Guidelines on Digital Lending: A way forward

Home     Articles      Guidelines on Digital Lending: A way forward

Guidelines on Digital Lending: A way forward

October 1, 2022


Since the global pandemic digital lending is one the most attractive innovations for both lenders and borrowers. It challenges the orthodox and physical method of lending as it has become one of the fastest-growing and accepted methods of lending. But, over the past 2 (two) years, this method of lending has also seen some major issues as the sector of digital lending is vastly unregulated and there is no operational framework to it. To address this issue, on January 13, 2021, a Working Group on ‘digital lending including lending through online platforms and mobile apps’ (“WGDL”) [1] was formed, and they recently published their report on the Reserve Bank of India (“RBI”) website. On August 10, 2022, via a Press Release [2] RBI highlighted the different issues as was founded by the WGDL. Some issues raised are as follows: the unbridled engagement of third parties, mis-selling, breach of data privacy, unfair business conduct, charging of exorbitant interest rates, and unethical recovery practices (“Highlighted Issues”). The Guidelines on Digital Lending (“Regulation”) [3], issued by the RBI on September 2, 2022, is one of the regulations passed by RBI based upon the report of the WGDL and the aforementioned Press Release.

The Regulation mentions in the depth the compliances to be followed by the Regulated Entities (“REs”) which is inclusive of Non-Banking Financial Companies (“NBFCs”). NBFCs, their respective Lender Service Providers (“LSP”) and the digital platforms such as mobile apps that the NBFCs and LSPs use, defined as Digital Lending App (“DLA”) have to mandatorily comply with this Regulation. As per the RBI, the Regulation is only applicable to ‘existing customers availing fresh loans’ and ‘new customers getting on-boarded’ and shall not apply to the loans that the REs have provided before the date on which the Regulation was notified (September 2, 2022). Additionally, a grace period till November 30, 2022, has been provided by RBI for ensuring that there shall be a smooth transition by the REs to implement all the relevant changes as per the Regulation.

The Regulation is divided into three different parts which are: ‘Customer and Conduct Requirements’, ‘Technology and Data Requirement’ and ‘Regulatory Framework’. Through this paper, we will discuss the key features introduced in each part of the Regulation and how they ensure the Highlighted Issues have been addressed.


This part of the Regulation is addressed to the REs exclusively and is inclusive of multiple guidelines which are to be mandatorily complied with by the REs to ensure customer protection from the various Highlighted Issues. As mentioned above, the current practices of the REs are of inadequate ethical and business standards. This has led to the multiple customers being subject to harassment of the REs and their LSPs. Some of the key introductions under this part are as follows:

Section 2 of the Regulation is the definitions clause and RBI has introduced the concept of Annual Percentage Rate (“APR”) by way of this section. APR is an all-inclusive cost and margin which includes the cost of funds, credit cost and operating cost, processing fee, verification charges, maintenance charges, etc. APR excludes contingent charges like penal charges, late payment charges and other ancillary charges. The all-inclusive nature of APR ensures that the borrowers are free from all forms of miscellaneous and arbitrary charges of the REs. Additionally, under Section 5.1 of the Regulation, APR shall be mandatorily shared with the customers under the Key Factor Statement (as has been defined below) which will ensure that there is complete transparency regarding all charges of the RE. 

Under sections 2.2 and 8 of the Regulation, a cooling-off or look-up period has been introduced which is provided to a borrower who wishes to exit his/her loan. During this period the borrower has a time period, as to be decided by the board of directors of the REs, to exit the digital loan by paying the principal amount along with the proportionate APR. Before such introduction, the REs and the LSPs have enforced a system of collection which is unappreciative of ethical business standards as it involves undue duress and manipulation on part of the RE and their LSP for recovery of loans. This time period is implemented to ensure that the borrowers take a decision regarding any loan availed by them free of duress and manipulation.

