Co-lending and multi-lender arrangements under RBI Digital Lending Directions 2025 — a 2026 reference
ControlForge free guide · 2026-05-24 · Reflects RBI (Digital Lending) Directions 2025 (notified 8 May 2025) with multi-lender provisions effective 1 November 2025
Quick reference
- The hard timing facts:
  - 8 May 2025: RBI (Digital Lending) Directions 2025 notified, consolidating earlier digital lending guidelines.
  - 15 June 2025: DLA (Digital Lending App) reporting to CIMS becomes operational.
  - 1 November 2025: Multi-lender arrangement provisions (Para 6) come into force.
  - Mid-2026: Active supervisory examination of multi-lender compliance and CIMS DLA registration.
- The structural innovation: the 2025 Directions explicitly address multi-lender arrangements — where an LSP-operated platform offers loans from multiple Regulated Entities (REs) to a borrower. This was a regulatory gap pre-2025 that fintech platforms had exploited; the Nov 2025 effective date closed it.
- Co-lending vs multi-lender — two distinct models with overlapping but distinct regulatory treatment:
  - Co-lending (RBI Co-Lending Master Direction 2020 / 2024 amendments) — two REs share the origination, funding, and risk of a single loan to a borrower.
  - Multi-lender (RBI Digital Lending Directions 2025 Para 6) — an LSP platform presents the borrower with offers from multiple REs; the borrower selects; each loan is from one RE.
- Audience: CCOs, CISOs, Heads of Digital Lending, Heads of Compliance at RBI Regulated Entities engaged in digital lending; LSPs operating multi-lender platforms; auditors and external counsel.
- ControlForge density: 22 controls across RBI DL/PA + co-lending overlay; cross-walked with RBI ITGRCA, ITO 2023, CSF, DPDPA, and CERT-In.
What changed on 1 November 2025
The multi-lender provisions in Para 6 of the 2025 Directions create explicit obligations for transparency, borrower consent, and lender disclosure in multi-lender arrangements. The core principle: a borrower interacting with an LSP-operated platform offering multiple lenders' loans must be able to:
- See which lenders are available, not just one default lender.
- Compare loan offers across the available lenders.
- Understand which lender's loan they are accepting, not have it presented as the LSP's generic offer.
- Consent to data sharing across lenders only with explicit per-lender consent.
- Receive the standardised Key Fact Statement (KFS) for each lender's offer.
The pre-Nov 2025 pattern that this targets: LSP platforms that captured borrower data, ran the data through underwriting models from multiple partner lenders in the background, presented one or two pre-selected "best matched" offers as the platform's recommendation, and processed the borrower's acceptance without clear disclosure of which lender they were accepting. This pattern was operationally efficient but obscured the lender-borrower relationship and reduced borrower comparison choice.
The five Para 6 obligations
1. Transparency at the offer stage. The LSP platform must show the borrower all available lenders' offers matching the borrower's profile, not just one. The presentation must enable comparison — APR, fees, tenure, repayment terms presented side by side per the standardised KFS format.
2. No preferential routing without disclosure. If the LSP has commercial arrangements with specific lenders that influence the order or visibility of offers (e.g. revenue share, exclusivity), this must be disclosed to the borrower. The "best match" presentation, where used, must be based on documented borrower-benefit criteria, not LSP commercial interests.
3. Borrower consent for cross-lender data sharing. The LSP cannot share the borrower's data across all partnered lenders without explicit borrower consent. The borrower must be able to select which lenders receive their underwriting data. This is a substantial UX departure from the pre-Nov 2025 pattern where consent was implicit in using the platform.
4. Per-lender KFS. Each lender's offer must be accompanied by the standardised Key Fact Statement (KFS) in the prescribed format, with that lender's identity, APR, all fees, repayment schedule, recovery process, cooling-off period. The borrower's loan acceptance specifically references the lender providing the loan.
