Digital Lending Business in India: RBI Guidelines and Compliance for 2026
Digital lending in India is governed by the RBI Digital Lending Guidelines issued on September 2, 2022 (Circular DOR.CRE.REC.66/21.07.001/2022-23), which regulate every entity involved in disbursing credit through digital channels. Starting a digital lending business requires either NBFC registration with RBI (minimum Net Owned Fund: ₹2 crore) or a partnership with an existing RBI-regulated entity as a Lending Service Provider (LSP). The guidelines cover three entity categories, mandate loan disbursal only through borrower bank accounts, cap First Loss Default Guarantee (FLDG) at 5% of outstanding portfolio, and prohibit lending apps from accessing borrower phone contacts. Whether you are planning a lending app, a P2P platform, a Buy Now Pay Later service, or an embedded lending product, this guide covers every compliance requirement, registration step, and cost involved in running a digital lending business in India in 2026.
- RBI Digital Lending Guidelines (September 2, 2022) regulate all lending through digital channels, covering banks, NBFCs, LSPs, and DLAs
- NBFC registration requires a minimum Net Owned Fund of ₹2 crore (increased from ₹25 lakh for new applications)
- First Loss Default Guarantee (FLDG) is capped at 5% of the outstanding loan portfolio
- Lending apps can only access camera, microphone, and location data with explicit consent. Phone contacts, call logs, and media files are strictly prohibited
- All digital lending data must be stored exclusively in India, with DPDP Act 2023 adding penalties up to ₹250 crore for data breaches
What Is Digital Lending? Definition and Business Models
Digital lending is the process of providing credit facilities to borrowers through online platforms, mobile applications, or web-based services where the entire loan lifecycle, from application to disbursal to repayment, is managed through digital channels. It is regulated by the Reserve Bank of India under the Digital Lending Guidelines dated September 2, 2022, and governed by the RBI Act, 1934, the Banking Regulation Act, 1949, and NBFC-specific Master Directions.
The Indian digital lending market has grown rapidly, with disbursements crossing ₹1.7 lakh crore through fintech platforms in FY 2024-25. This growth has been driven by increasing smartphone penetration, India Stack infrastructure (Aadhaar, UPI, Account Aggregator), and the demand for quick, small-ticket credit among MSMEs and individuals who are underserved by traditional banks. But with growth came regulatory concerns about predatory lending, data misuse, and hidden charges, which prompted RBI's comprehensive framework.
Digital lending in India is governed by RBI Circular DOR.CRE.REC.66/21.07.001/2022-23 dated September 2, 2022, supplemented by the FLDG guidelines (June 8, 2023) and the Digital Personal Data Protection Act, 2023. The regulatory framework is administered by the Reserve Bank of India through www.rbi.org.in.
Digital Lending Business Models in India
There are five primary digital lending business models operating in India, each with different regulatory requirements:
| Business Model | How It Works | RBI Licence Required | Typical Ticket Size |
|---|---|---|---|
| Lending App / Digital NBFC | Direct lending through own app/platform, using own balance sheet | Yes (NBFC-ICC or NBFC-MFI) | ₹5,000 to ₹10 lakh |
| P2P Lending Platform | Connects individual lenders with borrowers through a marketplace | Yes (NBFC-P2P) | ₹10,000 to ₹50 lakh |
| Buy Now Pay Later (BNPL) | Short-term credit at point of purchase, repaid in instalments | Requires RE partnership | ₹500 to ₹1 lakh |
| Embedded Lending | Lending integrated within non-financial platforms (e-commerce, SaaS) | Requires RE partnership | ₹1,000 to ₹5 lakh |
| LSP / Loan Marketplace | Aggregates loan offers from multiple REs, earns commission | No (operates under RE contract) | Varies by partner |
RBI Digital Lending Guidelines: Summary of Key Provisions
The RBI circular dated September 2, 2022 introduced a comprehensive framework that fundamentally changed how digital lending operates in India. Before these guidelines, lending apps operated in a regulatory grey zone, with widespread reports of harassment, hidden charges, and data misuse. The circular addresses these issues through mandatory transparency, data protection, and borrower rights. Every provision traces back to one principle: the regulated entity (bank or NBFC) bears full responsibility for the loans disbursed through digital channels.
