Alerts & Updates 4th Oct 2022

India’s Road Map for Digital Lending – Action Points for The Lenders


Mukesh Chand Senior Counsel | Mumbai

Latest Thought Leadership

Alerts & Updates 17th Jun 2024

Trade Update – June 17, 2024

Read More
Alerts & Updates 17th Jun 2024

GAAR v. SAAR on bonus stripping of shares

Read More
News & Media 17th Jun 2024

Centre makes fresh bid to push labour codes

Read More
News & Media 14th Jun 2024

GST Council to face the challenge of reducing the GST rate slabs

Read More

[This paper discusses the existing and the proposed Digital Lending Framework in India and the conditions, policies, technological parameters and standards and the Mechanism that need to be put in place by Commercial Banks, Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks, and Non-Banking Financial Companies (including Housing Finance Companies) for Digital Lending.

Compliance of these RBI guidelines need to be adhered to by November 30, 2022]


    The Hon’ble Finance Minister in her budget speech of 2022-23, ushered in a new era for Indian banking and set up 75 Digital Banking Units (DBUs) in 75 districts of the country by Scheduled Commercial Banks.

    Prior to this, in November 2021, the Reserve Bank of India (RBI) released the Report[1] of the Working Group on Digital Lending including lending through Online Platforms and Mobile Apps. Post announcement in the Union Budget 2022-23, the RBI has been working on guidelines for operationalizing the structure for digital lending. Many initiatives and reports followed each other on close heels. In June 2022, RBI released a document on Payments Vision 2025 – a road map to elevate payments to achieve less-cash and less-card society.

    In July 2022, India’s NITI Ayog [“National Institution for Transforming India” policy-making institution of India] released its report titled “DIGITAL BANKS A Proposal for Licensing & Regulatory Regime for India”. [2] Earlier in 2017, the RBI issued Master Directions – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017.

    Building on the above, the RBI, on September 2, 2022 issued guidelines for digital lending applicable to all Commercial Banks, Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks; and Non-Banking Financial Companies (including Housing Finance Companies). With this, the stage is now set for an ‘open banking’ system. This follows tremendous success on the payments front (where the Unified Payments Interface (UPI) recorded over 4.2 billion transactions worth INR 7.7 trillion in October 2021). Additionally, the digital lending framework will also extend the reach of Indian banking to micro and small businesses.

    World over technology is playing a significant role in transforming lending system. Blockchain technology is increasing being deployed in international remittances. Artificial Intelligence and cloud computing is also in for a big boost in the near future[3]. In the lending sphere too, various models such as Person-to-Person (P2P), Person-to-Business (P2B), Business-to-Person (B2P), Business-to-Business (B2B) models are bring increasingly used by credit or intermediary platforms.

    An RBI report[4] notes that the total global alternative credit (i.e., credit through FinTechs and BigTechs) in 2019 stood at USD 795 billion in which share of FinTechs and BigTechs is around USD 223 billion and USD 572 billion respectively. As regards the Indian market, the RBI report observed that lending through digital mode relative to physical mode is still at a nascent stage in case of banks as lending of (INR 1.12 lakh crore via digital mode vis-à-vis INR 53.08 lakh crore via physical mode was transacted.  On the other hand, on the NBFC front a higher proportion of lending i.e. (INR 0.23 lakh crore via digital mode vis-à-vis INR 1.93 lakh crore via physical mode was noticed. Overall volume of disbursement through the digital mode for the sampled entities has exhibited a growth of more than twelvefold between 2017 and 2020 (from INR 11.6 thousand crore to INR 1.4 lakh crore). As per some market estimates[5], digital lending in India is expected to become a USD 1.3 trillion market opportunity by 2030. The digital lending market size is set to grow from USD 270 billion in 2022 at a CAGR of 22% between 2022 and 2030.


    There is no single universally accepted definition available for this – the obvious reason is that the field is still evolving, and newer methods are being deployed in light of new technological advancements. However, based on its features,  ‘digital lending’ can be defined as a platform-based seamless lending process which uses digital technologies for the entire process of credit dispensation including credit assessment, loan approval, documentation, disbursement, loan repayment, and customer service. Majorly, DL takes two forms – (i) Balance Sheet Lending (BSL) and(ii)Market Place Lending (MPL).

    RBI guidelines define Balance Sheet Lending (BSL) as “Financial service involving extension of monetary loans, where the lender retains the loan and associated credit risk of the loan on its own balance sheet” and “Balance Sheet Lenders” as Lenders who undertake balance sheet lending’.

    On the other hand, Market Place Lending (MPL) is a platform which connects lenders with borrowers/customers and investors who may buy or invest in such loans/ lend to such borrowers. These MPL are also known as Market Place Aggregators (MPAs) and is P2P.

