Banks and financial institutions increasingly rely on fintech vendors and third-party platforms to augment services. This collaboration brings efficiency but also significant legal and operational risks. India’s regulators have responded with an evolving framework of guidelines, emphasising that responsibility remains with the bank/financier. Recent RBI initiatives – notably the 2025 Digital Lending Directions and the draft Digital Banking Channels Authorisation master directions – underscore stringent due diligence, governance, and consumer-protection norms for third-party service providers. Against this backdrop, banks and NBFCs must craft robust contracts and governance processes.
In this post we analyse RBI’s current rules for fintech partnerships and outsourcing, the impact of India’s new data protection law (DPDP Act 2023), and key legal safeguards (service levels, data governance, audit rights, etc.) needed in contracts. We also review cases where lax oversight triggered enforcement actions, and outline best-practice approaches to vendor risk, compliance, and accountability.
RBI’s Evolving Framework for Fintech Partnerships
Digital Lending Directions, 2025
In May 2025 RBI replaced prior advisory guidelines with binding RBI (Digital Lending) Directions, 2025. These apply to all banks, NBFCs and AIFIs engaged in digital lending. The Directions require formal contracts with Lending Service Providers (LSPs) that clearly define each party’s roles, responsibilities and limits.
Regulated entities (REs) must conduct risk-based due diligence on fintech/LSP partners, assessing technical capability, financial soundness, data privacy and fair practices – before onboarding them. Crucially, REs remain fully responsible and liable for all activities of their fintech partners, even when outsourced. As RBI emphasizes, “outsourcing of any IT services…does not dilute [the RE’s] obligations and REs shall be liable for the actions of their Service Providers”. REs must continuously monitor LSP conduct (especially when LSPs also act as loan recovery agents) and promptly correct deviations.
The Directions also cover multi-lender models: when a fintech app presents competing loan offers, each bank must ensure impartial matching methods, clear disclosures (interest rates, fees, APRs, key fact statements) and avoid any dark-pattern selling. All digital lending apps (owned or run by LSPs) must be registered on RBI’s portal. Thus, the new regime tightens oversight of fintech vendors and ties all lending outcomes squarely to the lender’s compliance obligations.
Draft Digital Banking Channel Authorisation: In July 2025 RBI released draft Digital Banking Channels Authorisation directions. These proposals distinguish “view-only” services (e.g. balance enquiry) from “transactional” services (fund transfers, payments). Banks can launch view-only channels without prior RBI approval (subject to a post-launch risk-control report), but transactional channels now require RBI authorisation with higher eligibility criteria: e.g. minimum net worth, independent cyber-security certification, and robust IT preparedness.
The draft also extends existing IT/cybersecurity norms to smaller banks (RRBs, co-op banks, local area banks) and mandates stronger tech controls: risk-based transaction monitoring, network-independent mobile apps, multi-factor authentication and explicit customer consent for digital services.
For example, explicit multi-lingual disclosures, an option to opt-out of new digital services, and prohibitions against making digital banking mandatory for credit are stipulated. These measures reflect RBI’s supervisory expectations: fintech-enabled banking channels must comply with core cyber-risk and data protection standards, with regulators reviewing certifications and governance frameworks as pre-conditions for rollout.
Outsourcing Risk Management: RBI Guidelines
Indian regulators have long recognized the risks of outsourcing. The RBI’s original 2006 Guidelines on outsourcing financial services required banks to maintain control and oversight even when activities are outsourced. They emphasized that outsourcing “does not diminish [the bank’s] obligations” and that boards must approve an outsourcing policy covering selection criteria, risk parameters, and exit strategies. In practice, most of these principles now flow through to the new Master Directions on IT outsourcing.
RBI Master Direction on IT Outsourcing (2023): In April 2023 RBI issued a comprehensive Master Direction to regulate material outsourcing of IT services by all regulated entities. It came into effect in October 2023 for new contracts. Key requirements include:
- Board-approved Outsourcing Policy: An RE must have a detailed policy specifying governance roles, selection criteria for outsourcing (including arm’s-length conditions for group entities), materiality thresholds, and exit strategies.
- Due Diligence: Prior to engaging any IT vendor or fintech partner, the RE must perform risk-based due diligence on the provider’s financial strength, technical competence (including cyber-resilience), legal compliance, and reputation. Independent market feedback or audits on the vendor should be obtained wherever possible.
- Detailed Contracts: Outsourcing agreements must be legally binding and vetted by legal counsel, explicitly spelling out both parties’ rights and obligations. Per RBI, contracts should include:
  - Audit & Inspection Rights: The RE (and RBI) must have direct rights to audit and inspect the vendor’s relevant systems and records at reasonable notice.
  - Data Governance: Clauses mandating safe return or destruction of data, hardware, and records at contract end; forbidding vendors from deleting or altering data during transition; and requiring data storage only in India unless otherwise regulated.
  - Reporting Obligations: Immediate reporting by the vendor of material incidents (e.g. cyber breaches) so the RE can inform RBI within tight timelines.
  - Sub-contractor Limits: Prior written approval of the RE for any sub-contracting, with obligations flowing down to sub-vendors.
  - Business Continuity: The vendor must maintain robust BCP/DR plans and regularly test them.
  - Termination & Exit: Provisions for an orderly transition, including identifying alternate service providers or the possibility to insource, along with cost/time estimates.
- Ongoing Monitoring: Banks/NBFCs must continuously monitor vendor performance and compliance. Regular reviews/audits of the vendor (and any subcontractors) are required. Cybersecurity controls at the vendor should be reviewed and updated. If a vendor services multiple REs, safeguards must prevent information commingling. The RE must maintain an inventory of IT outsourcing activities and ensure any interlocks (e.g. personnel or ownership overlap) are addressed.
- Grievance & Customer Redress: REs must implement a grievance redress mechanism for issues arising via vendors. Importantly, the RBI clarifies that customer rights are unaffected by outsourcing: banks/NBFCs remain responsible for complaints and cannot deflect liability to the vendor.
NBFC Outsourcing Directions (2017): For NBFCs, RBI’s 2017 Directions on outsourcing are similar in spirit: NBFCs, too, “shall ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and RBI nor impede effective supervision”. NBFCs are also held responsible for actions of their agents (marketing, recovery, etc.) and must have board-approved policies, due diligence, and contracts mirroring the bank norms. (For example, RBI has penalized an NBFC for outsourcing its internal audit, a prohibited core function.)
In sum, modern RBI rules make risk management an active, board-level responsibility: regulated entities must govern fintech relationships through formal policies, continuous oversight, and prescriptive contractual safeguards.