Digital Lending

Mandatory Norms under RBI Regulations on Digital Lending

The Reserve Bank of India, on August 10, 2022, released detailed norms relating to the digital lending sector of the country. The regulatory framework issued by the RBI aims to implement the recommendations of its Working Group constituted in January 2021. The WG was constituted to study the rampant issues relating to digital lending activities undertaken in the country via mobile applications and digital platforms. The primary objective of the RBI regulations is to safeguard the interest of borrowers and minimise the growing issue relating to digital frauds and unlawful lending activities in India. This article is a detailed analysis of the RBI regulations on digital lending that are in implementation effective immediately and their operational implications on Regulated Entities (REs).

Key Highlights of RBI Regulations on Digital Lending

• The complete onus of compliance with the regulations has been shifted to NBFCs and Banks engaged in digital lending activities.
• There is no limit on the number of Digital Lending Apps (DLAs) to be operated by an NBFC/Bank. Regulated Entities (REs) can partner with LSPs and their DLAs and display their name on their website.
• There is no cap on the interest rate or processing fee that REs can charge; however, the same must be disclosed in the Loan Agreement or KFS.
• Loan Agreements executed digitally on DLAs between borrowers and REs need to be signed via OTP on email.
• A cooling-off/look-up period has been provided to borrowers during which they can pay off their digital loans with principal loan amount and part interest applicable with any additional penalties.
• REs have to ensure that the borrower’s personal information and privacy are protected and secured right from the time of borrower onboarding/sign-up. For this, the REs also need to have a comprehensive data privacy policy^[1].
• REs shall have to notify their borrowers regarding the name of their collection agencies engaged by them from time to time.
• DLAs of REs shall require explicit consent from the borrowers to obtain any access to information. Further, the DLAs cannot access the contact list, media, call logs, etc. of the borrower. The borrower will also have the right to reject the request for such access or revoke such consent.
• REs shall also lay down a detailed privacy policy as per the applicable laws and regulations to disclose all information.

Applicability of the RBI Regulations on Digital Lending

As per the latest RBI regulations, the ambit of the term ‘digital lenders’ comprises three kinds of lenders:

1. Entities as regulated by the RBI and allowed to operate a lending business;
2. Entities not regulated by the RBI but are allowed to operate a lending business in accordance with other regulatory or statutory provisions;
3. Entities that have been carrying out lending activities but are not regulated by any statutory or regulatory provisions.

The RBI regulations on digital lending are applicable to the digital lending activities performed by the first category, i.e., the Regulated Entities (REs), with the Annex-I of the press release having an immediate and mandatory effect on them. Further, the regulations also cover Lending Service Providers (LSPs) that are engaged by REs to extend their digital lending services. Along with REs and LSPs, the mandatory framework laid down under Annex-I is also applicable to the Digital Lending Apps (DLAs) and DLAs of LSPs involved with REs.

However, the regulations are not applicable to the second category mentioned above, and they will be regulated by the framework implemented by the appropriate authorities. Further, the press release provides various legislative and institutional interventions for the Government of India to consider for dealing with the increasing issue of unlawful lending activities undertaken by the third category.

Demystification of the Mandatory RBI Regulations on Digital Lending

The Annex-I of the press release lays down the recommendations of the Working Group that have been accepted for immediate implementation. The mandatory framework covers the following aspects of the digital lending landscape in the country:

1. Measures to Protect Borrowers’ Interest
2. Technology and Data Privacy 
3. Regulatory Requirements

Measures to Protect Borrowers’ Interest

Loan Disbursals

All loan disbursal and repayment activities shall only be executed directly in the bank account of the lender without any involvement of a third party’s pool account or pass-through account. Such disbursals shall only be made directly into each borrower’s bank account. 

However, the framework provides exceptions to the following:

• Disbursals that are covered separately under any statutory/regulatory mandate;
• Monetary transactions in co-lending arrangements; 
• Disbursals where loans are authorised for any end-use, particularly laid down under any regulatory guidelines by the RBI or other regulatory authorities.  

