Digital Lending and BNPL in India: Are New Guidelines Hurting Startups?

Introduction

In the past couple of years, the emergence of Buy Now, Pay Later (BNPL) apps and online lending startups revolutionized India’s credit landscape. With their frictionless digital boarding, free EMIs, and emphasis on financial inclusion, the platforms captured a gigantic user base. But regulatory eyes soon started to glare with allegations of opaque business models, predatory lending, and misuse of data. To these challenges, the Reserve Bank of India (RBI) responded by unveiling the 2025 Digital Lending Guidelines^[1], bringing in a more stringent regime for online lenders. The guidelines emphasize lender responsibility, data security, and customer disclosures but are faulted by its critics as having the potential to stifle innovation and damage nascent fintech’s.

This article discusses the RBI attempts to balance and if the new regulations turn out to be an elixir or a curse for India’s online lending startups. It also analyses the implications of these regulations in legal and market terms in comparative global experiences and judicial stances.

Understanding the 2025 RBI Digital Lending Guidelines

The 2025 guidelines are a continuation of RBI’s efforts since 2022 to bring digital lending under regulatory oversight. They stem from the final recommendations of the Working Group on Digital Lending and build on the guidelines published in August 2022. Key changes include:

• Direct Lending Only by RBI-Regulated Entities (REs): BNPL platforms must now operate exclusively with REs like NBFCs or banks, thus keeping non-regulated players out of lending activities.
• Loan Disbursal and Repayment Flow Control: All disbursements and repayments must be processed directly between the borrower and the RE, with third-party app or wallet disbursement kept out.
• Annual Percentage Rate (APR) Disclosure: All fees, charges, and interest need to be presented by lenders as a single figure of APR so that the borrower can better compare lending bids in a more transparent manner.
• Three-Day Cooling-off Period: The borrower can withdraw from the loan without any cost within 3 days for short-term loans and 7 days for tenure-based long-term loans.
• Forced Reporting to Credit Information Companies (CICs): Credit histories of BNPL transactions need to be reported to the credit bureaus so that small-ticket credit also contributes to a credit history.
• Registering Explicit and Granular Consent Requirements for Data: Consent needs to be informed, specific, and revocable. Blanket or default opt-ins are not valid.
• Pre-approved Credit Line Ban: No top-ups or credit line increases are permitted without the explicit borrower consent.
• Digital Audit Trails and Grievance Portals: There should be an open digital trail of all borrower interactions, consents, and disclosures kept.

These measures act to fill the regulatory space that earlier existed as a result of the runaway expansion of credit-tech firms working in uncharted territory.

Legal Context and Policy Goals

The regulatory underpinning of the 2025 digital lending guidelines is based on a triad of regulatory pillars making up India’s data and financial governing ecosystem:

• Reserve Bank of India Act, 1934^[2]: Provides RBI with the authority to control monetary policy, promote public confidence in the banking system, and promote financial system stability. In Sections 35A and 45L, RBI has great discretion to instruct banks and NBFCs to prohibit activities prejudicial to the public interest.
• Banking Regulation Act, 1949^[3]: Empowers RBI to regulate commercial banks and NBFCs, for example, licensing, capital adequacy, and prudential standards. The 2025 guidelines get their operationalization in the regulatory powers of RBI under the said above Act to the effect that only those institutions which RBI regulates (regulated entities or REs) should undertake lending operations.
• Information Technology Act, 2000^[4]: Expresses the cyber infrastructure of data protection, e-contracts, and intermediary liability. Sections 43A and 72A express the responsibility of data fiduciaries in case of misuse of personal information. These sections are the background for the consent, grievance, and data flow conditions that have been inserted into the digital lending space.

The 2025 guidelines are also grounded in the RBI’s 2021 Working Group Report on Digital Lending, which found that over 600 lending apps operating in India were unregulated, many of which indulged in excessive interest rates, abusive recovery methods, and data misuse. The report emphasized the need for a regulatory perimeter that preserves financial innovation while protecting borrowers.

The key policy goals driving the guidelines include:

• Preventing Regulatory Arbitrage: By limiting lending to RBI-regulated entities, the new framework plugs loopholes being exploited by technology platforms and shell intermediaries.
• Increasing Transparency and Disclosure: Simplification of representation of cost of loan through APR disclosure and rendering loan agreements readable, accessible, and understandable.
• Protecting Consumer Rights: Through a cooling-off period, borrower consent procedures, and grievance redressal procedures, the guidelines demonstrate a rights-based approach to extension of credit.
• Enforcing Financial and Data Integrity: Electronic audit trails and mandatory credit bureau reporting are an effort to create strong electronic credit histories and utilize data legal, bounded, and voluntary.
• Promoting Long-term Market Credibility: By ensuring legal clarity and supervisory coherence, RBI seeks to attract prudent capital into the digital lending market and provide investor confidence.

The guidelines fit into India’s overall effort at governance through the digital age as seen in the Digital Personal Data Protection Act, 2023 and proposed Digital India Bill, both of which seek to legalize obligations on digital intermediaries and strengthen consumer protections. Globally, the guidelines are part of the trend of coming together to regulate digital credit as seen in the EU, the UK, and Australia, all of whom are increasingly regulating fintechs through traditional financial regulatory models.

Startups’ Concerns: A Regulatory Roadblock?

Startups and new-age lenders have voiced sharp concerns:

• Threat to Sustainability of BNPL Model: BNPL platforms gained on delayed payments and merchant commission models. Forced disclosure of APR and reporting all transactions as loans dilutes the 0% EMI proposition.
• Compliance Overheads: Legal re-engineering, technical changes, integration of KYC, reporting with credit bureaus, and data compliance have escalated operational expenses significantly.
• Decreased User Acquisition: Frictionless UX is disrupted by extra disclosures, cooling-off periods, and express consent layers.
• Licensing Obstacles: Smaller platforms cannot get NBFC licenses because of net-worth and regulatory capital requirements.

