RBI’s revised loan recovery draft is a major consumer-protection intervention. However, its device-restriction clause raises serious concerns over consent, privacy, livelihood, proportionality and digital coercion.
Mumbai (ABC Live): RBI’s revised loan recovery draft is not a routine compliance document. Instead, it is a major regulatory intervention in India’s changing credit market. Today, loans are sold through branches, mobile apps, business correspondents, NBFC partnerships, consumer durable finance channels, and digital lending platforms. Therefore, recovery regulation must also move beyond traditional branch-based lending.
The Reserve Bank first issued draft amendment directions on February 12, 2026. Following substantial stakeholder feedback, RBI amended many key provisions and issued a revised draft for another round of public consultation on May 20, 2026. Importantly, the regulator has noted feedback regarding technology-based mechanisms that may restrict or disable certain functions of a financed mobile device, such as a mobile phone or tablet, to recover loan dues from defaulting borrowers.
Consequently, the central issue is no longer limited to recovery-agent harassment. Instead, the question has become sharper: can a lender use software control over a borrower’s financed device as a recovery tool?
This question matters because a mobile phone is no longer an ordinary consumer product. Rather, it is a payment instrument, identity gateway, work device, education tool, emergency contact system and access point for public services. Therefore, RBI’s final framework must ensure that recovery remains lawful, proportionate and accountable.
Why RBI’s Revised Draft Matters
RBI has issued revised draft amendment directions for several categories of regulated entities. These include commercial banks, small finance banks, local area banks, regional rural banks, urban co-operative banks, rural co-operative banks, all-India financial institutions, NBFCs and housing finance companies. Therefore, the framework seeks to create a broad conduct standard across the formal lending system.
This wide coverage is important for three reasons.
First, borrowers face similar recovery pressure regardless of whether the lender is a bank, an NBFC, a co-operative bank, or a housing finance company. Therefore, fragmented rules would weaken consumer protection.
Second, outsourced recovery has grown rapidly. As a result, many borrowers now deal not with the lender directly, but with recovery agencies, business correspondents, field staff, call-centre teams and digital collection systems.
Third, technology has changed recovery behaviour. Earlier, coercive recovery mainly involved calls, visits, threats or public embarrassment. However, recovery can now also occur through digital nudges, app restrictions, phone-locking tools and data-driven pressure.
Thus, the RBI’s draft matters not only to lenders but also to millions of small borrowers who use mobile devices for daily survival, income, and financial access.
Data Snapshot: Why This Draft Has Public Importance
| Indicator | Data / Draft Position: Why | y It Matters |
|---|---|---|
| Date of revised RBI draft | May 20, 2026 | RBI reopened the consultation after stakeholder feedback. |
| Earlier draft date | February 12, 2026 | The revised draft reflects changes made in response to public comments. |
| Public feedback deadline | May 31, 2026 | Stakeholders have a short consultation window. |
| Proposed effective date | October 1, 2026 | Lenders may get a limited time to redesign recovery systems. |
| Regulated entity categories covered | 9 categories | The framework covers banks, NBFCs, HFCs, co-operative banks and AIFIs. |
| Device restriction threshold | 90 days past due | RBI seeks to prevent immediate digital coercion. |
| First notice stage | 60 days past due + 21 days to cure | Borrowers receive a warning window. |
| Second notice stage | At least 7 days more | RBI creates a graduated warning process. |
| Delayed unlocking compensation | ₹250 per hour | Borrowers receive compensation for delayed reversal. |
| Call record preservation | 6 months, or till disposal if sub judice | Creates evidence for recovery-abuse complaints. |
| Contact timing | 8:00 AM to 7:00 PM | Restricts intrusive recovery calls and visits. |
What RBI Gets Right
RBI Treats Recovery as Responsible Business Conduct
The revised draft rightly treats loan recovery as a conduct issue. This approach is important because recovery abuse rarely arises only from individual misconduct. Instead, it often flows from weak supervision, target pressure, poor outsourcing controls and incentive structures that reward aggressive collection.
