There’s no single RBI notification titled “RBI DSA Guidelines.” Loan DSAs are governed indirectly, through RBI Loan Rules that apply to the banks and NBFCs that appoint them: chiefly the Outsourcing Directions, the RBI Digital Lending Directions, 2025, and the Responsible Business Conduct (Second Amendment) Directions, 2026, which for the first time explicitly names DSAs in agent-conduct rules. This amendment was released on June 15, 2026, but doesn’t take effect until January 1, 2027, so DSAs have a compliance runway, not zero lead time. DSAs aren’t RBI-licensed, but they carry real DSA compliance responsibility because their lender is fully accountable to RBI for their conduct.
Understanding the RBI DSA Guidelines this way, as indirect, layered, and evolving, is the starting point for running a compliant DSA business in 2026.
Quick Definitions
These terms come up throughout any discussion of RBI DSA Guidelines and DSA compliance, so it helps to have them straight before diving in.
- DSA (Direct Selling Agent): Sources loan customers for a bank/NBFC under an outsourcing agreement; no prior RBI approval is needed to appoint one.
- RE (Regulated Entity): The bank, NBFC, or co-operative bank RBI directly licenses and supervises.
- LSP (Lending Service Provider): An agent performing digital lending functions, such as acquisition, underwriting support, or servicing, on behalf of an RE.
- KFS (Key Fact Statement): Mandatory all-in-cost disclosure delivered to the borrower before loan signing, one of the clearest markers of RBI’s digital lending guidelines in action.
- DLA (Digital Lending App): The app used by an RE or its LSPs to deliver digital lending.
- CIMS: RBI’s portal where REs report every DLA they operate or engage.
Executive Summary Table
| Compliance Area | Requirement | Applies To | Operational Impact |
| Digital Lending Directions, 2025 | KFS disclosure, direct disbursal, cooling-off period | DSAs sourcing digital loans for REs | Must explain KFS and disbursal flow accurately to borrowers |
| Outsourcing of Financial Services | RE due diligence on DSAs; written agreements | All DSAs appointed by banks/NBFCs | Must maintain documented agreements and conduct standards |
| KYC Master Directions | Customer identification before loan facilitation | DSAs collecting borrower documents | Must verify document authenticity, never bypass KYC |
| Fair Practices Code (carried into 2025 Directions) | No mis-selling, no coercive recovery | DSAs and recovery-linked DSAs | Must avoid misleading claims and aggressive tactics |
| Data privacy norms (RBI Directions + DPDP Act, 2023) | Purpose-limited, consented data collection | DSAs handling borrower personal data | Cannot access contacts/gallery; must secure consent records |
| Grievance redressal | RE and LSP nodal officers; RBI CMS escalation | DSAs interfacing with borrowers | Must direct unresolved complaints to RE’s grievance channel |
| Responsible Business Conduct (2nd Amendment), 2026 | On-person ID for DSAs at bank premises; expanded mis-selling refund rules | DSAs, DMAs, sub-agents, TPPS representatives | Effective Jan 1, 2027. Build the identification and disclosure habit now |
| Credit Information Reporting Directions | Weekly (not fortnightly) bureau data updates | All REs, indirectly affecting DSA-sourced borrowers’ scores | Borrower CIBIL data now refreshes up to five times a month |
Do RBI DSA Guidelines Exist as a Separate Regulatory Framework?
No. RBI does not license, register, or directly supervise individual Loan DSAs. DSAs operate as agents of banks and NBFCs, the Regulated Entities (REs) RBI actually licenses. RBI’s regulatory reach extends to DSAs only through the RE that appoints them.
This indirect structure means a DSA’s compliance obligations are defined by the contract and conduct standards the bank or NBFC sets, themselves derived from RBI norms. The RE is fully accountable to RBI for the DSA’s conduct, documentation accuracy, and customer treatment, even though the DSA itself isn’t an RBI-regulated entity.
