Digital Lending Apps & RBI Regulations: How to Stay Safe

Last updated: 2 June 2026  |  Loan Free Editorial Team  |  6 min read

Digital loans are convenient — but a safe app always lends through a regulated bank or NBFC.

Quick answer

To stay safe with digital lending apps in India, borrow only from apps that clearly lend on behalf of a bank or an RBI-registered NBFC. Under the RBI Guidelines on Digital Lending (2022), loans must flow through regulated entities, all costs must be disclosed upfront in a Key Fact Statement, and apps cannot harvest your contacts or gallery. If an app uses threats, contact-list misuse or morphed images, that conduct is unlawful — keep evidence and report it to the lender's grievance officer, the RBI Sachet portal, and the cybercrime portal or police.

Digital lending apps have made small loans fast and paperless — but the same convenience has been used by unregulated and sometimes outright illegal apps that overcharge borrowers and recover money through fear. In response, the Reserve Bank of India issued the Guidelines on Digital Lending in 2022 to put clear limits on how these apps may operate. This guide explains, in plain terms, what those rules require, how to tell a safe app from a dangerous one, and what you can lawfully do if a lending app is harassing you.

Why the RBI made these rules

The core problem the RBI set out to address was simple: borrowers often could not tell who was actually lending to them, what they were really being charged, or what an app was doing with their personal data. Many problem apps were not lenders at all — they were front-ends that hid the regulated entity behind them, buried the true cost of credit, and treated a borrower's phone as a recovery tool.

The Digital Lending Guidelines are built on a straightforward principle: a digital loan is still a loan, so it must be made by an entity the RBI regulates, on terms the borrower can see and understand, with data handled responsibly. The rules are about transparency and conduct — not about making lending harder for honest borrowers.

What the Digital Lending Guidelines require

While the framework is detailed, a borrower mainly needs to remember a handful of protections:

  • Lending only through regulated entities. The loan must be made by a bank or an RBI-registered NBFC. A digital app may be the technology layer, but the actual lender must be a regulated entity, and disbursal and repayment should flow directly between you and that lender rather than through a third party's pooled account.
  • All-inclusive cost disclosure (Key Fact Statement). Before you borrow, you should receive a Key Fact Statement (KFS) setting out the all-in cost of the loan, including interest and fees expressed as an annual percentage rate. There should be no surprise "service" or "processing" charges revealed only after disbursal.
  • No unauthorised data or contact-list access. An app should collect only the data needed for the loan, with your explicit consent, and must not demand blanket access to your contacts, photo gallery or files. Using such data to pressure you is outside the rules.
  • A cooling-off period. The framework provides for a cooling-off (or look-up) window during which a borrower can exit the loan by repaying the principal and the proportionate cost, without facing a penalty for doing so.
  • Grievance redressal. The regulated lender and its lending service providers must have a clearly named grievance redressal officer and a defined complaints process, so a borrower always has someone accountable to approach.

These protections sit alongside the RBI's broader Fair Practices Code, which already requires lenders and their recovery agents to behave fairly, avoid harassment and respect borrower privacy.

How to spot an illegal or unregulated app

You can avoid most trouble by checking a few things before you borrow rather than after. Warning signs that an app may be unregulated or illegal include:

  • It will not clearly name the bank or RBI-registered NBFC that is actually lending, or that name cannot be verified on the RBI website.
  • It demands sweeping permissions during installation — full access to your contacts, photo gallery or files — that have nothing to do with assessing a loan.
  • The real cost is hidden: large upfront "fees" are deducted from the amount you receive, so you get far less than the sanctioned figure, and no proper Key Fact Statement is shared.
  • There is no verifiable company address, customer support channel or named grievance officer.
  • Repayment is collected into a personal or unrelated account rather than flowing to an identifiable regulated lender.

If several of these are present, it is generally safer to walk away before accepting any money. Verifying the lender against the regulated-entity information published on the RBI website is the single most useful check you can do.

Harassment tactics — and why they are unlawful

When repayment is late, abusive apps often turn to intimidation. Common tactics reported by borrowers include misusing the phone's contact list to message family, friends or colleagues; sending threatening or abusive messages; circulating false or morphed images to shame the borrower; and impersonating officials. It is important to understand that these tactics are not legitimate recovery — they are unlawful conduct, and they can amount to criminal offences such as criminal intimidation, defamation and breach of privacy, regardless of whether any money is genuinely due.