Lending Service Providers

• The Working Group, in its report dated November 18, 2021, has defined Lending Service Providers as the agents of a balance sheet lender who undertake one or more of the lender’s functions. These functions include customer acquisition, underwriting support, pricing support, disbursement, servicing, monitoring, collection, and liquidation of specific loan or loan portfolios for compensation from the balance sheet lender. 
• Based on the Working Group’s recommendations, the RBI regulations on digital lending require REs to conduct an enhanced due diligence process before they enter into a partnership with an LSP for digital lending. During such due diligence, the RE must consider factors such as the LSP’s data privacy policies, storage systems, technical abilities, conduct with borrowers and compliance with applicable statutes and regulations.
• Further, the REs shall also ensure that the LSPs they partner with do not have any provisions for storing the personal data of the borrowers, with exceptions relating to the borrower’s name, contact details and address, which are necessary to execute their activities. The onus to ensure data privacy and security of the borrower’s personal details shall also be on the RE.
• The RE shall also have to inform the borrower about the LSP that shall act as the recovery agent on its behalf and is authorised to contact the borrower for recovery of the loan amount. Such information shall be shared with the borrower at the time of the loan sanction and whenever such LSP is appointed as the recovery agent. Additionally, the RE shall have to periodically assess the conduct of the LSP authorised by it for such purposes.
• All REs also need to provide guidance to their recovery agent LSPs to ensure that they execute their duties in a responsible and ethical manner. The RBI shall issue the guidelines relating to fair recovery practices for the REs until the proposed Self-Regulatory Organisation (SRO) and the RBI frame a standardised code of conduct for recovery.

Fees and Charges

• The RBI regulations on digital lending also state that any fees that the Regulated Entities need to pay to LSPs shall be paid directly by the latter. REs have to ensure that the borrowers are not charged directly by the LSP for such fees.
• Further, all REs have to disclose the all-inclusive cost of digital loans in the form of Annual Percentage Rate (APR) up front. APR is the annual rate charged on borrowing a loan, including the processing fees, penalties and all other fees/charges applicable to the loan lifecycle.

Grievance Redressal

• The Regulated Entities and their LSPs shall appoint a dedicated Nodal Grievance Redressal Officer to handle the complaints and grievances raised by borrowers regarding FinTech or digital lending. The GRO shall also be responsible for handling grievances relating to the Digital Lending Apps (DLAs).
• The borrower shall have the option to file a complaint through the Complaint Management System (CMS) portal or other channels under the Reserve Bank-Integrated Ombudsman Scheme (RB-IOS) if the RE fails to resolve the complaint within the 30-day time period.

Key Disclosures

• Under the RBI regulations on digital lending, REs shall also be required to display the contact details of the GRO on their websites. It shall also ensure that its LSPs and DLAs also make such disclosure, along with providing such details in the KFS provided to the borrower. The REs shall also provide the details of different modes or channels of filing a complaint on their website as well as their DLA.
• All REs shall also have to publish the list of their LSPs and DLAs on their website for the borrowers to peruse. This shall also include the details of the activities relating to the loan facilitation that such entities are engaged in with the REs.
• The DLAs of the RE or LSP also need to clearly lay down the details relating to the features of the lending products, loan limits, costs, and other key details at the time of customer onboarding or sign-up. This must be done to ensure that the borrower has all the transparency about the digital lending product before making their decision.

Key Fact Statement (KFS)

The RBI regulations on digital lending require the REs to provide a Key Fact Statement (KFS) to the borrower before any contract is executed for any digital lending product. The KSF shall include all the fees, charges, etc., applicable to the borrower. An RE cannot implement any fee or other charges which are not stated in the KFS. The KFS shall also include the following information:

1. Information on Annual Percentage Rate (APR)
2. Stipulations relating to the recovery mechanism of the lender
3. Information of the Grievance Redressal Officer appointed to handle matters relating to digital lending or FinTech
4. Cooling-off or look-up period

The issued regulations do not provide any format for the KFS. However, the press release states that the format provided in Annex II to the Master Direction – Reserve Bank of India (Regulatory Framework for Microfinance Loans) Directions, 2022, can be used till such format is provided.