In a 2024 joint survey by NASSCOM and Bain, 68% of fintech entrepreneurs cited compliance as the biggest hindrance to growth after the issuance of guidelines. Although some platforms such as Simpl and Uni changed product offerings, others such as ZestMoney applied for NBFC licenses to stay compliant.

On the other hand supporters of regulation counter that:

• Disclosure-based pricing fosters consumer trust and improves credit outcomes.
• Accountability for data protects against profiling, financial coercion, and exploitation.
• Bureau reporting makes credit more democratic by providing traceable borrower histories.

There is substantial evidence that irresponsible online lending led to financial distress among consumers. The Ministry of Electronics and IT received more than 1,100 complaints associated with predatory loan apps in 2022 alone.^[5]

Internationally, the UK’s FCA Woolard Review (2021)^[6] and the ASIC BNPL Consultation (Australia, 2022)^[7] have also made similar disclosures, creditworthiness checks, and data governance requirements for BNPL providers. India is therefore not an outlier but a late adopter.

Impact on Startup Ecosystem and Market Structure

The long-term implications are yet to play out, but near-term trends are:

• Market Correction: Some fly-by-night digital lenders have collapsed because they were unable to cope with compliance. Survivors are consolidating or switching to B2B lending.
• Rise of Lending-as-a-Service (LaaS): Fintechs are collaborating with licensed NBFCs to provide backend credit infrastructure (e.g., Setu, Perfios).
• VC Investor Strategy Shift: VCs increasingly evaluate regulatory preparedness as a key measure. Startups with well-defined compliance pathways are better funded.
• Revaluation of BNPL: BNPL startups have seen their valuations suffer because of diminished margins, higher scrutiny, and declining customer acquisition.
• More NBFC License Queries: Players are shifting to regulated models—f.e., Capital Float became a full-stack NBFC with inbuilt lending business arms.

Legal and Constitutional Considerations

1. Delegated Legislation and Judicial Review

The RBI’s power to regulate stems from statute and has been repeatedly upheld by courts. In ICICI Bank Ltd. v. Official Liquidator^[8]The Supreme Court recognized RBI’s expansive authority in protecting financial stability. The judiciary generally refrains from interfering in economic policy unless arbitrary.

2. Data Protection and Consent Architecture

The Digital Personal Data Protection Act, 2023 makes explicit data processing reasons a requirement, logs of consent, and grievance redressal compulsory. RBI guidelines reinforce the same by making in-app disclosures, privacy policies, and third-party restriction on data sharing necessary. Non-compliance may mean punishment under either or both legislations.

3. Proportionality and Startup Ecosystem

There are demands for tiered compliance thresholds. For instance, lenders offering credit below ₹10,000 or under trial sandboxes may be exempted from full compliance, echoing SEBI’s approach to regulatory sandboxes. The principles of proportionality, non-discrimination, and ease of doing business are being invoked in policy representations to the RBI.

Conclusion

The RBI’s 2025 Digital Lending Guidelines mark a definitive shift in India’s regulatory approach to fintech. Rather than an outright clampdown, the guidelines appear as a course correction—a move to clean up a sector marred by predatory practices and data misuse.

Though the shift will prove to be trying for startups, the reforms are intended to provide financial prudence, borrower protection, and innovation sustainability. Global alignment, judicial encouragement, and industry input all indicate that India is headed towards a more evolved digital lending ecosystem.

It is their determination to stay consultative, balanced, and evolving that will make these rules a success—making sure the fintech story of the country does not run out of steam but gets a firmer and more secure base.

Author:- Ansh Das, in case of any queries please contact/write back to us atsupport@ipandlegalfilings.com or   IP & Legal Filing.

References

1. Vaidya, Alka. “Digital Lending in India.” India Banking and Finance Report(2024).
2. Dokku, Srinivasa Rao, et al. “A Study on Buy Now and Pay Later (BNPL) Alternative Model of Financing in India: Issues and Challenges.” Retail Innovations in Business Models(2025): 1-16.
3. Kumar, Sandeep, and Aman Sonkar. “Legal Challenges and Consumer Protections in India’s Digital Lending Landscape.” Motherhood International Journal of Research & Innovation01 (2025): 41-49
4. Maity, Sagnik. “Fintech lending in India: A Threadbare Analysis of the Demand Factors.” International Journal of Contemporary Research in Multidisciplinary5 (2023): 34-37.
5. Modi, Avi, and Vaibhav Kesarwani. “Digital Lending Laws in India and Beyond: Scrutinizing the Regulatory Blind Spot.” Indian Journal of Economics and Finance1 (2023): 1-7.
6. Reserve Bank of India. (n.d.). https://www.rbi.org.in/commonman/english/scripts/FAQs.aspx?Id=3413

^[1] Reserve Bank of India (Digital Lending) Directions, 2025, RBI/2025-26/36, DOR.STR.REC.19/21.07.001/2025-26 (May 8, 2025)

^[2] Reserve Bank of India Act, No. 2 of 1934

^[3] Banking Regulation Act, No. 10 of 1949

^[4] Information Technology Act, No. 21 of 2000

^[5]MeitY Grievance Reports on Loan Apps (2022)

^[6] Financial Conduct Authority (UK), Woolard Review (2021)

^[7] ASIC Consultation Paper on BNPL Regulation (Australia, 2022)

^[8] ICICI Bank Ltd. v. Official Liquidator, (2006) 10 SCC 452