By Akhileshwari Anand, Aaron Kamath & Huzefa Tavawalla
Abstract
This article discusses the RBI’s Guidelines on Digital Lending Guidelines, released in September 2022, and the FAQs to the Guidelines released in February 2023. The article provides a brief summary of the Guidelines, discusses compliance and disclosure requirements for regulated entities, digital lending apps and lending service providers, and discusses the impact on various business models and entities such as payment aggregators, buy-now-pay-later platforms, and first-loss default guarantee arrangements
I. Introduction
Digital lending, via websites and apps, has changed the way customers borrow money, by combining technological advancement with traditional banking services. This has led to seamless borrowing, faster loan disbursal with minimum paperwork, and expanded access to credit to a larger group of people, with digital lending growing multi-fold during the Covid-19 pandemic. For example, various non-bank websites and apps offer instant loans, with loans being disbursed in less than 10 minutes and without any collateral. ’Pay-later‘ platforms have also helped people shop online without having to make upfront payments.
The Reserve Bank of India (“RBI”) chose to examine the functioning of digital lending apps and websites due to concerns of mis-selling to unsuspecting customers, data privacy breaches, misuse of data collected, hidden costs, unethical business conduct (including recovery agents resorting to harassment) and illegitimate operations. The RBI Working Group was set up in January 2021 (“Working Group”). The Working Group identified three major issues: conduct, technology and charges, based on which the Working Group released its recommendations in November 2021 (“Recommendations”).
The RBI Implementation of the Recommendations was released in August 2022, and on September 2, 2022, the RBI released the Digital Lending Guidelines (“Guidelines”). The Guidelines have been issued under the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, the National Housing Bank Act, 1987, the Factoring Regulation Act, 2011 and the Credit Information Companies (Regulation) Act, 2005. Subsequent to this, the RBI published Frequently Asked Questions to the Guidelines on February 15, 2023 (“FAQs”).
This article explores the provisions of the Guidelines and its industry impact on ‘buy now pay later’ and first-loss default guarantee models and payment aggregators.
II. Brief Overview of the Guidelines
1. Applicability
The Guidelines are applicable to digital lending services extended by banks and non-banking financial companies (including housing finance companies) (“Regulated Entities” or “REs”). It is clarified that the scope of digital lending would extend to lending activities that involve some physical interface with the borrowers, such as in customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.
The Guidelines also refer to Digital Lending Apps (“DLA”) and Lending Service Providers (“LSP”). DLAs are mobile and web-based applications with a user interface that facilitates digital lending services, (for example, the mobile banking app of a bank that enables a user to avail of a loan through their phone). A DLA can either be operated by an LSP or by an RE directly. LSPs are intermediaries between the RE and the borrower. LSPs are entities that act as an agent of the RE and carry out one or more of the RE’s functions, such as customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery of specific loans or loan portfolios.
The Guidelines reiterate that any outsourcing by an RE to an LSP or a DLA does not diminish the RE’s obligations to conform to the existing RBI guidelines on outsourcing. In addition, REs also need to ensure that LSPs and DLAs comply with the Guidelines.
The Guidelines are applicable to fresh loans to existing customers and new customers, who are onboarded from September 2, 2022. For existing digital loans, that is, the loans that have been sanctioned as on September 2, 2022, REs were given time until November 30, 2022, to put in place adequate systems and processes to ensure compliance with the Guidelines.
2. Customer Protection
The Guidelines state that the loan disbursal and repayment cannot occur through an account of any third party, such as a pass-through account or a pool account, including accounts of LSPs and DLAs. The disbursals and repayments shall be made directly between the RE and the borrower’s bank account, except in the following cases:
Disbursals covered exclusively under statutory or regulatory mandate,
Money flow between REs for co-lending transactions, for both priority and non-priority sector lending,
Disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary,
When physical interface may be used for recovery of delinquent loans (only where absolutely necessary), or
Repayment of loans issued as advances against salary, wherein the corporate employer of the borrower deducts the EMI amount from the salary payable, and repays the instalment directly to the RE.