5. Lender identity clarity in subsequent communications. Post-disbursement, the borrower's loan servicing, repayment, and any recovery communications must clearly identify the lending RE — not the LSP. The LSP's role as servicing agent (where applicable) must be clear, not blurring lender accountability.
How co-lending differs
The co-lending model (under the RBI Co-Lending Master Direction 2020, with subsequent amendments through 2024–25) is structurally different:
- Two REs share a single loan: typically a bank (with low-cost funds, branch network) and an NBFC (with priority sector expertise, underwriting depth) jointly fund a loan to a borrower.
- Risk and reward shared per pre-agreed ratio: typically 80:20 (bank:NBFC) with the priority-sector classification benefits flowing through.
- Single lender perspective for the borrower: from the borrower's viewpoint, this is one loan from "Bank X and NBFC Y" — the borrower interacts with one of the REs (typically the originating NBFC) as the primary servicer.
- Joint regulatory treatment: priority sector lending norms apply; the loan counts towards the RBI priority sector targets of one or both REs.
Co-lending pre-dates the 2025 Digital Lending Directions but the digital execution of co-lending (where applicable) is subject to the 2025 Directions' transparency and consent provisions. The KFS for a co-lending loan identifies both lenders.
CCO certification and CIMS DLA reporting
Two structural compliance mechanisms in the 2025 Directions:
CCO certification
The Chief Compliance Officer of each Regulated Entity is personally accountable for certifying that the RE's digital lending workflows comply with the 2025 Directions. Specifically:
- LSP arrangements properly documented and audit-defensible.
- Fund flow direct from the RE to the borrower (not pass-through via LSP nominee accounts).
- KFS format compliant with the prescribed standard.
- Multi-lender provisions implemented where the RE participates in multi-lender platforms.
- DLG (Default Loss Guarantee) arrangements within the 5% cap and permitted instruments.
- DLA inventory submitted to CIMS and current.
The CCO certification is typically annual, with mid-year refreshes on material change. Supervisory inspection examines the certification process: what controls were tested, what evidence was reviewed, what gaps were closed before certification was signed.
CIMS DLA registration
Every Digital Lending App used by the RE or its LSPs must be registered with RBI's CIMS portal under the structured DLA reporting format. The registration captures:
- DLA identity, ownership (RE-owned or LSP-owned), version.
- Grievance officer details.
- Compliance certifications held by the operator.
- Permitted activities (origination, servicing, recovery, customer service).
- Cross-references to the LSP arrangement under which the DLA operates.
The CIMS DLA directory is public. Inclusion does not equate to endorsement, but absence from the directory creates immediate supervisory exposure for any active digital lending operation. The directory is searched and referenced by:
- Borrowers checking the legitimacy of a digital lender.
- Sectoral regulators.
- Law enforcement investigating unauthorised digital lending.
- Compliance audits examining LSP networks.
The 15 June 2025 effective date means that by mid-2026 the directory has been operational for nearly a year. RBI has been actively flagging unregistered DLAs and pursuing entities operating without registration.
The fund flow rule — direct disbursement
Para 10–11 of the 2025 Directions reinforce the direct disbursement principle from the 2022 Digital Lending Guidelines: loan disbursement is direct from the lender's account to the borrower's account; no pass-through via the LSP's bank account. Similarly, repayments flow back through standard banking channels, not via the LSP.
This forecloses two patterns that had been operational pre-2022:
- LSP-controlled nominee accounts that intermediated the disbursement, creating opacity in fund flow and enabling skim-by-LSP patterns.
- LSP-collected repayments that were aggregated before forwarding to the lender, creating reconciliation complexity and enabling delay-by-LSP patterns.
The structural insight: the LSP is a service provider, not a quasi-lender. The fund flow remains lender-to-borrower directly.
Inspection focus: end-to-end fund-flow tracing per loan product. Inspectors sample 5–10 loans across the RE's digital lending volume and trace the fund flow to verify direct disbursement.