    There are other similar systems like Prepaid Payment Instruments (PPIs) which are basically payment wallets. These PPIs are used to facilitate buying of goods and services, including the transfer of funds, financial services and remittances, against the value stored in the instrument. PPIs are also regulated by RBI under the Payment and Settlement Act, 2005. The framework governing “Issuance and Operation of PPIs” are issued and updated by RBI in the form of Master Direction[6]. No entity can set up and operate payment systems for issuance of PPIs without prior approval / authorization of RBI. These guidelines lay down the eligibility criteria and the conditions of operation for payment system.


    Entities engaged in DL are presently outsourcing many functions to private agencies and this raises concerns about data privacy, unfair practices, exorbitant interest rates, and unethical recovery practices. As per reports[7] RBI identified a whopping 600 illegal lending apps operating in India in the last year. This Report also mentions that, “Sachet”, a portal established by RBI against unregistered entities, has received approximately 2,562 complaints against digital lending apps between the start of January 2020 to end of March 2021. There are other issues relating to money laundering and data privacy and data storage which are sensitive not only from the point of view of lending but also from the point of view of internal security systems.

    There were other practices as ‘Rent a NBFC’. This arrangement used “First Loss Default Guarantee (FLDG)” to share credit risk without having to maintain any regulatory capital.


    Now RBI has on September 2, 2022 issued Comprehensive Guidelines which would govern Digital Lending by the Regulated Entities (REs) in India. These Guidelines address a wide range of issues ranging from engagement of services of Service providers, credit appraisal, data privacy, maintenance of transparent process and systems, reporting and a grievance redressal mechanism.

    These guidelines will also apply to the ‘existing customers availing fresh loans’ and to ‘new customers getting onboarded’ from September 2, 2022 onwards. However, lenders have been provided time till November 30, 2022,  to put adequate systems and processes in place to ensure that ‘existing digital loans’ are also in compliance with these guidelines in both letter and spirit.


    All Commercial Banks, Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks; and Non-Banking Financial Companies (including Housing Finance Companies).


    The Guidelines covers three specific areas of:

    • Customer Protection and Conduct requirements
    • Technology and Data Requirement and
    • Regulatory Framework.

    These guidelines allow outsourcing arrangements by Regulated Entities (REs) with a Lending Service Provider (LSP)/ Digital Lending App (DLA) but the onus of compliance with RBI guidelines will remain with the REs. Both the REs and LSP need to be regulated entities.


    The Guidelines basically allow only Balance Sheet type of lending and all loan servicing, repayment etc. need to be in the RE’s bank account without any pass-through account/ pool account of any third party.

    Disbursements would need to be made into the bank account of the borrower except for disbursals covered exclusively under statutory or regulatory requirements for specific end use, or into the bank account of the end-beneficiary. No third- third-party account disbursal is allowed, including the accounts of LSPs and their DLAs.

    Co-lending arrangements are allowed as per the RBI guidelines in Circular dated November 05, 2020[8]


    Outsourcing of various functions such as customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery of specific loan or loan portfolio is allowed. REs are required to comply with RBI guidelines on outsourcing of various functions. As per “Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks” dated November 3, 2006, banks are required to have a comprehensive Board approved outsourcing policy. Offshore outsourcing is permitted subject to strict compliance of the regulatory requirements and only in jurisdictions upholding confidentiality clauses and agreements. However, the banks are prohibited from outsourcing core management functions including Internal Audit, Compliance function and decision-making functions like determining compliance with KYC norms for opening deposit accounts, sanction for loans (including retail loans) and management of investment portfolio. Agreement with such an LSP should cover all requirements as specified by RBI in the above-mentioned circular.

    Before engaging services of an LSP/DLA, REs need to conduct enhanced due diligence covering its technical abilities, data privacy policies and storage systems, fairness in conduct with borrowers and ability to comply with regulations and statutes etc. Periodic reviews are also required.


    First Loss Default Guarantee (FLDG) is allowed. “First loss facility” means the first level of financial support provided by the originator or a third party to improve the creditworthiness under which the provider of the facility bears part or all of the risks associated with the assets.

    FLDG is permitted subject to adherence to the provisions of the Master Direction – Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 dated September 24, 2021, especially, synthetic securitization contained in Para (6)(c). As per the said guidelines lenders, including overseas branches of Indian banks, cannot undertake synthetic securitization “where credit risk of an underlying pool of exposures is transferred”, in whole or in part, using credit derivatives or credit guarantees that serve to hedge the credit risk of the portfolio which remains on the balance sheet of the lender.

