Abstract
The Reserve Bank of India (Digital Lending) Directions, 2025 aims at enhancing transparency, borrower protection, and systemic accountability, marking a significant evolution in regulating the digital lending industry from not only a financial but also from a data-governance perspective. This article analyses the key changes introduced and critically evaluates their strengths and drawbacks. While the Directions offer much-needed structure to a rapidly growing sector, they also raise concerns around implementation, data governance, and fintech flexibility. The author concludes with recommendations for both the regulators and the industry stakeholders to enable balanced and inclusive digital lending growth.
Introduction
The growth of digital lending in India over the past decade has fundamentally reshaped how credit is originated, delivered and repaid, particularly after the rise of digital transactions post-COVID-19. This is enabled by embedded finance, which includes mobile devices, data-driven credit scoring and non-traditional distribution channels. The most significant contribution of this transition is the widespread access to the previously underserved sections of society. Digital lending refers to the remote, technology-enabled disbursal of loans, often via Digital Lending Apps (“DLAs”), operated by Lending Service Providers (“LSPs”) on behalf of Regulated Entities (“REs”) like banks and Non-Banking Financial Companies (“NBFCs”) under the supervision of the Reserve Bank of India (“RBI”). However, this rapid evolution has also exposed serious regulatory and consumer protection challenges, particularly with respect to the large amounts of sensitive personal data that are being used for processing.
To address these rising concerns, the RBI issued the Guidelines on Digital Lending in 2022. While being a significant step, these guidelines did not fully encompass the needs of the fast-growing sector, which led to the release of the more detailed Reserve Bank of India (Digital Lending) Directions, 2025 (“Directions”), on May 08, 2025. This provides a more detailed and enhanced approach to address the gaps in the former guidelines.
Through this article, the author shall first explain the key changes in the framework. Second, the author shall highlight the drawbacks of these key provisions and provide suggestions to overcome the same. Finally, the author shall conclude by providing suggestions for the industry stakeholders and the regulators.
Salient Reforms in the 2025 Directions
Enhanced REs – LSPs Relationship
The Directions, while expanding the scope of regulation to include All-India Financial Institutions in addition to the commercial banks, co-operative banks and NBFCs, introduce a mandatory contractual agreement between the REs while engaging LSPs, coupled with comprehensive due diligence and continuous monitoring. In case of multiple lender arrangements facilitated by LSPs, they are now required to offer a transparent digital interface allowing borrowers to compare the loan offers on uniform parameters.
Data Privacy and Security
REs are now required to conduct a minimum creditworthiness assessment using data such as age. income and occupation before disbursing loans. This can be done by employing software systems that can collect and analyse user data and enable automated decision-making. While this brings in efficiency in the system, it also raises concerns revolving around the manner and modes of processing the sensitive financial information required for this purpose. To address this, the Directions include comprehensive data privacy and security provisions which include explicit consent, purpose limitation, storage limitation, data localisation and necessary technology integration for cybersecurity. It also mandates that data stored in servers outside India shall be deleted and brought back to India within 24 hours of processing.
Direct Transactions and Disclosure Requirements
The Directions mandate that loans are disbursed and repaid directly into the bank account of the borrowers and lender, respectively, except for those covered under statutory or regulatory mandates. In case of delinquent loans, the REs can now deploy a physical interface to recover the cash, wherever necessary. In case a recovery agent is assigned, the details of the same are to be communicated to the borrowers through email or SMS before the recovery agent contacts the borrower, along with the other necessary disclosures.
Mandatory Reporting
The Directions, to enhance transparency and accountability, mandate that all lending activity must be reported to the Credit Information Companies (CICs). It also required all REs to report all Digital Lending Apps (DLAs) they use or participate in, whether owned directly by the RE or operated by LSPs, to the Centralised Information Management System (CIMS) portal of the RBI. To ensure the accuracy and integrity of this data, the Chief Compliance Officer (CCO) of the RE or another designated officer must certify the correctness of the submitted details and confirm that each DLA is fully compliant with the applicable regulatory framework. This data shall be published automatically in the public domain without any validation or vetting by the RBI.
Grievance Redressal
In case of any grievances arising out of such processing, the same shall be addressed by dedicated nodal grievance officers appointed by the REs and LSPs interfacing with the borrowers. The unresolved complaints can be escalated to the RBI either physically or through the RBI’s Complaint Management Systems (CMS).
