RBI’s Proposed Responsible Business Conduct revisions: Recovery Practices and Device-locking in Mobile Financing Products

INTRODUCTION

Over the last few years, the Reserve Bank of India’s (“RBI”) approach to lender regulation has moved steadily from broad fair-practices principles to a more prescriptive borrower-protection framework to prevent predatory and unfair conduct towards borrowers. This shift is visible across the Digital Lending Guidelines, the Key Fact Statement framework, Fair Practices Code, restrictions on penal charges, grievance redressal guidelines, outsourcing controls, recovery-agent conduct, and the more recent Responsible Business Conduct Directions.

A common theme running through these regulatory interventions is that recovery of loan dues must be proportionate, transparent, documented and free from coercion. The RBI has repeatedly sought to curb practices such as harassment by recovery agents, excessive or repeated borrower contact, misuse of borrower data, indirect charges through lending service providers, and recovery methods that affect a borrower’s dignity.

Against this backdrop, the RBI’s issuance of the Draft Amendment Directions on ‘Conduct of Regulated Entities in Recovery of Loans and Engagement of Recovery Agents’ (“Draft Directions”) for various categories of RBI regulated entities (“REs”) intends to address present market practices, while prescribing fair practices and standardising acceptable conduct in order to further strengthen the borrower protection mechanisms.

RECOVERY PRACTICES – KEY CHANGES

Key changes brought to the extant framework by the Draft Directions include:

Definitions of Recovery Agent/Agency: The RBI has widened and clarified the recovery-agent framework by adding a definition for a ‘recovery agency’ and a ‘recovery agent’. A “recovery agency” includes any third-party entity or individual engaged by an RE under an outsourcing arrangement to assist in recovery or possession-related activities, regardless of contractual nomenclature. A “recovery agent” is the agency’s customer-facing representative.

The Draft Directions also provide guidelines for the operation of recovery agents with the authorisation to collect financed collateral, subject to strict compliance with the Reserve Bank of India (Managing Risks in Outsourcing) Directions, 2025 (“Outsourcing Directions”).

Engagement Due-Diligence: The Draft Directions establish mandatory due diligence requirements on recovery agencies by building upon the existing regulatory framework. REs engaging recovery agencies must put in place a formal due-diligence process aligned with the RBI’s Outsourcing Directions. They must also ensure that recovery agencies verify the antecedents of their recovery agents before engagement and thereafter on an ongoing basis, at a periodicity specified in the RE’s recovery policy.

Training Requirements: The RBI requires REs to ensure that recovery agencies engage only trained recovery agents who have obtained certification from the Indian Institute of Banking and Finance after completing the debt recovery agents’ training programme, or an equivalent programme through an IIBF-tied institute. Existing uncertified agents must obtain certification within the prescribed transition period.

Notice to Borrower: Before assigning a case to a recovery agency for an in-person visit, the RE must notify the borrower or guarantor of the agency’s details. This must be done at least one day before the first visit by message or email, or three days before by letter where digital contact details are unavailable.

REs must also publish an up-to-date list of all empanelled or engaged recovery agencies across prominent customer-facing channels. The list must include details such as name, type, address, engagement period, purpose and assigned geography. Any modification must be updated within seven calendar days; termination must be reflected immediately.

Maintenance of Records of Call Logs: REs must document the time and number of recovery calls made by their employees or recovery agents to borrowers or guarantors. They must also record the content or text of such calls, preserve these records for six months, and take precautions such as informing borrowers that calls are being recorded.

Recovery Practices Standards: The RBI has prescribed conduct standards for recovery interactions, including civil communication, restricted calling hours, respect for borrower-preferred contact locations, avoidance of sensitive occasions, receipts for collections, and prohibitions on abusive language, harassment, threats, excessive calls, public humiliation, social media misuse, violence, privacy intrusion, and misleading representations.

