THE NEW DIGITAL LENDING REGULATIONS-DECODING THE WAY
FORWARD
Authors: Vineetha
MG, Partner; Neha
Mirajgaokar, Partner; Pratik Patnaik, Principal Associate
(I) BACKGROUND
The
Reserve Bank of India (“RBI”) which regulates inter alia credit
systems and markets in India has been considering the regulatory ecosystem
around ‘digital lending[1]’ (“Digital
Lending”) for some time now. It had constituted a Working Group on ‘digital
lending including lending through online platforms and mobile apps’ led by
one of its executive directors, Mr. Jayant Kumar Dash (“Working Group”)
which had submitted a set of recommendations to the RBI on November 21, 2021 (“WG
Report”). The WG Report included a host of recommendations to the RBI and
the central government vis-à-vis the required changes to the digital
lending ecosystem.
Now some
of those recommendations have been accepted and the RBI has issued a press
release on August 10, 2022 (“Press Release”). The Press Release contains:-(a)
recommendations from the WG Report which are up for immediate implementation;
(b) recommendations from the WG Report which have been accepted in-principle
but require further examination; and (c) recommendations that require wider
engagement with the central government and other stakeholders in view of the
technical complexities, setting up of institutional mechanism and legislative
interventions.
It is
important to note that the Press Release states that detailed instructions will
be issued separately. However, the timing of these detailed instructions is
suspect. In this update, we have focused on (a) above, i.e., the
recommendations which are being implemented immediately.
(II)
APPLICABILITY & EFFECTIVE DATE
Applicability
i. The Press Release is applicable to all regulated entities (“REs”) of the RBI including banks, non-banking financial companies (“NBFCs”) carrying out Digital Lending either-
(a) through lending service providers, i.e., an agent of a regulated entity who for a fee from the RE, carries out one or more of the lender’s functions in customer acquisition, underwriting support, pricing support, disbursement, servicing, monitoring, collection, recovery of specific loan or loan portfolio (“LSPs”); OR
|
Note: - In our view, this would cover all digital
lending platforms, aggregators, business correspondents, and outsourcing
partners providing credit facilitation services as set out above. The entity
in question need not provide all services as set out above to be covered by
the Press Release but providing one or more of the services will bring the
entity under the purview of the Press Release. |
(b) Through their own digital lending apps-mobile and web-based applications with user interface that facilitate borrowing by a borrower from a digital lender. DLAs will include apps of the REs as well as those operated by LSPs which are engaged by REs for extension of any credit facilitation services (“DLAs”).
|
Note: - The Press Release clearly indicates any kind of
outsourcing arrangement involving a RE and LSPs/DLAs shall be subject to the
extant guidelines on outsourcing, i.e., Guidelines on Managing Risks and Code
of Conduct in Outsourcing of Financial Services by Banks dated November 3,
2006 (“Outsourcing Directions for Banks”) in case banks and Directions
on Managing Risks and Code of Conduct in Outsourcing of Financial Services by
NBFCs dated November 9, 2017 (“Outsourcing Directions for NBFCs”) in
case of NBFCs. There was a view taken in the market that pureplay technology service
providers will not fall under the purview of the abovementioned outsourcing
guidelines, however, now in the light of the Press Release even a technology
service provider who creates/manages a DLA for a RE may fall within the
purview of outsourcing guidelines irrespective of the fact that if such
service provider provides any credit facilitation services or not. This will
require that the REs will need to monitor the activities of such technology
service provider. |
ii. Entities carrying out lending activities that are not regulated by the RBI including Housing Finance Companies etc. are not affected by this Press Release.
Effective
Date
The Press
Release does not mention any effective date and in fact, indicates that the
implementation will be ‘immediate’,
however, it states that detailed instructions will follow separately.
|
Note: - In
our view, wherever no specific implementation/effective date is mentioned, it
should be considered to be effective immediately. However, in the past, it
has been seen that the RBI usually issues a notification after a press
release setting out the detailed instructions. |
(III) KEY COMPLIANCES[2]
|
Sl No. |
Compliance |
Rationale |
Our Views |
|
1. |
Fund Flow: REs to
ensure that all loan servicing, repayment, etc., shall be executed directly
in the RE’s bank account without any pass-through account/ pool account of
any third party.
