India Supported

RBI Digital Lending in ChronoVault

RBI's Guidelines on Digital Lending — loan service provider (LSP) obligations, borrower disclosures, data handling, and direct disbursal rules for regulated entities.

1. What the RBI Digital Lending Guidelines are

RBI's Guidelines on Digital Lending were issued in 2022 and have been refined through subsequent circulars. They apply to regulated entities — banks, NBFCs, and other RBI-regulated lenders — when they use digital channels, mobile apps, or loan service providers (LSPs) to source, underwrite, disburse, or collect on loans. The guidelines draw a clear line: only a regulated entity can lend. LSPs and digital lending apps are channels, not lenders. Every rupee must flow directly between the regulated entity's account and the borrower's account, without any LSP or pass-through wallet in the middle.

2. The core obligations at a glance

A regulated entity must disclose the identity of every LSP and digital lending app acting on its behalf. Before disbursal, the borrower must receive a standardized Key Fact Statement containing the all-in annualized cost, the fee schedule, the cooling-off period, and the grievance channel. A cooling-off or look-up period — typically three days — must be offered during which the borrower can exit without penalty beyond the proportionate APR. Direct data collection by LSPs is restricted: access to contacts, gallery, and location is either prohibited outright or tightly scoped. Personal data collected in the lending process must be stored only in India, with narrow exceptions.

3. What ChronoVault provides

The guidelines are canonicalized into structured requirements, separated into the obligations that sit on the regulated entity and the obligations that it must push down to its LSPs by contract. Due diligence on LSPs is modeled as a recurring obligation with evidence patterns for the diligence file, contract clauses, and the board-approved LSP policy. The Key Fact Statement is modeled as both a control (the generation process) and an evidence pattern (the actual statements issued). Cooling-off period adherence is monitored on a per-loan basis. Data handling requirements — localization, retention limits, access controls on contact and SMS data, and consent trails — are mapped to DPDPA and ISO 27701 so that a single privacy control library covers both regimes.

4. How a Digital Lending program runs in ChronoVault

Scope your digital lending channels and LSP partners. Bring your existing LSP due diligence files into the evidence library so past diligence is not rediscovered every quarter. Track each LSP as an obligation owner with its own review cadence — the guidelines expect ongoing oversight, not a one-time onboarding. Monitor cooling-off period adherence and KFS issuance as operational controls with automated evidence from your lending stack. When RBI asks about a specific loan, specific borrower, or specific LSP on a specific date, walk the examiner through the state as it was on that date without reconstructing it from scratch.

5. Frequently asked

The guidelines interact with several other regimes. DPDPA 2023 governs the data processing aspects; ChronoVault's cross-mapping means a single control often satisfies both. The RBI Cybersecurity Framework governs the underlying security posture of the regulated entity's lending stack. The Fair Practices Code governs borrower treatment in general. Running these as separate programs is the most common mistake digital lenders make — ChronoVault is designed so each requirement is tagged once and appears wherever it is relevant, rather than being duplicated across programs.
