
RBI Digital Lending (DLA/LSP) Audit

Technical and privacy due-diligence audit of digital lending apps and service providers.

Introduction: RBI Digital Lending (DLA/LSP) Audit

The Reserve Bank of India's Digital Lending framework has fundamentally reshaped how credit is originated, disbursed, serviced and collected through mobile applications, web platforms and third-party technology intermediaries in India. What began as the report of the Working Group on Digital Lending (WGDL), constituted in January 2021 and published in November 2021, crystallised into the RBI's 'Guidelines on Digital Lending' issued vide circular DOR.CRE.REC.66/21.07.001/2022-23 dated 2 September 2022, followed by the FAQs of 14 February 2023, the 'Digital Lending - Transparency in Aggregation of Loan Products from Multiple Lenders' directions of 15 November 2023, and consolidated into the 'Reserve Bank of India (Digital Lending) Directions, 2025' dated 8 May 2025 (RBI/DOR/2025-26/136).

This guide provides an auditor-grade, controls-based methodology for assessing a Regulated Entity (RE), its Digital Lending Apps/Platforms (DLAs) and its Lending Service Providers (LSPs) against the letter and spirit of the RBI Digital Lending framework. It is written for two audiences simultaneously: the independent assessor who must gather objective evidence and form a defensible opinion, and the implementer (compliance, technology, product and legal teams) who must build, remediate and operate controls. Every requirement is decomposed into 'what to verify' and 'typical evidence', mapped to source circular clauses, and framed so that a Key Fact Statement (KFS) or a data-storage control can be tested end to end.

Scope note: the RBI Digital Lending Directions apply to all commercial banks (including Small Finance Banks, Regional Rural Banks and Local Area Banks), Primary (Urban) Co-operative Banks, State and Central Co-operative Banks, and all Non-Banking Financial Companies (including Housing Finance Companies). They deliberately extend obligations to LSPs and DLAs engaged by these REs, because the regulatory perimeter is drawn around the credit relationship, not merely the technology vendor. Digital lending is defined as a remote and automated lending process, largely by use of seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery and associated customer service.

Copyright and source note
The RBI (Digital Lending) Directions, 2025, the WGDL Report, associated FAQs and Master Directions are the copyrighted intellectual property of the Reserve Bank of India, published on rbi.org.in. This guide is original CyberSigma commentary and an assessment methodology; it paraphrases and interprets regulatory obligations and does not reproduce the verbatim text of any RBI circular. Always read the current, authoritative RBI notification on the RBI website before drawing compliance conclusions, as directions are amended periodically. Clause references are indicative and should be re-validated against the consolidated 2025 Directions and any subsequent amendments.

What is RBI Digital Lending

RBI Digital Lending is a principle-and-directions based regulatory framework governing loans that are sourced, underwritten, disbursed, serviced or recovered through digital channels. It is not a single technical standard like PCI DSS; rather it is a conduct-of-business, consumer-protection, data-governance and outsourcing-risk regime enforced through binding directions. The framework's central architecture rests on three defined actors and a set of non-negotiable customer-protection outcomes.

The three actors are: (1) the Regulated Entity (RE) - the bank or NBFC that holds the credit on its books and remains fully responsible and accountable for compliance; (2) the Lending Service Provider (LSP) - an agent of the RE that carries out one or more of the lender's functions or part thereof in customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery of specific loan or loan portfolio on behalf of REs in conformity with extant outsourcing guidelines; and (3) the Digital Lending App/Platform (DLA) - the mobile or web application of the RE or the LSP through which the digital lending happens, including apps of aggregators.

The framework's defining innovations are: the mandatory flow of all loan disbursals and repayments directly between the borrower's bank account and the RE's bank account (no pass-through or pooling through the LSP/DLA); the Key Fact Statement (KFS) with a computed Annual Percentage Rate (APR) disclosed before contract execution; a cooling-off / look-up period allowing the borrower to exit; explicit, auditable, purpose-limited and revocable data consent; a prohibition on automatic increase in credit limit without explicit consent; disclosure of the LSPs engaged; a nodal grievance redressal officer and escalation to the RB-Integrated Ombudsman Scheme; and comprehensive reporting of digital loans to Credit Information Companies (CICs) regardless of nature or tenor. The 2023 aggregation directions further require DLAs that offer products from multiple lenders to present a digital view of all offers in an unbiased manner without any partisan promotion.

Who must comply

The obligations attach primarily to the Regulated Entity, but flow down contractually and operationally to every LSP and DLA in the credit-delivery chain. The RE cannot outsource accountability; it can only outsource activity. Fintech partners, technology service providers, aggregators, sourcing agents and recovery agents are all captured where they perform lending functions on behalf of an RE.

Entity / actor | Nature of obligation
Commercial Banks (incl. SFBs, RRBs, LABs) | Full applicability as Regulated Entity; owns compliance and accountability for all DLAs/LSPs engaged.
Non-Banking Financial Companies (incl. HFCs) | Full applicability as RE; a large share of app-based lending flows through NBFC-fintech partnerships.
Co-operative Banks (Urban, State, Central) | Applicable as REs; expected to build proportionate governance despite smaller scale.
Lending Service Providers (LSPs) | Must operate strictly within outsourcing directions; disclose identity; route no funds through own accounts; support KFS, consent and grievance obligations.
Digital Lending Apps/Platforms (DLAs) | Must implement consent screens, KFS display, data-minimisation, and (for aggregators) unbiased multi-lender display and loan-product matrix.
Aggregator / marketplace DLAs | Subject to 15 Nov 2023 transparency directions: digital view of all offers, willingness-to-lend disclosure, no partisan promotion.
Recovery / collection agents engaged digitally | Bound by fair-practices, permitted contact hours, grievance and DLG conduct rules through the RE.
Default Loss Guarantee (DLG) providers | Governed by RBI's 8 June 2023 DLG guidelines: cap, form, invocation and disclosure requirements.

Structure of RBI Digital Lending

For assessment purposes the framework is best decomposed into control domains that align with the structure of the 2025 Directions and its predecessor circulars. Each domain groups a family of testable requirements. The table below is the master domain map used throughout this guide; the Master Assessment Checklist that follows expands each domain into individual controls with evidence.

Domain ID | Domain / control family | Core regulatory intent
DL-1 | Governance, Board oversight & applicability | RE accountability, Board-approved policy, technology & risk governance.
DL-2 | LSP & outsourcing due diligence | Enhanced due diligence, contracts, monitoring, no core-decision outsourcing.
DL-3 | Fund flow & disbursal-repayment routing | Direct borrower-to-RE flows; no pooling; fees paid by RE, not borrower.
DL-4 | Key Fact Statement & APR transparency | Standardised KFS, all-in APR, no hidden charges, no post-facto changes.
DL-5 | Cooling-off / look-up period | Right to exit within stipulated period without penalty (proportionate fee only).
DL-6 | Data collection, consent & privacy | Need-based, purpose-limited, revocable consent; audit trail; no biometric harvesting.
DL-7 | Data storage & localisation | Servers in India; no borrower data stored on DLA except minimal; retention limits.
DL-8 | Credit-limit & automatic-increase controls | No automatic credit-limit hike without explicit borrower consent.
DL-9 | Disclosure & transparency to borrower | Website disclosure of DLAs/LSPs, product details, and for aggregators unbiased offers.
DL-10 | Grievance redressal & Nodal Officer | GRO, defined TAT, Ombudsman escalation, complaint MIS.
DL-11 | Credit reporting to CICs | All digital loans reported per CICRA 2005 and RBI CIC directions.
DL-12 | Fair practices, conduct & recovery | Fair Practices Code, permitted contact windows, no harassment, recovery-agent conduct.
DL-13 | Default Loss Guarantee (DLG/FLDG) | Cap (5% of portfolio), permitted forms, invocation timelines, disclosure.
DL-14 | Technology, cybersecurity & app security | IT/IS controls, secure SDLC, app-store integrity, SBOM, VAPT, IT outsourcing MD.
DL-15 | Reporting, monitoring & regulatory returns | CIMS/regulatory reporting, self-declaration, LSP register, periodic reviews.

Master assessment checklist

This is the core of the engagement. Each domain is expanded into individual controls. For every control the assessor confirms 'what to verify' against 'typical evidence'. No control area is omitted. Findings should be rated on the maturity model defined later and cross-referenced to the source circular clause.

DL-1: Governance, Board oversight & applicability

What to verify | Typical evidence
A Board-approved Digital Lending policy exists covering technology, risk, consumer protection and outsourcing. | Board resolution, minutes, versioned policy document, review dates.
The RE has clearly assigned senior-management ownership for digital lending compliance. | Org chart, role mandates, RACI, committee charters (Risk/IT/Customer Service).
A complete inventory of all DLAs and LSPs engaged is maintained and Board-reviewed. | LSP/DLA register with onboarding dates, functions, review status.
Applicability determination is documented (whether an activity is 'digital lending'). | Scoping memo, legal opinion, product-classification note.
Periodic (at least annual) review of the digital lending programme by Board/committee. | Review packs, action-tracker, closure evidence.

DL-2: LSP & outsourcing due diligence

What to verify | Typical evidence
Enhanced due diligence performed before onboarding each LSP (technical, financial, conduct, data-security). | Due-diligence reports, security assessments, financial checks, references.
Written outsourcing agreements exist aligning with RBI outsourcing directions and DL Directions. | Executed contracts, SLAs, data-processing clauses, audit rights, exit clauses.
Core decision-making (credit sanction, pricing) is retained by the RE, not delegated to the LSP. | Underwriting workflow, sanction authority matrix, model-governance evidence.
Ongoing monitoring of LSP performance, conduct and control effectiveness. | Monitoring MIS, periodic LSP reviews, incident logs, audit reports.
LSPs are prohibited from accessing/collecting data beyond what the RE permits. | Data-access matrix, API scopes, DPA schedules.
Right to audit and inspect the LSP (including by RBI) is contractually assured. | Audit-rights clause, evidence of exercised audits.

DL-3: Fund flow & disbursal-repayment routing

What to verify | Typical evidence
All disbursals are made directly to the borrower's bank account from the RE's account. | Disbursal ledger, bank statements, escrow/collection-account architecture diagram.
All repayments flow directly from borrower to RE without LSP/DLA pass-through pooling. | Repayment reconciliation, NACH/UPI mandates, settlement flow diagram.
No funds are pooled or held in the account of any third party (LSP/DLA/aggregator). | Account-mapping evidence, pooling-account exception log (should be nil).
Fees/charges payable to LSPs are borne by the RE and not charged to the borrower. | Fee-settlement invoices, RE-LSP commercial terms, borrower fee schedule.
Permitted exceptions (e.g., statutory/regulatory flows, co-lending) are documented and compliant. | Exception register, co-lending agreement, regulatory basis note.

DL-4: Key Fact Statement & APR transparency

What to verify | Typical evidence
A standardised KFS is provided to the borrower before contract execution in the prescribed format. | Sample KFS documents, template, timestamped delivery logs.
APR is computed on an all-inclusive basis (interest, all fees, charges) and disclosed in the KFS. | APR calculation worksheet, methodology note, sample computations.
No charges not mentioned in the KFS are levied at any stage of the loan. | Charge schedule vs actual-billing reconciliation, complaint analysis.
A computer-generated summary/KFS is sent to the borrower on the RE/LSP letterhead or digital record. | Communication logs (SMS/email/app), audit trail.
Cooling-off penal terms and recovery mechanism are disclosed in the KFS. | KFS clauses, terms & conditions, borrower acknowledgement.
Any change in terms is only prospective and communicated transparently. | Change-communication logs, revised KFS versions.

DL-5: Cooling-off / look-up period

What to verify | Typical evidence
A cooling-off / look-up period is defined and disclosed in the loan contract. | Loan agreement clause, product policy, KFS.
Borrowers can exit within the period by repaying principal and proportionate APR without penalty. | Exit-request logs, refund/settlement evidence, fee calculation.
The period is reasonable and Board-approved (typically 3 days for loans <90 days per practice). | Board-approved product parameters, policy documentation.
The system supports and records look-up-period exits operationally. | System configuration, test cases, sample exit transactions.
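The two controls that most often fail in DL-4 and DL-5 are the all-inclusive APR and the penalty-free look-up exit. The following is an added example (not code from this page, CyberSigma or the RBI) of how an assessor can recompute both from the loan parameters in a KFS. It assumes APR is the annualised internal rate of return of the borrower's net cash flows (net disbursal after upfront fees against every repayment including recurring charges), annualised by multiplying the monthly IRR by 12; the loan parameters are constructed.

```python
"""Recompute all-in APR and the look-up-period exit amount from KFS loan terms.

Assumptions (labelled): APR = monthly IRR of the borrower's net cash flows x 12;
look-up exit = principal plus APR interest pro-rated by days held, no penalty.
The RE's own Board-approved methodology note governs in a real engagement.
"""
from dataclasses import dataclass


@dataclass
class LoanTerms:
    principal: float            # sanctioned amount shown in the KFS
    nominal_rate: float         # contractual annual interest rate, e.g. 0.24
    tenor_months: int
    upfront_fees: float = 0.0   # processing fee, GST, insurance etc. deducted at disbursal
    monthly_charges: float = 0.0  # platform/convenience fee billed with each EMI


def emi(principal: float, annual_rate: float, months: int) -> float:
    """Standard reducing-balance EMI for a monthly-rest loan."""
    r = annual_rate / 12
    if r == 0:
        return principal / months
    return principal * r * (1 + r) ** months / ((1 + r) ** months - 1)


def borrower_cash_flows(t: LoanTerms) -> list:
    """Net cash flows from the borrower's side, one per month.
    Index 0 is what the borrower actually receives (principal less upfront fees);
    indices 1..n are what the borrower pays back (EMI plus any recurring charge)."""
    received = t.principal - t.upfront_fees
    e = emi(t.principal, t.nominal_rate, t.tenor_months)
    return [received] + [-(e + t.monthly_charges)] * t.tenor_months


def irr_monthly(flows: list, lo: float = -0.99, hi: float = 10.0, tol: float = 1e-10) -> float:
    """Monthly IRR by bisection. For a loan profile (one inflow, then only
    outflows) NPV is strictly increasing in the rate, so bisection is safe."""
    def npv(r: float) -> float:
        return sum(cf / (1 + r) ** k for k, cf in enumerate(flows))

    for _ in range(200):
        mid = (lo + hi) / 2
        if npv(mid) > 0:
            hi = mid      # rate too high: discounted outflows already below inflow
        else:
            lo = mid
        if hi - lo < tol:
            break
    return (lo + hi) / 2


def all_in_apr(t: LoanTerms) -> float:
    """All-inclusive APR as the KFS should disclose it (assumption: monthly IRR x 12)."""
    return irr_monthly(borrower_cash_flows(t)) * 12


def kfs_apr_check(t: LoanTerms, disclosed_apr: float, tolerance: float = 0.0005) -> dict:
    """Compare the APR printed on the KFS with the recomputed all-in APR.
    An APR understated by more than the tolerance is a DL-4 finding."""
    actual = all_in_apr(t)
    gap = actual - disclosed_apr
    return {
        "all_in_apr": actual,
        "disclosed_apr": disclosed_apr,
        "understated_by": gap,
        "compliant": gap <= tolerance,
    }


def lookup_period_exit_amount(t: LoanTerms, days_held: int, days_in_year: int = 365) -> float:
    """Amount a borrower owes to exit inside the look-up period: principal plus
    APR interest for the days held, and nothing else (no penalty or foreclosure charge)."""
    apr = all_in_apr(t)
    return t.principal + t.principal * apr * days_held / days_in_year


if __name__ == "__main__":
    # Constructed example: Rs 1,00,000 at 24% nominal for 12 months with a
    # Rs 3,000 processing fee deducted upfront; the KFS discloses only 24%.
    loan = LoanTerms(principal=100_000, nominal_rate=0.24, tenor_months=12, upfront_fees=3_000)
    print(kfs_apr_check(loan, disclosed_apr=0.24))
    print(round(lookup_period_exit_amount(loan, days_held=3), 2))
```

The same functions can be run over a sample of live loans by feeding the KFS fields and the charge schedule into LoanTerms and comparing against the disclosed APR column.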

DL-6: Data collection, consent & privacy

What to verify | Typical evidence
Data collected is need-based, with a clear audit trail and prior explicit borrower consent. | Consent architecture, screenshots, consent log with timestamps.
Consent is purpose-limited, and borrowers can grant/deny/revoke consent for specific data. | Consent-management platform, revocation workflow, granular toggles.
No access to mobile phone resources (files, media, contacts, call logs, telephony) except one-time camera/mic/location/KYC needs. | Android/iOS permission manifest review, runtime permission audit.
Borrower option to delete/forget collected data and to restrict its disclosure to third parties. | Data-deletion workflow, DSAR handling records.
Explicit consent obtained before sharing personal information with any third party. | Third-party sharing register, consent linkage, DPAs.
Alignment with DPDP Act, 2023 principles where operationalised (notice, purpose, minimisation). | Privacy notice, DPDP gap assessment, consent-manager design.
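The permission-manifest review in the DL-6 table is one of the few controls an assessor can test mechanically. Below is an added example (not tooling from this page, CyberSigma or the RBI) that parses the uses-permission entries of an Android manifest and classifies them against the rule as paraphrased above: contacts, call logs, SMS, telephony and file/media access are flagged as prohibited, while camera, microphone and location are flagged for one-time-use review. It assumes the manifest is plain XML (for example decoded from the APK with apktool); the permission sets and the sample manifest are constructed for the example, not an RBI-published list.

```python
"""Permission-footprint audit of a DLA's AndroidManifest.xml (added example).

The PROHIBITED / ONE_TIME_ONLY sets encode the DL-6 rule as this guide
paraphrases it; they are an assessor's working list, not a regulatory schedule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Resources a DLA must not access at all (files, media, contacts, call logs, telephony).
PROHIBITED = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE", "android.permission.GET_ACCOUNTS",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO", "android.permission.READ_MEDIA_AUDIO",
    # Background location defeats the one-time intent, so it is treated as prohibited.
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Permitted only as one-time, runtime-requested access tied to KYC/onboarding;
# the assessor still has to confirm the purpose and timing in the runtime audit.
ONE_TIME_ONLY = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
}


def requested_permissions(manifest_xml: str) -> list:
    """Return every permission name declared via <uses-permission> or
    <uses-permission-sdk-23>, in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def audit_manifest(manifest_xml: str) -> dict:
    """Classify each requested permission and return a findings dictionary.
    'compliant' is False whenever any prohibited resource is requested."""
    findings = {"prohibited": [], "one_time_review": [], "other": []}
    for name in requested_permissions(manifest_xml):
        if name in PROHIBITED:
            findings["prohibited"].append(name)
        elif name in ONE_TIME_ONLY:
            findings["one_time_review"].append(name)
        else:
            findings["other"].append(name)
    findings["compliant"] = not findings["prohibited"]
    return findings


# Constructed sample: a DLA that over-collects (contacts, SMS, call log).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dla">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
</manifest>
"""

# Constructed sample: the same app after permission-scope reduction.
REDUCED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dla">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml_text in (("before", SAMPLE_MANIFEST), ("after", REDUCED_MANIFEST)):
        print(label, audit_manifest(xml_text))
```

The "before" and "after" findings, taken from the app-store build and the remediated build, are the permission-scope reduction evidence listed under Phase 3.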

DL-7: Data storage & localisation

What to verify | Typical evidence
Borrower data is stored only on servers located within India. | Data-residency attestation, cloud region configuration, hosting contracts.
No biometric data is stored in DLA/LSP systems (unless permitted by statute/regulator). | Data inventory, DLA data map, biometric-handling policy.
The DLA does not store borrower data beyond the minimal necessary; retention limits are enforced. | Retention schedule, purge logs, DLA data-storage design.
Clear ownership, access controls and encryption of stored personal data. | Access-control matrix, encryption standards, key-management evidence.

DL-8: Credit-limit & automatic-increase controls

What to verify | Typical evidence
No automatic increase in credit limit occurs without explicit borrower consent on record. | Credit-limit change logs, consent capture per increase, system rules.
Any credit-limit revision is preceded by fresh disclosure/KFS where material. | Communication logs, revised KFS, consent evidence.
Controls prevent silent limit expansion in revolving/BNPL products. | Product config, control test results, exception report.

DL-9: Disclosure & transparency to borrower

What to verify | Typical evidence
The RE publishes the list of DLAs/LSPs engaged on its website. | Website capture, LSP/DLA disclosure page, update log.
The DLA prominently displays the name of the RE on whose behalf it interacts with the borrower. | App screenshots, branding review.
Product details, interest, charges and terms are disclosed clearly and upfront. | Product pages, KFS, terms & conditions.
Aggregator DLAs provide a digital, unbiased view of all lender offers (15 Nov 2023 directions). | Aggregator UI review, willingness-to-lend matrix, no-partisan-promotion attestation.
The loan-product matrix from multiple lenders is presented without partisan promotion. | Comparison-screen evidence, ranking-logic disclosure.

DL-10: Grievance redressal & Nodal Officer

What to verify | Typical evidence
A Grievance Redressal Officer (GRO) is appointed for digital lending / DLA-related complaints. | GRO appointment letter, contact details published on the DLA and website.
Grievance mechanism, TAT and escalation are disclosed to borrowers. | Grievance policy, TAT SLA, DLA help screens.
Unresolved complaints (>30 days) can be escalated under the RB-Integrated Ombudsman Scheme. | Ombudsman-escalation records, complaint MIS, ageing report.
LSP-level grievances also route to the RE's GRO with clear responsibility. | LSP grievance flow, integration evidence, complaint linkage.

DL-11: Credit reporting to CICs

What to verify | Typical evidence
All lending through DLAs is reported to CICs irrespective of nature/tenor. | CIC submission files, reconciliation between LMS and CIC reports.
Reporting complies with CICRA 2005 and RBI CIC directions (data quality, frequency). | Data-quality reports, rejection handling, upload cadence.
Short-tenor / small-ticket / BNPL loans are not excluded from reporting. | Loan-population reconciliation, BNPL reporting evidence.

DL-12: Fair practices, conduct & recovery

What to verify | Typical evidence
The Fair Practices Code is applied to digital lending, including via LSPs. | FPC document, LSP flow-down clauses, training records.
Recovery/collection is conducted within permitted hours and without harassment. | Contact-time logs, call-recording sampling, complaint analysis.
Recovery agents engaged for a specific borrower are disclosed to that borrower. | Agent-assignment notice, communication logs.
Penal charges/interest comply with RBI penal-charges directions (reasonable, disclosed). | Penal-charge policy, KFS, computation samples.
No misleading advertising or coercive practices in customer acquisition. | Marketing review, ad approval workflow, complaint trends.

DL-13: Default Loss Guarantee (DLG/FLDG)

What to verify | Typical evidence
Total DLG cover does not exceed 5% of the amount of the underlying loan portfolio. | DLG agreements, portfolio-cap computation, monitoring MIS.
DLG is in permitted forms (cash deposit, fixed deposit with lien, or bank guarantee). | Deposit/FD/BG evidence, custody arrangements.
DLG is invoked within the prescribed timeline (within 120 days of overdue) and disclosed. | Invocation logs, ageing, provisioning treatment.
DLG arrangements do not substitute for the RE's own credit-underwriting discipline. | Underwriting policy, model governance, NPA recognition rules.
The portfolio over which DLG is offered is identifiable and fixed upfront. | Portfolio definition, agreement schedules, reconciliation.

DL-14: Technology, cybersecurity & app security

What to verify | Typical evidence
DLA/LSP systems comply with the RBI IT Governance & IT Outsourcing Master Directions (Apr/Nov 2023). | IT governance policy, IT outsourcing register, control mapping.
Secure SDLC, periodic VAPT and application-security testing of DLAs. | VAPT reports, remediation trackers, secure-coding standards.
App-store integrity: the DLA is verifiable, RE-branded, and free of malicious permission scope. | App-store listing, permission audit, code-signing evidence.
Encryption of data in transit and at rest; strong authentication for borrower access. | Crypto standards, TLS config, MFA/2FA design.
Incident response and breach notification to RBI/CERT-In within required timelines. | IR plan, CERT-In 6-hour reporting evidence, incident register.
API security, rate limiting and access control between RE, LSP and DLA. | API gateway config, OAuth scopes, penetration-test results.

DL-15: Reporting, monitoring & regulatory returns

What to verify | Typical evidence
Periodic self-assessment and internal audit of the digital lending programme. | Internal-audit reports, self-assessment questionnaires, management responses.
Regulatory reporting/returns submitted accurately and on time (incl. via CIMS where applicable). | Return submission logs, sign-offs, reconciliation.
LSP register and DLA inventory kept current and available for inspection. | Register with change history, review evidence.
Corrective actions from RBI inspections/observations tracked to closure. | RBI correspondence, action plans, closure evidence.

Scoping

Accurate scoping determines audit effort and defensibility. The first scoping question is always definitional: does the activity constitute 'digital lending' as defined in the Directions? A loan that is merely serviced online but sourced and underwritten through a traditional branch process may fall partially in scope, whereas an app-native BNPL product is squarely in scope. Scoping must be documented in a memo signed off by legal and compliance.

  • Enumerate every product delivered via a DLA (personal loans, BNPL, revolving credit, MSME digital loans, co-lending, embedded finance).
  • Map each product to its RE, LSP(s) and DLA(s); a single product may span multiple LSPs (sourcing, KYC, collections).
  • Identify aggregator/marketplace arrangements that trigger the 15 Nov 2023 transparency directions.
  • Identify DLG/FLDG arrangements and confirm applicability of the 8 June 2023 guidelines.
  • Determine data-flow boundaries: where borrower data is collected, processed and stored across RE, LSP and DLA.
  • Determine fund-flow boundaries: all disbursal and repayment accounts, escrow/collection accounts, and any pooling risk.
  • Confirm co-lending and securitised portfolios and how DL Directions interact with those frameworks.
  • Exclude non-digital, branch-originated legacy loans, documenting the exclusion rationale.

Implementation approach

A phased approach lets an RE move from gap assessment to sustained compliance while limiting business disruption. Each phase has defined activities and deliverables.

Phase 1 - Discovery & gap assessment

  • Activities: build the DLA/LSP inventory; map products, fund flows and data flows; assess against all 15 domains; interview product, tech, legal and compliance owners.
  • Deliverables: current-state inventory, control-by-control gap register, risk-rated findings, prioritised remediation roadmap.

Phase 2 - Policy, contracts & governance

  • Activities: draft/refresh Board-approved Digital Lending policy; update LSP outsourcing agreements with DL clauses (audit rights, data, exit); establish governance committees and RACI.
  • Deliverables: approved policy, revised contract templates, governance charter, LSP due-diligence framework.

Phase 3 - Technical & product remediation

  • Activities: implement KFS/APR engine, consent-management platform, look-up-period workflow, direct fund-flow routing, data-minimisation and India-only storage; remediate app permissions; complete VAPT.
  • Deliverables: KFS templates live, consent architecture deployed, fund-flow reconciliation, VAPT closure, permission-scope reduction evidence.

Phase 4 - Consumer protection & grievance

  • Activities: appoint GRO, publish DLA/LSP disclosures, wire grievance MIS and Ombudsman escalation, roll out fair-practices and recovery-conduct controls.
  • Deliverables: GRO appointment, disclosure pages live, grievance TAT dashboard, recovery-conduct SOP.

Phase 5 - Assurance, reporting & sustain

  • Activities: embed CIC reporting checks, regulatory returns, periodic internal audit, LSP monitoring cadence, DLG cap monitoring; run independent validation.
  • Deliverables: internal-audit programme, reporting calendar, LSP-monitoring MIS, independent assurance report, continuous-monitoring KPIs.

Maturity / capability model

Because the RBI framework is outcomes-based, a maturity model helps translate binary compliance findings into a capability trajectory that management can prioritise. CyberSigma rates each domain on a five-level scale.

Level | Capability rating | Description
1 | Initial / Ad-hoc | No formal digital lending policy; controls informal or absent; high regulatory exposure.
2 | Developing | Some controls exist (e.g., KFS) but are inconsistently applied; LSP oversight weak; gaps material.
3 | Defined | Board-approved policy, documented controls across most domains; evidence exists but is not fully tested.
4 | Managed | Controls operating effectively and monitored; LSP monitoring MIS live; periodic internal audit; minor gaps.
5 | Optimised | Continuous monitoring, automated consent/KFS/fund-flow controls, data-driven grievance analytics, proactive regulatory engagement.

Assessment and audit approach

The assessment follows a structured, evidence-led sequence designed to withstand RBI scrutiny.

  1. Initiation: agree scope, timeline, RE/LSP/DLA population, and engagement protocols; issue evidence request list.
  2. Documentation review: examine policies, contracts, KFS templates, consent architecture, fund-flow diagrams and prior audit reports.
  3. Walkthroughs: conduct process walkthroughs for onboarding, disbursal, repayment, consent, grievance and recovery.
  4. Control testing: sample transactions and test each control for design and operating effectiveness (KFS delivery, direct fund flow, consent logs, credit-limit consent).
  5. Technical testing: review app permissions, data-residency configuration, VAPT results, API scopes and encryption.
  6. LSP/DLA inspection: assess due-diligence files, monitoring MIS, DPAs and audit-rights exercise.
  7. Findings & rating: rate each domain on the maturity model; risk-rate gaps (High/Medium/Low) with clause references.
  8. Reporting: issue draft report with management responses, then final report with remediation roadmap and target dates.
  9. Closure & re-test: validate remediation of high-risk findings and confirm sustainable operation.

Evidence request list

The following categorised list is issued at initiation. Complete, timestamped evidence accelerates the assessment and reduces sampling risk.

  • Governance: Board-approved Digital Lending policy, committee charters, review minutes, LSP/DLA register.
  • Outsourcing: executed LSP agreements, due-diligence files, DPAs, audit-rights clauses, monitoring MIS.
  • Fund flow: disbursal and repayment ledgers, bank/escrow account architecture, reconciliation reports, fee-settlement records.
  • KFS/APR: KFS templates and samples, APR computation methodology and worksheets, charge schedules.
  • Cooling-off: product parameters, exit-request logs, refund evidence, policy documentation.
  • Data & consent: consent-management design, consent/revocation logs, privacy notice, DPDP gap assessment, data inventory and retention schedule.
  • Data storage: data-residency attestations, cloud region config, encryption and key-management standards.
  • Credit limit: credit-limit change logs with consent evidence, product configuration.
  • Disclosure: website DLA/LSP disclosure captures, app screenshots, aggregator comparison-screen evidence.
  • Grievance: GRO appointment, grievance policy, complaint MIS, ageing/TAT reports, Ombudsman escalations.
  • CIC reporting: CIC submission files, LMS-to-CIC reconciliation, data-quality reports.
  • Recovery & conduct: Fair Practices Code, recovery SOP, contact-time logs, call-recording samples, penal-charge policy.
  • DLG: DLG agreements, portfolio-cap computation, invocation logs, custody evidence.
  • Technology: VAPT reports, secure-SDLC standards, app permission audit, IR plan, CERT-In reporting evidence, API security config.
  • Reporting & audit: internal-audit reports, regulatory return submissions, RBI correspondence and action-trackers.

Roles and responsibilities

Role | Key responsibilities
Board / Board Committee | Approve policy, oversee risk appetite, review programme and material findings.
Chief Compliance Officer | Own regulatory interpretation, monitor compliance, liaise with RBI, sign off returns.
Chief Risk Officer | Assess LSP/DLA risk, DLG exposure, credit and outsourcing risk.
Head of Digital Lending / Product | Ensure KFS, consent, cooling-off and disclosures are built into products.
CTO / CISO | Deliver secure DLAs, data residency, VAPT, incident response, API security.
Data Protection Officer | Consent architecture, DPDP alignment, data minimisation, DSAR handling.
Grievance Redressal Officer | Handle DLA/LSP complaints within TAT, manage Ombudsman escalation.
Internal Audit | Independent testing of controls, report to Audit Committee, track closure.
LSP relationship owner | Conduct due diligence, monitor LSP conduct and performance, exercise audit rights.
Independent assessor (CyberSigma) | Objective control testing, maturity rating, remediation roadmap, assurance.

KPIs to track

  • Percentage of digital loans with a compliant KFS delivered before contract execution (target 100%).
  • Percentage of disbursals/repayments routed directly borrower-to-RE with zero pooling exceptions.
  • APR-disclosure accuracy: variance between disclosed APR and actual all-in cost (target 0%).
  • Consent coverage: percentage of borrowers with granular, revocable, logged consent (target 100%).
  • App-permission footprint: number of non-essential permissions requested (target minimal).
  • Grievance TAT: percentage of complaints resolved within defined SLA and ageing beyond 30 days.
  • Ombudsman escalation rate and awards against the RE (trend downward).
  • CIC reporting completeness: percentage of digital loans reported (target 100%) and data-quality rejection rate.
  • DLG utilisation vs 5% cap and invocation-timeline adherence.
  • VAPT closure rate for high/critical findings within SLA.
  • LSP monitoring coverage: percentage of active LSPs reviewed within cadence.
  • Data-residency conformance: percentage of borrower data stored within India (target 100%).

Readiness checklist

  • Board-approved Digital Lending policy in force and reviewed within the last 12 months.
  • Complete, current inventory of all DLAs and LSPs maintained and Board-reviewed.
  • All LSP contracts updated with DL Directions clauses (data, audit rights, exit, fund flow).
  • KFS with all-inclusive APR delivered to every borrower before contract execution.
  • Cooling-off / look-up period defined, disclosed and operationally enforced.
  • All disbursals and repayments route directly between borrower and RE with no pooling.
  • LSP fees borne by RE, never charged to the borrower.
  • Granular, purpose-limited, revocable consent captured and logged; data collection minimised.
  • No non-essential mobile permissions; India-only data storage; no biometric retention.
  • No automatic credit-limit increase without explicit borrower consent.
  • DLA/LSP list and product terms disclosed on the RE website; aggregators show unbiased offers.
  • GRO appointed; grievance TAT and Ombudsman escalation operational.
  • All digital loans reported to CICs regardless of tenor or ticket size.
  • Fair-practices and recovery-conduct controls enforced, including for LSP agents.
  • DLG within 5% cap, in permitted form, with disclosed invocation.
  • VAPT completed, high findings closed, CERT-In incident reporting configured.
  • Internal audit programme and regulatory returns operating on schedule.

Common gaps

  • Funds pooling or transiting through LSP/aggregator accounts instead of direct borrower-to-RE flow.
  • KFS missing, delivered after contract execution, or APR understated by excluding fees.
  • Excessive mobile permissions (contacts, call logs, media) harvested by the DLA.
  • Consent that is bundled, non-revocable, or lacking a timestamped audit trail.
  • LSP fees or hidden charges passed on to the borrower.
  • Automatic credit-limit increases in BNPL/revolving products without explicit consent.
  • Borrower data stored outside India or on the DLA beyond minimal necessity.
  • Weak or non-existent LSP due diligence and no exercised audit rights.
  • No published DLA/LSP list; aggregators promoting a single lender partially.
  • Grievance mechanism without a named GRO or without Ombudsman escalation.
  • Short-tenor/BNPL loans excluded from CIC reporting.
  • DLG exceeding the 5% cap or in impermissible forms; delayed invocation.
  • Coercive recovery, out-of-window contact, or undisclosed recovery agents.
  • Missing CERT-In 6-hour incident reporting and stale VAPT.

RBI Digital Lending mapped to other frameworks

RBI Digital Lending domain | Related framework / requirement
Data collection, consent & privacy (DL-6) | DPDP Act, 2023: notice, consent, purpose limitation, data-principal rights.
Data storage & localisation (DL-7) | RBI Storage of Payment System Data (2018); DPDP cross-border rules; ISO 27001 A.5/A.8.
Technology & cybersecurity (DL-14) | RBI IT Governance & IT Outsourcing MDs (2023); CERT-In 6-hour directions; ISO 27001; NIST CSF.
LSP & outsourcing (DL-2) | RBI Outsourcing of Financial Services guidelines; ISO 27036 supplier security.
Grievance redressal (DL-10) | RB-Integrated Ombudsman Scheme, 2021; RBI Internal Ombudsman directions.
Credit reporting (DL-11) | CICRA, 2005 and RBI CIC directions; data-quality standards.
Fair practices & recovery (DL-12) | RBI Fair Practices Code; Recovery Agents guidelines; penal-charges directions (2023).
KFS & APR transparency (DL-4) | RBI KFS harmonisation directive (2024); consumer-protection principles.
DLG / FLDG (DL-13) | RBI Default Loss Guarantee guidelines, 8 June 2023.
Governance & Board oversight (DL-1) | RBI IT Governance MD; COBIT; ISO 27014 information-security governance.

How CyberSigma helps

CyberSigma is a CERT-In empanelled cybersecurity and compliance firm with deep, hands-on experience in RBI Digital Lending (DLA/LSP) assurance. We take you end to end: a rapid gap assessment across all 15 control domains, a Board-ready remediation roadmap, hands-on support to build KFS/APR engines, consent management, direct fund-flow routing and data-residency controls, LSP due diligence and contract uplift, DLA application-security testing and VAPT, and independent assurance you can present to the Reserve Bank. Our dual auditor-and-implementer approach means we not only find the gaps, we help you close them and sustain compliance. Talk to CyberSigma to make your digital lending programme audit-ready and regulator-defensible.

Frequently asked questions

What data controls does RBI digital lending require?
Explicit consent with audit trails, restrictions on mobile-resource access, India-based data storage, and controls over LSP data retention and deletion.

Need help with RBI Digital Lending?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.