RBI Protects Borrowers in the Latest Guidelines on Digital Lending

April 2, 2023

The Reserve Bank of India (RBI) has taken a firm stance on the protection of customer privacy and data protection in its guidelines on digital lending. According to RBI guidelines, regulated organisations are only permitted to store the bare minimum of borrower data. A lender may keep records of information needed to handle and distribute a loan as well as its repayments, such as the borrower’s name, address, and contact information. Digital lending apps cannot store the borrower’s biometric data.

It is crucial that the regulator safeguard consumer rights when customers transition from being “new to credit” to being “new to digital.” Many naïve users of digital technology have been taken advantage of by illegal businesses and digital lending apps that were not registered with the RBI.

Customers are typically not aware that they are signing away their privacy rights when they accept the terms and conditions of service of unregulated platforms. This allowed such unlawful lending apps to gather users’ entire phone contacts, media, gallery, etc., which they then used to harass borrowers and their connections in case of delayed payments.

So, the RBI’s major purpose in introducing its guidelines on digital lending is to decrease consumer fraud. The RBI’s decision will increase accountability and transparency for lenders and uphold the privacy rights of consumers.

More About RBI Guidelines on Data Protection

The latest series of guidelines issued by the RBI to preserve data privacy and security for customers came recently, with the central bank taking steps to bring digital lending platforms into the regulatory ambit. 

Lenders can get one-time access to certain functions like camera, microphone or location to complete KYC or onboarding processes, but only with the explicit consent of the customer. These measures will curb the rampant increase in cases of predatory lending practices by unregulated platforms and lenders that resorted to unscrupulous recovery practices like blackmail.  

The RBI’s data protection guidelines are effective now and apply to both new customers joining and existing customers seeking new loans from September 2, 2022. The central bank states that in order to “ensure a smooth transition,” regulated entities will be given until November 30, 2022 to put in place the necessary systems and processes to ensure that “existing digital loans” (approved as of the date of the circular) also adhere to these regulations in letter and spirit.

All Commercial Banks, Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks, and Non-Banking Financial Companies (including Housing Finance Companies) are covered by the RBI’s regulations. The following are the RBI’s guidelines on digital lending aimed at data protection of borrowers.

Borrowers Must Receive Permission Requests and Notifications:

  • The borrowers must be notified about the storage of customer data, including the types of data that can be stored, the amount of time that data may be stored, usage restrictions, data destruction procedures, procedures for resolving security breaches, etc. Companies must always make the information available on their website and apps.

Key Fact Statement:

  • A Key Fact Statement (KFS) will be given to the borrower at the time of disbursement for loans made using digital apps before the contract is executed for all digital lending products.
  • The Key Fact Statement should mention the borrower and also include details about the total cost of digital loans.
  • The amount of the loan that is still due will be taken into account when calculating any penalties that may be assessed against the borrowers. Additionally, the borrower shall be informed in the Key Fact Statement of the annualised rate of any penal costs.
  • Borrowers cannot be charged for any fees, levies, or other amounts without disclosure of the fees.
  • The KFS must include the annual percentage rate, the recovery procedure, information on the grievance redressal officer specifically assigned to handle issues relating to digital lending/FinTech, and the cooling-off/look-up period. If a borrower decides not to continue with the loan, they are allowed a certain amount of time to cancel it (the cooling-off/look-up period).
  • On the successful completion of the loan contract or transaction, the information will be delivered to the borrowers on their verified email address or SMS. The letterhead of the regulated institution (bank) must be used when sending the information, which must include a Key Facts statement, a summary of the loan product, a sanction letter, terms and conditions, account statements, and privacy policies of the LSPs and DLAs with regard to the data of the borrowers.

