Back to blogs
Guides

RBI Digital Lending Guidelines: A Compliance Guide for NBFCs and Fintechs

The RBI Digital Lending Directions, 2025 consolidate years of fragmented guidance into one enforceable framework for NBFCs, banks, and fintechs. This guide explains the core obligations, the DLG framework, and how to operationalise compliance across your lending programme.

RBI Digital Lending Guidelines: A Compliance Guide for NBFCs and Fintechs

Digital lending in India grew faster than the rules that govern it. For a few years, that gap produced exactly the problems you would expect: opaque pricing, aggressive recovery, misuse of borrower data, and a flood of unregulated apps. The Reserve Bank of India has now closed that gap decisively.

On 8 May 2025, the RBI issued the Reserve Bank of India (Digital Lending) Directions, 2025, consolidating and replacing the earlier 2022 Guidelines on Digital Lending and the 2023 Default Loss Guarantee Guidelines into a single, enforceable framework. If you are an NBFC, bank, or fintech lending through a digital channel, these Directions reshape how you design, disburse, and service loans, and they hold you fully accountable for the partners who act on your behalf.

What the RBI Digital Lending Directions, 2025 cover

The RBI digital lending guidelines are, in their current form, a consolidation exercise with real additions. Rather than a scatter of circulars, regulated entities now work from one instrument that carries the force of law.

The 2025 Directions came into force on 8 May 2025, with two provisions phased in: the reporting of all Digital Lending Apps on the RBI's Centralised Information Management System (CIMS) portal was to be completed by 15 June 2025, and the rules governing arrangements where a Lending Service Provider works with multiple lenders took effect from 1 November 2025.

The framework governs the entire loan lifecycle, which the RBI defines as a remote, largely automated process spanning customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service. Its focus areas are transparency to borrowers, due diligence over partners, data protection, grievance redressal, and a structured approach to Default Loss Guarantee arrangements.

Who the Directions apply to

The 2025 Directions expanded the scope of who must comply. They apply to all Regulated Entities engaged in digital lending, which now includes commercial banks; primary (urban), state, and central co-operative banks; all non-banking financial companies, including housing finance companies; and, newly, all-India financial institutions.

Two definitions matter for fintechs specifically. A Digital Lending App (DLA) is any mobile or web-based application that facilitates digital lending, whether operated by the regulated entity or by a partner. A Lending Service Provider (LSP) is an agent engaged by a regulated entity to perform lending functions such as customer acquisition, underwriting support, servicing, monitoring, or recovery. Notably, the Directions clarify that one regulated entity can act as an LSP for another.

The critical principle running through the framework: if you are the regulated entity, outsourcing does not dilute your responsibility. You remain fully accountable for every act and omission of your LSPs and DLAs, regardless of how much you delegate. A fintech partnership is not a way to offload regulatory risk.

The core compliance obligations

The RBI digital lending guidelines impose a connected set of obligations across the loan journey. The most significant are these.

Direct disbursal and repayment flows. Loan disbursals must go directly into the borrower's bank account, and repayments must flow directly to the regulated entity's account. Funds cannot pass through the account of an LSP or any third party. LSP fees are paid by the regulated entity, never collected from the borrower.

Key Fact Statement (KFS). Borrowers must receive a standardised Key Fact Statement before executing the contract, setting out the all-in cost of the loan, including the annual percentage rate, tenor, repayment schedule, and any penalties. This is the RBI's direct answer to hidden charges and mis-selling.

Cooling-off period. Borrowers can exit a loan within a cooling-off period, determined by the entity's board but set at a minimum of one day regardless of tenor, without penalty beyond a disclosed one-time processing fee.

LSP due diligence and contracts. Every RE–LSP engagement must be governed by a formal contract defining roles, responsibilities, and liabilities. Regulated entities must conduct enhanced due diligence on each LSP, assessing technical capability, data-handling practices, conduct, and regulatory history, and must review that relationship periodically.

