Remote Device Locking: RBI proposes highly guarded path

Some proposals may be impractical

– Jeel Ranavat, Assistant Manager | finserv@vinodkothari.com

On May 21, 2026, the RBI issued the revised draft RBI (Non-Banking Financial Companies – Responsible Business Conduct) Amendment Directions, 2026, which contains several paragraphs that were not in the earlier Draft RBI (Non-Banking Financial Companies – Responsible Business Conduct) Second Amendment Directions, 2026. These paragraphs permit a financier of devices to remotely lock part of a device's functionality on continued non-payment of dues. Among other safeguards, such as preserving basic functionality (access to internet, incoming calls, emergency SOS features, and receipt of emergency Government or public-safety notifications), the RBI also imposes a minimum 90-day default to trigger the locking. In our view, given the short tenure of funding, the 90-day default threshold, clearly a legacy of long-term lending practices, is quite impractical in the context. We present the highlights and our critical appraisal of the RBI’s proposals.

Introduction

Remote device locking is fast becoming the new device in recovery practices. With the ability to remotely restrict access to a borrower’s device, lenders are increasingly viewing the technology as a powerful tool to control defaults and strengthen recoveries.

In past supervisory observations, the RBI raised concerns regarding “full device locking” mechanisms adopted by certain lenders and Lending Service Providers (LSPs), noting that such measures may be disproportionate, coercive, and restrict access to essential device functionalities. The concerns appear to stem from borrower protection and fair practices considerations, particularly where borrowers are denied access to basic device features unrelated to the financed asset or outstanding dues.

At the same time, the Digital Personal Data Protection Act, 2023 (DPDP Act) introduces an additional layer of regulatory scrutiny, as device-level restrictions and monitoring inherently involve the processing and control of personal data, making borrower consent, lawful processing, proportionality, purpose limitation, and data minimisation central to any remote locking framework.

From a data protection perspective, excessive control over a borrower’s device may raise serious concerns around privacy, digital autonomy, and the broader obligation to safeguard the rights of data principals.

The RBI has issued the Revised Draft – RBI (Non-Banking Financial Companies – Responsible Business Conduct) Amendment Directions, 2026, which provides for the deployment of a technology-based mechanism for recovery of loan dues, also known as “Remote Device Locking”, and proposes to restrict the use of device-locking mechanisms as a recovery tool, except where the loan was specifically granted for financing the concerned mobile device.

The regulatory message is increasingly clear that technology-driven recovery mechanisms cannot come at the cost of privacy, fairness, or access to essential digital services.

Pre-requisites for Remote Device Locking


The use of device-locking mechanisms as a recovery tool is not permitted. However, where the loan was specifically granted for financing the concerned mobile device, lenders may adopt such measures subject to certain conditions:

  • Documentation and Communication: 
    • Clear and unambiguous disclosure in the loan agreement which expressly authorises such restrictions.
    • Further, trigger events for initiating recovery-related restrictions must be clearly defined and disclosed upfront to the borrower.
  • Prior Notice: A structured notice and cure mechanism must be implemented prior to imposing any restriction. 
    • A minimum 21-day notice period should be provided once the account reaches 60 DPD, giving the borrower a chance to cure the default. 
    • Following expiry of the 21-day notice, an additional 7-day cure period is given to the borrower before any restrictive measure is imposed.
  • DPD Status: Restrictions should be invoked only where the account remains in default beyond 90 DPD despite prior notices and cure opportunities, ensuring that such measures are used strictly as a last resort.
  • Access Control: Under no circumstances should restrictions impair access to essential device functionalities, including internet connectivity, incoming calls, emergency SOS services, or government/public safety notifications. 

Conclusion

Most device financing loans are short-tenure products, typically ranging from 3 to 12 months. If lenders are required to wait until 60 DPD, followed by a 21-day notice period, an additional 7-day cure window, and eventual restriction only after 90 DPD, this may significantly reduce the commercial effectiveness of remote device locking as a recovery tool.

In short-tenure device financing loans, recovery measures are most effective during the early stages of delinquency, when the borrower continues to actively rely on the device. 

In practice, several lenders have historically adopted much earlier-stage device restrictions upon payment default. However, RBI appears to be consciously moving away from such practices due to concerns around coercive recovery measures, borrower protection, proportionality, and access to essential digital services.