Another important introduction is the Key Fact Statement (“KFS”). KFS is a document where the RE will make certain disclosers as mentioned under Annexure II of the Regulation [4]. This will be provided to the customers before the execution of any loan product and therefore sufficient information shall be provided by way of this fact sheet in order for the customer to take an informed decision about the loan product that they wish to avail. This fact sheet will also be in standardised format across the industry which shall ensure that customers are able to compare different loan products offered not only within the limits of one RE but across the whole market of digital loans. As mentioned earlier, KFS will also be a definitive statement regarding the charges of the REs by way of APR and other charges such which are not included within the purview of APR as well. This information shall not be subject to any change unless consented by the borrower. Therefore, imposing even further restrictions upon the arbitrary charges as raised by the RE during the term of the loan. All such charges shall be pre-decided and entered carefully by the REs to include all of its costs to provide a loan product.

The most important change to be noted is under this part is introduced as mentioned under sections 3 and 5.6. From the bare reading of the two sections, it is clear that the use of LSPs shall still be allowed subject to compliance with the guidelines as provided in the Regulation. We have explained the various compliances which shall be necessary for the use of LSPs and DLAs of the RE or the LSP as the case maybe. Section 3 deals with loan disbursals and additionally imposes a duty on the REs to abide by the guidelines as mentioned under the Regulation to avail LSPs as well as DLAs. The following requirements have to be mandatorily complied with by the REs: 

(a) privacy policies of LSPs and DLAs with respect to the borrowers data shall be made available to the borrowers/customers of the loan product on the execution of the loan contract/transaction (Section 5.3), 

(b) REs DLAs and their LSPs DLAs shall be made available on the RE’s website along with the list of activities that two of them are engaged in shall be provided (Section 5.4), 

(c) the REs and LSPs DLAs shall prominently display information relating to their product features, loan limits and costs (Section 5.5), 

(d) the website link of the REs shall be provided on both its own DLAs as well as their LSPs DLA, as the case maybe, where further/ detailed information about the loan products, the lender, the LSP, particulars of customer care, link to Sachet Portal, privacy policies, etc. can be accessed by the borrowers (Section 5.7), 

)e) contact details of the Nodal Grievance Redressal Officer shall be clearly mentioned on the respective DLAs of the RE and its LSP as well as shall be provided on the Key Fact Statement as provided by the REs to the borrowers (Section 6.1), 

(f) due diligence of the LSPs before engaging them as service partners. (Section 9)

For the purposes of recovery or collection from borrowers, it is to be noted Section 5.6 requires the RE to provide information to the borrowers regarding their LSP, the recovery responsibilities of the LSP and any change in LSP engaged by the RE as the case maybe before engaging them LSP as service partners.

This Regulation does not materially remove the usage of LSPs and DLAs completely which was a genuine concern after the report of the WGDL, but the Regulation only imposes certain additional requirements and regulations for the protection of the borrowers from the third-party service providers. The Regulation also emphasises on the part that, the REs shall themselves be responsible for the actions of their third-party service providers and any activity undertaken on the digital mobile applications through which the RE is be providing any products or services in relation to these product.

All the above-mentioned clauses look to improve borrower security and enforce the duty of care upon the REs for the protection of their own customers. This part specifically looks to target the curbing predatory practices of the REs and their service partners which previously in an unregulated market have led to undue duress, financial loss and mental unrest among the consumers of digital loans.


It is important to protect the customer data as shared by the customers pursuant to availing digital loan product. It shall be the duty of the REs to maintain the confidentiality of any data shared regardless of whether it has been shared directly, through mobile application or the service partners of the RE. Since the use of LSPs and DLAs requires sharing the data of borrowers with the service partners, the REs shall ensure that the data so shared is protected from any form of leak or misuse of any kind. The Regulations again under this part look to enforce a customer safety-based environment in the market. The Regulations under this part are as follows:

(a) Under Section 10 the data shared on the DLAs of the REs and LSPs have been limited to just basic customer information and the section additionally restricts certain information to be shared on the DLAs which shall ensure the extent to which information is accessed by any third party to the loan transaction undertaken by the REs. The section further states that in all cases for collection of any information or data of the customers, permission shall be explicitly obtained from the customers for receiving data and information in any form by the DLAs.

