on-person” identification — a direct strike at the “friendly bank employee” ambiguity in our story. A Code of Conduct for sales and marketing must bind employees, DSAs/DMAs, sub-agents and TPPS representatives alike, be backed by written undertakings, carry contractual penal provisions, and be displayed on the website.

4.3 Consent — the heart of the regime (101G–101I)

Products may be sold only with explicit consent, captured through a signed declaration, OTP, recorded confirmation, or a clearly demarcated consent section. Where one form covers multiple products, each must be separately enumerated and the customer must be able to choose only what they want. Crucially, consent flows must be designed so the customer cannot consent without passing through the terms and conditions, and the default choice must be “No / I do not agree.” Consent records must be preserved until one year after the contract ends. Pre-ticked, all-in-one consent forms are now non-compliant by design.

Practical takeaway: Where the customer is illiterate (i.e. not able to read and write), financial companies will need to find a way to establish that an informed decision was made and consent obtained from such customers. Further, consent must be followed by disclosure of the MITC and KFS of the products being sold to customers.

4.4 Advertising and marketing conduct (101J–101O)

An NBFC must never present a third-party product as its own and must clarify its role. Promotional material must be clear, factual and disclose interest rates and charges. Promotional communications require prior explicit opt-in, with easy unsubscribe and respect for “Do Not Disturb.” Sales staff and agents must make upfront disclosure, communicate terms, contact customers only between 09:00 and 19:00 absent specific request, respect privacy, not visit homes/offices without consent, and must not mislead or coerce or make false commitments. Agents may not misrepresent themselves as NBFC employees.

4.5 Suitability, documentation and prevention of mis-selling (101P–101X)

Beyond the suitability test in 101P, the NBFC must use product-specific application forms that name the product’s nature and features (101Q), provide documents in a comprehensible language (101R), acknowledge applications (101S), and hand over the signed agreement (101T). On prevention: no incentive structures that encourage mis-selling and no commissions from TPPS providers to staff (101U); no compulsory bundling of third-party products, and where a third-party product is genuinely needed as a risk mitigant, the customer must be free to buy it from any provider (101V); no funding the purchase out of a sanctioned loan without explicit consent (101W); and no dark patterns, with mandatory user-testing and periodic internal audit of interfaces, plus adherence to the CCPA’s Dark Patterns Guidelines, 2023 (101X, read with Annex III).

4.6 Feedback and compensation — the customer’s new remedy (101Y–101Z)

This is the part that would have rescued the woman in our story. The NBFC must run a feedback mechanism within 30 days of every sale, i.e. random call-backs or surveys by a team independent of sales, to confirm the customer actually understood the product and its risks, with half-yearly review of findings feeding back into product design. And the remedy has teeth: a customer may complain of mis-selling within the regulator-specified timeline, or within 30 days of receiving the signed agreement where none is specified. Where mis-selling is established, the NBFC must refund the entire amount paid, cancel the sale, and compensate the customer for any resulting loss. The “no roll-back, no refund” wall our customer hit is, for NBFC-distributed products, dismantled.

Practical takeaway: Where the customer establishes that the product was mis-sold to him, the question is how the insurance company would deal with the situation, since once the premium is paid the insurance company is not liable to pay it back to the insured person. In such a situation, the NBFC is liable to pay the customer not only the premium so paid but also the compensation amount. The NBFC is liable not only towards the customer but also towards the insurance company that lost that customer’s future premiums, and may be liable to refund the commission, if any, paid to it.

An action checklist before January 1, 2027

For client NBFCs, we would sequence the work as follows:

  1. Gap-assess existing fair-practices, outsourcing and sales policies against Chapter IIIA, and draft a board-approved Advertising, Marketing & Sale Policy covering suitability criteria, feedback and a mis-selling compensation policy.
  2. Design and document a suitability/appropriateness framework (data capture, scoring, audit trail) for all non-“suitable-for-all” products.
  3. Re-engineer consent — default-“No”, per-product enumeration, mandatory T&C walkthrough, OTP/recorded capture, and one-year-post-contract record retention.
  4. Rebuild application forms and disclosures — product-specific forms, KFS/MITC where prescribed, language accessibility, acknowledgements and signed-copy delivery.
  5. Clean up the DSA/DMA chain — website list with 7-day refresh, certification verification, on-person ID, Code of Conduct with undertakings and contractual penalties.
  6. Strip mis-selling incentives — remove volume-linked pressure and any TPPS-to-staff commissions; end compulsory bundling; ensure loan-funded purchases require explicit consent.
  7. Audit interfaces for dark patterns against Annex III and the CCPA Guidelines, 2023; institute user-testing and periodic internal audit.
  8. Stand up an independent feedback and grievance function for 30-day post-sale verification and half-yearly reporting.
  9. Map overlapping regulators (TRAI/DoT, SEBI, IRDAI, PFRDA) for each product line and align contracts with TPPS providers accordingly.
  10. Train every employee, agent and sub-agent on the new Code of Conduct and obtain undertakings.

Conclusion

The woman in our story was failed not by the absence of her signature but by the presence of it — treated as the end of every question instead of the beginning of a duty of care. The RBI’s Second Amendment Directions, 2026 rewrite that logic for NBFCs. By defining mis-selling, by insisting that suitability survives consent, by demanding informed, default-off consent, by owning the agent chain, and above all by attaching a refund-and-compensation remedy to established mis-selling, the regulator has built a regime designed to catch precisely the harm that, until now, slipped through.

For NBFCs, the message is unambiguous: the cost of an unsuitable sale is no longer borne only by the customer. For advisers and compliance teams, the months to January 1, 2027 are best spent turning Chapter IIIA from a circular into a working set of policies, systems, contracts and habits — so that the next sixty-year-old who walks in to make a deposit walks out with nothing she did not knowingly choose.

This article is prepared for general information and awareness. It is not legal advice. NBFCs should obtain specific advice on the application of the Reserve Bank of India (NBFC – Responsible Business Conduct) Second Amendment Directions, 2026 to their particular products, channels and arrangements.

AUTHORED BY

Mr. Nitesh Latwal

Associate Partner

FCS, LLB

nitesh@indiacp.com

+91 11 40622249

Ms. Komal Jaspal

Associate

ACS

komal@indiacp.com