Bottom line: DSAs are regulated by extension, not by direct RBI license. Compliance failures by a DSA become compliance failures attributed to the RE.
RBI Rules Every Loan DSA Must Know
RBI loan rules for DSAs aren’t found in one place. The core framework a DSA operates under includes the RBI Digital Lending Directions, 2025, RBI’s outsourcing directions for banks and NBFCs, the Fair Practices Code, KYC/AML Master Directions, and now the 2026 Responsible Business Conduct amendment, covering disclosure, data handling, ethical selling, and identity verification.
1.RBI Digital Lending Directions, 2025 (RBI/2025-26/36, dated May 8, 2025), which replaced the 2022 digital lending guidelines and is now the primary reference for any loan sourced or processed digitally:
- A Key Fact Statement (KFS) disclosing the all-in cost, including interest, fees, penal charges, and APR, must reach the borrower before the loan contract is signed.
- Direct disbursal: loan proceeds move straight from the RE’s account to the borrower’s account, never through a DSA’s or LSP’s pass-through account, except for specific co-lending or end-use cases.
- Data collection limits: only data necessary for the loan purpose, with explicit consent; borrowers can revoke consent or request erasure.
2.Outsourcing directions for banks and NBFCs: RBI’s outsourcing framework, including the NBFC (Managing Risks in Outsourcing) Directions, 2025 (RBI/DOR/2025-26/363, dated November 28, 2025), requires REs to maintain a board-approved Code of Conduct for DSAs and DMAs, train them properly, and retain control over core decisions like credit sanction. A DSA can source and verify, but final loan approval always stays with the RE.
3.Fair Practices Code: the umbrella principle behind customer-facing conduct, meaning no intimidation, no harassment, no misleading representation, and clear upfront communication of terms.
4.KYC/AML obligations: DSAs assisting with onboarding must ensure documents are genuine, current, and collected through the RE’s approved verification process.
5.DPDP Act, 2023 (data privacy): runs alongside RBI’s rules and requires informed consent before collecting personal data, breach reporting to the Data Protection Board (by the RE, as data fiduciary), and honoring a borrower’s right to erasure. A note on timing: the DPDP Rules were notified on November 13, 2025, and most operational obligations, including the breach-notification clock, are on an 18-month phase-in, reaching full enforcement on May 13, 2027. Treat this as the direction things are firmly heading, not yet a fully live enforcement regime today.
6.Responsible Business Conduct (Second Amendment) Directions, 2026: released June 15, 2026, effective January 1, 2027. This is the first RBI framework to explicitly widen agent-conduct rules to name DSAs, DMAs, sub-agents, and TPPS representatives. Two provisions matter most for DSAs: any DSA physically present at a bank’s premises must carry clear “on-person” identification distinguishing them from bank employees, and mis-selling now carries a mandatory full-refund-plus-compensation obligation for the RE, which flows straight back to scrutiny of the DSA’s sales conduct.
Bottom line: RBI loan rules for DSAs sit at the intersection of outsourcing accountability, digital lending disclosure, and, from January 2027, explicit, named anti-mis-selling conduct rules for DSAs specifically.
Also read: List of India’s Leading Loan DSA Companies (2026)
Myth vs Fact
| Myth | Fact |
| RBI licenses Loan DSAs | RBI licenses banks/NBFCs only; DSAs are empanelled by these REs |
| DSAs can hold loan funds briefly before crediting the customer | Disbursal must go directly to the borrower’s account, with no pass-through |
| Verbal promises of “guaranteed approval” are fine if the loan usually gets approved | Any misleading assurance violates the Fair Practices Code |
| Data collected for one loan can be reused for future cross-selling without asking again | Fresh, purpose-specific consent is required each time under DPDP norms |
| RBI mandates DSA commission disclosure to customers | No standalone RBI rule requires this; some lenders choose to disclose it |
Key takeaway: RBI loan rules for DSAs sit at the intersection of outsourcing accountability, digital lending disclosure, and (from 2026 onward) explicit anti-mis-selling conduct rules.
