# Mobile App for an NBFC: We Shipped a Full Loan-Origination App in 9 Weeks (DPDP-Compliant From Day 1)
A Pune NBFC asked us to build a personal-loan origination app. React Native + Setu KYC + Karza + DigiLocker. RBI Digital Lending Directions 2025 + DPDP Act compliant. 9 weeks, ₹26 lakh.
Khushi Singh
December 11, 2025 · 16 min read
A Pune-based NBFC with a ₹140-crore loan book asked us to build a personal-loan origination mobile app. Their existing flow was a web form that customers filled in branch, with a separate KYC wallet, separate bank statement reader, and a separate underwriting system. End-to-end loan origination took 4-7 days. They wanted under 24 hours. The catch: the [RBI Digital Lending Directions, 2025](https://www.argus-p.com/updates/updates/rbi-digital-lending-directions-2025-an-overview/) had tightened the compliance bar significantly, and the [DPDP Act consent requirements](https://www.mondaq.com/india/privacy-protection/1733676/dpdp-act-compliance-for-physical-and-digital-lending-nbfcs) made retrofitting compliance into a generic LOS a non-starter. We shipped a React Native app with Setu KYC + Karza bank-statement analysis + DigiLocker document fetch in 9 weeks. End-to-end loan in 47 minutes (median). DPDP and RBI compliant from day 1. This is what we built.
- 9 weeks: discovery to production
- 47 min: median loan origination time
- ₹26 L: fixed-price build
- 100%: DPDP + RBI compliant on day 1
## The Answer in 60 Words
React Native (Expo SDK 51) app. KYC via Setu (DigiLocker + PAN + Aadhaar) + Karza (selfie liveness + bank statement parser). Underwriting in a Postgres-backed Node.js service. Disbursement via partner bank API with NACH e-mandate. RBI Digital Lending Directions 2025: every screen logs consent. DPDP Act: every data field maps to a purpose, retention period, and deletion path. Cost: ₹26 lakh build, ₹74,000/month run.
## Why This Matters Now (For Indian NBFCs)
The [RBI Digital Lending Directions, 2025](https://www.argus-p.com/updates/updates/rbi-digital-lending-directions-2025-an-overview/), issued May 8 2025, consolidated the 2022 Guidelines on Digital Lending and the 2023 Default Loss Guarantee rules into a single compliance framework. Every Digital Lending App must be reported to the [RBI's CIMS portal](https://www.lawrbit.com/article/reserve-bank-of-india-digital-lending-directions-2025/) by June 15, 2025. Even when an LSP (Lending Service Provider) handles KYC, collection, or onboarding, the RE (Regulated Entity — the bank or NBFC) is fully accountable. This means generic loan-origination apps that lack auditable consent trails are now actively risky to use, even from established vendors.
The [DPDP Act 2023](https://www.mondaq.com/india/privacy-protection/1733676/dpdp-act-compliance-for-physical-and-digital-lending-nbfcs) sets enforceable substantive provisions effective May 13, 2027 — but the consent-flow design must be in place from build day, not retrofitted. Penalties run up to ₹250 crore for serious security failures. NBFCs cannot afford to ship an app that needs a compliance rewrite in 18 months.
The technology decision space has narrowed. Setu, Karza, IDfy, HyperVerge, and Pine Labs all offer competitive India-stack KYC APIs in 2025. The differentiation is now in compliance design and user experience, not in primitive APIs.
## The Client (Specific Details)
- Sector: NBFC (RBI-registered, base layer ML-2 NBFC)
- Location: Pune HQ, branches in Mumbai + Hyderabad + Chennai
- Loan book: ₹140 crore as of August 2025
- Loan products: Personal loan (₹50K–₹5L, 6-36 mo), business loan (₹2L–₹50L, 12-60 mo), loan against property (separate workflow, not in scope)
- Existing tech: Web form + manual KYC + Microsoft Excel underwriting + email-to-bank for disbursement (yes, really)
- Volume: ~620 loan applications/month, ~280 disbursed (45% approval rate)
- The trigger: RBI on-site audit in September 2025 flagged the legacy flow on three counts: missing consent audit trail, no purpose limitation on data collection, and the LSP relationship with their email-to-bank disbursement was not formally papered. The CFO gave us 9 weeks and a brief: "the next audit cannot find these issues."
## The Architecture (DPDP + RBI From Day 1)
### React Native (Expo SDK 51)
Single codebase for Android (96% of users) and iOS (4%). Expo's OTA updates let us push compliance fixes without app-store review delays.
### Setu KYC + DigiLocker
PAN verification, Aadhaar (offline KYC via DigiLocker), driver's licence pull. Setu's DigiLocker integration handles 70+ document types with a single SDK call.
### Karza Bank Statement Analyser
Customer uploads PDF or fetches via Account Aggregator. Karza parses transactions, classifies salary credits, computes debt-to-income ratio. Output feeds underwriting model.
### DPDP Consent Vault
Every data field has a purpose, retention period, and deletion path. Consent log immutable. Customer can request deletion via in-app screen; deletion request enters a 30-day workflow with audit trail.
## The Stack (And Why)
| Layer | Choice | Why |
|---|---|---|
| Mobile framework | React Native + Expo SDK 51 | Single codebase. Expo OTA for compliance hotfixes without app-store review. |
| State | TanStack Query + Zustand | TanStack handles server state with caching; Zustand for UI state. Avoided Redux. |
| KYC: PAN + Aadhaar | Setu | [Setu's DigiLocker integration](https://setu.co/data/kyc/digilocker/) ships with verified document fetch in one SDK call. |
| KYC: Bank statement | Karza | Their classifier is the most accurate we tested for Indian bank PDFs (94% transaction-classification accuracy). |
| KYC: Selfie liveness | HyperVerge | Slight edge over IDfy on Indian skin-tone false-rejects in our test. |
| Backend | Node.js 20 + Fastify + Postgres 16 | Fastify's request lifecycle hooks made consent logging straightforward. |
| Hosting | AWS ap-south-1 (Mumbai) | Data residency required. Aurora Postgres + ECS-on-EC2. |
| Auth | Aadhaar OTP via UIDAI | Standard Indian customer auth pattern. We do not store Aadhaar number; only the masked last-4. |
| Disbursement | Partner bank API (not named, for confidentiality) | NACH e-mandate setup before first disbursement. |
| Logs + Audit | CloudWatch + S3 (Object Lock for immutability) | Object Lock means audit logs cannot be tampered with — critical for RBI inspection. |
## The 9-Week Plan
### Week 1
Two days with the NBFC's compliance officer. Mapped every data field collected today against (a) RBI Digital Lending Directions 2025 requirements, (b) DPDP Act purpose-limitation rules. Built the consent matrix: 14 data categories × 6 purposes (KYC, underwriting, disbursement, servicing, recovery, marketing) = 84 cells, each with a separate consent toggle.
### Week 2: Mobile MVP + Setu integration
Onboarding flow: phone OTP → consent screen (with separate consent toggles for each data category) → PAN entry → DigiLocker fetch. Tested with 8 colleagues' real PAN/Aadhaar in sandbox. Setu's sandbox is genuinely production-like.
### Week 3: Karza bank statement upload + parser
PDF upload from camera or document picker. Karza API call returns structured transactions in 12-18 seconds. We display a "review your monthly income" screen so the customer confirms the salary classification. Builds trust + improves classification feedback loop.
### Week 4: HyperVerge selfie liveness + face match
Customer takes a selfie. HyperVerge SDK runs liveness detection on-device (no biometric data leaves the phone). Face match against the Aadhaar photo (fetched via DigiLocker). 94% pass rate in our pilot.
### Week 5: Underwriting engine + offer screen
Postgres-backed scorecard: 14 inputs (credit score from CIBIL, monthly inflow, average bank balance, salary stability, EMI burden, age, employment type, location risk, prior default flag, and 5 product-specific signals). Outputs an offer (amount, tenure, interest rate). Approved offer shown to customer in-app.
### Week 6: NACH e-mandate + disbursement flow
Customer accepts offer → e-sign loan agreement (Aadhaar e-sign via NSDL) → e-mandate setup via partner bank API → disbursement to customer's verified bank account. Median time from offer to disbursement: 14 minutes.
### Week 7: DPDP consent vault + data subject request flow
Built the consent vault as a separate Postgres database with Object Lock S3 backups. Built the customer-facing "my data" screen: shows what we hold, why, and how long. Built the deletion-request flow: 30-day workflow with manual review for active loans. Compliance officer signed off in week 7.
### Week 8: Internal pilot + RBI CIMS reporting
14 internal staff applied for ₹50K test loans. 12 disbursed in 47 minutes median, 2 declined (correctly). Reported the DLA on the [RBI CIMS portal](https://www.rbi.org.in/) per the May 2025 directive.
### Week 9: Public launch + first 200 real customers
Soft launch via WhatsApp blast to existing customer base. 412 applications in week 1. 196 disbursed. Approval rate held at 47% (similar to legacy flow), but origination time dropped from 4-7 days to 47 minutes median.
## The DPDP Consent Architecture (The Hard Part)
This was the part nobody else was doing well. Most loan-origination apps in 2025 collect 12-15 data fields with a single "I accept" checkbox. The DPDP Act requires "specific, informed, and unambiguous" consent per purpose. We built it as separate toggles.
```ts
// consent.ts — every data field has a purpose-mapped consent
type DataPurpose =
  | 'kyc_verification'
  | 'creditworthiness_assessment'
  | 'loan_disbursement'
  | 'loan_servicing'
  | 'recovery_actions'
  | 'marketing_communications'

// The remaining categories are elided in the original listing
type DataCategory = 'pan' | 'aadhaar' | 'bank_statement' | 'selfie' | 'address'

interface ConsentRecord {
  customerId: string
  dataCategory: DataCategory
  purpose: DataPurpose
  granted: boolean
  grantedAt: string
  consentVersion: string // increments when consent UI text changes
  retentionUntil: string // computed at consent time, not at deletion time
}

// Shape of the consent-vault client that checkConsent relies on (the client itself is not shown here)
interface ConsentStore {
  consents: { findOne(query: Partial<ConsentRecord>): Promise<ConsentRecord | null> }
}
declare const db: ConsentStore

class ConsentMissingError extends Error {
  constructor(customerId: string, dataCategory: DataCategory, purpose: DataPurpose) {
    super(`no granted consent for ${dataCategory}/${purpose} (customer ${customerId})`)
  }
}
class ConsentExpiredError extends Error {
  constructor(customerId: string, dataCategory: DataCategory, purpose: DataPurpose) {
    super(`retention period elapsed for ${dataCategory}/${purpose} (customer ${customerId})`)
  }
}

// On every API call that touches customer data:
async function checkConsent(
  customerId: string,
  dataCategory: DataCategory,
  purpose: DataPurpose
): Promise<ConsentRecord> {
  const consent = await db.consents.findOne({
    customerId, dataCategory, purpose, granted: true
  })
  if (!consent) {
    throw new ConsentMissingError(customerId, dataCategory, purpose)
  }
  // A consent past its retention date is treated as absent, even if still flagged as granted
  if (new Date(consent.retentionUntil) < new Date()) {
    throw new ConsentExpiredError(customerId, dataCategory, purpose)
  }
  return consent
}
```
The key insight: consent is checked at every API call, not just at form submission. This catches downstream bugs where a developer might pass customer data to a new feature without checking that the customer consented to that purpose. The compliance officer reviews the consent log monthly.
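As an added example (not the project's own code), the same per-call check built around an in-memory consent vault with an append-only audit log, plus a route hook that refuses any handler whose declared (category, purpose) pairs lack a current, granted consent. The retention periods, the in-memory store and the hook signature are assumptions; the purposes and categories are the ones from the post.

```typescript
// Added example, not the project's code: a purpose-bound consent vault with an
// append-only audit log, plus a request hook that enforces it on every route.
type DataPurpose = 'kyc_verification' | 'creditworthiness_assessment' | 'loan_disbursement'
  | 'loan_servicing' | 'recovery_actions' | 'marketing_communications'
type DataCategory = 'pan' | 'aadhaar' | 'bank_statement' | 'selfie' | 'address'
type Outcome = 'ok' | 'missing' | 'withdrawn' | 'expired'

interface ConsentRecord {
  customerId: string; dataCategory: DataCategory; purpose: DataPurpose
  granted: boolean; grantedAt: string; consentVersion: string; retentionUntil: string
}
type AuditEntry = Pick<ConsentRecord, 'customerId' | 'dataCategory' | 'purpose'> & { at: string; outcome: Outcome }

// Retention per purpose in days (assumed for this example; the real periods come from the NBFC's schedule)
const RETENTION_DAYS: Record<DataPurpose, number> = {
  kyc_verification: 7 * 365, creditworthiness_assessment: 7 * 365, loan_disbursement: 7 * 365,
  loan_servicing: 7 * 365, recovery_actions: 7 * 365, marketing_communications: 180,
}
const DAY_MS = 86_400_000

class ConsentVault {
  private records: ConsentRecord[] = []   // append-only: any change is a new record
  readonly audit: AuditEntry[] = []       // append-only: every check is logged, pass or fail

  // Retention is fixed at grant time from the purpose, never recomputed later.
  grant(customerId: string, dataCategory: DataCategory, purpose: DataPurpose,
        consentVersion: string, now: Date): ConsentRecord {
    const retentionUntil = new Date(now.getTime() + RETENTION_DAYS[purpose] * DAY_MS).toISOString()
    const rec: ConsentRecord = { customerId, dataCategory, purpose, granted: true, consentVersion,
      grantedAt: now.toISOString(), retentionUntil }
    this.records.push(rec)
    return rec
  }

  // Withdrawal is a new non-granted record; the earlier grant stays in the log untouched.
  withdraw(customerId: string, dataCategory: DataCategory, purpose: DataPurpose, now: Date): void {
    this.records.push({ customerId, dataCategory, purpose, granted: false, consentVersion: 'n/a',
      grantedAt: now.toISOString(), retentionUntil: now.toISOString() })
  }

  // The latest record for this exact (customer, category, purpose) cell decides.
  check(customerId: string, dataCategory: DataCategory, purpose: DataPurpose, now: Date): Outcome {
    const latest = [...this.records].reverse().find(r =>
      r.customerId === customerId && r.dataCategory === dataCategory && r.purpose === purpose)
    let outcome: Outcome = 'ok'
    if (!latest) outcome = 'missing'
    else if (!latest.granted) outcome = 'withdrawn'
    else if (new Date(latest.retentionUntil) < now) outcome = 'expired'
    this.audit.push({ at: now.toISOString(), customerId, dataCategory, purpose, outcome })
    return outcome
  }
}

// Route-level hook: a handler declares every (category, purpose) pair it touches and is
// refused unless each one has a current, granted consent for that exact purpose.
function requireConsent(vault: ConsentVault, needs: Array<[DataCategory, DataPurpose]>) {
  return (req: { customerId: string; now: Date }): void => {
    for (const [cat, purpose] of needs) {
      const outcome = vault.check(req.customerId, cat, purpose, req.now)
      if (outcome !== 'ok') throw new Error(`consent_${outcome}:${cat}:${purpose}`)
    }
  }
}
```

Because `check` appends an audit entry on every outcome, the monthly review sees refused calls as well as permitted ones, which is what surfaces a feature that started touching data without a matching consent.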
## The Cost Breakdown
Run cost (steady state): AWS Mumbai ₹28,000, Setu KYC (per-call, ~620/month at ₹14/call) ₹8,680, Karza bank statement parser (per-call, ~620/month at ₹22/call) ₹13,640, HyperVerge selfie (per-call, ~620/month at ₹6/call) ₹3,720, Aadhaar e-sign (per-sign, ~280/month at ₹40/sign) ₹11,200, NACH e-mandate (per-mandate, ~280/month at ₹15/mandate) ₹4,200, monitoring + Sentry ₹2,400, BetterStack logs ₹2,160. Total: ~₹74,000/month. Per-loan-disbursed cost: ₹264.
## The Outcome
- Origination time (median): 4-7 days → 47 minutes
- Application volume (month 2): +38%
- Compliance findings (Q4 2025 audit): 0
- Build payback period: ~5.2 months
## The Pre-Launch Checklist (Refuse to Skip)
- DLA reported on RBI's CIMS portal with all required fields
- Consent matrix reviewed by external compliance counsel
- Data residency: every customer data field stored only in ap-south-1
- S3 Object Lock enabled on audit logs bucket — 7-year retention legal hold
- OWASP Mobile Top 10 pen-test completed by external firm; all P1/P2 findings resolved
- API rate limits tested under 10x peak load (we did 2,800 apps/min; deployed at 280)
- Aadhaar masking — only last-4 stored in our DB, full Aadhaar never touches our infrastructure
- Selfie liveness on-device only — no biometric data leaves the phone
- Customer-facing "my data" screen shows all collected fields with purpose + retention
- NACH e-mandate fallback path tested for partner bank outages
- Disbursement reconciliation runs nightly; mismatched amounts flagged within 24 hours
## What We Deliberately Did Not Build
1. In-app insurance cross-sell. Several vendors pitched it in week 4. The DPDP Act's purpose-limitation rules make insurance cross-sell a separate consent flow. We pushed back: do not bundle a feature that creates compliance risk for a 6% revenue uplift. The CFO agreed in 14 minutes.
2. Account Aggregator (AA) integration for bank statement. Karza's PDF parser handles 94% of statements. AA would take statements to 99% but adds 6 weeks of engineering and a separate AA consent flow. v2 candidate, scheduled for Q2 2026.
3. Co-branded credit card acquisition. A partner bank pitched it. Out of scope for an LOS — different product, different compliance regime, different customer journey. Separate build if pursued.
4. AI chatbot for customer support. Recovery and customer service are inherently sensitive in a lending context. We pushed for human-only support in v1. Chatbot might come in v3, with very careful guardrails.
## Why We Said No To A Generic LOS
We evaluated three off-the-shelf loan-origination systems (Lentra, NewGen, FinnOne). Each had genuine strengths but each came with a tradeoff that was unacceptable here:
1. Compliance retrofitting. All three were built before the RBI Digital Lending Directions 2025. Adapting them required vendor roadmap commitments we could not get in writing.
2. Audit-trail immutability. None of the three offered S3-Object-Lock-equivalent immutability for consent logs. RBI inspection wants this and will get it.
3. Per-loan licensing. All three priced per-loan-disbursed at ₹120-280/loan. At 280 loans/month, that is ₹33K-78K/month forever, with no path to in-house ownership.
4. Vendor lock-in on data. Customer data sits in vendor infrastructure, with extraction APIs that range from "okay" to "non-existent."
The custom build payback is roughly 5 months versus the cheapest LOS option. Plus the NBFC owns the codebase, the data, and the roadmap.
## Common Mistakes (Each One Is A Compliance Risk)
Symptom: "Consent collected once at sign-up, never re-checked." Cause: developer treats consent as a one-time form. Fix: the consent check belongs in your API middleware, not your UI form. Every API call that touches customer data must verify a current, granted, non-expired consent for that exact purpose.
Symptom: "Audit log can be edited or deleted." Cause: logs in standard S3 or in CloudWatch with default retention. Fix: enable S3 Object Lock with retention period equal to your regulatory hold (typically 7 years for NBFCs).
Symptom: "Aadhaar number stored in app database." Cause: developer convenience or copy-paste from older codebase. Fix: never store the full Aadhaar. Store the last-4 only, fetch full Aadhaar on-demand from DigiLocker via Setu when actually needed.
Symptom: "DigiLocker fetch fails for customers with non-linked Aadhaar." Cause: the customer's Aadhaar is not linked to a mobile number, or DigiLocker account does not exist. Fix: gracefully fall back to manual document upload + offline KYC, with a "we will call you to verify" follow-up. Roughly 4-6% of our applications go through this path.
Symptom: "Bank statement parser misclassifies salary credits." Cause: customer's salary is from a small employer not in Karza's reference list. Fix: ship a "review your income" screen that lets the customer correct classifications. Saves the underwriting team and improves Karza's classifier over time via feedback.
## A Detail That Saved Us On Day 12 of the Pilot
In week 8 of the pilot, an internal staff member tried to apply for a ₹3 lakh loan at 11:42 pm. The app's selfie liveness check failed 4 times in low light. He filed a bug. We added a "use front-facing flash" prompt for low-light conditions and a manual override for staff (with an audit log entry). The fix shipped via Expo OTA in 11 minutes — no app store review. This was the first concrete win from choosing Expo over a bare React Native build.
## Where Mobile Fintech Fits In Our Wider Work
We have shipped mobile builds for:
- TalkDrill — our in-house voice-AI English app. The same React Native + Expo stack, the same on-device biometric/audio handling, applied to a different use case.
- Radiant Finance's lead-management mobile companion.
- The customer-portal companion for the 240-agent real-estate CRM we shipped in Dec 2025.
If you are building a fintech mobile product in 2025-2026 India, the compliance design must lead the build. Generic LOS vendors will not do this for you; your compliance officer cannot retrofit it after launch. We have started every fintech engagement of the last 18 months with a compliance-first design week — and we recommend it as the cheapest insurance you can buy.
## FAQ
### Is React Native the right choice for a fintech app in 2025?
Yes, for this use case. React Native + Expo with proper on-device biometric handling is comparable to native on UX, and dramatically faster to ship. We would pick native for an app that needs heavy AR/ML or specific iOS-only frameworks; for loan origination, RN wins on time-to-market.
### What about Account Aggregator vs PDF bank statement upload?
AA is the long-term right answer. PDF parsing handles 94% of statements but the failure modes are messy. AA gives you structured, signed transaction data directly from the bank. We are integrating AA for v2 in Q2 2026. The hold-up is consumer adoption — most customers in our pilot did not know what AA was.
### How does the DPDP Act 2023 differ from the RBI's data localisation requirements?
RBI's data localisation (the 2018 directive) requires payment data to be stored only in India. The DPDP Act adds purpose limitation, consent management, deletion rights, and breach notification on top. They are layered, not contradictory. We comply with both.
### What if the customer changes their mind and wants to delete their data?
The "my data" screen has a "request deletion" button. The request enters a 30-day workflow. For customers with no active loan, deletion happens within 30 days. For customers with an active loan, deletion is suspended until loan closure (this is permitted under the DPDP Act for legal-obligation processing). Customer is notified at every step.
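The deletion-request flow from week 7 and this answer, as an added example that is not the project's code: a small state machine whose history is append-only, which suspends the request while a loan is active and restarts the 30-day clock on closure. The status names, the manual-review step, the `LoanBook` lookup and the notification stand-in are assumptions.

```typescript
// Added example, not the project's code: deletion-request workflow as a state
// machine with an append-only history. The 30-day window and the suspension for
// active loans follow the post; status names and the review step are assumptions.
type DeletionStatus = 'received' | 'under_review' | 'suspended_active_loan' | 'scheduled' | 'completed'
interface DeletionRequest {
  id: string; customerId: string; status: DeletionStatus
  requestedAt: string; dueBy: string   // dueBy = clock start + 30 days
  history: Array<{ at: string; from: DeletionStatus | null; to: DeletionStatus; note: string }>
}
interface LoanBook { hasActiveLoan(customerId: string): boolean }
const DAY_MS = 86_400_000

class DeletionWorkflow {
  readonly notifications: string[] = []   // stand-in for SMS/email: customer told at every step
  private loans: LoanBook
  constructor(loans: LoanBook) { this.loans = loans }

  private move(r: DeletionRequest, to: DeletionStatus, note: string, now: Date): void {
    r.history.push({ at: now.toISOString(), from: r.status, to, note })   // entries are never rewritten
    r.status = to
    this.notifications.push(`${r.customerId}:${to}`)
  }

  open(id: string, customerId: string, now: Date): DeletionRequest {
    const r: DeletionRequest = { id, customerId, status: 'received', requestedAt: now.toISOString(),
      dueBy: new Date(now.getTime() + 30 * DAY_MS).toISOString(), history: [] }
    r.history.push({ at: now.toISOString(), from: null, to: 'received', note: 'customer request' })
    this.notifications.push(`${customerId}:received`)
    // An active loan sends the request to manual review; otherwise it is scheduled straight away.
    if (this.loans.hasActiveLoan(customerId)) this.move(r, 'under_review', 'active loan', now)
    else this.move(r, 'scheduled', 'no active loan, delete within 30 days', now)
    return r
  }

  // Reviewer outcome for an active loan: deletion is suspended until loan closure
  // (legal-obligation processing); the 30-day clock stops here.
  suspend(r: DeletionRequest, now: Date): void {
    if (r.status === 'under_review') this.move(r, 'suspended_active_loan', 'suspended until closure', now)
  }

  // Loan book reports closure: the clock restarts and the request is scheduled.
  loanClosed(r: DeletionRequest, now: Date): void {
    if (r.status !== 'suspended_active_loan') return
    r.dueBy = new Date(now.getTime() + 30 * DAY_MS).toISOString()
    this.move(r, 'scheduled', 'loan closed, clock restarted', now)
  }

  // Nightly job calls this; purge() is the caller's real deletion across every store.
  complete(r: DeletionRequest, now: Date, purge: (customerId: string) => void): boolean {
    if (r.status !== 'scheduled') return false   // never purge a suspended or still-reviewed request
    purge(r.customerId)
    this.move(r, 'completed', 'data deleted', now)
    return true
  }

  // Compliance alarm: a request whose clock is running has slipped past its 30-day window.
  isOverdue(r: DeletionRequest, now: Date): boolean {
    return r.status !== 'completed' && r.status !== 'suspended_active_loan' && new Date(r.dueBy) < now
  }
}
```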
### How much does Setu's DigiLocker integration cost?
Setu charges per-call. At our test volume (~620 applications/month), it works out to ~₹14 per DigiLocker fetch — roughly ₹8,680/month. [Their pricing page](https://setu.co/data/kyc/) is transparent and the SDK saves us roughly 3 weeks of engineering vs building DigiLocker integration directly.
### What about Account Aggregator pricing?
Most AAs charge per-fetch (typically ₹15-25 per consent + ₹2-5 per ongoing fetch). Karza's bank-statement-via-AA flow is ₹38/fetch all-in. Comparable to PDF parsing economically.
### Can other NBFCs use this codebase?
Yes, with adaptations. The compliance architecture is generic. The underwriting model and product configuration must be customised per NBFC. Typical adaptation engagement: 4-6 weeks.
### What was the team composition?
Three engineers (one senior on the backend + compliance plumbing, one mid on the React Native app, one junior on the DPDP consent vault). One designer at 0.4 FTE for 6 weeks. Compliance specialist (external) at 12 hours total. QA + external pen-test for week 8.
Need a DPDP-compliant fintech app?
We build mobile loan-origination apps, KYC apps, and embedded finance products for Indian NBFCs and fintechs. Typical project: ₹22–45 lakh, 8–14 weeks, fixed scope. Compliance-first design from day 1. RBI Digital Lending Directions 2025 + DPDP Act 2023. The first call is with the engineer who would lead your build, plus our compliance specialist.