Borrowers Must be Given the Important Information:

  • The borrowers must be given information on the product’s features, the loan limit, the pricing, etc., during the sign-up/onboarding stage.
  • The list of the digital lending apps and service providers that the banks and NBFCs have contracted with must be made public on their websites.
  • It is required that information about nodal grievance redressal officers be made available on the websites of banks, NBFCs, lending service providers, digital lending apps, as well as on the key fact statement.
  • Apps and websites that offer digital loans must enable borrowers to file complaints.
  • Before extending any loan through their own Digital Lending Apps and/or through Lending Service Providers they have hired, the banks and NBFCs may gather the economic profile of the borrowers (age, occupation, income, etc.) in order to evaluate the borrower’s creditworthiness in an auditable way.
  • No credit limit will automatically increase unless the borrower’s explicit approval is recorded for each such increase.

Cooling-off and Look-up Period:

  • The borrower must be offered the choice to explicitly quit the digital loan during the cooling-off/look-up period by paying the principal and the proportionate APR within this time without incurring any penalties. The board of the bank or NBFC will decide on the cooling-off period. For loans with a length of seven days or longer, the period cannot be fewer than three days; for loans with a term of less than seven days, it cannot be less than one day. Pre-payment shall continue to be permitted as per current RBI guidelines for borrowers who continue to make loan payments even after the look-up period.

Lenders Must Ensure that their Lending Service Provider is Reported to Credit Information Companies:

  • Regardless of the type or duration of the lending, banks and NBFCs must make sure that any lending completed through their digital lending apps and/or the digital lending apps of lending service providers is reported to credit information companies (like CIBIL).
  • Banks, NBFCs, and/or Lending Service Providers engaged by them over a merchant platform must report any extensions of structured digital lending products including short-term, unsecured/secured credits or deferred payments to credit information companies.

The Loan Must Always be Disbursed Directly into the Bank Account of the End-beneficiary:

  • The regulated entities must make sure that all loan servicing, repayment, etc., is done directly by the borrower into the bank account of the regulated businesses, without using a pass-through account or pool account of any kind from a third party. The loan must always be disbursed directly into the bank account of the end-beneficiary. 
  • The only exceptions are disbursals covered solely by statutory or regulatory mandate (of the RBI or of any other regulator), money flow between regulated entities for co-lending transactions, and disbursals for specific end uses. Unless specifically stated in these regulations, lenders must make sure that no disbursal is ever sent to a third-party account, including those of lending service providers and their digital lending apps.

How Does Open Banking Help with Data Protection?

In order to create applications and services such as real-time payments, increased financial transparency options for account holders, and marketing and cross-selling opportunities, banks must share and use customer data with third-party developers and businesses. The RBI Deputy Governor remarked that India has adopted a strategy in which the market and the regulator have worked together to establish the open banking space.

In India, RBI and the National Payments Corporation of India (NPCI) came out with a payment system like UPI and released its Application Programming Interfaces (APIs) for the banks and third-party app providers to build upon. As a part of driving innovation, many banks are releasing their own APIs and joining forces with the fintech companies to provide a better experience to their customers.

Simply said, Open Banking enables firms in the financial market to diversify their service and product portfolios. Customers retain control over how much data they use and have the option to disconnect at any moment.


The Reserve Bank of India has been working to introduce adjustments to control digital payments and safeguard end-user interests. Since some illegal FinTech platforms collect enormous volumes of client data, including highly sensitive financial and personal data, the RBI expressed concerns about potential customer data privacy violations by such firms. This is the reason RBI has taken a firm stance on the protection of customer privacy and data protection in its guidelines on digital lending. 

Kinara Capital, an RBI-registered last-mile lending firm for MSMEs, supports and values RBI’s move towards protecting borrowers. With the myKinara App, Kinara has consumerised its technology to give MSMEs immediate access to funding, while keeping its clients’ security as its top priority. Kinara’s business loans have empowered numerous MSME entrepreneurs to realise their dreams and take their businesses to new heights. To learn more, check the official page of Kinara Capital or give us a missed call at 080-68264454.