The disbursals shall always be made into the bank
account of the borrower. In case
of borrowers not having a bank account, monies can be disbursed only
into fully compliant PPIs of the borrower. Exceptions- (a) disbursals covered exclusively under statutory
or regulatory mandate; (b) flow of money between REs for co-lending
transactions; and (c) disbursals where loans are mandated for specified
end-use as per regulatory guidelines of RBI or of any other regulator. |
In the
WG Report, RBI had raised concerns about the transparency of the
process/disbursals where monies are disbursed by the lender to the LSP and
then the LSP disburses the same to the borrower and similarly where the LSP
collects the repayment amount on its own bank account and then sends it to
the lender. This is in line with recent changes in other regulatory regimes
including SEBI’s banning of pooling of monies in relation to mutual funds as
well. The systemic risk that the regulator is looking at is that there could
be a possibility of fund mix-up and also a concern if the LSP undergoes a
moratorium or insolvency proceedings as there could be a confusion about which
assets (cash) belongs to the entity and what assets are only being held as in
trust. Another
reason for this suggestion is to ensure that the loans flow from the accounts
of the actual balance sheet lender to the borrower for de-risking the lending
market, reduce dependency on the unregulated LSPs, and increase regulatory
compliance on REs. |
One of
the major disruptive effects of this recommendation is that many of the REs
and LSPs use payment aggregators/escrow banks for administrative convenience
will need to be relooked at. However,
in our view, possible lender-specific escrow structures could be evaluated
which should pass the regulatory muster. Due to
exception (b), platforms (such as CredAvenue) that facilitate co-lending
between REs could be exempted. |
|
2. |
Payment of Fees to LSPs REs to
ensure that any fees, etc. payable to LSPs are paid directly by REs and are
not charged by LSP to the borrower directly. |
This is
in line with existing guidelines on business correspondents, wherein charging
the borrower directly by the business correspondents is prohibited. |
In our
view, this should not affect the provision of separate services by the LSPs
to the customer/borrower and charge them separately for the same. |
|
3. |
Disclosure of APR The
all-inclusive cost of digital loans as an Annual Percentage Rate[3]
(APR) is to be disclosed upfront by REs. |
In the
WG Report, the Working Group had recommended that the total costs of the
borrowing (including contingent costs) should be fairly disclosed to the
borrower. It had recommended that RBI should establish standard definitions
for the cost of digital short-term consumer credit/ micro-credit as Annual
Percent Rate (APR). The
disclosure should include the monetary and non-monetary impact of early,
partial, late, or non-repayment of the loan (contingent costs). This is
a customer-focused suggestion for disclosure of costs in a clear and
understandable way and adequate disclosure may, according to the WG Report,
improve repayment performance. |
RBI in
the Press Release has not set out the standard measures for APR contrary to
the recommendation of the WG Report but has put in a blanket requirement on
REs to disclose the all-inclusive cost as an APR. Lenders
could consider disclosing a range for the APR starting from an APR which
would not include any penalties and other contingent charges and only
captures the fixed APR up to a rate of APR which could include all contingent
charges. |
|
4. |
Grievance Officer & Grievance Redressal REs to
ensure that LSPs appoint a nodal grievance redressal officer (“GOs”)
to deal with all complaints in relation to the Digital Lending or the DLAs.
The GO’s contact details are to be displayed on-(a) RE’s website; (b) LSP’s
website; (c) the DLA, and (d) the key fact sheet (“KFS”) (discussed
later). The DLA
and the website shall contain the mode of lodging a complaint. If any
complaint is not resolved by the RE within 30 (thirty) days, the borrower can
lodge a complaint over the Complaint Management System (CMS) portal or other
prescribed modes under RB-IOS. |
In line
with the extant guidelines on outsourcing, the intent of this is that the end
customer should not be restricted in any manner from raising his/her
grievance as in a Digital Lending scenario, a lot of the times, the end
customers confuse the lending platform with the back-end lender. |
This
recommendation is in line with the Information Technology (Intermediary
Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”).