Also read: Corporate DSA vs Individual Agent: Tax Benefits & Payout Tiers in 2026
| Do You Know? (RBI’s 2026 Agent-Conduct Overhaul)→ The Responsible Business Conduct (Second Amendment) Directions, 2026 were released on June 15, 2026 and take effect January 1, 2027. For the first time, any DSA, DMA, sub-agent, or TPPS representative present at a bank’s premises must carry clear “on-person” identification distinguishing them from bank employees. Source: Business Standard, June 15, 2026 — RBI tightens norms on bundled products→ The DPDP Rules, 2025 were notified on November 13, 2025, but full operational obligations, including the breach-notification clock, don’t kick in until May 13, 2027. Only the Data Protection Board’s establishment is live today. Source: Press Information Bureau, Government of India, November 17, 2025 — PIB DPDP Rules notification→ RBI’s NBFC (Managing Risks in Outsourcing) Directions, 2025 gave NBFCs until April 10, 2026, or contract renewal (whichever came earlier), to align existing IT outsourcing agreements. That deadline has already passed, so any DSA-facing NBFC should now be fully compliant on this front. Source: Vinod Kothari Consultants, February 2026 — IT Outsourcing Under the RBI’s 2025 Directions |
Daily Operational Compliance Checklist for Loan DSAs
In practice: verify identity, disclose everything upfront, never touch loan funds, record consent, and document every step. This is the RBI DSA Guidelines translated into a routine you can run before your morning coffee gets cold.
| Stage | What to Do |
| Lead generation | No misleading ads, no guaranteed-approval claims, no fake urgency |
| Customer communication | Disclose interest rate, processing fee, and tenure before collecting documents |
| Document collection | Collect only what the lender’s checklist requires |
| Identity verification | Cross-check Aadhaar/PAN against lender’s KYC checklist; verify originals |
| Consent recording | Capture explicit, recorded consent before submitting any application |
| Data security | Store documents only as long as needed; never share with third parties |
| Application submission | Submit through the lender’s official DSA portal, never informal channels |
| Customer updates | Keep the borrower informed on status |
| Post-disbursement conduct | No aggressive recovery tactics; escalate defaults to the lender |
Bottom line: A clean daily checklist is your best protection if a bank ever audits your file.
Also read: Best Loan DSA Platform in India 2026: Compared for Max Earnings
Digital Onboarding Compliance
DSA registration gets you empanelled, but digital onboarding compliance is where RBI actually scrutinizes your day-to-day conduct. It needs verified KYC, logged electronic consent, and KFS delivery before signing.
- KYC verification must match the lender’s approved e-KYC or video-KYC process.
- Electronic consent for terms, data sharing, and bureau checks must be logged, not assumed.
- KFS delivery before signing: banks are now specifically auditing DSA files for KFS compliance, one of RBI’s biggest 2026 enforcement priorities.
- Cooling-off period: borrowers can exit within the RE-board-set window (minimum one day) by repaying principal plus proportionate interest, without penalty. Tell customers this option exists.
Key takeaway: Every digital onboarding step should leave a paper trail your lender can produce on demand.
Also read: Axis Bank DSA Registration: Direct vs Multi-Bank Commission
Borrower Data Privacy Framework
Data handling is one of the sharper edges of the RBI DSA Guidelines. Collect only what’s needed, get explicit consent, never over-retain data, never share it outside the lender’s approved systems.
Data collection must be need-based with prior explicit consent; one-time camera, microphone, or location access is permitted only for KYC purposes. Access to contacts or call logs is prohibited outside one-time KYC needs.
- Never request contact-list or gallery access “to speed things up.”
- Never keep a personal spreadsheet of customer PAN/Aadhaar outside the lender’s system.
- Never forward documents over personal WhatsApp or email.
- Always share the lender’s privacy policy; don’t skip it.
Key takeaway: Data discipline is now one of the biggest DSA compliance audit points banks check.
