FinTechGuidelines on Digital Lending by RBI – Paving the Way for New Age of Lending in India

October 21, 20220


In this fast-moving world, user convenience and seamlessness is shifting everything to digitalization. This era of digitalization has an impact over various aspects of our lives including finance. Over the past years the Lending sector has witnessed exponential growth and with the introduction of Digital Lending Platform, the business of lending has metamorphosed into a different shape altogether.

Digital lending is the process of obtaining credit online, with just 3 minute to think, 1 minute to transfer and 0 human touch. Its growing popularity among new-age lenders can be attributed to the expansion of smartphones, credit range flexibility, and speedier online transactions.

The Reserve Bank of India (herein referred as “RBI”) recently has issued guidelines for Digital Lending Platforms, to bring in a robust regulatory framework, especially for the protection of data and to ensure that digital applications are not misused.

In this article, we attempt to discuss what was the need for such guidelines, what are the guidelines and how will help revolutionize the sector of Lending in India. 


In the recent years the Digital lending channels have rapidly gained popularity and the rapid growth of Digital Lending Platforms, have also resulted in the rise of risk of cyber crimes, data theft, data manipulation etc., the RBI shared the same concern and stated, if these concerns are not addressed, then it could damage the public’s confidence in the ecosystem of digital lending.

In light of this, the RBI established the Working Group on Digital Lending (herein referred as “WGDL”) on 13.01.2022 which included Lending through Online platforms and Mobile Apps.

These guidelines, issued by the RBI on 02.09.2022 is an extension to the strategy highlighted by the RBI in the Press Release on 10.08.2022 wherein RBI has reaffirmed that the banks and NBFCs are required to ensure that all service providers they employ abide by the legal standards outlined in these guidelines.

RBI has placed the lenders into three categories:

  • Entities regulated by the RBI and permitted to carry out lending business;
  • Entities authorized to carry out a lending as per other statutory/regulatory provisions but not regulated by RBI;
  • Entities lending outside the purview of any statutory/ regulatory provisions.


1.Customer Protection and Conduct Issues

i. All loan payments and disbursements must only be made through the borrower’s and Regulated Entities (hereinafter referred as “RE”) respective bank accounts and not via pass-through or pool accounts of the Lending Service Provider (hereinafter referred as “LSP”) or any other party.

ii. All fees, charges, and other amounts due to LSPs during the credit intermediation process will be paid directly by the RE and not the borrower.

iii. The borrower must get Standardized Key Facts (hereinafter referred as “KFS”) before signing the loan contract.

iv. The All-inclusive cost of the digital loan must be disposed to the borrowers in the form of the Annual Percentage Rate (hereinafter referred as “APR”). APR must also form part of KFS.

v. Automatic credit limit increases without the borrower’s expressed consent are forbidden.

vi. To handle complaints relating to FinTech and Digital Lending, REs must make sure that both they and the LSPs they have engaged have access to an appropriate nodal Grievance Redressal Officer (hereinafter referred to as “GRO”). The GRO would also handle complaints against their respective Digital Lending Applications (hereinafter referred as “DLA”). The GRO shall be prominently indicated on the website of RE, its LSPs, and on DLAs.

vii. According to RBI regulations, if a borrower’s issue is not resolved by the RE within the allotted time frame (currently 30 days), he or she may file a complaint through the Reserve Bank-Integrated Ombudsman Scheme (hereinafter referred to as “RBI-IOS”).

2. Technology and Data Requirements

i. Data gathered by DLAs must be need-based, have clear audit trails, and be done exclusively with the borrower’s expressed prior consent.

ii. Borrowers may be given the choice of accepting or declining consent for the use of certain data, as well as the ability to revoke previously granted consent, in addition to the choice of having their data deleted by the DLAs/LSPs.

iii. These guidelines also require REs to check that the DLAs have a thorough privacy policy in place with rules to handle with breaches.

iv. It must also be ensured by the REs that all data is stored in servers located within India while ensuring compliance with statutory and regulatory obligations.

3. Regulatory Framework

i. Any lending obtained through DLAs (either of the RE or of the LSP engaged by RE) is obliged to be reported to Credit Information Companies (hereinafter referred as “CIC”) by REs irrespective of its nature or tenor.

ii. The REs is required to report to CICs and new digital lending products to merchant platforms that involve short-term credit or deferred payments.


Only a handful of the Report’s recommendations were carried out in the Press Release, herein below, we have listed some of the noteworthy recommendations that the RBI and/or stakeholders are still reviewing.