Cooling-off period & Default Loss Guarantee
The Directions further strengthen the borrower autonomy by allowing a mandatory minimum one-day cooling-off period during which the borrowers may exit the loan without a penalty. It also prohibits an automatic increase in the credit limit without the borrower’s formal request. At the same time, it protects the REs by allowing them to enter into Default Loss Guarantee Arrangements (DLGs) for a maximum of 5% of the disbursed value of the loan portfolio in question.
Critical Appraisal of the Revised Framework and its Implications
While the Directions provide for due diligence, contractual clarity, mandatory reporting and data protection, which enhance the transparency and accountability throughout the lifecycle of digital lending, it creates an implementation burden and is laden with various challenges.
Firstly, it imposes a significant compliance and technological burden on REs and LSPs, potentially leading to market exits or forced consolidation among less-resourced entities. This is one of the major concerns as stakeholders are startups or small growing companies that shall face operational and financial challenges owing to these Directions.
To mitigate this, the RBI could consider introducing a tiered or phased compliance framework based on the size and scale of entities, allowing the smaller players more time to support and meet compliance obligations without becoming a hurdle to their innovation. On the other hand, the concerned stakeholders can build shared compliance frameworks by leveraging Reg-Tech solutions and outsourcing non-core compliance functions. Entities like the Unified Fintech Forum can play a significant role in enabling this collaboration.
Secondly, the RBI’s decision to release the data without vetting and validation to the public domain may lead to under-reporting, particularly where the internal governance is weak. This can be addressed by targeted inspections and penalties for non-compliance to deter under-reporting or false submissions. Further, requiring third-party attestations by recognised entities for high-volume lenders can help increase reporting accuracy.
Thirdly, the prohibition on intermediary fund routing could inadvertently constrain the fintech models in embedded finance or merchant-led lending, unless future clarifications provide relief. To avoid any potential constraint, the RBI can issue clarificatory guidelines or carve-outs for well-regulated fund flows such as escrow accounts, co-lending arrangements that ensure transparency without compromising end-user protection.
Fourthly, the collection and processing of such vast amounts of sensitive personal and financial data would attract regulatory compliance requirements of overlapping frameworks, including but not limited to the Digital Personal Data Protection Act, 2023 and the Draft Digital Personal Data Protection Rules, 2025. While ensuring compliance with the data privacy and security provisions of these Directions, entities should also look out for overlapping applicable regulations like these and ensure compliance in order to avoid penalties.
Lastly, due to the increased processing of sensitive personal data, the monitoring and enforcement may become an administrative challenge for the regulator due to the large number of market players. While this is inevitable, the RBI should invest in the automation of data monitoring and risk flagging in the meantime. A risk-based surveillance framework where high-risk entities face greater scrutiny can lead to more efficient enforcement.
Conclusion
The RBI’s Digital Lending Directions, 2025, represent a pivotal shift towards formalising and de-risking India’s fast-evolving digital lending industry. By enhancing borrower protections, tightening oversight of RE-LSP relationships, mandating transparent disclosures, and creating a structured regime for default loss guarantees, the Directions aim to balance innovation with accountability. However, the framework’s implementation poses material challenges, particularly for smaller players grappling with compliance-heavy obligations, evolving fund flow norms, and the complexities of data governance.
Addressing these concerns shall require proactive engagement from both regulators and industry stakeholders. The RBI can play a catalytic role by adopting phased implementation timelines, clarifying grey areas, and investing in supervisory technologies. Simultaneously, the industry must take responsibility for building internal compliance governance and adopting ethical lending practices. A collaborative, iterative approach will be essential to ensure that the Directions not only mitigate risks but also preserve the innovation and inclusiveness that have defined India’s digital lending industry.
(This post has been authored by Shambhavi Anand, a student at NLIU, Bhopal)
CITE AS: Shambhavi Anand, ‘RBI’s 2025 Digital Lending Directions: A New Framework for Trust and Transparency’ (The Contemporary Law Forum, 24 June 2025) <https://tclf.in/2025/06/24/rbis-2025-digital-lending-directions-a-new-framework-for-trust-and-transparency/>date of access.