The RBI’s Digital Lending Guidelines Two Years On: Compliance Gaps, Enforcement Actions, and What Fintech Lenders Got Wrong

Introduction

When the Reserve Bank of India released its comprehensive Digital Lending Guidelines in September 2022, the response from the fintech lending industry was a mixture of relief and alarm. Relief because years of regulatory uncertainty — during which novel business models had proliferated faster than compliance frameworks could track — were partially resolved. Alarm because several of the guidelines’ most specific requirements, particularly around disbursement flows, interest rate disclosure, and third-party lending service provider accountability, required significant changes to business models that had been optimised for customer acquisition rather than regulatory compliance.

Two years later, the picture is mixed. Larger regulated entities — banks and NBFCs with established compliance teams — have largely adapted, though imperfectly. The first-loss default guarantee (FLDG) model has been clarified and is permitted within specified limits. Co-lending arrangements have been brought within a defined regulatory perimeter. But a substantial subset of the digital lending ecosystem, particularly smaller lending apps operating through multiple layers of outsourcing, continues to operate in ways that the guidelines explicitly prohibit. Regulatory enforcement has begun in earnest, and the RBI’s actions against specific entities are clarifying where the compliance red lines actually sit.

Legal Framework

The Digital Lending Guidelines (2022) were issued by the RBI under Section 35A of the Banking Regulation Act 1949 and the relevant provisions of the RBI Act 1934. They apply to all regulated entities (REs) engaged in digital lending — scheduled commercial banks, small finance banks, and NBFCs — and extend, through regulated entities, to their Lending Service Providers (LSPs) and Digital Lending Apps (DLAs).

The Guidelines’ key prescriptions are: loan funds must flow directly from the regulated entity to the borrower’s bank account (not through the LSP); all loan charges must be included in the Annual Percentage Rate (APR) and disclosed upfront; a Key Fact Statement (KFS) must be provided before loan execution; borrowers have a cooling-off period to exit the loan; data collection by LSPs must be limited to data necessary for underwriting; and the regulated entity retains primary regulatory accountability for all LSP conduct.

The FLDG Guidelines (2023), issued following the digital lending framework’s implementation, permitted FLDGs up to 5% of the loan portfolio, ending the prior regulatory ambiguity about whether FLDG structures constituted illegal guarantees or legitimate credit enhancement arrangements.

Judicial and Regulatory Developments

The RBI’s enforcement actions since 2023 have established the practical contours of the Guidelines’ requirements. Actions against specific lending apps for disbursement routing violations — transferring loan proceeds through LSP-controlled escrow accounts rather than directly to borrowers — have been the most common enforcement trigger. The Guidelines are explicit: the borrower’s bank account, not the LSP’s escrow, is the required disbursement destination, and deviations are treated as violations regardless of the commercial rationale.

The cancellation of several NBFC registration certificates in 2023 and 2024, where the NBFCs were effectively acting as front-end regulated entities for unregulated lending operations with the NBFC providing only the regulatory license, signals the RBI’s willingness to use its most drastic enforcement tool against what it characterises as regulatory arbitrage.

The Madras High Court’s engagement with digital lending in a series of writ petitions concerning recovery harassment by lending apps — petitions that called attention to the practice of accessing borrower contact lists and using personal connections to pressurise repayment — prompted the RBI to issue supplemental guidance on fair practices and to coordinate with state governments on criminal action against violators.

Contemporary Issues and Analysis

The most significant compliance gap is in the data processing obligations applicable to LSPs. The Guidelines require that data collection be limited to data necessary for loan processing, obtained with informed borrower consent, and subject to specified retention limits. In practice, many lending apps continue to collect far broader data sets — contacts, call logs, photos — and retain them for purposes that go well beyond underwriting. The RBI’s enforcement capacity in this area is limited because the guidelines do not specify the legal consequences for data misuse (which is now addressed separately under the DPDP Act 2023), and because the large number of LSPs operating in the ecosystem makes systematic monitoring difficult.

The APR disclosure requirement has generated significant implementation controversy. The APR must include all charges — interest, processing fees, insurance, and any other mandatory charges — expressed as a single annualised figure. Many lenders continue to present APRs that exclude certain fee categories or that are calculated on a reducing balance basis in ways that understate the effective cost of credit. The KFS requirement compounds this: while KFS disclosure is now mandated, the quality of KFS documents varies enormously, with many using technical language that defeats the consumer-protection purpose.

The cross-border dimension is a persistent regulatory enforcement gap. Several digital lending apps operating through entities incorporated in China, Singapore, or other offshore jurisdictions have used Indian-registered subsidiaries or partnership arrangements with Indian LSPs to access Indian borrowers while structuring the actual lending and recovery operations offshore. The RBI’s jurisdiction over these arrangements is limited to the Indian-incorporated entities in the chain, and offshore principals often remain beyond regulatory reach even when their apps are blocked.

Comparative and International Perspective

China’s experience with digital lending regulation offers both instructive parallels and cautionary lessons. Following the peer-to-peer lending collapse of 2018-2019, the People’s Bank of China imposed comprehensive regulations on fintech lenders, including capital requirements, interest rate caps, and mandatory registration. The regulatory correction was effective at curbing the worst excesses but also significantly contracted credit supply, leaving millions of small borrowers without access to formal lending.

The UK’s Financial Conduct Authority (FCA) has developed a “Buy Now Pay Later” and digital lending regulatory framework that shares several principles with the RBI guidelines — APR disclosure, cooling-off periods, affordability assessments — but goes further in requiring lenders to assess creditworthiness systematically rather than relying on alternative data models that may have discriminatory effects.

Practical and Policy Implications

For NBFC-based fintech lenders, the compliance investment required by the Digital Lending Guidelines is substantial but proportionate to the business risk of operating outside the framework. The enforcement pattern suggests that the RBI’s priority targets are entities involved in disbursement routing violations and recovery harassment — both of which carry not only regulatory consequences but potential criminal liability for individual officers.

For banks participating in co-lending arrangements with fintech partners, the Guidelines’ requirement that the bank retain primary regulatory accountability for LSP conduct is the key commercial risk: a fintech LSP’s compliance failure can expose the bank to regulatory action even if the bank played no operational role in the violation.

Suggestions and Reforms

The RBI should publish quarterly aggregate enforcement data — number of actions taken, categories of violations, entities sanctioned — to create a public deterrence signal without compromising individual enforcement confidentiality. The current opacity about enforcement frequency and severity limits the Guidelines’ deterrent effect.

The APR calculation methodology should be standardised through a mandatory RBI-specified formula, eliminating the current variation in calculation approaches that allows lenders to present equivalent credit products with different effective APRs.

Conclusion

The Digital Lending Guidelines represent the RBI’s most comprehensive engagement with the fintech lending sector and have undeniably improved baseline standards of transparency and accountability. But two years of implementation experience show that compliance quality is uneven, enforcement reach is limited, and the most exploitative practices — aggressive data collection, recovery harassment, and regulatory arbitrage through offshore structures — remain persistent. The Guidelines’ next evolution should focus on enforcement capacity and cross-border regulatory coordination as much as on the substantive rules themselves.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these