Recently, the Reserve Bank of India (“RBI”) released guidelines on digital lending (“Guidelines”)[1]. The guidelines came amid concerns about data privacy breaches, unethical business practices and mis-selling to vulnerable customers by digital lenders. The guidelines apply from the date of the circular to existing customers wishing to take out new loans and to new customers.
Background
Digital lending has benefited greatly from technological developments. Digital lenders provide cash injections to individuals. The demand for online loans has increased significantly in recent years. However, a wide range of issues have arisen due to the increased reliance on third party loan service providers. The digital lending space is not large enough to threaten financial stability, but its rapid expansion raises serious concerns.
In this context, the RBI has formed a Digital Lending Task Force (“Work group”)[2] on January 13, 2021. After receiving recommendations from the task force, RBI has published these guidelines.
Digital Lending Guidelines
The working group had recommended classifying digital lenders into three categories:
- Entities regulated by the RBI and authorized to engage in lending transactions
- Entities which are authorized to make loans by other regulatory/statutory provisions and which are not regulated by the RBI
- Entities that lend without any legal/regulatory approval
The guidelines apply to the first category, regulated entities (“RE”). Outsourcing agreements entered into by REs do not diminish their obligations. REs should ensure that Loan Service Providers (“LSP”), Digital Lending Apps (“DLA”), and the DLAs of the LSPs comply with the Guidelines. Lending Service Providers are RE agents who perform one or more of their lending functions. Lending functions include pricing support, customer acquisition, tracking, servicing, loan collection, among others. DLAs facilitate digital loan transactions with mobile and web applications. They include applications of REs as well as LSPs.
ROEs are granted until November 30, 2022, to ensure that all existing digital loans as of the date of the Guidelines comply with these Guidelines.
1. Consumer Protection and Conduct Requirements
To increase transparency and avoid operational gray areas, REs should ensure that loan disbursements are made directly to the borrower’s bank account. Exceptions are provided in cases where the disbursement is made due to (a) a co-lending transaction which is an arrangement with the joint contribution of a risk and reward sharing credit facility; a legal or regulatory mandate; and loan disbursements for a specific end use. The exemption for end-use specific assistance to facilitate immediate purchase and subsequent payment (“BNPL”) as they allow REs/LSPs/DLAs to disburse the loan amount directly to the merchant.
All loan services, repayments, etc. must be made through the RE’s bank account with no pool or 3rd party transfer account.
2. Statement of Key Facts
REs must prepare a Key Fact Statement (“KFS”) and return it to the borrower before the execution of the loan agreement. KFS must have all the necessary information, including details of the annual percentage rate of charge (“APR”) which is the effective annualized rate charged to the borrower; the recovery mechanism; grievance officer contact details; and the reflection period.
3. Cooling off period
ERs must provide a cool down period which is an exit window provided to the borrower by which they can repay the digital loan with the proportional APR without penalty. For digital loan terms of seven days or more, the cooling-off period must be at least three days and for digital loans with a term of less than seven days, the cooling-off period must not be less than one day. Even after this period, the prepayment option should be allowed.
4. Fees/Fees
REs should ensure that fees, charges, etc. paid to LSPs are paid by them and not charged to the borrower. In addition, any charges or penalty interest will be levied on the basis of the outstanding loan amount. The KFS must contain the annualized penalty rate.
5. Digitally signed documents
All documents signed using a digital signature, including loan product summary, KFS, sanction letter, privacy policies, etc. must be provided to the borrower by SMS/e-mail. Additionally, ERs should ensure that they publish a list of their DLAs, LSPs, and LSP DLAs on their website.
6. List of language service providers and product information
To increase transparency and protect the interests of borrowers, REs along with their LSPs, DLAs or LSP DLAs must provide full product details such as APR, product features, etc. at the time of registration and integration. In addition, ERs should ensure that DLAs have links to ER websites where borrowers can access detailed information on loan products, privacy policies, link to RBI Complaint Portal (Bag)[3]etc
7. Grievance Mechanism
RBI has mandated the requirement for a nodal grievance officer who specifically deals with complaints and issues related to digital lending. The agent’s contact details should be posted on the RE, LSP and DLA website, as well as in the KFS. If a complaint to the Grievance Officer is not resolved within 30 (thirty) days, the complaint may be registered on the RBI Complaint Management System (CMS) portal. In addition, on the websites of REs, LSPs and DLAs, the possibility of filing complaints must be present.