All REs also have to ensure that the documents relating to key lending transactions performed through the DLAs that are signed by the borrowers digitally flow automatically from the lender to the verified or registered SMS/email of the borrower once the transaction or loan contract is executed. These documents may include a summary of the digital lending product, Key Fact Statement, Sanction Letter, Terms and Conditions, Privacy Policy of the LSPs regarding the borrowers’ data and Account Statements.

Increase in Credit Limit

No RE can automatically increase the credit limit unless the borrower provides their explicit consent on record for every such increase. The same shall be applicable in multiple or top-up loans by the same borrowers, where no such credit limit extension shall be allowed unless the borrower agrees to it.

Borrower Creditworthiness

The RBI regulations on digital lending also include the WG’s suggestion regarding the assessment of the borrowers’ creditworthiness. As per the new framework, REs can capture the economic profile of a borrower, including details such as their income, age, occupation, etc., before extending a loan to them through their digital lending app. By doing this, they can assess the borrower’s creditworthiness in an auditable way. 

Cooling Off/Look-Up Period

The new regulations also provide an option to the borrowers to pay the principal loan amount and proportionate APR without any penalty. For this, the RE shall provide a cooling off/ look-up period (as approved by its Board) to the borrower for their existing digital loans. During this cooling-off/ look-up period, the borrower can decide if they do not wish to continue with the loan. However, such a cooling-off/ look-up period does not affect the loan pre-payment option of the borrower in case they wish to continue with the loan beyond the look-up period. Such pre-payment options shall be provided under the extant RBI guidelines. This means that once the cooling-off period is complete, the borrower will still have to pre-pay their entire loan amount along with the applicable interest upon payment of necessary fees/charges.

State Level Coordination Committee (SLCC) meetings

State Level Coordination Committee (SLCC) meetings shall be conducted with regular agenda to cover reports on unlawful digital lending, recovery and other such lending-relating applications in the market. Further, the RBI may send a need-based invitation to TRAI for such SLCC meetings.

Technology and Data Privacy 

Data Collection and Usage

As per the RBI regulations on digital lending, any data collection function of the DLAs should only be need-based. To undertake such collection activity, the DLA shall obtain prior and clear consent from the borrower. Further, the data collection mechanism must be auditable, if necessary. No DLA should undertake activities such as accessing the file and media storage, contact list of the user, call logs, or telephonic functions.

However, the DLA may obtain one-time access via explicit consent from the borrower for using the camera, microphone, GPS or other such facility required for KYC/onboarding activities. The RE must also disclose the purpose of obtaining borrowers’ consent at all stages of the DLA interface.

The DLA should provide the borrower with the option to provide or reject the consent for using certain critical data, disclosure to third-party apps or data retention. The borrower should also be provided with the option to revoke the consent previously provided to use their personal data and make the digital lending app delete or forget their stored information.

 Privacy Policy

The DLA of REs or LSPs shall have a detailed Privacy Policy in accordance with the applicable laws, regulations and the RBI’s guidelines. Such policy shall be made available to the public by the DLA to access and collect the personal information of the borrowers.

The policy must also define the details of all third parties that can collect the personal information of the borrower through the DLA. The app must also obtain explicit consent from the borrower before sharing any personal information with a third party. However, these RBI regulations on digital lending come with an exception for matters where such information needs to be shared as per any regulatory or statutory requirements.

Additional Disclosures

The DLA also needs to have clear policy guidelines on customer data storage, including the kind of data that the DLA can hold, the time period of such hold, restrictions on data usage, a mechanism for data destruction and a mechanism for handling security breaches. Such guidelines must be clearly accessible on the DLA’s website and mobile app. Any biometric data shall not be stored or collected in any system of the DLA unless permitted under any extant statutory guidelines.

