RBI Digital Lending Directions 2025: What Fintechs and NBFCs Must Do Now

The Reserve Bank of India issued the Reserve Bank of India (Digital Lending) Directions, 2025, which came into effect on 8 May 2025, consolidating and updating the RBI's regulatory framework for digital lending in India. These Directions replace and expand upon the 2022 Guidelines on Digital Lending, creating a comprehensive, unified code for all Regulated Entities (REs) — including banks, NBFCs, and microfinance institutions — that engage in lending through digital channels or through Lending Service Providers (LSPs) and Digital Lending Apps (DLAs). For the rapidly growing Indian fintech ecosystem, these Directions are not optional: non-compliance exposes REs to regulatory action, loss of licence, and reputational damage. Understanding what has changed — and what must be done immediately — is critical.

The 2025 Directions introduce several new and strengthened obligations for REs and their LSP and DLA partners. First, DLA registration: all Digital Lending Apps — whether owned by the RE or its LSP — must be reported on the RBI's Centralised Information Management System with details of app ownership, grievance officer contacts, and compliance certifications, updated regularly. Second, data governance: data collection must be purpose-specific, consent-based, and minimal. Access to mobile phone resources such as contacts, call logs, or microphones is prohibited except for one-time KYC verification needs. All borrower data must be stored within India; if processed overseas, it must be repatriated and deleted from foreign servers within 24 hours. Third, loan disbursement: all loans must be disbursed directly to the borrower's verified bank account. Disbursals to LSP accounts are prohibited. Fourth, creditworthiness: REs must collect minimum borrower information — age, occupation, and income — before approving any loan.

The accountability framework has also been strengthened. The outsourcing of lending operations to LSPs does not dilute the RE's regulatory obligations — the RE remains fully accountable for its LSP's conduct. This means REs must conduct thorough due diligence of their LSP and DLA partners, include specific RBI-compliant clauses in their LSP agreements, and maintain oversight mechanisms. For borrowers, the Directions strengthen the cooling-off or look-up period — a borrower must be given the option to exit a digital loan within a specified period by paying the principal and proportionate APR (Annual Percentage Rate) without penalty. All credit information, including digital loans, must be reported to Credit Information Companies (CICs) regardless of the loan's tenor or nature.

The 2025 Directions signal the RBI's clear intent to bring the digital lending sector under the same rigour as traditional banking. Fintechs operating as LSPs without an RE licence must carefully structure their arrangements to avoid being treated as de facto lenders, which would require RBI registration. NBFCs and banks with existing digital lending partnerships must audit their DLA and LSP agreements, update their privacy policies, reconfigure data storage to comply with the India data localisation mandate, and register all DLAs with the RBI's CMS. Sansa Kanoon Pranali Partners advises fintech companies, NBFCs, and banks on RBI Digital Lending Directions compliance: LSP agreement drafting, data governance frameworks, DLA registration advisory, and regulatory risk assessments. Visit sansalegal.com to speak with our team.