Additionally, every RE should have and should ensure that their LSPs have a nodal grievance officer for addressing any issues with respect to digital lending, fintech and DLAs. If a complaint lodged by the borrower against an RE or LSP engaged by the RE is not resolved by the RE within 30 days, the borrower can lodge a complaint on the Complaint Management System portal under the RBI-Integrated Ombudsman Scheme (“RB-IOS”), or for entities currently not covered under RB-IOS, as per the grievance redressal mechanism prescribed by the RBI.
3. Disclosures
The Guidelines mandate that the RE must provide a Key Fact Statement (“KFS”) in a standard format. The KFS is required for all digital lending products, and must include the all-inclusive cost of the digital loan shown as an annual percentage rate, recovery mechanism, and details of the grievance redressal officer designated to deal with digital lending and fintech-related matters. Any charge or fee not mentioned in the KFS cannot be charged to the borrower.
The KFS shall also include the right of a borrower to have a cool-off/lookup period, during which the borrower can exit the digital loan by paying back the principal and proportionate annual percentage rate (that may include a one-time processing fee) without any penalty. REs are required to ensure that digitally signed documents on the letterhead of the RE, such as the KFS, the sanction letter, etc., shall be sent automatically to borrowers on their registered and verified email or phone numbers as SMSs, upon execution of the loan contract or transaction.
REs are required to ensure that any charges payable to the LSPs are paid by the RE to the LSP, and not charged by the LSP to the borrower. Further, any penal interest or charges levied on borrowers by the RE should be based on the loan’s outstanding amount, and the rate of such penal charges should be disclosed upfront in the Key Fact Statement.
REs must publish the list of LSPs and DLAs engaged by them, and the details of their activities, on the RE’s website. DLAs of REs and LSPs shall prominently display product and loan-related information at the on-boarding stage, to ensure borrower awareness. REs shall provide the borrower with the details of the LSP acting as its recovery agent, at the time of loan sanction and while passing on the recovery responsibilities to an LSP or changing of an LSP. If the borrower fails to repay the loan and a recovery agent has been assigned to the borrower, the RE must communicate the recovery agent’s contact information to the borrower before the recovery agent contacts the borrower. REs must ensure that DLAs of the REs and LSPs have links (in a prominent, single place on their websites) to the REs’ website where detailed information about the loan products, the lender, the LSP, particulars of customer care, etc., can be accessed by the borrowers.
The reasoning behind introducing such disclosure-related compliances is: (1) to ensure customers are informed about all charges applicable to them, and (2) for customers to be able to identify recovery agents of the RE, and ensure recovery agents may be held accountable for unethical practices. The concern with digital lending platforms was primarily the hidden charges in loans offered, with news reports stating that certain platforms charged 35-40% as platform fees, service charges and processing fees. The concern appears to continue to post the Guidelines as well, as the Ministry of Electronics and Information Technology has blocked over 94 loan apps.
4. Data Protection
Data collection by LSPs should be need-based, with the explicit consent of the borrower at every stage. Explicit consent is required from the user for sharing their information with third parties. Most personal information collected by LSPs and DLAs should not be stored, except some basic minimal data such as name, address, and contact details of the customer that may be required to carry out the LSP and DLA operations. Further, phone data of the borrower, such as files, media, contact list, call logs, etc. must not be accessed. However, one-time access for the camera, microphone, location or any other facility necessary for on-boarding and/or KYC requirements is permitted, only with the explicit consent of the borrower. Further, no biometric data can be stored or collected in the systems of the DLA and LSP of REs.
The RE also has the responsibility to ensure that all the DLAs and LSPs that they engage have a comprehensive privacy policy, including details of third parties that may be allowed to collect personal information through the DLAs, the type of data that can be stored, length of storage, limitation of use of data, etc., and that the privacy policy is prominently disclosed by the DLAs and LSPs of the RE on their website or apps. All the data collected must be localized, i.e., it should be stored in servers located within India. Lastly, REs have the responsibility to ensure the privacy and security of the customer’s personal information.
The RBI historically has included data protection and localization related provisions in its regulations, and this trend continues in the Guidelines. The restriction on data collected and the localization requirement under the Guidelines are due to:
Excessive data and permissions collected from borrowers by DLAs/LSPs, including by legitimate Indian fintechs offering digital lending. For example, several apps require users to provide permissions to access location, camera and contacts to use the app, although such permissions are not relevant to the services offered by the apps.
