Legal Suvidha is a registered trademark. Unauthorized use of our brand name or logo is strictly prohibited. All rights to this trademark are protected under Indian intellectual property laws.
Legal Suvidha
General

Guidelines to protect interest of borrowers

RBI's Digital Lending Guidelines require all loans originated digitally in India to be disbursed and repaid directly between borrower and Regulated Entity bank accounts, prohibit pass-through accounts of Lending Service Providers, and mandate APR disclosure and a standardised Key Fact Statement before loan acceptance. Borrowers get a cooling-off period to exit, strict data-privacy protections aligned with the DPDP Act, and clear grievance redress through the RE and RBI Integrated Ombudsman. The RE remains directly accountable for any LSP's conduct, and non-whitelisted Digital Lending Apps are liable to be taken down.

Priyanka WadheraPriyanka Wadhera
Published: 1 Sept 2022
Updated: 16 May 2026
4 min read
Guidelines to protect interest of borrowers
1
2
3
4
5
6
7
8
9

RBI Digital Lending Guidelines protecting borrowers in 2026 — APR disclosure, KFS, cooling-off, recovery limits, data privacy and enforcement of LSPs and REs.

RBI's Digital Lending Guidelines — first issued in 2022 and progressively expanded through 2026 — have re-architected how loans are sourced, disbursed and serviced online in India. The framework places the regulated entity (RE) firmly at the centre of accountability, sharply curtails the role of unregulated app-only lenders, and gives borrowers enforceable rights that did not exist a few years ago.

Who is covered

The guidelines apply to all Regulated Entities (banks, NBFCs and select cooperative entities) and to any Lending Service Provider (LSP) acting on their behalf. They cover all loans originated digitally — through apps, websites, embedded finance partnerships, BNPL constructs and platform-based credit. Group lending and certain microfinance products have specific overlays.

Core borrower-protection principles

  • All loan disbursals and repayments must flow directly between the borrower's bank account and the RE's bank account — no pass-through accounts of LSPs.
  • Any fees paid to the LSP must be borne by the RE, not the borrower.
  • Mandatory disclosure of the Annual Percentage Rate (APR) — capturing all fees, charges and interest — before loan acceptance.
  • Standardised Key Fact Statement (KFS) in a prescribed format that the borrower must receive before signing.
  • Cooling-off / look-up period during which the borrower can exit the loan by repaying principal and proportionate APR, without penalty.
  • Loan agreement and all communications in a language understood by the borrower.
  1. Explicit, granular borrower consent for data collection — purpose-bound and time-bound.
  2. Strict prohibition on access to contacts, gallery, files and other phone resources except where directly relevant to the loan service.
  3. Data must be stored on servers within India, with explicit DPDP Act compliance.
  4. Borrowers can withdraw consent and require deletion of personal data subject to legal retention requirements.
  5. All LSPs must publish their privacy policy and grievance officer details prominently.

Recovery practices and limits

Recovery agents and LSPs must follow the RBI Fair Practices Code — contact only during prescribed hours, no harassment, no contacting references unless authorised, and no public shaming. The RE remains directly responsible for any recovery practice deployed by its LSP. Borrowers can complain to the RE's grievance redressal officer and escalate to the RBI Integrated Ombudsman if unresolved in 30 days.

Disclosures and the borrower-facing experience

  • Borrower must see the RE's name (not just the app's name) in every credit decision communication.
  • Sanction letter and signed loan agreement must be delivered to the borrower's registered email/SMS/app.
  • Loan account statement on demand, with full charge break-up.
  • Display of APR, fees, late payment policy, conversion to NPA, and recovery process in plain language.
  • Co-lending and FLDG arrangements have specific disclosure formats.

Penalties and enforcement

RBI has progressively used its supervisory toolkit — including fines, app delistings (via DLAB), business restrictions and cease-and-desist directions — against non-compliant LSPs and partner REs. The Digital Lending Apps (DLA) framework requires REs to publish whitelists of approved DLAs, and any DLA not whitelisted is liable to be taken down.

FLDG and co-lending overlays

First Loss Default Guarantee (FLDG) arrangements between REs and LSPs are now permitted but capped at a prescribed percentage (around 5% of the underlying loan portfolio at the time of disbursal) and subject to disclosure norms. The RE remains the lender of record, holds the regulatory provisioning, and accounts for the FLDG amount as recovery support, not as a balance-sheet reduction. Co-lending under the RBI Co-Lending Model overlays additional disclosure and back-end accounting requirements on the lead lender.

What a compliant digital loan journey looks like

  • Borrower opens app or website of an LSP onboarded by a specified RE; LSP/RE relationship is disclosed upfront.
  • Borrower views the RE name, product summary, indicative APR, fees and grievance officer details.
  • Eligibility check uses only purpose-bound data with explicit consent.
  • Pre-sanction Key Fact Statement (KFS) is delivered with itemised APR before any electronic signature.
  • Cooling-off period offered; borrower can exit by repaying principal and proportionate APR.
  • Disbursement and repayment flow directly between borrower and RE bank accounts; no LSP pass-through.
  • Recovery operations follow the Fair Practices Code; grievances escalate to RE and then to RBI Integrated Ombudsman.

Conclusion

If you are a borrower, the rules now genuinely shift power your way — APR, KFS, cooling-off and direct-account flows are non-negotiable. If you operate or partner with a digital lender, treat the guidelines as the operating manual; the enforcement appetite is high and the reputational cost of breach is higher. Legitimacy is now both a moral and a market-share question.

Frequently Asked Questions

What is the Key Fact Statement (KFS) in digital lending?
It is a standardised, easy-to-read disclosure document that the lender must provide before the borrower signs the loan agreement. It captures APR, total fees and charges, repayment schedule, late payment policy, recovery process and grievance officer details. Without a valid KFS, the loan is not compliant with the RBI Digital Lending Guidelines.
Can the lending app access my contacts or gallery?
No. RBI guidelines prohibit access to a borrower's contacts, gallery, files and other phone resources except where directly necessary for the loan service. Access requires explicit, granular and time-bound consent, and the data must be stored within India in compliance with the DPDP Act, 2023.
Is there a cooling-off period in digital loans?
Yes. RBI's guidelines require a cooling-off or look-up period during which the borrower can exit the loan by repaying the principal and proportionate APR, without any penalty. The exact period varies based on loan tenure, and the lender must disclose it clearly in the Key Fact Statement.
Where do I complain against an unfair digital lending practice?
Start with the grievance redressal officer of the Regulated Entity (bank or NBFC) named in your sanction letter or app disclosures. If unresolved within 30 days or you are unsatisfied with the response, escalate to the RBI Integrated Ombudsman through the CMS portal at cms.rbi.org.in.
Priyanka Wadhera
Content Reviewed By

Priyanka Wadhera

CA | POSH Consultant | Financial Advisor

"I help startups and mid-sized businesses scale by streamlining their tax advisory, POSH compliances, and virtual CFO systems with 100% precision."

View Profile
Share this article:4,410 Views
Previous
Form 11 vs Form 8 LLP: 12 Differences Every Partner Must Know (2026 Verified Guide)

Related Posts

View All