The draft requires banks to frame a policy on the collection and recovery of loan dues. Specifically, this policy must cover recovery triggers, graded actions, an escalation matrix, a code of conduct for employees and recovery agents, recovery after the death of a borrower, due diligence for recovery agencies, inspection, audit, control mechanisms, and penal action against non-compliant recovery agencies. Moreover, it must include compensation for borrowers or guarantors who suffer loss due to a recovery action that is inconsistent with the directions.
Therefore, RBI is shifting recovery from informal field practice to board-level governance and audit controls. In practical terms, this makes recovery a compliance issue rather than merely a collection target.
RBI Makes Lender Accountability Non-Delegable
The draft broadly defines a recovery agency. It includes any entity or individual engaged under an outsourcing arrangement to assist in recovery, regardless of contractual name. Furthermore, the draft states that a business correspondent involved in recovery-related activities will also be treated as a recovery agency.
This is a strong provision. Lenders often use outsourced structures to distance themselves from field-level misconduct. However, borrowers experience these persons as representatives of the lender. Therefore, the RBI is correct in holding regulated entities accountable for the entire recovery chain.
In addition, this approach may reduce the risk of fake agents. For example, a borrower can verify whether the person contacting them is linked to an authorised recovery agency.
RBI Requires Disclosure of Recovery Agencies
The draft requires banks to make an updated list of recovery agencies available through prominent customer channels, including branches, websites, mobile apps and other digital platforms. In addition, the list must include the agency’s name, type, address, engagement period, purpose and assigned geographical area. Further, any modification must be updated within seven calendar days, while termination must be updated immediately.
This provision improves transparency. Moreover, it protects borrowers from fake recovery agents, unauthorised callers and expired agency arrangements. Consequently, recovery becomes more traceable and less vulnerable to informal intimidation.
RBI Protects Borrowers During Pending Grievances
The draft states that where a borrower has lodged a grievance related to loan dues or recovery, the bank shall not forward the recovery case to any employee or recovery agency until it has finally disposed of the grievance.
This is one of the strongest borrower-protection clauses. Otherwise, lenders could use recovery pressure even when the borrower disputes the amount, interest, charges, mis-selling, payment credit or classification of default. Therefore, this protection should remain intact in the final directions.
However, the RBI should go further. For instance, the same pause should apply to restrictions on technology-based devices where the borrower has raised a genuine dispute.
The Digital Device Restriction Clause: The Most Sensitive Provision
The most controversial part of the revised draft concerns technology-based recovery mechanisms.
The draft says a bank shall not deploy any technology-based mechanism that restricts or turns off any functionality of a borrower’s mobile device, except to recover dues arising from financing of that specific device. In other words, a lender cannot use a phone-locking mechanism for unrelated loans. Therefore, the restriction can apply only where the bank financed the concerned mobile phone, tablet or similar device.
This distinction is crucial. Without it, lenders could convert the mobile phone into a universal recovery switch for personal loans, credit cards, vehicle loans or business loans.
However, even this limited permission raises serious concerns. After all, a mobile phone is not merely a financial object. It is also a borrower’s daily interface with money, identity, work, education and public services.
Therefore, RBI must treat device restriction as an exceptional measure. Moreover, it must ensure that lenders do not use technology to create pressure that they could not lawfully create through human recovery agents.
