In 2020, a borrower in Hyderabad took a Rs 10,000 loan from an app on his phone. Within weeks, the app had accessed his entire contact list, sent threatening messages to his family members, and demanded repayment of Rs 45,000 — interest, processing fees, and penalties that were never disclosed upfront. He wasn't alone. Hundreds of unregistered lending apps had flooded Indian smartphones, and the regulatory framework hadn't caught up. The reason was structural: these apps operated in a grey zone, neither licensed as NBFCs nor clearly under any existing RBI direction. What followed was one of the fastest regulatory responses in Indian financial history — from a public caution in 2020 to a comprehensive consolidated direction by 2025.
Why Did Predatory Lending Apps Proliferate So Fast?
The explosion was triggered by three factors converging at once: smartphone penetration crossing 500 million, the availability of Aadhaar-based digital identity verification, and a regulatory gap that let non-bank entities offer credit without disclosing who the actual lender was.
The RBI's December 2020 public caution (PR_50846) laid out the problem in unsparing terms:
"Individuals/small businesses falling prey to growing number of unauthorised digital lending platforms/Mobile Apps...excessive rates of interest and additional hidden charges...adoption of unacceptable and high-handed recovery methods; and misuse of agreements to access data on the mobile phones of the borrowers."
Why couldn't existing regulation catch this? Because the apps weren't lenders themselves — they were Lending Service Providers (LSPs) fronting for banks and NBFCs that remained invisible to the borrower. The borrower dealt with the app. The app set the terms. The bank behind it stayed silent. When things went wrong, the borrower had no regulated entity to complain to, because they didn't even know a regulated entity was involved.
What Was the First Regulatory Response?
The RBI moved even before the public caution. In June 2020, Loans Sourced over Digital Lending Platforms, June 2020 RBI/2019-20/258 (since withdrawn) — identified the core deception:
"Lending platforms tend to portray themselves as lenders without disclosing the name of the bank/NBFC at the backend, as a consequence of which, customers are not able to access grievance redressal avenues."
The fix was targeted: every digital lending platform had to disclose the name of the bank or NBFC actually sanctioning the loan. Loan agreements had to name the regulated entity. The borrower had to know who was lending. It was a disclosure mandate — necessary but not sufficient. The deeper problems of data misuse, opaque pricing, and abusive recovery would take two more years to address.
Why Did the RBI Convene a Working Group?
By January 2021, the RBI recognised that disclosure alone wouldn't fix digital lending. The press release announcing the Working Group (PR_50961) framed the tension:
"Digital lending has the potential to make access to financial products and services more fair, efficient and inclusive...Recent spurt and popularity of online lending platforms/mobile lending apps has raised certain serious concerns which have wider systemic implications."
The Working Group was chaired by Jayant Kumar Dash, Executive Director. Its terms of reference covered everything from the legal framework for digital lending to the role of third-party LSPs to data protection concerns. The group submitted its report in November 2021 (PR_52589), recommending a comprehensive regulatory overhaul. The reason the RBI chose a Working Group rather than issuing immediate directions was pragmatic — the fintech lending ecosystem had grown so complex that the regulator needed industry input to avoid breaking legitimate innovation while shutting down abuse.
What Changed in the September 2022 Guidelines?
The September 2022 digital lending guidelines (Reserve Bank of India (Urban Co-operative Banks –) were the most consequential intervention. They restructured the economics and data flows of every lending app in India. The key mandates:
Fund flows locked down. All loan disbursements must go directly from the regulated entity to the borrower's bank account — not through the LSP's wallet or pool account. All repayments flow directly from the borrower to the regulated entity. This killed the model where LSPs held borrower funds and extracted charges before forwarding the remainder. The reason for mandating direct flows was simple: intermediary control of funds enabled hidden fee extraction and delayed disbursements that functioned as additional interest.
Pricing transparency mandated. Every digital loan must disclose the Annual Percentage Rate (APR) — the all-in cost including processing fees, insurance charges, and any other deductions. Why APR specifically? Because lending apps had been advertising low interest rates while burying the real cost in processing fees deducted upfront from the disbursement amount, making effective rates several multiples of the stated rate.
