Guidelines to protect interest of borrowers

RBI's Digital Lending Guidelines require all loans originated digitally in India to be disbursed and repaid directly between borrower and Regulated Entity bank accounts, prohibit pass-through accounts of Lending Service Providers, and mandate APR disclosure and a standardised Key Fact Statement before loan acceptance. Borrowers get a cooling-off period to exit, strict data-privacy protections aligned with the DPDP Act, and clear grievance redress through the RE and RBI Integrated Ombudsman. The RE remains directly accountable for any LSP's conduct, and non-whitelisted Digital Lending Apps are liable to be taken down.

Priyanka Wadhera
Published: 1 Sept 2022
Updated: 23 May 2026

RBI Digital Lending Guidelines protecting borrowers in 2026 — APR disclosure, KFS, cooling-off, recovery limits, data privacy and enforcement of LSPs and REs.

RBI's digital lending framework — anchored in the September 2022 master direction and progressively tightened through circulars up to 2025-26 — makes APR disclosure, a standardised Key Fact Statement, a cooling-off exit, direct account flows and granular data consent legally non-negotiable for every loan originated through an app or website. If you are a borrower, these rights exist today and are enforceable through the RBI Integrated Ombudsman. If you are a Regulated Entity (RE) or Lending Service Provider (LSP), the framework is your operating manual — the supervisory enforcement appetite is high and rising.


Who Is Covered by the RBI Digital Lending Framework

The guidelines apply to three distinct categories:

  • Regulated Entities (REs): All scheduled commercial banks, small finance banks, payment banks, NBFCs (including NBFC-MFIs and NBFC-P2P platforms), and select cooperative banks under RBI's direct supervisory jurisdiction.
  • Lending Service Providers (LSPs): Any entity acting as an agent of an RE — sourcing borrowers, performing credit assessment, operating the app interface, or managing collections — without itself holding a lending licence or being the lender of record.
  • Digital Lending Apps (DLAs): The borrower-facing mobile app or web interface used to complete the loan journey, whether operated by the RE itself or by an LSP on the RE's behalf.

The scope is deliberately broad. Personal loans, consumer durable finance, BNPL (Buy Now Pay Later) constructs, embedded credit in e-commerce platforms, and salary-advance products all fall within the perimeter. Microfinance and group lending carry additional product-specific overlays.

The structural principle that underpins everything: an LSP is never the lender. It can source, score and service, but all credit risk, legal liability and regulatory accountability sits with the RE. If an LSP violates any borrower-protection requirement, the RE answers for it.


The Five Core Borrower-Protection Rights

1. Direct Account Flows — No LSP Pass-Through

Every loan disbursement must credit the borrower's own bank account directly from the RE's bank account. Every repayment must debit the borrower's account and credit the RE's account. An LSP cannot hold loan funds — not in a pooled account, a nodal account, or a prepaid wallet — even for a single day.

This rule closed a specific pre-2022 abuse: app-based lenders were routing disbursals through LSP escrow accounts, deducting fees and charges before the borrower received the money, making the net-of-fees principal effectively invisible.

What to watch for as a borrower: If the app asks you to receive your loan into its own wallet, or if the repayment instruction credits any entity other than the RE named in your sanction letter, stop and report it.

2. APR Disclosure Before You Sign

The Annual Percentage Rate (APR) must be calculated and disclosed to the borrower before the loan agreement is accepted — not buried in terms and conditions, and not disclosed as a footnote. APR is wider than the interest rate. It includes:

  • The nominal interest rate (annualised)
  • Processing fee, amortised over the loan tenure
  • Documentation or stamp charges
  • Any insurance premium that is bundled with the loan
  • Any other recurring or one-time charges payable to the lender

The formula: APR = [(Total amount paid − Principal) ÷ Principal] × (365 ÷ Loan tenure in days) × 100

No LSP fee can be charged to the borrower. All fees owed to the LSP are the RE's contractual obligation and must be factored into the APR the borrower sees.

