The Reserve Bank of India (“RBI”) which regulates inter alia credit systems and markets in India has been considering the regulatory ecosystem around ‘digital lending [1]’ (“Digital Lending”) for some time now. It had constituted a Working Group on ‘digital lending including lending through online platforms and mobile apps’ led by one of its executive directors, Mr. Jayant Kumar Dash (“Working Group”) which had submitted a set of recommendations to the RBI on November 21, 2021 (“WG Report”). The WG Report included a host of recommendations to the RBI and the central government vis-à-vis the required changes to the digital lending ecosystem.

Now some of those recommendations have been accepted and the RBI has issued a press release on August 10, 2022 (“Press Release”). The Press Release contains:-(a) recommendations from the WG Report which are up for immediate implementation; (b) recommendations from the WG Report which have been accepted in-principle but require further examination; and (c) recommendations that require wider engagement with the central government and other stakeholders in view of the technical complexities, setting up of institutional mechanism and legislative interventions.

It is important to note that the Press Release states that detailed instructions will be issued separately. However, the timing of these detailed instructions is suspect. In this update, we have focused on (a) above, i.e., the recommendations which are being implemented immediately.

APPLICABILITY & EFFECTIVE DATE

Applicability

  1. The Press Release is applicable to all regulated entities (“REs”) of the RBI including banks, non-banking financial companies (“NBFCs”) carrying out Digital Lending either-
    1. through lending service providers, i.e., an agent of a regulated entity who for a fee from the RE, carries out one or more of the lender’s functions in customer acquisition, underwriting support, pricing support, disbursement, servicing, monitoring, collection, recovery of specific loan or loan portfolio (“LSPs”); [2] OR
    2. Through their own digital lending apps-mobile and web-based applications with user interface that facilitate borrowing by a borrower from a digital lender. DLAs will include apps of the REs as well as those operated by LSPs which are engaged by REs for extension of any credit facilitation services (“DLAs”). [3]
  2. Entities carrying out lending activities that are not regulated by the RBI including Housing Finance Companies etc. are not affected by this Press Release.

Effective Date

The Press Release does not mention any effective date and in fact, indicates that the implementation will be ‘immediate’, however, it states that detailed instructions will follow separately. [4]

KEY COMPLIANCES [5]

Sl No. Compliance Rationale Our Views
1 Fund Flow:

REs to ensure that all loan servicing, repayment, etc., shall be executed directly in the RE’s bank account without any pass-through account/ pool account of any third party. The disbursals shall always be made into the bank account of the borrower.

In case of borrowers not having a bank account, monies can be disbursed only into fully compliant PPIs of the borrower.

Exceptions- (a) disbursals covered exclusively under statutory or regulatory mandate; (b) flow of money between REs for co-lending transactions; and (c) disbursals where loans are mandated for specified end-use as per regulatory guidelines of RBI or of any other regulator.

In the WG Report, RBI had raised concerns about the transparency of the process/disbursals where monies are disbursed by the lender to the LSP and then the LSP disburses the same to the borrower and similarly where the LSP collects the repayment amount on its own bank account and then sends it to the lender. This is in line with recent changes in other regulatory regimes including SEBI’s banning of pooling of monies in relation to mutual funds as well. The systemic risk that the regulator is looking at is that there could be a possibility of fund mix-up and also a concern if the LSP undergoes a moratorium or insolvency proceedings as there could be a confusion about which assets (cash) belongs to the entity and what assets are only being held as in trust.

Another reason for this suggestion is to ensure that the loans flow from the accounts of the actual balance sheet lender to the borrower for de-risking the lending market, reduce dependency on the unregulated LSPs, and increase regulatory compliance on REs.

One of the major disruptive effects of this recommendation is that many of the REs and LSPs use payment aggregators/escrow banks for administrative convenience will need to be relooked at.

However, in our view, possible lender-specific escrow structures could be evaluated which should pass the regulatory muster.

Due to exception (b), platforms (such as CredAvenue) that facilitate co-lending between REs could be exempted.

