An Overview of Digital Lending Guidelines

author Sheena Ogra , Himanshu Ojha

calender September 21, 2022

An Overview of Digital Lending Guidelines

Recently, the Reserve Bank of India (“RBI”) issued Guidelines on Digital Lending (“Guidelines”)[1]. The Guidelines have come amidst concerns of data privacy breaches, unethical business practices, and mis-selling to vulnerable customers by digital lenders. The Guidelines apply from the date of the circular to existing customers who wish to take fresh loans and to new customers. 


Digital lending has benefited greatly from technological developments. Digital lenders provide cash injections to individuals. The demand for online loans has increased massively in recent years.  However, a wide range of issues has arisen because of increased reliance on third-party lending service providers. The digital lending space is not big enough to threaten financial stability, but its rapid expansion raises serious concerns. 

Against this backdrop, the RBI constituted a Working Group on Digital Lending (“Working Group”)[2] on January 13, 2021. After receiving the recommendations of the Working Group, RBI issued these Guidelines. 

Guidelines on Digital Lending

The Working Group had recommended the classification of digital lenders into three categories:

  • Entities that are regulated by RBI and permitted to carry out lending operations
  • Entities that are authorized to carry out lending by other regulatory/statutory provisions and are not regulated by RBI
  • Entities that are lending without any statutory/regulatory approval

The Guidelines apply to the first category, Regulated Entities (“REs”). The outsourcing arrangements made by REs in no way diminish their obligations. The REs must ensure that Lending Service Providers (“LSPs”), Digital Lending Apps (“DLAs”), and DLAs of LSPs comply with the Guidelines. Lending Service Providers are agents of REs who carry out one or more of their lending functions. The lending functions include pricing support, customer acquisition, monitoring, servicing, recovery of loans, among other things. DLAs facilitate digital lending transactions with mobile and web-based applications. They include apps of the REs as well as of LSPs. 

The REs are given until November 30, 2022, to ensure that all existing digital loans as on the date of the Guidelines are in compliance with these Guidelines. 

1. Consumer Protection and Conduct Requirements

In a bid to increase transparency and prevent operational grey areas, REs have to ensure that loan disbursals are made directly to the borrower’s bank account. Exceptions are provided in cases where the disbursal is made because of (a) a co-lending transaction which is an arrangement with the joint contribution of a credit facility along with risk and reward sharing; a statutory or regulatory mandate; and loan disbursals that are for specific end-use. The exemption for specific end-use help in facilitating Buy Now Pay Later (“BNPL”) models as they allow REs/LSPs/DLAs to disburse the loan amount directly to the merchant. 

All loan servicing, repayments, etc. must be done through the REs bank account without any pool or pass-through account of a third party. 

2. Key Fact Statement

REs must prepare a Key Fact Statement (“KFS”) and provide it to the borrower before execution of the loan contract. The KFS must have all the necessary information including details of the Annual Percentage Rate (“APR”) which is the Effective Annualized Rate that is charged to the borrower; the recovery mechanism; details of the grievance redressal officer; and the cooling-off period. 

3. Cooling Off Period

REs have to provide a cooling period which is an exit window provided to the borrower by which they can repay the digital loan along with the proportionate APR without penalty. For digital loan tenures of seven days or more, the cooling off period shall be a minimum of three days and for digital loans with tenure of fewer than seven days, the cooling off period shall not be less than one day. Even after this period, the pre-payment option should be allowed. 

4. Fees/Charges

REs must ensure that the fees, charges, etc. paid to the LSPs are paid by them and not charged to the borrower. Furthermore, any charges or penal interest shall be levied based on the outstanding loan amount. The KFS must contain the rate of annualised penalty charges. 

5. Digitally Signed Documents

All documents signed using a digital signature including loan product summary, KFS, sanction letter, privacy policies, etc. must be provided to the borrower via SMS/email. In addition to this, REs have to ensure that they publish a list of their DLAs, LSPs, and the DLAs of LSPs on their website. 

6. List of LSPs and Product Information

To increase transparency and safeguard borrowers’ interests, REs along with their LSPs, DLAs, or DLAs of LSPs, must provide all details of the product such as APR, product features, etc. at the time of sign-up and onboarding. Furthermore, REs have to ensure that DLAs have links to REs websites where borrowers can access detailed information about loan products, privacy policies, the link to RBI’s complaint portal (Sachet)[3], etc. 