3. Key Fact Statement (KFS) — Standardised, Not Optional

The KFS is a prescribed one-page summary that the RE must deliver to the borrower before the loan agreement is signed. It is not a marketing brochure. Minimum mandatory content:

  1. Loan amount (principal sanctioned)
  2. Loan tenure
  3. Annual Percentage Rate (APR) — in font size no smaller than the rest of the document
  4. EMI amount and total number of EMIs
  5. Total amount payable over the loan term (principal + interest + all fees)
  6. Itemised fee schedule — processing fee, penal charges, prepayment charges, foreclosure terms
  7. Cooling-off period duration and exit mechanics
  8. RE's name and grievance redressal officer details

The borrower must explicitly accept the KFS — via OTP, digital signature or another auditable method — before final sanction. Acceptance without delivery, or delivery after signing, is non-compliant.

4. The Cooling-Off Period — Your Post-Disbursal Exit Window

Every digital loan must carry a cooling-off (or look-up) period after disbursement. During this window the borrower can exit the loan by repaying the principal plus APR accrued for the exact number of days elapsed, with no prepayment penalty, no processing fee forfeiture and no other exit charge.

The duration must be disclosed in the KFS. Supervisory guidance and market practice have converged on 3 days for most personal loan products; some REs offer 7 days. The mechanism must be functional, not theoretical — a cooling-off right that works only in theory is treated as non-compliant.

This protection is particularly important for BNPL and instant-loan products, where borrowers often act before reading the full terms.

The guidelines, read with the Digital Personal Data Protection (DPDP) Act 2023, impose a layered consent regime:

  • Consent must be explicit, informed and purpose-specific. A bundled tick-box covering all uses fails the standard.
  • DLAs may access only phone resources directly necessary for the loan service โ€” camera and microphone for eKYC are permissible. Access to contacts list, photo gallery, call history and file storage is prohibited.
  • All borrower data must be stored on servers in India.
  • Borrowers have the right to withdraw consent at any time. Upon valid withdrawal and once the loan is closed, data with no legal retention purpose must be deleted.
  • Every LSP must publish a privacy policy and the grievance officer's name and contact prominently within the DLA and on its website.

Worked Example: APR vs. Headline Rate on a Rs. 50,000 Personal Loan

Suppose you apply through a fintech DLA backed by an NBFC (the RE) for a Rs. 50,000 personal loan over 12 months at an advertised rate of 24% per annum.

| Item | Amount |
| --- | --- |
| Principal | Rs. 50,000 |
| Nominal interest (24% p.a. over 12 months) | Rs. 6,570 (approx.) |
| Processing fee (3% of principal) | Rs. 1,500 |
| Documentation charges | Rs. 200 |
| Total cost to borrower | Rs. 8,270 |
| Total amount payable | Rs. 58,270 |
| Monthly EMI (approx.) | Rs. 4,856 |

APR calculation: Rs. 8,270 ÷ Rs. 50,000 × (365 ÷ 365) × 100 = 16.54% for the cost-only component. Combining the effective interest with fees gives an effective APR of approximately 28.4% — materially higher than the advertised 24%.

The KFS must display 28.4%, not 24%. A lender that shows only the nominal rate and buries the fees in a separate schedule is in direct violation of the disclosure requirement.

Cooling-off scenario: You read the full terms two days after disbursement and decide to exit. You repay:

Rs. 50,000 + (Rs. 50,000 × 28.4% × 2 ÷ 365) = Rs. 50,000 + Rs. 78 = Rs. 50,078 in total

No processing fee is recovered, no prepayment penalty applies. That Rs. 1,700 saving (processing fee + docs) represents real money recovered through a rule that exists specifically to protect you.


Recovery Limits and the Fair Practices Code

Recovery agents employed by an RE or deployed through an LSP must comply with RBI's Fair Practices Code (FPC). The key operational limits:

  • Agents may contact borrowers only between 7:00 AM and 7:00 PM on any day.
  • Agents may not contact family members, employers, colleagues or references unless the borrower has specifically authorised such contact in the loan agreement.
  • Public shaming — publishing the borrower's photograph, name, or property on social media, messaging groups or notice boards — is explicitly prohibited and has featured in RBI enforcement actions.
  • Agents must identify themselves at the start of every contact: name, the RE they represent, and the loan reference number.
  • Every repayment must be acknowledged with a receipted record.

