What Are the RBI’s New Guidelines for Digital Lending in India?

Posted by Written by Naina Bhardwaj Reading Time: 5 minutes

The Reserve Bank of India (RBI) recently announced a new regulatory framework for digital lenders in India – to be implemented with immediate effect. As per the new guidelines, digital lending businesses can only be carried out by entities regulated by the central bank or those permitted under law. The RBI’s intervention comes following the concerns over credit delivery through digital lending methods in India and addresses sticky issues like unchecked involvement of third parties, mis-selling breach of data privacy, unfair business conduct, charging exorbitant interest rates, and unethical recovery practices.


In its bid to alleviate concerns arising from credit delivery through digital lending methods, the Reserve Bank of India (RBI) has introduced a regulatory framework for digital lending platforms. Through the guidelines released on August 10, 2022, the RBI has tightened rules by specifying that the lending business can only be carried out by entities regulated by the central bank or those permitted under Indian law.

The primary objective of the new norms is to address concerns related to unrestrained engagement of third parties, mis-selling breach of data privacy, unfair business conduct, charging of exorbitant interest rates, and unethical recovery practices.

It must be noted that the RBI had constituted a Working Group on “Digital lending including lending through online platforms and mobile apps” in January, 2021 and this new regulatory framework has been proposed by the same. While some recommendations made under the framework have been accepted for immediate implementation, there are others which have been given in-principle approval but need further investigation. Some recommendations have been put on hold, awaiting a wider stakeholder engagement.

Who are digital lenders?

The RBI has categorized digital lenders into three groups:

  • Entities which are regulated by the RBI and are permitted to carry out lending business.
  • Entities which are authorized to carry out lending as per other statutory or regulatory provisions but not regulated by RBI.
  • Entities lending outside the purview of any statutory or regulatory provisions.

Which category of digital lenders have to comply with the new regulatory framework?

The new regulatory framework focuses on the digital lending ecosystem of RBI’s Regulated Entities (REs), and the Lending Service Providers (LSPs) engaged by them to extend various permissible credit facilitation services.

For entities that are authorized to carry out lending based on other statutory or regulatory provisions but are not regulated by the RBI, the concerned regulator may consider formulating or enacting appropriate rules and regulations on digital lending based on the recommendations of the RBI’s Working Group.

For unregulated entities, the Working Group has suggested specific legislative and institutional interventions for consideration by the Central Government to curb the illegitimate lending activity being carried out by such entities.

What are the new regulations for eligible digital lenders in India?

Recommendations for immediate implementation

Customer protection and conduct requirements

  • REs must ensure that all loan servicing, repayment, etc., shall be executed directly in their bank account without any pass-through account/ pool account of any third party. The disbursements shall always be made into the bank account of the borrower.
  • For borrowers who only have a prepaid payment instruments (PPI) account, and not a bank account, loans can be disbursed fully in KYC compliant PPIs.
  • REs must ensure that any fees, etc. payable to LSPs is paid directly by them (REs) and are not charged by LSP to the borrower directly.
  • All-inclusive cost of digital loans as an Annual Percentage Rate (APR) must be disclosed upfront by REs.
  • REs shall ensure that they and the LSPs engaged by them shall have a suitable nodal grievance redressal officer to deal with FinTech/ digital lending related complaints/ issues raised by the borrowers.
  • If any complaint lodged by the borrower is not resolved by the RE within the stipulated period (currently 30 days), they can file a complaint over the Complaint Management System (CMS) portal or other prescribed modes under the Reserve Bank- Integrated Ombudsman Scheme (RB-IOS).
  • REs must provide a Key Fact Statement (KFS) to the borrower in standardized format for all digital lending products. Any fees, etc., which is not mentioned in the KFS cannot be charged by the REs to the borrower at any stage during the term of the loan. The KFS shall contain the following:
    • Details of APR
    • Terms and conditions of recovery mechanism
    • Details of grievance redressal officer designated specifically to deal with digital lending or fintech related matter
    • Cooling off or lock up period
  • Prohibition on automatic increases in credit limits except with customer’s explicit consent.
  • REs must publish the list of LSPs and Digital Lending Applications (DLAs) engaged by them along with the details of the activities for which they have been engaged, on their website.
  • REs must conduct enhanced due diligence process before entering into a partnership with an LSP for digital lending, taking into account its technical abilities, data privacy policies and storage systems, and other prerequisites.
  • The responsibility regarding data privacy and security of the customer’s personal information will rest with the REs. They must ensure that LSPs engaged by them do not store personal information of borrowers except for some basic minimal data like name, address, etc. which may be required for operational tasks.

Technology and data requirements

  • Any data collection by DLAs should be need-based and must be undertaken with prior and explicit consent of the borrower. Such data must also be auditable, as and when required. DLAs are required to refrain from accessing mobile phone resources, such as file and media, contact list, call logs, telephony functions, etc. A one-time access can be requested for camera, microphone, location, or any other facility necessary for the purpose of on-boarding/ KYC requirements – only with the explicit consent of the borrower.
  • The recommendations suggest that the borrower must be provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect their personal data and if required, make the app delete or forget the data.
  • The recommendations also require REs to ensure that the DLAs have a comprehensive privacy policy in place, equipped with regulations to handle breaches. Further, the details of third parties that are allowed to collect personal information through the DLA shall also be disclosed in the privacy policy.
  • REs must ensure that all data is stored in servers located within India while ensuring compliance with statutory and regulatory obligations.

Regulatory framework

  • REs must ensure that any lending done through DLAs is reported to Credit Information Company (CICs) irrespective of its nature.
  • REs must also be accountable for reporting any new digital lending products over a merchant platform (like short term, unsecured/ secured credits or deferred payments etc.) to the credit bureaus.

Recommendations with in-principle approval, awaiting further examination

Customer protection and conduct requirements

  • Each access or enquiry of credit information by any RE or LSP from CIC shall be conveyed to the borrower through email or SMS.
  • Financial literacy must also include digital banking.

Technology and data requirements

  • Banks must monitor accounts regularly operated from a different or overseas IP address, which is not consistent with the KYC profile of the account holder.
  • RBI will prescribe baseline technology standards for DLAs including:
    • Secure application logic, which includes, technical specifications of the DLA to ensure security of applications running on mobile phones, proper authentication, input validation, clear access rules, measures to ensure protection of sensitive data, etc.
    • Keeping auditable log of every action that user performs along with their IP address and device information
    • Monitoring of transactions being undertaken through DLA
    • Multi-step approval for critical activities undertaken on the DLA
  • REs must ensure that the algorithm used for underwriting is based on extensive, accurate and diverse data to rule out any prejudices.

Regulatory framework


About Us

India Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in Delhi and Mumbai. Readers may write to india@dezshira.com for more support on doing business in in India.

We also maintain offices or have alliance partners assisting foreign investors in Indonesia, Singapore, Vietnam, Philippines, Malaysia, Thailand, Italy, Germany, and the United States, in addition to practices in Bangladesh and Russia.