Under the Intermediary Rules, the definition of intermediary[4],
in any case, would include a LSP requiring the appointment of a grievance
officer. However,
since RBI cannot directly govern the LSPs, the obligation is cast on the REs
to ensure that the LSPs comply with this obligation. It has been clarified
that the responsibility of the grievance redressal will continue to be with
the RE. |
|
5. |
Key Fact Sheet REs to
provide a key fact statement before the execution of the contract in a
standardized format for all digital lending products including- (a) details
of the APR; (b) terms of the loan; (c) details of the grievance officer; and
(d) cooling-off/look-up period (discussed later). Any fee
which are not mentioned in the KFS shall not be charged. |
The
intent of the RBI is to ensure that the uninitiated/young and the less financially
literate customers have all the relevant information in one place, especially
as the loan documents can be verbose, such customers may lose out on
important details of the loan if all critical information is not simplified. |
It has
been recommended that till the time RBI does not come up with a specific KFS
format for Digital Lending, the format available under Master Direction -
Reserve Bank of India (Regulatory Framework for Microfinance Loans) Directions,
2022 dated March 14, 2022, can be used. |
|
6. |
Flow of Information REs to
ensure that all digitally signed documents supporting important transactions
through DLAs- (a) KFS; (b) summary of the product; (c) sanction letter; (d)
terms and conditions; (e) account statements; (f) privacy policies of the
LSPs with respect to borrowers’ data, etc., shall automatically flow from the
lender to the registered/ verified email/ SMS of the borrower upon execution
of the loan contract. |
This is
done to ensure that the borrowers have copies and knowledge of all relevant
documents. |
We
understand that currently all such information especially the privacy policy
of the LSP etc. is not sent to the customer upon execution. Currently,
customers can view some of these documents after logging in to the portal of
the LSP. Going forward, all documents as identified have to be shared with
the customer. There
may be significant monetary and operational outflow for REs and LSPs to put
this into effect. The stamp duty implications will also need to be
ascertained. |
|
7. |
Credit Limit REs to
ensure that automatic increases in credit limits are prohibited unless explicit
consent of the borrower is taken on record for each such increase. |
The
intent is to ensure that the less financially literate customers do not fall
into a debt trap. |
It has
to be ensured, that explicit consent has to be taken from the borrower before
their credit limit is extended. Such consent should be recorded and
preserved. |
|
8. |
List of LSPs on REs Website REs
shall publish the list of LSPs (and DLAs, if any) engaged by them along with
the details of the activities for which they have been engaged, on their
website. |
This is
to ensure transparency and for the customer to know the association/relationship.
|
Usually,
the existence and nature of engagements between REs and LSPs were not
publicly known. This will put an additional regulatory burden on the REs to
maintain an updated list on their website. |
|
9. |
Credit Assessment of each Borrower REs may
capture the economic profile of the borrowers (age, occupation, income,
etc.,) before extending any loans over DLAs, with a view to assess the
borrower’s creditworthiness in an auditable way. |
The WG
Report stated how debt trap protection works in jurisdictions such as the US.
Some of the customers may take loans without having the financial wherewithal
to repay the same or may be exposed to certain immediate risks on account of
the burden of the interest and repayment of the loan. To counter the same,
the Press Release makes it mandatory for the lenders to determine the ability
of the borrowers to repay the amounts and to assess the creditworthiness of
each of the borrowers. |
In our
view, auto-approved limits/pre-approved loans where each of the customers is
not individually assessed may have to be stopped. The
economic profile of each of the customers has to be collected and
creditworthiness has to be accessed and the audit trails of the same have to
be maintained prior to initiating lending. |
|
10. |
Cooling-off/Look-up Period A
board-determined ‘Cooling-off/Look-up Period’ has to be prescribed by the RE
within which time, the borrower will be able to exit the loan without paying
a prepayment penalty but only paying the principal amount and a proportionate
APR. |
This is
being done to ensure that the customer is protected from over-burdening
himself/herself with loans and is not disincentivized from prepaying a loan
if he/she is able to. |
Globally
cooling-off period (as noted in the WG Report) varies from 3-14 days. A board-approved
policy should be made and such cooling-off/look-up period to be set out. |
|
11. |
Disclosure during onboarding The
DLAs or DLAs of the LSPs at the onboarding/sign-up stage prominently display
information relating to the product features, loan limit, cost, etc. so as to
make the borrowers aware of these aspects. |
Consumer
awareness and transparency. |
The
sign-up and subsequent disbursement could be made conditional upon ticking
off a consent radio box with terms and conditions offered for all loan
products. |
|
12. |
Relationship between REs and DSPs Enhanced
due diligence by the balance sheet lenders before entering into a partnership
with LSPs. Communication from the lender to the borrower about the details of
LSPs who have sourced the loans and prior communication about the LSP
entrusted with recovery. Periodic review of the conduct of LSPs engaged in
recovery. |
Since partnerships with the customer-facing LSPs is
a dominant model, oversight should be extended to LSPs by the REs. |
As such being unregulated service providers, LSPs
are under minimum oversight. Focus by the RBI on the activities undertaken by
the LSPs is a game changer. This will increase the regulatory burden on the
REs to ensure LSPs’ compliance with the current regulations. |
|
13. |
Consumer Data (a) Types of Data to be collected: Data
of the customer collected should be need-based and should only be
collected only with prior explicit
consent which should be auditable. REs to ensure that LSPs do not store
personal information of borrowers except for some basic minimal data (viz.