RBI’s Proposed Safeguards on Device Restriction
| Safeguard | Draft Requirement | Critical Assessment |
|---|---|---|
| Specifically financed device only | Restriction allowed only for dues arising from financing that device | Strong safeguard against misuse for unrelated loans. |
| Express contract clause | The loan agreement must expressly and unambiguously permit such action | Useful, but consent must not remain hidden in fine print. |
| Trigger disclosure | The contract must specify triggers, notices, graduated restrictions, a cure period, and a grievance mechanism. | Positive, but disclosure should be in plain language. |
| First notice | Notice after 60 days past due, with at least 21 days to cure | Prevents sudden restriction. |
| Second notice | Further notice with at least 7 more days to cure | Adds procedural fairness. |
| 90-day threshold | No restriction until the loan becomes 90 days past due | Aligns restriction with serious default. |
| Graduated approach | The bank must not turn off the device ab initio | Prevents extreme first response. |
| Essential functions | Internet, incoming calls, emergency SOS and public-safety notifications must remain active. | Good start, but UPI, OTP and health access also need protection. |
| Unlocking after payment | The restriction must be reversed within 1 hour after the borrower cures the default. | Strong consumer safeguard. |
| Compensation | ₹250 per hour for wrongful restriction or delayed reversal | This is useful, but wrongful locking may need a higher penalty. |
| Data protection | Bank shall neither access, use, obtain, nor retain data stored in the device. | Critical privacy safeguard. |
| Uninstallation | The mechanism must be uninstalled after full repayment | Prevents continuing control after loan closure. |
Critical Concern 1: Consent May Become a Legal Fiction
RBI requires the loan contract to expressly and unambiguously permit device restriction. However, this may not be enough.
In small-ticket device loans, borrowers often accept standard-form contracts. Many borrowers sign at retail counters or through digital interfaces without negotiating terms. As a result, consent may become a formal checkbox rather than a meaningful agreement.
Consequently, RBI should require separate consent, not merely a clause inside the loan agreement. The borrower should receive a separate warning in plain language before disbursal. Furthermore, the warning should appear in the borrower’s preferred language.
A better consent rule would require the following:
| Consent Element | Required Standard |
|---|---|
| Separate consent screen or signed clause | Not buried in general terms |
| Local language explanation | Borrower must understand the consequences |
| Voice or video confirmation for vulnerable borrowers | Useful in low-literacy contexts |
| Clear list of functions that may be restricted | No vague technology clause |
| A clear list of functions that cannot be restricted | Borrower knows essential protections |
| Cooling-off option before final acceptance | Prevents rushed consent |
Without these safeguards, the contract clause may become legally visible but practically invisible. Therefore, RBI should not treat contractual consent alone as sufficient.
Critical Concern 2: A Mobile Phone Is Not Merely a Secured Asset
A car, tractor or machine may be repossessed under lawful procedures. However, a mobile phone is different. It contains the borrower’s private, social, financial and working life.
Even when the RBI protects internet access, incoming calls, emergency SOS, and public-safety notifications, the question remains: what happens to UPI, Aadhaar OTP, DigiLocker, WhatsApp, work apps, school apps, and telemedicine?
For many Indians, these are not optional services. Instead, they are essential digital infrastructure. Therefore, the final directions should expand the list of protected functions.
| Function | Why It Should Remain Protected |
|---|---|
| UPI and banking apps | Needed for food, transport, repayment and emergency funds |
| Aadhaar OTP and SMS | Needed for identity verification and public services |
| DigiLocker | Needed for documents, licences and compliance |
| WhatsApp/basic messaging | Needed for family, work and emergency communication |
| Health apps/telemedicine | Needed for medical access |
| School and workplace apps | Needed for education and livelihood |
| Emergency contacts | Needed for safety and crisis response |
If RBI permits device restrictions without protecting these functions, recovery may damage the borrower’s ability to earn, communicate and repay. Moreover, it may push vulnerable borrowers deeper into default. Thus, the final framework must protect essential digital access.
Critical Concern 3: Recovery Technology May Create Digital Coercion
Loan recovery is lawful. However, recovery must not become coercion.
The danger with device-locking technology is that it may allow lenders to apply pressure without visiting the borrower, without filing legal proceedings and without ordinary judicial supervision. In effect, software may become a private enforcement tool.
This raises a proportionality problem. A borrower may default due to job loss, illness, delayed salary or family emergency. If the lender restricts the device, the borrower may lose work calls, payment access or digital livelihood. As a result, the recovery tool may worsen repayment capacity.
Therefore, RBI should make device restriction an exceptional remedy, not a routine collection step. In addition, lenders should demonstrate that softer recovery measures have failed before activating any device-based restriction.
Otherwise, the device-locking mechanism may become a shortcut around due process. Ultimately, that would weaken borrower dignity and trust in regulated finance.
