Borrower Privacy in Digital Lending: RBI’s 2025 Directions and Judicial Scrutiny

By – Devank Maheshwari and Astha Sehgal

Table of Contents

INTRODUCTION

Access to financial credit in India, has traditionally been associated with physical branches, paperwork and time-consuming verification processes. However, over time, the mechanics of lending have begun to change in ways. Against this backdrop, digital lending has now quietly altered the manner in which credit is accessed. What once required multiple visits to a bank branch and prolonged documentation can now be completed on a mobile phone within minutes. The increasing use of digital interfaces in lending has altered how borrowers engage with credit. Digital platforms, mobile applications and interfaces of banks and Non-Banking Financial Company (“NBFCs”) has enabled faster credit disbursal to borrowers, frequently in the absence of direct human oversight. 

This digital lending reform in India has witnessed significant expansion in recent years, enhancing ease of access to credit. However, this growth has simultaneously raised serious regulatory concerns relating to transparency, borrower consent, data usage, recovery practices, and accountability.

UNDERSTANDING DIGITAL LENDING AND THE APPLICABLE LEGAL FRAMEWORK

Concept of digital lending:

Digital lending is the process of providing credit through online platforms, bypassing traditional intermediaries like banks.  It requires use of technology to facilitate the entire lending process, full circle i.e. from customer onboarding to credit assessment, disbursal and recovery, through digital means. Unlike conventional lending models that rely heavily on physical documentation and in-person interactions, digital lending operates through digitised applications, automated approvals and remote disbursals. The borrowers are typically onboarded through mobile applications or websites, identity verification is conducted electronically, and loan amounts are disbursed directly to bank accounts with minimal manual intervention. While this shift has made credit more readily available and less cumbersome, it has also reduced the visibility of the lending process and the roles played by different actors within it. 

The rapid expansion of digital lending has also brought to light several regulatory and consumer protection concerns. Questions surrounding transparency, data usage and the role of intermediaries have necessitated closer regulatory scrutiny. Accordingly, the Reserve Bank of India (“RBI”) has undertaken the task of regulating digital lending through detailed guidelines and statutory directions applicable to digital lending applications and platforms.

RBI and Regulatory Framework:

The Government of India, in coordination with the RBI has been actively engaged in curbing the operations of unauthorized digital loan applications in the country. Several measures have been undertaken in this regard, including the following:

1. For public information, RBI has operationalized a directory ‘Digital Lending Apps (“DLAs”)’ on its website with effect from 01.07.2025, consisting of all DLAs deployed by Regulated Entities (“REs”) of RBI. The directory aims to aid the customers in verifying the claim of DLA’s association with a regulated entity.

2. In the case of unauthorized digital loan apps being identified, Ministry of Electronics and Information Technology (MeitY) is empowered to issue directions for blocking of information for public access under Section 69A of Information Technology Act, 2000 after following the due process as provided in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

3. Further, the Government and RBI have been taking up various initiatives from time to time to protect citizens from exploitation by unauthorized loan apps. This inter-alia includes the issuance of Reserve Bank of India (Digital Lending) Directions, 2025 on 08.05.2025 / RBI Digital Lending Guidelines (“2025 Directions”). 

The 2025 Directions on Digital Lending

1. Scope, Rationale and Definitions:

The 2025 Directions were introduced with the objective of consolidating the multiple circulars and guidelines previously issued by the RBI in relation to digital lending by REs. Specifically, the 2025 Directions consolidate and repeal the following:

• Guidelines on Digital Lending dated 02.09.2022 (“2022 Guidelines”)
• Guidelines on Default Loss Guarantee (“DLG”) in Digital Lending dated 08.06.2023 ; and
• Loans Sourced by Banks and NBFCs over Digital Lending Platforms: Adherence to Fair Practices Code and Outsourcing Guidelines dated 24.06.2020

The primary concerns sought to be addressed under the 2025 Directions relate to the unregulated engagement of third parties, instances of mis-selling, breach of data privacy, unfair business practices, charging of exorbitant interest rates, and unethical recovery mechanisms adopted in the digital lending ecosystem. These concerns predominantly arise in lending activities facilitated through mobile or web-based platforms operated by banks and non-banking financial companies.

Accordingly, to fully appreciate the regulatory framework under the 2025 Directions, it becomes necessary to examine the meaning and scope assigned to certain key terms under the said directions, including the definitions of ‘Digital Lending’ and ‘DLAs’, as below:

(i)  Digital Lending: Refers to a remote and automated lending process, largely by use of seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.