The accountability chain: The RE cannot distance itself from LSP recovery conduct. Supervisory proceedings look through the outsourcing arrangement to the RE's own obligations.

Escalation path if your rights are breached:

  1. File a written complaint with the RE's internal grievance redressal officer (contact must appear in your KFS and on the RE's website).
  2. If unresolved within 30 days, escalate to the RBI Integrated Ombudsman at cms.rbi.org.in.
  3. For complaints about unauthorised DLAs or data misuse, report through Sachet at sachet.rbi.org.in.

The DLA Whitelist — Verifying Your App Before You Borrow

Every RE must publish a list of DLAs it has authorised on its official website. Any app claiming to operate on behalf of an RE that does not appear on that RE's published whitelist is unregulated and potentially fraudulent.

How to verify in five steps:

  1. Open the DLA and note the RE name displayed in the product summary screen.
  2. Navigate to the RE's official website by typing the URL directly — do not follow a link from the app.
  3. Look for a section titled "Authorised Digital Lending Partners", "DLA Whitelist" or equivalent.
  4. Confirm the DLA's name or web domain appears on the list.
  5. If the RE has no such list or the DLA is absent, do not share personal data and do not proceed — report the app via Sachet.

RBI's supervisory mechanism can direct app-store platforms to delist non-compliant or fraudulent DLAs. Several apps have already been removed following RE audits and targeted supervisory reviews.


FLDG and Co-Lending — Disclosure Obligations the Borrower Should Understand

First Loss Default Guarantee (FLDG)

An FLDG is a credit-enhancement arrangement where the LSP agrees to absorb the RE's first losses on a loan portfolio the LSP sourced. RBI permits FLDG arrangements subject to:

  • A 5% cap on the amount of FLDG relative to the outstanding loan portfolio. An RE cannot use FLDG as a substitute for its own credit underwriting or as a mechanism to shift regulatory provisioning to the LSP.
  • Disclosure to the borrower that a guarantee arrangement exists, even if the commercial terms between RE and LSP are confidential.
  • RE remains lender of record in all circumstances — regulatory provisioning, credit classification and borrower accountability all sit with the RE, regardless of the FLDG.

Co-Lending Model (CLM)

Under RBI's Co-Lending Model, a bank and an NBFC jointly originate and co-fund loans, typically with the NBFC retaining 20% and the bank funding 80%. Borrower-facing requirements:

  • The KFS must reflect the blended effective APR — not the NBFC's rate or the bank's rate in isolation.
  • The borrower must know that two regulated entities share the loan exposure.
  • Grievance contact, EMI debits and loan statements must all flow through the lead lender's systems.

Common Mistakes and Pitfalls to Avoid

If you are a borrower:

  • Ignoring the KFS because "the EMI looked fine". The KFS is the only document where all charges are legally locked in. Read the total amount payable and the APR — not just the EMI.
  • Missing the cooling-off window. Mark a calendar reminder from disbursement date. Three days passes faster than most borrowers expect.
  • Granting all app permissions reflexively. Deny contacts and gallery access when prompted. A loan app has no legitimate need for your photo library or address book.
  • Failing to keep copies. Download and save the KFS, sanction letter and signed loan agreement to personal cloud storage immediately. These are your evidence if charges are disputed later.

If you are an RE or LSP:

  • Disclosing only the flat interest rate, not the full APR. The APR must appear prominently in the KFS — not buried in a fee schedule appendix.
  • Routing disbursements through an LSP wallet, even intra-day. The direct-flow requirement is absolute; there is no grace window for transit accounts.
  • Failing to update the DLA whitelist when new LSP partnerships go live. Borrower-facing DLAs must be whitelisted before they originate a single loan.
  • Structuring the cooling-off exit as a foreclosure with charges. Any exit cost during the cooling-off period that goes beyond principal and accrued APR is non-compliant — and Ombudsman rulings have consistently held in the borrower's favour on this point.
  • Inadequate ongoing LSP monitoring. Onboarding due diligence is a baseline, not a ceiling. Audit rights, regular compliance certifications and contractual take-down provisions for non-compliant LSPs must be built into every LSP agreement.