Core Provisions of the September 2022 Circular
- Loan disbursal and repayment: All loan amounts must be disbursed directly into the borrower's bank account and repaid from the borrower's bank account. No pass-through accounts or wallets are permitted for disbursal.
- RE responsibility: The regulated entity is fully accountable for the actions of its LSPs and DLAs. Any customer grievance or regulatory violation by a partner is treated as the RE's violation.
- Fee transparency: All fees, charges, and the Annual Percentage Rate (APR) must be disclosed upfront through a standardized Key Fact Statement (KFS) before the loan agreement is executed.
- Cooling-off period: Borrowers must be given a defined look-up or cooling-off period during which they can repay the loan with principal and proportionate APR, without any penalty.
- Data minimization: DLAs can collect only essential data with explicit, one-time consent. Phone contacts, call logs, media storage, and other irrelevant data cannot be accessed.
- Reporting to credit bureaus: All digital loans must be reported to credit information companies (CICs) by the regulated entity, regardless of the loan amount or tenure.
- Grievance redressal: Every RE must designate a nodal grievance officer whose details are displayed on the DLA and the RE's website. Unresolved complaints can be escalated to the RBI Ombudsman under the Integrated Ombudsman Scheme.
- No automatic loan enhancements: Increasing a borrower's credit limit or sanctioning a new loan without explicit borrower consent is prohibited.
Start Your Digital Lending Business with Full RBI Compliance
Register your NBFC or set up as a compliant Lending Service Provider. Our team handles the entire regulatory process.
Get NBFC Registration AssistanceThree Categories of Digital Lending Entities
RBI's framework classifies every participant in the digital lending ecosystem into one of three categories. Understanding which category your business falls into determines your compliance obligations, licensing requirements, and operational boundaries.
Category 1: Regulated Entities (REs)
Regulated Entities are banks and NBFCs that hold valid licences from the RBI. They are the only entities authorized to disburse loans and collect repayments. In the digital lending context, an RE either operates its own lending app or partners with LSPs and DLAs to reach borrowers digitally. The RE bears full regulatory responsibility for every digital loan, regardless of which technology partner facilitates the process. Examples include scheduled commercial banks, small finance banks, NBFCs (ICC, MFI, P2P), and cooperative banks.
Category 2: Lending Service Providers (LSPs)
LSPs are entities that perform specific lending functions on behalf of regulated entities through outsourcing arrangements. Their roles can include customer acquisition, credit assessment support, loan processing, disbursement support, and recovery operations. LSPs do not hold separate RBI licences but operate under contractual agreements with REs. They must comply with all guidelines on disclosure, data handling, and borrower treatment. Common LSP models include fintech companies that provide underwriting algorithms, loan marketplaces that connect borrowers with multiple lenders, and digital platforms that facilitate loan origination.
Category 3: Digital Lending Apps (DLAs)
DLAs are the customer-facing mobile or web applications through which borrowers access digital lending services. A DLA can be owned by the RE itself, by an LSP, or by a third-party technology provider. Regardless of ownership, the DLA must clearly display the RE's identity to the borrower. DLAs face the strictest data access restrictions: they can access only camera, microphone, and location, and that too only with purpose-specific, one-time consent.
Compliance Requirements by Entity Type
Each category has different levels of compliance obligations. This comparison helps you identify exactly what applies to your digital lending business model.