2 Payment of Fees to LSPs

REs to ensure that any fees, etc. payable to LSPs are paid directly by REs and are not charged by LSP to the borrower directly.

This is in line with existing guidelines on business correspondents, wherein charging the borrower directly by the business correspondents is prohibited. In our view, this should not affect the provision of separate services by the LSPs to the customer/borrower and charge them separately for the same.
3 Disclosure of APR

The all-inclusive cost of digital loans as an Annual Percentage Rate [6] (APR) is to be disclosed upfront by REs.

In the WG Report, the Working Group had recommended that the total costs of the borrowing (including contingent costs) should be fairly disclosed to the borrower. It had recommended that RBI should establish standard definitions for the cost of digital short-term consumer credit/ micro-credit as Annual Percent Rate (APR).

The disclosure should include the monetary and non-monetary impact of early, partial, late, or non-repayment of the loan (contingent costs).

This is a customer-focused suggestion for disclosure of costs in a clear and understandable way and adequate disclosure may, according to the WG Report, improve repayment performance.

RBI in the Press Release has not set out the standard measures for APR contrary to the recommendation of the WG Report but has put in a blanket requirement on REs to disclose the all-inclusive cost as an APR.

Lenders could consider disclosing a range for the APR starting from an APR which would not include any penalties and other contingent charges and only captures the fixed APR up to a rate of APR which could include all contingent charges.

4 Grievance Officer & Grievance Redressal

REs to ensure that LSPs appoint a nodal grievance redressal officer (“GOs”) to deal with all complaints in relation to the Digital Lending or the DLAs. The GO’s contact details are to be displayed on-(a) RE’s website; (b) LSP’s website; (c) the DLA, and (d) the key fact sheet (“KFS”) (discussed later).

The DLA and the website shall contain the mode of lodging a complaint. If any complaint is not resolved by the RE within 30 (thirty) days, the borrower can lodge a complaint over the Complaint Management System (CMS) portal or other prescribed modes under RB-IOS.

In line with the extant guidelines on outsourcing, the intent of this is that the end customer should not be restricted in any manner from raising his/her grievance as in a Digital Lending scenario, a lot of the times, the end customers confuse the lending platform with the back-end lender. This recommendation is in line with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”). Under the Intermediary Rules, the definition of intermediary [7], in any case, would include a LSP requiring the appointment of a grievance officer.

However, since RBI cannot directly govern the LSPs, the obligation is cast on the REs to ensure that the LSPs comply with this obligation. It has been clarified that the responsibility of the grievance redressal will continue to be with the RE.

5 Key Fact Sheet

REs to provide a key fact statement before the execution of the contract in a standardized format for all digital lending products including- (a) details of the APR; (b) terms of the loan; (c) details of the grievance officer; and (d) cooling-off/look-up period (discussed later).

Any fee which are not mentioned in the KFS shall not be charged.

The intent of the RBI is to ensure that the uninitiated/young and the less financially literate customers have all the relevant information in one place, especially as the loan documents can be verbose, such customers may lose out on important details of the loan if all critical information is not simplified. It has been recommended that till the time RBI does not come up with a specific KFS format for Digital Lending, the format available under Master Direction – Reserve Bank of India (Regulatory Framework for Microfinance Loans) Directions, 2022 dated March 14, 2022, can be used.
6 Flow of Information

REs to ensure that all digitally signed documents supporting important transactions through DLAs- (a) KFS; (b) summary of the product; (c) sanction letter; (d) terms and conditions; (e) account statements; (f) privacy policies of the LSPs with respect to borrowers’ data, etc., shall automatically flow from the lender to the registered/ verified email/ SMS of the borrower upon execution of the loan contract.

This is done to ensure that the borrowers have copies and knowledge of all relevant documents. We understand that currently all such information especially the privacy policy of the LSP etc. is not sent to the customer upon execution. Currently, customers can view some of these documents after logging in to the portal of the LSP. Going forward, all documents as identified have to be shared with the customer.

There may be significant monetary and operational outflow for REs and LSPs to put this into effect. The stamp duty implications will also need to be ascertained.

