Digital Lending and the Changing Face of Banking Regulation in India: Between Financial Inclusion and Consumer Protection

Introduction

Banking law, like the banks it governs, is built on trust. It embodies what Walter Bagehot once called “the delicate machinery of confidence”, an intricate balance between credit expansion and legal control. In modern India, that machinery stands at a critical inflection point. The digital revolution, which has transformed communication and commerce, has now entered the financial bloodstream through digital lending.

Mobile applications, fintech platforms, and non-bank entities now disburse loans in seconds, often without the borrower ever entering a branch. While this democratization of credit aligns with the government’s financial inclusion agenda, it also challenges the regulatory foundations of banking law built under statutes such as the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, and the Negotiable Instruments Act, 1881.

This blog examines the legal and doctrinal transformation unfolding within Indian banking law as digital lending redefines the roles of banks, intermediaries, and consumers. It explores the intersection of financial innovation and legal accountability, tracing how core banking principles (fiduciary duty, regulatory oversight, and consumer protection) adapt to an ecosystem increasingly governed by algorithms rather than tellers.

The Foundations of Banking Law: Trust, Regulation, and Public Interest

The classical framework of banking law rests on three fundamental pillars: acceptance of deposits, lending of funds, and regulation in the public interest. Section 5(b) of the Banking Regulation Act, 1949 defines banking as “accepting, for the purpose of lending or investment, of deposits of money from the public.”

Historically, banking law evolved to protect depositors and maintain systemic stability. The relationship between banker and customer, while contractual, has always carried fiduciary undertones. The Supreme Court in Canara Bank v. Union of India (2005 5 SCC 773) observed that “the banker-customer relationship is not a mere commercial transaction but one of trust and confidence.”

From this principle of trust flows the legal duty of the banker to act prudently, maintain confidentiality, and ensure fair dealing. These obligations, codified through regulatory supervision by the Reserve Bank of India (RBI), form the moral architecture of banking law.

Yet, as banking migrates from vaults to virtual platforms, the locus of trust shifts from the institution to the interface. Law must therefore ensure that technology does not erode the fiduciary essence of banking; it must make digital confidence as robust as physical trust.

The Rise of Digital Lending: Disintermediation and the New Financial Order

Digital lending refers to the process of issuing credit primarily through digital channels: mobile applications, fintech platforms, or NBFC-partnered ecosystems. The defining features are speed, automation, and minimal physical interaction.

India’s digital lending market, estimated by the RBI to reach USD 350 billion by 2026, reflects a global trend toward disintermediation, the gradual bypassing of traditional banks in favour of technology intermediaries. Non-bank entities now act as “loan service providers” (LSPs), sourcing customers and facilitating credit on behalf of regulated banks or NBFCs.

However, this innovation blurs long-standing legal boundaries. The Banking Regulation Act envisaged a world of identifiable banks, not code-driven ecosystems. Lending through digital apps often involves third-party data processing, algorithmic risk assessment, and cross-border cloud storage, realities unimagined when the Act was framed in 1949.

This shift raises fundamental legal questions:

1. Who bears responsibility when a loan app misuses data or imposes hidden charges?

2. How should “outsourced” credit activity be regulated when the ultimate decision lies with software?

3. Can existing banking law, designed for human judgment, accommodate machine-led finance?

The RBI’s Guidelines on Digital Lending (2022) represent India’s first comprehensive attempt to answer these questions by reasserting that the regulated entity, not the fintech partner, remains legally accountable for all digital lending operations.

Legal Character of Banker-Customer Relationship in the Digital Context

At the doctrinal level, the banker–customer relationship encompasses multiple facets: debtor–creditor, agent–principal, bailor–bailee, and trustee–beneficiary, depending on the transaction. These classical relationships, grounded in contract and trust, now acquire new dimensions in digital banking.

For instance, in traditional banking, consent is explicit: customers sign forms, receive receipts, and understand terms. In digital lending, consent often hides behind opaque “terms and conditions”, making informed consent more a legal fiction than a practical reality. The Information Technology Act, 2000 recognizes electronic contracts, but the jurisprudence of free consent under Section 13 of the Indian Contract Act, 1872 faces fresh tests in this digital terrain.

Moreover, the duty of confidentiality, affirmed in Tournier v. National Provincial and Union Bank of England (1924 1 KB 461), now extends to digital data. In India, data protection obligations derive from the Digital Personal Data Protection Act, 2023, yet sector-specific norms under RBI circulars impose parallel confidentiality requirements.

Hence, banking law’s core fiduciary principle, trust, now converges with data privacy law. Banks and fintechs must safeguard not only money but also information, recognizing that in the digital age, data is the new deposit.

