RBI Digital Lending Guidelines — Regulatory Framework Explainer

TL;DR for founders

If your app helps a bank or NBFC give someone a loan — you acquire the customer, collect KYC, underwrite, disburse, collect EMIs, or do recovery calls — you are a "Lending Service Provider" or a "Digital Lending App" under the Reserve Bank of India (Digital Lending) Directions, 2025. Money must move directly between the lender's bank account and the borrower's bank account — never via your escrow. You must show the borrower a Key Fact Statement before the loan closes, give them a minimum 1-day cooling-off to exit, cap any default-loss-guarantee you offer the lender at 5% of the portfolio, store data only in India, and run an Indian-resident grievance officer. The 2025 Directions took effect on 8 May 2025 and consolidate three earlier circulars.

What the Digital Lending framework says

The Reserve Bank of India (Digital Lending) Directions, 2025 ('Digital Lending Directions 2025'), notified on 8 May 2025 as RBI/2025-26/36 DOR.STR.REC.19/21.07.001/2025-26, are the governing instrument for every digital-lending arrangement in India. The Directions consolidate and supersede three prior instruments:

The 2025 Directions are structured in six chapters: Chapter I (Preliminary and Definitions), Chapter II (RE–LSP Arrangements), Chapter III (Conduct and Customer Protection), Chapter IV (Technology and Data), Chapter V (Credit Reporting and DLA Directory), and Chapter VI (Default Loss Guarantee). Most provisions took effect immediately; paragraph 6 (multi-lender LSP arrangements) came into effect on 1 November 2025 and paragraph 17 (DLA directory reporting) on 15 June 2025.

The originating policy document is the Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps dated 18 November 2021, chaired by Mr Jayant Kumar Dash, Executive Director, Reserve Bank of India. The Working Group identified three categories of digital lending players and recommended the three-layer regulatory framework that the 2025 Directions now operationalise.

The three-layer framework

The RBI classifies digital-lending actors into three layers. Regulatory reach varies by layer.

The 2025 Directions retain the Working Group's core policy decision that only Layer 1 entities (with Layer 2 support) may originate consumer credit.

Who is bound

Every Layer-1 RE and, by flow-through contractual obligation, every Layer-2 LSP/DLA that works with a Layer-1 RE. In practice this covers:

• Scheduled Commercial Banks — 12 public sector banks, 21 private sector banks, 43 foreign banks and the 11 Small Finance Banks as of the RBI's 31 March 2024 list of banks
• Primary (Urban) Co-operative Banks — 1,472 as of the RBI's 2024 Trend and Progress report
• State Co-operative Banks — 34 entities
• Non-Banking Financial Companies — approximately 9,400 NBFCs holding a Certificate of Registration (including Housing Finance Companies under NHB oversight)
• All LSPs working for any of the above — no separate RBI registration but subject to the RE's due-diligence obligations
• Every DLA used by any of the above — must be listed on the RE's website and, from 15 June 2025, in the DLA Directory under paragraph 17 of the 2025 Directions

Foreign-incorporated fintechs that wish to operate as an LSP must work through an Indian RE. Direct cross-border digital lending to Indian consumers is not permitted under the 2025 Directions and is separately restricted under the Foreign Exchange Management (Borrowing or Lending) Regulations, 2018.

Core requirements

The Digital Lending Directions 2025 preserve and extend seven core requirements from the 2 September 2022 Guidelines. Practitioners advising a fintech client should treat these as the non-negotiable spine:

1. Direct-to-borrower disbursement. All loan disbursals and repayments must occur directly between the RE's bank account and the borrower's bank account. No pass-through, no LSP escrow, no pool account. The only exception is a direct credit to a specified vendor under the loan agreement. This is the single most-enforced provision: multiple LSP-linked supervisory actions since 2023 have turned on this paragraph.
2. Key Fact Statement ('KFS'). Every digital loan must be preceded by a standardised KFS — issued in a prescribed format under Circular DOR.STR.REC.13/13.03.00/2024-25 and the 2025 consolidation — disclosing the Annual Percentage Rate ('APR') inclusive of all costs (processing, verification, maintenance, credit cost), repayment schedule, penal charges and the cooling-off terms. The KFS must be transmitted to the borrower automatically by email and SMS upon loan execution.
3. Cooling-off period. A minimum 1-day cooling-off must be offered (the RE's Board may prescribe longer periods for loans with tenors of 7 days or more). A borrower who exits within the cooling-off pays only the proportionate APR for the utilised days; a one-time processing fee may be retained if disclosed in the KFS.
4. No automatic credit-limit increase. Any increase in a borrower's credit limit requires fresh explicit consent. Auto-upgrades are prohibited. This reverses the pre-2022 industry practice of silent limit increases following repayment behaviour.
5. Need-based data collection. The LSP/DLA may collect only such borrower data as is necessary for the loan. Access to phone contacts, media library, location and telephony is prohibited except on a one-time, purpose-specific basis with explicit consent. Always-on access permissions are expressly prohibited — a direct response to the aggressive data-harvesting patterns that prompted the Working Group Report.
6. Grievance redressal with nodal officer. The RE and the customer-facing LSP must each designate a nodal grievance redressal officer resident in India. Timeline: 30 days to dispose of a grievance; thereafter the borrower may escalate to the RBI Integrated Ombudsman Scheme (RB-IOS) through the complaint management system at cms.rbi.org.in, or physically to the Centralised Receipt and Processing Centre, 4th Floor, Reserve Bank of India, Sector-17, Central Vista, Chandigarh – 160017.
7. Data localisation. Borrower data must be stored on servers located in India. Processing outside India is permitted only on a transient basis — data must be deleted from offshore servers and brought back to India within 24 hours of processing. This is the RBI's digital-lending specific localisation mandate and operates in addition to Section 16 DPDP Act and the RBI's Storage of Payment System Data Directive dated 6 April 2018.

Data privacy in digital lending

The Digital Lending Directions 2025 and the DPDP Act create a two-layer data-protection regime for the sector:

• Sectoral layer (Chapter IV, 2025 Directions): purpose-limited consent; opt-in for each permission; ability for the borrower to revoke consent and delete data; need-based access only; no always-on access to contacts, media, location, telephony.
• Cross-sectoral layer (DPDP Act): a digital lender is a "data fiduciary" under Section 2(i) DPDP Act. Obligations include Section 4 (lawful processing with notice and consent), Section 5 (notice requirements), Section 6 (nature of consent), Section 8 (duties of data fiduciary), Section 11 (rights of data principals — access, correction, erasure, grievance) and Section 16 (cross-border transfer restrictions).

Where a provision in the Digital Lending Directions 2025 is stricter than the DPDP Act (for example, the 24-hour offshore-data-return requirement), the stricter rule prevails because RBI's sectoral instrument is made under statutes preserved by Section 38(2) DPDP Act.

Loan recovery rules

Chapter III of the 2025 Directions extends the RBI Fair Practices Code to digital-lending recovery. Key obligations:

• Recovery agents must be disclosed in the loan agreement, trained and supervised by the RE
• No contact with borrowers outside 08:00–19:00 local time
• No harassment, no abusive language, no public shaming
• No contact with third-party contacts from the borrower's phone directory
• Board-approved Code of Conduct for recovery, published on the RE's website
• Grievance escalation to the nodal officer within 7 days of the complaint; 30-day disposition outer limit

Non-compliance exposes the RE to supervisory action under Section 35A of the Banking Regulation Act, 1949 or Section 45L of the Reserve Bank of India Act, 1934, as applicable; officers-in-default face proceedings under Section 46A Banking Regulation Act and officer-in-default liability.

