Understanding the CCO’s Certification for DLAs: Digital Lending Directions, 2025

Aditya Iyer | finserv@vinodkothari.com

The Reserve Bank of India (Digital Lending) Directions, 2025 (DL Directions), introduce the requirement for Regulated Entities (‘REs’) to report the Digital Lending Apps (DLAs) utilized by them on the CIMS Portal (Para 17). Moreover, there is now also a requirement for the Chief Compliance Officer or other designated officer to certify the compliance of these DLAs.

Simple as it may appear, this requirement raises several questions: (i) which entities exactly need to be reported; (ii) whether entities with an indirect / lead-referral arrangement with the DLA also need to be reported; (iii) which RE does the reporting where a DLA is used in co-lending; and (iv) which compliances exactly need to be certified, since the regulations also require the DLA to comply with “extant regulatory instructions”.

In addition to the above, the topic warrants discussion because the regulator has, according to recent news reports, been auditing LSPs and is reportedly engaging with them directly. The certification therefore cannot be mere lip-service or a “tick-box” compliance, and must be founded on a substantive review of the DLA. Hence, we attempt to answer the above questions in the present write-up, beginning, of course, with the contextual background for these compliances.

Background

As of April 2025, there are a reported 24 Fintech “unicorns” in India, with a combined estimated valuation of $125 Billion[1], and as of December 2024, Fintech lenders reportedly serve around 23 million consumers (from 14 million in December 2022).[2] Hence, with drivers such as reduced geographical barriers, quick onboarding, expedited underwriting and disbursements, fintech lending seems to be booming.

While this growth is laudable, the RBI’s Annual Report for FY 2024-2025 also reveals a growing concern around “illegal” Digital Lending Apps, which by falsely representing partnerships and associations with Regulated Entities (REs) beguile innocent consumers into obtaining facilities from such apps/platforms. Even in the case of “legal” Digital Lending Apps, there may be concerns around the disclosure of information, consumer rights, data protection with respect to information harvested from consumers, etc.

Perhaps in an attempt to combat such false representations, the DL Directions bring with them increased regulatory oversight of DLAs and fintech platforms. This increased oversight results from (a) a clearer definition of DLAs; and (b) the requirement for the CCO (or other equivalent officer) to certify the DLA’s compliance with “all the extant regulatory instructions”, including the instructions under the DL Directions.

By expanding the definition of DLA, and requiring the contracting RE’s CCO to certify the DLA’s compliance, these platforms, which are otherwise not directly regulated by the RBI, are brought into a gossamer web of regulation.

DLAs to be covered – For Reporting & Certification

a. Which entities need to be reported/certified?

Under Para 17 (i) of the DL Directions, the requirement is that: the “REs shall report all the DLAs deployed/joined by them, whether of their own or those of the LSPs, either exclusively or as a platform participant” on the CIMS portal. Further, under Para 17(iii) the CCO of the RE (or other official designated by the Board for such purpose) shall certify inter alia that the DLAs reported are compliant with all the regulatory instructions.

The DL Directions, 2025 define the ambit of a DLA to include:

Mobile and/or web-based applications, on a standalone basis or as a part of suite of functions of an application with user interface that facilitate digital lending services…

Applications facilitating digital lending functions on a standalone basis clearly refer to the run-of-the-mill DLAs that offer dedicated digital lending services. What, then, would be included under DLAs that offer lending as “part of [a] suite of functions”? In our view, this would cover instances where the lending is incidental or complementary to the main offering, e.g. e-commerce platforms which offer check-out financing. In this example, such platforms would also be considered LSPs of the lenders, and their applications would be the lender’s DLAs, provided the digital lending process is carried out on the same platform.

Hence, such entities would need to be reported, and accordingly their compliance with the extant regulatory instructions would need to be certified.

Before proceeding to explore the scope of this certification, it is prudent to clarify whether such compliances would also be applicable upon: (a) “indirect DLAs”; and (b) DLAs in co-lending arrangements.

b. “Indirect” DLAs

Here, “indirect” DLAs refer to DLAs that have a lead referral arrangement with the LSP used by the RE. For instance, Lender ‘A’ uses DLA ‘X’. X in turn has a lead referral arrangement with DLA ‘Y’, such that when customers come to Y’s platform and cannot be serviced there (e.g. because Y’s lenders do not offer the requested facility, or the borrower is ineligible for it), the borrower is redirected to X’s platform. From there, X may pair the borrower with a host of other lenders, including Lender A.

In this case, one may call Platform Y an indirect DLA to Lender A. These lead referral arrangements are becoming increasingly common, and the question that arises here is, whether Lender A would need to report Platform Y, and undertake certification of the same.

In our view, the answer to this question is ‘no’, because these platforms are not facilitating the digital lending process. Further, since they are neither owned by the RE nor by an LSP of the RE, they would not be considered the RE’s DLA, and hence would not necessitate certification of compliance.

c. DLAs in Co-Lending

In the case of a co-lending arrangement, where two or more REs come together to extend a facility to a borrower, and a DLA is used to source the borrower, it is pertinent to consider whether all the partner lenders would need to report and certify the DLA, or only a particular RE.

In our view (and in the absence of any specific regulatory clarity here), in the case of co-origination of loans pursuant to a non-discretionary and ex-ante arrangement, the RE with which the DLA has an agreement would be responsible for undertaking the reporting and certification. Ideally, the co-lending arrangement should specifically segregate the responsibilities between the co-lenders, including placing the responsibility to certify the DLA’s compliances on the originating RE. For instance, consider that the DLA has an arrangement with Lender ‘X’, who at the back-end has a co-lending arrangement in place with Lender ‘Y’. In this X-Y relationship, it may be clearly delineated that the sourcing responsibilities will be undertaken by ‘X’ through its channels, and hence the contract with the DLA may be with ‘X’ only. In such a case, the responsibility to report and certify the DLA would be on Lender X.