7 Credit Limit

REs to ensure that automatic increases in credit limits are prohibited unless explicit consent of the borrower is taken on record for each such increase.

The intent is to ensure that the less financially literate customers do not fall into a debt trap. It has to be ensured, that explicit consent has to be taken from the borrower before their credit limit is extended. Such consent should be recorded and preserved.
8 List of LSPs on REs Website

REs shall publish the list of LSPs (and DLAs, if any) engaged by them along with the details of the activities for which they have been engaged, on their website.

This is to ensure transparency and for the customer to know the association/relationship. Usually, the existence and nature of engagements between REs and LSPs were not publicly known. This will put an additional regulatory burden on the REs to maintain an updated list on their website.
9 Credit Assessment of each Borrower

REs may capture the economic profile of the borrowers (age, occupation, income, etc.,) before extending any loans over DLAs, with a view to assess the borrower’s creditworthiness in an auditable way.

The WG Report stated how debt trap protection works in jurisdictions such as the US. Some of the customers may take loans without having the financial wherewithal to repay the same or may be exposed to certain immediate risks on account of the burden of the interest and repayment of the loan. To counter the same, the Press Release makes it mandatory for the lenders to determine the ability of the borrowers to repay the amounts and to assess the creditworthiness of each of the borrowers. In our view, auto-approved limits/pre-approved loans where each of the customers is not individually assessed may have to be stopped.

The economic profile of each of the customers has to be collected and creditworthiness has to be accessed and the audit trails of the same have to be maintained prior to initiating lending.

10 Cooling-off/Look-up Period

A board-determined ‘Cooling-off/Look-up Period’ has to be prescribed by the RE within which time, the borrower will be able to exit the loan without paying a prepayment penalty but only paying the principal amount and a proportionate APR.

This is being done to ensure that the customer is protected from over-burdening himself/herself with loans and is not disincentivized from prepaying a loan if he/she is able to. Globally cooling-off period (as noted in the WG Report) varies from 3-14 days. A board-approved policy should be made and such cooling-off/look-up period to be set out.
11 Disclosure during onboarding

The DLAs or DLAs of the LSPs at the onboarding/sign-up stage prominently display information relating to the product features, loan limit, cost, etc. so as to make the borrowers aware of these aspects.

Consumer awareness and transparency. The sign-up and subsequent disbursement could be made conditional upon ticking off a consent radio box with terms and conditions offered for all loan products.
12 Relationship between REs and DSPs

Enhanced due diligence by the balance sheet lenders before entering into a partnership with LSPs. Communication from the lender to the borrower about the details of LSPs who have sourced the loans and prior communication about the LSP entrusted with recovery. Periodic review of the conduct of LSPs engaged in recovery.

Since partnerships with the customer-facing LSPs is a dominant model, oversight should be extended to LSPs by the REs. As such being unregulated service providers, LSPs are under minimum oversight. Focus by the RBI on the activities undertaken by the LSPs is a game changer. This will increase the regulatory burden on the REs to ensure LSPs’ compliance with the current regulations.
13 Consumer Data

