
Compliance teams at NBFCs and fintech lenders have spent the better part of two years building processes around the RBI’s Digital Lending Directions. Most of that work focused on disbursal flows, data minimisation, and the Key Fact Statement. Device locking sat quietly outside the main compliance conversation, treated by many teams as an operational tool rather than a regulated activity.
That assumption no longer holds. RBI’s May 2026 draft on loan recovery conduct brings device locking directly into the regulatory perimeter, and compliance teams who have not yet mapped their existing practices against it are working against a deadline that is closer than it looks.
What the New Draft Actually Says
On May 20, 2026, the RBI issued a revised draft amendment covering the conduct of regulated entities in loan recovery and the engagement of recovery agents, with comments invited through the end of that month. The draft applies across nine categories of regulated entities, spanning banks, NBFCs, housing finance companies, and cooperative banks, which means almost no lender financing consumer devices sits outside its reach.
The device locking provision is narrow by design. Lenders may restrict only specific functions of a financed mobile device, and only in relation to the loan taken for that particular device. A blanket lock that disables the phone entirely, or one applied to enforce repayment on an unrelated personal loan, falls outside what the draft permits. Restriction must also be graduated rather than immediate, and essential services have to remain accessible throughout.
For compliance teams, the practical reading is straightforward. This is being formally recognised as a legitimate recovery mechanism for device financing specifically, not as a general-purpose enforcement tool that any lender can repurpose for any product.
Why “Graduated” is the Word to Build Around
An implementation flipping from full access to full restriction the moment an EMI is missed will not survive scrutiny. The insistence on a graduated approach means the borrower journey needs distinct stages built into the product itself, not bolted on as an afterthought.
The table below sets out how that sequence typically needs to be structured to satisfy the draft’s requirements:
| Stage | What Happens | Compliance Requirement |
|---|---|---|
| Pre-restriction | Borrower receives reminders and notice of the upcoming consequence | Communication must be logged and timestamped |
| Partial restriction | Specific functions of the financed device are limited | Restriction confined to the loan for that device only |
| Full restriction | Broader functional limits applied, essential services preserved | Documented opportunity to respond must precede this stage |
Each stage needs to be logged, timestamped, and auditable, because the recovery conduct framework places heavy emphasis on documentation across the board.
Recovery agents engaged in any part of this process also fall under tightened obligations. The draft requires certification through the Indian Institute of Banking and Finance, conduct norms, and public disclosure of the recovery agencies a lender uses. If your workflow hands off to a human collection step at any stage, that step now carries its own compliance burden layered on top of the locking mechanism itself.
Consent Documentation is Not Optional Anymore
The draft is explicit that any restriction of a financed device requires consent and notice. This sits alongside the data minimisation obligations already in force under the 2025 Digital Lending Directions, which prohibit lending apps from accessing phone contacts, file storage, and call logs without need-based justification and explicit consent carrying an audit trail.
Compliance teams reviewing device locking vendors need to confirm two things independently:
- The consent captured at loan origination specifically and unambiguously covers this as a recovery mechanism, not just general loan terms.
- The application itself does not collect or access data beyond what is strictly necessary to verify payment status, regardless of what the underlying device permissions technically allow.
Building the Audit Trail Before October
The proposed effective date for the recovery conduct framework is October 1, 2026. That gives lenders a defined window, not an open runway, to align existing deployments with the restriction requirement, the consent standard, and the recovery agent obligations running in parallel.
Lenders treating this purely as a legal exercise are missing the point. The draft is, in effect, a product specification. Device locking platforms that already log every stage transition, capture consent with a clear audit trail, and preserve essential functionality by default will need comparatively light adjustment. Platforms built without that structure face a meaningfully heavier lift before October arrives.
Conclusion
This has moved from an operational convenience to a regulated recovery mechanism with specific, documented requirements attached to it. The draft framework does not ban the practice. It defines the boundaries within which it can continue, and those boundaries are considerably narrower than how many lenders have been running device locking until now.
Compliance teams that treat the May 2026 draft as the final word on requirements, rather than waiting for the notified version, will be the ones with a working framework in place when the deadline actually arrives.