India’s Reserve Bank tightens the regulatory framework for digital lending apps

Thursday 10 November 2022

N Raja Sujith
Majmudar & Partners, Bangalore, Karnataka

Akil Hirani
Majmudar & Partners, Bangalore, Karnataka


Over the past few years, digital lending apps (DLAs) have greatly aided both business users and retail customers in India. However, with the increase in the number of DLAs and other credit delivery apps, there has been a rise in lending fraud and malpractice. To curb this increase and to strengthen supervision of DLAs, the Reserve Bank of India (RBI) established a Working Group on 'digital lending including lending through online platforms and mobile apps' ('WGDL') last year. Based on input received from WGDL, the RBI released a regulatory framework to cover RBI regulated entities (REs), namely, commercial banks, non-banking financial companies (including housing finance companies) and co-operative banks. On 2 September 2022, the RBI issued official guidelines to implement the recommendations of the WGDL; and gave REs until 30 November 2022 to put in place adequate systems and processes to ensure that all of their digital loans are in compliance with these new guidelines.

In this article, we discuss the significant changes brought about by the new regulations and their impact on the Fintech sector in India.

Key changes

Funds flow: It is now proposed that all loan disbursals and repayments must be executed only between the bank account of the borrower and the RE without any pass-through or pool account of a lending service provider (LSP) or other third-party. As such, only an RBI regulated RE will be allowed to handle loan transactions and not a LSP.

Payments: All charges payable to the LSP will have to be paid by the RE and not by the borrower. In addition, a borrower will be allowed to exit a loan taken digitally during a cooling off or look-up period by paying the principal and the prescribed annual percentage rate without any penalty.

Transparency: All REs must provide to each borrower a key fact statement, which must include all relevant data relating to the loan, penal interest applicable and so on, before executing the transaction. Additionally, an automatic increase in the borrower’s credit limit without explicit consent is not permitted. REs must prominently publish on their website a complete list of their DLAs and LSPs, and they must ensure that their DLAs and LSPs do not store any personal information (including biometric data) of the borrowers, except basic data.

Data protection: Any data collected by a DLA should be need based and have a clear audit trail. Moreover, data can be collected only with the explicit prior consent of the borrower, and the borrower must be given an option to accept or deny consent for the use of any specific data, including an option to revoke previously granted consent and/or to direct the DLA/LSP to delete data.

Reporting: Any lending sourced through a DLA and all new digital lending products involving short-term credit or deferred payments extended by the RE over a merchant platform is required to be reported to Credit Information Companies irrespective of the nature or tenor of the loan.

Grievance redressal: All LSPs must have a suitable nodal grievance redressal officer to deal with digital lending-related complaints. If any complaint lodged by a borrower is not resolved within the stipulated period (currently 30 days), the borrower can lodge a complaint under the Reserve Bank – Integrated Ombudsman Scheme (RB-IOS).

Other recommendations: Regulations that are, currently, under discussion include: (1) establishing a self-regulatory organisation (SRO) to oversee the functioning of REs and LSPs, and to maintain a list of non-compliant entities; (2) the first loss default guarantee model, which gives credit protection to REs up to a mutually agreed percentage of the first loss or consumer default on a transaction; and (3) the setting up of a Digital India Trust Agency (DIGITA) to ensure that borrowers only use authorised DLAs and to curb unauthorised DLAs/entities.


The new guidelines, which have stricter compliance requirements, will help in making the digital lending ecosystem more transparent and function more efficiently. Further, the regulations relating to limits on customer personal data storage and use by third-parties are in line with global data protection standards. 

Although the RBI’s new guidelines are customer friendly, they will change the dynamics for Fintech companies in India, as all third-parties and unregulated entities have been deemed to be mere agents of regulated entities without any ability to process customer data, carry out predictive analyses and so on. The new rules may lead to a clean-up of the digital lending ecosystem in India with some LSPs having to rethink their business models.