The misuse of borrower data by several DLAs/LSPs. News reports state that over 300 digital lending apps were used by cybercriminals in India to access user data and to harass borrowers.
5. Reporting and Due Diligence
REs shall ensure that any lending through DLAs and/or LSPs of the REs is reported to Credit Information Companies (“CIC”), irrespective of the nature of the loan or its tenor. Digital lending products offered by REs or their LSPs over merchant platforms, involving short-term, unsecured or secured credits, or deferred payments, need to be reported to CICs by the REs as well.
REs are required to conduct enhanced due diligence before partnering with a LSP for digital lending. This diligence should include the LSP’s technical abilities, data privacy policies, storage systems, fairness in conduct with borrowers and ability to comply with regulations and statutes. REs are also required to undertake periodic reviews of the conduct of LSPs, and guide LSPs on how to act responsibly if they are acting as recovery agents.
These due diligence provisions come in the light of several lending apps operating with harsh and predatory lending and recovery practices. By imposing the obligation on REs to vet the LSP before partnering with them, the instances of such lenders operating in the digital lending industry may become significantly lower.
III. Industry Concerns
The Guidelines and the FAQs appear to plug the gaps identified in relation to the regulation of digital lending. However, the Guidelines in terms of practical implementation, require further details or clarifications. The industry-related concerns can be categorized as follows:
1. First Loss Default Guarantee
First Loss Default Guarantee (“FLDG”) is an arrangement between a fintech and an RE, wherein the RE issues the loan to the borrower, and the fintech promises to compensate the RE to a certain extent if the borrower defaults in repayment. FLDG is provided at a certain pre-decided rate. Until the Guidelines, REs such as banks and NBFCs would lend through fintechs and rely on the fintech’s underwriting for the FLDG.
The FLDG cover motivated REs to offer more loans, which has previously put banks in a tight spot at the time of recovery, with over 10% loans not being repaid on time in 2020. It appears that the Guidelines would require REs accepting such FLDGs to adhere to the provisions of the RBI Master Direction on Securitisation Of Standard Assets, specifically on synthetic securitization. The provision appears to prohibit any transfer of risk by an RE to a third party in relation to lending.
This issue has not been clarified in the FAQs. The industry, including LSPs, continues to await RBI clarifications on whether FLDGs can be offered to REs or not. The industry is exploring alternative models such as revenue sharing based on repayment proficiency of loan portfolios, and revenue sharing of interest income between the fintech and the RE.
2. Payment Aggregators
PAs, as per the RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, are “entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own.” PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer the payments to the merchants after a particular time period.
The issue faced by PAs in relation to the Guidelines is that some PAs have also been performing the functions of LSPs. For instance, the PAs were facilitating loans and pooling funds for disbursal and acceptance, including facilitating equated monthly installments (“EMI”) on e-commerce and digital platforms. The Guidelines have now restricted PAs (as PAs are not REs) from pooling money from borrowers and lenders. Thus, funds cannot pass through the accounts of PAs. This has been confirmed by the FAQs, which state that PAs performing the role of an LSP must comply with the Guidelines, and no express exception has been provided for PAs to handle funds in the digital lending process.
For example, in a “pay-later” option offered while making a payment on an e-commerce website, if the PA were handling funds directly, the transaction would have included a pass-through of funds through the PA account at the time of loan disbursal and repayment by the borrower-purchaser. The model so far was that some e-commerce platforms had an arrangement with REs for capital; when a customer opted for the pay later option, a digital loan could be availed immediately through banks or NBFCs, and loans would be disbursed through the PA’s pooling account. Post the Guidelines and FAQs, money cannot pass through the PA’s account.
Certain PAs may also offer both: (1) PA services to merchants, and (2) digital lending services to merchants (through partner banks or NBFCs). In this model, the partner bank or NBFC may directly disburse loans to the merchants. The PA collects money from the merchant’s customers. The money collected is then apportioned by the PA between: (1) the merchant’s account with the PA (for settlement of money collected from customers), and (2) the merchant’s loan account with the bank or NBFC, as repayment of the merchant’s loan. In this model, the issue that arises is that the PA may handle funds directly in loan repayment. Post the introduction of the Guidelines and the FAQs, the PA cannot handle the funds directly in the loan repayment.
