In this article
What changed in March 2026
RBI's original digital lending guidelines came out in September 2022. The March 2026 supplement closed loopholes that fly-by-night apps had been exploiting. Key changes:
- Standardised APR disclosure in the Key Fact Statement (KFS) — covering all fees, GST, insurance and any recurring charges. No more "1% per day, no hidden costs" marketing.
- Direct disbursal mandatory — the regulated lender must transfer money directly to the borrower's bank account. No pass-through wallets, no third-party intermediaries.
- Borrower data access banned — contacts, gallery, SMS and call logs are now hard-blocked. Only camera (for KYC), microphone (for video KYC), and location (when needed) are permitted.
- Recovery call timings — only between 8 AM and 7 PM. No early morning or late night calls.
- Cooling-off period — every loan must offer a window in which the borrower can return the principal without prepayment penalty.
- Mandatory grievance officer — name, email and phone of a grievance officer must be visible on every app's home screen.
The 12 red flags — do this check BEFORE you sign
If you see any one of these, do not borrow. The app is non-compliant and your money + data are at risk.
1The app does not show its regulated lender's name on the home screen
Every legal lending app must display the name of the licensed NBFC or bank behind it, prominently — not in tiny grey fine print at the bottom. The lender name must match an entity listed on rbi.org.in's regulated entity list. If the only name you see is the app's brand name (e.g., "QuickCash" or "InstaLoan"), the app is non-compliant.
2No Key Fact Statement (KFS) is shown before signing
When you tap "Apply" or "I Accept", a KFS must appear showing APR, processing fees, GST, insurance, cooling-off period and grievance officer. If you go straight from "Apply" to "Money disbursed", the app has skipped a legally mandated step.
3App requests access to your contacts, gallery, SMS, or call logs
This is hard-banned under the 2026 rules. The only permitted permissions are camera, microphone (for video KYC), and location. If the app asks for contacts at any point, leave immediately. Most contact harvesting is used to harass family and friends if you default.
4The interest rate is shown as "per day" or "flat" instead of APR
"Just 1% per day" sounds small but works out to an APR of around 365%. Legal apps must disclose APR — the all-in annualised rate. Per-day or flat-rate framing without APR is illegal under the new rules.
5Money is credited from a personal account or a non-bank wallet
Under the direct-disbursal rule, the regulated lender must transfer money to your bank account from THEIR official account. If you see money credited from a personal UPI ID or a non-bank wallet, the lender is breaking the rules — and your repayment is going into a black box.
6Disbursed amount is less than the sanctioned amount, without explanation
Some apps sanction ₹10,000 but credit ₹7,000, calling the rest "processing fees". This is legal only if the KFS clearly disclosed every fee. Anything else is a violation.
7Recovery calls come before 8 AM or after 7 PM
The 8 AM to 7 PM call window is strict under the 2026 norms. Calls outside this window — and calls to family, friends, or your employer — are reportable harassment.
8App threatens you with morphed photos, social media exposure, or police
This is criminal extortion under IPC, not just an RBI violation. Report to cybercrime.gov.in (call 1930) and file an FIR at your local police station. The morphed-photo and contact-shaming playbook was the signature of the 2021–2024 Chinese loan-app scams; under the new rules it is grounds for instant licence cancellation.
9No grievance officer details visible
Every legal app must display the name, email and phone number of a grievance officer on the home screen — not buried in Terms & Conditions. If you cannot find it within 30 seconds, the app is non-compliant.
10Cooling-off period is missing from the KFS
Every digital loan must offer a window to return the principal without prepayment penalty. If the KFS doesn't mention a cooling-off period — or says "non-refundable" — it's illegal.
11Privacy policy is missing, unsigned, or hosted on a free blog domain
A real lender's privacy policy lives on its own corporate domain, names a data fiduciary, and complies with the Digital Personal Data Protection Act. If the policy is on Blogger, a Telegram link, or a "freewebs" type domain, the lender is illegitimate.
12The app is not on Google Play or Apple App Store — distributed via APK or Telegram
Since the 2026 store sweeps, the safest legitimate lending apps are all on Play Store and App Store. APKs shared via WhatsApp, Telegram, or downloaded from random websites are almost universally illegal. Never sideload a lending app.