Prohibited practices

The 2025 Directions expressly prohibit:

• LSP charging the borrower any fee separately from those disclosed in the KFS
• Routing of disbursement or repayment through an LSP account
• Automatic increase of credit limits without explicit borrower consent
• Always-on access to contacts, media, location or telephony on the borrower's device
• Cross-selling of insurance or third-party products without explicit separate consent
• Advertising digital-lending services that are not tied to a Regulated Entity (Layer-3 DLAs)

Default Loss Guarantee framework

Chapter VI of the 2025 Directions codifies the Default Loss Guarantee ('DLG') regime originally introduced by the 8 June 2023 circular. Key features:

• 5% cap. Total DLG cover on any outstanding portfolio shall not exceed 5% of the disbursed amount of that portfolio. The 5% is a hard ceiling — not a target.
• Static portfolio. The portfolio covered by a DLG is frozen at execution; no fresh loans can be added to a DLG-covered pool. Portfolio additions must be covered by a fresh DLG contract.
• Permissible DLG providers. Only an entity incorporated as a company under the Companies Act, 2013 or an LLP under the Limited Liability Partnership Act, 2008 can provide DLG to a Regulated Entity. Individual guarantors are prohibited.
• Invocation window. DLG must be invocable within 120 days of default classification.
• Disclosure. The RE must disclose the DLG arrangement in its financial statements and in its risk-management disclosures.
• Synthetic securitisation interaction. Where the DLG structure rises to the level of a credit-enhanced synthetic securitisation, the Master Direction – Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 applies. The interaction is complex and warrants separate structuring advice.

DLA directory and app-store whitelisting

Paragraph 17 of the Digital Lending Directions 2025 (effective 15 June 2025) requires every RE to register each DLA it uses in the DLA Directory maintained by the RBI. Simultaneously, MeitY and the RBI have coordinated with Apple App Store and Google Play Store on a whitelisting policy: apps not on the RBI's DLA Directory or not linked to a registered RE are not permitted to list in the "Finance" category for India. This is the operational chokepoint for eliminating Layer-3 (unauthorised) DLAs — the 2023–2024 round of app-store removals followed this model.

Interaction with other regulatory regimes

The Digital Lending Directions 2025 interact with five adjacent regimes. Practitioners structuring a digital-lending product must map each:

• DPDP Act, 2023 — as above. Section 8 duties and Section 16 cross-border rules apply; sectoral rules supplement.
• CERT-In Directions 2022 (28 April 2022) — Direction No. (ii) requires 6-hour incident reporting. A borrower-data breach in a digital-lending product triggers both the CERT-In filing and DPDP Section 8(6) notification; see the companion playbook cert-in-6-hour-incident-reporting.
• Consumer Protection (E-Commerce) Rules, 2020 — these Rules, notified under the Consumer Protection Act, 2019, apply to e-commerce entities and include provisions on misleading advertisements, grievance redressal and consumer remedies. A DLA that facilitates credit attached to an e-commerce transaction engages both regimes.
• SEBI regime — mutual-fund-linked lending, margin financing and employee-stock-option financing engage SEBI's master circular on Lending by Mutual Funds (16 July 2024) and the SEBI (Stock Brokers) Regulations, 1992. The RBI Digital Lending Directions 2025 do not displace the SEBI rules.
• MCA disclosures — a corporate borrower's digital-lending drawdowns must be reflected in its financial statements under the Companies (Accounts) Rules, 2014; non-disclosure engages officer-in-default liability under Section 134(8) Companies Act, 2013.

Practical implications — advising a digital-lending client

For general counsel and fintech founders structuring an LSP partnership in 2026, the 2025 Directions produce six concrete workflow items. This section is 100% original Veritect analysis:

1. Partnership-deck redesign. The RE should now hold a sign-off on every material customer-touchpoint the LSP/DLA controls — login, KYC, underwriting rules, KFS generation, repayment UI, recovery scripts, and the DLG structure. Drafting the sign-off matrix upfront saves 6–8 weeks of post-launch remediation.
2. KFS as a product primitive, not a document. Treat the KFS as a structured JSON payload surfaced in the borrower UI before loan execution — not a PDF emailed after. Automated email/SMS delivery (mandated by paragraph 8 of the 2025 Directions) is the audit trail; the user-facing KFS is the customer-protection artefact. Build both.
3. Disbursal plumbing. Direct RE-to-borrower disbursal forces a redesign of the settlement stack. A virtual-account architecture that credits the RE's pooled account and sweeps to the borrower in real time can preserve LSP user-experience without breaching paragraph 3. Structure it in advance of go-live; retrofitting a pool-account product is expensive.
4. DLG documentation. Where a DLG is offered, the contract must be drafted by an Indian-qualified lawyer and must explicitly state (i) the static portfolio identifier, (ii) the 5% cap computation, (iii) the 120-day invocation window, (iv) any cash collateral deposited, (v) the RE's accounting treatment and (vi) the tax treatment in both hands. Absent these, the DLG may be re-characterised as a credit enhancement and attract securitisation treatment.
5. Grievance SOP with evidence discipline. Every grievance response must include a reasoned, written outcome. Preserve the borrower's consent logs (for Chapter IV / DPDP purposes), the KFS served, and the action-log of every auto-communication (SMS, email, IVR). If the grievance escalates to RB-IOS, the evidence file is the defence.
6. P2P overlay. If the product involves any peer-to-peer matching layer, map the P2P Directions 2017 prohibitions — no credit enhancement (even 5%-capped DLG is arguably credit enhancement in P2P), no promise of assured return, no FX-denominated lending — against the Digital Lending Directions 2025 customer-protection layer. The two are additive, not alternative.

Enforcement and penalties

Non-compliance with the Digital Lending Directions 2025 attracts:

• Supervisory directions under Section 35A Banking Regulation Act, 1949 (for banks) or Section 45L Reserve Bank of India Act, 1934 (for NBFCs) — suspension, cease-and-desist, portfolio run-off;
• Monetary penalty — under Section 46 Banking Regulation Act or the Reserve Bank of India (Penalty for Contravention or Default) Directions;
• Cancellation of Certificate of Registration for an NBFC (Section 45-IA Reserve Bank of India Act, 1934);
• Officer-in-default liability — Section 46A Banking Regulation Act, 1949; Section 58B Reserve Bank of India Act, 1934;
• App-store delisting via the RBI-MeitY coordination;
• Consumer remedy — Ombudsman relief under the Integrated Ombudsman Scheme, 2021 up to ₹20 lakh;
• Criminal liability — for Layer-3 DLAs, prosecution under the Banning of Unregulated Deposit Schemes Act, 2019 and the Bharatiya Nyaya Sanhita, 2023 depending on the facts.

Founder checklist

• Confirm your layer — are you a Layer-2 LSP/DLA tied to an RE? If Layer 3, stop and repartner. Target closure within 30 days.
• Wire the KFS into the product — structured JSON, auto-email, auto-SMS. Deliver before loan execution, not after.
• Re-architect disbursal to RE-to-borrower direct — no LSP pool account; budget 6–8 weeks of engineering if legacy infrastructure exists.
• If you offer a DLG, cap at 5% of disbursed portfolio, freeze the pool, and document the 120-day invocation.
• Localise data — India-resident servers; 24-hour offshore-return policy; map Section 16 DPDP Act cross-border restrictions.
• Appoint an India-resident grievance officer and publish contact on every page of the DLA.

FAQ

Am I a Digital Lending App (DLA) and therefore in scope of the RBI Digital Lending Directions, 2025?

Chapter I of the Reserve Bank of India (Digital Lending) Directions, 2025 ('Digital Lending Directions 2025') defines a Digital Lending App / Platform ('DLA') as any mobile or web application — standalone or integrated into a larger product — that facilitates digital lending services of a Regulated Entity ('RE') or a Lending Service Provider ('LSP'). If your platform performs any of customer acquisition, underwriting, loan approval, disbursement, repayment, servicing or recovery for a commercial bank, co-operative bank or NBFC, you are a DLA. A pure credit-comparison aggregator that does not process the loan is not a DLA but may be captured as an LSP if it performs services on behalf of the RE.

Is passing loan money through an LSP's escrow or pool account legal?

