The Reserve Bank of India (RBI) has issued directions for digital lending aimed at regulating digital lending activities by all regulated entities (REs), including banks, non-banking finance corporations (NBFCs), and cooperative banks. This comprehensive overhaul of digital lending regulations is a proactive move by the RBI to curb malpractices, enhance transparency, and reinforce accountability within the fast-growing fintech lending space. It strengthens the rights of borrowers while holding regulated lenders and third-party platforms to higher standards of conduct and compliance.
“Certain concerns had emerged around the methods of designing, delivering and servicing digital credit products, which if not mitigated, may impact the borrower’s confidence in the digital lending ecosystem. The concerns primarily relate to unbridled engagement of third parties, mis-selling, breach of data privacy, unfair business conduct, charging of exorbitant interest rates, and unethical recovery practices,” RBI said in a statement.
“To address these concerns, pursuant to the recommendations made by the “Working Group on Digital Lending”, the Reserve Bank has, from time to time, issued guidelines to its regulated entities on digital lending. These directions consolidate the earlier instructions along with certain new measures for arrangements involving Lending Service Providers partnering with multiple regulated entities…” the RBI added.
The RBI defines digital lending as a fully online and automated process that uses digital tools to handle everything from finding customers and checking their creditworthiness to approving loans, sending funds, collecting repayments, and providing customer support. Digital Lending Apps (DLAs) are mobile or web-based applications that offer these services. These apps can either be run directly by regulated financial institutions (REs) or by Lending Service Providers (LSPs) working on their behalf. DLAs must follow RBI’s rules on outsourcing when they are operated by third parties.
An LSP is a third-party service provider or even another RE that assists in one or more steps of the digital lending process, like onboarding customers, evaluating credit, handling repayments, or managing recoveries, under the supervision of the RE and in line with RBI’s outsourcing regulations.
India’s central bank, as empowered by law, plays a central role in managing the nation’s credit framework to promote its overall economic well-being. As part of this responsibility, the RBI actively supports developing and adopting innovative financial systems, credit products, and delivery mechanisms. This is done to foster sustainable growth, uphold financial stability, and safeguard the interests of depositors and borrowers.
In recent years, the rapid rise of digital lending has raised several regulatory and consumer protection concerns. Issues such as excessive involvement of unregulated third parties, deceptive sales practices, violations of data privacy, unfair lending conditions, high interest charges, and aggressive recovery tactics have come to light. If left unchecked, these practices pose a risk to the credibility and trustworthiness of the digital lending environment.
To mitigate these risks and promote responsible lending practices, the RBI has issued several guidelines over time. These measures are based on the recommendations of the “Working Group on Digital Lending”, which examined and addressed challenges within the sector. The guidelines aim to provide greater oversight and regulatory clarity to the digital lending operations of RBI-regulated entities.
The new directions
According to the new RBI guidelines, all regulated financial institutions must collect key financial details from borrowers, such as their age, job, and income, before giving out any loans. This information helps assess the borrower’s ability to repay and must be recorded for future audits.
REs are not allowed to increase a borrower’s credit limit automatically. Any such increase must be requested by the borrower, reviewed by the RE, and properly documented.
Once a loan is approved, REs must send all important documents—like the Key Fact Statement (KFS), loan summary, approval letter, terms and conditions, account statements, and data privacy policies—to the borrower’s verified email or phone via SMS.
The RBI also requires regulated financial institutions to maintain an up-to-date public website, clearly displaying information about their digital lending products, associated LSPs, customer service details, links to complaint portals, and privacy policies—all in one easy-to-find place.
If a borrower misses payments and a recovery agent is assigned (or replaced), the regulated entity must inform the borrower through email or SMS before the agent reaches out for loan recovery.
The RBI guidelines state that loans must always be credited directly to the borrower’s bank account, except in a few specific cases allowed by regulations, like co-lending between REs or disbursement to a verified end-use beneficiary. Under no circumstances should funds be transferred to third-party accounts, including those of LSPs, unless explicitly allowed.
Borrowers must repay loans directly to the RE’s bank account. No third party, including LSPs, should be involved in handling the repayment process or controlling the flow of money. Finally, any fees or charges due to an LSP must be paid by the RE. LSPs are not allowed to charge or collect any amount directly from borrowers.
Cooling-off period
The RBI’s digital lending guidelines require digital lenders to offer a “cooling-off period,” allowing borrowers to cancel their loan without penalty. During this time, the borrower can exit the loan by repaying only the principal amount and the interest (APR) for the period used. This grace period must last at least one day, and the lender’s Board decides the exact duration as part of its loan policy.
If a borrower chooses to keep the loan after this period, they can still repay it early according to existing RBI rules.
Lenders (REs) may charge a reasonable one-time processing fee if a borrower cancels during the cooling-off period. If this fee applies, it must be clearly mentioned upfront in the Key Fact Statement (KFS).
To handle complaints, the RE and any Lending Service Provider interacting with the borrower must appoint a nodal grievance redressal officer to address digital lending issues. Their contact details must be clearly displayed on the websites of the RE, the LSP, the DLA, and also included in the KFS. Borrowers must be able to submit complaints directly through the app (DLA) and the official websites. However, the final responsibility for resolving complaints remains with the RE, even if an LSP is involved.
Data security
The RBI has set clear rules for collecting, using, or sharing borrower data. Lenders (REs) must ensure that their DLAs and those of their LSPs only collect data that is necessary and with the borrower’s clear and prior consent. This consent must be properly recorded for audit purposes. These apps must not access a borrower’s phone features like contacts, call logs, files, media, or telephony functions. However, one-time access to features like the camera, microphone, or location can be allowed only for things like Know Your Customer (KYC) verification—and only if the borrower gives explicit permission.
Borrowers must be given clear options to allow or deny the use of specific data, limit how their data is shared with third parties, revoke permission already granted, and request the deletion or removal of their data from RE/LSP systems. At every stage of interaction, the purpose for collecting data must be explained to the borrower. A borrower’s explicit consent is required before any personal data is shared with third parties—unless it’s legally required by regulations or law.
The RBI guidelines also mandate that regulated entities (REs) must ensure that any Lending Service Providers they work with do not store borrowers’ personal data, except for a minimal set of basic information such as name, address, and contact details. This limited data can only be retained if it is essential for the services provided under the RE-LSP agreement.
The RE is fully responsible for the ongoing privacy and security of the customer’s personal data, even when handled by third parties. REs must also create and publicly share clear data storage policies that cover what type of customer data can be stored, how long the data can be retained, how the data can and cannot be used, guidelines for securely deleting the data, as well as steps to follow in case of a data breach.
RBI’s digital lending guidelines state that storing or collecting biometric data, like fingerprints or facial scans, is strictly prohibited for both REs and LSPs, unless permitted by law. Additionally, all customer data must be stored on servers located in India. If any data is processed outside the country, it must be removed from servers outside India, transferred back, and stored in India within 24 hours. These rules are designed to protect customer privacy and ensure the secure handling of personal data in digital lending processes.
Under RBI’s new guidelines, all regulated entities and lending service providers must have a clear and detailed privacy policy. This policy must follow all relevant laws, regulations, and RBI guidelines and be publicly available on their websites.
If any third parties are permitted to collect personal data through Digital Lending Apps, their details must be clearly mentioned in the privacy policy.
REs must also ensure that they and their LSPs follow RBI’s cybersecurity standards and any other technical and security requirements issued by authorized agencies. These measures help protect customer data and ensure secure digital lending practices.