| Compliance Requirement | Regulated Entity (RE) | LSP | DLA |
|---|---|---|---|
| RBI licence required | Yes (NBFC/Bank) | No | No |
| Minimum capital (NOF) | ₹2 crore (NBFC) / ₹10 crore (NBFC-ICC with public deposits) | No minimum | No minimum |
| KYC responsibility | Full responsibility | Can assist, RE accountable | Can collect, RE accountable |
| Loan disbursal | Direct to borrower bank account | Not permitted to disburse | Not permitted to disburse |
| Key Fact Statement (KFS) | Must provide before loan execution | Must display on behalf of RE | Must display on app/website |
| Cooling-off period | Must offer as per board policy | Must honour RE's policy | Must display terms clearly |
| Credit bureau reporting | Mandatory for all loans | Not applicable | Not applicable |
| Data access restrictions | Must enforce on all partners | Subject to restrictions | Camera, mic, location only |
| Grievance redressal | Nodal officer mandatory | Must escalate to RE | Must display RE's grievance officer details |
| FLDG arrangement | Must comply with 5% cap | Can provide FLDG (5% cap) | Can provide FLDG (5% cap) |
| Annual compliance audit | Statutory audit + RBI inspection | As per RE's contract terms | As per RE's contract terms |
Registration and Licensing for Digital Lending
The registration path depends entirely on your business model. If you want to lend from your own balance sheet, you need an NBFC licence from RBI. If you want to facilitate lending for others, you register as an LSP under a contractual arrangement with existing REs. Here is a breakdown of both routes.
Route 1: NBFC Registration with RBI
If your digital lending business will disburse loans from its own funds, you must register as a Non-Banking Financial Company with the Reserve Bank of India. The process requires careful planning because RBI evaluates the promoter's track record, the business plan's viability, and compliance readiness. For a digital lending-focused NBFC, you will typically apply under the NBFC-Investment and Credit Company (ICC) category.
- Incorporate a Private Limited Company: Register a Private Limited Company under the Companies Act, 2013 with financial services as the main object in the Memorandum of Association. Timeline: 7 to 15 working days.
- Build the Net Owned Fund: Inject a minimum of ₹2 crore as equity capital. This must be unencumbered and certified by a Chartered Accountant. The NOF must be maintained at all times after registration.
- Prepare the business plan: Submit a 3 to 5 year projection covering target segments, lending products, interest rate structure, technology infrastructure, risk management framework, and capital adequacy projections.
- Submit the application to RBI: File the application through the RBI COSMOS portal with all supporting documents. Pay the application fee of ₹10,000.
- RBI due diligence: RBI conducts background verification of promoters and directors, evaluates the business plan, and may conduct an in-person interview. Timeline: 3 to 6 months.
- Certificate of Registration (CoR): On approval, RBI issues the NBFC CoR. You can begin lending operations only after receiving this certificate.
- Post-registration compliance: Set up the technology platform, implement KYC and AML processes, register for GST, and begin operations within the scope approved by RBI.
Route 2: P2P Lending Licence (NBFC-P2P)
Peer-to-peer lending platforms must register as NBFC-P2P with RBI under the Master Direction on NBFC-Peer to Peer Lending Platform, 2017. The requirements are similar to standard NBFC registration with additional conditions: individual lender exposure capped at ₹50 lakh across all P2P platforms, individual borrower exposure capped at ₹50 lakh, loan tenure capped at 36 months, and mandatory escrow account arrangements for fund movement between lenders and borrowers.
Route 3: Operating as an LSP (No Separate Licence)
If you do not want to lend directly, you can partner with one or more RBI-regulated entities as a Lending Service Provider. This route does not require an RBI licence but demands a formal outsourcing agreement with the RE. The RE must conduct due diligence on your operations, technology, and data practices before onboarding you. While the entry barrier is lower (no ₹2 crore NOF requirement), you earn commission rather than interest income, and the RE retains control over credit decisions and loan pricing.
Register Your Company for Digital Lending
The first step for any digital lending business is company incorporation. We handle MCA filing, DSC, DIN, and PAN/TAN in 7 to 15 working days.
Start Company RegistrationKey Compliance Provisions: What Every Digital Lender Must Follow
Whether you are an RE, an LSP, or a DLA operator, these compliance provisions apply to your operations. Ignoring any of these is the fastest way to attract RBI's attention, and not in a good way.
KYC and Customer Verification
All borrower verification must follow the RBI KYC Master Direction, 2016. For digital lending, this means implementing Aadhaar-based e-KYC (through UIDAI's authentication service) or Video-KYC (Video-based Customer Identification Process, or V-CIP). The KYC process must be performed by or under the supervision of the regulated entity. While LSPs and DLAs can assist in collecting KYC data, the RE cannot outsource the verification decision entirely. PAN verification is mandatory for all loan applications, and enhanced due diligence applies for loans above ₹10 lakh.
