
RBI’s Data Privacy and Sharing Mandates in Digital Lending, 2025

On May 8, 2025, the Reserve Bank of India (RBI) issued the Digital Lending Directions, 2025. These guidelines update and consolidate the regulatory framework for digital lending across India. The Directions aim to support innovation and growth in digital credit. At the same time, they focus on protecting borrower interests, ensuring data privacy, and maintaining financial stability.

The RBI’s Digital Lending Directions, 2025, set out detailed rules for Regulated Entities (REs) and Lending Service Providers (LSPs). These include requirements on data privacy, consent, data sharing, and security. The rules align closely with the Digital Personal Data Protection Act (DPDPA), 2023, India’s key data privacy law. Together, they create a regulatory framework that protects borrower rights and promotes responsible data use.

Key RBI Sections on Data Privacy & Sharing

RBI Direction | Key Points on Data Privacy and Sharing
Section 12 | Data collection with explicit borrower consent; limited resource access; revocation rights.
Section 13 | Data storage only in India; minimal data storage by LSP; strict privacy & security protocols.
Section 14 | Mandatory comprehensive privacy policies publicized by RE and LSP.
Section 8 | Transparency to borrower on loan terms, privacy policies, grievance contacts.
Section 9 | Prohibition on third-party fund flows; no direct borrower charges by LSPs.
Section 11 | Grievance redressal mechanisms clearly defined and publicly accessible.
Sections 16, 17 | Reporting to CICs and RBI CIMS for audit and monitoring.
Section 5 | Due diligence on LSPs for data privacy, compliance, and technical robustness.

The RBI requires Lending Service Providers (LSPs) and Digital Lending Apps (DLAs) to collect data only when absolutely necessary. They must obtain the borrower’s express consent before gathering any information. Accordingly, borrowers must respond “yes” before their information is gathered (Para 12.i).

Borrowers are also free to decide what information they consent to share. They can refuse certain uses of their data, limit access, revoke consent at any time, and request data deletion (Para 12.ii). These apps and service providers are also unable to access private information on a borrower’s phone, such as call logs or contacts, unless it

2. Clear Information and Privacy Policies

Lending Service Providers and Regulated Entities (REs) must maintain clear privacy policies. These must explain how borrower data is collected, used, and shared. These policies must be easily accessible to the general public, such as through their websites or applications (Para 14).

Lenders must digitally sign important documents like loan agreements, terms, and privacy policies, and send them to the borrower’s verified phone number or email address. This ensures borrowers receive official copies of these crucial documents (Para 8.iii).

3. How and Where Data Is Stored

LSPs may keep only basic personal details needed for their tasks, such as the borrower’s name, address, and contact info. The main lender (RE) is responsible for making sure all the data is kept safe and private (Para 13.i).

LSPs must not store or collect biometric data, such as fingerprints or facial scans, unless a specific law permits it (Para 13.iii). Collected personal data may be stored only on servers located within India. If data is processed overseas, LSPs must bring it back to India and delete it from the overseas location within 24 hours (Para 13.iv).

4. Rules for Sharing Data with Others

Lenders can share borrower data with third parties only after obtaining the borrower’s prior, explicit, and unambiguous consent. The only exception is when the law requires it (Para 12.iv). Borrowers must be clearly informed about the purpose and intended use of any data collected or shared. This guarantees complete transparency (Para 12.iii).

5. Responsibility and Care in Handling Data

Regulated Entities must thoroughly investigate the history and data security policies of the Lending Service Providers they work with, ensuring these providers comply with privacy regulations (Para 5.ii). This due diligence helps confirm the providers’ reliability and regulatory compliance. Even after onboarding these service providers, Regulated Entities remain solely accountable for their actions or omissions. If a Lending Service Provider breaches privacy rules, the responsibility still lies with the Regulated Entity (Para 5.vii).

6. Borrowers’ Rights and Complaint Process

Borrowers have the right to know whom to contact for any concerns about their loans or data handling. Borrowers can contact the officers who will handle complaints using the contact information provided by REs and LSPs, as well as the RBI’s Complaint Management System (Para 11). Borrowers can also choose to cancel a digital loan without incurring penalties by repaying the principal and interest in accordance with the amount of time they used the loan. This is known as the “cooling-off” period. This allows borrowers to take charge of their data and financial choices (Para 10).