Multi-lender transparency. Where an LSP works with more than one lender, it must present all available loan offers impartially, showing the lender's name, amount, APR, tenor, and repayment terms. Ranking offers is permitted only on a publicly disclosed, unbiased basis.

Data protection and localisation. Data collection through a DLA must be need-based and backed by prior, explicit borrower consent with an audit trail. Personal borrower data must be stored in India. Where data is processed abroad, it must be deleted from foreign servers and brought back to India within 24 hours.

Grievance redressal. Both the regulated entity and any interfacing LSP must appoint nodal grievance redressal officers, with contact details displayed on websites, the DLA, and the KFS. Unresolved complaints after 30 days can be escalated to the RBI under its Integrated Ombudsman Scheme.

CIMS reporting. Regulated entities must report all DLAs, whether their own or their LSPs', on the RBI's CIMS portal, keep the list current, and have a designated official certify the accuracy of that data.

The Default Loss Guarantee framework

The 2025 Directions fold in and tighten the Default Loss Guarantee (DLG) rules first issued in 2023. A DLG is a contractual arrangement under which one party compensates the regulated entity for losses up to an agreed percentage of the loan portfolio.

Under the current framework, a regulated entity can only enter a DLG arrangement with an LSP, or another regulated entity acting as an LSP, and that provider must be incorporated under the Companies Act, 2013. The Directions also impose restrictions on where DLG can be applied, including limitations around revolving credit facilities and certain other product structures. For any fintech offering a first-loss-guarantee model to a lending partner, these eligibility and structural rules are not optional detail. They determine whether the arrangement is permissible at all.

Where digital lending compliance breaks down

Understanding the RBI digital lending guidelines is the easy part. Operationalising them across a live lending programme, often one that runs through multiple fintech partners, is where firms struggle.

The recurring failure points are these. Partner oversight is the biggest: the Directions make you responsible for LSP conduct, but monitoring several partners' disclosures, data practices, and recovery behaviour manually does not scale. CIMS reporting is an ongoing obligation, not a one-off, and the DLA list has to stay current as partnerships change. Mapping each obligation to a specific, testable control, and being able to evidence it when the RBI asks, is difficult when policies live in documents and monitoring lives in spreadsheets. And because the Directions consolidated several older circulars, teams that built controls around the 2022 guidelines need to confirm those controls still map to the current requirements.

How Finnulate supports RBI digital lending compliance

Finnulate is an AI-native compliance platform built to turn regulatory obligations like the 2025 Directions into structured, monitored, audit-ready work, across your own operations and your lending partners.

  • Regulatory ingestion and requirement extraction: The Directions and subsequent RBI updates are ingested and converted into structured obligations and tasks, so nothing is missed when rules consolidate or change.
  • Lineage across regulatory change: When the RBI amends or clarifies a requirement, lineage shows exactly which controls, disclosures, and partner obligations are affected.
  • Partner and multi-entity oversight: LSP and DLA obligations can be tracked per partner, with consolidated visibility for the regulated entity that remains accountable for all of them.
  • Continuous monitoring through the Autonomous Compliance Module: Rule-based checks monitor whether key controls, from KFS disclosure to CIMS list currency, are operating as intended.
  • No-code rule building with validation: Compliance teams define and test monitoring logic for digital lending controls without engineering support.
  • Audit readiness by design: Every check, disclosure, and decision is logged with timestamps and ownership, producing the defensible evidence trail the RBI expects.

The RBI digital lending guidelines have moved digital lending from a lightly governed frontier to a fully accountable, RE-anchored activity. The 2025 Directions consolidated years of fragmented rules into one enforceable framework, expanded who is covered, and made clear that no amount of fintech partnership dilutes a regulated entity's responsibility. For NBFCs and fintechs, compliance is now a continuous, evidenced discipline spanning disclosure, data, partners, and reporting. To see how Finnulate helps NBFCs and fintechs operationalise the RBI digital lending guidelines across their lending programmes, book a demo.

Continue Exploring

See how Finnulate brings compliance execution, ownership, and proof together.

Book a DemoView all blogs