Hammurabi & Solomon Partners | View firm profile
On 8 May 2025 the Reserve Bank of India issued the Reserve Bank of India (Digital Lending) Directions, 2025, a single rule-book that repeals and folds into itself every digital-lending circular since 2022, including the default-loss-guarantee (DLG) FAQ and the outsourcing norms for Lending Service Providers (LSPs).
By unifying the regime, the RBI seeks to eliminate overlaps in definitions, tighten accountability and rebuild borrower confidence. This endeavour addresses the concerns arising from a series of mis-selling and data-privacy/digital scandals. Based on the recommendations of working group on digital lending, RBI has attempted to consolidate the existing regulations/instructions while incorporating few new measures such as LSP’s partnering with multiple regulated entities (RE’s) and creating a directory of digital lending app for credibility and public awareness. Addressing the concerns of unbridled engagement of third parties, breach of data privacy, unfair business conduct, charging of exorbitant interest rates, unethical recovery practices, the directions are aimed at enhancement of accountability and customer trust. The said directions came into forced on 8th May, 2025 itself, whereas the multi-lender LSP arrangements and Digital Lending Apps shall come into force on 1st November, 2025 and 15th June, 2025 respectively.
Wider Perimeter and demarcated Roles: The Directions apply to all commercial banks, co-operative banks, NBFCs (including HFCs) and All-India Financial Institutions whenever they use a digital channel, whether their own or that of an LSP. “Digital lending,” “DLA” (digital-lending app), “LSP” and “DLG” now carry harmonized definitions, while a new category, multi-lender LSP arrangements, brings aggregator platforms explicitly inside the supervisory net. The terminology of ‘Digital Lending Apps/Platforms (DLAs)’ has been provided an exhaustive definition covering under its ambit all such mobile and/or web based applications with user interface facilitating digital lending services. Furthermore, Lending Service Provider (LSP) covers under its ambit an agent of RE as well, thereby furthering the scope of accountability and applicability. The inclusive definitions are well received by the industry stakeholders, minimizing the scope of interpretation and subsequent confusion.
Stricter Due Diligence of Lending Service Providers (LSPs): Before outsourcing any part of the credit life-cycle, regulated entities (REs) must maintain a live register of all LSPs, assess each provider’s technical strength, data-protection posture and past conduct, and repeat the fit-and-proper test annually. Contracts must spell out roles, recovery conduct and audit rights; the RE remains “fully responsible and liable” for every act of its agent. The directions have further explicitly laid down that any such outsourcing agreement executed between RE with and LSP shall not immune the RE of its statutory and regulatory duties.
In case where LSP has agreements with multiple RE’s for digital lending, LSP has to provide a digital view of the loan offers matching the borrower’s request, further the details of unmatched lenders shall also be disclosed. A consistent approach for similarly placed borrowers shall also be complied with and any such mechanism adopted shall be properly documented to ensure fairness and transparency. Any such usage of dark patterns/deceptive measures to misguide and mislead borrowers into opting of a particular loan offer is strictly prohibited. However, data depicting ranks of loan offers based on pre-disclosed metric available on public platform shall not be construed as promotion of a particular product.
Customer-Protection Upgrades and Transparency: Borrowers receive a digitally signed Key Fact Statement showing the Annual Percentage Rate, all fees and a minimum cooling-off window (one day for very short loans, three days for tenors above a week) during which they may exit by paying only proportionate interest and a disclosed processing fee. Disbursal must flow straight to the borrower’s account and repayments straight back to the RE, blocking any LSP pass-through except for recovery of delinquent loans. Nodal grievance officers of both RE and LSP must be named on every DLA, with links to RBI’s Central Management System (CMS) and Sachet portals. Further, in case of loan defaults, the borrower must be apprised in advance in case any recovery agent is authorized to approach the borrower in advance through email/SMS.
Additionally, the borrower shall be provided with an opportunity to exit the digital loan by ensuing the payment to the principal and the proportionate Annual Percentage Range (APR) without any penalty during an initial cooling off period, as prescribed in the loan policy. However, even if the customer is willing to exit during the cooling off period, on –time processing fee may be retained by the RE subject to the fact that the same must be disclosed in KFS.
Technology and Data Requirement: The directions have laid down the mandatory procedure of seeking consent from the borrowers before collecting any data by their DLA/LSP, however further recommending to desist from seeking any mobile phone resources such as media/contact list/call logs. Further, the borrower shall be well apprised of the purpose before obtaining their consent and in case of subsequent dissemination of personal information shall be subject to borrower’s explicit consent again.
The RE is further mandated to ensure that LSP engaged with them do not indulge in storage of any data except for the basic minimal data. Any usage/storage of biometrics shall be done in accordance of the applicable statutory guidelines. The directions have further made it mandatory for the RE and LSP’s to have a comprehensive privacy policy and details of any third party employed to collect personal information through DLA to be disclosed in the policy and that such policy shall be made publicly available on the website of RE and LSP to ensure informed consent, accountability and transparency.