name, address, contact details of the customer, etc.) that may be required to
carry out their operations. DLAs should not access mobile phone resources
such as files and media, contact lists, call logs, telephony functions, etc.
One-time access can be taken for the camera, microphone, location, or any
other facility necessary for the purpose of onboarding/ KYC requirements only
with the explicit consent of the borrower. (b) Explicit Consent Requirement: Required for- (i)
Consent to the DLAs access and use to the customer’s
mobile phone/other electronic device resources – camera, contact list, audio,
location, stored documents and images, etc. (ii)
Type of specific data that is collected
(personal information for the purposes of KYC, income and credit information,
etc.) (iii)
To disclose to third parties. (iv)
For any retention. (c) Right to Revoke/Purge: Right to revoke consent
+ right to purge personal data from the App. (d) Privacy Policy: Privacy policy to be in place including- details
of the third parties who collect data + type of data stored + duration for
storage + restriction of use. (e) Other Policies: Data destruction protocol + standards of handling
security breaches. (f) Biometric Data: No biometric data should be collected/stored in
the systems associated with DLAs and LSPs. |
(a) Types of Data to be collected: One of the major concerns raised by the WG Report is the consumers’
privacy violations and abuse. One of the extreme examples cited in the report
is that some of the LSPs use the access to the contact list of the customer’s
phone to call up their relatives and friends when such customer failed to pay
any installment. Such access to contact list is taken at the time of
onboarding at which it may have seemed to be a harmless permission given by
the customer. Accordingly, purpose limitation (need based collection) has
been imposed under the Press Release. (b) Explicit Consent Requirement: The other contentious issue discussed in the WG Report is the lack of
explicit consent. Accordingly, the Press Release has set out the actions for which explicit customer
consent will be required. Focus on ensuring that disclosure to third parties is
explicitly consented by the borrower as there were instances of cross-selling
and bundling of third-party products. (c) Right to Revoke/Purge: While the right to
revoke consent is already provided under the SPDI Rules, the right to purge
the data provided is newly added. The rationale seems to be alignment with
GDPR norms and avoid personal data to sit with LSPs when the transaction is
completed and there is no ongoing transaction. (d) Privacy Policy: While privacy policy is already a requirement under the Intermediary
Rules and SPDI Rules, the Press Release has reiterated some of these
requirements. (e) Other Policies: Separate policies on data destruction protocol +
standards of handling security breaches are required under the Press Release,
looking at the global trend of major and minor data breaches. (f) Biometric Data: This is in-line with the existing regulations. |
1. Types of Data to be collected: The
Press Release has severely limited the kinds of personal information/data can
be collected and stored by the LSPs. Only such data which is needed to carry
out services can be collected and stored. LSPs have to access the personal information/data that are
absolutely needed for carrying out their services and accordingly should list
down such data types in their privacy policy and have the customers consent
to the same explicitly. Access to media, contact lists, call logs, and
telephony functions have to be stopped. For KYC purposes, one-time access can
be taken. 2. Explicit Consent Requirement: The
Press Release at various places requires the customers to provide explicit
consent. One way to demonstrate explicit consent is to have an OTP-based
verification which requires the customer to key-in the OTP. Further, the
consent procured should be maintained and should be auditable. Right
to consent or deny specific data can be covered by listing the categories of
data to be collected and having the customer tick off the radio box for each
category. To
comply with the requirements relating to disclosure to third parties, the
types/categories of third parties to whom such data is disclosed have to be
listed in the privacy policy and the customers should be given an option to
allow such disclosure. 3. Right to Revoke/Purge: Right to purge data
should be provided. However, data that are required to be maintained pursuant
to law, such as KYC data etc., need not be purged. 4. Privacy Policy: The existing privacy
policies of the LSPs should be relooked at and it must be ensured that they
