Quick answer: The RBI Digital Lending Guidelines require that all loan disbursals and repayments flow directly between the borrower’s bank account and the regulated entity, that customers receive a standardised Key Fact Statement (KFS) before sanction, that any First Loss Default Guarantee (FLDG) between an RE and an LSP stays within the prescribed cap, that a cooling-off period is provided, and that data collection is minimised, purpose-limited, and explicitly consented to. The rules apply whether you are a bank, an NBFC, or a fintech operating as an LSP for one of them.
If you operate a digital lending product in India — your own NBFC app, a partnership with a regulated entity (RE), or a Lending Service Provider (LSP) — every product decision you ship lives or dies inside the Reserve Bank of India’s Digital Lending Guidelines. This is the working checklist our compliance and engineering teams run on every digital lending engagement we build at OpenMalo, condensed into the seven things that actually trip up audits.
1. Who the guidelines apply to (and who they don’t)
The guidelines apply to all Regulated Entities — commercial banks, cooperative banks, and NBFCs — and by extension to every Lending Service Provider that performs one or more of the lending lifecycle functions on their behalf: customer acquisition, underwriting, pricing, KYC, servicing, monitoring, recovery. If your app does any of those for a regulated lender, you are inside the perimeter.
The guidelines do not apply to peer-to-peer lending platforms (separate NBFC-P2P framework), credit cards, or to lending by entities outside the RBI’s regulatory ambit such as Section 8 microfinance trusts. They also don’t apply to merchant credit where the financing is structured as receivables purchase rather than a loan.
2. The KFS — what must be in it
Every borrower must receive a Key Fact Statement in a standardised, comparable format before the loan is sanctioned. The KFS must show:
- The all-inclusive Annual Percentage Rate (APR) — interest plus all fees, expressed as a single rate
- Recovery mechanism (including details of the recovery agent, if any)
- Grievance redressal officer’s name and contact
- Cooling-off period terms
- A unique loan reference number
The KFS must be digitally signed and time-stamped. We’ve seen audits reject KFS implementations where the APR was calculated without including processing fees or where the document was delivered as a non-tamper-evident PDF.
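The two audit failures named above, as an added example (not OpenMalo's code): the APR is computed on the amount the borrower actually receives after fees, and the KFS fields plus issue timestamp are bound under a tag so any later edit is detectable. Assumptions: the APR is annualised as 12 times the monthly IRR, HMAC-SHA256 stands in for the asymmetric digital signature and trusted time-stamp a production KFS would carry, and all field names, the key, and the loan values are constructed.

```python
import hashlib
import hmac
import json

def emi(principal, annual_rate, months):
    """Equated monthly instalment at a nominal annual rate."""
    r = annual_rate / 12
    return principal * r / (1 - (1 + r) ** -months)

def all_inclusive_apr(principal, upfront_fees, instalment, months):
    """Monthly IRR on the cash the borrower actually receives, times 12.
    Assumption: nominal annualisation; use the convention your RE prescribes."""
    net = principal - upfront_fees
    lo, hi = 0.0, 1.0                      # bounds on the monthly rate
    for _ in range(100):                   # bisection: PV falls as the rate rises
        mid = (lo + hi) / 2
        pv = instalment * (1 - (1 + mid) ** -months) / mid
        lo, hi = (mid, hi) if pv > net else (lo, mid)
    return round(12 * (lo + hi) / 2, 6)

def _canonical(doc):
    # Sorted keys and fixed separators give one byte string per document.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def seal_kfs(kfs, key, issued_at):
    """Bind the KFS fields and the issue timestamp under one tag."""
    body = dict(kfs, issued_at=issued_at)
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"kfs": body, "seal": tag}

def verify_kfs(sealed, key):
    """Recompute the tag over the stored fields; any edit makes this False."""
    expected = hmac.new(key, _canonical(sealed["kfs"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["seal"])

# Constructed sample loan: 50,000 at 24% nominal, 12 months, 1,500 processing fee.
PRINCIPAL, FEE, RATE, MONTHS = 50_000, 1_500, 0.24, 12
INSTALMENT = emi(PRINCIPAL, RATE, MONTHS)
APR_WITHOUT_FEES = all_inclusive_apr(PRINCIPAL, 0, INSTALMENT, MONTHS)  # audit-failing figure
APR_WITH_FEES = all_inclusive_apr(PRINCIPAL, FEE, INSTALMENT, MONTHS)   # figure the KFS must show

DEMO_KEY = b"demo-key-not-for-production"
SEALED = seal_kfs(
    {"loan_ref": "LN-EXAMPLE-0001", "apr": APR_WITH_FEES,
     "recovery_mechanism": "in-house collections (constructed)",
     "grievance_officer": "name and contact (constructed)",
     "cooling_off_days": 3},
    key=DEMO_KEY, issued_at="2025-01-01T00:00:00Z")

if __name__ == "__main__":
    print(APR_WITHOUT_FEES, APR_WITH_FEES, verify_kfs(SEALED, DEMO_KEY))
```

On this sample the 3% processing fee moves the disclosed rate from 24% to roughly 30%, which is the gap an auditor looks for when fees are left out of the APR.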
3. Money flow — direct, always
This is the rule that catches the most fintechs. Disbursal must go directly from the RE to the borrower’s bank account and repayment must come directly back to the RE’s account. The LSP cannot sit in the middle, even for a few hours. Pool accounts, escrows held by the LSP, and “settlement floats” are out.
If your architecture today has a wallet step in between, you have a hard re-engineering job. The product pattern that works is: borrower’s account ↔ RE’s nodal account, with the LSP receiving only its service fee on a separate post-disbursal flow.
4. FLDG — what’s allowed
A First Loss Default Guarantee — where the LSP underwrites a portion of the lender’s portfolio losses — is permitted but capped. The current cap is 5% of the outstanding loan portfolio covered by the FLDG arrangement, and the FLDG must be in the form of cash deposit, bank guarantee, or fixed deposit lien-marked in favour of the RE. Corporate guarantees and “soft” FLDGs are not eligible.
The FLDG arrangement must be documented in a board-approved policy at the RE, with explicit disclosure to the borrower that no service is dependent on the FLDG.
Confirm that the 5% cap is still the operative number under the latest RBI circular: RBI has issued multiple amendment circulars since the original 2022 notification.
5. Cooling-off period
Borrowers must be given a cooling-off window during which they can exit the loan by paying only the principal and proportionate APR — no prepayment penalty. The window varies by loan tenor but for short-tenor digital loans is typically three days. Build the UX so a single tap from the loan dashboard initiates the cooling-off exit and triggers the refund flow.
6. Data privacy — minimise, purpose-limit, consent
You can collect only the data necessary for the loan. Phonebook, photo gallery, file storage, and contact list access are explicitly prohibited — Google Play has been pulling apps that violate this. Permissions must be requested with clear purpose strings; consent must be revocable; biometric data is treated as sensitive personal data under the DPDP Act 2023 framework.
Store data only as long as needed for the loan lifecycle plus regulatory retention. Auto-delete after retention expiry — and log the deletion.
7. Reporting — CICs, CKYCR, and the RBI itself
Every digital loan must be reported to all four Credit Information Companies (CIBIL, Experian, Equifax, CRIF High Mark) within the prescribed cycle. KYC records flow into CKYCR. The RE must publish on its website the full list of LSPs it works with, and the LSP’s website must reciprocate with the RE name.
Build vs. buy: where most teams underestimate effort
The KFS engine, FLDG accounting, cooling-off automation, and CIC reporting pipeline together account for roughly 40% of the engineering load on a compliant digital lending stack. Most teams budget for the loan origination flow and underestimate this back-of-house compliance plumbing. If you are pre-Series A and want to ship in under six months, a configurable lending platform (like OpenMalo’s lending module) is usually faster than building these subsystems from scratch.
Closing — the compliance posture that pays off
Treat the RBI Digital Lending Guidelines as a product spec, not a legal afterthought. The lenders that build KFS, cooling-off, and direct-disbursal into the architecture from day one are the ones that survive audits without a six-month freeze. The shortcut here is borrowed time — and the bill, when it comes, is paid in shipped features.