Alternatively, in the case of the erstwhile “CLM-2” arrangement (done away with under the 2025 Co-Lending Directions) or other loan transfer arrangements, where the loan is sourced by a sourcing partner and subsequently transferred in part to the funding partner, only the sourcing partner, in our view, would need to undertake the certification and reporting of the DLA.

What should the certification cover?

The CCO is required to certify that the DLA is in compliance with, “all the extant regulatory instructions, including the provisions of these Directions” as updated from time to time.

  1. Provisions of the DL Directions to be considered when certifying:
    1. Multi-lender LSP – Para 6: In the case of a multi-lender LSP, the DLA should display all the information required for the customer to make an informed decision, and should not utilise dark patterns (for more on what exactly a “multi-lender LSP” is, see our detailed resource here, and for an explainer on dark patterns in lending, see here). To remain on the side of caution, the DLA may also carry out a “self-audit” as mandated by the CCPA circular here.
    2. Storage and processing of data – Paras 12, 13 and 14: The storage of data by the DLA should be on a need-to-know basis and with explicit consent, and the borrower shall have an option to deny/revoke the consent.

From an operational standpoint, the RE may also need to ensure that, in addition to merely having “buttons” on the app that allow for this, the DLA also has the means/systems needed to give effect to it. For instance, if the borrower does exercise their option to revoke consent, how is the data dealt with and disposed of subsequently?

Similarly, the DLA shall have clear policy guidelines on the storage of customer data, including the type of data, the length of time it can be stored for, the data destruction protocol, etc. Data shall only be stored within India, and if stored outside India, shall be brought into India within 24 hours of processing. The DLA shall not use biometric data unless otherwise allowed under applicable law, and there shall also be a comprehensive privacy policy as specified under Para 14.

This too should be seen not just from the standpoint of a certain policy document merely existing, but from the point of view of the standards and systems in place to ensure compliance with it.

    3. Compliance with technology standards – Para 15: The RE and its LSPs are to ensure that they comply with the various technological standards and requirements on cybersecurity stipulated by the RBI or other relevant organisations from time to time for undertaking digital lending.
    4. GROs: Where the DLA is not owned by the RE, it shall have a nodal grievance redressal officer to deal with digital lending related complaints, and the officer’s details shall be prominently displayed on the LSP. In our view, it would also suffice that the nodal GRO of the RE itself is appointed to handle the digital lending grievances, insofar as the details of the said person are disclosed by the DLA (see also Para 42 of our FAQs on the old directions here).
    5. Website disclosure: The RE has disclosed all the particulars submitted by the GRO on its website as provided under Para 8(iv) of the Directions.
  2. Other “extant regulatory instructions”: Admittedly, the phrase “extant regulatory instructions” is quite vague and does not afford the RE much clarity on what exactly needs to be complied with. However, in our view, the following regulatory and legal compliances may be considered at a minimum:
    1. IT Outsourcing Directions (insofar as applicable to the scale of the entity): It shall be ensured that the platforms discharge their obligations stemming from the IT Outsourcing Directions (e.g. having in place a business continuity and disaster recovery plan).
    2. Digital Personal Data Protection Act, 2023: Where the platforms are engaged in any processing of the personal data of the borrower on behalf of the lender, they may be regarded as “Data Processors” under the DPDPA. Hence, it should be ensured that the safeguards placed with regard to Data Processors are being adhered to by the platform (for instance, see Section 8 of the DPDPA, and Rule 6 of the DPDP Rules). Similarly, where the borrower, being the Data Principal, exercises their rights (e.g. the right to withdraw consent, grievance redressal, the right to update and correct data, the right to nominate a successor, etc.), the platform should have the systems and processes in place to give effect to the same. For more on the compliances under the DPDPA, and what has been proposed in the Draft Rules, see our explainer for lenders here.
    3. KYC-related aspects: Any KYC functions facilitated by or via the platform should be in compliance with the KYC Directions and the PML Rules (under Para 14 of the KYC Directions). Additionally, if any process flow is initiated by the platform on behalf of the lender (e.g. initiation of DigiLocker-based KYC), it shall be ensured that the documents flowing to the platform are handled as per the regulatory constraints.

Concluding notes

The certification is to be done by the Chief Compliance Officer of the RE, or other official designated by the Board (e.g. where the RE is not required by regulation to have a CCO, the compliance officer / legal counsel authorised by the Board may undertake the same).

Given that the Directions were notified on May 08, 2025, and the deadline for compliance with Para 17 was June 15, 2025, there may have been time constraints on the comprehensiveness of the review. However, for future DLAs onboarded and certified, given the increasing regulatory scrutiny (of both lenders and platforms), a review of the extent discussed above may be advisable.


[1] Data sourced from: https://fintechnews.sg/108940/fintech-india/the-complete-list-of-india-fintech-unicorns-2025/#:~:text=As%20of%202025%2C%20India%20has,the%20United%20States%20and%20China (last accessed in September 2025).

[2] TransUnion, ‘Fintech Compass’, 2024, available at: https://www.transunioncibil.com/content/dam/transunion-cibil/corporate/documents/fintech-compass-report-april-2025-updated.pdf (last accessed in September 2025).
