What is the FLDG cap and how is it tested?

5% of the loan amount disbursed under the arrangement, in eligible instruments only (cash, FD lien, BG). We reconcile the FLDG ledger to outstanding portfolio per arrangement and aggregate, and validate invocation triggers and CIC reporting.

Does the DPDP Act change anything for digital lenders?

Yes — consent capture, retention and data-principal rights now overlap with DLG. We run DLG and DPDP as a combined engagement for digital lenders.

What about the cooling-off / look-up period?

DLG mandates a cooling-off period during which the borrower can exit the loan by paying principal + proportionate APR, without prepayment penalty. We test that the cancellation flow actually fires end-to-end.

Do you cover BNPL and PPI-linked credit lines?

Yes — RBI's June 2022 clarification on PPI + credit lines and the 2023 BNPL guardrails are part of the engagement where applicable.

Reserve Bank of India · REs · LSPs · DLAs · FLDG partners

RBI Digital Lending Guidelines Audit

FLDG, DLG, LSP and DLA audit — disbursement-to-collection trail RBI inspectors actually read.

End-to-end audit against the RBI Digital Lending Guidelines (DLG) — covering Regulated Entities, Lending Service Providers (LSPs), Digital Lending Apps (DLAs), the First Loss Default Guarantee (FLDG) framework, Key Facts Statement, cooling-off, customer redressal and data-localisation obligations.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

RBI Guidelines on Digital Lending (RBI/2022-23/111 dated 02-Sep-2022)
RBI Default Loss Guarantee in Digital Lending (RBI/2023-24/41 dated 08-Jun-2023)
Working Group on Digital Lending Report (Nov 2021) — annexed expectations
RBI Master Direction on Outsourcing of IT Services (2023)
RBI Master Direction on IT Governance (2024)
RBI Storage of Payment System Data (Apr 2018) — data localisation
Fair Practices Code + SBR for NBFCs
DPDP Act 2023 — overlap on consent + data principal rights

Why this matters

Compliance is leverage, not paperwork.

RBI's Digital Lending Guidelines (Sep 2022) and the subsequent FLDG circular (Jun 2023) re-wrote how every RE, fintech, NBFC and bank-LSP must operate. Disbursement and repayment must flow only between the borrower's and the RE's bank account — no LSP pass-through. The FLDG cap of 5% of the loan portfolio, DLA registration and Key Facts Statement requirements are now active enforcement triggers; RBI has already debarred multiple LSPs and barred new customer onboarding for non-compliant REs. Macksofy's audit produces the disbursement-vs-collection trail, FLDG ledger reconciliation and DLA artefact pack RBI inspections demand on day one.

Applicability

Scheduled Commercial Banks + Small Finance Banks running digital lending
NBFCs (Upper / Middle / Base layer) with own or partner-app lending
Lending Service Providers (LSPs) sourcing for an RE
Digital Lending App (DLA) operators — owned or white-labelled
FLDG-receiving REs + FLDG-providing LSPs
Payment Aggregators routing loan disbursement / repayment flows

Standards & frameworks

Aligned to the regulations that matter.

RBI Guidelines on Digital Lending (RBI/2022-23/111 dated 02-Sep-2022)

RBI Default Loss Guarantee in Digital Lending (RBI/2023-24/41 dated 08-Jun-2023)

Working Group on Digital Lending Report (Nov 2021) — annexed expectations

RBI Master Direction on Outsourcing of IT Services (2023)

RBI Master Direction on IT Governance (2024)

RBI Storage of Payment System Data (Apr 2018) — data localisation

Fair Practices Code + SBR for NBFCs

DPDP Act 2023 — overlap on consent + data principal rights

Methodology

How we run a RBI DLG engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 6

1 · RE-LSP-DLA mapping

4 activities

Inventory of LSPs, DLAs, co-lending and FLDG partners
Loan-product classification (own-book / co-lend / FLDG)
Customer journey + data-flow walk-through
Board-approved digital-lending policy review