A lawful lender pursues genuine dues through documented communication and the legal process. No amount of outstanding loan gives anyone the right to threaten you, contact people who never agreed to be your guarantors, or publish doctored images. Recognising this distinction helps you respond calmly: you may owe a debt, but you do not have to tolerate harassment to deal with it.

How to protect your data

  • Check permissions before installing. If an app asks for access to contacts, photos or messages that a loan does not need, decline or choose a different lender.
  • Read the Key Fact Statement. Confirm the all-in cost, tenure and the name of the regulated lender before you accept funds.
  • Keep your own records. Save the loan agreement, KFS, payment receipts and the grievance officer's contact details in one place.
  • Preserve evidence if things go wrong. Take dated screenshots of abusive messages, note call timings and numbers, and keep copies of any morphed images circulated about you — this evidence supports any complaint you file.
  • Limit exposure. Where your device allows, review and revoke unnecessary app permissions after a loan is closed.

How to report and where to complain

If a lending app has overcharged you, accessed your data without consent, or harassed you, there is an ordered way to raise it:

  • Lender's grievance officer first. Submit a written complaint to the named grievance redressal officer of the regulated lender, and keep the acknowledgement.
  • Escalate to the RBI. If the lender does not resolve it within the prescribed period, you can raise the matter with the RBI, including through its Sachet portal for complaints against entities that take deposits or lend.
  • Report criminal harassment. Threats, abuse, contact-list misuse and morphed images can be reported to your local police and to the Government of India's national cybercrime reporting portal.

We do not promise that reporting will instantly stop contact from a particular app, and outcomes depend on the facts, the entity involved and the authorities. What reporting does is create an official record, put the regulated lender on notice and bring unlawful conduct to the attention of those who can act on it.

Important: Loan Free Financial Services is a consultancy — not a lender. We do not provide loans or credit, and we do not guarantee that any harassment will stop or that any particular outcome will be achieved. This article is general information about the RBI Guidelines on Digital Lending and related borrower protections, and is not legal advice for your specific situation. For your own case, consider speaking with a qualified professional or the relevant authority.

Frequently asked questions

A genuine digital lending app must lend on behalf of a regulated entity — a bank or an RBI-registered NBFC. Before borrowing, look for the name of that bank or NBFC in the app, on its website and in the loan documents, and cross-check it against the list of regulated entities published on the RBI website, rbi.org.in. If an app will not clearly name the regulated lender behind it, treat that as a warning sign.

No. Under the RBI Guidelines on Digital Lending, a lending app should only collect data that is necessary for the loan and with your clear consent. It must not pull your entire contact list, photo gallery or files for recovery purposes. An app that demands blanket access to contacts or media, and later uses it to pressure you, is acting against these rules.

Threats, abuse, contacting your family or colleagues to shame you, and morphed images are unlawful regardless of any amount due. Keep evidence such as screenshots, call logs and messages. Raise a written complaint with the lender's grievance officer, escalate to the RBI through the Sachet portal if it is not resolved, and report criminal harassment to the police or the national cybercrime portal.

Not automatically. RBI rules govern how lending and recovery must be conducted; they do not by themselves erase a genuine debt. However, you are only required to repay what is lawfully due, and unlawful charges or harassment can be challenged. If you are unsure what you actually owe, take written details and consider professional or legal guidance before paying disputed amounts.

References

  • Reserve Bank of India — Guidelines on Digital Lending (2022) & Fair Practices Code: rbi.org.in
  • RBI Sachet portal — complaints against deposit-taking and lending entities: sachet.rbi.org.in
  • Government of India — National Cybercrime Reporting Portal: cybercrime.gov.in

About this guide. Written by the Loan Free Editorial Team and reviewed for accuracy against the RBI Guidelines on Digital Lending and the Fair Practices Code by our debt-resolution advisors. Information is provided for general understanding and was last updated on 2 June 2026. It is not a substitute for advice on your specific case — contact us for a confidential review.