RBI's digital lending rules aren't a compliance patch. They're four permanent states in your loan engine.
A 2022 fund-handling ban, a 2025 lender registry, and a recovery-hours rule landing 1 July 2026 — mapped onto the loan lifecycle your code has to track.
On 1 July, recovery agents at every regulated lender in India lose the right to call a borrower before 8 AM or after 7 PM. That's the line most fintech compliance newsletters led with this week. It is also the smallest of four changes inside RBI's digital lending rules that actually reach into a loan-servicing codebase.
The framework did not arrive as one document. It has been built in layers since 2022: a circular that banned lending service providers from ever touching loan money, a 2025 set of Directions that consolidated years of circulars and added a public registry of approved lending apps, and now, in 2026, a conduct amendment that puts a hard clock on debt collection. Compliance teams have treated each layer as a separate, one-time launch: ship the disclosure, file the registration, brief the collections desk. Teams that build the underlying systems are the ones who will keep re-discovering, for the next two years, that none of these are one-time.
None of the four is a copy change. Each is a state a loan record has to carry for its entire life, a clock a scheduler has to obey regardless of when a batch job fires, or a dependency on a registry the company doesn't control. Below is what each piece actually requires, mapped onto the loan lifecycle rather than the compliance memo.
Pillar one (2022): the lending service provider never touches the money
Most large digital lending apps in India are not the actual lender. A regulated entity, a bank or an NBFC, originates and funds the loan, while a separate lending service provider (LSP) handles the parts borrowers actually see: the app, the onboarding flow, sometimes the underwriting model. RBI's original digital lending circular, from September 2022, drew a sharp line through that split: the LSP is never allowed to be a custodian of loan funds in either direction. Disbursal has to move directly from the regulated entity's account into the borrower's own bank account, and repayment has to move the same way back. The only carve-outs are physical cash recovery on already-delinquent loans, where a digital transfer genuinely isn't practical, and co-lending arrangements between two regulated entities.
Plenty of fintech-NBFC partnerships built before 2022 used a pooled or nodal account sitting between the two parties, convenient for reconciliation, incompatible with this rule. Rebuilding around it meant the disbursal path had to originate from the lender's core banking system or treasury rails, not the fintech's own payment gateway, even when the fintech's app is where the borrower clicked accept. The LSP's role in the money path becomes purely instructive: it can tell the lender's system to disburse, but it can never be the account the money sits in, even for a few hours.
Pillar two: the cooling-off period is a loan state, not a clause in the Key Fact Statement
Every digital loan now carries a mandatory cooling-off, or look-up, period, disclosed in the borrower's Key Fact Statement before they accept. RBI leaves the exact duration to each regulated entity's board to set and disclose, which in practice clusters around one to three days depending on tenure. During that window the borrower can exit by repaying the principal plus the proportionate annual percentage rate for the days the loan was live, no prepayment penalty, and the lender has to refund the processing fee, keeping only genuine pass-through costs such as stamp duty or a one-time KYC check.
The part that's easy to under-build is the instruction that the exit has to be exactly as digital and frictionless as the loan application itself. A call-our-support-line-to-cancel flow doesn't satisfy that. A real implementation needs a loan record that enters a cooling_off state at disbursal, carries its own expiry timestamp computed from the board-set window, runs a fee-proration calculation if the borrower exits early, and blocks the loan from transitioning to a fully active, collections-eligible state until that window closes or the borrower affirmatively keeps the loan. RBI also bars the lender from calling the borrower to talk them out of exiting during this window, which means any retention or win-back trigger in a marketing or collections system has to know to suppress itself specifically while a loan sits in this state, not just respect a general contact-frequency cap.
Pillar three (2025): the app you ship has to match a registry you do not control
The Reserve Bank of India (Digital Lending) Directions, 2025 consolidated years of separate guidance and added something genuinely new: a public registry of every Digital Lending App (DLA) deployed by a regulated entity. Lenders had to furnish details of each app through RBI's Centralised Information Management System by 15 June 2025; the public directory went live on RBI's website from 1 July 2025; and the broader framework became fully effective from 1 January 2026. An app not listed is, by definition, unauthorised, a status that used to take RBI enforcement action to establish and now takes one visit to a public web page.
In practice, the registry isn't a form a compliance team files once per company. It's a dependency that has to be checked per product surface. A new white-label loan flow for a partner brand, a new co-branded credit line, a new NBFC tie-up: each is a separate entry that has to exist and stay current in RBI's directory before that specific surface goes live, and there's no API for checking it. Anyone responsible for a launch checklist for a new lending product now has a step that says go check the RBI page, an unusual thing to find in a deploy pipeline. The same Directions also tightened how data collected during underwriting can be reused: it's scoped to credit assessment, and reusing it for cross-sell marketing needs fresh, explicit consent rather than the blanket consent bundled into the original loan application.