Further, lending platforms have been struggling to comply with the Guidelines to route loan repayments directly to the RE’s account. As the model is dependent on customers, i.e. it requires linkage of the customer’s bank accounts with the RE’s account, this has been difficult for fintechs and REs to implement.
Against the backdrop of the Guidelines, the Payments Council of India (“PCI”) has made a representation to the RBI to exempt PAs from the norm of the Guidelines that restricts fund flow of loan disbursals and repayments through pass-through accounts. PCI’s reasoning was that PAs are regulated by the RBI, and the movement of funds is also through a regulated escrow account of PAs; hence, PAs should have the right to disburse loans and collect loan repayments through their regulated accounts. The PCI had also stated that the new Guidelines would hamper the operations of REs and increase their operational costs. However, the FAQs have clarified that while PAs offering only PA services would remain outside the ambit of the Guidelines, any PA performing the role of an LSP is required to comply with the Guidelines. No exemption, as sought by the PCI, is provided to PAs.
The significance of the restriction of pass-through of funds through the accounts of PAs is that several fintechs are now restricted from offering services that involve pass-through of funds through their pool accounts. Although the Guidelines are for lending activities, it appears to place a restriction on licensed PAs from participating in the process. Though PAs are RBI-authorised companies, this pass-through account restriction is not exempt for PAs under the RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, 2021.
3. ’Buy Now Pay Later’ Apps
Prior to the Guidelines, the RBI circular on Prepaid Payment Instruments (“PPIs”) and credit lines (June 2022) banned the loading of non-bank PPIs such as prepaid cards and wallets from credit lines. Credit lines are pre-approved borrowing amounts provided by banks or NBFCs (as lenders), that allow individuals and businesses to access credit anytime without further approval within the pre-approved borrowing limit. Basis the RBI’s Master Direction on PPIs, PPIs such as e-wallets may only be loaded and reloaded using cash, debits to a bank account, and credit and debit cards, thus confirming that PPIs may not be loaded through credit lines.
This credit lines restriction affected several ’Buy Now Pay Later’ (“BNPL”) platform providers, as the BNPL platforms offered credit to their users through non-bank issued PPIs, that used pre-approved credit-lines to load the PPIs. Prior to the restriction, loans were offered in real time or within minutes of the borrower’s request, as the credit-lines were pre-approved and the borrower did not require further approval at the time of availing the BNPL service.
The RBI restriction on credit lines led BNPL companies to move to a model of fresh sanction of a loan for every lending transaction undertaken by the borrower on the platform. The new model requires the loan to be approved, disbursed and subsequently loaded into the PPI at each instance. This has led to a change in the operations of several such BNPL platforms.
The Guidelines further required changes by BNPL platforms to ensure there was no pass-through of loan disbursal or repayment through the BNPL platform account or any other intermediary account. The double whammy of the credit lines circular and the Guidelines has rendered the operations of BNPL companies in their erstwhile form virtually impossible. This has led to several such fintech companies having to undertake drastic pivots, and in certain cases, shutdown.
IV. Conclusion
Despite the Guidelines being comprehensive in relation to customer and data protection, there remain industry-level concerns that require clarification for effective implementation. The clarification on the role of PAs has brought much-awaited clarity, and the RBI’s stance is that pass-through of funds for digital lending through PAs and BNPL platforms is not permitted. Limited exemptions for corporate employers and physical recovery of loans have been provided, as explained above.
Industry players expect RBI to issue further clarifications on the Guidelines, especially for the exemptions on offering FLDGs. Such a clarification would help the industry devise the right model to operate effectively and within the confines of the law. The pertinent factor for devising models relating to FLDGs is how REs may be motivated to lend digitally through LSPs/DLAs, if REs are not permitted to enter into FLDG arrangements with fintechs. Apart from industry bodies, the new Department of Fintech could liaise with fintechs and represent them before other relevant RBI departments to achieve a quick resolution on the FLDG issue.
Akhileshwari Anand, Aaron Kamath & Huzefa Tavawalla - Fintech Law & Regulatory Practice Group, Nishith Desai Associates
