Why a single product no longer covers a lending startup
Two RBI rulebooks have reshaped the risk profile of every digital lending startup operating as a Lending Service Provider (LSP) or co-lender. On 8 May 2025 the RBI (Digital Lending) Directions, 2025 folded the scattered 2022 digital lending guidelines and the 2023 default loss guarantee (DLG) circular into one consolidated framework. Three months later the RBI (Co-Lending Arrangements) Directions, 2025 arrived, with a hard effective date of 1 January 2026 (a regulated entity could adopt earlier under its own policy). Together they fix how risk is shared, how much an LSP can guarantee, and how granular the reporting must be.
The headline most founders fixate on is the 5 percent prudential cap on DLG, measured against the underlying loan portfolio. That cap is a regulatory ceiling on contractual credit guarantee. It is not, and was never meant to be, a description of the startup's total exposure. A digital lender that originates, underwrites with its own score, services collections and holds borrower data carries a stack of operational, conduct and balance-sheet risks that sit entirely outside the DLG arithmetic.
For brokers, this is the opening line of every conversation with a lending-startup CFO in 2026. The borrower already has collateral cover and credit-life. The bank partner has its own protections. The question nobody had answered cleanly is what protects the startup's own books when an employee colludes with a fraud ring, when the loan management system is breached, when a co-lending counterparty disputes a reconciliation, or when the startup's algorithm misprices a cohort and a class of borrowers alleges unfair lending. None of those losses is a default. None is capped at 5 percent. And none is covered by a single off-the-shelf policy.
The placement answer is a small portfolio: crime/fidelity, cyber, professional indemnity (PI), and where receivables are warehoused, trade-credit. This post walks each layer against the new directions.
What the 5 percent DLG cap actually leaves on the table
Start with what the DLG is. Under the 2025 directions a DLG is a contractual arrangement where an LSP (or another regulated entity acting as an LSP) compensates the lender for default losses up to a percentage of the portfolio agreed upfront. The prudential cap is 5 percent of that underlying portfolio. The RBI permits the guarantee in only three forms: cash deposited with the lender, a lien-marked fixed deposit with a scheduled commercial bank, or a bank guarantee. It must be invoked within 120 days of an account turning overdue, and it cannot be set off against individual loans because NPA recognition stays with the lender.
Notice what that structure does to the startup's balance sheet. The 5 percent is funded and ring-fenced. The cash or FD is already gone from working capital the moment the deal is signed. So the credit risk the startup chose to retain is not just a number on a term sheet, it is locked collateral. That is the opposite of an insurable risk, and no insurer will indemnify a contractual credit guarantee that is meant to be funded by design.
The losses that are insurable are the ones that arrive uninvited and are not credit defaults at all:
- A relationship manager who waives KYC and books ghost loans to a syndicate. That is fidelity loss, not default.
- A breach of the loan origination platform that exfiltrates borrower PII and triggers CERT-In reporting plus regulatory action. That is cyber and privacy liability.
- An automated underwriting model that systematically rejects or overprices a protected cohort, drawing a conduct claim. That is professional/technology liability.
- A co-lending partner alleging the startup mis-stated portfolio quality in the monthly data shared under the directions. That is PI and, depending on facts, management liability.
Crime and fidelity: the loss insurers see most in lending books
Across digital lending books, the most frequent insured loss is not a cyberattack from outside. It is internal or collusive fraud. The economics are obvious. A lending startup moves money to strangers at speed, on the strength of automated checks, with staff incentivised on disbursal volumes. That is a textbook environment for fidelity loss.
The placement here is a commercial crime / fidelity guarantee policy, and brokers should resist the urge to treat it as a tick-box rider on a management package. Three coverage triggers matter for a lender:
- Employee dishonesty / infidelity. Losses from an employee acting alone or in collusion to cause the firm a wrongful financial gain. For a lender this includes booking fictitious borrowers, diverting collections, or manipulating the underwriting workflow to push through ineligible loans.
