The directions do not ban device-disabling by lenders. Instead, they draw a careful boundary around when it is permitted, how it must be carried out, and — crucially — what rights a borrower retains throughout the process. Whether you are a first-time phone-loan customer, a seasoned borrower, or a bank compliance officer designing recovery workflows, this article explains every dimension of the new framework.
What Is RBI's Proposed Remote Device Disabling Framework?
For years, lenders offering device-financing loans — typically Buy Now Pay Later (BNPL) schemes or equated monthly instalment (EMI) plans for smartphones and tablets — have used technology-based mechanisms to restrict a non-paying borrower's device. In the absence of clear rules, practices varied wildly: some lenders imposed complete lock-outs from day one of a missed EMI; others sent threats; a few exploited access to the device to harvest personal data. Borrowers had no consistent legal recourse.
The 2026 Amendment Directions change that entirely. Under paragraph 454Q of the revised Responsible Business Conduct Directions, a commercial bank may use a technology-based mechanism to restrict or disable the functionalities of a mobile device only if a strict, multi-condition gateway is cleared. Outside that narrow gateway, device disabling as a recovery tool is prohibited outright.
The Core Rule (Para 454Q)
A bank shall NOT deploy any technology-based mechanism which restricts or disables any functionalities of a mobile device of a borrower as a recovery tool — EXCEPT to recover loan dues arising specifically from the financing of that device.
In plain language: if you borrowed money to buy the phone in your hand, and you stop paying, the bank may — after following prescribed steps — restrict that specific device. If you borrowed money for any other purpose (a personal loan, a home loan, a car loan), the bank cannot touch your phone, tablet, or any other mobile device. The rule is device-financing specific.
Which Loans and Devices Are Covered Under the Proposal?
The scope question has two dimensions: which lenders are bound by these directions, and which borrower-device combinations are within the disabling framework.
On the lender side, the directions apply to all commercial banks other than Small Finance Banks, Payments Banks, Regional Rural Banks, and Local Area Banks. This covers the major public-sector banks (State Bank of India, Bank of Baroda, Punjab National Bank, etc.) and large private-sector banks (HDFC Bank, ICICI Bank, Axis Bank, Kotak Mahindra Bank, and others). While NBFCs and fintech lenders are not directly bound by this particular framework, it is important to note that the RBI issued parallel draft amendments covering NBFCs, Small Finance Banks, and Payments Banks on the same day — meaning the same substantive rules are set to apply across all these entities under their respective regulatory frameworks as well.
On the device-and-loan side, all four of the following conditions must be simultaneously satisfied before a bank can even consider restricting the device:
The specific mobile device (phone, tablet, etc.) must have been purchased using a loan from that bank.
The loan contract must expressly and unambiguously authorise device restriction — with precise details of trigger events, notice methods, graduated steps, the time allowed to cure default, and the grievance mechanism all spelled out in the agreement.
A first notice must have been issued after the loan becomes 60 Days Past Due (DPD), giving the borrower at least 21 days to repay.
A second, follow-up notice must have been issued after the first notice period expires, giving the borrower at least another 7 days.
Only after all four conditions are met — meaning the loan is at least 90 DPD and two separate notices have been served without the default being cured — may restriction begin. This 90-day grace period is a meaningful buffer compared to market practice, where some lenders were imposing restrictions within days of a missed EMI.
Quick Eligibility Check: Is your device at risk? Only if: (1) your bank specifically financed that device, AND (2) your loan contract says restriction is permitted, AND (3) you have received two notices and at least 28 days have elapsed since the first, AND (4) you are 90+ days past due. If any of these is absent, your bank cannot legally restrict your device under these rules.
What Are Your Rights as a Borrower Under Indian Law?
The directions contain an impressive suite of borrower protections — arguably the most comprehensive set of recovery-related rights codified in a single RBI circular. Here is a structured breakdown.
1. The Graduated Restriction Principle
Para 454R(1) prohibits banks from disabling the device outright from the start. They must adopt a graduated approach — restricting functionalities incrementally. Think of it as a dimmer switch, not a hard off-button. What this means practically is that your bank must start with limited restrictions (e.g., blocking access to entertainment apps) rather than immediately rendering the device inoperable.
2. Certain Functions Can Never Be Disabled
Para 454R(2) creates a list of permanently protected device functionalities that no bank can ever restrict, regardless of how long a borrower has been in default:
This protection reflects a basic recognition that a mobile device is no longer just a convenience — it is a lifeline. Being locked out of emergency services or cut off from incoming calls could endanger lives, and the RBI has drawn a hard line here.
3. The Right to Cure and Instant Reversal
The moment a borrower pays up — whether partially or in full to cure the default — the bank must reverse all restrictions within one hour (para 454R(3)). If the bank fails to do so, para 454R(4) triggers automatic compensation: the bank must pay the borrower ₹250 per hour for every hour the device remains wrongfully restricted after the default is cured. This is a powerful, self-executing remedy that does not require the borrower to file a lawsuit or wait for regulatory intervention.
4. The Unconditional Right to Prepay
Para 454R(6) explicitly preserves the borrower's right to prepay the loan — partly or fully — at any stage. Banks cannot use device restrictions as a lever to prevent prepayment or to impose prepayment penalties not already agreed to in the contract. If you can come up with the money, you can always pay off the loan and reclaim your device.
