- with readers working within the Oil & Gas, Utilities and Law Firm industries
- within International Law, Energy and Natural Resources and Criminal Law topic(s)
- Introduction:
The digital lending sector in India has witnessed an explosive growth in the past few years. The borrowers can now conveniently apply for loans on mobile apps and websites, getting approval and disbursal within minutes. This new-age rapid digital lending process may seem like a boon to many borrowers, however, it has led to an increase in the instances of privacy violation, imposition of hidden charges, adoption of aggressive recovery methods, and rise in fraudulent or unauthorized lending apps.1
To address and regulate these concerns, the Reserve Bank of India ("RBI") recently notified the Digital Lending Directions on 08th May 2025 ("Directions").2 These Directions provide a comprehensive regulatory framework aiming to balance innovation with consumer protection and provide systemic stability to promote digital lending. The objective of these newly notified Directions is to enhance transparency and safeguard borrowers' interests by establishing clear guidelines on data collection, storage, and usage. The Directions also consider the role of third-party involvement, where unregulated entities often act as the primary interface with borrowers, despite not being directly regulated by the banking regulations.
- Scope and Applicability:
The Directions are applicable to all the Commercial and Co-operative Banks, Non-Banking Financial Companies ("NBFC") (including Housing Finance Companies), and all Financial Institutions engaged in digital lending activities, as well as Lending Service Providers ("LSPs") which typically comprise of fintech startups that partner with Regulated Entities ("REs") to provide loan and recovery services. The Directions are further applicable to all Digital Lending Apps ("DLAs"), including mobile or web applications used by borrowers to apply for and manage digital loans.3
This broad scope of applicability ensures that regardless of whether a borrower approaches a large private bank's mobile app or a specialised fintech platform, they will enjoy the same level of protection and transparency.
- Key Provisions and Regulatory Requirements:
Due Diligence
One of the most significant changes introduced by the Directions is the imposition of a mandatory due diligence requirement. REs can no longer enter into partnerships or other arrangements with LSPs without conducting thorough research and background checks. The Directions require REs to evaluate prospective LSP partners on multiple parameters, including their technical capabilities, data protection and privacy policies, and their track record in customer dealings before engaging their services. This due diligence obligation is not limited to the stage of partnership, but extends throughout the duration of the partnership as REs are required to conduct periodic reviews of their LSP to ensure continued compliance with the contractual terms,4 thereby enhancing overall accountability of REs towards their borrowers.
Special emphasis is placed on recovery practices which are usually the subject of the most serious complaints from consumers. The Directions impose a duty on REs to instruct the LSPs, acting as recovery agents, to strictly adhere to the applicable RBI guidelines on recovery. Parallelly, the framework ensures that REs remain fully liable for all acts and omissions of their LSP partners, thereby creating a strong regulatory incentive for exercising due diligence not only in selecting partners but also in supervising their activities thereafter.
Transparency
Another common grievance raised by the borrowers is regarding lack of transparency, particularly the absence of clear and comparable information regarding loan terms and conditions. In this regard, the RBI has issued specific directions to ensure that borrowers are adequately informed and are not "blindsided" by hidden charges or ambiguous loan terms. Lending platforms and/or DLAs are now mandated to clearly to present all available loan options in a clear and consolidated manner, so that the borrower can compare and make an informed decision. This measure is intended to prevent lending platforms from concealing material information in fine print or using complex language that obscures the actual cost of borrowing.
Lenders are now required to explicitly disclose key loan details, including the name of the lender, the annual percentage rate ("APR"), the total processing fee, and any other hidden applicable charges as may be applicable. Further, REs must provide a Key Fact Statement ("KFS"),5 which serves to summarise the loan offer in simple and comprehensible language, clearly indicating the monthly instalment amount, total credit cost, and any applicable penalties, including those arising from early closure.6 The main objective of KFS is to facilitate borrowers to compare offers and make an informed decision.7
The Directions further stipulate that upon approval of a loan, the sanctioned amount is directly transferred in the borrower's bank account and not through any third-party interference such as e-wallet or an intermediary account.8 This safeguard is aimed at preventing potential fraud and ensuring that the borrowers receive the full disbursed amount without any unauthorized deduction by the intermediaries.
Additionally, the Directions further stipulate that if a borrower is offered a higher credit limit, the platform is prohibited from unilaterally enhancing the EMI amount. Any such modification must be based on the borrower's explicit consent and a proper assessment of their repayment capacity.
Pre-payment Option
The Directions also introduce a 'cooling-off period'9, which allows a borrower to exit a digital loan within a prescribed initial window by repaying the principal amount along with the proportionate APR. No penalty can be charged for such an exit, though the RE may retain a reasonable one-time processing fee, provided the same is disclosed upfront in the KFS. While the specific duration of the cooling-off period is to be decided by the RE's Board under its loan policy, the Directions mandate that it shall not be shorter than one day. Borrowers who choose to continue with the loan beyond this cooling-off period will retain the right to prepay the loan in line with existing RBI guidelines.