- Third-party / social engineering fraud. Where an outsider impersonates a vendor, a co-lending partner or a senior executive to redirect a payout. The crime market in India increasingly offers this, often sub-limited. Push for a meaningful sub-limit because the loss frequency is real.
- Funds transfer fraud. Direct theft via the disbursal rails.
Watch the prior-acts and discovery mechanics. Fidelity losses are slow to surface; a collusion scheme may run for months before reconciliation catches it. A policy that responds only to acts committed and discovered within the period leaves a hole. Negotiate a retroactive date that reaches back to the start of operations and a discovery extension on non-renewal.
Underwriters will price against your controls: maker-checker on disbursals, segregation between sourcing and approval (which the Co-Lending Directions now formalise by killing the discretionary rejection model and assigning roles to each regulated entity), dual authorisation on bank mandates, and audit of the loan management system. A startup that can evidence these is a different risk from one that cannot, and the premium difference is large. Brokers add the most value by translating the firm's operational reality into the proposal form so the rating reflects actual controls, not a generic NBFC template. See our crime insurance note for quick-commerce operators for how the same triggers behave in a high-velocity payout business.
Cyber and privacy: borrower data is the asset and the liability
A digital lender is, functionally, a data company that happens to lend. It holds Aadhaar-linked KYC, bank statements pulled through the Account Aggregator framework, bureau pulls, device and behavioural data, and repayment histories. The 2025 Digital Lending Directions tighten data localisation, consent and the prohibition on storing borrower data beyond what is needed. That regulatory posture raises both the breach exposure and the cost of a breach.
The cyber placement for a lender has to do two jobs. First-party cover pays the startup's own costs: forensics, breach counsel, notification, CERT-In reporting support, business interruption when the lending platform is down, and cyber-extortion. Third-party cover responds to claims by borrowers and regulators for privacy violation and failure to safeguard data. The second is where lenders are most exposed, because a single platform breach affects the entire book at once, not one customer.
Three wording points deserve a broker's attention:
- Regulatory investigation and penalties. Confirm the policy covers the costs of responding to an RBI or data-protection inquiry, and where insurable by law, the penalties. India's data-protection regime makes this live.
- Outsourced and cloud dependency. Most lending startups run on third-party core lending suites and cloud infrastructure. A breach or outage at a critical vendor should trigger the policy. Check the dependent business interruption wording and the waiting period.
- Aggregation with the crime policy. Social engineering and funds-transfer fraud can fall between the cyber and crime towers. Map which policy responds to which loss so a claim is not orphaned in the gap. Our piece on coordinating a cyberattack across multiple policies shows how that coordination actually plays out at claim stage.
The broader pricing context is favourable. Capacity has returned to the Indian cyber market and rates softened through 2026, so a well-controlled lender can buy a sensible limit without the renewal pain of two years ago. That makes 2026 a good year to right-size the tower rather than under-buy.
Professional indemnity and the conduct risk in automated underwriting
The risk that lending founders most often miss sits in the model itself. When you underwrite with a proprietary score, set the price with an algorithm, and service the loan through software, every one of those is a professional service that can be alleged to have been performed negligently. That is the home of professional indemnity (often written as technology PI or tech errors and omissions for a software-led lender).
What does a PI claim look like for a digital lender? A borrower or class alleges the pricing model discriminated. A co-lending partner alleges the startup's portfolio scoring was negligently constructed and caused it to fund bad loans. A regulator finds the algorithm breached fair-lending norms. A coding error in the disbursal logic over-lends to a cohort. In each case the loss is the consequence of a professional error, not a borrower default, and it is exactly what the DLG does not touch.
The Co-Lending Directions 2025 sharpen this. By assigning explicit, disclosed roles to each regulated entity for sourcing, underwriting, servicing and customer interface, the rules make it far easier to pin a specific failure on a specific party. If the startup owns underwriting in the arrangement and the model is later shown to be flawed, the contractual and regulatory trail points straight at it. That is a PI exposure created by the regulation itself.
Brokers should check three things in the PI wording:
- A definition of professional services broad enough to include algorithmic underwriting, scoring and platform operation, not just advice. Many older PI forms were written for consultants and do not obviously reach software-delivered services.
