RBI Issues Guidelines For Lending Apps: Check Major Highlights

With the new guidelines the RBI seeks to protect consumers against predatory, unregulated lending apps.

The Reserve Bank of India has issued the first set of guidelines for digital lending.

It addresses concerns consumers had with regard to digital lending platforms.

The guidelines are the culmination of months of listening to consumer grievances and inputs on the operations of the digital lending sector.


Areas of focus

The notification focuses on three main things:

  • Regulating the entire lending chain
  • Providing transparency to borrowers
  • Defining good data privacy practices

Regulating the lending chain

RBI has stipulated that all loan disbursements have to always be made into the borrower’s bank account so as to ensure that the central bank can keep track of the movement of money through the lending chain.

Repayments must be executed directly in the bank accounts of regulated entities (banks/NBFCs/microfinance institutions).

No money should flow or pass through any third-party pool accounts.


This is mainly to establish a clear audit trail, prevent money laundering, and for the central bank to have clear visibility on how the money has flowed in case the consumer raises any issues during a loan’s lifecycle.

The RBI does not want money to flow through any dark accounts where it cannot see how the funds have moved.

Providing transparency to borrowers

Regulated entities have to disclose in simple language everything about the loan that a borrower is signing up for, including:

  • Total annual percentage rate (APR)
  • The Key Fact Statement (KFS)
  • Details of the grievance redressal officers 
  • All fees and service charges
  • Terms and conditions of the loan recovery mechanism, including the details of the lending service provider that will act as the recovery agent

The Key Fact Statement (KFS)

The KFS must disclose everything related to the loan to the borrower, including details of the APR, names, and contact details of grievance redressal officers, and the cooling-off period.

This comes after a recent study by policy research institution Dvara Research that showed that BNPL, or ‘buy now, pay later’ players did not always disclose facts such as pricing, customer obligations, and penalties in their KFS.

These details are important so that the borrowers know what they are getting into before signing a loan contract.

Menace of predatory, unregulated lending apps

With the new guidelines the RBI seeks to protect consumers against predatory, unregulated lending apps that charge extremely high interest rates and use means such as harassment, threats to life and brute force to recover loans.

Digital lending platforms have to prominently display information relating to the product features, including loan limit, costs, etc., as well as explain how any data captured in the loan process will be used.

Privacy practices

RBI has compiled strict data privacy practices applicable to regulated entities, lending service providers, digital lending applications, and any other platforms involved in the lending equation.

They cannot use a borrower’s data for anything but the specific function it was meant for.

These guidelines are as follows:

  • Regulated entities, or REs, have to conduct due diligence around their LSP/DLA partners’ data privacy and storage policies before they enter into a partnership with them.
  • REs have to ensure the entities they engage with do not store borrowers’ personal data, except basic information.
  • Any collection of data has to be collected with the prior, explicit consent of the borrower.
  • The data has to be need-based, auditable, trackable by the RBI.
  • Lenders cannot access borrowers’ mobile phone resources such as files and media, contact lists, call logs, and telephony functions.
  • Borrowers should have the option to deny consent for use of specific data, revoke consent and, if required, make the app delete or forget his/her data.
  • Purpose for obtaining and accessing a borrower’s data has to be disclosed at each stage to the borrower.
  • For sharing any data with third parties, explicit consent has to be taken, unless it’s a regulatory requirement.
  • All data must be stored in servers located within India.

Digital lenders have to prominently display on their websites the type of data they will access, the length of time that data will be held, how it will be destroyed, and how the platform will handle security breaches.

Comments are closed, but trackbacks and pingbacks are open.

who's online