Why Indian fintechs are feeling the regulatory squeeze and how they can adapt

Date: 2026-03-03

Rishabh G. Mastaram, founder, RGM Legal

The Indian fintech sector is facing a reality check, and the focus has moved from unrestrained growth to survival.

This shift is due to regulatory changes introduced to protect investors’ and depositors’ money. These changes include the Reserve Bank of India’s (RBI) strict “activity-based” supervision and the stringent mandates of the Digital Personal Data Protection (DPDP) Act, 2023.

Below is a summary of the legal analysis of certain critical issues and rising litigation risks currently blocking the retail lending ecosystem, along with key takeaways.

FLDG revamp

The evolution of First Loss Default Guarantees (FLDG), now termed Default Loss Guarantees (DLG), remains the most significant structural hurdle. Initially, fintechs raised funds at significant valuations on the basis of technology that had been developed or was proposed to be developed. To enter the market with an NBFC licence, they adopted a “renting” model, whereby 100% guarantees were provided to banks/NBFCs to underwrite loans without holding regulatory capital.

The RBI has since plugged this loophole through its June 8, 2023, guidelines on DLG in digital lending.

The Impact: This regime imposes a strict 5% cap on the loan portfolio amount. While it legitimized the model, it destroyed the unit economics for “new-to-credit” segments—such as small-ticket BNPL—where default rates often exceed this 5%.

The “Recovery Waterfall” Difference and Conflict: A major legal conflict is dominating contract negotiations between regulated entities (such as banks) and lending service providers (such as fintechs), known as the “Recovery Waterfall”.

The Issue: When a borrower defaults and the fintech pays the DLG to the bank, who holds the right to subsequent recoveries?

Banks’ Position (Super-Priority): Banks argue they must recover all costs, including legal fees and penal interest, before the fintech recovers any funds.

Fintechs’ Position (Subrogation): Fintechs argue for “subrogation”—asserting that having paid the guarantee, they should step into the lender's shoes to recover the dues.

Current regulations are silent on this priority, leaving the matter to commercial leverage and creating fertile ground for future arbitration.

The “Loan Gateway” trap: Tech infrastructure built without application of economics

Several fintech entities in India tried creating tech infrastructure—similar to Open Network for Digital Commerce (ONDC) and Open Credit Enablement Network (OCEN)—to integrate their systems with banks, NBFCs and other financial institutions. The objective of building a “Loan Gateway” was to enable the unorganized and fragmented Direct Selling Agents (DSAs) to log in leads, which are then routed via the Application Programming Interfaces (APIs) to financial institutions. However, this model faces severe legal and economic headwinds.

The Valuation vs. Compliance Conflict: These platforms often act as cloud storage providers on a sub-rental basis, where sensitive personal information changes hands from the DSA to the tech provider, and finally to multiple banks. (For reference, see Section 2(i) (Data Fiduciary) and Section 2(k) (Data Processor) of the DPDP Act, 2023.)

The Ambiguity: There is often no clarity on who constitutes the data fiduciary and who is the data processor. If the tech platform decides which bank receives the lead based on an internal algorithm, it crosses the line from a passive conduit (processor) to an active decision-maker (fiduciary). This exposes the platform to the full penalty regime of the DPDP Act without the balance sheet to support it.

The “Predictive Modeling” Violation: To boost valuations, these “gateway” fintechs often retain sensitive personal data for years to build complex predictive models for “Next Best Offers” or pre-approved/pre-qualified (PAPQ) limits. (For reference, see Section 6 (Consent) and Section 9 (Processing of Personal Data of Children) of the DPDP Act, 2023.)

The Violation: Retaining data solely to train algorithms or ascertain the PAPQ status likely violates the principle of ‘Storage Limitation’. Furthermore, using data collected for one loan application to scrape and evaluate a borrower for future products without fresh consent is a direct violation of ‘Purpose Limitation’.

The Economic Dead End: Legally, this model is squeezed by market realities. Banks view API integration as a hygiene factor rather than a premium service and refuse to pay SaaS fees. Consequently, fintechs must rely on thin disbursement commissions shared with DSAs. Since the unorganized DSA sector operates on negligible margins, they cannot pay for tech adoption either. This makes the business unviable unless massive capital is burned to acquire DSAs, a strategy that is increasingly difficult as investors demand profitability over volume.

Emerging Litigation Frontiers

Beyond the FLDG and gateway issues, three “silent” legal risks are rapidly emerging for 2026:

A. “Dark Patterns” Liability: The Central Consumer Protection Authority (CCPA) is cracking down on UI/UX designs deemed as “Dark Patterns,” such as “False Urgency” (e.g., “Offer expires in 2 minutes”) or “Basket Sneaking” (auto-selecting insurance). (For reference, see Guidelines for Prevention and Regulation of Dark Patterns, 2023.)

Actionable Advice: Legal counsels must audit app interfaces, as these are no longer just “growth hacks” but potential statutory violations.

B. Vicarious Liability for “Predatory Recovery”: While the RBI guidelines hold the bank responsible for its agents, recent legal trends suggest a “piercing of the corporate veil”. (For reference, see RBI Guidelines on Digital Lending (Para 5: Conduct of Investigation etc.).)

The Risk: Fintech directors and Key Managerial Personnel (KMPs) face potential personal liability if their recovery agents engage in harassment, as the “tech platform” defence is increasingly rejected by courts.

C. Algorithmic Accountability & Right to Grievance: Under the DPDP Act and evolving AI governance standards, users have a right to grievance redressal. (For reference, see Section 13 (Right to Grievance Redressal) of the DPDP Act, 2023.)

The Conflict: If a borrower is rejected based on an opaque “black box” score (e.g., SMS scraping), the fintech company faces litigation risk if it cannot explain the specific data point responsible for the denial. This clashes with the “Right to Correction”.

Conclusion

The “Loan Gateway” model is under siege. Squeezed between banks digitizing their own channels and a regulator demanding strict capitalization, the pure-play intermediary is becoming an endangered species. The legal counsel for 2026 is clear: entities must adapt to “activity-based” regulation or perish. The market has no room left for entities that seek the profits of lending while maintaining the liability profile of a tech company.

Rishabh G. Mastaram is founder of law firm RGM Legal. Views expressed in this article are personal.