The 5% DLG cap and permitted instruments
The Default Loss Guarantee (DLG) is a financial arrangement where an LSP (or other third party) provides loss-absorption on the lender's behalf for a defined portion of the lender's digital lending portfolio. Para 16 of the 2025 Directions caps and structures DLG arrangements:
Cap: DLG capped at 5% of the disbursed loan portfolio covered by the DLG.
Permitted instruments:
- Cash deposit.
- Fixed deposit lien-marked to the lender.
- Bank guarantee.
Not permitted:
- Corporate guarantees from the LSP or third parties.
- Insurance-style covers from third-party insurers.
- Promissory notes.
- Lien on the LSP's future commissions.
Invocation: DLG must be invocable within 120 days of default. Pre-2022 arrangements that effectively converted the LSP into a substantive risk-bearer beyond the 5% cap are not compliant.
Disclosure: monthly portfolio disclosure of DLG details on the RE's website within 7 working days of month-end.
The structural intent: DLG complements, but does not replace, robust credit underwriting. The 5% cap prevents the LSP from becoming an effective credit risk-taker that should be regulated as a lender itself.
What good looks like in 2026
A mature 2026 digital lending compliance posture for an RE participating in single-lender or multi-lender arrangements:
Governance:
- Board-approved Digital Lending Policy aligned with the 2025 Directions.
- CCO accountability for digital lending compliance with documented certification process.
- Regular Board / Risk Committee oversight of digital lending volumes, performance, and compliance.
LSP management:
- LSP inventory with classification (originating LSP, servicing LSP, recovery LSP, multi-purpose LSP).
- Due diligence file per LSP with current refresh.
- ITO 2023-compliant contracts with each LSP.
- Right-to-audit exercised at least biennially per critical LSP.
- Ongoing performance monitoring with KPIs.
Multi-lender arrangements:
- Documented platform participation with each multi-lender LSP.
- Verified compliance with Para 6 transparency, comparison, and consent requirements.
- KFS format compliance per lender.
- Lender-identity clarity in borrower communications.
Fund flow:
- Direct lender-to-borrower disbursement architecture.
- Repayment flow through banking channels without LSP pass-through.
- Periodic reconciliation evidence.
KFS:
- Standardised KFS format per the prescribed template.
- Documented APR calculation methodology.
- KFS template review against the prescribed format annually.
Cooling-off period:
- Operational cooling-off mechanism with the prescribed terms.
- Borrower exit during cooling-off without prepayment penalty.
DLG:
- DLG portfolio reviewed quarterly for 5% cap and permitted instrument compliance.
- Monthly portfolio disclosure on the RE's website.
- 120-day invocation discipline.
DLA registration:
- DLA inventory complete and reconciled with active operations.
- CIMS registration current.
- LSP-owned DLA inventory captured in the RE's CIMS submission.
Data handling:
- Borrower data handling per DPDPA + CERT-In + the 2025 Directions Para 14–15.
- Indian-jurisdiction data residency.
- Defined retention with erasure on consent withdrawal or post-closure.
Customer protection:
- Cooling-off, KFS, APR transparency.
- Grievance mechanism with documented SLA.
- Recovery practices compliant with the 2025 Directions and broader RBI consumer protection.
Common failures in 2024–26
Five recurring patterns:
1. DLA inventory incomplete in CIMS. RE registers its own DLAs but misses LSP-owned DLAs being used to acquire customers. The LSP-owned DLA is still operating in the RE's name; the RE is accountable for CIMS registration coverage.
2. Fund flow violations through LSP nominee accounts. Legacy arrangements route disbursement through LSP-controlled accounts. The 2025 Directions foreclose this; supervisory examination identifies the pattern in the transaction sample.
3. KFS format non-compliant. Specific required fields omitted, or the standardised APR calculation methodology not followed. Common variants include omitting certain fee categories from the APR calculation and misrepresenting the cooling-off period terms.
