The RBI's outsourcing guidelines require that every Lending Service Provider relationship is subject to annual due diligence — a documented review of the LSP's financial health, regulatory standing, data security posture, and conduct record. For an NBFC with 8 to 15 active LSP relationships, this is 8 to 15 annual reviews that consume weeks of compliance team time, involve coordination with external parties, and produce documentation that the RBI expects to be available for inspection. The LSP Governance AI runs every annual review from a structured checklist, collects the required documentation, scores each LSP, and flags any vendor whose score requires Board-level remediation — automatically.
What the RBI's outsourcing guidelines require for LSP due diligence
The RBI's circular on outsourcing of financial services (DNBR.CC.PD.No.059/03.10.001/2015-16) and subsequent updates require NBFCs to: conduct due diligence before engaging any LSP; review the due diligence annually thereafter; maintain a register of all LSPs with their functions, contract terms, and due diligence status; and ensure that the Board is informed of significant LSP relationships and any material deterioration in an LSP's risk profile.
The due diligence must cover: the LSP's financial stability (ability to continue operations), regulatory compliance record (licences, RBI interactions, complaints received), data security and privacy posture (especially for LSPs who handle borrower data), business continuity and contingency arrangements, and conduct compliance — whether the LSP's collection agents, sales agents, or customer-facing staff comply with FPC requirements when acting on behalf of the institution.
"An LSP that the institution cannot demonstrate it reviewed annually is, from the regulator's perspective, an LSP the institution is not managing. The LSP Governance AI generates the evidence of management."
The annual due diligence checklist: what gets assessed and how
Section 1 — Financial Health and Stability
6 checks · Data: MCA, GST, credit bureau, financial statements
01. Company registration and active status confirmed [Auto]
LSP's CIN verified as active in MCA21 registry. Any changes to registered directors or registered address since last review flagged. Dissolution, strike-off, or winding-up proceedings would be an immediate termination trigger.
→ Source: MCA21 API · Auto-checked · Alert: any status change since last review
02. GSTIN active and filing compliant [Auto]
LSP's GSTIN verified as active. GSTR-3B filing regularity for the last 8 quarters checked — consistent late filing may indicate operational distress. If the LSP is GST-registered but shows significant gaps in filings, the AI flags for financial health review.
→ Source: GSTN API · Auto-checked · Flag: 2+ consecutive quarters of late or nil filing
03. Audited financial statements for last 2 years reviewed [Requires LSP doc]
LSP required to submit its last 2 years' audited financials. The LSP Governance AI parses the submitted financials for: revenue trend, net profit margin, debt levels, current ratio, and whether the auditor's report contains any qualifications. A qualified auditor's report is a material flag.
→ Source: LSP submission · Document request sent automatically 60 days before due diligence date
04. No current legal proceedings that could impair operations [Auto + disclosure]
Ministry of Corporate Affairs and NCLT records checked for any ongoing insolvency, winding-up petition, or significant litigation involving the LSP. Publicly available court records searched. LSP required to disclose any material litigation not appearing in public records.
→ Source: MCA + NCLT records + LSP disclosure · Flag: any insolvency proceedings or winding-up petition
Section 2 — Regulatory Standing
5 checks · Licences, RBI interactions, complaints received
05. Required licences and registrations current [Auto]
For collection agents: IBA recovery agent certification for all field agents. For DSAs: AMFI/SEBI registration if relevant. For fintechs: RBI payment aggregator licence if relevant. The required licences depend on the LSP's function — the LSP Governance AI maintains a licence requirement matrix per LSP category and checks each against the current registry.
→ Source: IBA, AMFI, RBI registries · Auto-checked · Alert: expired or suspended licence
06. No adverse RBI findings or enforcement actions in last 2 years [Auto]
RBI's published enforcement actions (on its website) are monitored for the LSP's name. Any penalty imposed by the RBI, SEBI, or state financial regulators in the last 2 years is a material flag. The LSP is also required to disclose any regulatory inquiry or examination that has not yet resulted in a public finding.
→ Source: RBI enforcement database · Monthly monitoring · Annual formal check
07. Complaints filed against LSP with RBI Ombudsman or consumer forums [Auto]
Consumer forum filings (NCDRC, state CDRCs), RBI Ombudsman decisions involving the LSP, and online complaint platform data (for digital LSPs) are monitored. A spike in consumer complaints is an early warning signal for conduct deterioration that may not yet have reached regulatory enforcement.
→ Source: Public consumer forum databases · NCDRC portal · Flag: significant complaint volume increase
Section 3 — Data Security and Privacy
4 checks · DPDP Act compliance · ISO 27001 · Data handling audit
08. ISO 27001 certification current or equivalent data security standard [Requires LSP doc]
For any LSP who handles borrower personal or financial data — which includes all DSAs, technology vendors, and collection agencies — ISO 27001 certification (or equivalent) is a required standard under RBI outsourcing guidelines and DPDP Act provisions. Certificate expiry and surveillance audit status are checked annually.
