RBI Digital Lending Directions: what licensed loan apps can and cannot do

Borrowing through an app can feel quick and convenient — a few taps and the money arrives. But when something goes wrong, many borrowers discover they do not really know who lent them the money, what they agreed to, or what the app is allowed to do with their phone. If that is where you find yourself, please take a breath. The Reserve Bank of India has issued firm rules for digital lending, and they exist to protect you. Knowing what a licensed app can and cannot do puts the ground back under your feet.

This article explains the RBI Digital Lending Directions in plain language: how legitimate app-based lending is supposed to work, the limits on what an app can do, and the calm steps to take when those limits are crossed. The aim is not to help anyone avoid a genuine debt, but to make sure your borrowing — and any recovery — stays within the law.

Why these rules exist

For a few years, app-based lending grew faster than the rules around it. Some apps operated in grey areas: hiding who the actual lender was, harvesting borrowers' contacts and photos, charging undisclosed fees, and using shame and threats to recover. The RBI's Digital Lending Directions were issued to bring this activity firmly within the regulated system and to protect borrowers from exactly these abuses.

The core principle is simple: digital lending is still lending, and a regulated entity — a bank or NBFC supervised by the RBI — must stand behind it. An app is just a channel. The lender cannot use the app as a curtain to hide behind, and it remains responsible for everything done in its name.

What a licensed loan app CAN do

A compliant digital lender, working through an app, is permitted to:

• Lend through a regulated entity. The actual lender must be an RBI-regulated bank or NBFC, and its identity should be disclosed to you clearly.
• Charge interest and lawful fees — provided every cost is disclosed upfront and reflected in your Key Fact Statement.
• Disburse and collect directly between the lender and you. Money should move directly between the regulated lender's account and your bank account, not through the app's own pool account or a third-party wallet that obscures the flow.
• Follow up on repayment within the law — contacting you (the borrower) respectfully, within permitted hours.
• Collect data it genuinely needs for the loan, with your specific, informed consent.

These are the marks of legitimate lending. None of them involve secrecy, pressure, or grabbing your personal data.

What a licensed loan app CANNOT do

This is the part that matters most when things go wrong. Under the Digital Lending Directions, an app and the lender behind it cannot:

• Hide the identity of the actual lender. You are entitled to know which RBI-regulated entity holds your loan.
• Access your full contacts, photo gallery, or files. Blanket harvesting of your phonebook or media is not permitted. An app should only seek data necessary for the loan, with consent.
• Skip the Key Fact Statement. Every borrower must receive a standardised Key Fact Statement (KFS) setting out the loan amount, tenure, all charges, and the Annual Percentage Rate (APR) — the true, all-in cost of borrowing.
• Add hidden or automatic charges that were never disclosed, or change the cost after you have signed.
• Route money through opaque channels so you cannot tell who paid you or whom you are repaying.
• Harass you in recovery. Calls outside 8 AM to 7 PM, persistent or abusive contact, calling your family or contacts to shame you, threats, or public posting are all prohibited. The lender owns the conduct of every agent and tele-caller it engages.

If you have experienced any of these, you are not imagining a problem. These are recognised breaches with clear remedies.

Your data rights under the Directions and the DPDP Act

The Digital Lending Directions place real limits on data collection: an app should not access data unrelated to the loan, should obtain consent, and should give you control — including the ability to revoke consent and seek deletion of data. These rules sit alongside the Digital Personal Data Protection Act, 2023 (DPDP Act), which governs how organisations handle your personal data and gives you rights over it. If an app has copied your contacts and is using them to pressure you, that is a misuse that engages both frameworks. Our guide on how loan apps misuse your data goes deeper into your options.

How to tell a compliant app from a risky one

Without naming any company, here are generic red flags worth checking before you borrow — or as you assess a loan you already have:

• The app does not clearly name the RBI-regulated lender behind it.
• You were never given a Key Fact Statement or a written agreement.
• The app demanded access to your contacts, photos or location that had nothing to do with the loan.
• Money was disbursed from or repaid to an unclear account or wallet.
• The disbursed amount was less than promised because of large upfront deductions never disclosed.
• There is no grievance officer or working complaints channel.

Any one of these deserves caution. You can cross-check whether a lender is genuinely RBI-registered before you respond to anything using our lender check tool. This single step protects you from both non-compliant operators and outright impersonators.

Quietly build your record

If an app or its recovery agents have broken these rules, gather calm evidence.

• Save your loan agreement and Key Fact Statement, or note that you never received them.
• Keep screenshots of the app's permission requests, the disbursal, and any messages, with timestamps.
• Log every call: date, time, number and what was said.
• Note any contact made with your family, employer or phone contacts.

A secure, private place to keep this matters when you are stressed. You can store your documents, screenshots and logs safely using the document locker, so everything is ready if you need to complain.

How to act — step by step

You have a clear, free, escalating path.

1. Write to the lender's grievance officer first. Send a short written complaint (email is fine) describing the breach — undisclosed charges, data misuse, recovery harassment, or a hidden lender — and quote the Digital Lending Directions. Ask for it to stop and for written confirmation. Keep a copy.

2. Verify the lender. Confirm the actual lender is RBI-registered using our lender check tool.

3. Escalate to the RBI Ombudsman. If the lender does not resolve your complaint within 30 days, or rejects it, approach the RBI Ombudsman under the Reserve Bank – Integrated Ombudsman Scheme (RB-IOS), online at cms.rbi.org.in. There is no fee.

4. Use the Sachet portal. RBI's Sachet portal (sachet.rbi.org.in) lets you report unfair, unauthorised or coercive digital-lending practices to the regulator.

5. For data misuse, threats or cyber-harassment. Report to the police, and for online or app-based harassment use the cybercrime helpline 1930 and cybercrime.gov.in.

If you cannot afford a lawyer

You do not need to hire anyone to use these remedies — they are designed for borrowers to access directly, free of cost. If your situation is more serious and you need legal help but cannot afford it, India's free legal aid system exists for exactly this. Under the Legal Services Authorities framework, NALSA, the State Legal Services Authorities (SLSA) and District Legal Services Authorities (DLSA) provide free legal assistance to eligible people, and Lok Adalats can help settle disputes amicably. Learn how to approach them through our free legal aid guide.

A calm closing thought

The Digital Lending Directions exist because the RBI decided that convenience must never come at the cost of your dignity, your data, or your right to clear information. A licensed app can lend to you and follow up fairly — but it cannot hide who it is, grab your phonebook, hide the cost, or harass you into paying. When you understand where the lines are, an app that crosses them loses its power to intimidate you. Document calmly, complain in writing, and let the rules do their work.

For more borrower-rights explainers, our blog has further guides on checking a lender's registration, your data rights and recovery harassment.

This is general information, not legal advice. Rules and procedures can change, and your situation may have specific facts that matter. For advice on your own case, consider free legal aid through NALSA/DLSA or a qualified professional.