Commission Transparency and Ethical Selling
The RBI DSA Guidelines are explicit here: commissions must come directly from the lender, never deducted from the loan amount disbursed to the borrower.
Under the 2026 amendment, incentive structures that drive kickback-linked mis-selling are explicitly closed off, and the mandatory refund-plus-compensation rule for mis-selling gives lenders a direct financial reason to police DSA sales conduct more tightly once it takes effect in January 2027. Understanding your full payout structure, including TDS on DSA commission, is part of running a compliant DSA business, not just a tax exercise.
Key takeaway: Transparent, lender-paid commissions protect your DSA code; mis-selling tied to incentives is now an explicit regulatory target.
Also read: Top 10 Banks/NBFCs Offering Highest DSA Commission in India
Risk Assessment Matrix
This is where DSA compliance most often breaks down under the RBI DSA Guidelines in practice, and where a bank’s audit team looks first.
| Compliance Risk | Likelihood | Business Impact | Mitigation |
| Mis-selling / incomplete disclosure | High | Severe | Always deliver KFS; avoid absolute claims |
| Touching disbursal funds | Medium | Severe | Confirm direct RE-to-borrower transfer |
| KYC/document mismatch | Medium | High | Verify originals against lender system |
| Unauthorized data sharing | Low-Medium | High | Restrict data to lender’s official channels |
| Non-compliant marketing | High | Medium | Use lender-approved messaging only |
| Poor record keeping | Medium | Medium | Maintain a digital compliance file per loan |
Loan DSA Compliance Checklist (Ready Reference)
Most of this checklist traces straight back to what you agreed to at DSA registration, so treat it as a promise-keeping exercise, not a new burden.
- Signed outsourcing/empanelment agreement with the RE in place
- Unique DSA code disclosed to every customer
- Only lender-approved rate cards and marketing material used
- Original documents verified before submission
- Consent captured before data collection or credit pull
- No customer data retained beyond active processing
- No loan funds ever received into a personal account
- KFS shared before signing (digital lending cases)
- Application submitted only via the lender’s official portal
- Complaints escalated to the RE’s grievance officer
Also read: How Corporate DSA Code Registration Helps You Earn Higher Commission as a Loan Agent
How Ruloans Helps Loan DSAs Stay Compliant
Ruloans supports its DSA partner network with structured onboarding, documentation workflows, and technology via the Ruconnect App, helping DSAs meet lender-imposed compliance standards without implying any RBI endorsement, and without adding a single extra step to DSA compliance.
With 275+ banks and NBFCs on its panel and 25+ years of operating history across 4,000+ cities, Ruloans built its DSA experience around removing the friction that causes DSA compliance slips. Structured onboarding walks new DSAs through documentation standards upfront; getting DSA registration right the first time avoids most compliance headaches down the line. The Ruconnect App, India’s Best B2B loan distribution channel partner app, gives one DSA code access to 275+ lenders, with 24-hour onboarding, instant eligibility checks, and real-time tracking, so files move through official channels instead of workarounds. Online payout claims with 100% on-time payouts remove any incentive to seek funds directly from customers, and ongoing product training keeps DSAs current as lender and RBI-linked norms evolve.
This is operational and educational support, not a claim of RBI approval. Ruloans, like every DSA network, operates within the boundaries its partner lenders set.
Also read: B2B Partnerships in Finance: Why DSAs Should Leverage Aggregators
Conclusion
RBI regulates Loan DSAs indirectly, through the banks and NBFCs that appoint them, which means your real job is following the lender’s Code of Conduct, delivering the KFS on time, never touching disbursed funds, and keeping clean records. As the RBI Digital Lending Directions and the 2026 Responsible Business Conduct amendment raise the bar (the latter taking effect January 1, 2027), DSAs who treat these RBI DSA Guidelines as routine, rather than a once-a-year audit scramble, are the ones who stay empanelled and keep earning.