→ Source: LSP certificate submission · Alert: certificate expired or surveillance audit overdue
09. Data processing agreement aligned with DPDP Act [Requires review]
The data processing terms in the LSP agreement must comply with the Digital Personal Data Protection Act 2023: data minimisation, purpose limitation, retention policy, and sub-processor disclosure. The LSP Governance AI checks the current agreement against the DPDP compliance checklist and flags any clauses that need updating for LSP agreements signed before the DPDP Act came into force.
→ Source: Current LSP agreement · DPDP compliance matrix · Flag: agreement pre-dates DPDP Act without amendment
10. Data breach history — any notifiable breach in last 12 months [LSP disclosure required]
LSP required to disclose any data security breach in the last 12 months that involved borrower data belonging to the institution or other financial services clients. A disclosed breach triggers an enhanced review and may require the LSP to provide a third-party security audit report. An undisclosed breach that subsequently comes to light is a contract termination trigger.
→ Source: LSP disclosure · Flag: any breach involving borrower PII · Termination trigger if undisclosed
Section 4 — Conduct Compliance
4 checks · FPC conduct · Agent certification · Complaint record
11. All field agents trained and certified per RBI FPC requirements [LSP register required]
For collection LSPs: all field agents must hold current IBA recovery agent certification. The LSP must provide a certification register — the list of all agents deployed in the institution's accounts, with their certification dates and renewal status. Agents whose certification has lapsed are not permitted to operate on the institution's accounts.
→ Source: LSP certification register · Cross-check against IBA registry · Flag: any lapsed certification
12. Complaints attributed to this LSP in the institution's grievance system [Auto]
The Grievance Redressal AI's complaint database is queried for all complaints in the last 12 months where the LSP's agents were identified. The pattern of complaints (Cat B collection conduct, Cat A unauthorised debit) is reviewed. More than 3 Cat B complaints in 12 months is a conduct review trigger regardless of the individual complaint outcomes.
→ Source: Grievance AI database · Auto-queried · Flag: 3+ Cat B in 12 months → enhanced review
The annual due diligence scorecard: a vendor example
Annual Due Diligence Scorecard — Credence Collections Pvt Ltd · Nov 14, 2025
Collection LSP · Karnataka territory · Due diligence cycle: Nov 2025 · Prior score: 82/100
Section 1 — Financial Health
Company registration active: MCA21 confirmed — active, no changes to directors [Pass]
GSTIN filing regularity: 1 late GSTR-3B filing (Q1 FY2025) — minor flag [−5 pts]
Audited financials review: FY24 financials received — revenue ₹8.4Cr, net margin 12%, no auditor qualification [Pass]
Section 2 — Regulatory Standing
IBA certification — all agents: 94% of agents certified — 3 pending renewal (Nov 28 deadline) [Pass]
Adverse regulatory findings: No adverse RBI findings in 2 years · No enforcement actions [Pass]
Consumer complaint volume: Complaint volume up 18% vs prior year — above average growth rate [−8 pts]
Section 3 — Data Security
ISO 27001 certification: Certificate valid until Mar 2026 — surveillance audit Oct 2025 passed [Pass]
DPDP Act compliance: Data processing agreement pre-dates DPDP Act — amendment required by Jan 2026 [−10 pts]
Data breach history: No breaches in 12 months — confirmed by LSP disclosure [Pass]
Section 4 — Conduct Compliance
Agent certification — current: 94% certified · 3 pending renewal · All 3 operating under supervision only until renewed [Pass]
Grievance complaints (Cat B): 4 Cat B complaints in 12 months (threshold: 3) · All resolved · Pattern: timing violation [−8 pts]
Due diligence score: 69 / 100
Prior year: 82 / 100 · Declining trend
Outcome: Continued — with conditions
DPDP amendment + conduct review required before Mar 2026
12: Due diligence checks across 4 sections — financial health, regulatory standing, data security, conduct compliance
Auto: 9 of 12 checks automated — public registry, government API, internal data · 3 require LSP document submission
69: Credence Collections score — 13-point decline vs prior year · 3 action items · Board notified of trend
Annual: Scheduled cycle for every LSP — document requests sent 60 days before due date · No compliance team coordination required
Due diligence that is documented is evidence of management — due diligence that is not is evidence of neglect
The RBI does not require that every LSP relationship is perfect — it requires that the institution demonstrates it reviewed the relationship, identified any issues, and took documented action. An LSP whose due diligence score declines from 82 to 69 is not a compliance failure — it is a risk management challenge that the institution has identified. An LSP whose due diligence was never conducted, or whose file shows no documentation, is a regulatory exposure. The LSP Governance AI generates the documented evidence of management: a timestamped scorecard, a list of identified issues, assigned action items with deadlines, and Board notification where the decline is material. That is what the regulator needs to see — not perfect LSPs, but managed ones.