  1. Types of Data to be collected: Data of the customer collected should be need-based and should only be collected only with prior explicit consent which should be auditable. REs to ensure that LSPs do not store personal information of borrowers except for some basic minimal data (viz. name, address, contact details of the customer, etc.) that may be required to carry out their operations. DLAs should not access mobile phone resources such as files and media, contact lists, call logs, telephony functions, etc. One-time access can be taken for the camera, microphone, location, or any other facility necessary for the purpose of onboarding/ KYC requirements only with the explicit consent of the borrower.
  2. Explicit Consent Requirement: Required for-
    1. Consent to the DLAs access and use to the customer’s mobile phone/other electronic device resources – camera, contact list, audio, location, stored documents and images, etc.
    2. Type of specific data that is collected (personal information for the purposes of KYC, income and credit information, etc.)
    3. To disclose to third parties.
    4. For any retention.
  3. Right to Revoke/Purge: Right to revoke consent + right to purge personal data from the App.
  4. Privacy Policy: Privacy policy to be in place including- details of the third parties who collect data + type of data stored + duration for storage + restriction of use.
  5. Other Policies: Data destruction protocol + standards of handling security breaches.
  6. Biometric Data: No biometric data should be collected/stored in the systems associated with DLAs and LSPs.
  1. Types of Data to be collected: One of the major concerns raised by the WG Report is the consumers’ privacy violations and abuse. One of the extreme examples cited in the report is that some of the LSPs use the access to the contact list of the customer’s phone to call up their relatives and friends when such customer failed to pay any installment. Such access to contact list is taken at the time of onboarding at which it may have seemed to be a harmless permission given by the customer. Accordingly, purpose limitation (need based collection) has been imposed under the Press Release.
  2. Explicit Consent Requirement: The other contentious issue discussed in the WG Report is the lack of explicit consent. Accordingly, the Press Release has set out the actions for which explicit customer consent will be required. Focus on ensuring that disclosure to third parties is explicitly consented by the borrower as there were instances of cross-selling and bundling of third-party products.
  3. Right to Revoke/Purge: While the right to revoke consent is already provided under the SPDI Rules, the right to purge the data provided is newly added. The rationale seems to be alignment with GDPR norms and avoid personal data to sit with LSPs when the transaction is completed and there is no ongoing transaction.
  4. Privacy Policy: While privacy policy is already a requirement under the Intermediary Rules and SPDI Rules, the Press Release has reiterated some of these requirements.
  5. Other Policies: Separate policies on data destruction protocol + standards of handling security breaches are required under the Press Release, looking at the global trend of major and minor data breaches.
  6. Biometric Data: This is in-line with the existing regulations.
  1. Types of Data to be collected: The Press Release has severely limited the kinds of personal information/data can be collected and stored by the LSPs. Only such data which is needed to carry out services can be collected and stored. LSPs have to access the personal information/data that are absolutely needed for carrying out their services and accordingly should list down such data types in their privacy policy and have the customers consent to the same explicitly. Access to media, contact lists, call logs, and telephony functions have to be stopped. For KYC purposes, one-time access can be taken.
  2. Explicit Consent Requirement: The Press Release at various places requires the customers to provide explicit consent. One way to demonstrate explicit consent is to have an OTP-based verification which requires the customer to key-in the OTP. Further, the consent procured should be maintained and should be auditable. Right to consent or deny specific data can be covered by listing the categories of data to be collected and having the customer tick off the radio box for each category. To comply with the requirements relating to disclosure to third parties, the types/categories of third parties to whom such data is disclosed have to be listed in the privacy policy and the customers should be given an option to allow such disclosure.
  3. Right to Revoke/Purge: Right to purge data should be provided. However, data that are required to be maintained pursuant to law, such as KYC data etc., need not be purged.
  4. Privacy Policy: The existing privacy policies of the LSPs should be relooked at and it must be ensured that they are available publicly.
  5. Other Policies: Data destruction protocol and standards for handling breaches of data can be covered by way of a separate data breach policy. A link of the same can be provided in the privacy policy for the customer to view the same.
  6. Biometric Data: Restrictions on biometric data collection to be followed.

The Personal Data Protection Bill has been withdrawn and the government has stated that they will come up with a comprehensive legal framework regarding digital privacy law. All the above mechanisms may need to be re-looked at the stage of issuance of a fresh bill.

14 Data Localisation

REs to ensure that all the data is stored in servers located within India.

The aim is to ensure that the data is localized, to ensure a nationalized data economy and also for easy accessibility to the data by government agencies in case of investigations etc. LSPs who are foreign entities will need to ensure that they have an Indian entity and store data locally. There seems to be a contradiction herewith the Outsourcing Directions for Banks and Outsourcing Directions for NBFCs that allow foreign outsourcing partners to act on behalf of banks/NBFCs (as applicable). However, with this new limitation, the outsourcing guidelines have to be accordingly read.

Foreign LSPs have to ensure that they incorporate Indian entities and also ensure that the data is stored in India and does not flow through to entities outside India.

This is in line with the increasing RBI monitoring for ensuring data is stored locally, for e.g., storage of payment data by system providers.

