The Digital Lending Directions: Strengthening Oversight In India’s Fintech Ecosystem

Introduction

On May 8, 2025, the Reserve Bank of India (RBI) issued the Reserve Bank of India (Digital Lending) Directions, 20251 (“Directions”). The Directions Develops a governing structure for digital lending of Regulated Entities (REs) which comprises of commercial banks, co-operative banks, non-banking financial companies (NBFCs), housing finance companies, and All India Financial Institutions. Directions integrate existing circulars, guides, and known to be frequently asked questions (FAQs) while adding new policies on disclosure, data privacy, and operational responsibility. The new policies seek to promote clarity, protect the borrower’s right, and ensure soundness in the system amid escalating risks in the digital lending infrastructure. Further, most of the Directions came into force immediately while provisions on multi lender arrangements become effective from November 1, 2025, and Reporting of Digital Lending Apps (DLAs) from June 15, 2025.

About the Guidelines

The latest Directions issued by the Reserve Bank of India (RBI) seeks to address digital credit transactions eliminates loopholes within the Extant Guidelines for the ‘Credit Information Companies (Regulation) Act and Rules’ from 2022. In addition, as with all directions, the RBI has expanded the scope of application to all Regulated Entities (REs) engaging in digital lending, including but not limited to banks, NBFCs, cooperative banks, and now, for the first time, All India Financial Institutions (AIFIs). The RBI’s approach aims to cover entities that outsource digital lending for regulatory purposes by including Lending Service Providers (LSPs), expanding the regulatory framework to ensure surveillance on even peripheral lending activities.

Unlike other forms of credit, digital lending spans the entire life of the loan, including, but not limited to, underwriting, disbursal, and servicing, all of which take place over the internet or mobile applications. Including LSPs within the umbrella of the directive, irrespective of initial misconceptions, is extremely important due to the prevalence of subcontracting of primary lending functions. Functioning as a broker between REs and borrowers, LSPs now come under tighter control, thus mandating any contact between REs and LSPs to be based on a contract in writing. Such contracts shall define roles, responsibilities, rights, and remedies shifts legal theory from outcome particularism towards something more useful and precise.

One of the most transformative impacts imposed by the Directions is the complete accountability placed on REs for the activities of their LSPs. Such a model encourages greater self-governance and forces REs to devise extensive systems for meta-monitoring LSPs, audit loan portfolios, and deal with breaches of contracts, laws, regulations, or other defined controls. Due diligence is no longer a mere mnemonic checklist but rather a matter of compliance and action. Technological competence, ethical business practices, and legality of LSPs business are required to be screened by REs prior to contracting them.

Significantly, learner borrower protection forms part of the Directions through the KFS which must be issued to every borrower by law. These disclosures are now standardized to include fundamental loan information such as the sanctioned amount, interest rate, tenure, allowable fees, grievance redressal contact information, and the lender’s data privacy policy. KFS documentation enables decision making and ensures they are consumer friendly and recover best practice standards in International Consumer Finance Transparency. In addition, the inclusion of a cooling off period which is set by the board of the RE but shall not be less than one day, allows the RE to monitor borrower behavior and limits the potential for rushed decisions and forced financial commitments.

In a marked departure from earlier practices, the Directions mandate that all disbursal and repayment transactions be executed directly between the RE and the borrower, eliminating intermediary fund flows through LSPs or other agents. This streamlines the transaction process, reduces the risk of misappropriation, and enhances borrower confidence in the system. Furthermore, borrowers now have direct access to the RBI’s Complaint Management System (CMS), providing a centralized avenue for dispute resolution and grievance redressal.

Another area of reform lies in data governance. The Directions adopt a principle-based approach, stipulating that only data essential for credit underwriting may be collected, and even this must be backed by explicit, granular borrower consent. Borrowers have the right to withdraw consent at any time and request deletion of their data. Digital Lending Apps (DLAs) are categorically prohibited from accessing intrusive device resources such as contact lists, call logs, or storage, except for a one-time KYC event approved by the borrower. In addition, all borrower data must be stored on servers located within India, and any data processed abroad must be deleted within 24 hours of processing. These stipulations reflect a strong emphasis on privacy, transparency, and digital sovereignty. Critically, the capture or storage of biometric data is banned altogether, reinforcing the RBI’s stance against excessive surveillance.

A particularly forward-looking provision is the regulation of loan marketplaces and multi-lender platforms. From November 1, 2025, such platforms are required to display all loan offers matching a borrower’s profile in a neutral, non-preferential interface. Each offer must include the name of the RE, loan amount, tenure, annual percentage rate (APR), total charges, and a link to the relevant KFS. This standardization facilitates comparability and prevents manipulation through biased ranking algorithms or user interface tricks. Platforms must also document and disclose their loan matching algorithms, and any preferential presentation of products is expressly prohibited. These measures are designed to curtail the influence of back-end commercial arrangements that may skew borrower choices and distort market dynamics.

In line with tightening oversight, the Directions also introduce a new compliance and reporting framework. By June 15, 2025, all DLAs operated by REs or their LSPs must be reported through the RBI’s Centralised Information Management System (CIMS) portal. This requirement is backed by a certification obligation, whereby Chief Compliance Officers (CCOs) or designated officials must attest to the accuracy of reported data, the accessibility of borrower disclosures, the existence of grievance mechanisms, and full adherence to data privacy rules. This creates a structured compliance trail and brings the accountability directly to the senior management of regulated entities.

Importantly, the Directions exclude EMI-based credit card programs, recognizing the unique characteristics of revolving credit facilities. The RBI has also opted for a staggered rollout of certain obligations, particularly those involving technical and operational changes such as multi-lender platform compliance and DLA reporting. This transitional arrangement offers REs and LSPs sufficient time to recalibrate internal systems and align with the new requirements without disrupting ongoing operations.

From a practical standpoint, the Directions necessitate significant changes across the digital lending ecosystem. Fintech LSPs will need to overhaul user interfaces, update data management protocols, and revise contractual agreements with REs. Meanwhile, REs must consider augmenting their compliance teams and investing in new technology tools for real-time portfolio monitoring and data reporting. Legal and risk teams must revisit standard operating procedures and refresh due diligence checklists to comply with the evolved framework.

The Directions also open new avenues for third-party service providers. Firms specializing in compliance audits, legal documentation, IT risk management, and regulatory technology (RegTech) can assist REs and LSPs in implementing these changes effectively. As regulatory expectations grow more granular and outcome-focused, such partnerships could become integral to the long-term viability of digital lending operations.

Conclusion

The RBI’s Digital Lending Directions, 2025 incorporate existing regulatory gaps while adding new ones to ensure that compliance fosters a constructive culture in the digital lending space. With applicability to all REs and LSPs, the Directions guarantee that digital interfaces are permitted to function within the ecosystem framework of traditional banking. Mandatory disclosures and borrower safeguards in addition to data governance policies bolster the market while spanning volumes of data. RE accountability on the outsourcing of services and multi lender platform openness receive attention on new risks associated with the growing fintech ecosystem. The demand for certifying documents alongside reporting strengthens compliance burden while increasing oversight.