RBI digital lending cybersecurity compliance in India is governed by the Reserve Bank of India's Digital Lending Guidelines (DLG), published September 2, 2022. The DLG mandates cybersecurity controls for every bank, NBFC, and Lending Service Provider operating in digital credit — requiring all borrower data to be stored in India, annual VAPT-backed IT audits, six-hour CERT-In incident reporting, and contractual vendor risk management. Non-compliance exposes Regulated Entities to RBI enforcement action. This guide maps every DLG cybersecurity requirement to the controls Indian fintechs and NBFCs must implement before their next audit cycle.
Who the RBI Digital Lending Guidelines Cover
The DLG applies to two categories of entities:
Regulated Entities (REs): Banks, cooperative banks, and Non-Banking Financial Companies (NBFCs) registered with RBI. If you are an RE offering digital loan products — including through a third-party app — the full weight of DLG compliance falls on you.
Lending Service Providers (LSPs): Technology companies, fintech platforms, or agents acting on behalf of an RE to source or service loans. LSPs are not directly regulated by RBI but must comply with the security requirements their RE partner contractually imposes. In practice, REs push down the full DLG security stack onto their LSPs through agreement clauses.
The scope is broad. If your platform touches loan origination, credit decisioning, disbursement, repayment, or collections in any way — digitally — the DLG governs your cybersecurity obligations.
RBI Digital Lending Cybersecurity Requirements Under the DLG
The DLG consolidates cybersecurity requirements across five domains. Understanding that structure is the first step to mapping the requirements onto your existing controls: the five domains form the backbone of a DLG-compliant security programme, and the following sections address each in detail.
The Data Localization Mandate for Indian Digital Lenders
The DLG's data requirements are explicit: all data collected by digital lenders — borrower identity, financial details, repayment behaviour, and device metadata — must be stored exclusively within Indian borders. Any cloud infrastructure, database, or backup system used for this data must have its servers physically located in India.
Beyond geography, the DLG mandates specific technical controls:
- Encryption in transit and at rest: TLS 1.2 or higher for all communications; AES-256 or equivalent for stored data.
- Access controls: Role-based access with least-privilege enforcement. No open APIs exposing raw borrower data without authentication and authorization gates.
- Data minimization: Apps may only request device permissions that are necessary for the loan product. The DLG explicitly prohibits collecting contacts, call logs, and media without a direct lending use case and explicit user consent.
- Retention and deletion: Data must be deleted or anonymized after the purpose is fulfilled, consistent with applicable regulatory retention obligations.
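The data minimization bullet is the one most easily checked mechanically. The following is an added example, not code from the RBI guidelines or from any vendor tool: it parses an Android manifest, flags the permission families the DLG singles out (contacts, call logs, media), and checks each against a use-case justification inventory that the lending team is assumed to maintain. Permission names are real Android identifiers; the manifest and inventory are constructed sample data.

```python
# Added example (not from the RBI guidelines or any vendor tool): parse an
# AndroidManifest.xml and flag DLG-restricted permissions (contacts, call
# logs, media) that have no documented lending use case on file.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission families that need a direct lending use case and explicit consent.
RESTRICTED = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "media",
    "android.permission.READ_MEDIA_IMAGES": "media",
}

def manifest_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]

def review_permissions(manifest_xml: str, justifications: dict[str, str]) -> dict:
    """Sort declared permissions into justified, unjustified and unrestricted."""
    report = {"justified": [], "unjustified": [], "unrestricted": []}
    for perm in manifest_permissions(manifest_xml):
        if perm not in RESTRICTED:
            report["unrestricted"].append(perm)
        elif justifications.get(perm, "").strip():
            report["justified"].append(perm)
        else:
            report["unjustified"].append(perm)  # audit finding: no use case on file
    return report

# Constructed sample manifest for a lending app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lender">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>"""

# Constructed justification inventory; an empty entry means nothing is on file.
SAMPLE_JUSTIFICATIONS = {
    "android.permission.READ_MEDIA_IMAGES": "Borrower uploads KYC document photos",
    "android.permission.READ_CONTACTS": "",
}

if __name__ == "__main__":
    for bucket, perms in review_permissions(SAMPLE_MANIFEST, SAMPLE_JUSTIFICATIONS).items():
        print(f"{bucket}: {perms}")
```

The "unjustified" bucket is the list of permissions to either remove from the app or document before the permission inventory is handed to the auditor.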
IT Security Audit and VAPT Requirements for Indian Fintechs
The DLG mandates regular IT security assessments. For Regulated Entities, this means engaging a qualified auditor — a CERT-In empanelled firm for the formal annual assessment — to conduct comprehensive security evaluations of the entire digital lending stack: web applications, APIs, mobile apps, cloud infrastructure, and third-party integrations.
The table below maps the core DLG IT security audit requirements to the controls your team needs to implement:
| DLG Requirement Area | Control to Implement | Audit Evidence Expected |
|---|---|---|
| Application security | VAPT of web and mobile lending apps | Penetration test report with remediation tracking |
| API security | Auth validation, rate limiting, input sanitization | API security scan report |
| Data localization verification | Cloud infrastructure documentation | Architecture diagram with confirmed server regions |
| Encryption implementation | TLS and at-rest encryption configurations | Config review and SSL scan results |
| Access control | IAM audit, MFA enforcement | User access matrix and MFA adoption logs |
| Vendor security | Third-party risk assessments for all LSPs | LSP security agreements and assessment reports |
| Incident response | Documented IR plan with RBI and CERT-In reporting paths | IR playbook with tested escalation timelines |
| Data minimization | App permission manifest review | Permission inventory mapped against use-case justification |
Vendor and LSP Risk Management
One of the most significant cybersecurity implications of the DLG is how it handles the RE–LSP relationship. Regulated Entities cannot outsource their compliance obligations. If an LSP suffers a data breach that exposes borrower data, the RE is accountable to RBI.
This creates a clear contractual and operational requirement. Regulated Entities must:
- Conduct security due diligence on all LSPs before onboarding
- Include binding security requirements in the LSP agreement — covering data protection standards, access controls, audit rights, and breach notification timelines
- Periodically reassess LSP security posture — at minimum, annually
- Maintain the right to audit LSP systems and request independent security assessments at any time
Incident Reporting Obligations
Digital lenders face two overlapping incident reporting requirements that must be tracked and executed in parallel:
RBI reporting: Regulated Entities must report cybersecurity incidents to RBI as per the Cyber Security Framework for Banks (2016) and subsequent RBI circulars. For incidents affecting customer data or lending operations, this typically requires reporting within the timelines specified in the applicable RBI guidance for the incident category.
CERT-In reporting: The CERT-In Information Security Practices, Procedures, Prevention, Response and Reporting of Cyber Incidents Directions 2022 mandate that all entities — including financial institutions — report qualifying cybersecurity incidents within six hours of detection. Covered categories include data breaches, ransomware attacks, phishing campaigns targeting financial customers, and unauthorized access to IT systems.
The six-hour CERT-In window is aggressive. Many fintechs lack the detection and escalation infrastructure to identify a breach and file a structured report within that window. Building this capability requires real-time logging and SIEM integration, defined incident classification procedures, a pre-approved incident report template, and a 24x7 escalation contact list for both RBI and CERT-In.
Compliance Coverage Across DLG Requirement Areas
No single domain dominates the DLG compliance effort. Data privacy and localization carry the largest share because the data protection requirements cascade across every system in your lending stack. IT audit and vendor risk together account for nearly 40 percent of the compliance surface — both demand external engagement and documented evidence trails that must be available for regulatory inspection on demand.
Building a DLG-Compliant Security Programme
Meeting DLG requirements is not a one-time project. It is an operational posture that must be maintained continuously across product releases, vendor changes, and infrastructure updates.
Year 1 — Establish baseline:
- Commission a VAPT against your entire digital lending application stack
- Conduct a gap assessment against all five DLG security domains
- Document all data flows and confirm localization across cloud systems, backups, and third-party processors
- Engage a CERT-In empanelled partner for the mandatory annual IT audit
- Draft or update LSP security agreements to include DLG-compliant clauses
Ongoing (year 2 onward):
- Run VAPT at every major release and at minimum once per year
- Review LSP security posture quarterly with documented evidence
- Test your incident response procedure specifically against the 6-hour CERT-In reporting window using tabletop exercises
- Monitor RBI cybersecurity circulars and update controls when new requirements are mandated
The Bachao.AI automated VAPT platform, built by Dhisattva AI Pvt Ltd, gives digital lending teams a way to run continuous application security assessments — covering OWASP Top 10, API vulnerabilities, SSL and TLS configuration, and network exposure — without waiting for the annual scheduled audit cycle. For the DPDP Act obligations that layer on top of the DLG's protection requirements for borrowers' personal data, see the /dpdp-compliance page.
Ready to audit your DLG cybersecurity posture? Get your free security scan against your entire digital lending stack — identify OWASP Top 10 gaps, API weaknesses, and SSL misconfigurations before your next RBI inspection.