(ii) DLAs: These refer to mobile and/or web-based applications, on a standalone basis or as a part of suite of functions of an application with user interface that facilitate digital lending services. DLAs shall include applications of the RE as well as those operated by Lending Service Provider (“LSP”) engaged by RE for extending any credit facilitation services in conformity with extant outsourcing guidelines issued by the RBI.

As per the 2025 Directions, REs are required to a) obtain all necessary information relating to the economic profile of the borrower for the purpose of assessing creditworthiness prior to the extension of any loan. b) Such borrower profiles are required to be maintained on record mandatorily, inter alia, for audit and supervisory purposes; c) Further, the REs must ensure that no increase in the credit limit is affected unless the borrower has first received complete information regarding such enhancement, has had the opportunity to evaluate the same, and has provided an explicit and recorded request or consent for the increase.

2. Disclosures to borrowers / Data Protection and Consumer Privacy

The protection of borrower data occupies a central place in the 2025 Directions, reflecting the increasing reliance on personal and behavioral data in credit assessment. 

Under these directions / guidelines, REs are required to obtain explicit and informed consent before collecting data, restrict access to only what is necessary, and use the data solely for the purposes disclosed to the borrower. While the prior 2022 Guidelines provided for basic data privacy obligations, the 2025 Directions significantly strengthen these requirements, aligning them with the Digital Personal Data Protection Act 2023 (“DPDP Act”).  The 2025 Directions adopt a phased implementation approach, with most provisions taking immediate effect, addressing emerging risks while providing a clearer and more structured regulatory framework for digital lending.

A central aspect of the 2025 Directions is ensuring borrower protection and transparency. Under Clause 8, specific disclosures are to be made to borrowers, including:

• Provision of a Key Fact Statement (KFS) detailing interest rates, fees, and penal charges.
• Delivery of digitally signed documents such as the KFS, loan product summaries, sanction letters, terms and conditions, account statements, and privacy policies related to the storage and use of borrower data.
• Automatic transmission of these documents to the borrower via registered and verified SMS/email upon execution of the loan contract or transaction.

3. In addition to disclosures, the 2025 Directions also emphasize the storage and protection of borrower data, detailed under Chapter IV – Technology and Data Requirements – covering “Responsibility regarding data privacy and security of the customer’s personal information on an ongoing basis shall be that of the RE. Key obligations for REs include:

• Data collection by DLA of REs and DLA of their LSPs be need-based, with the explicit consent of the borrower at every stage. 
• Borrowers’ information can be shared with third parties only with their explicit consent. Sensitive personal data collected by LSPs should not be stored unnecessarily, except for minimal, essential information required for the loan process.
• Any phone data of the borrower, such as media and files, contact list, call logs, etc., must not be accessed. 
• The REs is also responsible for ensuring that all the LSPs they engage have a comprehensive privacy policy, including details of third parties that may be allowed to collect personal information through the DLAs. 
• All the data collected must only be stored in servers located within India. If any data is processed outside India, it must be deleted from foreign servers and transferred back to India within 24 hours of processing. 
• Lastly, the REs have the responsibility to ensure the data security and privacy of the personal information of the customer.

4. Technology Standards

Additionally, Clause 15 under Chapter IV mandates compliance with technology standards. REs must ensure that both they and the LSPs they engage adhere to cybersecurity and technology requirements stipulated by the RBI and other relevant authorities, or as may be updated from time to time, to ensure secure and reliable digital lending operations.

EMERGING CHALLENGES AND JUDICIAL OVERSIGHT 

However, despite the law makers’ focus on protecting customer and borrower data through stringent legal frameworks, data privacy breaches remain a growing concern. Incidents such as promotional and unsolicited bank calls, KYC frauds, digital harassment, and fake online investment scams highlight how malicious actors often gain access to highly detailed personal information about their targets even before making the first contact banks themselves.

This growing threat to personal data has already triggered ongoing litigation in the country, including a recent Public Interest Litigation before the Hon’ble Delhi High Court, namely Himakshi Bhargav v. Union of India & Ors., W.P.(C) 118/2026. The petition raises concerns regarding the violation of borrowers’ fundamental right to privacy and data protection by NBFC-backed DLAs operating in India in breach of the RBI’s 2025 Directions / guidelines. A critical issue highlighted in the said petition is that despite the issuance of binding Reserve Bank of India Digital Lending Guidelines dated 08.05.2025, the Impugned Applications continue to access prohibited mobile phone resources such as contact lists and call logs, collect excessive personal and device-level data, and deploy coercive consent mechanisms.

