By Akhileshwari Anand, Aaron Kamath & Huzefa Tavawalla
Abstract
This article discusses the RBI’s Guidelines on Digital Lending Guidelines, released in September 2022, and the FAQs to the Guidelines released in February 2023. The article provides a brief summary of the Guidelines, discusses compliance and disclosure requirements for regulated entities, digital lending apps and lending service providers, and discusses the impact on various business models and entities such as payment aggregators, buy-now-pay-later platforms, and first-loss default guarantee arrangements
I. Introduction
Digital lending, via websites and apps, has changed the way customers borrow money, by combining technological advancement with traditional banking services. This has led to seamless borrowing, faster loan disbursal with minimum paperwork, and expanded access to credit to a larger group of people, with digital lending growing multi-fold during the Covid-19 pandemic. For example, various non-bank websites and apps offer instant loans, with loans being disbursed in less than 10 minutes and without any collateral. ’Pay-later‘ platforms have also helped people shop online without having to make upfront payments.
The Reserve Bank of India (“RBI”) chose to examine the functioning of digital lending apps and websites due to concerns of mis-selling to unsuspecting customers, data privacy breaches, misuse of data collected, hidden costs, unethical business conduct (including recovery agents resorting to harassment) and illegitimate operations. The RBI Working Group was set up in January 2021 (“Working Group”). The Working Group identified three major issues: conduct, technology and charges, based on which the Working Group released its recommendations in November 2021 (“Recommendations”).
The RBI Implementation of the Recommendations was released in August 2022, and on September 2, 2022, the RBI released the Digital Lending Guidelines (“Guidelines”). The Guidelines have been issued under the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, the National Housing Bank Act, 1987, the Factoring Regulation Act, 2011 and the Credit Information Companies (Regulation) Act, 2005. Subsequent to this, the RBI published Frequently Asked Questions to the Guidelines on February 15, 2023 (“FAQs”).
This article explores the provisions of the Guidelines and its industry impact on ‘buy now pay later’ and first-loss default guarantee models and payment aggregators.
II. Brief Overview of the Guidelines
1. Applicability
The Guidelines are applicable to digital lending services extended by banks and non-banking financial companies (including housing finance companies) (“Regulated Entities” or “REs”). It is clarified that the scope of digital lending would extend to lending activities that involve some physical interface with the borrowers, such as in customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.
The Guidelines also refer to Digital Lending Apps (“DLA”) and Lending Service Providers (“LSP”). DLAs are mobile and web-based applications with a user interface that facilitates digital lending services, (for example, the mobile banking app of a bank that enables a user to avail of a loan through their phone). A DLA can either be operated by an LSP or by an RE directly. LSPs are intermediaries between the RE and the borrower. LSPs are entities that act as an agent of the RE and carry out one or more of the RE’s functions, such as customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery of specific loans or loan portfolios.
The Guidelines reiterate that any outsourcing by an RE to an LSP or a DLA does not diminish the RE’s obligations to conform to the existing RBI guidelines on outsourcing. In addition, REs also need to ensure that LSPs and DLAs comply with the Guidelines.
The Guidelines are applicable to fresh loans to existing customers and new customers, who are onboarded from September 2, 2022. For existing digital loans, that is, the loans that have been sanctioned as on September 2, 2022, REs were given time until November 30, 2022, to put in place adequate systems and processes to ensure compliance with the Guidelines.
2. Customer Protection
The Guidelines state that the loan disbursal and repayment cannot occur through an account of any third party, such as a pass-through account or a pool account, including accounts of LSPs and DLAs. The disbursals and repayments shall be made directly between the RE and the borrower’s bank account, except in the following cases:
Disbursals covered exclusively under statutory or regulatory mandate,
Money flow between REs for co-lending transactions, for both priority and non-priority sector lending,
Disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary,
When physical interface may be used for recovery of delinquent loans (only where absolutely necessary), or
Repayment of loans issued as advances against salary, wherein the corporate employer of the borrower deducts the EMI amount from the salary payable, and repays the instalment directly to the RE.
