The RBI issued the Regulation for Digital Lending on May 08, 2025, and it is effective immediately. The Regulations primarily deal with and regulate loans disbursed by Regulated Entities (REs) through digital modes, i.e., through Digital Lending Apps (DLAs) and websites. These regulations are important because the disbursement of loans through digital means has grown exponentially in the current scenario and shall be the preferred mode of lending in future. The REs are restricted in their use of borrowers' data and are required to protect it and prevent its misuse or sharing with third parties without the explicit consent of the borrowers.
The provisions included under these regulations deal with the following:
- REQUIREMENTS FOR RE-LSP ARRANGEMENTS/AGREEMENTS
- All arrangements with an LSP shall be made through a contractual agreement, and proper enhanced due diligence shall be conducted regarding the systems, procedures and past records of the LSP.
- Due diligence of the LSP and its procedures is often not conducted by REs; hence these guidelines provide for specific checks to be conducted by the RE on the LSP, which shall include:
- LSP’s technical capabilities,
- LSP’s robustness of data privacy policies and storage systems,
- Past records of conduct of LSP and its ability to comply with all applicable regulations and statutes.
- The RE can enter into an outsourcing agreement with the LSP, or can also appoint the LSP as its recovery agent, by complying with the guidelines and statutory provisions specified by the RBI in this regard.
- The LSP having multiple lenders in its fold shall ensure that (Note: this shall be applicable from November 01, 2025):
- They show all loan offers that match the borrower’s request on the DLA, along with the names of lenders whose offers didn’t match.
- The digital view of loan offers from matching lenders shall include the name(s) of the RE(s) extending the loan offer, amount and tenor of loan, APR, KFS, monthly repayment obligation and penal charges, in a way which enables the borrower to make a fair comparison between various offers.
- The LSP shall not directly or indirectly push the product of any particular RE and shall be unbiased and objective in showing all the loan products of all REs on its application.

- DUTIES OF REGULATED ENTITIES (RE)
- The RE must collect and record key borrower details like age, job, and income to assess creditworthiness before giving a loan. No credit limit should be increased unless the borrower explicitly requests it and the request is reviewed and recorded. The creditworthiness of borrowers shall therefore be evaluated by the RE itself and not outsourced to the LSP.
- Upon execution of the Loan Agreement the RE shall ensure that the documents automatically flow to the borrower on the registered and verified email/ SMS which shall include the KFS, sanction letter, summary of loan product, terms and conditions, account statements, privacy policies of the RE / LSP with respect to storage and usage of borrowers’ data, etc.
- The RE shall ensure that it has a functioning website which shall include in the public domain:
- Details of all of its digital lending products and its DLAs;
- Details of LSPs and the DLAs of the LSPs along with the details of the activities for which they have been engaged for;
- Particulars of RE’s customer care and internal grievance redressal mechanism;
- Link to RBI’s Complaint Management System (CMS) and Sachet Portal;
- Privacy policies and other details as required under extant guidelines of the Reserve Bank.
- Where recovery proceedings are initiated against the borrower, it shall be ensured that the details of the recovery agent are communicated to the borrower through email/SMS before the recovery agent contacts the borrower for recovery.
- LOAN DISBURSAL & REQUIREMENTS
- Loans must be disbursed directly into the borrower’s bank account only and not to any third-party accounts, including those of Lending Service Providers (LSPs), unless specifically allowed by regulations. Exceptions are allowed only in the following cases:
1. When required by RBI or other regulatory rules.
2. For co-lending transactions between regulated entities (REs).
3. For specific end-use purposes, where the money goes directly to the end beneficiary’s account.
- The borrower must repay the loan directly into the RE’s bank account; no third-party or pool accounts should be involved. Loan-related payments must not be routed through or controlled by any third party, including Lending Service Providers (LSPs). Any fees or charges due to the LSP must be paid by the RE directly, not collected from the borrower.
- GRIEVANCE REDRESSAL
- The RE and its LSP must appoint nodal grievance officers for handling digital lending complaints and their contact details must be clearly shown on the RE’s and LSP’s websites, the digital lending app (DLA), and in the Key Fact Statement (KFS). Borrowers should be able to file complaints through the app and websites, but the RE remains responsible for resolving all issues.
- In case the borrower is not satisfied with the reply; or the borrower has not received any reply within 30 days of receipt of complaint by the RE, the said borrower can lodge a complaint over the Complaint Management System (CMS) portal under the Reserve Bank-Integrated Ombudsman Scheme (RB-IOS) or send a physical complaint to the RBI Office.
- PRIVACY POLICIES AND USAGE OF DATA
- The consent of the borrower shall be obtained before sharing personal information with any third party, and the purpose for which the data is taken shall be intimated at each stage of the borrower's application, along with an option to give or deny consent for use of specific data, restrict disclosure to third parties, restrict data retention, revoke consent already granted to collect personal data and, if required, make the RE/LSP delete/forget the data.
- REs must ensure that their own DLAs and those of their LSPs collect only necessary data, with the borrower’s clear consent and proper records. DLAs must not access phone files, contacts, call logs, etc. However, one-time access to camera, mic, or location is allowed only for onboarding or KYC, with the borrower’s consent.
- Responsibility for the data privacy and security of the customer’s personal information on an ongoing basis shall be that of the RE. Hence it shall ensure that it has a comprehensive privacy policy compliant with applicable laws, associated regulations and RBI guidelines, which shall be made publicly available on the website of the RE and LSP, as the case may be, and which shall also include details of the third parties that are allowed to collect such personal information of borrowers.
- REPORTING REQUIREMENTS TO RBI
- There are no major implied changes to reporting to CICs by the RE, and such reporting shall flow as per the guidelines specified by the RBI.
- The RE shall report all DLAs deployed/joined by it, whether its own or those of the LSPs, either exclusively or as a platform participant, on the Centralised Information Management System (CIMS) portal of RBI, and the same shall be updated as and when additional DLAs are deployed.
- The Chief Compliance Officer/other official designated by the Board of the RE shall certify that:
- the data on DLAs submitted by them on the CIMS portal is correct and the DLAs are compliant with all the extant regulatory instructions.
- DLAs (in case owned by LSP), have appointed a suitable nodal grievance redressal officer to deal with digital lending related complaints/ issues raised by the borrower.
- DLA’s particulars submitted by the RE are also suitably disclosed on the RE’s website.
Note: The provisions under this point are applicable from June 15, 2025.
- DEFAULT LOSS GUARANTEE (DLG)
- There is no major change from the existing guidelines relating to the DLG schemes and this Regulation provides a consolidation of such existing regulations.
- Before entering into a DLG agreement, the RE shall ensure that it includes a declaration from the DLG provider, certified by the statutory auditor of the DLG provider, on the aggregate DLG amount outstanding, the number of REs and the respective number of portfolios against which DLG has been provided. The declaration shall also contain past default rates on similar portfolios.
- Even if a loan is covered by a Default Loss Guarantee (DLG), the Regulated Entity (RE) must still carry out proper credit checks and assess the borrower’s ability to repay. The DLG should not replace the need for thorough credit appraisal and strong underwriting standards.


