India: Reserve Bank's Digital Lending Directions 2025, including data localisation requirement entered into force (No. RBI/2025-26/36)

On 8 May 2025, the Reserve Bank of India's Digital Lending Directions, including data localisation obligations for digital lending services, entered into force. The directions apply to regulated entities, including commercial banks, co-operative banks, non-banking financial companies, and all-India financial institutions. The directions mandate storage of only minimal borrower data, including name, address, contact details and prohibit the collection or storage of biometric data unless permitted by law. The directions also highlight that regulated entities are responsible for customer data privacy and must publish clear policies on data storage, retention, usage restrictions, deletion protocols, and breach management on their websites and digital lending apps. All data must be stored on servers located in India, and any data processed abroad must be deleted from foreign servers and repatriated within 24 hours.