4. DLG above the 5% cap or in non-permitted instruments. Legacy DLG arrangements above 5%; corporate guarantees or insurance-style covers in place of permitted instruments; 120-day invocation discipline not exercised.
5. Multi-lender platform transparency missing. LSP platforms operate with default single-lender presentation; the multi-lender provisions under Para 6 not implemented; borrower consent for cross-lender data sharing not captured.
Two further patterns specific to 2026:
6. CCO certification process underdeveloped. Annual CCO certification signed without structured controls testing. The certification is the artefact for inspection; insufficient process behind it is an inspection finding.
7. Recovery practices not refreshed against the 2025 Directions. Recovery activities continuing per pre-2025 standards; broader consumer-protection developments (RBI fair practices code applicability, recovery agent practices) not fully integrated.
How ControlForge supports this
Relevant clusters:
- cl-supplier-policy — LSP governance and oversight.
- cl-third-party-due-diligence — LSP due diligence.
- cl-payments-and-settlements — fund flow architecture.
- cl-consent-management — borrower consent capture.
- cl-data-classification — borrower data handling.
- cl-customer-security — customer-facing controls.
- cl-mandatory-audit — CCO certification + cyber audit cadence.
- cl-incident-reporting-external — incident handling per the 2025 Directions.
The synthesis surfaces the cross-walk between the 2025 Directions + RBI ITO 2023 + ITGRCA + CSF + DPDPA, allowing an RE to satisfy overlapping obligations through coordinated controls implementation.
A 60-day uplift plan
For RBI REs participating in digital lending and multi-lender arrangements:
Days 1–15: Inventory and gap analysis.
- DLA inventory refresh (RE-owned + LSP-owned).
- CIMS submission verification.
- LSP inventory with classification.
- Multi-lender platform participation inventory.
Days 16–30: Compliance posture review.
- KFS format compliance review across loan products.
- Fund flow tracing on sample loans.
- DLG portfolio review against 5% cap and instrument permissibility.
- Multi-lender consent and transparency posture per Para 6.
Days 31–45: Remediation and contract refresh.
- Address top 5 gaps identified.
- LSP contract refresh for ITO 2023 + 2025 Directions alignment.
- Multi-lender consent UX uplift.
Days 46–60: CCO certification readiness.
- CCO certification process documentation.
- Board / Risk Committee briefing on digital lending posture.
- Inspection-ready evidence pack.
A worked example — a multi-lender platform participant
A mid-tier NBFC participating as one of six partner lenders on a multi-lender digital-lending platform operated by an LSP arrives at the following compliance posture under the November 2025 multi-lender provisions:
Pre-November 2025 arrangement:
- The LSP captured borrower data, ran underwriting through partner lenders' models in parallel, presented the borrower with one "best matched" offer (typically the lender willing to fund at the lowest rate for the borrower's risk profile), and processed acceptance.
- The borrower saw the LSP's brand throughout; the lender's identity was disclosed in fine print on the loan agreement.
- The NBFC received borrower data only after the borrower accepted the offer from the NBFC; the NBFC had no visibility into how the platform compared the NBFC's offer against competing lenders.
Post-November 2025 architecture changes:
- Comparison view: the platform now shows the borrower up to six lender offers (all participating lenders matching the borrower's profile) with APR, fees, tenure, repayment terms in a side-by-side comparison.
- Per-lender KFS: each offer accompanied by the standardised KFS in the prescribed format.
- Selective data sharing consent: the borrower selects which lenders may receive the borrower's underwriting data after the comparison; consent is per-lender rather than blanket.
- Lender identity in the journey: the borrower's selected lender is identified clearly throughout the acceptance flow; the LSP's role as service provider is disclosed.
- Post-disbursement communications: servicing, repayment reminders, and recovery communications identify the NBFC as the lender (rather than the LSP as the platform).
Compliance evidence pack the NBFC maintains:
- Documented agreement with the LSP including the Para 6 transparency obligations.