Cooling-off period introduced. Borrowers got the right to exit a digital loan within a look-up period without penalty. This addressed a pattern where apps disbursed loans with pre-deducted processing fees, leaving borrowers locked in before they understood the terms.
Data minimisation enforced. LSPs cannot access a borrower's phone contacts, photos, media files, or any data beyond what is strictly necessary for the loan. Explicit, granular consent is required for any data access. The accompanying notification (Reserve Bank of India (Regional Rural Banks – Cred) specified audit trail requirements for consent records.
Further operational details were laid out in Digital Lending Compliance Circular (Reserve Bank of India (Commercial Banks – Credit F), which addressed implementation timelines and clarified that the NBFC prudential framework applied fully to digitally originated loans — no regulatory arbitrage just because the loan was sourced through an app.
How Did the May 2025 Consolidation Change the Framework?
By 2024, the digital lending framework was scattered across multiple circulars, FAQs, and clarifications issued since 2020. The May 2025 Digital Lending Directions (PR_60403) consolidated everything into a single unified direction. This superseded RBI/2019-20/258 (since withdrawn), replaced the interim guidelines with a permanent regulatory architecture, and amended the earlier circulars into one authoritative text.
The consolidation carried forward all the September 2022 mandates — direct fund flows, APR disclosure, cooling-off periods, data minimisation — while adding new requirements that had emerged from two years of enforcement experience. The digital lending compliance framework (Reserve Bank of India (All India Financial Institu) laid the groundwork for ongoing oversight.
What Is the Self-Regulatory Organisation Requirement?
The RBI didn't stop at direct regulation. It mandated the creation of a Self-Regulatory Organisation (SRO) for digital lending — an industry body that would set standards, monitor compliance, and act as a first line of defence before the RBI's own supervisory machinery engages. The SRO requirement was triggered by a recognition that the RBI cannot directly supervise thousands of LSPs the way it supervises a few hundred banks and NBFCs. The SRO model — industry policing itself under regulatory oversight — had precedent in securities markets with AMFI and in payments with the Payment Council of India.
The SRO is expected to maintain a registry of legitimate LSPs, handle consumer complaints as a first escalation point, and report systemic concerns to the RBI. Entities that refuse to join the SRO face the consequence of their partner banks and NBFCs being unable to use them as LSPs.
How Does Digital Lending Connect to KYC?
Every digital loan requires borrower identification. The KYC framework applies identically whether the loan is sourced at a bank branch or through an app — Aadhaar OTP-based eKYC, Video-based Customer Identification Process (V-CIP), or in-person verification with Officially Valid Documents. The reason the RBI insisted on parity was to prevent digital lending from becoming a channel for identity fraud or money laundering.
V-CIP, introduced in January 2020, became the enabling technology for legitimate digital lending at scale. A borrower could complete KYC via a live video call, get verified, and receive a loan — all without visiting a branch. But the identity verification standard remained the same as in-person KYC. The digital channel was a convenience, not a lower bar. Digital lending platforms also interact with the broader digital payments ecosystem — disbursements often go via IMPS or UPI, and repayment mandates use the e-NACH or UPI AutoPay framework.
Where Does This Leave Borrowers Today?
The regulatory arc from 2020 to 2025 fundamentally changed what a lending app can do. Before the crackdown, an app could access your contacts, hide the real lender's identity, deduct fees before disbursement, and send recovery agents after your family. After the consolidated 2025 directions, every app must name the regulated entity behind it, disburse directly to your bank account, disclose the full APR, give you a cooling-off period, and access only the data you explicitly authorise.
The framework isn't self-executing — enforcement depends on the RBI's supervisory capacity and the SRO's effectiveness. But the legal architecture is now comprehensive. A borrower who faces abuse from a lending app today has a clear chain: complain to the app, escalate to the regulated entity behind it, approach the SRO, and if all else fails, invoke the RBI's Integrated Ombudsman Scheme. The grey zone that predatory apps exploited in 2020 has been closed — not perfectly, but structurally.
Last updated: April 2026