Pillar four (2026): RBI's digital lending rules add a clock for recovery calls
The newest layer is the one making headlines this week. Under the recovery-conduct amendment due to take effect from 1 July 2026, recovery agents and lender staff cannot contact a borrower, by voice call, automated IVR, SMS, WhatsApp, or in person, before 8 AM or after 7 PM. They cannot contact family members who aren't co-borrowers, and they cannot use social media or messaging platforms to disclose a borrower's default status to anyone else.
The interesting failure mode here isn't lenders deliberately calling at midnight. It's that most collections dialers and SMS or WhatsApp campaign schedulers are built as batch jobs: a job kicks off at 7:55 PM because that's when the batch was scheduled, and by the time a call actually connects, or a message clears a telco queue, it's 7:04 PM and the contact attempt that left the system compliant arrives as a violation. That's a different engineering problem from a frequency cap. It needs a scheduler that's deadline-aware about actual delivery time, not initiation time, and it needs the contact list itself to carry a verified relationship field, because a phone number scraped from the loan application's emergency-contact field isn't the same thing as a verified co-borrower.
| Pillar | Introduced | What it requires of the system |
|---|---|---|
| LSP fund-handling ban | Sept 2022 circular | Disbursal and repayment move lender ↔ borrower directly; the LSP never holds funds |
| Cooling-off period | 2022 rule, standardised via 2025 Directions/KFS | A timed loan state with self-serve exit, fee proration, and a suppressed retention trigger |
| DLA public directory | Registered by 15 Jun 2025; live 1 Jul 2025 | Every loan-product surface must map to a current, listed entry before launch |
| Recovery contact window | Conduct amendment effective 1 Jul 2026 | Collections contact gated to 8 AM–7 PM at actual delivery time, to verified co-borrowers only |
The state machine these four rules are actually describing
Read together, the four pillars stop looking like four separate compliance projects and start looking like one diagram: a small number of states a loan record has to pass through, plus two external facts, the wall clock and a registry the company doesn't own, that the system has to check at specific transitions. Sketched out, it looks roughly like this:
created
-> kyc_verified
-> sanctioned [gate: product surface listed in RBI DLA directory]
-> disbursed [gate: funds move lender -> borrower directly, LSP never holds them]
-> cooling_off [timer: board-set window from KFS; blocks next edge until expiry
or borrower confirms; suppresses retention/win-back contact]
-> active
-> in_collections [gate: every contact checked against 8AM-7PM window
and verified co-borrower status, at send time]
-> closedEvery one of the four pillars attaches to a specific edge in that diagram, not to the loan record as a whole. The LSP fund-handling rule only matters at the disbursed transition. The cooling-off rule blocks the disbursed-to-active edge until its own timer expires. The DLA registry check belongs before sanctioned, gating whether this specific product surface is even allowed to originate a loan. The recovery contact window only matters inside in_collections, and only at the moment of an actual contact attempt, not at job-scheduling time.
What breaks when the rules get treated as a checklist instead of a model
The failures that actually show up are mundane, and they surface months after the go-live date the compliance team signed off on. A marketing automation platform keeps firing a win-back SMS to borrowers three days into a loan, because the campaign trigger checks days-since-disbursal rather than loan state, and nobody told marketing that cooling_off is a state that exists. A collections vendor's dialer is configured in a way that drifts against local time, so the 7 PM cutover silently slips by an hour during certain weeks. A partnerships team ships a new co-branded loan product through an existing NBFC tie-up, and because the registry filing has always been someone else's job, the product runs live, unlisted, for several weeks before anyone notices. A data pipeline backfills a marketing-eligible flag from old loan applications without checking whether fresh cross-sell consent was actually captured for that batch.
None of these show up in a pre-launch QA pass, because each one is correct at the moment of launch and wrong only once a specific edge case, a particular day, a particular product, a particular borrower's complaint, actually occurs.
The pattern worth watching beyond lending
What makes this framework worth a closer look outside fintech is the shape of the mistake, not the specifics of Indian lending law. Regulators increasingly hand engineering teams what reads like a one-time launch requirement and means a permanent invariant: a state that has to persist for the life of a record, a clock that has to be checked at the moment of action rather than the moment of scheduling, a registry that has to be reconciled on every new surface rather than once per company. Any regulated product, payments, healthcare data, insurance underwriting, tends to get the same kind of rule eventually. The teams that do well with this one will be the ones that built a state machine instead of a checklist the first time.
Frequently asked questions
Related reading
173 Indian IPOs are SEBI-approved and unlisted. The clock on that approval does not reset twice.
An SEBI IPO approval lasts 12 months, not indefinitely. The regulator's one-time extension to September 2026 already used the only lever on record, and roughly ₹2.7 lakh crore in approved listings still has not moved.
OCEN was pitched as 'UPI for credit'. Here's why that never happened
OCEN launched in 2020 to do for credit what UPI did for payments. NPCI and Sahamati publish their numbers every month. OCEN publishes none, and that absence explains more than any feature gap.
PhonePe holds 47% of UPI volume. NPCI's cap is 30%. Here's why no one can enforce it.
PhonePe holds 47% of UPI volume against NPCI's 30% cap, six months from the December 2026 deadline. Enforcement keeps slipping because the only lever NPCI defined can't shrink volume that's already there.