    FLDG provider should ensure that the following conditions are fulfilled failing which the credit enhancement provider will be required to hold capital equal to the full value of the securitized assets:

    • Entities providing such facilities must be regulated by at least one financial sector regulator.
    • The facility should be distinct from other facilities and documented separately from any other facility provided by the facility provider.
    • The nature, purpose, extent of the facility and all required standards of performance should be clearly specified in a written agreement to be executed at the time of originating the transaction and disclosed in the offer document.
    • The facility should be on an ‘arm’s length basis’ on market terms and conditions and subjected to the facility provider’s normal credit approval and review process.
    • Payment of any fee or other income for the facility is not subordinated or subject to deferral or waiver.
    • The facility should be limited to a specified amount and duration. The duration of the facility should be limited to the earlier of the dates on which (i) all claims connected with the securitization notes issued by the SPE are paid out; or (ii) the facility provider’s obligations in relation to such facility are otherwise terminated.
    • There should not be any recourse to the facility provider beyond the fixed contractual obligations and the facility provider should not bear any recurring expenses of the securitization.

    RBI guidelines also define some of the major terms as follow:

    Digital LendingA remote and automated lending process, largely by use of seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.

    Digital Lending Apps/Platforms (DLAs): Mobile and web-based applications with user interface that facilitate digital lending services. DLAs will include apps of the REs as well as those operated by LSPsengaged by REs for extending any credit facilitation services in conformity with extant outsourcing guidelines issued by the Reserve Bank.

    Lending Service Provider (LSP)An agent of a Regulated Entity who carries out one or more of lender’s functions or part thereof in customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery of specific loan or loan portfolio on behalf of REs in conformity with extant outsourcing guidelines issued by the Reserve Bank.


    In the light of the RBI Guidelines, REs are required to ensure the following in connection with their digital lending processes:

    • Both the REs and LSP need to be regulated entities.
    • No automatic increase in credit limit unless explicit consent of borrower is taken on record for each such increase.
    • Annual Percentage Rate (APR) – APR which should be an all-inclusive cost of digital loans should be disclosed upfront by REs and shall also be a part of the Key Fact Statement.
    • Key Fact Statement (KFS) is to be sent to the borrower before the execution of the contract as per the format provided in Annex-II to the RBI circular dated September02, 2022.
    • Fees, charges, etc. of LSPs are to be directly paid by RE and cannot be charged by LSP to the borrower.
    • The penal interest/charges levied, if any, shall be based on the outstanding amount of the loan. Rate of such penal charges need to be disclosed upfront on an annualized basis to the borrower in the Key Fact Statement (KFS).
    • Digitally signed documents (Digitally signed means a document signed using digital signature) viz., KFS, summary of loan product, sanction letter, terms and conditions, account statements, privacy policies of the LSPs/DLAs with respect to borrowers’ data, etc. should automatically flow to the borrowers on their registered and verified email/ SMS upon execution of the loan contract/ transactions.
    • Details of the LSP (including any change), acting as recovery agent and authorized to approach the borrower for recovery need to be disclosed to the Borrower along with sanction.
    • The cooling off period for exit will be as per Board approved policy of the RE which should not be less than three days for loans having tenor of seven days or more and one day for loans having tenor of less than seven days.
    • Borrower should be given an option to exit digital loan by paying the principal and the proportionate APR without any penalty during this period.
    • Beyond the above, pre-payment charges can be levied as per extant RBI guidelines.
    • Reporting to Credit Information Companies (CICs) is to be ensured by REs as per extant RBI Guidelines[9] irrespective of its nature/ tenor of the loan.
    • Extension of structured digital lending products by REs and/or LSPs engaged by REs over a merchant platform involving short term, unsecured/ secured credits, or deferred payments, need also to be reported to CICs by the REs.
    • REs shall ensure that LSPs, if any, associated with such deferred payment credit products shall abide by the extant outsourcing guidelines issued by the Reserve Bank and be guided by these guidelines.
    • List of their DLAs, LSPs engaged with the details of the activities for which they have been engaged, should be displayed on the website of REs.

     – DLAs or DLAs of their LSPs at on-boarding/sign-up stage of the borrower should prominently display information relating to the product features, loan limit and cost, etc. Further, there should be links to REs’ website where further detailed information about the loan products, the lender, the LSP, particulars of customer care, link to Sachet Portal, privacy policies, etc. can be accessed by the borrowers.

    – It shall be ensured that all such details are available at a prominent single place on the website for ease of accessibility.

    •  REs and LSPs should name a nodal grievance redressal officer to deal with FinTech/ digital lending related complaints/ issues raised by the borrowers/complaints against their respective DLAs. Contact details of grievance redressal officers shall be prominently displayed on the websites of the RE, its LSPs and on DLAs and also in the KFS provided to the borrower.