15 Reporting to CICs

REs to ensure that any lending done through DLAs is reported to CICs irrespective of its nature/ tenor including short-term, unsecured/ secured credits, or deferred payments needs to be reported to credit bureaus.

This is to ensure that BNPL loans that are at times not reported are brought into the regulatory ambit. To be accordingly implemented.

FIRST LOSS DEFAULT GUARANTEE

Even though the recommendation pertaining to first loss default guarantee (“FLDG”) as set out in the WG Report is accepted, however, it is subject to further examination by the RBI, this update discusses FLDG due to its criticality and widespread use in digital lending. The in-principle recommendation of RBI is that REs are required to ensure that financial products involving contractual agreement, in which a third party guarantees to compensate up to a certain percentage of default in a loan portfolio of the RE, should adhere to the extant guidelines laid down in Master Direction – Reserve Bank of India (Securitization of Standard Assets) Directions, 2021 dated September 24, 2021 (“Master Direction”). It is not clear whether this requirement is for immediate implementation or for future implementation, while this is part of Annexure-II which is for later implementation however the inclusion of the word “meanwhile”, gives us a sense that the RBI could be looking to implement this immediately.

The WG Report had laid down risks of FLDG agreements with unregulated entities whereby LSPs are able to do artificial lending by participating in credit risk by way of FLDG without maintaining regulatory capital. The other concern is that FLDG costs are often passed on to the customer. Reference to Master Direction means that akin to originators under the Master Direction (See Direction E of Chapter II, Limit on Total Retained Exposures by Originators), where the total exposure of an originator to the securitization exposures belonging to a particular securitization structure or scheme is limited, it seems that the intent of the regulator is to limit the total exposures of LSPs to the loans to 20%.  However, the foregoing may not be the only way in which the Master Direction is applicable to Digital Lending, and in the absence of detailed instructions, the ways in which the Master Direction can be applicable remain unclear.

CONCLUSION

In our view, a lot of clarity is required on how some of the compliances set out in the Press Release will have to be adhered to. The issuance of detailed instructions as promised by the regulator may bring in the much-needed clarity on the issue as the devil is always in the detail. Though the intention seems to be to regulate the digital lending space, but the final word from RBI will tell us if it is a step forward or two steps backwards.


[1] A remote and automated lending process, majorly by use of seamless digital technologies in customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.

[2] In our view, this would cover all digital lending platforms, aggregators, business correspondents, and outsourcing partners providing credit facilitation services as set out above. The entity in question need not provide all services as set out above to be covered by the Press Release but providing one or more of the services will bring the entity under the purview of the Press Release.

[3] The Press Release clearly indicates any kind of outsourcing arrangement involving a RE and LSPs/DLAs shall be subject to the extant guidelines on outsourcing, i.e., Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks dated November 3, 2006 (“Outsourcing Directions for Banks”) in case banks and Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs dated November 9, 2017 (“Outsourcing Directions for NBFCs”) in case of NBFCs.

There was a view taken in the market that pureplay technology service providers will not fall under the purview of the abovementioned outsourcing guidelines, however, now in the light of the Press Release even a technology service provider who creates/manages a DLA for a RE may fall within the purview of outsourcing guidelines irrespective of the fact that if such service provider provides any credit facilitation services or not. This will require that the REs will need to monitor the activities of such technology service provider.

[4] In our view, wherever no specific implementation/effective date is mentioned, it should be considered to be effective immediately. However, in the past, it has been seen that the RBI usually issues a notification after a press release setting out the detailed instructions.

[5] Please note that the list of compliances below is not meant to be exhaustive but only sets out the major compliances under the Press Release. Kindly reach out to us separately for a more focused/detailed review of the Press Release.

[6] The annual rate that is charged for borrowing a loan and includes processing fees, penalties and all other charges that are applicable to the loan throughout its life.

[7] Under the Information Technology Act, 2000, an ‘intermediary’ with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.


Authors: Vineetha MG, Partner; Neha Mirajgaokar, Partner; Pratik Patnaik, Principal Associate

More from Samvad Partners