Data Privacy and Protection
Data protection in digital lending has two layers: RBI guidelines and the DPDP Act, 2023. Under RBI norms, DLAs can only access camera, microphone, and location on a borrower's phone, and that too with one-time, purpose-specific consent. Phone contacts, call logs, SMS messages, media files, and other device storage are off-limits. All data must be stored in servers located within India. The DPDP Act adds requirements for explicit consent, purpose limitation, data minimization, breach notification (within 72 hours to the Data Protection Board), and the borrower's right to data erasure. Non-compliance with the DPDP Act can attract penalties up to ₹250 crore.
Loan Agreement Transparency and Key Fact Statement
Before executing any loan agreement, the RE must provide the borrower with a Key Fact Statement (KFS) in a standardized, machine-readable format. The KFS must include: the Annual Percentage Rate (APR) covering all costs, the loan amount, tenure, repayment schedule, processing fees, late payment charges, prepayment penalties (if any), and the total cost of borrowing. The borrower must actively acknowledge receipt of the KFS. Burying terms in fine print or within lengthy agreements is treated as non-compliance.
Cooling-Off Period
The cooling-off period (also called the look-up period) is a defined window after loan disbursal during which the borrower can return the loan amount with proportionate APR and no additional penalties. This provision tackles predatory lending practices where borrowers were trapped in high-interest loans without time to evaluate the terms. The duration of the cooling-off period is set by each RE's board, but it must be clearly communicated to the borrower in the KFS and loan agreement.
FLDG (First Loss Default Guarantee) Norms
The FLDG framework, introduced by RBI on June 8, 2023, governs guarantee arrangements between REs and their LSP/DLA partners. An FLDG is a guarantee provided by an LSP or DLA to the RE, promising to compensate the RE for a portion of defaults on the loan portfolio sourced by the LSP/DLA. The key rules:
- 5% cap: The total FLDG from an LSP/DLA cannot exceed 5% of the outstanding loan portfolio sourced by that entity, or 5% of the incremental portfolio in the case of new arrangements
- Acceptable forms: FLDG must be in the form of cash deposits, fixed deposits with the RE's bank, or bank guarantees. No other form (equity pledge, future revenue commitments) is permitted
- Invocation timeline: The FLDG must be invoked within 120 days of the loan becoming overdue (NPA classification)
- Disclosure: The existence and terms of the FLDG arrangement must be disclosed to borrowers
- Board approval: The RE's board must approve the FLDG policy, and each arrangement must be reviewed periodically
If an LSP or DLA exceeds the 5% FLDG cap, RBI can direct the RE to terminate the partnership. For startups building their lending business around FLDG arrangements, maintaining the 5% threshold requires active portfolio monitoring and provisioning. The FLDG amount is locked and cannot be withdrawn until the loan portfolio is settled.
Technology and Data Requirements
Building a compliant digital lending platform is not just about the front-end app. The back-end infrastructure must meet specific RBI requirements on data handling, storage, and security. Cutting corners on technology compliance is one of the most common reasons RBI rejects NBFC applications or penalizes existing operators.
Data Localization
All data generated, processed, or stored in connection with digital lending operations must reside within India. This applies to customer personal data, KYC records, transaction data, loan performance data, and credit assessment data. Cloud infrastructure must use servers physically located in India. If you use a global cloud provider (AWS, Azure, GCP), ensure your instances are deployed in Indian data centre regions (Mumbai, Hyderabad). Cross-border data sharing, even for analytics, is restricted without explicit regulatory approval.
No Third-Party Data Access
The DLA or LSP cannot share borrower data with any third party beyond what is strictly necessary for the lending process. Data collected for credit assessment cannot be repurposed for marketing, advertising, or selling to data brokers. Borrower data cannot be retained after the loan is fully repaid and the borrower requests deletion. Any data sharing with third parties (such as credit bureaus or insurance partners) requires separate, explicit consent from the borrower.