Critical Concern 4: Recovery-Agent Abuse Still Needs Strong Enforcement
The digital-device debate should not overshadow traditional recovery harassment.
The draft prohibits harsh methods. It specifically treats abusive language, posting borrower details or recordings on social media, inappropriate messages, excessive calls, calls outside prescribed hours, threatening or anonymous calls, harassment of relatives or co-workers, public humiliation, privacy intrusion, violence or threat of violence, and false or misleading representations about debt or consequences of non-repayment as harsh practices.
This is a strong list. However, enforcement will decide its value. Therefore, RBI should require lenders to maintain a recovery conduct dashboard.
| Compliance Area | Proposed Control |
|---|---|
| Recovery calls | Mandatory call recording and preservation |
| Recovery visits | GPS/time-stamped visit logs |
| Agency changes | Immediate borrower notice |
| Written communications | Prior lender approval |
| Grievances | Recovery pause until final disposal |
| Incentives | No target structure that encourages harsh recovery |
| Repeat violations | Public penalty disclosure |
| Recovery agents | Mandatory certification and periodic re-verification |
The draft already requires call recording, record preservation and control over incentive structures. Nevertheless, RBI should also require periodic publication of complaint data, repeat-offender action and technology-vendor audits.
Moreover, borrowers should receive a simple complaint reference number whenever they allege recovery misconduct. That way, lenders cannot continue pressure while pretending that no grievance exists.
Critical Concern 5: ₹250 Per Hour Compensation May Be Too Low
The draft proposes compensation of ₹250 per hour for wrongful restriction or delayed reversal after the borrower cures the default. This is a useful deterrent. However, it may not adequately compensate for serious harm.
For example, wrongful restriction may cause real loss.
| Harm | Possible Impact |
|---|---|
| Missed work call | Loss of daily wage or client |
| Failed UPI transaction | Inability to buy essentials |
| Missed OTP | Blocked banking or public-service access |
| Missed medical coordination | Health risk |
| Locked work app | Loss of a gig or field assignment |
| Delayed unlock after payment | Continued pressure despite repayment |
Therefore, RBI should distinguish between delayed unlocking and wrongful locking. Delayed unlocking may attract hourly compensation. However, wrongful locking during a pending grievance, after payment, or without notice should attract higher fixed compensation plus hourly damages.
In addition, the lender should bear the burden of proving that the restriction was lawful. Otherwise, borrowers may struggle to prove technical misuse.
Legal View: Recovery Must Follow Rule of Law
A borrower’s default gives the lender the right to recover money. However, it does not give the lender a right to humiliate, threaten, surveil or digitally control the borrower.
The draft already recognises this principle by prohibiting the misuse of customer information, requiring limited disclosure to recovery personnel, and banning access to device data during technology-based recovery. Nevertheless, the final directions should expressly rest on six legal principles.
| Legal Principle | Practical Meaning |
|---|---|
| Natural justice | Prior notice and opportunity to cure default |
| Proportionality | Recovery action must match the seriousness of the default |
| Privacy | No access to personal data, contacts, photos, messages or app usage |
| Dignity | No public humiliation, threats, abusive language or social-media shaming |
| Fair contract | The device restriction clause must be separate and clearly explained |
| Accountability | Lender remains liable for employees, agents, agencies and technology vendors. |
Thus, RBI must ensure that recovery stays within the rule of law. Otherwise, digital enforcement may quietly replace due process. Moreover, any recovery technology must be auditable, reversible and proportionate.
Link With RBI’s Wider 2026 Regulatory Tightening
This revised recovery draft should not be read in isolation. Rather, it should be seen as part of the RBI’s wider 2026 regulatory tightening.
On the one hand, the RBI is strengthening prudential discipline through capital adequacy reforms. ABC Live has already analysed this in its related report, RBI Draft Capital Adequacy Directions 2026.
On the other side, RBI is strengthening conduct discipline through responsible business conduct directions, digital lending oversight and recovery-agent regulation.
Therefore, the central bank appears to be sending one overarching message: regulated entities must remain strong on their balance sheets, but they must also remain fair in their borrower-facing conduct.