Data Protection and Privacy Policy
In line with prevailing data protection laws, NBFCs and other REs can now collect only the essential borrower information, that too with the borrower's explicit consent.10 REs are mandated to have clear policies specifying the nature of data collected, the period for which it will be stored, and the protocols for secured deletion in the event of data breaches.11 Notably, the collection or storage of biometric data, which has previously been a major source of privacy concerns, is now strictly prohibited, except for one-time Know Your Customer ("KYC") requirements permitted by law. Borrowers are also entitled to revoke consent, request data deletion, or refuse sharing of their information with third parties.
Further, REs must ensure that all customer data is stored on servers located in India.12 If any processing is carried out overseas, the data must be deleted from foreign servers and repatriated to India within 24 hours. The responsibility for safeguarding borrower information, including data handled by LSPs, rests squarely with the RE.
Cap on Default Loss Guarantee by LSPs
Many banks partner with fintechs or LSPs to share risk through a Default Loss Guarantee ("DLG"). To regulate these risk-sharing arrangements, the Directions impose a cap on the DLG extended by LSPs or fintech partners. Under this framework, the fintech's guarantee is capped at 5% of the total loan pool covered. In the event of borrower default, the lender has up to 120 days to invoke the guarantee,13 beyond which the fintech or LSP has no obligation to make payment. By setting these limits, the RBI aims to ensure that risk-sharing mechanisms do not result in reckless or imprudent lending practices.
Grievance Redressal Mechanism
Under the Directions, the RBI has further introduced a structured Grievance Redressal Mechanism to handle complaints arising out of digital lending transactions. Every RE and LSP having a borrower interface must appoint a designated nodal grievance redressal officer, with their contact details clearly displayed on websites and mobile applications. In cases where a borrower's complaint remains unresolved for over 30 days, the borrower can escalate the same through the RBI's Complaint Management System ("CMS") for appropriate redressal.14
- Advantages and Impact of the Directions:
The primary beneficiaries of these Directions are borrowers availing digital lending services. With stronger transparency requirements, borrowers can now have access to clear, accurate, and comparable information regarding loan facilites. Such access to information is particularly crucial in a market where complex financial offerings can easily overwhelm consumers. Additionally, the enhanced regulatory safeguards on data collection, storage, and transfer protect borrowers' financial information and substantially reduce the risk of misuse. The mandatory Grievance Redressal Mechanism further ensures that borrowers have a clear, accessible, and structured avenue to seek redress in the event of any grievance. Collectively, these measures reflect the RBI's objective of enhancing transparency and protecting borrowers from potential vulnerabilities inherent in digital lending.
Insofar as REs are concerned, while the Directions impose higher compliance obligations upon them, at the same time provides greater operational clarity by consolidated guidelines. Furthermore, by holding REs fully accountable for the conduct of their LSPs, the framework promotes prudent and selective partnerships selection and stronger vendor management. In turn, LSPs are required to adhere to higher standards of data protection, customer service, and operational transparency, thereby improving service quality and minimizing borrower complaints.
- Conclusion:
In essence, the Directions introduce multiple layers of borrower protection, ranging from enhanced data privacy safeguards and structured grievance redressal mechanism to a mandatory cooling-off period, and restrictions on unilateral credit limit enhancements. These measures are designed to curb the risks of over-indebtedness while building borrower confidence in digital lending.15 By establishing a uniform regulatory framework applicable to banks, NBFCs, fintech entities, and LSPs, the RBI has taken a significant step towards promoting transparency, accountability, and sustainable growth in the digital lending ecosystem.
Footnotes
1 Satyam Mishra, RBI Tightens Digital Lending Norms To Safeguard Borrowers Clean Up Fintech, Business World (May. 10, 2025), https://www.businessworld.in/article/rbi-tightens-digital-lending-norms-to-safeguard-borrowers-clean-up-fintech-556282.
2 Reserve Bank of India, Digital Lending Directions, RBI/2025-26/36 (Issued on May 08, 2025). ("RBI Directions").
3 Aditi Rana, RBI Notifies Digital Lending Directions, India Law Portal (May. 13, 2025), https://www.indialaw.in/blog/civil/rbi-notifies-digital-lending-directions/.
4 RBI Directions, Para 5, supra at 2.
5 Reserve Bank of India, Key Facts Statement (KFS) for Loans & Advances, RBI/2024-25/18 (Issued on April 15, 2024).
6 Editor, RBI Shapes the Future of Digital Lending, 2025, SCC Times (May. 14, 2025), https://www.scconline.com/blog/post/2025/05/14/rbi-digital-lending-directions-legal-news/.
7 Editor, RBI Shapes the Future of Digital Lending, 2025, SCC Times (May. 14, 2025), https://www.scconline.com/blog/post/2025/05/14/rbi-digital-lending-directions-legal-news/.
8 RBI Directions, Direction 9, supra at 2.
9 RBI Directions, Para 10, supra at 2.
10 RBI Directions, Para 12, supra at 2.
11 RBI Directions, Para 13, supra at 2.
12 Ibid.
13 RBI Directions, Para 26, supra at 2.
14 Reserve Bank of India, Complaint Management System, https://cms.rbi.org.in/cms/indexpage.html#eng.
15 Isha Malik, RBI Digital Lending Guidelines 2025: A Comprehensive Guide for NBFCs, Linkedin (May. 16, 2025), https://www.linkedin.com/pulse/rbi-digital-lending-guidelines-2025-comprehensive-guide-cs-isha-malik-hbnyc/.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
