Reserve Bank of India

Introduction

On 8th May, 2025, the Reserve Bank of India (Digital Lending) Directions, 2025 have been introduced by the Reserve Bank of India (RBI), to bring greater transparency, accountability, and customer protection in the rapidly evolving digital lending ecosystem. This framework outlines operational norms, due diligence requirements, disclosures to borrowers, grievance redressal mechanisms, data protection mandates, and specific provisions related to Default Loss Guarantee (DLG) arrangements.

The rapid growth of digital lending in India has led to concerns over consumer protection, data privacy, transparency, and the operations of unregulated entities. Incidents of high interest rates, unethical recovery practices, and misuse of customer data have underscored the need for a clear regulatory framework. Therefore, these Directions are intended to safeguard the interests of borrowers, enhance the credibility of the digital lending ecosystem, and mitigate risks arising from unregulated lending practices.

These Directions shall come into force with immediate effect, except for specific provisions which shall take effect from June 15, 2025, and November 1, 2025, respectively.

Scope and Applicability

These Directions applies to a wide range of Regulated Entities (REs) ass under:

• Commercial Banks
• All-India Financial Institutions
• Urban, State, and Central Co-operative Banks
• NBFC’s including Housing Finance Companies

Core Terminology

KEY PROVISIONS

• RE-LSP Arrangements and Consumer Protection Requirements:
  • Due Diligence Requirements for LSP
    • Formal agreements between REs & LSPs.
    • Conduct due diligence and ongoing monitoring.
    • Ensure LSPs comply with RBI guidelines.
    • REs remains fully responsible for all actions of LSPs
  • Disclosures to Borrowers
    • Send digitally signed documents via email/SMS after contract to borrowers.
    • Maintain an updated website with product, LSP, grievance, and policy details.
    • Share recovery agent details before contact.
  • Loan Disbursal, Servicing and Repayment
    • Loan disbursal must be made directly into the borrower’s bank account.
    • Repayments must go to RE’s account only.
    • LSP fees paid by RE, not the borrower.
    • Cash recovery (for delinquent loans) allowed if credited same day. LSP fees for such recovery should be paid directly by the RE.
  • Grievance Redressal
    • Designate Nodal Grievance Redressal Officers to deal with digital lending compliants/ issues raised by borrower.
    • Display contact details of such officer on websites of RE, LSP and DLA as well as in KFS.
    • Borrower may lodge compliant on RBI’s CMS portal or send physical compliant if his compliant is not satisfactorily resolved or response is not received within 30 days.
• Loss Allocation Framework in Event of Default
  • REs may enter DLG arrangements only with LSPs or other REs acting as LSPs, which must be a company incorporated under the Companies Act, 2013.
  • Formulate Board-approved policy before entering into any DLG arrangement, covering DLG provider’s eligibility, process of monitoring, and fees.
  • RE shall accept DLG in the form of cash, fixed deposit with lien in its favor, or bank guarantee.
  • DLG cover must be limited to a maximum of 5% of the total disbursed amount of the specified loan portfolio.
  • DLG must be invoked within 120 days of default unless repaid.
  • Publish monthly portfolio-wise DLG details on the website within 7 working days of month-end.
• Technology and Data Requirements
  • 1 Data must be collected with explicit borrower consent.
  • 2 Borrowers can deny/revoke consent, restrict sharing, and request data deletion.
  • 3 Borrower’s explicit consent is required before sharing personal data with third parties.
  • 4 RE and LSP must publish a transparent privacy policy.
  • 5 RE must publish clear data storage policies, including retention, usage limits, deletion protocols, and breach handling.
  • 6 All data must be stored on servers in India and if processed abroad, deleted and restored in India within 24 hours.
  • 7 RE and LSP must follow RBI’s technology and cybersecurity standards.
• Mandatory Reporting Requirements:
  • REs must report all DLAs (own or of LSPs, exclusive or shared) on RBI’s CIMS portal, by June 15, 2025.
  • Such list is to be updated on CIMS portal.
  • Certifying accuracy of DLA data on CIMS portal by Chief Compliance Officer or Board-designated official.

Repeal of Earlier Circulars/Directions:

With the issuance of these Directions, the instructions/guidelines contained in the following circulars stands repealed:

Probable Impact on Stakeholders

Conclusion

These Directions mark a significant step towards strengthening the regulatory framework governing digital lending in India. By ensuring transparency, accountability, and consumer protection, these Directions aim to foster responsible lending practices while supporting innovation in credit delivery. Regulated Entities are expected to align their operations with these guidelines in letter and spirit, ensuring that borrowers’ interests are safeguarded and systemic integrity is maintained in the digital lending ecosystem.

Abbreviations:

• RE – Regulated Entity
• DLG – Default Loss Guarantee
• LSP – Lending Service Provider
• DLA – Digital Lending App
• KFS – Key Fact Statement
• CIMS – Centralised Information Management System.

Disclaimer

The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.