The Economic Times recently reported that the RBI is now directly auditing Loan Service Providers (LSPs).
Until now, RBI queries were routed through Regulated Entities (REs). But this time, during annual RE inspections, the RBI reportedly called in LSP employees directly. Questions were centered around tech stacks, onboarding flows, KYC, and disclosure practices.
Legally speaking, nothing has changed – the RBI always had this power. The outsourcing guidelines require REs to give the RBI inspection rights over LSPs in their contracts - even though LSPs aren’t directly regulated. It’s just that the RBI rarely exercised this right. Until now.
Why now? Because LSPs have gone from being in ‘supporting roles’ to becoming ‘systemically critical’.
Just a handful of LSPs today enable most of India’s digital lending ecosystem - handling everything from customer acquisition to KYC and customer servicing. While these LSPs operate outside RBI’s direct regulatory authority, their failure can pose systemic risk to the lending landscape. RBI is watching this concentration risk - and it’s stepping in, pre-emptively.
So, if you’re an LSP, what should you do? Obviously, your goal would be to partner with as many REs as possible. So, you really cannot help the concentration. What you can do, however, is assure REs, and in turn the RBI, that your practices are robust enough to identify and avoid any possible risks.
Here’s your broad checklist:
Get ahead on Data Privacy:
Even though the Digital Personal Data Protection Act (DPDP Act) is freshly passed and its rules are being finalized, the principles are here: explicit consent, purpose-limited data use, and data security.
Why wait for implementation?
- Ask for clear, explicit, specific, and informed consent
- Let customers opt out of non-essential data sharing.
- Disclose how long you store data, what your data destruction protocol is and how you handle breaches.
- List third parties accessing user data.
- Adopt the best cybersecurity practices available in the market.
Disclosures? Keep them simple and transparent
- Your app or site should clearly name the REs you work with, describe the service being offered, and list all applicable charges.
- Make your grievance redressal easy to find and easy to use.
- Detail all fees, charges, and interest rates in simple language. No hidden costs.
- Present critical information upfront, not buried in fine print.
Part of a big group? Prove your independence
If you’re the LSP arm of a large business house, show that you are insulated from risks your parent company may face. So:
- Maintain your own capital, operations, and risk controls.
- Set up clear business continuity protocols.
- Show that decisions are made in-house - not dictated by the parent.
Further outsourcing? Do it carefully. Always get RE consent.
RBI’s directions explicitly require that your contract with the RE allows subcontracting only with the RE’s prior consent.
- Keep the RE in the loop – they must have visibility into and audit rights over your subcontractors too.
- Ensure your agreements flow down the same privacy, security and audit clauses you’re required to follow.
- Train every vendor on RBI-aligned standards and have them agree to notify you of incidents immediately.
Working with a group NBFC? Keep things at arm’s length
If you’re an LSP owned by or part of an NBFC’s corporate group, be especially diligent about keeping duties separate.
- No unbridled data sharing.
- Don’t take on core functions of the RE.
- Stay within the defined LSP role.
TL;DR: If you’re an LSP, this is your moment to show you’re not just compliant but also built to last.
Author Credits:
Fintech Team - Aparajita, Astha, Shayeri, Samyukta