RBI loan recovery draft 2026: New rules on recovery agents, borrower protection, and device locking

On May 20, 2026, the Reserve Bank of India (RBI) released a revised draft of new rules. The rules cover how lenders and their recovery agents can chase overdue loans. They are open for public comment until May 31, 2026.

The draft does two main things. First, it sets clear rules for how lenders and agents must treat borrowers during recovery. Second, it sets limits on a growing practice in digital lending: using technology to lock or disable a borrower's phone from far away.

Here is the part most headlines miss. The draft does not ban phone-locking in every case. It bans it for normal loans. But it still allows it for one narrow case: loans that paid for the phone itself. And even then, it adds strict conditions to protect the borrower.

That difference is the whole point. It changes how you build, price, and document any product that uses a phone as collateral. Let's break it down.

Is the RBI loan recovery draft final yet?

No. The current version is still a draft.

On February 6, 2026, RBI announced that it would review and consolidate its rules on loan recovery and recovery agents. It released the first draft on February 12, 2026, and invited public comments.

After receiving stakeholder feedback, including feedback on whether lenders should be allowed to restrict financed devices during default, RBI updated the draft.

The revised version was released on May 20, 2026 for another round of consultation.

So, these rules are not final yet. But this is the second draft, which means the broad direction is now much clearer. Lenders should treat this as a signal to start preparing.

RBI loan recovery norms 2026: banks, NBFCs, HFCs, and other lenders covered

The draft applies across multiple types of RBI-regulated lenders.

RBI has issued nine separate draft amendment directions under the larger theme of “Responsible Business Conduct.” These cover:

1. Commercial Banks
2. Small Finance Banks
3. Local Area Banks
4. Regional Rural Banks
5. Urban Co-operative Banks
6. Rural Co-operative Banks
7. All India Financial Institutions
8. Non-Banking Financial Companies (NBFCs)
9. Housing Finance Companies (HFCs)

The rules are not exactly the same for every category, but the main recovery conduct rules and device-locking rules appear across all of them.

So, if you are an RBI-regulated lender, or a fintech working with one, these rules matter. The responsibility does not stop with the lender’s internal team. It also extends to recovery partners, digital lending partners, and other third parties involved in the loan recovery process.

This is the same web of shared responsibility seen in RBI's co-lending model that ties NBFCs, HFCs, and banks together.

RBI recovery agent rules: what lenders can and cannot do during recovery

The draft pulls those older rules into one place and makes them stricter.

• Lenders, NBFCs, and their agents cannot use threats, abuse, or public shaming against borrowers.
• They cannot use social media to shame or humiliate borrowers.
• Recovery agents can only call borrowers between 8 AM and 7 PM, unless the borrower says otherwise.
• Agents cannot call again and again. They also face limits on contacting a borrower's family, friends, or coworkers.
• Agents must be trained and certified. The draft says they need a certificate from the Indian Institute of Banking and Finance (IIBF), or from an institute tied up with IIBF.
• Lenders must have a board-approved recovery policy. They must also have a way to handle complaints and keep close watch over any outside recovery vendors.

Most of this matches RBI's August 2022 circular on recovery agents. What is new is the way it is brought together into one clear, board-level framework, applied the same way across all nine types of lenders.

RBI device locking rules explained

This is the part that needs careful reading.

The general rule is clear: lenders cannot use technology to lock or disable a borrower’s phone as a way to recover dues.

For normal loans, such as personal loans, vehicle loans, or home loans, remote phone-locking is not allowed.

But there is one exception.

The draft allows limited device restriction only when the loan was taken to buy that specific device. For example, if a borrower took a loan to buy a mobile phone, the lender may be allowed to restrict that phone in case of default.

Even then, the lender must follow strict safeguards.

In simple terms, RBI is not giving lenders a shortcut to lock phones. It is allowing a narrow, last-resort option only for device-financing loans.

And even there, the process must be documented, disclosed, time-bound, reversible, and borrower-protected.

Can lenders lock phones under the RBI loan recovery draft?

The common headline, "RBI bars lenders from blocking devices," is true for most loans. But it misses the one case where locking is still allowed. Both of these are true at the same time, just for different loans:

• For normal loans, the draft bans phone-locking as a recovery tool.
• For phone-financing loans, the draft allows limited phone restriction under strict rules.

For most loans, no.

The draft bans phone-locking as a recovery method for regular loans.

But for phone-financing loans, RBI has allowed limited device restriction under strict conditions.

So the real takeaway is not that phone-locking is completely dead. The real takeaway is that phone-locking can only be used in a very specific case, with a detailed process around it.

If a lender has been relying on phone-locking for regular loan recovery, that process will need to change.

If a lender offers mobile financing, the contract, notice process, repayment tracking, restriction controls, unlock timelines, and grievance process will all need to be reviewed.

Existing RBI loan recovery guidelines behind the 2026 draft

The 2026 draft is not coming from nowhere. It builds on earlier RBI rules around fair recovery, outsourcing, and digital lending.

RBI’s August 12, 2022 circular already made lenders responsible for the conduct of recovery agents. It banned harassment, restricted recovery calls outside permitted hours, and prohibited social media shaming.

Earlier RBI recovery agent guidelines and Fair Practices Code requirements also covered agent training, borrower treatment, and lender responsibility.

On the digital lending side, RBI first issued Guidelines on Digital Lending in September 2022. In May 2025, it brought out the Reserve Bank of India (Digital Lending) Directions, 2025.

These rules already made lenders responsible for their digital lending partners and apps, including how recovery is handled.

The 2026 draft brings these strands together. It also adds specific rules for device-locking, which older frameworks did not address in this level of detail.

What lenders should do before the RBI loan recovery rules are finalized

The comment window closes on May 31, 2026. The broad shape of the rules is already clear. Here are practical steps worth taking.

Check your recovery practices against the conduct rules. Look at your calling hours, agent scripts, escalation steps, and any use of messaging or social channels. If anything comes close to the banned list, fix it now.

Review agent certification. Make sure your agents and outside vendors hold IIBF certification, or are on track to get it. Add this to your vendor contracts.

Refresh your board-approved policies. The draft expects a board-approved recovery policy and a complaint process built for recovery. If yours is old, update it.

Rebuild the full process for phone-financing products. If you offer or partner on phone financing, your loan contracts need a clear, disclosed restriction clause. Your systems need the 60-day notice, the 21-day fix window, the second 7-day notice, the protected features, the one-hour reversal, and the Rs 250 per hour fine logic. This is a real engineering and paperwork project, not a small note.

Tighten control over digital lending partners. Lenders stay responsible for their partners. So the conduct and phone rules pass down to them. Contracts, monitoring, call logs, and in-app reminders all need to stay within the new limits.

Send your feedback before May 31. If any rule will be hard to follow, this is the round to say so. RBI has already shown it updates the draft based on the feedback it accepts.

How better KYC workflows like Signzy help loan recovery

Rules like these make one thing clear: lenders need cleaner, more traceable processes.

Signzy's identity checks at onboarding can reduce fraud and impersonation risk early in the journey. Better KYC can also help lenders maintain cleaner borrower records, reduce disputes, and support more responsible recovery later.

Clear digital workflows also make it easier to prove that recovery stayed within the rules. This includes call records, notice timelines, borrower communication, grievance handling, and, where applicable, device restriction and unlock logs.

Signzy helps banks, NBFCs, and fintechs build this kind of verification and compliance infrastructure across onboarding, identity checks, and financial services workflows.

As RBI tightens recovery expectations, weak controls will no longer be just an operational issue. They can become a regulatory and reputational risk too.