Digital lending witnessed a sharp increase during the COVID-19
pandemic. Banks and Non-Banking Financial Companies
(NBFCs) have been lending either directly through their own
digital platforms or through a digital lending platform under an
outsourcing arrangement. Such outsourcing arrangements are
usually entered into with Lending Service Providers (LSPs)/Digital
Lending Applications (DLAs).
Until recently, there was no set of regulations that governed the
‘digital lending’ business, which resulted in various concerns
such as unbridled engagement of third parties (LSPs), mis-selling,
over-indebtedness of customers, breach of data privacy,
unfair business conduct, exorbitant interest rates and unethical
recovery practices. Accordingly, on 2 September 2022, RBI
notified the guidelines on digital lending (the guidelines).
Applicability
The guidelines would be applicable to all Regulated Entities
(REs) (i.e., commercial banks, primary (urban) cooperative
banks, state co-operative banks, district central cooperative
banks and NBFCs (including housing finance companies))
providing loans through the digital lending platforms. The REs
would also need to ensure that the LSPs engaged by them, and
the digital lending apps of the REs and of the LSPs engaged by
the REs comply with the said guidelines.
Effective date
The guidelines are applicable on an immediate basis (i.e., from 2
September 2022) to:
- Existing customers availing fresh loans, and
- New customers getting onboarded.
REs have been given time till 30 November 2022 to put in place
adequate systems and processes to ensure that existing digital
loans comply with the guidelines.
The guidelines reiterate that outsourcing arrangements entered into
by REs with the LSPs/DLAs do not diminish an RE’s obligations,
and that the RE should continue to conform to the extant guidelines on
outsourcing prescribed by RBI. Additionally, it would be the RE’s
responsibility to ensure that the LSPs and the DLAs conform to
the guidelines.
The guidelines focus on three main areas:
- Customer protection and conduct requirement
- Technology and data requirement
- Regulatory framework
The key takeaways under each of these areas are discussed below:
Key takeaways under the three main areas
- Customer protection and conduct requirements: Some of
  the important areas covered in the guidelines pertaining to
  customer protection and conduct requirements include:
  - Loan disbursal, servicing and repayment directly
    through RE account: REs must ensure that all
    disbursements are made to a bank account of the borrower
    without any pass-through account/pool account of any third
    party (including LSPs/DLAs) [25]. Similarly, all repayments
    should be made by a borrower directly into the RE’s bank
    account (and not a third party/pool account).
  - Enhanced disclosures to the borrowers: REs should
    make sure that various information such as key facts
    statement, digitally signed documents, product-related
    information, etc. is available to the borrowers.
  - Fees/charges: Fees, charges, etc. should be paid directly
    by the RE to the LSP, and these should not be charged to
    the borrower. Additionally, the penal interest should be
    charged on the outstanding amount of the loan, and the
    annual penal interest rate should be disclosed in the key
    fact statement.
  - Grievance redressal mechanism: The responsibility of
    grievance redressal would remain with the RE.
    Additionally, various grievance redressal provisions have
    been introduced, which include having in place a suitable
    nodal grievance redressal officer with the LSPs to deal with
    digital lending related complaints/issues raised by the
    borrowers, a complaint mechanism under the Reserve
    Bank-Integrated Ombudsman Scheme (RB-IOS), etc.
  - Cooling-off/look-up period: The guidelines have
    introduced a cooling-off/look-up period, wherein
    borrowers are given an option to exit digital loans by
    paying the principal and proportionate Annual Percentage
    Rate (APR) [26] without any penalty. This period needs to
    be determined by the board of directors of the RE;
    however, the minimum cooling-off period has been
    prescribed by the guidelines.
  - Enhanced due diligence of LSPs and assessment of
    borrower’s creditworthiness: REs should conduct
    enhanced due diligence before entering into a partnership
    with an LSP, taking into account its technical abilities,
    data privacy policies, storage systems, etc.
    REs must also capture the economic profile of the borrowers
    to assess the borrower’s creditworthiness in an auditable way
    and also ensure that there is no automatic increase in the
    credit limit, unless explicit consent of the borrower is taken on
    record for such an increase.
- Technology and data requirement: The key provisions
  pertaining to technology and data requirement, as introduced
  by the guidelines, include the following:
  - Collection, usage and sharing of data with third
    parties: With regard to personal information of the
    borrowers, the REs should ensure that only need-based
    data is collected from borrowers, access to a borrower’s
    mobile phone apps should be limited, the borrower should be
    able to manage his/her data collected by the DLA, the purpose of
    obtaining the borrower’s consent should be disclosed, and
    explicit consent of the borrower should be obtained before
    sharing of personal information, etc.
  - Storage of data: REs should establish and disclose clear
    policy guidelines regarding storage of customer data, such as
    type of data, length of time it can be stored, etc. REs should
    also ensure that basic minimal data of the customer is stored
    by it, no biometric data is stored, and all data is stored in
    servers located within India.
  - Privacy policy and technology standards: The REs should
    ensure that the DLAs and LSPs engaged by them have a
    comprehensive privacy policy, which is in compliance with the
    applicable laws, associated regulations and RBI guidelines.
    Additionally, REs should ensure that they and the LSPs
    engaged by them comply with various technology standards,
    including requirements on cybersecurity.
- Regulatory framework: From a regulatory perspective, RBI
  has prescribed the following requirements for digital lending:
  - Reporting to Credit Information Companies (CICs): REs
    should ensure that any lending done through their DLAs
    and/or DLAs of LSPs engaged by them is reported to Credit
    Information Companies (CICs) irrespective of its
    nature/tenure.
    This will contribute towards reduced dependence on
    alternative data for financial consumers, as more and more of
    them would develop formal credit history for themselves.
  - Provisions relating to loss sharing arrangement in case
    of default: Various LSPs provide certain credit enhancement
    features such as first loss guarantee up to a pre-decided
    percentage of loans generated by it. The guidelines issued
    require the REs entering into financial contracts including a
    clause on First Loss Default Guarantee (FLDG) to comply
    with the Securitisation Guidelines, especially the provision
    relating to synthetic securitisation [27]. Also, RBI, vide a press
    release issued in August 2022, has stated that the
    recommendation pertaining to FLDG is under examination
    and further guidance is expected in the near future.
[25] Certain exceptions to this include disbursals covered exclusively under
statutory or regulatory mandate (of RBI or of any other regulator), flow of money
between REs for co-lending transactions and disbursals for specific end use,
provided the loan is disbursed directly into the bank.
[26] APR is an effective annualised rate that is charged to a borrower of a digital
loan. It represents the all-inclusive cost, including cost of funds, credit cost,
operating cost, processing fee, verification charges, maintenance charges, etc.
[27] Synthetic securitisation is an arrangement where the credit risk of an
underlying pool of loan exposures is hedged by the originator through credit
derivatives or credit guarantee arrangements.
Action Points for Auditors
The guidelines issued by RBI have a significant impact on all
entities within the digital lending ecosystem. Various FinTech
entities that have partnered with banks and NBFCs would need to
reevaluate their business model. The guidelines could result in
mergers of certain FinTech entities, while for a few they could
require a going concern assessment. Auditors of FinTech entities should
discuss the impact of these guidelines with their clients and
determine the repercussions the guidelines would have on the
client’s business, and consequently on the financial statements.