Reporting of Credit Information and DLA’s: In compliance with the Credit Information Companies (CIC) (Regulation) Act, 2005 and related rules and regulations, the RE is obligated to report it to CCI’s any such lending done through their DLA’s and DLA’s of LSP’s. Further, any such extension of the structured digital lending products by RE involving short term/unsecure/secured credits or deferred payments, needs to be reported to CCI’s too by the RE.
One of the most significant and largely hailed provision is that of the mandate imposed upon the RE to ensure reporting of all DLAs deployed/ joined by them on the Centralized Information Management System (CIMS) portal of RBI in the requisite format provide[1]. The said information needs to be updated from time to time and further the Chief Compliance Officer of the RE/ other designated official by the Board of RE shall certify that the data submitted on the CIMS portal is correct. Further, the RBI shall not be responsible for verifying or validating the date submitted on CIMS, and any such concerns or grievances concerning DLA’s shall be dealt with by the RE directly. It is further clarified that any such inclusion of third party DLA’s deployed by RE as a part of such reporting, shall not be construed by the DLAs /entity that it’s conferring any registration, authorization or endorsement by the RBI. These provisions have amplified the extent of liability and accountability that falls on the RE and its related entities with a larger objective of securing the borrowers interest and trust.
Loss sharing arrangement in case of default: Through the said directions , it has been further explicitly clarified that RE can enter into DLG arrangements only with a LSP/other RE engaged as LSP and that such LSP providing DLG shall be incorporated as a Company under the Companies Act. In addition to the RE-LSP arrangement enumerated the said directions, the accountability is fastened upon the RE to conduct a through due-diligence concerning DLG provider, such as eligibility criteria of DLG provider, nature and extent of DLG cover, process of monitoring and reviewing the DLG arrangement among others. The directions further specifies the restrictions imposed on DLG arrangements, structure of DLG arrangements, forms of DLG, treatment of DLG for regulatory capital and disclosure requirements, wherein the RE has to ensure the compliance with the said directions.
Effective Dates and Compliance Window: All provisions except two took effect immediately on 8 May. The DLA directory requirement (para 17 on Reporting of DLAs to RBI) activates 15 June 2025, and the multi-lender rules (para 6 on RE-LSP arrangements involving multiple lenders) activate 1 November 2025. REs therefore have a six-month runway to cleanse outsourcing contracts, remodel systems to generate uniform KFS/APR disclosures and restructure any DLG that breaches the new cap.
Summary of Key Features:
a. The ambit and applicability of these directions have been diversified, fastening its applicability on all such regulated entities involved in the process of digital lending, to ensure the ethics and values governing the digital lending landscape are upheld in letter and spirit.
b. The accountability on RE has been amplified wherein any such subsequent contractual agreements involved in the digital lending process shall be backed by through due diligence, compliance of statutory and regulatory standards and consistent monitoring of loan portfolios.
c. The transparency aspect has been further widened wherein the borrowers shall have access to exclusive Key Fact Statement (KFS) ensuring clear loan terms, disclosures and repayment obligations.
d. The cooling off period further upholds the borrower’s right to exit the loan without any penalties subject to clear disclosures and one-time processing fee, if applicable.
e. The collection of any necessary data collected from borrowers are in strict compliance of the DPDP Act, 2023 wherein informed consent of the borrowers plays a key factor, however with an exclusive right to the borrower to revoke the consent. Any such data collected shall be stored within Indian Jurisdiction and in case of any external processing of data, the same shall be deleted within 24 hours. Hence, strict adherence to existing data protections laws and regulations have been imposed upon the RE’s and its related LSP’s.
f. The direction of mandatory reporting to of all DLA’s to RBI in a time bound manner is a key feature, ensuring that no such third party DLA’s shall misrepresent their association/authorization from RBI and the accountability to ensure the same falls on RE.
g. The present directions are in addition to the existing regulatory and statutory norms and RE shall ensure compliance of all such applicable laws. However, the former circulars/guidelines issued by RBI on Digital Lending stands repealed.
h. The regulation of multi-lender arrangements with strict deterrence to any such attempt on part of LSP to deceit the borrowers is a hailed and welcomed step, ensuring borrower friendly digital lending landscape aligning with the principle of dei sunt clietes (customer is king).
i. The concept of public directory of DLA’s ensuring every RE to upload related details on CIMS portal further assist consumers distinguish legitimate apps from frauds.
Conclusion:
By formalizing first-loss guarantees, increasing transparency requirements for loan aggregators, and granting borrowers the right to exit early, the Directions impose a manageable compliance burden in exchange for clearer risk distribution and enhanced reputational benefits. Fintech LSPs lacking strong capital backing or operational transparency may be driven toward consolidation, while well-regulated platforms are better positioned to scale within a structured and consumer-trust-centric framework. Overall, these Directions are a positive development, reinforcing the principle of caveat emptor and promoting greater economic stability and integrity in India’s digital lending ecosystem.
Authored by Mr. Jyoti Kumar Chaudhary, Senior Partner and Ms. Pranshu Singh, Senior Associate.
[1] Such reporting on CIMS shall be completed by 15th June, 2025 in a time bound manner.