App Permissions and Device Access
This is where many lending apps have historically violated norms. RBI's guidelines explicitly limit DLA permissions to three categories: camera (for document scanning and selfie verification), microphone (for V-CIP or voice recording during consent), and location (for address verification). Accessing phone contacts, call logs, SMS, photo gallery, file storage, or any other device data is prohibited. Apps must request permissions only when needed for a specific function, and borrowers must have the ability to revoke permissions without affecting their loan status.
IT Security Standards
Digital lending platforms should implement ISO 27001 certification for information security management. Additional requirements include: data encryption at rest and in transit (AES-256 or equivalent), secure API integrations with banking partners, multi-factor authentication for app access, regular vulnerability assessments and penetration testing (at least annually), and incident response plans for data breaches. RBI expects REs to audit the IT security of their LSP and DLA partners before onboarding and periodically thereafter.
Need ISO 27001 Certification for Your Lending Platform?
Data security certification builds trust with banking partners and demonstrates RBI compliance.
Get ISO CertificationHow to Start a Digital Lending Business in India: Step-by-Step
Here is the complete roadmap from idea to launch, covering both the regulatory and operational steps. The path differs based on whether you are building an NBFC or operating as an LSP, but the first three steps are common to both.
- Choose your business model: Decide between operating as an NBFC (own balance sheet lending), NBFC-P2P (marketplace lending), or LSP (facilitation model). This choice determines your capital requirement, timeline, and revenue structure.
- Incorporate a Private Limited Company: RBI issues licences only to companies incorporated under the Companies Act, 2013. Register a Private Limited Company with financial services as the main object in the MoA. Cost: ₹6,000 to ₹15,000. Timeline: 7 to 15 working days.
- Apply for Startup India recognition: Register on the Startup India portal for tax benefits under Section 80-IAC, self-certification compliance, and access to the Fund of Funds. Timeline: 2 to 5 working days.
- Build capital (for NBFC route): Raise ₹2 crore as equity to meet the NOF requirement. This must be in place before filing the RBI application. For the LSP route, there is no minimum capital requirement, but you will need working capital for technology and operations.
- Apply for NBFC registration with RBI: Submit the application through the RBI COSMOS portal with all documents, business plan, and NOF certificate. Timeline: 3 to 6 months for RBI approval.
- Build the technology platform: Develop or procure the lending platform (borrower app, lender dashboard, credit scoring engine, KYC module, disbursal and repayment integration). Ensure compliance with data localization and app permission restrictions. Timeline: 3 to 6 months.
- Set up KYC and AML infrastructure: Integrate with UIDAI for Aadhaar e-KYC, implement Video-KYC, set up PAN verification, and establish transaction monitoring systems for STR reporting to FIU-IND.
- Register for GST: Apply for GST registration before commencing operations. Lending facilitation services attract 18% GST. Timeline: 3 to 7 working days.
- Draft compliance policies: Create your Fair Practices Code, KYC/AML policy, data privacy policy, grievance redressal mechanism, and FLDG policy (if applicable). These must be board-approved.
- Partner with banking institutions: Open an escrow account (mandatory for NBFC-P2P), set up disbursal and collection channels through banking partners, and integrate with credit bureaus (CIBIL, Equifax, Experian, CRIF) for credit reporting.
- Launch and monitor: Go live with a soft launch, monitor compliance metrics, track KFS delivery rates, ensure cooling-off period adherence, and submit regulatory returns to RBI as required.
Based on our experience helping fintech founders with regulatory registration, the most common delay in NBFC applications is incomplete documentation, specifically the business plan and NOF certification. Prepare the 3-year financial projection with a focus on capital adequacy ratios, NPA provisioning, and technology spend. RBI reviewers pay close attention to how realistic your projections are.
