You can check whether a loan app is legitimate in about 60 seconds, using RBI's own records: find the lender the app names, look the app up in RBI's Digital Lending Apps (DLA) directory, confirm that lender on RBI's NBFC or bank lists - and install the app only from the link on the lender's own website. A legitimate lending app in India lends on behalf of an RBI-regulated entity - a bank or an NBFC - and must tell you which one; an app that names no lender, or wants a payment to "release" your loan, fails the check before you ever share a document. One caveat most articles miss: the DLA directory is self-reported by lenders and is not verified by RBI - a listing is a lender's claim, not RBI approval. And if you are already being harassed: if you did not borrow, do not pay; if you did borrow, pay only real dues through the lender's official channel - collect evidence and report (helpline 1930, cybercrime.gov.in). Harassment does not erase a valid debt, and off-channel payments to a harasser do not count toward closing a loan.
Loan app verification at a glance
| First thing to find | The lender's name - a specific RBI-regulated bank or NBFC. No name, no deal. |
|---|---|
| Official app directory | RBI's "Digital Lending Apps" directory, live since 1 July 2025 |
| Where it is | rbi.org.in > Citizen's Corner > DLAs deployed by Regulated Entities |
| Does RBI verify entries? | No. Lenders self-report; RBI publishes without validating. Listing = a lender claims the app, not RBI approval. |
| Verify an NBFC lender | RBI's downloadable NBFC list (Excel/PDF, updated to 31 March 2026) |
| Verify a bank lender | RBI's "Websites of Banks in India" page |
| Before you sign | A Key Fact Statement with the all-in APR, fees, and repayment schedule is mandatory |
| Contacts / gallery access | Barred for regulated lending apps; one-time camera/mic/location access for KYC only, with consent |
| Fraud helpline | 1930 and cybercrime.gov.in (report fast if money just moved) |
| Complaint portals | RBI Sachet (online loan apps) and RBI CMS (against regulated lenders) |
The 60-second check
Since 2025, RBI's digital lending rules - now part of the entity-wise Credit Facilities Directions for banks and NBFCs - have made this verification genuinely doable by an ordinary borrower. Run all four steps before sharing your Aadhaar, PAN, or bank details, and before granting the app any permission.
Step 1: find the named lender. A loan app is never itself "RBI-registered". It is a storefront that must lend on behalf of a regulated entity - a bank or an NBFC - and RBI's rules require that the lender be named to you in the loan offer, with the same name in the Key Fact Statement before you sign. Look for that name. If you cannot find a specific bank or NBFC named anywhere, stop here and walk away.
Step 2: look the app up in RBI's DLA directory. Go to rbi.org.in, open Citizen's Corner, and select "DLAs deployed by Regulated Entities". This directory has been live since 1 July 2025 and lists the lending apps that regulated lenders have reported to RBI, against each lender's name. One honest caveat, which most articles get wrong: RBI does not verify or validate these entries - lenders self-report them through RBI's reporting system, and the list is published automatically. So a listing proves a regulated lender claims the app; it is not an RBI stamp of approval. Absence from the directory, though, is a serious warning sign for any app that claims a lender partnership.
Step 3: verify the lender itself. If the named lender is an NBFC, download RBI's official list of registered NBFCs (an Excel or PDF file, updated to 31 March 2026) and search the exact company name in it. The same page also carries the list of NBFCs whose registration was cancelled - worth a glance: a company on that list is no longer authorised to lend. If the named lender is a bank, check it on RBI's Websites of Banks in India page, which lists private, public sector, small finance, payments, regional rural, and foreign banks. The company name on these lists must match the lender the app names - not roughly, exactly.
Step 4: make sure your copy of the app is the real one. The first three steps prove a legitimate app exists; they cannot prove the thing on your phone is it. A clone can copy an app's name and a real lender's name. RBI requires lenders to publish the list of their digital lending apps and lending partners on their own websites - so open the named lender's official website, find that list, and install the app only from the store link given there. On the store listing itself, check that the developer name matches the lender or its named partner before you install. An APK that arrives as a file or link, bypassing the store, fails this step automatically.
Red flags that end the conversation
- Pay-to-unlock: you are asked to send money to a personal account, a third-party account, or a UPI ID to "release" or "activate" the loan. Regulated lenders deduct disclosed fees from the disbursal or bill them through official channels - they do not collect advance payments into someone's personal UPI.
- No named lender: no specific bank or NBFC appears in the app listing, the offer screen, or the loan documents. This alone is disqualifying.
- Contact-list or gallery demands: RBI's rules require lending apps of regulated lenders to desist from accessing your files and media, contact list, call logs, and telephony functions. A one-time camera, microphone, or location access is allowed only for KYC onboarding, with your explicit consent. An app that insists on your contacts is telling you how it plans to collect.
- Ultra-short tenure, outsized cost: 5-7 day loans whose fees translate to enormous effective annual rates are a pattern that shows up again and again in complaints about unregulated apps.