No. Paragraph 3 of the original Guidelines on Digital Lending dated 2 September 2022 (RBI/2022-23/111), carried forward into the Digital Lending Directions 2025, requires that "all loan servicing, repayment, etc., shall be executed by the borrower directly in the RE's bank account without any pass-through or pool account of the LSP or any third party". The only permitted exception is a disbursal to the borrower via the direct credit route or to a vendor specified under the loan agreement (e.g., a supply-chain lender paying a seller on the borrower's behalf). Any LSP pass-through account is a contravention that attracts supervisory action under the Banking Regulation Act, 1949 and the Reserve Bank of India Act, 1934.

What is the Default Loss Guarantee cap and how is it computed?

Chapter VI of the Digital Lending Directions 2025 caps Default Loss Guarantee ('DLG') cover at 5% of the disbursed amount of the relevant loan portfolio. The portfolio against which a DLG is provided must be "static" — once fixed, no fresh loans can be added to the DLG-covered pool; pool reductions occur only through repayment, write-off or charge-off. The DLG must be invocable within 120 days of default classification. These caps derive from the 8 June 2023 circular RBI/2023-24/41 DOR.CRE.REC.21/21.07.001/2023-24 and have been carried into the 2025 Directions without substantive change.

Does the Digital Lending framework permit cross-border disbursal or offshore servicing?

No. Data relating to borrowers must be stored on servers located in India. If data is processed outside India (e.g., by an offshore analytics vendor), the data must be deleted from the offshore servers and brought back to India within 24 hours of processing. This position sits alongside Section 16 of the Digital Personal Data Protection Act, 2023 ('DPDP Act'), which empowers the Central Government to restrict cross-border transfer. Cross-border loan disbursal itself engages a separate regime under the Foreign Exchange Management Act, 1999 and the relevant RBI master directions; the Digital Lending Directions 2025 do not displace that regime.

How does the Digital Lending framework interact with CERT-In Directions 2022 and the DPDP Act?

A digital lending breach triggers three parallel obligations. First, under Direction No. (ii) CERT-In Directions dated 28 April 2022, any unauthorised access, data breach or disruption must be reported to CERT-In within 6 hours of noticing. Second, under Section 8(6) DPDP Act, a personal-data breach must be notified to affected data principals and the Data Protection Board once the intake mechanism is operationalised. Third, under Chapter III / IV of the Digital Lending Directions 2025, the RE must notify borrowers of data-related incidents and pause the DLA until remediated. A single incident typically triggers all three; the cyber-incident runbook should treat CERT-In's 6-hour clock as the binding constraint.

Does the framework apply to peer-to-peer (P2P) lending platforms?

P2P lending is governed by a separate regime — the Master Directions — Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 ('P2P Directions 2017'), as amended in 2024. P2P platforms are NBFC-P2P licensees in their own right, not LSPs of other REs. However, where a P2P platform operates through a DLA, the customer-protection provisions of the Digital Lending Directions 2025 (Key Fact Statement, cooling-off, grievance) apply by reference and are supplemented by the P2P-specific prohibitions in the P2P Directions 2017 — including the prohibition on credit enhancement and the ₹50 lakh aggregate lender-exposure cap.

Sources

• Reserve Bank of India (Digital Lending) Directions, 2025 — RBI/2025-26/36 DOR.STR.REC.19/21.07.001/2025-26, 8 May 2025: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12848&Mode=0
• Guidelines on Digital Lending (superseded) — RBI/2022-23/111, 2 September 2022: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12382&Mode=0
• Guidelines on Default Loss Guarantee in Digital Lending (superseded) — RBI/2023-24/41, 8 June 2023: https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12514&Mode=0
• Report of the Working Group on Digital Lending — 18 November 2021: https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=52679
• RBI Circular Index: https://www.rbi.org.in/Scripts/BS_CircularIndexDisplay.aspx
• Digital Personal Data Protection Act, 2023: https://www.indiacode.nic.in/handle/123456789/20937
• CERT-In Directions dated 28 April 2022: https://www.cert-in.org.in/
• RBI Integrated Ombudsman Scheme, 2021: https://cms.rbi.org.in/