The DLAs of the REs and LSPs must also have links to the websites of the REs that provide additional details about the loan offerings, the lending company, the LSP, details of the customer care, privacy policy and link to the Sachet Portal.

Compliance with Cybersecurity Standards

The REs and LSPs shall also comply with the different cybersecurity standards and requirements as defined by the RBI or other authorities from time to time. They also need to ensure that the data of the borrowers is stored in India-based servers and comply with the statutory requirements or regulatory guidelines for such storage.

Regulatory Requirements under RBI Regulations on Digital Lending

Reporting to CICs

Now, under the new RBI regulations on digital lending, the REs have to report all forms of their lending done through a digital lending app to the Credit Information Companies (CICs). The nature or tenor of the lending shall have no effect on such reporting. 

Further, the REs also need to report the extension of new digital lending products such as Buy Now Pay Later (BNPL) over a merchant platform that involves short-term secured/unsecured loans or deferred payments. The REs shall ensure compliance by LSPs with the RBI’s extant outsourcing guidelines as well as these new digital lending regulations in case of deferred payment credit products.

First Loss Default Guarantee (FLDG)

The recommendations relating to the regulatory framework for First Loss Default Guarantee (FLDG) are under examination, and the same have been accepted in-principal. Until the approval by the RBI, the financial products involving contractual agreement of REs shall adhere to the extant guidelines in Master Direction – Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021, where a third party guarantee is given to recover a particular percentage of default in the loan portfolio.

Upcoming RBI Guidelines on Digital Lending Businesses

In addition to the released regulations, the RBI, as well as the Central Government, may issue additional guidelines to further regulate the digital lending sector in India. These guidelines/laws may include:

• Laws relating to banning unauthorised digital lending applications (DLAs) in India. Such legislation for Banning of Unregulated Lending Activities (BULA) will be applicable to all entities that are not authorised by the RBI and are not registered under any other law to execute lending activities in the country.
• Setting up a Digital India Trust Agency (DIGITA) for the verification of DLAs before such applications are publicly distributed through app stores. The eligible apps that do not have the ‘verified’ signature of DIGITA may be considered unauthorised.
• Setting up a National Financial Crime Record Bureau along the lines of the National Crime Records Bureau. The NFCRB may have a data registry similar to the crime and criminal tracking network and systems as applicable to REs.
• Regulatory framework for loan web aggregators.

Gaps Identified in the RBI Regulations on Digital Lending

After a detailed assessment of the press release issued by the RBI, the following gaps can be identified, which may require additional guidelines by the authority:

Loan Disbursement Reconciliation

The regulations require disbursement and repayment of the loans in the Bank Account of the digital lending NBFC. The RBI has further regulated the use, role and responsibilities of the Payment Gateways during the different stages of the loan life cycle. However, from an operational point of view for NBFCs, tracking disbursement and repayment of small-ticket size loans via current accounts will be a challenge in terms of Reconciliation.

Need for DLA Licensing

Further, there is a need to regulate Lending Service Providers (LSPs) more stringently, with a proper licensing and registration procedure for such digital lending apps.

Regulation of App Stores

There is also a dire need to regulate Application stores (both Android and iOS) for such lending/finance business apps in India. At present, any individual or business operating or residing outside India can upload an APK to such stores and make their application live without any restrictions. The need is for proper regulations to identify and ban such unauthorised apps to ensure that such apps cannot be searched and marketed in India.

In Conclusion

The digital lending ecosystem is one of the most rapidly evolving fintech sectors in the country. The market has grown from US$ 9 billion in 2012 to almost US$ 110 billion in 2019, with an expected growth up to US$ 350 billion by 2023. However, with such growth, the issues relating to customer protection, data security and illegal digital lending activities have also increased in India. The latest RBI regulations on digital lending are a much-needed regulatory update for the sector in order to streamline the operations of the REs and LSPs and provide them with a proper operational mechanism that upholds the interest of the borrowers, while still ensuring growth and innovation in the digital lending landscape.

Read our Article:All About Digital Lending and Its Business Models