The RBI’s 2025 Directions expressly prohibit DLAs from accessing mobile phone resources such as contact lists, call logs, and telephony functions. They allow only limited, one-time access to the camera, microphone, or location strictly for onboarding and KYC purposes, and always subject to the borrower’s explicit consent.

The Hon’ble Court – Bench of Hon’ble Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia noted that the RBI had issued statutory guidelines governing digital lending activities in India, which lay down measures to control data proliferation and include a mechanism for grievance redressal. The Bench has directed the RBI to file a response clarifying the steps taken to enforce the 2025 Directions. The relevant extracts from the order dated 07.01.2026 are reiterated below:

“3.This public interest litigation petition raises a serious concern regarding violation of right of protection of data of the borrowers through Digital Lending Applications (DLAs). The Reserve Bank of India, in exercise of its power conferred on it under Sections 21, 35A and 56 of the Banking Regulation Act, 1949 and Sections 45-JA, 45L, 45M of the Reserve Bank of India Act, 1934 and also under Sections 30A and 32 of National Housing Bank Act, 1987 and under various other provisions has issued statutory guidelines titled “Reserve Bank of India (Digital Lending) Directions, 2025” (“Guidelines”). The said guidelines are applicable to all digital lending activities of Commercial Banks, Primary Urban Cooperative Banks, State Cooperative Banks, Central Cooperative Banks, All Non Banking Financial Companies and All India Financial Institutions. 

4. The Guidelines are regulatory in nature and provides for certain measures for checking the proliferation of data of the borrowers. It also provides for mechanism for grievance redressal. 

5. We, thus, require the Reserve Bank of India to file a counter-affidavit not only in respect of the averments made in the writ petition, but also bringing on record the action taken for enforcement of the Guidelines.

These ongoing issues underscore that, despite regulatory frameworks and guidelines, implementation and enforcement remain critical challenges in protecting borrower data and ensuring digital safety.

CONCLUSION:

The rapid growth of digital lending in India has undeniably transformed the credit landscape, providing borrowers with unprecedented convenience and speed. At the same time, this evolution has brought to the fore critical challenges related to data privacy, consumer protection, and regulatory compliance. The RBI’s 2025 Directions reflected a significant step toward addressing these challenges, laying down comprehensive requirements for disclosures, informed consent, data storage, and cybersecurity standards, however, as evidenced by ongoing litigations, compliance remains a critical concern. Despite clear statutory guidelines, the continuous access to an individual’s prohibited phone data, personal information, and deploying coercive consent mechanisms, highlights gaps in enforcement and oversight. These developments underscore that data privacy is not merely a regulatory requirement but a fundamental right, and its protection depends not only on laws but also on effective monitoring, institutional accountability, and borrower awareness.

Furthermore, while technological safeguards and stringent regulatory standards exist on paper, the real-world application of these standards is often inconsistent. This raises broader questions about the adequacy of existing frameworks, the role of fintech and NBFCs in ethical data handling, and the need for continuous adaptation of laws and guidelines to keep pace with innovation and evolving risks.

Ultimately, while the RBI’s Directions and ongoing judicial scrutiny represent progress toward securing borrowers’ data and privacy, the future of digital lending will depend on the delicate balance between innovation, convenience, and protection of fundamental rights. How these issues are navigated, with a careful balance that ensures both the growth of the digital economy and the trust of citizens, remains a critical question for regulators, lenders, and borrowers at large.

FAQs

References –

1. https://www.pib.gov.in/PressReleasePage.aspx?PRID=2200567&reg=3&lang=2
2. https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=60403
3. https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12382&Mode=0
4. https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12514&Mode=0
5. https://rbi.org.in/Scripts/NotificationUser.aspx?Id=11920&Mode=0
6. Clause 4(iii) of 2025 Directions
7. Clause 4(iv) of 2025 Directions
8. Direction 8 of 20205 Directions
9. Chapter IV of 2025 Directions
10. Direction 15 , Chapter IV of 2025 Directions
11. https://delhihighcourt.nic.in/app/showlogo/1767863785_01a30ed0cb7103ce_683_1182026.pdf/2026

More from Neeti Niyaman Team –