The Regulatory Architecture: RBI’s Expanding Mandate

The Reserve Bank of India, as the apex monetary and banking regulator, derives authority from the RBI Act, 1934 and the Banking Regulation Act, 1949. Its functions have expanded from monetary control to encompass consumer protection and digital supervision.

The RBI Digital Lending Guidelines (2022) and subsequent clarifications (2023) introduced three cardinal principles:

1. Transparency: All loan disbursements and repayments must flow directly between the borrower’s bank account and the regulated entity’s account, eliminating LSP intervention.

2. Accountability: The regulated entity remains wholly responsible for the actions of its digital partners.

3. Data Protection: Borrower data can be collected only with explicit consent and for disclosed purposes.

These guidelines reflect an evolution from entity-based regulation to activity-based regulation, a recognition that risks arise not from who performs the activity but from how it is performed.

The RBI also established the Digital Payment Security Controls (2021), Outsourcing of IT Services Directions (2023), and Cybersecurity Framework for Banks (2016), collectively forming a layered regulatory matrix.

This demonstrates a constitutional continuity: while technology transforms financial behaviour, the regulatory goal, financial stability and consumer confidence, remains immutable.

Financial Inclusion versus Consumer Protection: The Policy Paradox

Digital lending has undeniably deepened financial inclusion. Instant micro-credit, buy-now-pay-later (BNPL) schemes, and app-based loans have reached unbanked populations and small businesses previously excluded from formal credit.

However, this expansion also spawned predatory lending practices with exorbitant interest rates, hidden charges, and coercive recovery methods. Reports from the RBI Working Group on Digital Lending (2021) revealed over 1,100 illegal lending apps operating in India, many linked to offshore entities.

This creates a policy paradox. The state’s commitment to inclusion under Article 38 of the Constitution must coexist with its obligation to protect consumers under Article 21’s right to life and dignity.

Banking law, thus, becomes the balancing instrument. The RBI’s 2022 guidelines sought to protect consumers without stifling innovation, mandating:

1. Clear disclosure of interest rates and fees,

2. Cooling-off periods for borrowers,

3. Restrictions on automatic credit lines,

4. Ban on unauthorised data scraping.

This reflects a broader jurisprudential evolution: from financial liberalization to financial literacy. Law’s role is no longer merely to permit banking but to ensure it remains humane.

Non-Bank Financial Companies (NBFCs) and Shadow Banking Risks

NBFCs occupy a unique position in India’s financial ecosystem, bridging the gap between formal banks and informal lenders. Their role in digital lending is particularly significant, as many fintech platforms operate through NBFC partnerships.

However, NBFCs are regulated under a lighter regime compared to banks. The RBI Act, 1934 empowers the RBI to register and supervise NBFCs, but prudential norms such as CRR (Cash Reserve Ratio) and SLR (Statutory Liquidity Ratio) do not apply. This regulatory asymmetry can amplify systemic risk when digital credit proliferates unchecked.

The IL&FS and DHFL crises demonstrated how liquidity shocks in NBFCs can destabilize the financial system. In response, the RBI introduced a Scale-Based Regulatory Framework (2021), classifying NBFCs into four layers (Base, Middle, Upper, and Top), each subject to escalating supervision.

Digital NBFCs, often leveraging algorithmic underwriting, fall under the “Upper Layer,” reflecting their systemic importance. Through this, Indian banking regulation seeks to preserve functional parity, ensuring that entities performing similar activities face similar oversight, regardless of technological form.

Cybersecurity and Legal Accountability in Digital Finance

As banking migrates online, cybersecurity emerges as the new frontier of fiduciary responsibility. The Information Technology Act, 2000, under Sections 43A and 66, prescribes liability for failure to protect data and for unauthorized access.

However, the practical application of these provisions to digital lending is complex. Cyber incidents may arise from external hacking or internal negligence, raising questions about attribution and standard of care.

RBI’s Cybersecurity Framework for Banks (2016) and IT Outsourcing Directions (2023) mandate:

1. Board-level oversight of cyber risk,

2. Periodic vulnerability assessments,

3. Reporting of breaches within six hours.

Yet, enforcement remains uneven, especially among smaller NBFCs and fintechs. The 2024 CERT-In report noted that financial sector breaches rose by 32% in one year, with phishing and identity theft as primary causes.

This reality reframes the banker’s traditional duty of care. In the digital age, prudence is measured not by lock and key, but by firewall and encryption. Banking law must now define negligence not merely as an omission in record-keeping but as a failure to implement adequate cyber hygiene.

Data Protection and the Right to Privacy

The Supreme Court’s landmark judgment in K.S. Puttaswamy v. Union of India (2017 10 SCC 1) elevated privacy to a fundamental right under Article 21. For banking law, this constitutional shift redefines the contours of confidentiality.