If you've already borrowed from a fake app — what to do
You're not powerless. Steps in order of urgency:
- Document everything. Screenshot the loan agreement, every call, every message, every payment. Record any harassment calls (legal in India for self-protection).
- Do not pay extortion demands. If they threaten morphed photos or social media exposure, this is criminal extortion. The right answer is FIR, not payment.
- File at cybercrime.gov.in — or call 1930 (national cyber helpline). This creates an FIR-equivalent.
- File at sachet.rbi.org.in — RBI's portal for unauthorised lending. Action is taken against the regulated entity that fronted for the illegal app.
- Inform your bank — they can flag the disbursal account, and may help with reverse-claims for the principal.
- Tell your family yourself — before the harassment does. Removing the leverage stops the playbook in its tracks.
- Block on TRAI DND — and on your phone's call-blocker app.
- Repay only the legal principal — usurious interest and "fees" that were not in a KFS are not legally collectible.
Where to complain — 4 official channels
| Channel | For | How |
|---|---|---|
| Cyber Crime Portal | Harassment, fraud, data theft, morphed-photo threats | cybercrime.gov.in or call 1930 |
| RBI Sachet | Unauthorised lending, app not RBI-compliant | sachet.rbi.org.in |
| RBI Banking Ombudsman | Licensed lender breaking rules | cms.rbi.org.in |
| Google Play / Apple App Store | App removal | App listing → "Report as inappropriate" → "Illegal lending" |
How to find legitimate lenders
Three trusted checks:
- RBI's licensed NBFC list — search by name; if not there, walk away.
- RBI's list of registered Digital Lending Platforms.
- Independent comparison platforms like CreditDost — we only list lenders whose RBI-regulated entity name is verifiable.
Compare RBI-compliant personal loan offers
CreditDost compares loan offers from 30+ RBI-regulated banks and NBFCs. We never list illegal apps — and we are free for borrowers.
Compare Offers →Frequently asked questions
What are RBI's digital lending rules in 2026?
RBI's March 2026 master direction supplement requires: standardised APR in the Key Fact Statement, direct disbursal from regulated lender to borrower (no third-party pass-through), banned access to contacts/gallery/SMS (only camera, mic and location allowed), recovery calls limited to 8 AM–7 PM, mandatory grievance officer details on every app, and a cooling-off period to return the loan without prepayment penalty.
How can I check if a loan app is RBI-compliant?
Three checks: (1) The regulated lender's name must appear on rbi.org.in's licensed NBFC/bank list. (2) The lender name must be on the app's home screen, not buried in fine print. (3) A Key Fact Statement (KFS) must appear BEFORE signing, with APR, processing fees and cooling-off period. If any are missing, the app is not compliant.
What if a loan app accesses my contacts or gallery?
Accessing contacts, gallery, SMS or call logs is BANNED under the 2026 rules — even with consent. Only camera, mic and location are allowed. Report to RBI Sachet (sachet.rbi.org.in), cybercrime.gov.in, and Google Play / Apple App Store as illegal lending.
A loan app is calling my family and friends — what do I do?
This is illegal harassment. Save recordings/screenshots, file at cybercrime.gov.in (or call 1930), file at sachet.rbi.org.in, block the harassing numbers, inform your local police station with evidence. Illegal recovery can void the recovery action and revoke the lender's RBI licence. You do NOT have to pay if recovery is conducted illegally.
Can a loan app charge any interest rate?
No. APR must be disclosed before signing in the KFS, including all fees, GST, insurance and recurring charges. Apps showing "1% per day" without APR are non-compliant. Many illegal apps charge effective APRs of 200–800% per year — predatory and reportable.
What is the cooling-off period for digital loans?
A window during which you can return the principal (with proportionate APR for days used) without prepayment penalty. The exact period must be in your KFS — minimum 1 day for short tenure loans and longer for term loans. If you regret a loan within this window, repay and walk away.
Where do I complain about an illegal loan app?
RBI Sachet (sachet.rbi.org.in) for unauthorised lending, cybercrime.gov.in or call 1930 for harassment/fraud, RBI Banking Ombudsman (cms.rbi.org.in) for licensed lender violations, and Google Play / Apple App Store to report and remove the app. Save all evidence first.