8. Requirements before engaging the LSP
Before engaging an LSP, ERs should perform comprehensive due diligence to verify their technical capability, data privacy policy, fairness in conduct, and whether they can comply with applicable laws and regulations. In addition, ERs should periodically review the operations of LSPs. Finally, REs should provide advice to financial service providers on loan recovery and ensure that financial service providers act responsibly and comply with the circular on “outsourcing of financial services – Responsibilities of Regulated Entities Employing Regulators »[4].
9. Data collection
The task force report noted that there have been numerous complaints where high-risk data is collected by DLAs and used to harass borrowers and their contacts. To address the issue, the RBI has ordered that data collection by REs, LSPs and DLAs be needs-based and with explicit consent prior to such data collection. Mobile phone data such as contacts, files, media, etc. should not be accessible. For KYC purposes, a single authorization for microphone, camera, location, etc. can be taken. When obtaining consent, the borrower must be informed of the reasons for which it is taken.
The borrower must have the possibility to refuse the use of specific data, to revoke his consent and to restrict the disclosure of data to third parties. Not only that, but borrowers should have the ability to delete data that DLAs have. In the event that personal data is to be shared with third parties, explicit consent must be taken.
10. Data Collection and Privacy Policy
LSPs or DLAs should only store minimal data, sufficient to perform operations. REs are responsible for data privacy and the security of customer personal information. A clear and comprehensive data policy indicating what data may be stored, restrictions on use, protocol for destruction, etc. must be in place and disclosed on the ROE website and applications. Along with the data policy, a comprehensive privacy policy containing details of the third party who may collect data must be in place and publicly available. Data shall be stored on servers located in India and in accordance with applicable laws and regulations. Finally, REs should ensure that unless permitted by law, biometric data should not be collected or stored.
ERs should ensure that the LSPs and DLAs they have engaged have a comprehensive privacy policy that complies with applicable laws, regulations and guidelines. In order to access and collect borrowers’ private information, DLAs engaged by ERs/LSPs must make the privacy policy publicly available. The privacy policy should contain details of third parties who may collect personal information through the DLAs.
11. Reporting to Credit Reporting Companies (“CIC”)
Any loans made through LSPs, DLAs or DLAs of LSPs must be reported to CIC. In addition, the extension of digital loan products must be reported to the CIC.
12. Restrictions on Loss Sharing Agreements
The task force report examined the risk posed by synthetic structures such as first-loss default guarantees (“FLDG”). This is an arrangement in which LSPs provide guarantees of up to a percentage on the loans, while an NBFC would advance the loan through the LSP. That way, the loans would stay on the LSP’s balance sheet and the LSP could swell its books without maintaining regulatory capital. So, effectively, financial service providers were engaging in balance sheet lending while remaining outside of regulation.
RBI has advised compliance with Master Direction – Reserve Bank of India (Securitization of Standard Assets) Guidelines, 2021 dated 24th September 2021[5]. The Master Direction prohibits synthetic securitization. If the RBI makes the notice mandatory, it will have the effect of not allowing REs to engage in synthetic securitization like FLDG and transfer risk to a pool of exposures, in part or in full.
Conclusion
Digital lending is expected to grow exponentially in the future. As such, it has become imperative for the RBI to issue guidelines to protect consumer interests, prevent unethical business practices and regularize the industry. However, the main concern with digital loans remains. According to RBI, there are 600 (six hundred) illegal digital loan applications[6] operating in India. RBI Complaints Portal – Sachet received 2562 (two thousand five hundred and sixty two) complaints between January 2020 and March 2021, most against illegal digital lending applications. RBI has not found a way to curb the rise of illegal digital lenders who exploit borrower vulnerabilities by charging exorbitant rates and harassing borrowers for non-repayment.