- Coverage for breach of contract claims by counterparties, since a co-lending partner's claim will often be framed contractually.
- The interaction with management liability. Where the allegation reaches the founders or board (a regulator action, an investor claim that the lending model was misrepresented), a directors and officers policy carries it. Many growth-stage lenders already buy D&O around their ESOP and funding rounds; our note on D&O and ESOP liability for Indian tech companies covers how that layer fits. The PI and D&O towers should be bought as a pair, with the broker confirming there is no gap where a claim names both the firm and its directors.
Warehouse receivables and trade-credit: the secured-lending overlay
A growing slice of new-economy lending is secured against goods, not salaries. Agri-fintechs and supply-chain lenders advance against commodities held in warehouses, using electronic negotiable warehouse receipts (e-NWRs) issued under the WDRA framework as collateral. Co-lending against these receivables expanded into 2026 as banks and larger NBFCs partnered with originating platforms. This changes the insurance picture in two ways.
First, the collateral itself must be insured, and the lender needs to be sure of it. The goods in the warehouse are exposed to fire, flood, pest, theft and the slow risk of quality deterioration. If the borrower defaults and the lender enforces against the stock, the value has to actually be there. Brokers placing for a warehouse-receivable lender should verify that the underlying stock cover names the lender's interest, that the sum insured tracks the commodity value (not a stale figure), and that the storage location is on a rated warehouse. Our analyses of transit-cum-storage warehouse cover and warehouse fire risk prevention set out what good looks like on the physical side.
Second, and more relevant to the startup's own balance sheet, is trade-credit insurance on the receivables the platform itself carries. Where a supply-chain lender funds invoices or holds receivables on its books before a co-lending partner takes its share, a buyer default crystallises a loss the platform absorbs. Trade-credit cover indemnifies that non-payment, and it is a different instrument from the DLG. The DLG is the platform guaranteeing the lender; trade-credit is an insurer guaranteeing the platform. Read together with our trade-credit cover for SaaS and platform receivables, the point is that a lending startup can sit on both sides of a guarantee and needs to insure the side it actually retains.
A warehouse-receivable lender effectively runs two risk books at once: the physical collateral book and the credit book. Map both. A fire policy on the godown does nothing for a buyer default, and trade-credit cover does nothing for a warehouse that burns down.
How brokers should structure and sequence the placement
Bringing the layers together, the practitioner job is to sequence the placement so the lender buys in the right order and the towers fit without gaps. A workable structure for a Series A or later digital lender looks like this.
- Crime / fidelity first. It is the highest-frequency insured loss in lending and the cheapest large limit to buy. Set the limit against the largest plausible collusion scheme over a multi-month window, not a single transaction.
- Cyber next, sized to a full-book breach plus business interruption. Use the softer 2026 market to buy a real limit rather than a token one, and align the social-engineering and funds-transfer language with the crime policy.
- PI / technology liability, with a services definition that explicitly captures algorithmic underwriting and platform operation. Confirm contractual-liability cover for co-lending counterparty claims.
- D&O around the founders and board, bought in tandem with PI so a dual-named claim is not orphaned.
- Trade-credit and collateral covers where the model is secured against receivables or warehoused goods.
Three cross-cutting points. Reconcile the towers against the co-lending contract. The directions force explicit role allocation between the startup and its regulated-entity partners; the insurance should mirror who owns sourcing, underwriting and servicing, because that allocation determines who gets sued. Watch the regulatory-cost overlap. A single breach can trigger CERT-In reporting, an RBI inquiry and a data-protection action at once, hitting cyber, PI and D&O together. Confirm there is one clear responding policy for each cost head. Build the proposal around real controls. Maker-checker, segregation of duties, dual bank mandates and loan-management-system audit are now partly mandated by the directions, so a lender that documents them well prices materially better. The broker who maps the regulation to the wording, rather than selling a generic NBFC package, is the one who closes the gap the 5 percent DLG cap leaves open.