India’s digital lending ecosystem has expanded rapidly, driven by instant app-based credit, embedded finance models, and growing collaboration between fintech platforms and regulated lenders. This scale-up, while positive for financial inclusion, has also surfaced recurring concerns around opaque pricing, disproportionate data collection, and coercive recovery practices, issues that prompted the Reserve Bank of India (RBI) to strengthen supervisory oversight.
To address these risks, the RBI had earlier introduced the Guidelines on Digital Lending, 2022 (“2022 Guidelines”). Although these guidelines established the first formal guardrails for online lending, the pace of technological innovation and the emergence of complex digital lending models created regulatory gaps that required a more comprehensive framework.
Recognising this need, the RBI has now issued the RBI (Digital Lending) Directions, 2025[1] (“2025 Directions”), which repeal and replace the 2022 Guidelines. The 2025 Directions provide a unified rule-based regime aimed at enhancing transparency, standardising operational practices, safeguarding borrower data, and ensuring that Regulated Entities remain fully accountable for the conduct of their third-party partners.
The following sections examine the scope, operational requirements, and sectoral implications of the 2025 Directions.
Scope & Regulatory Perimeter
The 2025 Directions establish a clearly defined regulatory perimeter by specifying the entities to which these Directions apply and by articulating the scope of “digital lending.” Under Para 3 of the2025 Directions, the 2025 Directions apply exclusively to Regulated Entities (REs), namely: (i) all Commercial Banks; (ii) all Primary (Urban), State and Central Co-operative Banks; (iii) all Non-Banking Financial Companies, including Housing Finance Companies; and (iv) all All-India Financial Institutions. Fintech entities, Digital Lending Apps (DLAs) and Lending Service Providers (LSPs) are not directly regulated; however, they fall within the operational perimeter to the extent that they perform functions on behalf of an RE under the outsourcing framework.
The definition of “Digital Lending” in Para 4(iii) of the 2025 Directions covers any ‘remote and automated lending process’ enabled by digital technologies across the lending lifecycle, including customer acquisition, credit assessment, loan approval, disbursement, recovery and associated customer service. The definition is intentionally broad and does not require the lending journey to be fully digital; any lending activity of an RE involving digital facilitation is captured.
DLAs are defined in Para 4(iv) of the 2025 Directions as mobile or web-based applications of the RE or of an LSP engaged by the RE. LSPs, defined under Para 4(v) of the 2025 Directions, are agents of the RE who perform one or more digital lending functions such as onboarding, underwriting, servicing, monitoring or recovery.
Crucially, Para 5(vii) 2025 Directions reiterates that outsourcing does not dilute the RE’s regulatory responsibility. Accordingly, any digital lending activity undertaken by an LSP or DLA forms part of the RE’s regulated perimeter.
Lending & Operational Standards
Building on the definition of digital lending and the regulatory perimeter outlined under Paras 3 and 4 of the 2025 Directions, the 2025 Directions impose a set of conduct and operational requirements that govern how Regulated Entities (REs) must design, deliver and service digital loans. These standards aim to ensure responsible credit delivery, borrower protection and uniformity across digital lending channels.
1. Creditworthiness Assessment
Under Para 7 of the 2025 Directions, REs must undertake a documented assessment of the borrower’s economic profile at minimum capturing age, occupation and income details. Automatic enhancement of credit limits is prohibited unless expressly requested, evaluated and recorded.
2. Mandatory Disclosures to Borrowers
As mandated in Para 8 of the 2025 Directions, REs must issue a Key Fact Statement (KFS) in accordance with the KFS Circular dated April 15, 2024. Digitally signed copies of the KFS, sanction letter, terms and conditions, account statements and applicable privacy policies must automatically be delivered to the borrower. REs must maintain an updated public website listing all digital lending products, DLAs, LSPs and grievance redressal channels. Borrowers must also be informed of authorised recovery agents prior to contact.
3. Loan Disbursal, Servicing and Repayment
In line with Para 9 of the 2025 Directions, loan disbursals must flow directly into the borrower’s bank account, subject only to narrowly defined exceptions. Repayments must be made directly to the RE, without using any third-party or LSP pass-through accounts. Fees payable to LSPs cannot be charged to borrowers. Cash recoveries are permitted only for delinquencies and must be reflected on the same day.
4. Cooling Off Period
Under Para 10 of the 2025 Directions, borrowers must be offered an explicit right to exit the loan during a Board-approved cooling-off period (minimum one day). A reasonable processing fee may be retained if disclosed upfront.
5. Grievance Redressal
Pursuant to Para 11 of the 2025 Directions, both the RE and any interfacing LSP must appoint nodal grievance redressal officers. Complaint facilities must be available on the RE’s website and the DLA. The RE retains full responsibility for grievance resolution, and unsatisfied borrowers may escalate matters under the RBI’s Integrated Ombudsman Scheme via the CMS portal.
Data Governance, Privacy & Customer Protection
Building on the operational standards, the 2025 Directionsintroduce a comprehensive framework governing data practices, privacy safeguards and customer protection norms for all digital lending activities undertaken by REs and their LSPs. These requirements ensure responsible handling of borrower information and promote a transparent and fair digital lending environment.
