Date: 2022-08-11

The Reserve Bank of India on August 10 released a new regulatory framework to govern digital lending including lending through online platforms and mobile apps “based on the principle that lending business can be carried out only by entities that are either regulated by the Reserve Bank or entities permitted to do so under any other law.” The framework adopts many of the recommendations made by the Working Group on Digital Lending (WGDL), which presented its report in November 2021.

“Recently, innovative methods of designing and delivery of credit products and their servicing through Digital Lending route have acquired prominence. However, certain concerns have also emerged which, if not mitigated, may erode the confidence of members of public in the digital lending ecosystem. The concerns primarily relate to unbridled engagement of third parties, mis-selling, breach of data privacy, unfair business conduct, charging of exorbitant interest rates, and unethical recovery practices.” — RBI press release

Classification of digital lenders

RBI has classified digital lenders into three categories:

Entities regulated by the RBI and permitted to carry out lending business: This includes banks and non-banking financial companies (NBFCs) that fall under RBI’s purview, which are collectively referred to as Regulated Entities (REs). The central bank’s framework is focused on these REs and the Lending Service Providers (LSPs) that are engaged by them.

Entities authorised to carry out lending as per other laws but not regulated by RBI: With regards to the entities falling in this second category, RBI recommended that the respective regulator may consider formulating appropriate regulations on the recommendations of WGDL.

Entities lending outside the purview of any statutory or regulatory provisions: As for the entities in this category, the Working Group has suggested “specific legislative and institutional interventions for consideration by the Central Government to curb the illegitimate lending activity being carried out by such entities,” RBI noted.

What are the new rules for digital lenders?

RBI has accepted the following recommendations by the Working Group for immediate implementation, which are to be followed by REs, their LSPs, Digital Lending Apps (DLAs) of REs, DLAs of LSPs engaged by REs:

Data protection and technology rules

Data collected should be need- and consent-based, with no access to the contact list of borrowers: Data collected by DLAs should be need-based, should have clear audit trails, and should be only done with the prior explicit consent of the borrower. “In any case, DLAs should desist from accessing mobile phone resources such as files and media, contact lists, call logs, telephony functions, etc. One-time access can be taken for the camera, microphone, location or any other facility necessary for the purpose of onboarding or KYC requirements only with the explicit consent of the borrower,” RBI noted. REs must also ensure that LSPs engaged by them do not store personal information of borrowers except for some basic minimal data such as name, address, contact details of the customer, etc., that may be required to carry out their operations. “Responsibility regarding data privacy and security of the customer’s personal information will be of the RE,” RBI stated.

Data must be stored in India: “REs to ensure that all data is stored in servers located within India while ensuring compliance with statutory obligations or regulatory instructions,” RBI noted.

Option to accept or deny consent must be provided: “The borrower should be provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect his personal data and if required, make the app delete or forget the data,” RBI stated.

DLAs must have a comprehensive privacy policy: REs should ensure that DLAs have a comprehensive, publicly displayed privacy policy compliant with applicable laws and regulations. “Details of third parties that are allowed to collect personal information through the DLA shall also be disclosed in the privacy policy. Further, explicit consent of the borrower shall be taken before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirement,” RBI noted.

Clear guidelines on the storage of data: DLAs must disclose clear guidelines regarding the storage of customer data including the type of data that can be held, the length of time data can be held, restrictions on the use of data, data destruction protocol, standards for handling security breach, etc. “No biometric data should be stored/ collected in the systems associated with the DLA of REs/ their LSPs unless allowed under extant statutory guidelines,” RBI added.

Cybersecurity standards: Compliance with various technology standards requirements on cybersecurity stipulated by RBI or other agencies will be a pre-condition to offering digital lending by the REs and LSPs.

Customer protection rules

Loan exchange only between the bank of borrower and RE, no third parties: REs have to ensure that loan disbursements are always made into the bank account of the borrower and repayments into the bank account of the RE without any pass-through account or pool account of any third party. “Exceptions would be considered for disbursals covered exclusively under statutory or regulatory mandate, the flow of money between REs for co-lending transactions, and disbursals where loans are mandated for specified end-use as per regulatory guidelines of RBI or of any other regulator,” RBI said.

Fees to LSPs must be paid by RE, not the borrower: Any fees, charges, etc., payable to LSPs in the credit intermediation process should be paid directly by RE and not the borrower.

Disclosure of APR: All-inclusive cost of digital loans in the form of Annual Percentage Rate (APR) should be disclosed to the borrowers upfront.

Cooling-off period must be provided: A cooling-off or look-up period during which the borrowers can exit digital loans by paying the principal and the proportionate APR without any penalty should be provided as part of the loan contract.