Cost Breakdown: Starting a Digital Lending Business
The total investment varies dramatically based on your business model. Here is a detailed cost comparison between the three primary routes.
| Cost Component | NBFC Route | NBFC-P2P Route | LSP Route |
|---|---|---|---|
| Company Incorporation | ₹6,000 to ₹15,000 | ₹6,000 to ₹15,000 | ₹6,000 to ₹15,000 |
| Minimum Net Owned Fund | ₹2 crore | ₹2 crore | Not required |
| RBI Application Fee | ₹10,000 | ₹10,000 | Not applicable |
| Professional & Legal Fees | ₹1.5 lakh to ₹5 lakh | ₹1.5 lakh to ₹5 lakh | ₹50,000 to ₹2 lakh |
| Technology Platform Development | ₹10 lakh to ₹50 lakh | ₹10 lakh to ₹50 lakh | ₹5 lakh to ₹25 lakh |
| ISO 27001 Certification | ₹1 lakh to ₹3 lakh | ₹1 lakh to ₹3 lakh | ₹1 lakh to ₹3 lakh |
| GST Registration | ₹0 (no government fee) | ₹0 (no government fee) | ₹0 (no government fee) |
| Annual Compliance Cost | ₹2 lakh to ₹10 lakh | ₹2 lakh to ₹10 lakh | ₹50,000 to ₹3 lakh |
| Total Initial Investment | ₹2.5 crore to ₹3.5 crore | ₹2.5 crore to ₹3.5 crore | ₹10 lakh to ₹30 lakh |
The LSP route is where most fintech startups begin. It lets you build a lending product, prove your credit model, and generate revenue without the ₹2 crore capital lockup. Once you have demonstrated traction and built a loan book track record, applying for your own NBFC licence becomes a stronger application because RBI can see real portfolio performance.
Penalties for Non-Compliance
RBI has significantly increased its enforcement activity against non-compliant digital lenders. In 2024-25 alone, RBI took action against multiple NBFCs and issued warnings to several unregistered lending apps. Understanding the penalty structure helps you appreciate why compliance is not optional.
| Violation | Penalty | Additional Consequences |
|---|---|---|
| Operating without NBFC licence | Fine up to ₹10 lakh + imprisonment up to 3 years | App removal from Play Store/App Store |
| Violating digital lending guidelines | Up to ₹5 crore + ₹25,000/day for continuing violation | Licence revocation, cease-and-desist order |
| Data privacy violation (DPDP Act) | ₹50 crore to ₹250 crore per instance | Data Protection Board proceedings |
| KYC non-compliance | Penalty under PMLA, up to 3x the transaction value | FIU-IND reporting, potential criminal proceedings |
| Exceeding FLDG cap | Direction to terminate LSP/DLA partnership | Portfolio reclassification, additional provisioning |
| Harassment during recovery | RE fined under Fair Practices Code violation | RBI Ombudsman action, reputational damage |
RBI has been actively coordinating with Google and Apple to remove non-compliant lending apps from their app stores. In early 2025, over 2,000 unauthorized lending apps were flagged for removal. If your lending app operates without connecting to a licensed RE, it risks being delisted, in addition to the criminal penalties listed above.
Ensure Full RBI Compliance for Your Lending Business
Our compliance advisory team reviews your entire digital lending framework against current RBI guidelines.
Get Compliance AdvisoryDigital Lending vs Traditional Lending: Comparison
For entrepreneurs evaluating whether to enter the digital lending space, here is how it stacks up against the traditional bank lending model across every key parameter.
| Parameter | Digital Lending | Traditional Bank Lending |
|---|---|---|
| Application Process | Fully online, 5 to 15 minutes | Branch-based, multiple visits |
| Loan Disbursal Time | Minutes to 48 hours | 7 to 30 working days |
| Documentation | e-KYC, digital documents, V-CIP | Physical documents, wet signatures |
| Credit Assessment | Algorithm-based (alternative data, bureau data, cash flow analysis) | Manual credit appraisal with collateral valuation |
| Typical Ticket Size | ₹5,000 to ₹5 lakh (personal); up to ₹50 lakh (MSME) | ₹1 lakh and above (personal); ₹10 lakh+ (MSME) |
| Interest Rate (APR) | 15% to 36% | 8% to 15% |
| Collateral Required | Usually unsecured | Often secured (property, FD, gold) |
| Customer Reach | Pan-India via app, including rural/semi-urban | Limited to branch network |
| Regulatory Overhead | High (RBI + DPDP + IT Act) | High (RBI + SEBI for listed banks) |
| Scalability | High, technology-driven | Limited by physical infrastructure |
FLDG Guidelines: The 5% Rule Explained
The FLDG framework deserves its own section because it is the revenue backbone of many LSP business models. Before the June 2023 circular, there was no cap on FLDG, and some LSPs were providing 100% guarantees to REs, effectively bearing all the credit risk while the RE earned risk-free interest income. RBI viewed this as a regulatory arbitrage that undermined the spirit of lending norms.