Penalties and Enforcement — What Has Actually Happened

RBI's enforcement posture has shifted decisively from guidance to action since 2022:

  • Monetary penalties on REs for deficient KFS formats, non-compliant APR disclosures and inadequate internal grievance mechanisms.
  • Business restrictions — directions to halt new digital loan originations pending compliance remediation.
  • DLA delistings — instructions to major app-store platforms to remove non-whitelisted and non-compliant apps.
  • Cease-and-desist directions against specific LSP relationships where the LSP's data collection or recovery practices were found to compromise RE compliance.

The reputational dimension compounds the financial penalty. A public RBI censure on a digital lender generates immediate scrutiny from co-lending bank partners, institutional investors and credit bureaux. The cost of non-compliance — regulatory, financial and reputational — now substantially exceeds the cost of building compliant systems upfront.


Key Takeaways

  • APR is the number that matters, not the interest rate. Always locate the APR in the KFS and compare it across lenders. On a Rs. 50,000 loan, a 4-percentage-point APR difference costs you over Rs. 2,000 across the tenure.
  • The KFS is your legal baseline. Any charge or fee not itemised in the KFS delivered before signing cannot be imposed on you after disbursement — full stop.
  • Use the cooling-off period as a genuine second-look right. Read your terms after disbursement. If something looks wrong, exit within the stated window by repaying only principal and accrued APR.
  • Verify your DLA is whitelisted before you share personal data. Go to the RE's official website — not the app — and confirm the DLA appears on the published authorised list.
  • Contacts and gallery access are red flags. A compliant loan app has no permission to access your phone's contact list or photo library. If prompted, deny access and report the DLA via Sachet (sachet.rbi.org.in).
  • Unresolved RE-level grievances escalate at the 30-day mark. You have a direct right to the RBI Integrated Ombudsman (cms.rbi.org.in) if your complaint receives no satisfactory resolution within 30 days.
  • For REs and LSPs: Outsourcing is not a defence. Build robust LSP monitoring, keep DLA whitelists current, ensure direct account flows, and treat every KFS as a legal instrument — because the Ombudsman and supervisory reviewers already do.

This article reflects the regulatory position as at May 2026. RBI master directions and circulars are periodically updated; verify current notifications at [rbi.org.in](https://www.rbi.org.in) before relying on specific figures or procedures for compliance purposes.

Frequently Asked Questions

What is the Key Fact Statement (KFS) in digital lending?
It is a standardised, easy-to-read disclosure document that the lender must provide before the borrower signs the loan agreement. It captures APR, total fees and charges, repayment schedule, late payment policy, recovery process and grievance officer details. Without a valid KFS, the loan is not compliant with the RBI Digital Lending Guidelines.

Can the lending app access my contacts or gallery?
No. RBI guidelines prohibit access to a borrower's contacts, gallery, files and other phone resources except where directly necessary for the loan service. Access requires explicit, granular and time-bound consent, and the data must be stored within India in compliance with the DPDP Act, 2023.

Is there a cooling-off period in digital loans?
Yes. RBI's guidelines require a cooling-off or look-up period during which the borrower can exit the loan by repaying the principal and proportionate APR, without any penalty. The exact period varies based on loan tenure, and the lender must disclose it clearly in the Key Fact Statement.

Where do I complain against an unfair digital lending practice?
Start with the grievance redressal officer of the Regulated Entity (bank or NBFC) named in your sanction letter or app disclosures. If unresolved within 30 days or you are unsatisfied with the response, escalate to the RBI Integrated Ombudsman through the CMS portal at cms.rbi.org.in.

Content reviewed by: Priyanka Wadhera