Reserve Bank of India - Digital Lending Guidelines 2025

RBI’s Data Privacy and Sharing Mandates in Digital Lending, 2025

On May 8, 2025, the Reserve Bank of India (RBI) issued the Digital Lending Directions, 2025, consolidating and updating the regulatory framework governing digital lending activities across the country. These Directions aim to promote innovation and growth in digital credit while ensuring the protection of borrowers’ interests, data privacy, and financial stability.

The Directions lay out detailed requirements for regulated entities (REs) and Lending Service Providers (LSPs) on data privacy, consent, data sharing, and security. They track closely with the Digital Personal Data Protection Act (DPDPA), 2023, India’s general data protection statute, so that the two regimes together safeguard borrower rights and keep the use of personal data in lending accountable.

Key RBI Sections on Data Privacy & Sharing

RBI Direction | Key points on data privacy and sharing
Section 5 | Due diligence on LSPs covering data privacy, regulatory compliance, and technical robustness.
Section 8 | Transparency to the borrower on loan terms, privacy policies, and grievance contacts.
Section 9 | Prohibition on third-party fund flows; no direct charges to the borrower by LSPs.
Section 11 | Grievance redressal mechanisms clearly defined and publicly accessible.
Section 12 | Data collection only with explicit borrower consent; limited access to device resources; right to revoke.
Section 13 | Data stored only in India; minimal data held by LSPs; strict privacy and security protocols.
Section 14 | Comprehensive privacy policies published by both the RE and the LSP.
Sections 16, 17 | Reporting to Credit Information Companies (CICs) and to the RBI’s CIMS for audit and monitoring.

1. Consent and Data Collection

The RBI requires Lending Service Providers (LSPs) and Digital Lending Apps (DLAs) to collect data only when it is necessary for the lending activity, and only after obtaining the borrower’s explicit consent. Consent must be an affirmative act by the borrower, taken before any information is collected (Para 12.i).

Borrowers also decide what they consent to share. They can refuse particular uses of their data, restrict who may access it, revoke consent at any time, and ask for their data to be deleted (Para 12.ii). In addition, apps and service providers may not access private information on a borrower’s phone, such as call logs or contacts, unless it

2. Clear Information and Privacy Policies

Lending Service Providers and Regulated Entities (REs) must each maintain a comprehensive privacy policy. The policy must explain clearly how borrower data is collected, used, and shared, and it must be easy for the public to find, for example on the entity’s website or inside the app (Para 14).

Key documents such as the loan agreement, the terms and conditions, and the privacy policy must be digitally signed and sent automatically to the borrower’s verified email address or registered phone number (by SMS). This guarantees that borrowers hold official copies of the documents that govern their loan (Para 8.iii).

3. How and Where Data Is Stored

LSPs may keep only the basic personal details needed to perform their tasks, such as the borrower’s name, address, and contact information. The RE remains responsible for ensuring that all data is kept confidential and secure (Para 13.i).

Collecting or storing biometric data (such as fingerprints or facial scans) is prohibited unless another law specifically permits it (Para 13.iii).

Collected personal data may be stored only on servers located in India. If data is processed outside India for any reason, it must be deleted from the foreign servers and brought back to India within 24 hours (Para 13.iv).

4. Rules for Sharing Data with Others

Borrower data may be shared with a third party only with the borrower’s prior, explicit, and unambiguous consent; the sole exception is sharing that is required by law (Para 12.iv). The borrower must also be told the purpose and intended use of any data that is collected or shared, so that nothing happens to the data that the borrower has not been informed about (Para 12.iii).
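The sharing rule above is, in engineering terms, an access-control decision: a transfer to a third party is allowed only if a consent record exists for that exact borrower, data category, purpose and recipient, or a legal basis is cited; a revoked consent must stop later transfers; and every decision must be reconstructible afterwards. The following is an added example (not RBI’s or any lender’s code) of a consent register that enforces those rules and keeps a hash-chained audit trail. The data categories, purposes, recipient names and the free-text `legal_basis` label are made-up for illustration; a real system would use an enumerated list of statutory bases and persist the trail outside the application.

```python
"""Purpose-bound consent register with revocation and a tamper-evident audit trail.

Added illustration, not code from RBI or any lender. Assumes a simplified
model in which each consent grant names one borrower, one data category,
one purpose and one recipient. Labels used in demo() are made up.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first audit entry


@dataclass(frozen=True)
class GrantKey:
    borrower_id: str
    data_category: str  # e.g. "bank_statement" (hypothetical label)
    purpose: str        # e.g. "credit_assessment" (hypothetical label)
    recipient: str      # "lender" or a named third party


class ConsentRegister:
    def __init__(self) -> None:
        self._active: set[GrantKey] = set()
        self.audit_trail: list[dict] = []

    def _log(self, event: str, key: GrantKey, **extra: str) -> None:
        # Each entry commits to the previous entry's hash, so editing or
        # deleting any record invalidates every hash that follows it.
        prev = self.audit_trail[-1]["hash"] if self.audit_trail else GENESIS
        entry = {
            "event": event,
            "borrower_id": key.borrower_id,
            "data_category": key.data_category,
            "purpose": key.purpose,
            "recipient": key.recipient,
            "at": datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,
            **extra,
        }
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_trail.append(entry)

    def grant(self, key: GrantKey) -> None:
        self._active.add(key)
        self._log("consent_granted", key)

    def revoke(self, key: GrantKey) -> None:
        # Revocation affects every later decision; earlier entries stay in the trail.
        self._active.discard(key)
        self._log("consent_revoked", key)

    def can_share(self, key: GrantKey, legal_basis: str | None = None) -> bool:
        """Allow a transfer only on an exact active grant, or on a cited legal basis."""
        if legal_basis is not None:
            self._log("share_allowed", key, basis=f"law:{legal_basis}")
            return True
        allowed = key in self._active  # same borrower, category, purpose AND recipient
        self._log("share_allowed" if allowed else "share_denied", key,
                  basis="consent" if allowed else "none")
        return allowed

    def verify_audit_trail(self) -> bool:
        """Recompute the chain; returns False if any entry was altered or removed."""
        prev = GENESIS
        for entry in self.audit_trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict[str, bool]:
    reg = ConsentRegister()
    assess = GrantKey("B-1001", "bank_statement", "credit_assessment", "analytics_lsp")
    marketing = GrantKey("B-1001", "bank_statement", "marketing", "analytics_lsp")
    cic = GrantKey("B-1001", "repayment_history", "credit_reporting", "credit_information_company")
    reg.grant(assess)
    out = {"assessment_before_revoke": reg.can_share(assess)}
    out["marketing_never_granted"] = reg.can_share(marketing)  # purpose limitation
    reg.revoke(assess)
    out["assessment_after_revoke"] = reg.can_share(assess)
    out["cic_reporting_by_law"] = reg.can_share(cic, legal_basis="mandatory CIC reporting")
    out["trail_intact"] = reg.verify_audit_trail()
    reg.audit_trail[1]["event"] = "share_denied"  # simulate after-the-fact tampering
    out["tamper_detected"] = not reg.verify_audit_trail()
    return out


if __name__ == "__main__":
    print(demo())
```

The match in `can_share` is deliberately exact: consent for `credit_assessment` does not carry over to `marketing`, and consent to share with one recipient does not cover another. The `legal_basis` path models the "required by law" exception only; it still writes an audit entry, so a reviewer can later see which transfers relied on a statute rather than on consent.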

5. Responsibility and Care in Handling Data

Regulated Entities must carry out due diligence on the Lending Service Providers they engage, with particular attention to how those providers handle data security and privacy; this is how an RE satisfies itself that the provider is reliable and compliant (Para 5.ii). Engaging an LSP does not transfer responsibility: the RE remains fully liable for everything the LSP does or fails to do, so a privacy violation by an LSP is treated as a violation by the RE (Para 5.vii).

6. Borrowers’ Rights and Complaint Process

Borrowers are entitled to know whom to contact with concerns or complaints about their loan or about how their data is handled. REs and LSPs must publish the contact details of their grievance officers, and borrowers can also escalate to the RBI’s Complaint Management System (Para 11). Borrowers may also exit a digital loan during a “cooling-off” period without penalty by repaying the principal together with proportionate interest for the period the funds were held (Para 10), which gives them an effective way to reverse both the financial decision and the associated data processing.

Correlation with Digital Personal Data Protection Act (DPDPA), 2023

RBI Digital Lending Directions (2025) | DPDPA, 2023 provision | Note on correlation
Prior, explicit, auditable consent for collection and sharing (Paras 12.i, 12.ii, 12.iv) | Section 6(1): consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action; Section 6(10): the burden of proving that notice was given and consent obtained rests on the Data Fiduciary | Both require an affirmative, purpose-specific consent before processing; the RBI’s audit-trail requirement is what lets a lender discharge the burden of proof under Section 6(10).
Need-based collection and minimal retention (Paras 12.i, 13.i) | Section 6(1): consent extends only to the personal data necessary for the specified purpose; Section 8(7): erase personal data once consent is withdrawn or the purpose is no longer served | RBI’s minimal-collection and minimal-storage rules match DPDPA’s purpose limitation and erasure duties.
Borrower rights: withdraw consent, restrict use, request deletion (Para 12.ii) | Section 6(4): consent can be withdrawn with ease comparable to giving it; Section 11: right to access information about one’s personal data; Section 12: right to correction and erasure | RBI requires the concrete mechanisms through which borrowers exercise these DPDPA rights.
Data localisation: storage only in India; processing abroad allowed only with deletion and return within 24 hours (Para 13.iv) | Section 16: the Central Government may restrict transfer of personal data to notified countries | DPDPA itself does not mandate localisation; the RBI rule is a stricter, sector-specific obligation layered on top of DPDPA’s transfer regime.
No collection or storage of biometric data unless another law permits it (Para 13.iii) | DPDPA, 2023 has no separate “sensitive personal data” category; biometric data falls under the general consent and purpose-limitation rules | On this point the RBI prohibition is stricter than the DPDPA.
Transparency: published privacy policy, disclosure of third parties, signed loan documents delivered to the borrower (Paras 8, 14) | Section 5: notice describing the personal data, the purpose, and how to exercise rights and complain; Section 8(9): publish contact details of the person who answers data-protection queries | RBI’s public privacy policy and document-delivery rules implement DPDPA’s notice duty in the lending context.
Accountability and due diligence on LSPs (Paras 5.ii, 5.vii) | Section 8(1): the Data Fiduciary is responsible for compliance regardless of any agreement to the contrary; Section 8(2): a Data Processor may be engaged only under a valid contract and the Fiduciary remains responsible for its processing | RE as Data Fiduciary, LSP as Data Processor: liability stays with the RE under both regimes.
Technology and cybersecurity standards (Para 15) | Section 8(5): reasonable security safeguards to prevent a personal data breach; Section 8(6): breach intimation to the Data Protection Board and to affected Data Principals | RBI’s technical standards are the sector-specific form of DPDPA’s “reasonable security safeguards”.
Grievance redressal officers and complaint channels (Para 11) | Section 8(10): an effective grievance-redressal mechanism; Section 13: right of grievance redressal, to be exhausted before approaching the Data Protection Board | RBI’s nodal grievance officers and the link to the RBI CMS form the first tier that DPDPA expects a borrower to use before escalating to the Board.

What Does This Mean for Borrowers and Lenders?

  • Borrowers retain control over their personal data with the ability to grant, restrict, or revoke consent at any stage.
  • Data collection is limited to what is necessary for the loan, preventing blanket harvesting of device data and secondary misuse.
  • Storage within India keeps sensitive borrower data under Indian jurisdiction and limits exposure to processing the borrower cannot see or challenge.
  • Regulated Entities bear full responsibility for the conduct of outsourced Lending Service Providers, ensuring accountability throughout the lending chain.
  • Transparency and grievance redressal mechanisms empower borrowers with clarity on data use and recourse options for violations.
  • RBI’s mandates closely track DPDPA’s foundational principles, reinforcing a robust, borrower-centric data protection regime.

The RBI’s Digital Lending Directions, 2025 and the Digital Personal Data Protection Act, 2023 collectively establish a strong framework that enshrines borrower consent, privacy, data security, and transparency at the core of digital lending. This alignment not only boosts borrower confidence in digital credit but also imposes clear, enforceable responsibilities on lenders and service providers, ensuring India’s digital finance ecosystem remains secure, fair, and compliant.