How FLDG Works in Practice
Suppose your LSP sources a loan portfolio of ₹10 crore for an NBFC partner. Under the 5% cap, you can provide a maximum FLDG of ₹50 lakh. This ₹50 lakh must be deposited as cash or fixed deposit with the NBFC or backed by a bank guarantee. If ₹30 lakh of loans from your sourced portfolio become NPAs, the NBFC invokes the FLDG and recovers ₹30 lakh from your deposit. Your remaining FLDG balance is ₹20 lakh. You cannot source new loans under the FLDG arrangement until the balance is replenished to the required level.
FLDG Impact on LSP Business Models
The 5% cap fundamentally changed LSP economics. Before the cap, many LSPs charged low fees to REs but provided high FLDG, earning through the spread between interest income and default costs. Now, LSPs must focus on credit quality rather than guarantees. This has pushed the industry toward better underwriting models and genuine risk sharing rather than risk transfer.
Recent Updates and 2026 Outlook
The digital lending regulatory framework continues to evolve. Here are the key developments that will shape the industry in 2026 and beyond.
What Changed in 2024-25
- SRO for fintech: RBI approved the Fintech Association for Consumer Empowerment (FACE) as the Self-Regulatory Organization for fintechs, specifically covering digital lending. SRO membership is expected to become a best practice, if not mandatory, for LSPs.
- Increased NOF for NBFCs: The minimum NOF for new NBFC registrations was increased to ₹2 crore, raising the entry barrier for small-ticket digital lenders.
- Lending app crackdown: Google Play and Apple App Store removed thousands of non-compliant lending apps in coordination with RBI and MeitY.
- DPDP Act enforcement: The Data Protection Board started operationalizing, and digital lending businesses are among the first sectors expected to face scrutiny.
What to Expect in 2026
- Tighter LSP regulation: RBI is expected to introduce a formal registration or accreditation framework for LSPs, moving beyond the current self-regulation model.
- UPI lending integration: Pre-approved credit lines on UPI are expanding, creating new opportunities for NBFCs and their LSP partners to deliver instant credit at the point of transaction.
- Account Aggregator ecosystem maturity: The AA framework is enabling cash flow-based lending, reducing reliance on credit bureau scores and potentially opening the market to borrowers with thin credit files.
- Climate and green lending: RBI has signaled interest in frameworks for green digital lending, which could create new product categories for lending platforms focused on sustainable finance.
Based on our experience working with over 500 fintech and NBFC clients, the biggest mistake new digital lending startups make is underestimating the compliance timeline. Technology can be built in 3 to 6 months, but regulatory approvals, policy documentation, and banking partnerships take 6 to 12 months. Start the compliance workstream in parallel with technology development to avoid a situation where your app is ready but you cannot operate.
Digital Lending Compliance Checklist for 2026
Use this checklist before launching your digital lending operations. Every item on this list is derived from current RBI guidelines and applicable laws.