    • First-loss-default-guarantee (hereinafter referred to asFLDG”): The Report had advised against the REs engaging in any agreements involving synthetic lending structures like FLDG when their balance sheets are utilised by unregulated firms in any way to take credit risk. Although this advice has been accepted by the RBI in principle, the Press Release is still being reviewed before it is put into effect.
    • Requirements for baseline technology and data: The RBI is developing baseline technology standards for DLAs, which will include (i) secure application logic; (ii) keeping auditable logs of each action a user takes, along with their IP address and device information; (iii) monitoring of transactions being carried out through the DLA; and (iv) multi-step approval for critical activities carried out on the DLA.
    • Self-regulatory organisation (hereinafter referred to as “SRO”): According to the Report, an SRO should be established to regulate REs, DLAs, and LSPs operating in the ecosystem of online lending which is also still under review
    • Digital India Trust Agency (hereinafter referred to as “DIGITA”): The Report suggested creating a nodal agency, i.e., DIGITA, to examine the technical qualifications of DLAs and to keep a public database of approved DLAs on its website. The report suggested that for the purposes of law enforcement, applications that lack a DIGITA “certified” signature be regarded as unlawful. According to the RBI, the Government of India and other stakeholders must be involved in order for this advice to be implemented.



Since the primary objective of guidelines is to control the illegal lending activities of digital lenders and LSPs, their range of application extends beyond entities regulated by RBI but also includes LSPs engaged by REs, DLAs of REs, borrowers and credit information companies.

The guideline presents a challenge for the new generation of BNPL players because it requires them to report every payment as a loan to credit bureaus. Retail consumer borrowers are drawn to BNPL lenders’ products because they have positioned them as deferred payments rather than loans. The positioning of the products and marketing strategy of these players will need to change in order to implement these recommendations.

Few of the principles will have an impact on the business model and operations of some of the FinTech lenders, as many FinTech companies would implement some of these guidelines as a part of their good management practices. The lending institutions’ operations would noticeably change, and the implementation would result in higher operational costs.

  • Guidelines on Digital Lending to Banks and NBFCs

The Guidelines outline a number of compliances that banks and NBFCs must adhere to when working with third-party service providers (who may help with customer acquisition, underwriting support, portfolio monitoring, and loan recovery) and lending through digital lending applications or platforms. . The RBI has reaffirmed that banks and NBFCs are required to make sure that all service providers they employ abide by the legal standards outlined in the Guidelines.

Although the many compliances stated in the Guidelines are consistent with those in the press release listed  below are a few important characteristics, including those that differ from the press release:

  • Implementation of Time-lines

The RBI has stated that the Guidelines will take effect for “existing customers availing fresh loans” as well as “new consumers getting onboarded” as of the notification date, which is 02.09.2022. For existing digital loans approved before the notification date, the RBI has given banks and NBFCs until  30.11.2022 to put in place the necessary systems and procedures for compliance. The absence of a general transition period (for both existing and new customers) could result in the hasty implementation of the various compliance requirements prescribed under the Guidelines..

  • Loss Sharing arrangement in case of default

In the press release, the RBI stated that it was reviewing the working group’s recommendation to prohibit FLDG arrangements from the market and that, in the interim, banks and NBFCs entering into FLDG arrangements must abide by the Reserve Bank of India (Securitization of Standard Assets) Direction 2021 (Securitization Guidelines).

This showed that the RBI was still examining the practice in the industry of banks and NBFCs receiving FLDG comfort from lending service providers (who are not directly regulated or supervised by the RBI).  But it was unclear as to what specific compliances under the Securitization Guidelines banks and NBFCs must adhere to in order to provide lenders FLDG comfort.

  • Flow of Funds

All funds related to loan disbursement and repayment must flow directly between the bank accounts of the lender and borrower, without any pass-through or pool accounts of any third party, according to a rule established by the RBI. There are a few exceptions to this general rule, including

a. co-lending transactions carried out by banks and NBFCs in accordance with the existing regulatory guidelines issued by the RBI,

b. disbursements covered exclusively by the statutory or regulatory mandate of the RBI or any other regulator, and

c. disbursements to third parties in accordance with particular end-uses of the loans (provided the loans are disbursed into the bank accounts of the relevant end-beneficiaries).

Thus, these exceptions or carve-outs provided by the RBI do not specifically cover any repayments made by borrowers through digital payment methods offered by payment service providers/payment aggregators 


The RBI in the guise of these guidelines intends to create a legal structure to encourage the orderly development of digital lending by improving the ecosystem’s transparency, effectiveness, and discipline.

Hence these guidelines are a positive step toward protecting customers of digital lending who have previously experienced harsh treatment and excessive harassment at the hands of some market participants. The RBI has made it very clear that digital lenders must be entirely transparent when disclosing the characteristics of the loan product and any associated terms and conditions. A grievance redressal officer must be appointed by banks, NBFCs, loan service providers, and fintech platforms in order to handle any customer concerns.

Although, these measures will go a long way toward boosting consumer trust and confidence in the Indian digital lending ecosystem, the RBI needs to take another look at a few issues, like FLDG and fund flows, to ensure that all parties involved in digital lending are effectively contributing to the goal of greater financial inclusion.

– Team AMLEGALS assisted by Ms. Pratishtha Vaidhya (Intern)

For any queries or feedback, please feel free to get in touch with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.