- Sideloaded APK: the app is not on the Play Store or App Store and arrives as a link or file. Store absence is a red flag - though store presence is not proof of legitimacy either; fraudulent apps do get through review. The verification steps above are the test, not the store.
- No grievance officer, no address: regulated lending requires a named grievance redressal officer with visible contact details. Nothing but a chat window is a bad sign.
- Manufactured urgency: countdown timers, "offer expires in 10 minutes", pressure to decide before you can check anything.
Your rights when the lender is regulated
These protections come from RBI's digital lending rules - set out in the Digital Lending Directions of May 2025 and since consolidated into the RBI (Commercial Banks - Credit Facilities) Directions, 2025 and the RBI (Non-Banking Financial Companies - Credit Facilities) Directions, 2025. One scoping point matters more than any single right: they bind RBI-regulated lenders and the apps working for them. A rogue app with no regulated lender behind it is not following these rules - which is exactly why the verification above comes first.
- Key Fact Statement (KFS): before you sign, you get a KFS stating the all-in Annual Percentage Rate, fees, and repayment schedule, and it must automatically flow to your verified email or SMS - if you have no documents, something is wrong.
- A cooling-off window: your lender's board sets a cooling-off period - at least one day - during which you can exit the loan by paying the principal and the proportionate APR, without penalty. The lender may keep only a reasonable one-time processing fee, and only if it was disclosed upfront in the KFS.
- Permission limits: as above - no contacts, media, call logs, or telephony access; one-time KYC access only, with consent.
- Direct money flow: as a rule, loan disbursal and repayment move directly between your bank account and the lender's - not through a pool account of the app or its agents.
- A grievance path with teeth: the lender and its app must display a grievance redressal officer's contact details. If your complaint is rejected or unresolved for 30 days, you can escalate to RBI's Complaint Management System under the Integrated Ombudsman Scheme.
- Recovery conduct rules: RBI's conduct rules for lenders and their recovery agents restrict contact to 8:00 AM to 7:00 PM and prohibit intimidation, threats, abusive language, and public humiliation. The lender remains accountable for its agents' behaviour.
Two calculators are worth 30 seconds before any borrowing decision: know the exact EMI a loan implies, and if the reason you are borrowing is credit card debt, see what the minimum-payment trap actually costs before replacing one debt with another. The credit card payoff calculator shows the payoff timeline at different monthly payments.
💳Already stuck or being harassed? Do this now
First, the payments rule, because threats are designed to make you pay wrongly: if you did not borrow, do not pay. If you did borrow, do not send extra or off-channel payments in response to threats. Verify what you legitimately owe with the named lender and pay only through its official channel. Harassment does not erase a valid debt - and an off-channel payment to a harasser does not count toward closing the loan and leaves you with no receipt you can rely on.
Collect evidence: screenshots of chats and threats, call recordings or logs, the app's store listing, and your UPI or bank transaction trail. Do this before uninstalling anything.
- Money moved recently? Call 1930 (the national cyber fraud helpline) or file at cybercrime.gov.in immediately - prompt reporting improves the chance that the receiving account can be blocked before the money moves on; it is not guaranteed.
- Harassment or extortion: file a complaint at cybercrime.gov.in and an FIR at your local police station or cyber cell. Keep copies of everything.
- Unregulated app: report it on RBI's Sachet portal - it accepts complaints about online loan apps and unregulated lending, and routes them to the appropriate regulator.
- Regulated lender misbehaving: its grievance officer first; after 30 days or a rejection, RBI's CMS portal.
And the part harassed borrowers most need to hear: threats to shame you through your contact list, morphed photos, and abusive recovery calls are prohibited under RBI's conduct rules and potentially criminal depending on the conduct - extortion, criminal intimidation, and privacy offences are police matters, whatever the state of the loan. Owing money, or being made to feel you owe money, does not license any of it. Report it; do not negotiate with it.
One adjacent habit that protects you here: keeping your identity documents out of random apps entirely. Our guide to DigiLocker safety covers how to share government documents without handing over originals.
Sources
- Reserve Bank of India (Commercial Banks - Credit Facilities) Directions, 2025, as amended through 2026 - the digital lending chapter for banks.
- Reserve Bank of India (Non-Banking Financial Companies - Credit Facilities) Directions, 2025 (28 November 2025) - the digital lending chapter for NBFCs.
- Reserve Bank of India (Digital Lending) Directions, 2025 - RBI/2025-26/36, 8 May 2025. Origin of the DLA directory and the borrower protections above, since consolidated into the entity-wise Credit Facilities Directions.
- RBI Digital Lending Apps directory - rbi.org.in, Citizen's Corner, operational 1 July 2025. RBI states the reported data is published in an automated manner and is not verified or validated by RBI.
- RBI List of NBFCs (registered and cancelled) - list updated to 31 March 2026.
- Websites of Banks in India - rbi.org.in.
- RBI conduct rules for recovery agents (contact hours, prohibited practices) - RBI circular on Responsibilities of Regulated Entities employing Recovery Agents (12 August 2022).
- RBI Sachet portal. National Cybercrime Reporting Portal and helpline 1930 (Ministry of Home Affairs, I4C).