Where earlier, confidentiality was a contractual duty, it is now a constitutional imperative. The Digital Personal Data Protection Act, 2023 operationalizes this right, mandating lawful processing, consent, and purpose limitation.

Banks and digital lenders are classified as “data fiduciaries,” bearing the responsibility to handle personal data fairly and securely. Violations attract penalties up to ₹250 crore under Section 33 of the Act.

This convergence of banking regulation and data protection transforms the moral character of banking law: it is no longer about safeguarding capital alone but also about preserving informational dignity. As Justice Brandeis once wrote, “The right to be let alone is the most comprehensive of rights and the right most valued by civilized men.”

In the financial context, it is the right not to have one’s digital footprint turned into a financial weapon.

Consumer Disputes and Legal Remedies

Digital lending has given rise to novel disputes: unauthorized deductions, algorithmic bias in credit scoring, and abusive recovery practices. Traditional legal remedies under the Consumer Protection Act, 2019, and the Banking Ombudsman Scheme now coexist with new grievance redressal channels.

Under the Integrated Ombudsman Scheme, 2021, the RBI merged sector-specific ombudsman frameworks into one unified system. Borrowers can now lodge complaints online for issues such as misrepresentation, hidden charges, or breach of confidentiality.

Courts, too, have begun adapting to digital realities. In RBI v. Sahara India Financial Corporation Ltd. (2012 10 SCC 603), the Supreme Court reaffirmed the RBI’s primacy in protecting public interest even against large financial conglomerates. More recently, High Courts have directed digital lenders to refund illegally charged fees and to cease coercive recovery calls.

Yet, the challenge remains structural: lawsuits are slow, consumers are under-informed, and technology evolves faster than jurisprudence. Effective consumer protection in digital banking thus requires pre-emptive regulation rather than reactive litigation.

The Future of Banking Regulation: Toward a Principles-Based Regime

Indian banking law has traditionally followed a rule-based model, prescribing specific conduct. However, as technology diversifies, prescriptive rules struggle to keep pace. The global regulatory consensus is shifting toward a principles-based approach, emphasizing accountability over compliance.

Such a model, already reflected in the Basel III framework and the RBI’s Regulatory Sandbox Guidelines (2019), encourages innovation within defined ethical boundaries. Fintechs can experiment with new credit models, but must demonstrate consumer fairness, risk transparency, and data protection.

In essence, law must move from “permission to operate” to “responsibility to operate.” As the Canadian jurist Bora Laskin aptly noted, “The purpose of regulation is not to restrain enterprise but to ensure that enterprise restrains itself.”

For India, this means harmonizing three objectives:

1. Inclusion: Ensuring that every citizen can access affordable credit.

2. Integrity: Maintaining systemic stability and preventing misuse.

3. Innovation: Allowing technology to flourish under the shadow of legality.

Comparative Glimpses: Global Trends and Indian Adaptation

Globally, jurisdictions grapple with similar dilemmas. The European Union’s Digital Operational Resilience Act (DORA 2022) and the PSD2 Directive impose strict cybersecurity and data-sharing norms on digital lenders. The United States, through its Consumer Financial Protection Bureau (CFPB), focuses on algorithmic fairness and transparency in credit scoring.

India’s approach remains more evolutionary: incremental reforms under RBI supervision rather than legislative overhaul. However, as digital lending crosses national boundaries, harmonization of standards becomes inevitable.

The Financial Stability Board (FSB) has urged coordinated supervision of BigTech lending, warning that concentration of data and credit in a few platforms could threaten monetary transmission and consumer sovereignty alike.

For India, whose fintech ecosystem is among the world’s fastest growing, participation in such global norm-setting forums will determine whether its banking law remains merely reactive or truly visionary.

Conclusion

India’s digital lending revolution marks a watershed in the history of its banking law. It transforms the banker’s ledger into a line of code, and the vault into a cloud. Yet, beneath these technological shifts, the legal fundamentals endure: fiduciary duty, prudence, accountability, and fairness.

The challenge is not to resist digitization but to govern it with moral and legal clarity. The RBI’s evolving framework, rooted in transparency, responsibility, and consumer dignity, signals a regulatory philosophy that blends the old and the new.

As the financial landscape grows more virtual, the law must remain human. In the words of Justice Krishna Iyer, “Law is not a static shrine but a living stream that must move with life and yet retain its moral direction.”

Digital lending can either deepen financial democracy or create new inequalities. The future of banking law will be measured not by how swiftly it adapts to technology, but by how steadfastly it upholds the values that made banking a profession of trust.

*****

Author:  Akhand Kuldeep Singh | 4th year B.A. LLB Student | Institute of Law, Nirma University, Ahmedabad.

