RBI Digital Lending and Payment Aggregator Directions, 2025 — a practitioner reference

ControlForge free guide · 2026-05-24 · Reflects RBI (Digital Lending) Directions, 2025 effective 8 May 2025 + RBI (Payment Aggregators) Directions, 2025 effective 15 September 2025


Quick reference

  • Applies to: for Digital Lending — all RBI Regulated Entities (banks, NBFCs, AIFIs) engaged in digital lending, and their Lending Service Providers (LSPs); for Payment Aggregators — all non-bank Payment Aggregators (PAs) and bank PAs offering payment aggregation services. Payment Gateways (PGs) are encouraged but not mandated.
  • Mandatory or voluntary: mandatory regulation under the Banking Regulation Act, RBI Act, and Payment and Settlement Systems Act, 2007.
  • Year published: RBI (Digital Lending) Directions, 2025 notified 8 May 2025; multi-lender arrangements provisions effective 1 November 2025; DLA reporting effective 15 June 2025. RBI (Payment Aggregators) Directions, 2025 issued 15 September 2025.
  • Issuing body: Reserve Bank of India, Department of Regulation (DoR) and Department of Payment and Settlement Systems (DPSS).
  • Penalties: monetary penalties under Section 47A of the Banking Regulation Act and Section 30 of the Payment and Settlement Systems Act; supervisory action including restrictions on customer onboarding, removal from approved-aggregator list, and licence conditions. Recent enforcement actions in the digital-lending and PA sectors have reached ₹5 crore per violation.
  • ControlForge density: 22 controls curated across both Directions; cross-walked with RBI CSF, ITGRCA, ITO 2023, DPDPA, and CERT-In Direction 70B.

What it is

The 2025 directions are a consolidation and modernisation of India's digital-lending and payment-aggregator regulatory framework. They replace a patchwork of earlier circulars that had accumulated since 2020–2023 with two coherent Master Directions:

RBI (Digital Lending) Directions, 2025 (notified 8 May 2025) consolidates and supersedes:

  • Guidelines on Digital Lending dated 2 September 2022 + FAQs dated 14 February 2023.
  • Guidelines on Default Loss Guarantee in Digital Lending dated 8 June 2023 + FAQs through November 2024.
  • Fair Practices Code and Outsourcing Guidelines for digital lending arrangements.

RBI (Payment Aggregators) Directions, 2025 (issued 15 September 2025) consolidates the PA framework that had been built up through guidelines from 2020 onwards covering: PA authorisation requirements; non-bank PA settlement standards; merchant onboarding obligations; technology and cyber requirements; merchant due diligence; and customer-facing fund-flow controls.

The 2025 instruments are not regulatory overhauls — they consolidate existing requirements into single, navigable Master Directions and add specific provisions for emerging risk areas:

For Digital Lending, the new material includes:

  • Multi-lender arrangements: requirements for transparency when a borrower is offered loans from multiple REs through a single LSP-operated platform.
  • DLA reporting to CIMS: every Digital Lending App (DLA) used by an RE or its LSP must be reported to RBI's Centralised Information Management System with structured details (ownership, grievance officer, compliance certifications), maintained as a public directory.
  • Chief Compliance Officer (CCO) certification that all digital lending workflows comply with the Directions.

For Payment Aggregators, the new material includes:

  • Refined merchant onboarding due diligence with proportionate KYC and ongoing monitoring.
  • Settlement and escrow management with clear separation between PA funds and merchant settlement amounts.
  • Cyber resilience integration with the RBI Cyber Resilience for Payment System Operators framework from July 2024.

These instruments sit at the intersection of consumer protection, prudential regulation, and cybersecurity — the digital-lending sector has been a focus of consumer-protection concern in India through 2022–2025, and the PA sector has expanded rapidly as the merchant-acquiring rails for UPI-driven payment growth.


Structure at a glance

RBI (Digital Lending) Directions, 2025 is organised into 19 paragraphs covering:

  • Para 1-2 — Preliminary: definitions, applicability.
  • Para 3-5 — Scope and Coverage: what constitutes digital lending; applicable arrangements; carve-outs.
  • Para 6 — Multi-Lender Arrangements: transparency, borrower consent, lender disclosure (effective 1 November 2025).
  • Para 7-9 — Lending Service Provider Arrangements: due diligence on LSPs; contractual coverage; conduct standards.
  • Para 10-11 — Fund Flow and Disbursal: direct disbursement to borrower; restriction on pass-through; cooling-off period.
  • Para 12-13 — Borrower Protection: Key Fact Statement (KFS) format; APR disclosure; cool-off period and exit rights.
  • Para 14-15 — Data Privacy and Security: borrower data handling; security obligations of REs and LSPs; CERT-In and DPDPA cross-references.
  • Para 16 — Default Loss Guarantee (DLG): capped at 5% of disbursed portfolio; permitted instruments (cash, FD, bank guarantee); 120-day invocation; monthly portfolio reporting.
  • Para 17 — DLA Reporting: registration with CIMS (effective 15 June 2025).
  • Para 18-19 — Grievance Redressal, Repeal, Interpretation.

RBI (Payment Aggregators) Directions, 2025 is organised into similar chapters covering:

  • Authorisation and net-worth requirements for non-bank PAs.
  • Merchant onboarding and ongoing due diligence.
  • Settlement, escrow, and fund flow.
  • Technology, security, and cyber resilience.
  • Customer-facing controls and dispute handling.
  • Reporting and inspection.

Annexures provide baseline technology recommendations (Annexure 1 of PA Directions) that PGs are encouraged to adopt voluntarily.


Who must comply

Digital Lending Directions apply to:

  • All RBI-Regulated Entities (REs) engaged in digital lending or arranging digital loans through LSPs: Scheduled Commercial Banks, NBFCs (all categories, including Base Layer where they engage in digital lending), AIFIs.
  • Lending Service Providers (LSPs) engaged by REs to perform digital lending functions (customer acquisition, underwriting support, servicing, monitoring, recovery). LSP obligations are flowed down via the LSP–RE agreement and the RE's outsourcing oversight.

Digital lending is defined broadly: any remote-and-automated process leveraging digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery, and customer services. Both REs and their LSP networks are in scope.

Payment Aggregator Directions apply to:

  • Non-bank Payment Aggregators: entities authorised by RBI under the Payment and Settlement Systems Act to facilitate online and offline merchant onboarding and aggregate payments.
  • Bank Payment Aggregators: banks offering PA services follow the directions to the extent applicable.
  • Payment Gateways (PGs) — as defined in Para 4(j) of the PA Directions — are outside the binding scope but are encouraged to adopt the baseline technology recommendations in Annexure 1.

Carve-outs for Digital Lending include:

  • EMI programmes on credit cards (governed by the Master Direction on Credit Card and Debit Card Issuance, 2022).
  • Pure offline lending arrangements with no digital component.

A common scoping consideration: a payment aggregator that also functions as an LSP for an RE faces both Directions — PA Directions for its merchant-acquiring activities, Digital Lending Directions for its LSP activities. Both sets of obligations apply concurrently.


Core obligations

Walking the major obligations across both Directions.

Digital Lending Directions, 2025

LSP due diligence and oversight (Para 7-9). REs must conduct documented due diligence on LSPs before engagement and on an ongoing basis, covering financial soundness, governance, cyber security posture, compliance history, and references. Contractual coverage includes right to audit, data protection obligations, breach notification flow-back, exit assistance, and sub-contracting controls. Maps into ControlForge clusters cl-supplier-policy, cl-cloud-shared-responsibility, and cl-supply-chain-risk.

Fund flow and disbursement (Para 10-11). Loan disbursement is direct from the lender's account to the borrower's account; no pass-through via the LSP's bank account; repayments flow back through standard banking channels. This forecloses LSP-controlled fund routing that had been a feature of problematic digital-lending arrangements pre-2022. Maps into cl-payments-and-settlements.

Borrower-facing transparency (Para 12-13). A standardised Key Fact Statement (KFS) in prescribed format with all material loan terms: lender identity, APR, all fees, repayment schedule, recovery process, cooling-off period. APR disclosure with a defined calculation methodology. Cooling-off period during which the borrower can exit without prepayment penalty.

The KFS is one of the most consequential consumer-protection provisions. It standardises what borrowers see at the loan-offer stage across REs and LSP platforms, allowing direct comparison and informed consent. The APR calculation methodology — prescribed in detail — covers all fees, processing charges, insurance premia, and similar costs contributing to the borrower's effective cost. Where the borrower's experience is mediated through an LSP platform offering multiple lenders, each lender's KFS must be presented separately and clearly. Maps into cl-customer-security and cl-consumer-disclosure.

Data privacy and security (Para 14-15). Borrower data may only be collected with explicit consent for specified purposes; storage and processing comply with CERT-In Direction 70B and (from May 2027) DPDPA; LSPs follow the security requirements of the RE; data residency within Indian jurisdiction except where specifically permitted; data retention limited to defined periods post-loan-closure. Maps into cl-data-classification, cl-personal-data-erasure, cl-encryption, and cl-cross-border-transfer.

Default Loss Guarantee — DLG (Para 16). Where an RE arranges DLG cover from an LSP or other party, the DLG is capped at 5% of the disbursed loan portfolio, in permitted instruments (cash, fixed deposit, bank guarantee); the DLG must be invoked within 120 days of default; monthly disclosure of DLG portfolio details on the RE's website within 7 working days. DLG complements but does not replace robust credit underwriting. Maps into cl-credit-risk and cl-risk-management.

DLA reporting to CIMS (Para 17, effective 15 June 2025). Every Digital Lending App used by an RE or its LSPs must be reported to RBI's CIMS portal with prescribed structured details. RBI publishes a public directory based on these submissions; inclusion does not equate to endorsement but absence flags potential non-compliance. Maps into cl-mandatory-audit and cl-incident-reporting-external.

Multi-lender arrangements (Para 6, effective 1 November 2025). Where an LSP-operated platform offers loans from multiple REs to a borrower, transparency requirements apply: which RE the loan is from, comparison of offers, no preferential routing without disclosure, borrower consent for any data sharing across lenders. Maps into cl-consent-management and cl-data-subject-rights.

CCO certification. The Chief Compliance Officer of each RE is accountable for certifying that all digital lending workflows comply with the Directions. This is a personal accountability mechanism reinforcing ITGRCA's CCO independence requirements.

Payment Aggregator Directions, 2025

Authorisation and net worth. Non-bank PAs require RBI authorisation under the PSS Act; minimum net worth ₹15 crore (₹25 crore within three years of authorisation). Bank PAs follow the directions but do not require separate authorisation.

The authorisation regime is consequential for market entry. Non-bank PAs operating without authorisation as of 2024-2025 had to either obtain authorisation, exit the PA business, or be absorbed by an authorised PA. The 2025 Master Direction consolidates the authorisation requirements and the operational obligations into a single instrument, replacing the patchwork of authorisation conditions that had evolved since 2020. New entrants face a structured authorisation pathway; existing operators face periodic re-affirmation of authorisation conditions.

Merchant onboarding and KYC. Risk-based merchant due diligence proportionate to merchant category; ongoing monitoring of merchant activity for fraud and money laundering indicators. Higher-risk merchant categories (gaming, lending, crypto-adjacent) face enhanced due diligence. Maps into cl-third-party-due-diligence and cl-aml-monitoring.

Settlement and escrow. Strict separation between PA's own funds, merchant settlement amounts, and customer funds in transit. Escrow operation with prescribed settlement timelines (typically T+1 for merchant settlement). Reconciliation discipline with documented procedures. Maps into cl-payments-and-settlements and cl-segregation-of-duties.

Technology and cyber resilience. PA technology infrastructure follows the RBI Cyber Resilience and Digital Payment Security Controls 2024 (the parallel Master Direction for non-bank PSOs). Annexure 1 baseline technology recommendations include: secure software development, TLS 1.2+ minimum, MFA for administrative and high-value transactions, log retention 12 months with 90 days immediately accessible, regular VAPT, incident response with CIMS 6-hour notification, BCP and DR. Maps into cl-cryptography, cl-multi-factor-authentication, cl-vapt-cycle, cl-logging, and cl-bcp-ict-readiness.

Customer-facing controls. Two-factor authentication for high-value transactions; risk-based authentication for risky transaction patterns; transparent customer-facing fee disclosure; dispute resolution with prescribed SLAs; consumer-grievance redressal mechanism. Maps into cl-customer-security and cl-fraud-detection.

Reporting and inspection. Periodic reporting to RBI in prescribed formats; RBI inspection authority; CIMS reporting for cyber incidents within 6 hours. Maps into cl-incident-reporting-external.


How auditors test it

For Digital Lending arrangements:

  • CCO compliance certification is the structural anchor. Inspectors review the CCO's certification process — what controls were tested, what evidence was reviewed, what gaps were closed.
  • DLA inventory and CIMS reporting are scrutinised: every DLA in use must appear on the CIMS submission; ownership trails must reconcile.
  • LSP due diligence files are sampled — typically 3–5 critical LSPs reviewed in depth.
  • KFS and APR disclosure are reviewed by sampling actual loan documents.
  • DLG arrangements reviewed for 5% cap compliance, permitted-instrument verification, 120-day invocation discipline, monthly portfolio disclosure.
  • Fund flow verified through sample loan tracing — disbursement from lender to borrower without LSP pass-through.

For Payment Aggregators:

  • Authorisation status verified at the start.
  • Net worth verified through latest audited financials.
  • Merchant onboarding files sampled across risk categories; KYC evidence reviewed.
  • Escrow and settlement verified through reconciliation reports; settlement-timeline adherence checked.
  • Technology and cyber evidence: VAPT reports, CIMS submission history, BCP test reports, MFA enforcement evidence.
  • Customer-facing controls: transaction OTP, risk-based authentication, grievance handling SLA evidence.

Three audit pathways:

  • RBI supervisory inspection by DoR (for digital lending) or DPSS (for PA), risk-based.
  • Internal audit / IS audit as required by parallel ITGRCA obligations.
  • External cyber audit by CERT-In empanelled firms.


How it relates to other frameworks

Both Directions integrate tightly with RBI's broader regulatory stack:

  • RBI ITGRCA 2023: governance umbrella; the CCO independence and IS Audit chapter apply to digital lending and PA operations of in-scope REs.
  • RBI CSF 2016: operational cyber controls for banks; layered on top of digital-lending operations.
  • RBI Master Direction on IT Outsourcing 2023: LSP arrangements are IT outsourcing arrangements; ITO 2023 applies in addition.
  • RBI Cyber Resilience and Digital Payment Security Controls 2024: the cyber-resilience layer for non-bank PSOs, including non-bank PAs.
  • CERT-In Direction 70B: 6-hour incident reporting applies in parallel.
  • DPDPA 2023 + Rules 2025: borrower data is personal data; DPBI breach notification from May 2027 layers on RBI reporting.
  • NPCI / UPI / IMPS rules: PA and digital-lending operations frequently touch UPI rails; NPCI requirements apply concurrently.

ControlForge cross-walks the 2025 Directions with the operational frameworks (CSF, ITO 2023) and with DPDPA so that REs can satisfy overlapping compliance via unified evidence.


Common pitfalls

Five recurring failure patterns:

  1. DLA inventory incomplete in CIMS. The RE reports its own DLAs but misses LSP-owned DLAs being used to acquire customers. Fix: comprehensive DLA inventory inclusive of LSP-owned apps; documented owner-and-RE relationship for each.

  2. Fund flow violations through LSP accounts. Some legacy arrangements route disbursement through LSP nominee accounts; the 2025 Directions foreclose this. Fix: end-to-end fund-flow review per loan product; direct-to-borrower disbursement.

  3. KFS format non-compliant. The Key Fact Statement format is prescribed; some KFS implementations omit specific required fields or fail the standardised APR calculation. Fix: KFS template review against the prescribed format; APR calculation test against worked examples.

  4. DLG above the 5% cap or in non-permitted instruments. Permitted instruments are cash, FD, bank guarantee — corporate guarantees and insurance-style covers are not permitted. Some legacy DLG arrangements exceed 5% or use non-permitted instruments. Fix: DLG portfolio review; renegotiation where cap exceeded; instrument validation.

  5. Multi-lender platform transparency missing. LSPs operating multi-lender platforms may default to a single-lender presentation; the November 2025 multi-lender provisions require borrower-visible disclosure of all available lenders. Fix: UX review of multi-lender platforms; borrower-consent flow for cross-lender data sharing.
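A reconciliation check for pitfall 1 above and for the auditors' DLA-inventory test, as an added example that is not part of the original guide or of any RBI or ControlForge tooling. The record fields (platform, app_id, owner, re_name) and all sample records are constructed assumptions; the actual CIMS submission format is not reproduced here.

```python
"""Reconcile DLAs observed in use against the RE's CIMS submission.

Field names and sample records are constructed for illustration; they are
not the CIMS submission schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dla:
    platform: str      # e.g. "android", "ios", "web"
    app_id: str        # package name, bundle ID or hostname
    owner: str         # legal entity that owns the app (RE or LSP)
    re_name: str = ""  # RE the app lends for; "" means undocumented


def _key(d):
    # Sources disagree on case and stray whitespace, so normalise the key.
    return (d.platform.strip().lower(), d.app_id.strip().lower())


def _norm(s):
    return " ".join(s.lower().split())


def reconcile(cims_reported, observed_in_use):
    """Return findings by type; each value is a sorted list of (platform, app_id)."""
    reported = {_key(d): d for d in cims_reported}
    observed = {_key(d): d for d in observed_in_use}
    findings = {
        # In use by the RE or its LSP network but absent from the submission.
        "unreported": sorted(observed.keys() - reported.keys()),
        # Reported but not seen in use: retired app or incomplete discovery.
        "stale": sorted(reported.keys() - observed.keys()),
        "owner_mismatch": [],   # ownership trail does not reconcile
        "missing_re_link": [],  # no documented owner-and-RE relationship
    }
    for k in sorted(observed.keys() & reported.keys()):
        if _norm(reported[k].owner) != _norm(observed[k].owner):
            findings["owner_mismatch"].append(k)
    for k in sorted(reported):
        if not reported[k].re_name.strip():
            findings["missing_re_link"].append(k)
    return findings


# Constructed sample: what the RE submitted.
CIMS_REPORTED = [
    Dla("android", "in.example.relend", "Example Finance Ltd", "Example Finance Ltd"),
    Dla("ios", "in.example.relend", "Example Finance Ltd", "Example Finance Ltd"),
    Dla("android", "com.lspone.quickloan", "LSP One Pvt Ltd", ""),
    Dla("web", "loans.oldbrand.example", "Example Finance Ltd", "Example Finance Ltd"),
]

# Constructed sample: apps found via LSP contracts and store listings.
OBSERVED_IN_USE = [
    Dla("Android", "in.example.ReLend ", "Example Finance Ltd"),
    Dla("ios", "in.example.relend", "Example Finance Ltd"),
    Dla("android", "com.lspone.quickloan", "LSP One Technologies Pvt Ltd"),
    Dla("android", "com.lsptwo.instacash", "LSP Two Pvt Ltd"),
]

if __name__ == "__main__":
    for kind, items in reconcile(CIMS_REPORTED, OBSERVED_IN_USE).items():
        print(f"{kind}: {items}")
```
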

For Payment Aggregators specifically:

  1. Escrow commingling with operational accounts. Strict separation is required; some PAs operate with overlap that surfaces in reconciliation. Fix: escrow segregation enforced through banking-arrangement and operational discipline; daily reconciliation evidence.

  2. Higher-risk merchant categories under-monitored. Onboarding KYC may be proportionate but ongoing monitoring weakens; fraud-prone merchant categories (gaming, lending intermediaries) need continued review. Fix: merchant-risk classification with ongoing-monitoring intensity tied to classification.

Enforcement patterns through 2025-2026. RBI's enforcement focus across the Digital Lending and PA sectors has evolved alongside the regulatory consolidation. Common enforcement themes include: (i) unauthorised digital lending operations — entities operating digital lending platforms without RE backing, increasingly subject to enforcement coordination with state authorities; (ii) DLA registration gaps — REs whose CIMS-registered DLA inventory does not match the apps actually in use by their LSP network; (iii) fund flow violations — disbursement structures using LSP nominee accounts or other indirect routing in violation of the direct-disbursement requirement; and (iv) PA escrow and settlement discipline — separation of customer funds, merchant settlements, and PA operational accounts. Public RBI orders and CIMS-published warning lists illustrate the enforcement vectors. Entities that maintain inspection-ready evidence of compliance with each major paragraph of the Directions tend to navigate enforcement risk more effectively than entities relying on contractual flow-down to LSPs without operational verification.


When to use this framework

Both Directions apply mandatorily to in-scope entities. Implementation considerations:

  • Sequencing the 2025 compliance build: most material was in force from 8 May 2025 (Digital Lending) and 15 September 2025 (PA); multi-lender provisions from 1 November 2025; DLA reporting from 15 June 2025. By mid-2026 most in-scope entities should be in full compliance with retrospective DLA registration and DLG normalisation complete.
  • Coordinated programme combining digital lending compliance, PA compliance, ITGRCA governance, ITO 2023 outsourcing, and CERT-In incident reporting is more efficient than treating each as a separate workstream.
  • CCO involvement is structural — the certification requirement makes the CCO accountable for digital-lending compliance; budget and authority for the CCO function need to match.
  • DPDPA 2027 integration: borrower personal data is in scope of DPDPA from May 2027; planning the DPDPA layer into the existing digital-lending compliance is more efficient than retrofitting.

Further reading

  • RBI (Digital Lending) Directions, 2025 — https://www.rbi.org.in/Scripts/NotificationUser.aspx
  • RBI (Payment Aggregators) Directions, 2025 — https://www.rbi.org.in/Scripts/NotificationUser.aspx
  • RBI Cyber Resilience and Digital Payment Security Controls, 2024 — https://www.rbi.org.in/
  • CIMS portal — https://cims.rbi.org.in/
  • RBI Master Direction on Credit Card and Debit Card Issuance, 2022 — https://www.rbi.org.in/
  • ControlForge clusters: cl-supplier-policy, cl-data-classification, cl-consent-management, cl-payments-and-settlements, cl-multi-factor-authentication, cl-incident-reporting-external, cl-vapt-cycle — the 2025 Directions cross-walked against RBI ITGRCA, CSF, ITO 2023, and DPDPA.

The cross-walk is particularly useful for entities operating across both regulatory regimes — for example, an NBFC offering digital lending through a PA-acquired merchant network, or a bank operating both as a digital lender and as a PA for its merchant services. The ControlForge cluster mapping surfaces the controls where evidence consolidates across the two Directions, reducing duplicate compliance effort.


This guide is a practitioner reference, not legal advice. It reflects the RBI (Digital Lending) Directions, 2025 (notified 8 May 2025) and the RBI (Payment Aggregators) Directions, 2025 (issued 15 September 2025), with publicly available RBI guidance as of 24 May 2026. Compliance teams should validate specific obligations against the current Master Direction text and counsel review.