
RBI Digital Lending Guidelines: 10 Mistakes Lenders Are Still Making in 2025

RBI issued its digital lending guidelines in August 2022. Years later, industry experience shows that many lenders are still making the same avoidable mistakes. RBI inspection findings consistently reflect these gaps. Here are 10 non-compliance patterns we see repeatedly — and what to do about them.

Infosek Team

5 May, 2025

Mistake 1: No Direct Disbursement to Borrower's Bank Account

What the regulation says: RBI mandates that all loan disbursements and repayments must flow directly between the RE (NBFC/bank) and the borrower's bank account. Routing funds through the LSP's account or a pool account is prohibited.

What the violation looks like: Disbursements credited to the LSP's escrow or collection account before reaching the borrower; repayments collected by the LSP and remitted to the NBFC.

How to fix it: Implement direct fund flow architecture. All payments must be traceable end-to-end from the RE's account to the borrower's bank account (and vice versa for repayments). Update the NBFC-LSP agreement to reflect this structure.
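A ledger-level check for the direct-flow rule, as an added example that is not part of the original article or any RBI tooling: it assumes a constructed ledger extract in chronological order, one RE account label and a `BORR-` prefix for borrower accounts, and it flags every disbursement or repayment leg that passes through any other account.

```python
"""Fund-flow traceability audit: added example, not Infosek's or RBI's code.
Reconstructs the account chain of each loan's disbursement and repayment legs
from a ledger extract and flags any hop through an LSP escrow, collection or
pool account. Account labels and the ledger are constructed sample data."""

RE_ACCOUNTS = {"RE-NBFC-001"}  # assumption: the regulated entity's own bank accounts

def is_re(acct): return acct in RE_ACCOUNTS
def is_borrower(acct): return acct.startswith("BORR-")  # assumption: borrower account prefix

# constructed ledger extract: (loan_id, txn_id, from_acct, to_acct, amount, kind), chronological
LEDGER = [
    ("L1", "t1", "RE-NBFC-001", "BORR-ABC", 50000, "disbursement"),
    ("L2", "t2", "RE-NBFC-001", "LSP-POOL-7", 30000, "disbursement"),
    ("L2", "t3", "LSP-POOL-7", "BORR-XYZ", 30000, "disbursement"),
    ("L1", "t4", "BORR-ABC", "RE-NBFC-001", 5000, "repayment"),
    ("L2", "t5", "BORR-XYZ", "LSP-COLL-2", 3000, "repayment"),
    ("L2", "t6", "LSP-COLL-2", "RE-NBFC-001", 3000, "repayment"),
]

def flow_path(entries, loan_id, kind):
    """Chain of accounts the money passed through for one loan and leg type."""
    legs = [(s, d) for l, _, s, d, _, k in entries if l == loan_id and k == kind]
    if not legs:
        return []
    path = [legs[0][0]]
    for src, dst in legs:
        if src != path[-1]:  # leg does not continue from where the previous one ended
            path.append("?" + src)
        path.append(dst)
    return path

def audit_direct_flow(entries):
    """{loan_id: [finding, ...]}; an empty list means RE <-> borrower with no intermediary."""
    rules = (("disbursement", is_re, is_borrower), ("repayment", is_borrower, is_re))
    findings = {}
    for loan in sorted({e[0] for e in entries}):
        notes = []
        for kind, start_ok, end_ok in rules:
            path = flow_path(entries, loan, kind)
            if not path:
                continue
            if len(path) > 2:  # any intermediate account is a direct-flow finding
                notes.append(f"{kind} routed via {', '.join(path[1:-1])}")
            if not (start_ok(path[0]) and end_ok(path[-1])):
                notes.append(f"{kind} endpoints are not RE <-> borrower: {path[0]} -> {path[-1]}")
        findings[loan] = notes
    return findings
```

Run it over a real ledger export and every loan with a non-empty finding list is a candidate inspection finding against the RE.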

Mistake 2: No KFS Provided at Loan Sanction

What the regulation says: A Key Fact Statement (KFS) must be provided to the borrower before execution of the loan contract. The KFS must include: loan amount, tenure, interest rate (expressed as Annual Percentage Rate/APR), all fees and charges, and grievance redressal contact.

What the violation looks like: KFS not issued at all; KFS issued but missing APR; KFS issued after the loan agreement is signed; fees that appear after sanction that were not disclosed in the KFS.

How to fix it: Build KFS generation into your loan origination system as a mandatory step before the borrower e-signs the loan agreement. The KFS format must follow RBI's specified template.

Mistake 3: Missing Cooling-Off Period Disclosure

What the regulation says: Borrowers must be given a cooling-off / look-up period during which they can exit the loan without penalty. The KFS must disclose this period and the process for exercising the option.

How to fix it: Include the cooling-off period (typically 3 days for loans with tenure of 7 days or more) in the KFS and ensure your system can process early exits cleanly during this window.
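A pre-sign gate covering Mistakes 2 and 3, as an added example that is not Infosek's or RBI's code: it assumes a simple amortising EMI loan, an IRR-based APR annualised by twelve, 30-day months, and the 3-day / 7-day cooling-off rule of thumb stated above; the RE's own APR method and template fields should be substituted.

```python
"""KFS pre-sign gate: added example, not Infosek's or RBI's code. Blocks the
e-sign step unless the KFS carries every required disclosure, an APR that
reflects all fees, and the cooling-off window. APR here is the IRR of the
fee-inclusive cashflows, annualised x12 (an assumption, not RBI's formula)."""

REQUIRED = ("loan_amount", "tenure_days", "interest_rate_pa", "fees",
            "apr", "grievance_contact", "cooling_off_days")

def emi(principal, monthly_rate, months):
    """Level monthly instalment for an amortising loan."""
    if monthly_rate == 0:
        return principal / months
    f = (1 + monthly_rate) ** months
    return principal * monthly_rate * f / (f - 1)

def apr_percent(principal, fees, monthly_rate, months):
    """Monthly IRR of (net disbursed, instalments) by bisection, as a percentage p.a."""
    net = principal - fees  # the borrower actually receives principal minus fees
    pay = emi(principal, monthly_rate, months)
    pv = lambda r: sum(pay / (1 + r) ** k for k in range(1, months + 1)) - net
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if pv(mid) > 0:  # instalments still worth more than net: rate is higher
            lo = mid
        else:
            hi = mid
    return round(12 * (lo + hi) / 2 * 100, 2)

def build_kfs(principal, fees, rate_pa, months, contact, cooling_off_days):
    """Assemble the KFS record the LOS must produce before e-sign (30-day months assumed)."""
    return {"loan_amount": principal, "tenure_days": months * 30, "interest_rate_pa": rate_pa,
            "fees": fees, "apr": apr_percent(principal, fees, rate_pa / 1200, months),
            "grievance_contact": contact, "cooling_off_days": cooling_off_days}

def gate_esign(kfs):
    """Findings that must be empty before the borrower may e-sign."""
    notes = [f"missing disclosure: {k}" for k in REQUIRED if kfs.get(k) is None]
    if notes:
        return notes
    if kfs["fees"] > 0 and kfs["apr"] <= kfs["interest_rate_pa"]:
        notes.append("APR does not reflect fees")
    # article's rule of thumb: loans of 7 days or more get at least 3 days of cooling-off
    if kfs["tenure_days"] >= 7 and kfs["cooling_off_days"] < 3:
        notes.append("cooling-off period below 3 days")
    return notes
```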

Mistake 4: Data Stored by LSP Beyond Permitted Scope

What the regulation says: LSPs can only store borrower data to the extent necessary for the loan origination process. Sensitive data (bank statements, income data, repayment history) must not be stored beyond the loan servicing period without explicit consent. Data must be stored in India.

How to fix it: Audit what borrower data your LSP collects, retains, and where it is stored. Update data processing agreements to define permissible data use and retention periods. Ensure data is purged post-loan servicing unless explicit consent for retention exists.

Mistake 5: No Grievance Redressal Officer for Digital Lending

What the regulation says: Both the RE and the LSP must have a designated Nodal Grievance Redressal Officer whose contact details are disclosed to borrowers. Complaints must be resolved within 30 days.

How to fix it: Appoint a designated officer, publish their contact details prominently in the app and KFS, and establish a complaint tracking mechanism with defined escalation timelines.

Mistake 6: IT Security Not Updated for Digital Channel Risks

What the regulation says: The RE's IT and cybersecurity framework must cover all digital lending systems — including mobile apps, web portals, APIs, and LSP integrations. VAPT must cover the digital lending stack, not just core banking.

How to fix it: Extend your VAPT scope to include all digital lending touchpoints. Ensure your IT framework (per the RBI IT Framework for NBFCs) explicitly covers digital channel risks. Review app-level security separately from network security.

Mistake 7: Inadequate LSP Due Diligence

What the regulation says: The RE is responsible for the actions of its LSPs. Prior to engaging an LSP, the RE must conduct due diligence on the LSP's compliance posture, data security, and operational capability. This is not a one-time exercise — annual reassessment is expected.

How to fix it: Build a formal LSP due diligence checklist covering: RBI compliance (KFS, direct flow), cybersecurity controls, data handling practices, grievance redressal capability, and financial stability. Document reviews annually.

Mistake 8: Missing Annual IS Audit for Digital Lending Systems

What the regulation says: IS audits must cover digital lending infrastructure. Many NBFCs conduct IS audits but define the scope only for their core banking system (CBS), excluding the digital lending platform and LSP integrations.

How to fix it: Expand IS audit scope to explicitly include the digital lending platform, mobile app, API gateways, and data flows to/from LSPs.

Mistake 9: No Board-Approved Digital Lending Policy

What the regulation says: The NBFC's digital lending activities must be governed by a board-approved policy that covers: eligible borrower segments, eligible LSPs, risk management, data governance, and compliance framework.

How to fix it: Develop a formal Digital Lending Policy and get it board-approved. The policy should be reviewed at least annually and after any significant change in digital lending partnerships or products.

Mistake 10: ALM / Fair Practices Code Not Extended to Digital Lending

What the regulation says: Fair Practices Code obligations apply to all lending, including digital lending. Interest rates must be fair, non-discriminatory, and disclosed transparently. Pre-payment penalties must be reasonable and disclosed. Loan covenants must be fair.

How to fix it: Review your Fair Practices Code to confirm it explicitly covers digital lending products and channels. Update the NBFC-LSP agreement to impose equivalent obligations on the LSP in borrower-facing interactions.

RBI inspections increasingly focus on the end-to-end digital lending value chain — not just the NBFC's systems, but the LSP's processes, the data flows, and the borrower experience. A compliance gap anywhere in the chain is a finding against the RE.


For context on DLG-specific compliance under digital lending arrangements, see our guide on RBI DLG Rules Explained. For the broader IT framework requirements, see our RBI IT Framework for NBFCs guide.

Worried about your digital lending compliance posture?

Our team conducts a comprehensive digital lending compliance review covering all 10 areas above — and delivers a remediation plan before your next RBI inspection.