Key Fact Statement must be provided to the borrower: A standardised Key Fact Statement (KFS) must be provided to the borrower before executing the loan contract and any fees or charges not mentioned in the KFS cannot be charged by the REs to the borrower. The KFS, apart from other necessary information, should contain the following:

Details of APR

Terms and Conditions of recovery mechanism

Details of grievance redressal officer designated specifically to deal with digital lending

Cooling-off/look-up period.

No automatic increase in credit limit: There should not be any automatic increases in credit limits unless explicit consent of the borrower is taken for each such increase.

Appointment of nodal grievance redressal officer: REs must ensure that they and the LSPs engaged with them have a suitable nodal grievance redressal officer to deal with digital lending-related complaints, including complaints against their respective DLAs. The details of the officer and the mechanism for lodging complaints should be prominently indicated on the website of the RE, its LSPs and on DLAs.

Copy of documents to be sent to the borrower: REs must ensure that digitally signed documents supporting important transactions, such as KFS, a summary of the product, sanction letter, terms and conditions, account statements, privacy policies of the LSPs with respect to borrowers’ data, etc., should automatically flow from the lender to the verified email or SMS of the borrower upon execution of the loan contract.

List of LSPs and DLAs must be published online: REs should publish the list of LSPs and DLAs (if any) engaged by them, along with the details of the activities for which they have been engaged, on their website.

Economic profile of borrowers: REs are allowed to capture the economic profile of the borrowers (age, occupation, income, etc.) in an auditable way before extending any loans over DLAs to assess the borrower’s creditworthiness.

Information to provide in the onboarding stage: REs must ensure that their DLAs or DLAs of their LSPs prominently display information relating to the product features, loan limit and cost, etc. at the onboarding stage, to make the borrowers aware of these aspects.
Due diligence of LSPs: REs must conduct an “enhanced due diligence process” before entering into a partnership with an LSP for digital lending, taking into account its technical abilities, data privacy policies and storage systems, fairness in conduct with borrowers, etc. REs should also carry out a periodic review of the conduct of the LSPs engaged by them.

Details of recovery agent: REs must communicate to the borrower, at the time of sanctioning of the loan and also at the time of passing on the recovery responsibilities to an LSP, the details of the LSP who is authorised to approach the borrower for recovery. REs should also impart guidance to LSPs acting as recovery agents to discharge their duties responsibly. “Further, a standardized code of conduct for recovery is envisaged to be framed by the proposed SRO in consultation with RBI. Till the time SRO is set up, guidance on fair recovery practices to be issued to REs by RBI,” the central bank noted.

SLCC meetings will cover illegal apps: “There shall be a regular agenda at State Level Coordination Committee (SLCC) meetings covering reports on unauthorised apps in the market involved in digital lending/ illegal recovery and such other types of activities,” RBI noted.

Reporting of information to credit companies

Reporting to credit companies: Any lending sourced through DLAs should be reported to Credit Information Companies (CICs) by REs irrespective of its nature or tenor.

Reporting must be done for new products as well: New digital lending products by REs over a merchant platform involving short-term, unsecured/secured credits or deferred payments need to be reported to credit bureaus by the REs.

Recommendations by WGDL that have been accepted in principle, but require further examination

RBI noted that the following recommendations have been accepted in principle, but require further examination before they can be implemented:

Data protection and technology recommendations

Monitoring of IP address: Banks should monitor accounts regularly operated from a different or overseas IP address which is not consistent with the KYC profile of the account holder.

Baseline technology standards for DLAs: RBI should lay down baseline technology standards for DLAs which will include:

Technical specifications of the DLA to ensure the security of applications running on mobile phones, proper authentication, measures to ensure the protection of sensitive data, etc.

Keeping an auditable log of every action that user performs along with their IP address and device information

Monitoring of transactions being undertaken through DLA

Multi-step approval for critical activities conducted on the DLA

Fairness of underwriting algorithm: “REs should ensure that the algorithm used for underwriting is based on extensive, accurate and diverse data to rule out any prejudices. Further, the algorithm should be auditable to point out minimum underwriting standards and potential discrimination factors used in determining credit availability and pricing,” the WG suggested.

Ethical AI: Digital lenders should adopt ethical AI which focuses on protecting customer interest, and promotes transparency, inclusion, impartiality, responsibility, reliability, security and privacy.

Privacy practices of SMS service providers: REs should ensure measures related to data privacy and security at the end of SMS gateways or SMS service providers before onboarding them.

Travel rules: Travel rules, which refer to the narration of payment transactions through any digital mode i.e. information collected, retained and involved in fund transfer transactions initiated on behalf of the customer, need to be refined for better comprehension of the payment transaction.

Customer protection recommendations

Credit enquiry: Each enquiry of credit information by any RE or LSP from Credit Information Companies should be conveyed to the borrower through email or SMS.

Digital lending awareness: Scope of the Financial Literacy Centres, Centre for Financial Literacy and Electronic Banking Awareness and Training Programmes (E-baat) to be expanded to include digital lending.

