1. Executive Summary
Following the initial draft issued on February 12, 2026, the Reserve Bank of India (RBI) has released revised draft Amendment Directions after incorporating substantial stakeholder feedback. The most notable addition is the regulatory enablement for lenders to use technology-based mechanisms to restrict or disable functionalities of financed mobile devices (smartphones, tablets) in the event of loan default. This report outlines the applicable entities, specific changes required, and a comprehensive management action plan to ensure compliance.
2. Applicable Regulated Entities (REs)
The RBI has issued separate (but uniformly themed) draft directions for the following nine categories of financial institutions:
3. Amendment Analysis & Management Action Plan
A. Technology-Based Recovery Mechanisms (Device Restriction)
- Deployment of Device-Locking Technology: REs are now officially permitted to deploy software mechanisms (like Mobile Device Management or OEM-level locks) that restrict or disable functionalities of financed devices (mobile phones, tablets) upon borrower default.
- Customer Transparency: Lenders must explicitly inform borrowers about this technological enablement at the time of loan origination.
- Proportionate Action: The disabling mechanisms must be triggered only under defined default conditions and must have a clear procedure for unblocking once dues are cleared.
- Legal & Compliance Review: Update all loan application forms, Key Fact Statements (KFS), and Most Important Terms and Conditions (MITC) to explicitly include borrower consent for device locking/restriction in case of default.
- IT Infrastructure & Vendor Integration: Partner with established OEMs (e.g., Apple, Samsung Knox) and specialized Fintech software providers to securely integrate the API-driven lock/unlock systems with the institution’s Core Banking System (CBS) or Loan Management System (LMS).
- Standard Operating Procedure (SOP) Formulation: Define strict triggers for locking (e.g., DPD – Days Past Due thresholds) and establish automated, real-time unlocking protocols the moment a borrower makes the pending payment.
- Data Privacy Audit: Ensure that the technology deployed only restricts device functionality and does not access, read, or compromise the borrower’s personal data, photographs, or private messages, adhering to the DPDP Act.
B. Enhanced Code of Conduct for Recovery Agents
- Stringent Oversight: REs are strictly responsible for the actions of their recovery agents. The overarching principle is “Responsible Business Conduct”.
- Prohibition of Harassment: Clear guidelines preventing physical, mental, or digital harassment of borrowers, their family, or friends.
- Time and Channel Restrictions: Restricting the hours during which borrowers can be contacted and limiting the channels of communication to prevent spamming.
- Policy Revamp & Board Approval: Draft a revised “Recovery and Collection Policy” incorporating the new directives. Present this to the Board of Directors for immediate approval.
- Vendor Due Diligence & Contract Renewal: Re-evaluate all existing empanelled Recovery Agencies. Execute addendums to existing Service Level Agreements (SLAs) incorporating the new RBI penal provisions for agent misconduct.
- Mandatory Training & Certification: Implement a mandatory, documented training program for all outsourced recovery agents regarding the revised code of conduct before they are assigned any portfolio.
- Grievance Redressal Mechanism (GRM): Set up a dedicated, fast-track escalation matrix for complaints specifically related to recovery harassment or wrongful device locking. Integrate this with the Internal Ombudsman mechanism.
Note: Management teams must review these draft guidelines and optionally submit feedback to the RBI via the ‘Connect 2 Regulate’ portal by May 31, 2026, before finalizing internal implementations.