DEPLOYMENT OF RESTRICTIVE DEVICE TECHNOLOGY

Market participants began implementing restrictive device technologies as early as 2019, often partnering with third-party technology providers or Original Equipment Manufacturers (“OEMs”) to enable device locking functionality.

The RBI Guidelines on Digital Lending in 2022 specifically prohibited lenders and digital lending applications from accessing mobile phone resources, and imposed strict borrower consent requirements for accessing data. The RBI later stated publicly, in October 2025, that it would examine the issue of ‘digital locking’.

As clarified under the Draft Directions, REs may not deploy, as a recovery tool, technology that restricts or disables any of the functionalities of a borrower’s device (including mobile phones, tablets, etc.), except to recover loan dues arising out of the financing of such a device, and then only under the following conditions:

  1. Contractual Framework: The loan documentation or terms and conditions of the RE must procure the borrower’s consent to the use of restrictive technology, and provide a detailed explanation of the stages, restriction methods and resolution process.
  2. Prior Notice Requirement: Restrictive technologies may not be activated until a loan is 90 days past due, and the following notices have been issued:
    1. A notice issued to the borrower after the loan is 60 days past due, with at least 21 days of time being provided to the borrower to cure the default; and
    2. Another final notice has been given to the borrower following the expiry of the 60-day notice, with at least another 7 days of time being provided to the borrower to cure the default.

Subsequent to the above procedure, if the borrower has not cured the default despite being served the mentioned notices, the RE may deploy the restrictive technology, in compliance with the below conditions:

  1. Staggered Approach: The technology shall use a graduated approach rather than disabling the device immediately.
  2. SOS Accessibility/Retention of Emergency Services: Essential functionalities, such as access to the internet, incoming calls, emergency SOS features, and receipt of emergency Government or public-safety notifications, may not be disabled. Further regulatory clarity is sought on whether features such as incoming calls on popular third-party applications may be restricted.
  3. Resolution Timelines and Recompensation: The RBI imposes strict timelines for expeditious release of restrictions on device functionalities upon cure of default by the borrower, and in no case may restrictions on device functionalities remain in place after one hour of cure of default. In cases involving wrongful restriction or delay in reversal of restriction after cure of default, the lender shall compensate the borrower at the rate of INR 250 per hour until remedy.
  4. ‘Uninstall’ Obligations: The technology deployed for restriction shall be uninstalled after the loan is repaid in full. This requirement may pose practical and technological challenges to REs and technology service providers.

    In most instances, the device locking functionality is enabled through applications installed on devices by OEMs. In such instances, it may not be possible to uninstall the OEM apps from the devices. Further, where the device locking functionality is enabled through the digital lending application (“DLA”), it may not be feasible to uninstall the DLA since the borrower may have other ongoing loans through the same DLA. There also appears to be a technological challenge in remotely triggering the uninstallation.

  5. Borrower rights in respect of Repayment: The borrower retains the right to prepay the loan, either partly or fully, at any stage.
  6. Dedicated Grievance Redressal: In addition to existing measures for consumer grievance redressal, REs employing such methods are to establish a robust grievance redressal mechanism to address delays and issues in relation to the deployed technology.

ANALYSIS AND WAY FORWARD

The RBI first addressed the subject of restrictive lending technology through the RBI Guidelines on Digital Lending in 2022, which laid out comprehensive requirements for borrower privacy and access control mechanisms in DLAs; that regulatory intent has not been further crystallized by the Draft Directions.

REs are advised to adhere strictly to borrower consent and processing requirements, purpose limitation and data sharing norms from a DPDPA compliance standpoint, and must ensure that any development or deployment of device-restricting technology is in strict compliance with the Draft Directions to avoid compliance risks.

Market participants are also advised to revise policies, consumer journeys and internal practices to comply with the Draft Directions, including assessment of relationships/contracts with recovery agencies and technology service providers in light of the new diligence requirements.

While the Draft Directions may at present have limited permissibility, they are welcome guidance that, once enforced, will provide significant regulatory clarity to the evolving digital lending market in India.