Regulatory recommendations

Default guarantees should comply with extant regulations: REs should ensure that financial products involving contractual agreement, in which a third party guarantees to compensate up to a certain percentage of default, should adhere to the extant guidelines laid down in Master Direction – Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 dated September 24, 2021. Meanwhile, the recommendation pertaining to First Loss Default Guarantee (FLDG) is under examination, RBI noted.

Framework for web-aggregators: Entities like web aggregators of loan products should be considered as LSPs and be subjected to discipline and code of conduct by the regulated entities to which they are attached, through a dedicated framework.

Reviewing CoR given to NBFCs: “In order to pre-empt any unscrupulous practice by NBFCs, who have been granted Certificate of Registration with the provision of digital lending but who have not been carrying out such activity for a reasonably long period, their Certificate of Registration may be reviewed with an appropriate supervisory follow-up,” the WG suggested.

Fraud-related data: Appropriate periodical returns from REs should include digital lending data and attempted frauds in the digital lending space.

Legal and institutional recommendations

Establishing an SRO: A Self-Regulatory Organisation (SRO) covering REs, DLAs, and LSPs in the digital lending ecosystem to be set up to take up the following functions:

framing a code of conduct for recovery

framing a model standardised LSP agreement for balance sheet lenders

to put in place a Code of Conduct for responsible advertising and marketing standards, which DLAs should adopt

frame institutional mechanism for training and accreditation of recovery agents in consultation with RBI.

maintaining ‘negative list’ of LSPs which are non-compliant with regulatory and statutory provisions, engaged in unfair practices including but not limited to use of false statements, harassment, unauthorized sharing of credit information, etc. REs are required to report LSPs engaged in unfair practices or in breach of regulatory norms to SRO for inclusion in the negative list.

Recommendations by WGDL that require broader engagement with the government and other stakeholders

RBI noted that the following recommendations by the Working Group require broader engagement with the Government of India and other stakeholders in view of the “technical complexities, setting up of institutional mechanism, and legislative interventions”:

Banning of unregulated lending: Government may consider framing legislation for the Banning of Unregulated Lending Activities (BULA) which would cover all entities not authorized by RBI and not registered under any other law.

Setting up of an independent body to verify DLAs: To ensure that only authorised and trusted DLAs are used by consumers, an independent body styled as Digital India Trust Agency (DIGITA) should be set up, which shall verify DLAs before they can be publicly distributed through app stores.

Restrictions on balance sheet lending: Balance Sheet Lending using DLAs to be restricted to REs of RBI and to entities registered under any other law for specifically undertaking lending business.

Increasing information sharing on unscrupulous lenders: To ensure information sharing on unscrupulous DLA and lenders, it is proposed that:

Relevant inputs from the proposed Digital Intelligence Unit of Government, existing Telecom Analytics for Fraud Management and Consumer Protection, and Telecom Commercial Communications Customer Preference Regulations 2018 are made available to supervisors of digital lending segments of FinTech and their REs.

A National Financial Crime Record Bureau, like National Crime Records Bureau, with a data registry similar to crime and criminal tracking network and systems, which is accessible to REs, is set up.

The channel of the Financial Intelligence Network (FINNET) of Financial Intelligence Unit – India (FIU-IND) for supplementing the onboarding of borrowers and LSPs by REs is leveraged.

The local law enforcement or police agencies proactively carry out surveillance so that no unauthorized call centre operates in, or spoofing/ conversion of VoIP to GSM calls, etc. originate from sites under their jurisdictions.

Strengthen KYC rigour for new SIM cards: The KYC rigour for the issuance of new or replacement SIM cards should be strengthened and the mobile network operators should be held accountable for any violations and shortcomings.

Early identification of shell companies: For early identification of shell finance companies and finance companies with proxy directors or opaque beneficial owners, the Registrar of Companies may consider enhancing the use of digital technology and multiple data sources, and making suitable arrangements for real-time data sharing with RBI on the de-listing of such shell companies.

What prompted RBI to come out with these new norms?

Over the last three years, hundreds of unauthorised digital lending apps have popped up on Google’s Play Store targeting vulnerable Indian borrowers, charging them exorbitant interest rates, and resorting to extortion and blackmail tactics to collect payments. In more than a few cases, these practices have resulted in borrowers committing suicide.

Generally, third-party loan marketplaces and apps which work with regulated banks and non-bank lenders have to follow strict guidelines on interest rates and collection practices, but many of the predatory lending apps that have emerged in the last year either work with small non-bank lenders, which are licensed by the RBI, or they work outside any rules or regulatory framework.

Against this backdrop, the Reserve Bank of India constituted a Working Group (WG) in January to study all aspects of digital lending so that an appropriate regulatory approach can be put in place.