- Sample screen captures of the borrower-facing experience for inspection.
- Per-loan KFS samples.
- Consent records linking the borrower to the NBFC's lending decision.
- Quarterly review by the NBFC's CCO of multi-lender platform compliance.
- Right-to-audit exercised on the LSP biennially.
DLG arrangement review: the NBFC's DLG arrangement with the LSP (originally ~7% portfolio cover via corporate guarantee) was re-papered to:
- 5% cap with bank guarantee + fixed-deposit lien-mark instruments.
- 120-day invocation discipline.
- Monthly portfolio disclosure on the NBFC's website.
CCO certification: the CCO annually certifies the multi-lender compliance with documented controls testing — including sample borrower journeys, KFS samples, DLG portfolio review, CIMS DLA registration verification. The certification process is the artefact for supervisory inspection.
The NBFC's specific learnings: (a) the LSP initially resisted some Para 6 transparency requirements that exposed the LSP's commercial arrangements; the negotiation took multiple cycles; (b) the per-lender KFS format required UX changes the LSP had to fund; (c) the DLG re-papering reduced the NBFC's effective risk coverage but provided regulatory clarity. These patterns are common across mid-tier NBFCs participating in multi-lender platforms.
Cross-references
The 2025 Directions interact with:
- RBI ITGRCA 2024 — governance umbrella.
- RBI ITO 2023 — LSP outsourcing arrangements.
- RBI CSF 2016 — operational cyber controls.
- RBI Co-Lending Master Direction 2020 / amendments — for co-lending arrangements specifically.
- RBI Payment Aggregators Directions 2025 — for entities operating as both LSPs and PAs.
- CERT-In Direction 70B — 6-hour incident reporting.
- DPDPA + Rules 2025 — borrower data is personal data; DPBI from May 2027.
- NPCI rules — for UPI-rail integration.
Further reading
- RBI (Digital Lending) Directions, 2025 (notified 8 May 2025) — https://www.rbi.org.in/
- RBI Co-Lending Master Direction (2020 + amendments) — https://www.rbi.org.in/
- RBI Master Direction on Outsourcing of IT Services 2023 — https://www.rbi.org.in/
- RBI ITGRCA Master Direction 2024 — https://www.rbi.org.in/
- CIMS portal — https://cims.rbi.org.in/
- ControlForge clusters: cl-supplier-policy, cl-third-party-due-diligence, cl-payments-and-settlements, cl-consent-management, cl-data-classification, cl-customer-security, cl-mandatory-audit, cl-incident-reporting-external — 2025 Directions cross-walked against RBI ITGRCA, CSF, ITO 2023, and DPDPA.
The cluster cross-walk supports REs operating across multiple digital-lending arrangements simultaneously — co-lending under the Co-Lending Master Direction + multi-lender platforms under the 2025 Directions + direct digital lending. A coordinated compliance posture that surfaces the strictest clause across the arrangements is materially more efficient than treating each arrangement as a standalone compliance workstream.
This guide is a practitioner reference, not legal advice. It reflects the RBI (Digital Lending) Directions, 2025 with multi-lender provisions effective 1 November 2025, the RBI Co-Lending Master Direction (2020 + amendments through 2024–25), and publicly available RBI guidance as of 24 May 2026. Compliance teams should validate specific obligations against the current Directions text and counsel review.
A final practitioner observation: the 2025 Directions are operationally tighter than the 2022 Guidelines they replaced. The CCO certification, CIMS DLA registration, multi-lender transparency, and DLG instrument restrictions are each individually demanding. The 2026 supervisory examination patterns are showing that REs that built the compliance programme as an integrated whole — with a Digital Lending Operations Committee at executive level overseeing LSP relationships, multi-lender platforms, fund-flow architecture, and DLG portfolio — clear inspections more cleanly than REs treating each obligation as a standalone workstream. The Operations Committee pattern is becoming a recognisable mid-2026 maturity indicator.