(b) Under Section 11 data storage requirements have been provided which states that no storage of information in relation to borrowers shall be lawful except as much shall be required transact business. The provision further states that the REs shall formulate policy regarding the length of time for which such data can be stored, the restrictions on the use of data, data destruction protocol, standards for handling security breaches, etc.

(c) Privacy Policy standards have been under Section 12 which ensure that not only RBI guidelines but all applicable laws shall be complied with by the REs, LSPs and their respective DLAs and the same shall be clearly reflected on the DLAs.

(d) Section 13 enforces technology standards/ requirements on cybersecurity as is stipulated by RBI and other agencies to be followed which ensure protection of the customers from any cybersecurity issues that may arise during any loan transaction.

One of the many Highlighted Issues was breach of data privacy. This part looks to enforce strict standards and guidelines for the protection of borrower’s data, not only upon the REs but also enforce the same on their service partners. Additionally, this part also brings both the REs and their service partners under the purview of RBI laws as well as general data protection laws, to curb the issue of breach of data privacy.


This part of the Regulation looks to bring a shift in basics of the industry of digital lending. Under Section 14, the Regulations ensures that all the loans as provided via the DLAs of the REs or the DLAs of the LSP, as the case maybe, shall be shared with the Credit Information Companies and the relevant rules under Credit Information Companies (CIC) (Regulation) Act, 2005; CIC Rules, 2006; CIC Regulations, 2006 are followed to the letter. This brings the LSPs and the DLAs under the purview of the RBI guidelines which was previously as rightly pointed out by the WGDL an ‘important’ concern.

Under Section 15, the Regulation has taken away the powers of the RE to use any form of arrangements such as First Loss Default Guarantee (FLDG) and other similar arrangements which were very common arrangements of multiple NBFCs. Additionally, certain loan products such as Buy Now Pay Later (BNPL) and similar products have been included within the purview of the RBI guidelines. The REs now have to ensure they abide by the Master Direction — Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 dated September 24, 2021, especially, synthetic securitisation contained in Para (6)(C) [5].

The main focus of this part was to include certain types of loan products and arrangements which would be detrimental to the financial health of the country to be brought under the Regulation to avoid any form of detriment to the borrowers in general. This part as mentioned earlier will turn a lot of heads towards the present guidelines and will lead to a massive shift in the NBFC digital lending sector.


The Regulation has implemented positive change for the consumer of digital loans which was an urgent requirement owing to the Highlighted Issues and other issues as per the report of the WGDL. The enforcement of these rules also leads to certain shift in policy which will affect the industry of digital loans materially and commercially as has been stated under Part 3: Regulatory Framework. There was a growing concern regarding the health of the lending market in general due to the rise of digital lending and the unregulated market of digital lending. The RBI by enforcing these Regulation has tried to bring into the RBI purview a lot of issues, but only time will tell if these issues have been fully resolved.


  1. Reserve Bank constitutes a Working Group on digital lending including lending through online platforms and mobile apps (dated January 13, 2021) accessed at:
  2. Recommendations of the Working Group on Digital Lending: Implementation (dated August 10, 2022) accessed at:,and%20members%20of%20the%20public.
  3. Guidelines on Digital Lending (dated September 02, 2022) accessed at:
  4. Annexure II: Illustrative Format of Key Factor Statement Sheet/Fact Sheet as under Guidelines on Digital Lending (dated September 02, 2022) accessed at:
  5. Para 6(c), Master Direction — Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 (dated September 24, 2021) accessed at:

Author: Akarsh Deep, Associate.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter and that the same shall not be treated as legal advice. For any queries, the author can be reached at

Join Our List To Stay In Touch

Leave your email id to receive regular updates on
corporate law changes that have impact on businesses.