5. Absolute Data Privacy Protection
Para 454S is one of the strongest provisions in the entire framework. It categorically bars banks from accessing, using, obtaining, or retaining any data stored on the borrower's device — for loan recovery or any other purpose, under any circumstances. Lenders cannot raid your photo gallery, read your messages, or extract contact information from the device, even if they have technological capability to do so. Violations of this provision would be a serious regulatory breach.
6. Right to Uninstallation After Full Repayment
Para 454R(5) requires the bank to uninstall the technology-based restriction mechanism from the device soon after the loan is fully repaid. The device must be returned to the borrower completely clean, with no residual surveillance or control software left running in the background.
7. Protection From Aggressive Recovery Agents
While not unique to device-financing loans, the broader recovery code embedded in the directions (paras 454V–454X) applies to all default recovery. Recovery agents may only visit between 8 AM and 7 PM. They must carry an identity card, an authorisation letter from the bank, and a copy of the notice served to the borrower. Banks must give you at least one day's prior notice before a recovery agent visits your home or office. The directions explicitly list prohibited practices, including:
Use of abusive or threatening language
Public shaming via social media
Intimidating family members, colleagues, or referees
Calling outside permitted hours
Making anonymous or threatening calls
Making false statements about the extent of debt or legal consequences
8. Dedicated Grievance Redressal
Para 454Y requires banks to maintain a dedicated grievance mechanism for recovery-related complaints. The name, email, phone number, and address of the bank's grievance redressal officer must appear in your loan agreement and in every recovery communication you receive. If a grievance is pending, para 454M prohibits the bank from assigning your case to a recovery agency until the grievance is resolved. This gives borrowers with legitimate disputes a meaningful shield against aggressive action.
How to Avoid Default and Protect Your Devices: A Practical Guide
Understanding the rules is valuable, but avoiding default in the first place is always preferable. Here is a practical roadmap for device-loan borrowers:
Before You Sign the Loan Agreement
Read the device restriction clause carefully. From October 1, 2026, restriction cannot happen unless the contract explicitly permits it and details the mechanism. If you do not see a clear clause, ask the bank in writing whether the loan includes device-disabling capability.
Understand the trigger timeline. The contract must state what events lead to a notice being issued and the graduated restriction steps.
Check the grievance officer details. Make sure the contract names a specific grievance redressal officer with contact information, not just a generic helpline number.
If You Miss an EMI
Act immediately. Contact your bank proactively. Most banks offer restructuring options, moratoriums, or payment plan adjustments — especially if you engage early.
Document everything. Keep records of all communications — emails, SMS messages, call logs, and letters. These are invaluable if a dispute arises.
Request a detailed account statement. Confirm the exact outstanding amount, any accrued interest, and the Days Past Due (DPD) count. Errors in DPD calculation are common.
If Your Device Has Been Restricted
Check whether the bank has complied with the notice requirements. Under the new rules, two separate written notices must have been sent — the first after 60 DPD (giving 21 days), the second after that period expires (giving 7 more days). If these were not received, the restriction may be unlawful.
Verify that emergency functions remain active. Internet access, incoming calls, and SOS features must not be disabled. If they are, file an urgent grievance immediately.
If you can pay, pay and track the time. The bank must restore functionality within one hour of your payment. If it does not, you are entitled to ₹250 per hour compensation — document the exact payment timestamp.
File a formal grievance with the bank's named grievance redressal officer. If unresolved within 30 days, escalate to the RBI Banking Ombudsman.
After Full Repayment
Confirm the restriction software has been uninstalled. Run a device security scan. If you find unfamiliar apps with device-admin permissions, contact the bank and request written confirmation of uninstallation.
Obtain a No Dues Certificate. This is always good practice and serves as evidence that the loan relationship is fully closed.
The Bigger Picture: Why These Rules Matter
The RBI's 2026 amendment directions represent a significant maturation of India's consumer-lending regulatory architecture. By codifying rules around device disabling — a practice that had grown rapidly with the explosion of device-financing apps and BNPL schemes — the regulator is signalling that technological innovation in lending must be matched by technological discipline in recovery.
For borrowers, the key takeaway is that the new rules do not prohibit banks from using recovery technology, but they do create a meaningful procedural wall: a 90-day minimum DPD threshold, a two-notice requirement, graduated restrictions, inviolable emergency access, one-hour reversal on repayment, ₹250/hour compensation for wrongful restriction, absolute data privacy, and mandatory post-loan uninstallation. These are not aspirational guidelines — they are legally binding directions issued under Sections 21 and 35A of the Banking Regulation Act, 1949.
For banks and compliance officers, the operational implications are equally significant. Loan contracts for device-financing products will need to be comprehensively redrafted before October 1, 2026. Recovery systems must be configured to enforce the DPD thresholds and graduated restriction logic. Grievance mechanisms must be upgraded, and compensation-tracking systems must be built to handle wrongful-restriction claims automatically.
In a country where the smartphone is increasingly the primary interface for work, banking, healthcare, and social connection, getting the balance right between creditor rights and borrower dignity is not just a regulatory question — it is a question of fundamental fairness. The RBI appears to understand that.
Key Dates to Remember
The Amendment Directions come into effect on October 1, 2026. Loan contracts signed on or after that date for device-financing must include the required clauses. Existing device-financing contracts should be reviewed: banks may need to amend terms or seek fresh consent from borrowers before deploying restriction mechanisms.
Disclaimer: This article is based on the Draft RBI (Commercial Banks — Responsible Business Conduct) Amendment Directions, 2026, as published for public comment. Final directions may differ. This article is for informational purposes only and does not constitute legal or financial advice. Consult a qualified legal professional for advice specific to your situation.
