Online Exclusive: Dark Patterns
Articles | Logan Wamsley | May 13, 2025

The digital revolution in the financial services industry has been exciting, but it comes with risks. One prominent risk is “dark patterns”—deceptive digital marketing tactics that result in users doing something that is not in their best interest, such as purchasing a product or service they didn’t intend to buy.
Using dark patterns can do much more than erode consumer trust in a brand or service; it can also be illegal. Legislation throughout the European Union and the UK contains global restrictions on using dark patterns. The Competition and Markets Authority, the Advertising Standards Authority, the European Commission, and the Consumer Protection Cooperation Network, among others, have recently focused on these tactics.
In the U.S., the Dodd-Frank Wall Street Reform and Consumer Protection Act and Section 5 of the Federal Trade Commission Act prohibit the use of unfair, deceptive, or abusive acts or practices in or affecting commerce. Also, 19 states have data privacy laws that address dark patterns directly. In one 2023 case, video game publisher Epic Games Inc. was fined $245 million by the FTC for using dark patterns to deter users from canceling or requesting refunds for certain in-game charges.
With high financial stakes, this is certainly a risk worth being aware of for any business that utilizes an online marketing strategy. Internal audit functions should take note.
Deceptive Financial Services Practices
In an age where user access to financial services is closely tied to websites and digital apps, the risk of design tactics trending toward dark patterns is high. Common dark pattern strategies include:
- Forced continuity. Payment schemes (such as free trials) that change suddenly.
- The “roach motel.” Services or subscriptions that are easy to sign up for but incredibly difficult to cancel or leave without charges.
- Growth hacking through spamming. The use of marketing emails to the point that they become spam.
- “Sneak into basket.” When an item appears in a checkout basket suddenly without your consent.
- Disguised ads. Ads designed to look like content navigation.
- Obscured pricing. Deliberately obscuring prices makes comparisons difficult.
One common design tactic is “dopamine design,” which incorporates psychology into user experience (UX) design philosophies — from bright colors and images to the receiving of “rewards” — to generate particular, continual responses. Even if deception was unintended, the consequences could be severe for consumers and the institution.
Consider the following dark pattern scenarios in financial services:
- A banking app that tracks user patterns nudges users who only want to check their balance into signing up for a “limited-time offer.”
- A customer who wishes to close an account must navigate a complex web of screens and instructions, when originally opening an account took seconds.
- After opening a free account, customers must pay several hidden fees buried in the fine print.
- A financial institution automatically defaults to requiring users to share personal data with third-party affiliates, without clearly explaining an opt-out process.
- A credit card company may trick a customer signing up for paperless billing into signing up for marketing emails or paid services.
- A user opening an account may have add-on services, such as fraud protection or account management services, automatically included by default, not knowing that each service carries an additional charge.
In recent years, dark patterns have become a focus for financial regulators. In 2024, the U.S. Federal Trade Commission launched a civil investigation against digital banking and financial services company Dave Inc. Investigators alleged the company deceptively claimed to provide cash advances of “up to $500 with no hidden fees” and added a tip to the total cash advance cost.
In January, the U.S. Consumer Financial Protection Bureau filed a lawsuit against Capital One for allegedly deceiving customers out of over $2 billion in interest, despite marketing materials claiming their “360 Savings” account offered the best rates possible. Capital One later introduced a new service offering better rates without notifying existing account holders. While the lawsuit was later dropped, it still serves as a warning of the potential penalties financial institutions can face if dark patterns are not properly addressed.
Dark Patterns in the Audit Universe
The risk of dark patterns exists in a unique place that blends elements of marketing, legal compliance, and IT. While a single internal auditor may be familiar with some of these elements, they may lack expertise in all areas needed to address this risk.
Andy Cook, Director of Standards and Professional Guidance at The IIA, who focuses on the financial services sector, says internal auditors facing this challenge should first familiarize themselves with the risk and its potential forms. Next, they should identify subject matter experts — either within the organization or through outsourcing — who can provide insights and support. These experts’ input, Cook says, can be invaluable in several different phases of the audit, including:
- The Risk Assessment. Identifying dark patterns in a UX design might include reviewing customer journeys, marketing practices, and user interface designs — such as button placements, color schemes, and prompt language — to identify points of concern. This review might require using heatmaps or analytics tools and the aid of a technical or design expert.
- Data Gathering. Data relevant to dark patterns will include quantitative data (such as user engagement and conversion rates) and qualitative data (such as user feedback and complaints). Additional help may be necessary to access and analyze this data, which could be substantial. Cook says data analytics tools designed for this task are highly recommended, if not strictly required.
- Policies and Procedure Reviews. A dark pattern audit should examine the organization’s policies, procedures, and guidelines regarding experience design and marketing practices. Any review will require the aid of those with experience in this field.
- Compliance Checks. As regulations surrounding dark patterns become more defined, auditors should collaborate with the legal team to ensure thorough compliance checks. These checks should cover relevant regulations, ethical standards, legal requirements, transparency, and user consent.
- Continuous Monitoring. Internal audit should collaborate with relevant stakeholders to ensure the organization has a continuous monitoring process. This process should evaluate user interfaces for emerging dark patterns, ensuring adaptability as technology and design evolve.
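One of the scenarios above, add-on services and affiliate data sharing switched on by default, is something a continuous-monitoring process can test mechanically rather than by eye. The script below is an added example, not code from the article or from The IIA: it parses a constructed account-opening form (the markup, field names and prices are assumptions made for the example) and reports every checkbox that is checked before the customer has touched it and is not a required item, which is exactly the opt-out default an auditor would want surfaced.

```python
from html.parser import HTMLParser

# Constructed sample form for the example. Field names, labels and the
# $4.99 price are assumptions; they are not taken from any real institution.
SAMPLE_FORM = """
<form action="/open-account" method="post">
  <label for="terms">I accept the account terms</label>
  <input type="checkbox" id="terms" name="terms" required>
  <label for="fraud">Add fraud protection ($4.99/month)</label>
  <input type="checkbox" id="fraud" name="fraud_protection" checked>
  <label for="share">Share my data with partner affiliates</label>
  <input type="checkbox" id="share" name="affiliate_sharing" checked>
  <label for="news">Send me product updates by email</label>
  <input type="checkbox" id="news" name="marketing_email">
</form>
"""


class FormScanner(HTMLParser):
    """Collect every checkbox in a form together with the label text tied to it."""

    def __init__(self):
        super().__init__()
        self.checkboxes = {}   # element id -> {"name", "checked", "required"}
        self.labels = {}       # element id -> label text
        self._label_for = None  # id the label currently being read points at

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as "checked" appear with value None
        if tag == "input" and a.get("type") == "checkbox":
            cid = a.get("id") or a.get("name")
            self.checkboxes[cid] = {
                "name": a.get("name", cid),
                "checked": "checked" in a,
                "required": "required" in a,
            }
        elif tag == "label":
            self._label_for = a.get("for")
            self.labels.setdefault(self._label_for, "")

    def handle_endtag(self, tag):
        if tag == "label":
            self._label_for = None

    def handle_data(self, data):
        if self._label_for is not None:
            self.labels[self._label_for] += data.strip() + " "


def preselected_optional_consents(html):
    """Return (field name, label text) for each checkbox that is checked by
    default but not marked required: a choice made for the customer rather
    than by the customer. Required legal acknowledgements are left out."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for cid, box in scanner.checkboxes.items():
        if box["checked"] and not box["required"]:
            findings.append((box["name"], scanner.labels.get(cid, "").strip()))
    return findings


if __name__ == "__main__":
    for name, label in preselected_optional_consents(SAMPLE_FORM):
        print(f"pre-selected optional consent: {name!r} ({label})")
```

Run against the sample form, the scan reports the fraud-protection add-on and the affiliate data-sharing box and ignores the required terms acknowledgement and the unchecked marketing box. The check covers only this one pattern; it reads static markup, so a form assembled by client-side script has to be captured from the rendered DOM first, and a pre-checked box is a finding to review with the design and legal teams, not by itself a conclusion.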
Bringing Patterns to Light
While it may seem obvious that a financial institution should avoid deceptive practices, the line between clever, effective UX design and dark patterns is not always clear. As automation and artificial intelligence become critical elements in digital design, that design can easily slide into underhanded, manipulative practices that prioritize productivity over ethics.
As the organization’s main assurance provider against risk, internal audit represents the final check on these practices to ensure human judgment is not lost in the great technological race. Some things, like a commitment to ethical standards, no machine will ever fully replicate.