This is the right direction. However, conduct regulation must be enforced with the same seriousness as capital regulation. Otherwise, lenders may remain financially sound while borrowers face coercive recovery on the ground.
Stakeholder Impact
| Stakeholder | Likely Impact |
|---|---|
| Borrowers | Stronger protection against harassment, but the risk of device-based pressure remains. |
| Banks | Higher compliance burden, but clearer recovery framework |
| NBFCs | Greater responsibility for outsourced and digital recovery models |
| Housing finance companies | Recovery conduct will face more formal scrutiny |
| Recovery agencies | Training, certification, authorisation, and conduct standards are becoming stricter. |
| Digital lending platforms | Consent, technology audit, grievance and data-protection controls become essential. |
| Technology vendors | Device-restriction tools may require auditability and privacy-by-design architecture. |
| RBI | The enforcement burden will increase after the final directions |
Overall, borrowers may gain better protection. However, lenders may face heavier compliance costs. Meanwhile, recovery agencies and technology vendors will need stronger documentation, training and audit systems.
ABC Live Assessment
RBI’s revised loan recovery draft is necessary, timely and ambitious. It recognises that India’s credit market has changed. Recovery now moves through field agents, call centres, business correspondents, mobile apps and embedded technology. Therefore, the regulatory framework must also change.
However, the draft also opens a sensitive door. Once the regulator permits even limited restrictions on devices, lenders may try to normalise digital enforcement. Therefore, RBI must ensure that this power remains narrow, exceptional and fully auditable.
The strongest part of the draft is its insistence that device restriction can apply only to the financed device and only after a 90-day overdue threshold, two notices and a graduated approach. Moreover, the privacy safeguard is important because the draft bars lenders from accessing, using, obtaining or retaining data stored in the borrower’s device.
Nevertheless, the weakest area is consent. RBI should not rely solely on loan contract language. Instead, it should require separate, plain-language, multilingual and auditable consent. In addition, it should protect UPI, OTP, DigiLocker, health access and livelihood-related apps from restriction.
Finally, RBI should publish recovery-conduct data after implementation. That would allow borrowers, researchers and regulators to track whether the framework actually reduces harassment.
Final Editorial Stand
ABC Live View:
RBI’s revised loan recovery draft is a welcome consumer-protection intervention. However, its device-restriction framework needs stronger safeguards. India cannot allow loan recovery to become digital coercion. Therefore, the final directions must protect credit discipline while also protecting privacy, dignity, emergency access and livelihood.
The key principle should be clear: default is a financial breach, not a licence for digital punishment.
Final Safeguard Table for RBI
| Area Final | Final Safeguard Needed |
|---|---|
| Consent | Separate, plain-language and multilingual consent |
| Scope | Only the specifically financed device, not unrelated loans |
| Default stage | No restriction before 90 days past due |
| Notice | 60-day notice + 21 days to cure, then 7-day final notice |
| Essential access | Internet, incoming calls, emergency SOS, government alerts, UPI, OTP, DigiLocker and health access |
| Privacy | No access to contacts, files, photos, messages, app data or location history |
| Grievance | No device restriction during a pending genuine complaint |
| Unlocking | Mandatory reversal within one hour after cure |
| Compensation | ₹250 per hour for delay; higher compensation for wrongful locking |
| Vendor control | Technology vendor must be auditable and privacy-compliant |
| Public reporting | RBI should publish recovery-conduct complaint data annually |
Sources & Resources
- RBI Official Press Release: Revised Draft Amendment Directions on Conduct of Regulated Entities in Recovery of Loans and Engagement of Recovery Agents, May 20, 2026.
https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=62776 - RBI Draft Directions for Commercial Banks: Responsible Business Conduct Amendment Directions, 2026.
https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=5029 - ABC Live Internal Link: RBI Draft Capital Adequacy Directions 2026.
https://abclive.in/2026/05/20/rbi-draft-capital-adequacy-directions-2026/
Related
Leave a Comment
You must be logged in to post a comment.