Additionally, every RE should have and should ensure that their LSPs have a nodal grievance officer for addressing any issues with respect to digital lending, fintech and DLAs. If a complaint lodged by the borrower against an RE or LSP engaged by the RE is not resolved by the RE within 30 days, the borrower can lodge a complaint on the Complaint Management System portal under the RBI-Integrated Ombudsman Scheme (“RB-IOS”), or for entities currently not covered under RB-IOS, as per the grievance redressal mechanism prescribed by the RBI.
3. Disclosures
The Guidelines mandate that the RE must provide a Key Fact Statement (“KFS”) in a standard format. The KFS is required for all digital lending products, and must include the all-inclusive cost of the digital loan shown as an annual percentage rate, recovery mechanism, and details of the grievance redressal officer designated to deal with digital lending and fintech-related matters. Any charge or fee not mentioned in the KFS cannot be charged to the borrower.
The KFS shall also include the right of a borrower to have a cool-off/lookup period, during which the borrower can exit the digital loan by paying back the principal and proportionate annual percentage rate (that may include a one-time processing fee) without any penalty. REs are required to ensure that digitally signed documents on the letterhead of the RE, such as the KFS, the sanction letter, etc., shall be sent automatically to borrowers on their registered and verified email or phone numbers as SMSs, upon execution of the loan contract or transaction.
REs are required to ensure that any charges payable to the LSPs are paid by the RE to the LSP, and not charged by the LSP to the borrower. Further, any penal interest or charges levied on borrowers by the RE should be based on the loan’s outstanding amount, and the rate of such penal charges should be disclosed upfront in the Key Fact Statement.
REs must publish the list of LSPs and DLAs engaged by them, and the details of their activities, on the RE’s website. DLAs of REs and LSPs shall prominently display product and loan-related information at the on-boarding stage, to ensure borrower awareness. REs shall provide the borrower with the details of the LSP acting as its recovery agent, at the time of loan sanction and while passing on the recovery responsibilities to an LSP or changing of an LSP. If the borrower fails to repay the loan and a recovery agent has been assigned to the borrower, the RE must communicate the recovery agent’s contact information to the borrower before the recovery agent contacts the borrower. REs must ensure that DLAs of the REs and LSPs have links (in a prominent, single place on their websites) to the REs’ website where detailed information about the loan products, the lender, the LSP, particulars of customer care, etc., can be accessed by the borrowers.
The reasoning behind introducing such disclosure-related compliances is: (1) to ensure customers are informed about all charges applicable to them, and (2) for customers to be able to identify recovery agents of the RE, and ensure recovery agents may be held accountable for unethical practices. The concern with digital lending platforms was primarily the hidden charges in loans offered, with news reports stating that certain platforms charged 35-40% as platform fees, service charges and processing fees. The concern appears to continue to post the Guidelines as well, as the Ministry of Electronics and Information Technology has blocked over 94 loan apps.
4. Data Protection
Data collection by LSPs should be need-based, with the explicit consent of the borrower at every stage. Explicit consent is required from the user for sharing their information with third parties. Most personal information collected by LSPs and DLAs should not be stored, except some basic minimal data such as name, address, and contact details of the customer that may be required to carry out the LSP and DLA operations. Further, phone data of the borrower, such as files, media, contact list, call logs, etc. must not be accessed. However, one-time access for the camera, microphone, location or any other facility necessary for on-boarding and/or KYC requirements is permitted, only with the explicit consent of the borrower. Further, no biometric data can be stored or collected in the systems of the DLA and LSP of REs.
The RE also has the responsibility to ensure that all the DLAs and LSPs that they engage have a comprehensive privacy policy, including details of third parties that may be allowed to collect personal information through the DLAs, the type of data that can be stored, length of storage, limitation of use of data, etc., and that the privacy policy is prominently disclosed by the DLAs and LSPs of the RE on thei