RBI Digital Lending Guidelines for Fintech Companies


The digital lending ecosystem in India has expanded rapidly through mobile apps and embedded finance models, raising concerns about unauthorised lenders, hidden charges, data misuse, and coercive recovery practices. To address these risks, the RBI introduced a comprehensive regulatory framework applicable to banks, NBFCs, and fintech companies acting as Lending Service Providers. Under this framework, only regulated entities are permitted to undertake lending, while fintech platforms may provide technology, onboarding, and servicing support under outsourcing arrangements. The regulated lender remains fully responsible for prudential compliance, fair practices, customer protection, and grievance redressal.

The guidelines also mandate direct fund flow between the regulated lender and the borrower, eliminating pass-through accounts operated by fintech platforms. Loan disbursal must occur directly to the borrower’s bank account, and repayments must be made directly to the lender. This ensures a clear audit trail, prevents fund diversion, strengthens regulatory oversight, and enhances borrower confidence by clearly identifying the licensed entity providing the credit.

In this article, CA Manish Mishra talks about RBI Digital Lending Guidelines for Fintech Companies.

Key Fact Statement and Transparent Pricing

The Key Fact Statement (KFS) is a mandatory pre-loan disclosure document that provides borrowers with a comprehensive summary of the loan’s financial terms. It must clearly state the annual percentage rate, interest computation methodology, processing fees, penal charges, repayment schedule, and total cost of borrowing. By presenting this information in a standardised format, the KFS enables borrowers to make informed decisions and compare loan products across digital platforms.

The guidelines prohibit hidden charges and unauthorised auto-debits, ensuring that no additional costs are introduced after disbursal without explicit borrower consent. The cooling-off period allows borrowers to exit the loan within a specified timeframe by repaying the principal and proportionate interest without penalty. This provision protects borrowers from impulsive borrowing driven by aggressive digital marketing and reinforces fair lending practices.
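The KFS fields above (APR, interest computation method, fees, penal charges, repayment schedule, total cost) and the cooling-off exit amount can be produced mechanically from the loan terms. The following is an added example, not code from the article or from any lender; the loan figures are constructed, and the APR convention used (monthly internal rate of return on the net disbursal, annualised by multiplying by 12) and the cooling-off window length are assumptions for illustration, not the RBI's prescribed method.

```python
# Added example (not from the article): Key Fact Statement generator for a
# monthly reducing-balance loan, plus the cooling-off exit amount.
# Loan figures are constructed. The APR convention (monthly IRR on net
# disbursal, annualised x12) and the cooling-off window are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class LoanTerms:
    principal: float        # sanctioned amount
    annual_rate_pct: float  # contractual rate, % p.a., monthly reducing balance
    tenure_months: int
    processing_fee: float   # deducted upfront, so net disbursal is lower
    penal_rate_pct: float   # applies only to overdue amounts; disclosed upfront


def emi(terms):
    """Equal monthly instalment for a reducing-balance loan."""
    r = terms.annual_rate_pct / 100 / 12
    n = terms.tenure_months
    if r == 0:
        return terms.principal / n
    return terms.principal * r * (1 + r) ** n / ((1 + r) ** n - 1)


def repayment_schedule(terms):
    """Per-month split of the instalment into interest and principal."""
    r = terms.annual_rate_pct / 100 / 12
    inst = emi(terms)
    balance = terms.principal
    rows = []
    for month in range(1, terms.tenure_months + 1):
        interest = balance * r
        principal_part = inst - interest
        balance -= principal_part
        rows.append({"month": month, "emi": round(inst, 2),
                     "interest": round(interest, 2),
                     "principal": round(principal_part, 2),
                     "balance": round(max(balance, 0.0), 2)})
    return rows


def apr_pct(terms, tol=1e-10):
    """Effective annual cost including fees: the monthly rate at which the
    EMIs discount back to the net disbursal (found by bisection), times 12."""
    net_disbursal = terms.principal - terms.processing_fee
    inst = emi(terms)
    n = terms.tenure_months

    def npv(rate):  # positive while `rate` is below the true IRR
        return sum(inst / (1 + rate) ** k for k in range(1, n + 1)) - net_disbursal

    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2 * 12 * 100


def key_fact_statement(terms):
    """All-in cost disclosure the borrower sees before signing."""
    total_interest = sum(row["interest"] for row in repayment_schedule(terms))
    return {
        "sanctioned_amount": terms.principal,
        "net_disbursed_amount": terms.principal - terms.processing_fee,
        "contractual_rate_pct_pa": terms.annual_rate_pct,
        "interest_method": "monthly reducing balance",
        "processing_fee": terms.processing_fee,
        "penal_rate_pct_pa": terms.penal_rate_pct,
        "apr_pct": round(apr_pct(terms), 2),
        "emi": round(emi(terms), 2),
        "tenure_months": terms.tenure_months,
        "total_interest": round(total_interest, 2),
        "total_cost_of_borrowing": round(total_interest + terms.processing_fee, 2),
    }


def cooling_off_exit_amount(terms, days_elapsed, cooling_off_days):
    """Amount to exit inside the cooling-off window: principal plus interest
    proportionate to the days the money was held, with no penalty."""
    if days_elapsed > cooling_off_days:
        raise ValueError("cooling-off period has ended")
    daily_rate = terms.annual_rate_pct / 100 / 365
    return round(terms.principal * (1 + daily_rate * days_elapsed), 2)


if __name__ == "__main__":
    sample = LoanTerms(100000.0, 18.0, 12, 2000.0, 24.0)  # constructed values
    for key, value in key_fact_statement(sample).items():
        print(f"{key:26} {value}")
    print("exit after 2 days:", cooling_off_exit_amount(sample, 2, 3))
```

The point the APR figure makes is the one the KFS exists to make: a loan advertised at 18% p.a. with a 2% processing fee deducted upfront costs noticeably more than 18% on the money actually received, and the borrower sees that number before signing rather than discovering it after disbursal.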

Data Protection and Consent-Based Processing

Data governance is a central pillar of the digital lending framework. Fintech platforms may collect only need-based data required for credit assessment, customer onboarding, and loan servicing, and must obtain explicit, informed consent before accessing personal information. The purpose of data collection must be clearly disclosed, and borrowers must be given the option to withdraw consent at any time.

Access to sensitive mobile phone data such as contact lists, call logs, photo galleries, and location information is strictly restricted unless it is essential for the lending process and supported by a lawful purpose. Fintech companies are required to implement encryption, secure storage systems, role-based access controls, and controlled data sharing protocols to prevent unauthorised access or breaches. Borrowers also have the right to request deletion of their data, subject to regulatory record retention requirements.
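The consent rules in this section (need-based collection, a disclosed purpose, withdrawal at any time, deletion subject to retention) are enforceable in code rather than left to policy documents. The following is an added example, not code from the article or from any lending platform; the data categories, purposes, borrower identifiers and the retention period are constructed for illustration, and the registry also keeps a decision log so every allow or deny is reviewable later.

```python
# Added example (not from the article): a consent registry that enforces
# need-based collection, purpose limitation, revocation, and deletion
# requests subject to a retention hold. Categories, purposes, identifiers
# and the retention period are constructed, not taken from the RBI text.
from datetime import datetime, timedelta, timezone

# Only categories listed here may ever be requested, each bound to the
# purposes that can justify it. Contacts, call logs, gallery and location
# are deliberately absent, so a request for them fails before any OS
# permission prompt is shown.
PERMITTED_PURPOSES = {
    "pan_number": {"kyc"},
    "bank_statement": {"credit_assessment"},
    "device_identifier": {"fraud_check"},
}


def day(n):
    """Constructed clock: n days after a fixed UTC epoch, for demos and tests."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=n)


class ConsentDenied(Exception):
    """Raised when a collection request is not need-based or purpose-bound."""


class ConsentRegistry:
    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)  # assumed statutory hold
        self._grants = {}   # (borrower_id, category) -> grant record
        self._closed = {}   # borrower_id -> loan closure timestamp
        self.events = []    # append-only decision log for audit

    def _log(self, ts, borrower_id, category, action, outcome):
        self.events.append({"ts": ts.isoformat(), "borrower": borrower_id,
                            "category": category, "action": action,
                            "outcome": outcome})

    def grant(self, borrower_id, category, purpose, ts):
        """Record explicit consent; the disclosed purpose is stored with it."""
        allowed = PERMITTED_PURPOSES.get(category)
        if allowed is None:
            self._log(ts, borrower_id, category, "grant", "denied_not_need_based")
            raise ConsentDenied(f"{category} is not a need-based data category")
        if purpose not in allowed:
            self._log(ts, borrower_id, category, "grant", "denied_purpose_mismatch")
            raise ConsentDenied(f"{category} cannot be collected for '{purpose}'")
        self._grants[(borrower_id, category)] = {
            "purpose": purpose, "granted_at": ts, "revoked_at": None}
        self._log(ts, borrower_id, category, "grant", purpose)

    def revoke(self, borrower_id, category, ts):
        """Withdrawal of consent takes effect immediately."""
        grant = self._grants.get((borrower_id, category))
        if grant is not None and grant["revoked_at"] is None:
            grant["revoked_at"] = ts
        self._log(ts, borrower_id, category, "revoke", "ok")

    def may_access(self, borrower_id, category, purpose, ts):
        """Access check: consent exists, is not revoked, and matches the purpose."""
        grant = self._grants.get((borrower_id, category))
        ok = (grant is not None and grant["revoked_at"] is None
              and grant["purpose"] == purpose)
        self._log(ts, borrower_id, category, "access:" + purpose,
                  "allowed" if ok else "denied")
        return ok

    def close_loan(self, borrower_id, ts):
        """Retention is counted from loan closure, not from consent."""
        self._closed[borrower_id] = ts

    def request_deletion(self, borrower_id, category, ts):
        """Honour deletion unless the loan is open or the retention hold is running."""
        closed_at = self._closed.get(borrower_id)
        if closed_at is None or ts < closed_at + self.retention:
            self._log(ts, borrower_id, category, "delete", "retained")
            return "retained"
        self._grants.pop((borrower_id, category), None)
        self._log(ts, borrower_id, category, "delete", "deleted")
        return "deleted"


if __name__ == "__main__":
    reg = ConsentRegistry(retention_days=365)
    reg.grant("b1", "pan_number", "kyc", day(0))
    print("kyc read:", reg.may_access("b1", "pan_number", "kyc", day(0)))
    print("marketing read:", reg.may_access("b1", "pan_number", "marketing", day(0)))
    reg.revoke("b1", "pan_number", day(1))
    print("after revoke:", reg.may_access("b1", "pan_number", "kyc", day(2)))
    for event in reg.events:
        print(event)
```

Two design choices matter here. The allow-list is keyed by purpose, so data consented to for KYC cannot later be read for marketing or recovery even though the app holds it. And deletion is a status, not a silent no-op: a "retained" answer is logged with the timestamp, which is what a partner lender or inspector will ask for when a borrower complains that a deletion request was ignored.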

Outsourcing Governance and LSP Regulation

Fintech companies function as Lending Service Providers under outsourcing arrangements with regulated entities, but regulatory accountability remains with the lender. Banks and NBFCs must conduct thorough due diligence on fintech partners, assessing their technical infrastructure, data protection standards, governance practices, and compliance history. Formal outsourcing agreements must define the scope of services, data handling responsibilities, confidentiality obligations, audit rights, and termination conditions.

Digital lending interfaces must clearly disclose the identity of the regulated lender to avoid customer confusion. Even when customer acquisition, onboarding, or servicing functions are performed by fintech platforms, the regulated entity remains responsible for grievance redressal, fair practices compliance, and regulatory reporting. This governance structure ensures operational control and prevents regulatory arbitrage.

Default Loss Guarantee and Credit Discipline

Default Loss Guarantee (DLG) arrangements allow fintech partners to share a portion of credit risk with regulated lenders, but they are subject to strict prudential limits and contractual safeguards. Regulated entities must conduct independent credit appraisal, maintain provisioning norms, and ensure that DLG does not substitute proper underwriting.

This framework preserves credit discipline by preventing excessive risk transfer to unregulated entities and ensuring that lending decisions are based on sound risk management practices. It also protects the financial system from unsustainable credit expansion driven by inadequate risk assessment.

Customer Protection and Fair Practices

The digital lending framework places strong emphasis on borrower protection throughout the loan lifecycle. Digital platforms must provide accessible grievance redressal mechanisms, including nodal officer contact details and defined timelines for complaint resolution. Recovery practices must be respectful, transparent, and non-coercive, with a strict prohibition on harassment, public shaming, or misuse of personal data.

Loan advertisements and digital interfaces must present accurate and complete information without misleading claims, hidden eligibility conditions, or dark patterns that manipulate user consent. Ethical communication and fair treatment enhance borrower trust and support long-term sustainability of digital lending models.

KYC, AML, and Digital Onboarding Compliance

Digital onboarding processes must comply with KYC and anti-money laundering requirements prescribed for regulated entities. Video-based customer identification and other non-face-to-face verification methods are permitted, provided they meet prescribed standards and maintain proper audit records.

Fintech systems must support transaction monitoring, customer due diligence, suspicious activity reporting, and record retention to prevent fraud, identity theft, and financial crime. Integrating AML controls into digital lending workflows ensures regulatory compliance while enabling seamless and secure customer onboarding.

Technology, Audit, and Reporting Requirements

A robust technology framework is essential for ensuring transparency, traceability, and regulatory compliance in digital lending operations. Fintech platforms must maintain detailed system logs that record every stage of the loan lifecycle, including customer consent, KYC verification, credit assessment, disbursal, repayment, and communication history. These audit trails enable regulated entities and supervisors to verify that disclosures were made correctly and that funds were transferred through authorised channels. Proper logging also supports internal audits, fraud detection, and customer dispute resolution.

  • Maintenance of Audit Trails: Digital lending systems should capture time-stamped records of consent, loan documentation, and transaction flows. These records must be securely stored and easily retrievable for regulatory inspections and partner lender reviews.

  • Algorithmic Accountability in Credit Decisioning: Automated credit scoring models must be transparent, documented, and periodically validated to ensure fairness and prevent discriminatory outcomes. Fintech companies should maintain model governance policies, testing reports, and version control.

  • Regulatory Reporting Obligations: Regulated entities are required to submit periodic reports on digital lending exposure, outsourcing arrangements, and risk controls. Accurate and structured system data is necessary to meet these reporting requirements.
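An audit trail that can be quietly edited after the fact gives a supervisor little assurance. The following is an added example, not code from the article or from any platform: an append-only log of loan lifecycle events in which each entry commits to the previous entry's SHA-256 digest, so that editing, deleting or reordering any earlier record is detectable at review time. It also answers the two questions the text says the trail must support, retrieving one loan's records for an inspection and checking that disbursal went straight from the regulated lender to the borrower's account. The loan identifier, timestamps, actor names, account labels and event details are all constructed.

```python
# Added example (not from the article): an append-only, hash-chained audit
# trail for loan lifecycle events. Each entry commits to the previous
# entry's digest, so any later edit or deletion of a record is detectable.
# Loan IDs, timestamps, actors and account labels are constructed.
import hashlib
import json

LIFECYCLE_STAGES = ("consent", "kyc", "credit_assessment", "disbursal",
                    "repayment", "communication")
GENESIS = "0" * 64


def _digest(entry):
    """Canonical JSON of the entry (without its own hash field), SHA-256 hex."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, ts, loan_id, stage, actor, details):
        """Append a time-stamped event and return its digest."""
        if stage not in LIFECYCLE_STAGES:
            raise ValueError(f"unknown lifecycle stage {stage!r}")
        entry = {
            "seq": len(self.entries),
            "ts": ts,            # ISO-8601 string, UTC
            "loan_id": loan_id,
            "stage": stage,
            "actor": actor,      # 'borrower', 'lsp' or 'regulated_lender'
            "details": details,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or _digest(entry) != entry["hash"]):
                return False, i
            prev = entry["hash"]
        return True, None

    def for_loan(self, loan_id, stage=None):
        """Retrieval for inspections: one loan's events, optionally one stage."""
        return [e for e in self.entries
                if e["loan_id"] == loan_id and (stage is None or e["stage"] == stage)]

    def disbursal_was_direct(self, loan_id):
        """True only if every disbursal went from the regulated lender's account
        to the borrower's own bank account, with no pass-through account."""
        events = self.for_loan(loan_id, "disbursal")
        return bool(events) and all(
            e["details"].get("from") == "regulated_lender_account"
            and e["details"].get("to") == "borrower_bank_account"
            for e in events)


def build_sample_trail():
    """Constructed lifecycle for one loan, used by the demo below."""
    trail = AuditTrail()
    trail.record("2024-03-01T09:00:00Z", "LN-0001", "consent", "borrower",
                 {"kfs_version": "v3", "accepted": True})
    trail.record("2024-03-01T09:05:00Z", "LN-0001", "kyc", "lsp",
                 {"method": "video_cip", "result": "pass"})
    trail.record("2024-03-01T09:20:00Z", "LN-0001", "credit_assessment", "lsp",
                 {"model": "score-v12", "decision": "approve"})
    trail.record("2024-03-01T10:00:00Z", "LN-0001", "disbursal", "regulated_lender",
                 {"amount": 100000, "from": "regulated_lender_account",
                  "to": "borrower_bank_account"})
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify(), "direct disbursal:", t.disbursal_was_direct("LN-0001"))
    t.entries[3]["details"]["amount"] = 90000   # simulate a later edit
    print("after tampering:", t.verify())
```

The chain makes tampering evident, not impossible: whoever holds the log can rewrite the entire chain from the modified entry onward. In practice the periodic head digest is therefore copied somewhere the LSP cannot alter on its own, for instance handed to the partner lender with each reporting cycle, which turns the chain into something the lender can independently check during due diligence or a dispute.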

Multi-Lender and Partnership Models

Digital lending structures increasingly operate through co-lending or multi-lender arrangements, where more than one regulated entity jointly funds a single loan. While this model improves credit availability and risk distribution, it also heightens the need for transparency and customer clarity. Borrowers must be clearly informed about the identity of each participating lender, the proportion of the loan funded by each, and their respective roles in servicing, repayment collection, and grievance handling. Without proper disclosure, customers may be unaware of their contractual obligations to multiple lenders, which can lead to disputes and regulatory concerns.

Disclosure in Co-Lending Arrangements

Digital lending platforms must prominently display the names of all regulated lenders involved in the transaction along with their funding shares. The loan agreement and Key Fact Statement should clearly specify which entity is responsible for disbursal, interest computation, customer support, and recovery processes. This ensures informed consent and prevents misrepresentation.

Unified Customer Interface

Even when multiple lenders are involved, the borrower should experience a single, integrated digital journey. The platform must provide a consolidated Key Fact Statement, a unified repayment schedule, and a single view of outstanding dues. This reduces operational confusion, improves customer experience, and ensures compliance with the transparency requirements of the RBI framework.

Compliance Governance for Fintech Companies

A strong compliance governance framework is essential for fintech companies operating in the digital lending ecosystem. Since they function as Lending Service Providers to regulated entities, they must ensure that their technology, data handling, customer communication, and outsourcing practices align with RBI requirements. Internal policies should cover data protection standards, cybersecurity controls, consent management systems, and clearly defined roles in outsourcing arrangements. This helps prevent regulatory breaches and builds trust with partner banks and NBFCs.

  • Internal Compliance: Fintech companies should establish structured policies for data governance, secure system architecture, access controls, and lawful data usage. Clear internal procedures ensure that loan journeys, customer onboarding, and disclosures remain compliant.

  • Periodic Internal Audits: Regular compliance audits should review Key Fact Statements, consent mechanisms, data access logs, and vendor performance. These reviews help identify gaps early and enable corrective action.

  • Documentation and Record Keeping: Maintaining LSP agreements, customer consent records, system logs, and audit reports ensures regulatory readiness and supports inspections by partner lenders and authorities.

Supervisory Risks and Consequences of Non-Compliance

Non-compliance with the RBI digital lending framework can lead to serious operational and regulatory consequences for both fintech companies and their partner banks or NBFCs. Since only regulated entities are permitted to lend, any failure by a fintech partner to follow data protection, disclosure, fund flow, or customer protection norms may result in the immediate termination of the outsourcing arrangement. This can disrupt business operations, customer servicing, and revenue models that depend on regulated lender partnerships.

In addition, lending applications that violate RBI guidelines may be removed from app stores or digital distribution platforms to prevent further customer onboarding. The regulator may also impose supervisory restrictions on the regulated entity, including limits on digital lending activities, enhanced compliance reporting, or penalties. Repeated or serious violations can damage the credibility of both the fintech platform and the lending institution, affecting future partnerships and market reputation.

Conclusion

The RBI Digital Lending Guidelines create a structured framework that brings transparency, accountability, and borrower protection to app-based credit. By requiring direct fund flows between lenders and borrowers, standardised Key Fact Statements, consent-based data collection, and strict outsourcing controls, the guidelines eliminate hidden charges and reduce the risk of data misuse. Fair recovery practices and grievance mechanisms further ensure that digital lending remains ethical and customer-centric, strengthening confidence in fintech-driven credit models.

For fintech companies, aligning technology systems, data governance policies, and customer communication with these regulatory requirements is essential for long-term sustainability. Compliance not only prevents regulatory action but also builds trust with partner banks and NBFCs. A transparent and well-governed lending platform enhances brand credibility, supports responsible innovation, and enables scalable growth in India’s evolving digital lending ecosystem.

Frequently Asked Questions (FAQs)

Q1. Can a fintech company lend directly to customers in India?

Ans. No. Only entities regulated by the Reserve Bank of India, such as banks and NBFCs, are permitted to undertake lending. Fintech companies can act only as Lending Service Providers by offering technology platforms, customer acquisition, underwriting support, and servicing functions under an outsourcing arrangement with a regulated lender.

Q2. What is the role of a Lending Service Provider (LSP)?

Ans. An LSP provides digital infrastructure, onboarding interfaces, credit scoring tools, customer support, and loan servicing on behalf of a regulated entity. However, it cannot disburse loans, hold borrower funds, or represent itself as the lender. The regulated entity remains legally responsible for compliance and customer protection.

Q3. Why is direct flow of funds mandatory in digital lending?

Ans. Direct disbursal from the regulated lender’s bank account to the borrower’s bank account ensures transparency and prevents misuse of funds. It eliminates intermediary pass-through accounts and creates a clear audit trail for regulatory monitoring and fraud prevention.

Q4. What is a Key Fact Statement (KFS) and why is it important?

Ans. The KFS is a standardised disclosure document that must be provided before loan execution. It contains the annual percentage rate, interest calculation method, total cost of borrowing, processing fees, and penal charges. It ensures informed consent and prevents hidden charges.

Q5. Are fintech apps allowed to access mobile contacts and photo galleries?

Ans. No. Digital lending applications can access only need-based data with explicit borrower consent. Access to contacts, media files, call logs, or location data is restricted unless it is essential for the lending process and clearly disclosed.

Q6. Can borrowers revoke consent for data collected by lending apps?

Ans. Yes. Borrowers have the right to withdraw consent and request deletion of their personal data, subject to legal record retention requirements. Fintech platforms must provide a clear mechanism for consent revocation.

Q7. What are the RBI rules on Default Loss Guarantee (DLG) arrangements?

Ans. DLG structures are permitted within specified limits and must be contractually documented. Regulated lenders must conduct independent credit assessments and maintain provisioning requirements. DLG cannot be used to bypass prudent underwriting standards.

Q8. Who is responsible for grievance redressal in digital lending?

Ans. The regulated lender is responsible for addressing customer complaints, even if services are provided through a fintech platform. Digital interfaces must display nodal officer contact details and grievance resolution timelines.

Q9. Are digital lenders required to provide a cooling-off period?

Ans. Yes. Borrowers must be given a cooling-off period during which they can exit the loan without penalty by repaying the principal and proportionate interest. This protects borrowers from mis-selling and impulsive borrowing.

Q10. What are the rules for recovery practices in digital lending?

Ans. Recovery must be fair, transparent, and non-coercive. Harassment through accessing personal contacts, public shaming, or misuse of borrower data is strictly prohibited. Recovery agents must follow respectful communication protocols.

CA Manish Mishra is the Co-Founder & CEO at GenZCFO. He is a highly sought-after professional for virtual CFO services to startups and established businesses across diverse sectors such as retail, manufacturing, food, and financial services, with over 20 years of experience in strategic financial planning, regulatory compliance, fundraising, and M&A.