1. Data Collection, Usage and Consent Requirements
Under Para 12 of the 2025 Directions, data collection by DLAs of REs and LSPs must be strictly need-based and supported by prior, explicit consent with an audit trail. DLAs are prohibited from accessing mobile phone resources such as files, media, contacts, call logs or telephony functions. One-time access to camera, microphone or location is permitted solely for onboarding or KYC purposes, with explicit consent. Borrowers must be able to deny consent for specific data categories, restrict third-party sharing, revoke earlier consent and request data deletion. The purpose of data collection must be disclosed at every stage, and personal information cannot be shared without explicit consent unless legally required.
2. Data Storage, Retention and Privacy Controls
Para 13 of the 2025 Directions restricts LSPs to storing only minimal basic data (name, address and contact details), while REs remain fully accountable for data privacy and security. REs must define retention periods, destruction protocols, and breach-response mechanisms. Biometric data cannot be stored unless permitted by law. All data must be stored exclusively in India; where processed overseas, it must be deleted and repatriated within 24 hours. Under Para 14 of the 2025 Directions, REs and LSPs must maintain a publicly available privacy policy disclosing third parties authorised to collect data.
3. Technology, Security and Platform Requirements
As mandated in Para 15 of the 2025 Directions, REs and LSPs must comply with RBI-specified cybersecurity standards and evolving technology requirements, ensuring that DLAs operate within secure and compliant digital environments.
4. Customer Protection, Transparency and Grievance Rights
Customer-facing protections under the 2025 Directions reinforce fairness and transparency. REs must provide mandatory disclosures, including KFS, sanction letters, terms and privacy policies, and inform borrowers of authorised recovery agents before contact. REs and interfacing LSPs must appoint nodal grievance redressal officers, maintain complaint facilities on their websites and DLAs, and ensure that grievance resolution remains the responsibility of the RE. Escalation to the RBI’s Integrated Ombudsman Scheme via the CMS portal is available where complaints remain unresolved after 30 days (Para 11 of the 2025 Directions).
Governance & Oversight Requirements
Following the data governance and customer protection standards, the 2025 Directionsreinforce a governance framework centred on the RE. The Directions make clear that digital lending, even when operationalised through third-party platforms, remains an RE-anchored activity with non-delegable regulatory responsibilities.
1. RE’s Non-Delegable Responsibility
Under Para 5(vii) of the 2025 Directions, outsourcing arrangements do not dilute or shift obligations. The RE remains fully responsible and liable for all acts and omissions of its Lending Service Providers (LSPs) and Digital Lending Apps (DLAs), regardless of the extent of delegation.
2. Due Diligence and Contracting Requirement
As mandated in Para 5(i)–(v) of the 2025 Directions, every RE–LSP engagement must be governed by a formal agreement defining roles, rights and obligations. REs must conduct enhanced due diligence of LSPs, assessing technical capability, data-handling practices, fairness in borrower conduct and regulatory compliance history. Periodic reviews of LSP performance are compulsory, supported by monitoring mechanisms for portfolios originated through LSPs. Where LSPs act as recovery agents, REs must ensure compliance with RBI’s recovery-agent instructions.
3. Oversight in Multi-Lender LSP Model
In multi-lender arrangements, each RE must ensure that the LSP provides a neutral, unbiased digital loan-offer view, uses a consistent documented matching mechanism, displays all required loan parameters (including APR, tenor, repayment obligation and KFS link), and avoids dark or deceptive patterns.
4. Reporting and Certification Requirements
Under Para 17 of the 2025 Directions, REs must report all DLAs used by them or their LSPs on the CIMS portal, with the Chief Compliance Officer certifying correctness, compliance and required website disclosures.
Impact on Fintech Companies and the Road Ahead
The 2025 Directions materially alter the operating landscape for fintech companies. While fintechs remain outside the direct regulatory ambit, their functional freedom is significantly narrowed because REs must now ensure strict compliance by all Lending Service Providers (LSPs) and Digital Lending Apps (DLAs) acting on their behalf.
1. Clearer and Narrower Role
Under Para 4(iv)–(v) of the 2025 Directions, fintechs, whether as DLAs or LSPs, may perform only those digital lending functions expressly authorised by an RE. They cannot position themselves as lenders, influence loan approval, or control fund flows, given the strict disbursal and repayment requirements in Para 9 of the 2025 Directions. The recognition that even an RE may act as an LSP reinforces RBI’s functional approach, limiting fintech activities to RE-delegated tasks.
2. Heightened Compliance Burden via RE Oversight
The 2025 Directions impose extensive compliance expectations on fintechs through RE-level responsibility. REs must conduct enhanced due diligence (Para 5(ii) of the 2025 Directions), monitor performance, enforce contractual obligations (Para 5(i) of the 2025 Directions), and ensure fintech compliance with:
a. need-based, consent-driven data practices (Para 12);
b. minimal data storage and India-only storage with 24-hour repatriation (Para 13);
c. comprehensive privacy policy obligations (Para 14);
d. cybersecurity and technology standards (Para 15);
e. borrower-facing disclosure requirements (Para 8(iv)).
3. Marketplace Neutrality and Interface Redesign
Fintechs operating multi-lender DLAs face new neutrality requirements (Para 6 of the 2025 Directions): unbiased offer display, consistent matching logic, mandatory listing of unmatched lenders, and a ban on dark patterns. These changes require substantial interface and algorithmic redesign.
4. Strategic Outlook
The 2025 Directions move the ecosystem toward compliance-anchored, partnership-driven digital lending. Fintech competitiveness will increasingly depend on technological robustness, transparent borrower interfaces, and the ability to serve as trusted digital infrastructure providers to REs.
[1] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12848&Mode=0#9