By Anuradha Gandhi and Rachita Thakur
Introduction
On May 08, 2025, Reserve Bank of India (hereinafter referred to as RBI) issued consolidated guidelines on digital lending by Regulated Entities (hereinafter referred to as RE) to streamline various regulatory instructions.[1]
This direction have repealed various previous circular and guidelines[2] which dealt with digital lending to provide a comprehensive directions and increase confidence in digital lending ecosystem.
Purpose
The current direction is an updated version, addressing issues like primarily relating to unbridled engagement of third parties, mis-selling, breach of data privacy, unfair business conduct, charging of exorbitant interest rates, and unethical recovery practices.
Key definitions
Digital Lending- A remote and automated lending process, largely by use of seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.
Lending Service Provider- an agent of RE carrying the digital lending function on his behalf for customer acquisition, providing loan, recovery of loan, monitoring of services, etc.
What does the direction say on data protection requirement?
With the rapid growth of digital innovation, continuous updates, stronger enforcement mechanism and integration with broader data protection legislation like Digital Personal Data Protection Act, 2023 the directions have integrated data privacy to acknowledge the increasing concerns of borrowers relating to their data. The directions covers the following data privacy concerns-
Data collection & consent- the collection of data must be need-based and with prior and explicit consent and audit trails. One time access of camera/microphone/location shall be permitted only for KYC on explicit consent. Data lending platforms shall strictly restrict from accessing mobile resources like files, call logs, etc. Further the consent shall be in granular format including right to deletion.
Data storage & security- lending service providers (hereinafter referred to as LSPs) shall store minimal customer data necessary for operations. There shall be mandatory privacy policies covering storage duration, destruction protocols and breach handling. Storage of biometric data is prohibited except where permitted by statutory guidelines. The data collected must be stored in India-based servers and if stored outside India shall be returned within 24 hours.[3]
Transparency requirements- the purpose of data collection shall be disclosed to customer at every interaction point and a comprehensive privacy policy shall be made publicly available on website also disclosing third party data collectors.
RE shall report the list of DLAs deployed on the Centralised Information Management System (CIMS) portal. Further the data shall be correct and up-to-date.
Compliance standards- the direction put responsibility on Regulated entities for customer data privacy and security. All entities must meet RBI and other agencies cybersecurity standards.
Due diligence- Further the directions require RE to conduct due diligence related to robustness of data privacy policy, technical capabilities, fairness in conduct and storage systems before entering into agreement with Lending service providers.
Prohibition on use of dark patterns- LSP shall not display biased and misleading content and shall restrict from using deceptive patterns.
Grievance redressal mechanism– customer care details along with grievance redressal mechanism shall be displayed on the website of RE along with ensuring LSPs have link to the website.
Conclusion
The RBI has taken significant steps in ensuring data privacy and protection within the financial realm, aligning with global standards and the increasing need to secure digital financial ecosystems. Through its various directives such as guidelines on storage of payment data, restriction on storage of actual card data, master directions on know your customer and various others, the efforts not only reinforce customer trust but also create a regulatory environment that promotes accountability among banks and financial institutions.
Abhishekta Sharma, Junior Associate Advocate at S.S.Rana & Co. has assisted in the research of this article.
[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12848&Mode=0
[2]https://rbidocs.rbi.org.in/rdocs/notification/PDFs/CCN112LNBCF387F4EE693D74EA6A70E6938C7CDCE47.PDF, https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12382&Mode=0, https://rbi.org.in/Commonman/English/Scripts/FAQs.aspx?Id=3413, https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12514&Mode=0, https://www.rbi.org.in/commonman/English/scripts/FAQs.aspx?Id=3592
[3] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=51895