The digital lending ecosystem in India has undergone a seismic shift with the Reserve Bank of India (RBI) upgrading its regulatory framework from suggestive guidelines to binding Digital Lending Directions, 2025. This transition marks a move towards formal, enforceable compliance—especially significant for regulated entities (REs), non-banking financial companies (NBFCs), and fintech lending startups using digital lending apps (DLAs). These Directions are not issued in isolation. They exist alongside India's evolving data privacy and technology laws, such as the Information Technology Act, 2000, the SPDI Rules of 2011, and most recently, the Digital Personal Data Protection Act, 2023 (DPDP Act). For compliance heads, CTOs, and legal counsels of fintechs, understanding how these frameworks intersect is critical for ensuring lawful digital lending operations in India.
RBI's Digital Lending Directions: Statutory Backing and Intent
Unlike the older guidelines that were advisory in nature, the 2025 Directions are issued under Section 45L of the RBI Act, 1934 and carry statutory force. This signals clear regulatory intent to enforce non-negotiable standards around:
- Lending Service Provider (LSP) accountability
- Customer consent and data use
- First Loss Default Guarantee (FLDG) arrangements
- Data privacy and cybersecurity
The Directions bring legal enforceability to what were once best practices, particularly for digital-first lending operations. The move also aligns India's fintech regulatory landscape with the growing emphasis on user data rights and cybersecurity compliance.
Data Collection, Consent, and Purpose Limitation
A core feature of the RBI Directions is the stringent requirement for free, specific, informed, and auditable consent before any personal data can be collected via DLAs. The Directions prohibit access to call logs, media files, or contact lists. One-time access to camera or location data for KYC is permitted, but only with explicit consent.
This approach mirrors key elements of the SPDI Rules under the Information Technology Act, which also mandate written consent before collecting sensitive personal data or information. The rules require data collectors to inform individuals about the nature and purpose of data being collected.
The DPDP Act, 2023 further reinforces this, stating in Sections 4–6 that personal data processing must be based on clear, unambiguous consent or fall under predefined "legitimate use" categories. Consent cannot be bundled, coercive, or implied. This reinforces the RBI's position that borrowers must be empowered to make informed choices.
Borrower Data Rights: Revocation, Correction, and Deletion
Borrowers now have the statutory right to revoke consent, restrict third-party data sharing, and demand data deletion. These rights are central to the RBI's consumer protection goals and are clearly defined in the Directions.
Similar rights are granted under Rule 5 of the SPDI Rules, which permits withdrawal of consent and data correction, albeit with the caveat that service providers may refuse to offer services post-withdrawal.
The DPDP Act is more robust. Section 6(4) mandates that revocation of consent must be as simple as its granting. Under Section 8(7), personal data must be deleted if the purpose for its collection no longer exists or consent has been withdrawn. Data principals also have rights to obtain processing summaries and demand correction or erasure of data.
Privacy Policy Requirements and Transparency Obligations
The RBI mandates that REs and LSPs must publish privacy policies that:
- Clearly identify what data is collected
- Specify third parties with whom data is shared
- State the purpose of data use
- Be easily accessible via DLAs and websites
This aligns with Rule 4 of the SPDI Rules, which requires body corporates to maintain and publish detailed privacy policies. Likewise, Section 5 of the DPDP Act obligates that consent requests be accompanied by a notice explaining the nature and purpose of data collection. The direction towards transparency-by-design reflects a key global data governance trend and is now an enforceable standard for Indian fintechs.
Data Storage and Localisation Norms
One of the most significant obligations in the RBI Directions is data localisation. All borrower data must be stored exclusively on Indian servers. If data is processed overseas, it must be deleted from the foreign server and repatriated to India within 24 hours. Biometric data collection is categorically prohibited unless legally mandated.
In contrast, Rule 7 of the SPDI Rules allows international transfers of sensitive personal data where the recipient ensures an equivalent level of protection. The DPDP Act likewise does not impose blanket localisation; it permits cross-border transfers to countries notified by the Indian government.
This creates a distinct compliance pressure: fintechs must adhere to the RBI's hard localisation requirement for borrower data even where the broader data privacy laws would permit conditional cross-border transfers.
Cybersecurity and Technology Standards
Under the RBI Directions, REs and LSPs must comply with prescribed cybersecurity standards, including those from the RBI and other sector regulators. This includes:
- Secure storage
- Role-based access control
- Regular cybersecurity audits
These provisions are backed by the SPDI Rules, which require reasonable security practices such as adherence to ISO/IEC 27001 standards. Similarly, Section 8 of the DPDP Act mandates security safeguards and breach notification.
Draft DPDP Rules, 2025 also require measures like encryption, system access control, and secure audit logs. Together, these standards aim to reduce system-level vulnerabilities and increase institutional accountability in fintech.
Liability and Legal Accountability of REs and LSPs
A defining aspect of the RBI Directions is that regulated entities cannot outsource accountability. Even if customer data is handled by an LSP, the RE is ultimately responsible for:
- Consent management
- Data breaches
- Policy disclosures
- Grievance redressal
This is mirrored in the SPDI Rules, which hold body corporates responsible for the actions of third parties acting on their behalf. They must also designate a Grievance Officer to resolve user complaints within 30 days.
The DPDP Act also adopts a similar framework. Data Fiduciaries are required to:
- Ensure data accuracy and relevance
- Impose contractual obligations on processors
- Take full accountability for breach or misuse
Thus, fintechs must establish robust oversight mechanisms and contractual safeguards with their third-party vendors.
Conclusion: Building a Compliant and Resilient Digital Lending Ecosystem in India
The RBI Digital Lending Directions, 2025 represent a watershed moment in India's regulatory journey toward safe, ethical, and compliant digital lending practices. With India's digital economy expanding and fintech innovation surging, the alignment between sector-specific regulations and national data protection laws is more critical than ever.
For fintech founders, compliance officers, and in-house legal teams, the key takeaway is this: compliance must be holistic. RBI's Directions cannot be followed in isolation. They must be read in conjunction with obligations under the SPDI Rules and the DPDP Act. This includes:
- Consent architecture design
- Real-time audit logs and cybersecurity protocols
- User rights management systems
- Vendor risk assessments
- Privacy policy disclosures
Failure to harmonise these frameworks can expose firms to not only regulatory penalties but reputational damage and legal liability.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.