     – Further, the facility of lodging a complaint shall also be made available on the DLA and on the websites.

     – Responsibility of grievance redressal shall continue to remain with the RE. Such complaints should be resolved within 30 days, thereafter the Complaint can be lodged on the Complaint Management System (CMS) portal under the Reserve Bank-Integrated Ombudsman Scheme.

    •  Collection of data by DLAs and DLAs of their LSPs should be need-based and with prior and explicit consent of the borrower having audit trail.

     – No access to mobile phone resources like file and media, contact list, call logs, telephony functions, except for the purpose of on-boarding/ KYC requirements with the explicit consent of the borrower.

    – Borrower should be provided an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data and if required, make the app delete/ forget the data.

     – The purpose of obtaining borrowers’ consent needs to be disclosed at each stage of interface with the borrowers.

     – Explicit consent of the borrower need be taken before sharing personal information with any third party, save and except the data required under the statutory or regulatory requirements,

     – No personal information of borrowers could be stored save and except some basic minimal data (,name, address, contact details of the customer, etc.) that may be required to carry out their operations.

    •  Responsibility regarding data privacy and security of the customer’s personal information will be that of the RE.

     – Clear Policy guidelines regarding the storage of customer data including the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, data destruction protocol, standards for handling security breach, etc., need to be put in place by REs and also disclosed by DLAs of the REs and of the LSP engaged by the RE prominently on their website and the apps at all times.

     – No biometric data be stored/ collected in the systems associated with the DLA of REs/ their LSPs, unless allowed under extant statutory guidelines.

     – All data need to be stored only in servers located within India, while ensuring compliance with statutory obligations/ regulatory instructions.

     – Comprehensive privacy policy: REs/DLAs/LPS should have a comprehensive privacy policy compliant with applicable laws, associated regulations and RBI guidelines and for accessing and collection of personal information of borrowers, DLAs of REs/LSPs should make the comprehensive privacy policy available publicly.

     – Details of third parties (where applicable) allowed to collect personal information through the DLA shall also be disclosed in the privacy policy.

    •  REs and the LSPs need to comply with various technology standards/ requirements on cybersecurity stipulated by RBI and other agencies, or as may be specified from time to time, for undertaking digital lending.

    REs needs to ensure the above requirement before embarking on any arrangement for Digital Lending in India.

    Lenders would need to take following steps to make their DL compliant with the RBI guidelines:

    • Formulate Policies (if not already in place) for outsourcing and engagement of LSP/DLAs, Collection and Privacy of Data, FLDs arrangements, Grievance Redressal mechanism etc.
    • Design loan products suited for DL, including costing and mechanism for appraisal and disbursement.
    • Devise standard terms and conditions suited for DL to take care of compliance of such conditions by the borrower..
    • Put in place system of execution of security documents in digitized format.
    • Devise suitable formats of security documents suited for DL on a digitized platform and related compliances and perfection of charges.
    • Verification and compliance of eKYC norms.
  • We hope you have found this information useful. For any queries/clarifications please write to us at  or write to our authors:

    Mukesh Chand, Senior Counsel – Email –

    Disclaimer: The information contained in this document is intended for informational purposes only and does not constitute legal opinion or advice. This document is not intended to address the circumstances of any individual or corporate body. Readers should not act on the information provided herein without appropriate professional advice after a thorough examination of the facts and circumstances of a situation. There can be no assurance that the judicial/quasi-judicial authorities may not take a position contrary to the views mentioned herein

  • References:

    [3]  India banks are projected to spend over US$1 billion by 2025 on public cloud initiatives, indicating the prominence of cloud in driving the technology transformation. Similarly, IT spending for treasury-as-a-service capabilities is projected to cross US$66 million by 2025 at a compound annual growth rate (CAGR) of 20%, reiterating the resolve of the banks in India to get closer to their business clients. []
    [8]Co-lending arrangements shall be governed by the extant instructions as laid down in the Circular on Co-lending by Banks and NBFCs to Priority Sector dated November 05, 2020.
    [9] As per the provisions of the Credit Information Companies (CIC) (Regulation) Act, 2005; CIC Rules, 2006; CIC Regulations, 2006

Disclaimer: Disclaimer: The information contained in this document is intended for informational purposes only and does not constitute legal opinion or advice. This document is not intended to address the circumstances of any individual or corporate body. Readers should not act on the information provided herein without appropriate professional advice after a thorough examination of the facts and circumstances of a situation. There can be no assurance that the judicial/quasi-judicial authorities may not take a position contrary to the views mentioned herein