Correlation with Digital Personal Data Protection Act (DPDPA), 2023

RBI Digital Lending Directions | Relevant DPDPA Provisions | Notes on Correlation
Prior, explicit, auditable consent for data collection and sharing (12.i, 12.ii, 12.iv) | Section 3 (Definitions of Consent), Section 11 (Consent), Section 17 (Processing of Personal Data) | Both emphasize free, informed, specific, and explicit consent before personal data processing. RBI directions align with DPDPA’s consent principles and audit trail requirements.
Data minimization and need-based collection (12.i, 13.i) | Section 16 (Data Minimization and Purpose Limitation) | RBI mandates minimal data collection consistent with DPDPA’s principle that personal data collected must be limited to what is necessary for the purpose.
Data subject rights: consent withdrawal, restriction, erasure (12.ii) | Section 18 (Rights of Data Principals) | RBI requires mechanisms for data subjects (borrowers) to revoke consent and demand data deletion, directly reflecting DPDPA rights.
Data localization: storage only in India; foreign processing allowed with deletion within 24 hours (13.iv) | Section 29 (Cross-border Transfer Restrictions) | RBI’s storage and repatriation rules correspond to DPDPA’s cross-border transfer restrictions ensuring adequate protection for personal data transferred outside India.
Transparency: comprehensive privacy policies, disclosure of third parties (14) | Section 12 (Transparency and Accountability) | RBI’s requirement for publicly available privacy policies and disclosures maps to DPDPA’s transparency mandates.
Accountability and due diligence on service providers (5.ii, 5.vii) | Section 25 (Data Fiduciary Obligations), Section 26 (Data Processor Obligations) | RBI holds regulated entities accountable for actions of their LSPs, reflecting DPDPA’s fiduciary and processor obligations.
Cybersecurity and data protection standards (15) | Section 26 (Security Safeguards), Chapter on Data Security | RBI’s technology standards align with DPDPA’s requirement for reasonable security practices and safeguards.
Right to grievance redressal and complaint mechanisms (11) | Section 30 (Grievance Redressal) | RBI’s grievance redressal officers and links to complaint systems mirror DPDPA’s grievance redressal provisions.

What Does This Mean for Borrowers and Lenders?

  • Borrowers retain control over their personal data with the ability to grant, restrict, or revoke consent at any stage.
  • Data collection is strictly regulated to be only what is necessary for lending, eliminating invasive data grabs or misuse.
  • Data storage localization ensures sovereign control over sensitive borrower data, reducing risks of foreign misuse.
  • Regulated Entities bear full responsibility for the conduct of outsourced Lending Service Providers, ensuring accountability throughout the lending chain.
  • Transparency and grievance redressal mechanisms empower borrowers with clarity on data use and recourse options for violations.
  • RBI’s mandates closely track DPDPA’s foundational principles, reinforcing a robust, borrower-centric data protection regime.

The RBI’s Digital Lending Directions, 2025 and the Digital Personal Data Protection Act, 2023 collectively establish a strong framework that enshrines borrower consent, privacy, data security, and transparency at the core of digital lending. This alignment not only boosts borrower confidence in digital credit but also imposes clear, enforceable responsibilities on lenders and service providers, ensuring India’s digital finance ecosystem remains secure, fair, and compliant.

Correlation with Digital Personal Data Protection Act (DPDPA), 2023

RBI Digital Lending Directions (2025) | DPDPA, 2023 Provisions
Need-based data collection with explicit borrower consent (Para 12) | Section 6(1)(a): Consent must be free, informed, specific, clear, and capable of being withdrawn.
Borrower rights to revoke consent and data deletion (Para 12.ii) | Section 8: Right to correction, erasure, and data portability.
Data storage only in India with strict cross-border transfer rules (Para 13.iv) | Section 24: Cross-border transfer allowed under prescribed safeguards.
Transparency via publicly available privacy policies (Para 14) | Section 10: Privacy notices must be clear, concise, and easily accessible.
Prohibition on collecting/processing sensitive personal data (biometric) without statutory allowance (Para 13.iii) | Section 3(36): Definition of sensitive personal data; special protections apply.
RE’s accountability for LSPs’ compliance with data privacy (Para 5.vii) | Section 13: Data fiduciary responsible for processing by data processor; must ensure compliance.
Borrower grievance redressal & complaint escalation channels (Para 11.iv) | Section 20: Rights of data principals to approach adjudicating officers or appellate authority.
Requirement to maintain audit trails for consent (Para 12.i) | Section 6(2): Data fiduciaries must maintain records of consent and processing.

As digital lending grows, it’s important for lenders to follow RBI and data protection rules carefully. They need to get clear permission from borrowers and keep their data safe. Concur Consent Manager helps lenders do this easily. It makes collecting consent, keeping records, sharing policies, and handling complaints simple and clear.