| # | Compliance Item | Applicable To | Status |
|---|---|---|---|
| 1 | NBFC CoR from RBI (or RE partnership agreement) | RE / LSP | Required before operations |
| 2 | Private Limited Company incorporation | All entities | Required |
| 3 | Net Owned Fund maintenance (₹2 crore minimum) | RE only | Ongoing |
| 4 | GST registration | All entities | Required before invoicing |
| 5 | KYC/AML policy (board-approved) | RE / LSP | Required |
| 6 | Fair Practices Code | RE | Required |
| 7 | Key Fact Statement (KFS) template | RE / DLA | Required for every loan |
| 8 | Cooling-off period policy | RE | Board-approved, disclosed to borrowers |
| 9 | FLDG policy (if applicable) | RE / LSP / DLA | Within 5% cap, board-approved |
| 10 | Data localization (India-based servers) | All entities | Mandatory |
| 11 | DPDP Act compliance (privacy policy, consent framework) | All entities | Required |
| 12 | App permissions limited to camera, mic, location | DLA | Mandatory |
| 13 | Credit bureau integration and reporting | RE | Mandatory for all loans |
| 14 | Grievance redressal officer (details on app and website) | RE / DLA | Mandatory |
| 15 | ISO 27001 or equivalent security certification | All entities | Recommended (mandatory for some RE partnerships) |
| 16 | Annual IT security audit | RE / LSP | Annually |
| 17 | RBI regulatory returns (NBS-7, ALM, etc.) | RE only | As per RBI schedule |
| 18 | SRO membership (FACE or equivalent) | All entities | Recommended |
Get End-to-End Regulatory Support for Your Lending Business
From company registration to NBFC licensing and ongoing compliance, our team covers the entire regulatory lifecycle.
Talk to Our Legal TeamChoosing the Right Entity Structure for Digital Lending
Entity selection is not a formality for digital lending businesses. It determines what licences you can apply for, how you raise capital, and your compliance obligations going forward.
Private Limited Company (Recommended)
A Private Limited Company is the only viable option for any digital lending business that plans to apply for an NBFC licence. RBI does not issue lending licences to LLPs, partnerships, or sole proprietorships. Beyond regulatory eligibility, a Pvt Ltd structure enables equity fundraising, ESOPs for the tech team, and structured governance that investors and banking partners expect.
LLP or Partnership (Limited Use)
An LLP can work if you are building a pure technology or consulting business that supports digital lending (such as a credit scoring algorithm provider or a compliance tools vendor) but does not itself participate in lending, loan processing, or borrower-facing operations. The moment your business model touches lending activities, you need a company structure.
Summary
Starting a digital lending business in India in 2026 requires navigating a well-defined regulatory framework centred on the RBI Digital Lending Guidelines of September 2022 and the FLDG norms of June 2023. The three routes available are NBFC registration (₹2 crore NOF, own balance sheet lending), NBFC-P2P registration (₹2 crore NOF, marketplace model), or LSP partnership (no minimum capital, facilitation model). Regardless of the route, data privacy, transparent pricing through the Key Fact Statement, and borrower protection through the cooling-off period are non-negotiable compliance requirements. The first step for every digital lending founder is incorporating a Private Limited Company and building a clear, realistic business plan before approaching RBI or potential RE partners.
Ready to Launch Your Digital Lending Business?
Start with company registration and NBFC advisory. Our fintech compliance team has helped 500+ startups navigate RBI regulations.
Get Started with NBFC RegistrationFrequently Asked Questions
What is digital lending under RBI guidelines?
Who regulates digital lending in India?
What are the three categories of digital lending entities?
How much does NBFC registration cost for a digital lending business?
What is the FLDG cap under RBI digital lending rules?
Can a lending app operate without an NBFC licence?
What are the KYC requirements for digital lending platforms?
- Aadhaar-based e-KYC or Video-KYC (V-CIP) for digital onboarding
- PAN verification for all borrowers
- Customer Due Diligence (CDD) before loan disbursal
- Ongoing monitoring and Suspicious Transaction Reports (STRs) to FIU-IND
- Enhanced due diligence for high-risk borrowers
What is the cooling-off period in digital lending?
What data can digital lending apps access on a borrower's phone?
How does digital lending differ from traditional bank lending?
What are the penalties for non-compliance with RBI digital lending guidelines?
What is a Lending Service Provider (LSP) under RBI rules?
What documents are required for NBFC registration for digital lending?
- Certificate of Incorporation of the company (must be a company under Companies Act, 2013)
- Memorandum and Articles of Association with NBFC objects
- Board resolution authorizing the NBFC application
- Net Owned Fund certificate from a CA (minimum ₹2 crore)
- Business plan for 3 to 5 years
- Directors' profiles, PAN, Aadhaar, and CIBIL reports
- Last 3 years' audited financial statements
- IT infrastructure and data security policy documents
