Don’t Sell Me This Pen: RBI Prohibits Lending Service Providers From Playing Salesmen 

While promoting financial inclusion, rapid evolution of the digital lending sector in India simultaneously ushered in grave consumer protection risks in the form of opaque pricing, aggressive collection methods, and misuse of personal data. To address these systemic vulnerabilities, the Reserve Bank of India (RBI) promulgated the comprehensive Reserve Bank of India (Digital Lending) Directions, 2025 (DL Directions), which was effective May 8, 2025, consolidating the prior guidance and superseding it.[i] These Directions are rooted in the RBI’s mandate under the Banking Regulation Act, 1949, and the Reserve Bank of India Act, 1934, to ensure orderly growth and protect borrowers’ interests.[ii]  

Most importantly, the DL Directions structurally redefine the permissible function of LSPs. The provisions related to multi-lender arrangements, which will come into force on November 1, 2025, constitute a studied legal measure aimed at blocking the ability of LSPs to undertake any discriminatory promotional or sales-type behaviour and, in effect, bar them from performing the role of salesmen for preferred as Regulated Entities (RE).[iii] The onus is now shifted upon the REs for ensuring fair market conduct while significantly strengthening the consumer protection mechanism against informational asymmetry. 

1. The Statutory Mandate for Neutral Marketplaces 

The essence of the “salesman ban” lies in the increased transparency requirements for multi-lender platforms. [iv] If one LSP is integrated with multiple REs (commercial banks, NBFCs, etc.), the platform has to display a digital view of all loan offers that match the borrower’s request. [v] Such a list needs to be unbiased and objective. 

Accordingly, the Directions prohibit the use of dark patterns or deceptive designs by the LSP, which are intended to influence the borrower towards a particular product. [vi] This is also in line with the larger intent of the Consumer Protection Act, 2019, to address “unfair trade practices” and misleading representations, operationalizing these concepts within the arena of digital finance. [vii] Dark patterns are known legal concepts under extant guidelines, referring to user interface tricks that aim at misleading consumers. [viii] 

The lender must provide comprehensive information upfront, prior to the borrower accepting any offer, giving the name of the RE, loan tenor, Annual Percentage Rate (APR), monthly repayment obligation, and all penal charges. [ix] Most importantly, a prominent link to the Key Fact Statement (KFS) must be provided for each RE offering a loan, reinforcing the principle of informed consent. [x] The KFS standardization ensures disclosure of the all-inclusive cost of the digital loan (APR) and other penal charges in accord with the RBI’s April 2024 circular on KFS and August 2023 circular on penal charges. [xi] Any charges that are not disclosed in the KFS cannot be levied later. 

2. Absolute Accountability and Non-Delegable Duty 

The DL Directions formalize the legal relationship between the regulated lender and its technology partner through a mandatory contractual framework.^xii All engagements must be premised on a formal contract laying out the roles, rights, and obligations of the RE and the LSP. [xiii] 

The foregoing formalization is layered with an enhanced due diligence mandate on the part of the RE prior to engagement, relating to the technical capability, data privacy robustness, and history of fair conduct of the LSP. [xiv] The RE is also obliged to periodically review the performance of the LSP. 

The most far-reaching factor in the context of legal responsibility is the enunciated principle that no outsourcing agreement shall dilute or absolve the RE of its obligations, the RE remains fully responsible and liable for all acts and omissions of the LSP. [xv] Thus, it crystallizes the doctrine that there can be no delegation of financial duty of care-a doctrine already quite well settled through decisions on the liability of a regulated financial entity for the acts of its agents. For example, in matters concerning banking regulation, the Supreme Court has expressed the RBI’s role as a watchdog for ensuring compliance, and the tenet of a lender being accountable for the activities it outsources has long been established under Indian law. All customer complaints and grievances arising in respect of a Digital Lending Application (DLA) should, therefore, be handled by the concerned RE directly, notwithstanding whether the DLA is offered through a DLA operated by the RE or the LSP. [xvi] 

3. Data Sovereignty and the Right to Informational Privacy 

This crackdown on unrestrained LSP influence includes strict data-handling norms, essential in the protection of informational privacy-a basic right that the Supreme Court has recognized in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). [xvii] 

The DL Directions implement data minimization and explicit consent strictly. DLAs are not permitted to use sensitive mobile phone resources such as contact lists, call logs, or media files, any one-time access, say camera for KYC, has to be explicitly provided with audit trails. The borrower is also empowered with the right to withdraw consent to use data and request explicitly that the RE/LSP delete/forget data, in case the data is no longer needed. This is in tune with Section 43A of the Information Technology Act, 2000, which provides for compensation for failure to protect sensitive personal data. [xviii] 

Furthermore, the Directions stipulate that all borrower data must be stored only on servers located in India. One such procedure goes on to provide that when data is processed out of India, it shall be deleted from foreign servers and brought back to India within 24 hours. [xix] This stringent data localization policy increases legal certainty and supervisory control over sensitive financial information. [xx] 

4. Legal and Economic Impact 

The DL Directions introduce a clear paradigm shift, changing the digital lending industry toward a governance-heavy model. 

The immediate effect is more responsibility for REs, which, accordingly, can no longer pass on operational or reputational risk to their fintech partners. The need for significant investment in majorly robust internal compliance, audit systems, and heightened partner monitoring is demanding. For LSPs, biased marketing restrictions, together with onerous compliance burdens around UI neutrality and strict data practices, have resulted in a tougher regime and higher operational costs. Smaller players might find meeting the financial and technological requirements of this compliance readiness quite challenging. Ultimately, the aim is to increase consumer confidence and transparency. By ensuring that LSPs act as transparent aggregators and not as commissioned salesmen, the Directions minimize the risk of mis-selling and fraudulent activities. This should result in much better protection for the borrowers, even if it does lead to a reduced conversion rate for platforms previously reliant on hard-selling techniques. In other words, RBI exercised its regulatory authority to reinvent the digital loan platform as a highly regulated e-display platform, where the product owner (the RE) is fully liable, and the displayer (LSP) has to ensure neutrality in display, a much-needed intervention that anchors digital innovation within the rich continuing consumer protection jurisprudence in India. Made of sand, non-clastic sedimentary rock is formed from mineral and rock fragments.  

For more details, write to us at: contact@indialaw.in