The Reserve Bank of India (RBI) has released the Digital Lending Guidelines 2025 to overhaul how digital loans are offered and serviced in India. These guidelines aim to curb unethical practices, increase borrower protection, and standardise digital lending processes. Applicable to all regulated entities (REs) like banks and NBFCs, and their lending partners (LSPs), these rules bring big changes-from mandatory disclosures and cooling-off periods to strict data privacy rules and limits on default loss guarantees (DLGs). Fintechs offering or facilitating digital loans must adapt their products, engineering flows, and legal contracts now.
Why This Matters Now?
Over the past few years, digital lending in India has exploded – thanks to fast loan apps, embedded credit, and fintech innovation. But this rapid growth also brought serious issues:
- Apps hiding loan terms or fees
- Outrageous interest rates
- Data privacy violations
- Harassment by recovery agents
- Lenders using third-party fronts to avoid accountability
To address this, RBI formed a Working Group on Digital Lending. The 2025 guidelines are the culmination of their recommendations-streamlining previous circulars and adding new, stricter rules to protect borrowers and system integrity.
Key Highlights
1. Who’s Covered?
These rules apply to all RBI-regulated entities (REs):
- Commercial banks
- Urban, state, and central co-op banks
- NBFCs (including Housing Finance Cos.)
- All-India Financial Institutions
And to their Lending Service Providers (LSPs)-third-party players helping in sourcing, underwriting, disbursing, collecting, or recovering loans.
2. What Counts as Digital Lending?
Fully or mostly digital processes for:
- Loan sourcing (via apps or websites)
- Underwriting and approval
- Disbursal and repayment
- Customer communication
3. Clear Agreements with Lending Partners
REs must:
- Sign detailed contracts with LSPs outlining roles and liabilities
- Vet LSPs for tech, data, conduct, and compliance track record
- Regularly monitor LSP performance
4. Multi-Lender App Rules (Effective Nov 1, 2025)
If one app lists multiple loan offers:
- It must show all matches – not just one preferred lender
- Each offer must disclose: lender name, APR, tenure, EMI, penalties, KFS link
- No nudging or “dark patterns” (design tricks that manipulate borrower choices) to bias borrowers
5. Transparency and Disclosures
- Borrowers must receive a digitally signed Key Facts Statement (KFS) before disbursal
- Other documents like sanction letter, privacy policy, etc. must also be auto-shared via email/SMS
- If a recovery agent is assigned or changed, notify the borrower first
6. Loan Disbursal and Repayment
- Disburse funds directly into borrower’s account (exceptions apply)
- Repayments must go directly to RE’s account-not through LSPs
- LSPs cannot collect payments unless specially permitted
- Any LSP fee must be paid by RE, not the borrower
7. Cooling-Off Period for Loans
- Minimum 1-day period where borrower can cancel the loan
- Only pay back principal + applicable interest for the period
- Reasonable processing fees may apply (must be disclosed)
- Prepayment must be allowed anytime without penalty
8. Grievance Redressal System
- RE and LSP must appoint nodal officers
- Contact info to be shared on apps, websites, and in the KFS
- Unresolved complaints in 30 days? The borrower can escalate to the RBI’s CMS portal
9. Data Collection, Usage & Consent
- Explicit borrower consent is mandatory for any data collection
- DLAs cannot access contact lists, files, or call logs
- Borrowers can:
- Revoke consent
- Restrict data use/sharing
- Request deletion of data
10. Data Storage Rules
- Personal data must be stored only in India
- If processed abroad, data must be deleted and brought back within 24 hours
- No biometric data storage unless permitted by law
11. Privacy Policy Requirements
- RE and LSP websites/apps must publish a privacy policy
- Must list all third parties accessing user data
12. Cybersecurity Standards
- Must comply with RBI’s IT security requirements
13. Credit Reporting
- All loans, including short-term and deferred payments, must be reported to credit bureaus
14. RBI DLA Reporting (Effective June 15, 2025)
- All digital lending apps must be reported via the RBI’s CIMS portal
- The Chief Compliance Officer must certify the data
- RBI will publish this info but does not endorse any app
15. Default Loss Guarantee (DLG) Rules
DLG is when a third-party (usually an LSP) promises to cover loan losses. RBI’s 2025 rules:
- The DLG provider must be a registered company
- DLG cannot replace proper credit assessment
- Total DLG cover capped at 5% of disbursed loan portfolio
- DLG must be backed by cash, FD, or bank guarantee
- DLG once invoked can’t be reinstated-even if recovered later
- Disclosure of DLG portfolios on LSP websites is mandatory
DLG restrictions:
- Not allowed for credit cards or revolving facilities
- Not allowed for P2P NBFC loans
- Not allowed where existing credit guarantee schemes (like CGTMSE) apply
Think of DLG as an insurance promise from the fintech partner to the bank: “If this ₹100 crore loan pool fails, I’ll cover ₹5 crore.” RBI now wants this to be formal, cash-backed, and tightly regulated.
Impact on Fintechs
Fintech Product Teams:
- Update all apps to show multiple loan offers and include APR, EMI, etc.
- Build in a cooling-off period for flows and disclosures
- Implement full KFS and auto-document sharing mechanisms
- Ensure all data storage is India-based; purge foreign servers within 24 hrs
Engineering Teams:
- Modify APIs to ensure repayments bypass LSPs
- Add borrower-facing toggles for data consent, deletion, and revocation
- Support digital signatures and document delivery on loan execution
Compliance and Legal Teams:
- Review RE-LSP contracts
- Verify DLG structures comply (5% cap, form of cover, certification)
- Prepare reporting formats for CIMS portal
Deadline Reminders:
- June 15, 2025: Report all DLAs on RBI CIMS portal
- Nov 1, 2025: Implement fair display rules for apps with multiple lenders
Conclusion
The 2025 RBI Digital Lending Guidelines signal a regulatory maturity phase in India’s fintech sector. These rules provide clarity and structure to an otherwise fragmented digital lending environment. For fintechs, it’s both a challenge and an opportunity – to build safer, more compliant, and ultimately more trusted lending products.
Our take: These rules push the sector to clean up its act. Founders, product heads, and legal teams should treat this as a priority compliance sprint. Build trust now, and you’ll win in the long run.
