New Digital Lending Norms – Preliminary Review



The ‘Recommendations of the Working group on Digital Lending – Implementation (“Press Release”) issued by the RBI, on August 10, 2022, overhaul the regulatory framework for digital lending in India. The Press Release changes the landscape for Regulated Entities (REs), Digital Lending Apps (DLAs) and Lending Service Providers (LSPs). Based on the existing needs of the ecosystem, the Press Release dictates norms that ought to be implemented immediately, while leaving some decisions for a future date.


Loan Disbursals and Repayments

The RBI requires REs to ensure that any loan disbursals and any repayment transactions, are undertaken solely between the accounts of the RE and the borrower, without any pass-through account or a pool account.

At present, there are multiple financial services products that are structured such that funds are disbursed by an RE to (i) the bank account of a third-party recipient (on the instructions of the sanctioned borrower, of course); or (ii) the tripartite escrow account set up by the LSP with the bank and the RE or with a trustee. It is not uncommon for REs to authorise LSPs to collect repayments from the borrowers into their own bank accounts or pool accounts and settle the funds in the RE’s account within T+1. Such arrangements would now not be permissible and alternatives that are consistent with RBI directives would have to be explored. The exceptions that are carved out by the RBI account for the following scenarios only:

  1. disbursals covered exclusively under statutory or regulatory mandate;
  2. flow of money between REs for co-lending transactions; and
  3. disbursals where loans are mandated for ‘specified end-use’ as per regulatory guidelines of RBI or of any other regulator.

These exceptions apply to instances where monies are being handled by an NBFC P2P or a payment aggregator, or to instances where loans are offered for purchase of assets against a charge on such assets (home loans, vehicle loans, etc.). At this point, what is unclear is whether these exceptions include products such as BNPL or not. Should the intent be to exclude any settlements to merchants (i.e., not a ‘specified end use’ as per regulatory requirement), all players offering BNPL products would be significantly impacted.


It has also been mandated that any fee with respect to the services rendered by the LSP must be paid by the RE and not directly charged to the borrower. Therefore, LSPs can no longer charge a platform/ processing fee to the borrowers and any fee payable to them must be paid by the RE out of the repayments collected from the borrowers. Unfortunately, the Press Release does not take into account the possibility of LSPs providing certain services to the potential borrowers, independent of their role as an LSP.

Nodal Grievance Redressal Officer

The RBI requires the REs and the LSPs to appoint a nodal grievance redressal officer to deal with any FinTech/digital lending related complaints.

Key Fact Statement

REs have been directed to provide a Key Facts Statement (KFS) to borrowers before the execution of the loan agreement. The KFS document would cover details of a loan and be akin to a sanction letter, apprising the borrowers of the most important terms related to the loan product.

Terms and Conditions, Privacy Policy, Loan Agreement etc.

The Press Release requires REs to ensure that the digitally signed copies of any important documents such as the KFS, sanction letter, account statements, terms and conditions of the LSP, privacy policy of the LSP, are communicated directly by the RE to the borrower. Accordingly, while certain LSPs communicate with the borrowers directly in the existing regime, they will no longer be allowed to do so as per the stipulations under this Press Release. This would compel digital lending businesses to restructure the way these activities are being carried out or come up with innovative solutions to ensure compliance.

Data Security and Privacy

The biggest challenge that the LSPs would face due to the revised legal framework pertains to data security and privacy. The Press Release imposes various obligations on LSPs to ensure that the customers’/borrowers’ interests are always protected. Below is a summary of some of the obligations imposed on LSPs:

  1. Minimal Data: LSPs engaged by the REs must not be allowed to store the personal information of the borrowers, except for some ‘basic minimal data’ required to carry out operations. It will be interesting to note whether REs construe loan data to be ‘basic minimal data’ and allow LSPs to store such loan data. Presently, LSPs have access to all information pertaining to the loan disbursed, repayments made, and outstanding dues in respect of every borrower. Given that such loan data will not only be categorised as personal information, but also sensitive data, it will be noteworthy to see whether REs allow LSPs to store such data to carry out collection services.
  2. Restriction on accessing Mobile Phone Resources: Another provision related to data security restricts LSPs from accessing mobile phone resources such as files, media, contact lists, call logs and telephony data. This may significantly impact the role of the LSPs in the entire arrangement, especially their ability to undertake risk assessment and preliminary credit checks.
  3. Borrower’s Right to Deny Consent and Require Deletion of Data: The RBI has also mandated that borrowers be given an option to give or deny consent for the use of specific data, the ability to restrict disclosure of data to third parties, the ability to revoke consent for collection of data and request for deletion of his/her data from the DLA. This creates a host of uncertainties for the business of LSPs. If by virtue of this provision, a borrower restricts the LSP from sharing his/her data with third parties, it would imply that the LSP would not be able to outsource the obligation for collection of dues from such borrowers to a collection agent. It remains ambiguous whether the RE/LSP would be required to purge the borrower’s data from their data bases, if the borrower chooses to revoke consent for collection of personal data, or request for the deletion thereof.


Annex II of the Press Release stipulates recommendations which are accepted by the RBI ‘in-principle’, but do not yet constitute law. This offers a tantalising glimpse into regulatory intent.

The Press Release suggests that, pending examination by the RBI of FLDG arrangements, REs should ensure that financial products involving third party guarantees should adhere to the extant guidelines laid down in Master Direction – Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 dated September 24, 2021 (“Securitisation Regulations”). The Securitisation Regulations require that the ‘originator’ or ‘facility provider’ ought to be a regulated entity, stakeholders are concerned as to how the Securitisation Regulations would extend to the FLDG arrangements between a FinTech (unregulated entity) and a lender (regulated entity). Has the RBI banned FLDGs given by entities that are not REs?


The RBI also recommends setting up an SRO, that will, inter alia, be responsible for framing a code of conduct for all DLAs for recovery of loans, prescribing responsible advertising and marketing standards, and maintaining a ‘negative list’ of LSPs, which are non-compliant with regulatory and statutory provisions.

With a focus to ban unregulated lending activities, the Press Release harps on the need for a legislation governing unauthorized and unregistered lending entities and setting up a Digital India Trust Agency (DIGITA) to combat the same.


We are of the view that digital lending offers significant efficiencies, and the explosion of digital lending apps have the potential to enable public good. As we grapple with multiple ways to comply with the RBI regulations and to structure responsible digital lending, we wonder whether a light touch licensing regime (requiring all digital lenders to register with the RBI) and directly imposing prudential norms might be preferred to the approach adopted by the regulator.


                                                       Please reach out to Mathew Chacko and Ankita Hariramani for queries.