7. Grievance Redressal Mechanism

RBI has mandated the requirement of a nodal grievance redressal officer that deals specifically with complaints and issues related to digital lending. The details of the officer shall be displayed on the website of the REs, LSPs, and DLAs, and in the KFS. If a complaint to the grievance redressal officer is not resolved within 30 days (thirty), the complaint can be registered on the Complaint Management System (CMS) portal of RBI. Furthermore, on the websites of REs, LSPs, and DLAs, the facility for lodging complaints must be there. 

8. Requirements Before Engaging LSP

Before engaging an LSP, REs must conduct comprehensive due diligence to ascertain their technical ability, data privacy policy, fairness in conduct, and whether they can comply with the relevant laws and regulations. Furthermore, the REs have to review the operations of LSPs periodically. Lastly, REs must provide guidance to the LSPs on the recovery of loans and ensure that the LSPs are acting responsibly and that they are complying with the Circular on ‘Outsourcing of Financial Services – Responsibilities of regulated entities employing regulatory agents’[4].

9. Data Collection

The report of the Working Group noted that there have been many complaints where high-risk data is collected by the DLAs and used to harass the borrowers as well as their contacts. To address the issue, the RBI has directed that data collection by REs, LSPs, and DLAs must be need-based and with explicit consent before such data collection. Mobile phone data such as contacts, files, media, etc. must not be accessed. For KYC purposes, one-time permission for the microphone, camera, location, etc. can be taken. When obtaining consent, the borrower shall be disclosed the reasons for which it is being taken. 

The borrower must be given the option to deny the use of specific data, revoke consent, and restrict the disclosure of data to third parties. Not only that, but the borrowers must be given the option of deleting the data that the DLAs have. In case personal data needs to be shared with third parties, explicit consent shall be taken. 

10. Data Collection and Privacy Policy

LSPs or DLAs must store only minimal data, enough to carry out operations. REs are responsible for data privacy and security of the personal information of the customer. A clear and comprehensive data policy containing which data can be stored, restrictions on use, destruction protocol, etc. must be in place and disclosed on the website of the RE and on the apps. Along with the data policy, a comprehensive privacy policy containing details of the third party that can collect data shall be in place and available publicly. The data must be stored in servers that are in India and in compliance with the relevant laws and regulations. Lastly, REs must make sure that unless allowed by statutory guidelines, biometric data must not be collected or stored. 

REs must ensure that the LSPs and DLAs that are engaged by them have a comprehensive privacy policy that complies with the relevant laws, regulations, and guidelines. In order to access and collect the private information of the borrowers, the DLAs engaged by REs/LSPs must make the privacy policy publicly available. The privacy policy must contain the details of third parties that can collect personal information via DLAs. 

11. Reporting to Credit Information Companies (“CICs”)

Any lending done through LSPs, DLA, or DLAs of LSPs must reported to the CIC. Furthermore, the extension of digital lending products must be reported to the CIC. 

12. Restrictions on Loss Sharing Arrangements

The report of the Working Group discussed the risk posed by synthetic structures such as First Loss Default Guarantees (“FLDG”). It is an arrangement wherein the LSPs provide guarantees of up to a percentage on loans whereas an NBFC would advance the loan through the LSP. In this way, loans would stay on the balance sheet of the LSPs and it could inflate its books without maintaining regulatory capital. So, effectively, the LSPs were engaging in balance sheet lending while remaining outside regulation. 

RBI has advised adherence to the Master Direction – Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 dated September 24, 2021[5]. The Master Direction prohibits synthetic securitisation. If the RBI makes the advisory mandatory, this will have the effect of not permitting REs to engage in synthetic securitisation like FLDG and transfer the risk on a pool of exposures, in part or in whole. 


Digital lending is set to grow exponentially in the future. As such, it became imperative for the RBI to issue Guidelines to safeguard consumer interests, prevent unethical business practices, and regularise the sector. However, the major concern about digital lending remains. As per RBI, there are 600 (six hundred) illegal digital lending apps[6] operating in India. RBI’s complaint portal – Sachet received 2562 (two thousand five hundred sixty-two) complaints between January 2020 to March 2021, most of them against illegal digital lending apps. RBI has not found a way to curb the rise of illegal digital lenders that prey on the vulnerabilities of borrowers by charging exorbitant rates and harassing borrowers on their failure to repay.  

[1] available at:

[2] Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps, issued on November 18, 2021 available at:

[3] available at:

[4] Circular DOR.ORG.REC.65/21.04.158/2022-23, issued on August 12, 2022, available at:

[5] available at:

[6]  n 1, pg. 27

Blog Corporate Commercial


Post A Comment

Your email address will not be published *


Contact Us Now

Awards & Recognitions

Cookies Consent

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below. Read more...

Cookies Consent

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below. Read more...