01
1 · RE-LSP-DLA mapping
- Inventory of LSPs, DLAs, co-lending and FLDG partners
- Loan-product classification (own-book / co-lend / FLDG)
- Customer journey + data-flow walk-through
- Board-approved digital-lending policy review
02
2 · Disbursement & collection audit
- Direct RE-to-borrower disbursement trail (no LSP pass-through)
- Repayment routing into RE account only
- Reconciliation against bank statements + payment-aggregator MIS
- Cooling-off / look-up period evidence
03
3 · FLDG framework audit
- FLDG cap test — 5% of outstanding portfolio per arrangement
- Eligible FLDG instruments (cash, FD lien, BG) verification
- FLDG invocation triggers + ageing ledger
- Disclosure to credit-information companies
04
4 · Customer-protection controls
- Key Facts Statement (KFS) format + APR disclosure
- Grievance redressal + nodal-officer SLA
- Recovery-agent code of conduct audit
- Cooling-off cancellation flow testing
05
5 · Data & technology controls
- DLA permissions audit — only need-to-know access (contacts/SMS/gallery prohibited)
- Data localisation evidence per RBI Apr-2018 directive
- Encryption-in-transit + tokenisation review
- Cyber-security + outsourcing controls (cross-mapped to IT Governance MD)
06
6 · Reporting & submission pack
- DLA registration + Sachet portal submission readiness
- CSITE / DoS submission pack
- Inspector Q&A walk-through deck
- Remediation tracker + 30-day retest

Deliverables

Everything you need to satisfy auditors.

Digital-lending policy + procedure gap report
Disbursement-vs-collection reconciliation ledger
FLDG cap + ageing dashboard
Key Facts Statement template pack (per loan product)
DLA permission & data-localisation evidence pack
Sachet / DLA registration submission bundle
RBI inspector Q&A walk-through deck
Free retest within 30 days + closure letter

Recent engagements

Mid-size NBFC (consumer lending)

DLG + FLDG audit across 4 LSP partners

Outcome: FLDG portfolio re-cut to within the 5% cap; two non-compliant LSPs offboarded ahead of RBI thematic inspection

Bank-led co-lending DLA

DLA permission + customer-protection audit

Outcome: Permission set reduced from 17 to 4; KFS rolled out across loan products and cooling-off cancellation rate validated

At a glance

The shape of a RBI DLG engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

RE accountability & policy3 pts
Money-flow integrity3 pts
FLDG governance3 pts
Customer-protection stack3 pts
DLA & data hygiene3 pts
Inspector-ready submission pack3 pts

Pillar 01

RE accountability & policy

RBI holds the Regulated Entity — not the LSP — liable. The audit starts there.

Board-approved digital-lending policy currency
LSP / DLA appointment due-diligence pack
Quarterly digital-lending review at board level

Pillar 02

Money-flow integrity

Disbursement and collection routing is the single most-tested control by RBI.

Direct RE-borrower flow (no LSP pool account)
Pass-through nostro / escrow exception ledger
Reconciliation evidence with PA + bank MIS

Pillar 03

FLDG governance

The 5% cap, eligible instruments and invocation audit-trail.

FLDG cap test per arrangement + portfolio
Eligible instrument (cash / FD lien / BG) validation
Invocation + CIC-reporting ageing ledger

Pillar 04

Customer-protection stack

What every borrower must see, sign and be able to walk away from.

Key Facts Statement + APR disclosure evidence
Cooling-off cancellation tested end-to-end
Grievance redressal + Sachet integration

Pillar 05

DLA & data hygiene

Permissions, localisation, DPDP overlap — where most LSP enforcement actions land.

DLA permission audit (no contacts / SMS / gallery)
Payment-data localisation evidence
DPDP consent + data-principal-rights overlap

Pillar 06

Inspector-ready submission pack

The artefact bundle a CSITE / DoS inspection actually consumes.

DLA registration & Sachet-portal pack
Control-to-evidence map per DLG clause
Remediation tracker + retest letter

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a RBI DLG engagement. Click any station for detail in the methodology section above.

Week 1

RE-LSP-DLA mapping

Week 2

Disbursement & collection audit

Week 3

FLDG framework audit

Week 4

Customer-protection controls

Week 5

Data & technology controls

Week 6

Reporting & submission pack

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

Indirectly — RBI regulates the RE, but holds the RE accountable for every LSP / DLA it appoints. The audit is run on the RE; LSP controls are validated as part of the RE's outsourcing posture.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.