Ruloans makes this easier: 275+ lenders, one DSA code, and the Ruconnect App handling KYC, KFS, and payouts from DSA registration through your first payout, so you can focus on loan sourcing, not paperwork. Register with Ruloans today and build your DSA business on a fully compliant footing.
FAQ
1. Does a DSA count as an NBFC, or need NBFC registration?
No. A DSA is an outsourced sourcing agent, not a lending entity. Only the bank or NBFC that appoints you holds an RBI license; you never need separate NBFC registration to work as a DSA, though you’ll still need standard DSA registration with each lender you’re empanelled under.
2. Can RBI penalize a DSA directly, or only the bank/NBFC?
RBI’s enforcement powers act on the Regulated Entity, the bank or NBFC, not on individual DSAs. A non-compliant DSA typically faces contract termination or blacklisting from the lender, rather than a direct RBI penalty.
3. What are the RBI-specified calling hours for loan recovery agents?
Recovery-related contact has long been restricted to between 8 AM and 7 PM under RBI’s existing Fair Practices Code, historically applicable mainly to scheduled commercial banks and Housing Finance Companies. RBI has proposed extending this same window, along with mandatory IIBF certification for recovery agents, to all regulated entities including NBFCs, cooperative banks, and asset reconstruction companies, with a target effective date of July 1, 2026. As of the latest available information, this extension was still a draft awaiting final notification. This applies to recovery agents specifically, which may or may not be the same role as your sourcing DSA work.
4. What is the RBI Ombudsman, and can it be used against a DSA?
The RBI Ombudsman resolves unresolved customer complaints against banks and NBFCs, not against DSAs directly. If a customer complains about a DSA’s conduct, the complaint routes through the lender’s grievance system first, and escalates to the Ombudsman only if the lender’s own resolution fails.
5. How can I verify if a Digital Lending App (DLA) is genuinely RBI-compliant?
RBI publishes a public directory of registered DLAs on its website. Checking whether the app your lender uses appears on this list is the direct way to confirm it isn’t an unauthorized or blacklisted lending app.
6. Does a Master DSA or aggregator platform need separate RBI approval to operate?
No. A Master DSA or multi-lender platform is still operating as an outsourced agent of each bank/NBFC it’s empanelled with; it doesn’t require a standalone RBI license, even though it may work with 100+ lenders simultaneously.
7. If my bank or NBFC gets penalized by RBI, does that affect me as their DSA?
Potentially, yes. If an RE faces RBI action, such as a business restriction or co-lending suspension, sourcing activity through that lender can pause or slow down, even if you personally did nothing wrong.
8. Do these RBI rules apply to Buy Now Pay Later (BNPL) products I source?
Generally yes. RBI’s Digital Lending Directions, often referred to informally as its digital lending guidelines, extend to BNPL and similar short-term digital credit facilities, since these are treated as lending transactions, not just payment deferrals.
9. Do RBI’s digital lending rules apply the same way to business/MSME loans as personal loans?
Yes. RBI has clarified that its digital lending guidelines apply to business and MSME loans as well, not just consumer personal loans, so KFS and disbursal rules aren’t limited to retail products.
10. What’s the practical difference between an LSP and a DSA?
An LSP (Lending Service Provider) is the broader RBI term for any agent performing digital lending functions, such as sourcing, underwriting support, servicing, or recovery, on behalf of a lender. A DSA is typically the sourcing-focused subset of that role; in practice, most DSAs are also technically LSPs the moment they operate digitally. RBI’s June 2026 Agency/Referral framework formalizes this distinction further.

Every article on Ruloans is researched, written, and verified by a team of former bankers, certified financial planners, DSA industry veterans, and lending compliance specialists with over 25 years of hands-on experience in India’s loan distribution landscape. From decoding home loan eligibility and EMI planning for borrowers, to guiding DSA partners on commissions, registrations, and building a lending business — our content is grounded in real industry expertise, fact-checked against live RBI guidelines and current bank and NBFC policies, and built to help you make confident financial decisions.