are available publicly. 5. Other Policies: Data destruction protocol and standards for
handling breaches of data can be covered by way of a separate data breach
policy. A link of the same can be provided in the privacy policy for the
customer to view the same. 6. Biometric Data: Restrictions on biometric data collection to be
followed. The Personal Data Protection Bill has been withdrawn
and the government has stated that they will come up with a comprehensive
legal framework regarding digital privacy law. All the above mechanisms may
need to be re-looked at the stage of issuance of a fresh bill. |
|
14. |
Data Localisation REs to
ensure that all the data is stored in servers located within India. |
The aim
is to ensure that the data is localized, to ensure a nationalized data
economy and also for easy accessibility to the data by government agencies in
case of investigations etc. |
LSPs
who are foreign entities will need to ensure that they have an Indian entity
and store data locally. There seems to be a contradiction herewith the
Outsourcing Directions for Banks and Outsourcing Directions for NBFCs that
allow foreign outsourcing partners to act on behalf of banks/NBFCs (as
applicable). However, with this new limitation, the outsourcing guidelines
have to be accordingly read. Foreign
LSPs have to ensure that they incorporate Indian entities and also ensure
that the data is stored in India and does not flow through to entities
outside India. This is
in line with the increasing RBI monitoring for ensuring data is stored
locally, for e.g., storage of payment data by system providers. |
|
15. |
Reporting to CICs REs to
ensure that any lending done through DLAs is reported to CICs irrespective of
its nature/ tenor including short-term, unsecured/ secured credits, or
deferred payments needs to be reported to credit bureaus. |
This is
to ensure that BNPL loans that are at times not reported are brought into the
regulatory ambit. |
To be accordingly
implemented. |
(IV) FIRST LOSS DEFAULT GUARANTEE
Even though the recommendation pertaining to first loss default guarantee (“FLDG”) as set out in the WG Report is accepted, however, it is subject to further examination by the RBI, this update discusses FLDG due to its criticality and widespread use in digital lending. The in-principle recommendation of RBI is that REs are required to ensure that financial products involving contractual agreement, in which a third party guarantees to compensate up to a certain percentage of default in a loan portfolio of the RE, should adhere to the extant guidelines laid down in Master Direction – Reserve Bank of India (Securitization of Standard Assets) Directions, 2021 dated September 24, 2021 (“Master Direction”). It is not clear whether this requirement is for immediate implementation or for future implementation, while this is part of Annexure-II which is for later implementation however the inclusion of the word “meanwhile”, gives us a sense that the RBI could be looking to implement this immediately.
The WG Report had laid down risks of FLDG agreements with unregulated entities whereby LSPs are able to do artificial lending by participating in credit risk by way of FLDG without maintaining regulatory capital. The other concern is that FLDG costs are often passed on to the customer. Reference to Master Direction means that akin to originators under the Master Direction (See Direction E of Chapter II, Limit on Total Retained Exposures by Originators), where the total exposure of an originator to the securitization exposures belonging to a particular securitization structure or scheme is limited, it seems that the intent of the regulator is to limit the total exposures of LSPs to the loans to 20%. However, the foregoing may not be the only way in which the Master Direction is applicable to Digital Lending, and in the absence of detailed instructions, the ways in which the Master Direction can be applicable remain unclear.
(V) CONCLUSION
In our view, a lot of clarity is required on how some of the compliances set out in the Press Release will have to be adhered to. The issuance of detailed instructions as promised by the regulator may bring in the much-needed clarity on the issue as the devil is always in the detail. Though the intention seems to be to regulate the digital lending space, but the final word from RBI will tell us if it is a step forward or two steps backwards.
[1]A remote and automated lending
process, majorly by use of seamless digital technologies in customer
acquisition, credit assessment, loan approval, disbursement, recovery, and
associated customer service.
[2] Please
note that the list of compliances below is not meant to be exhaustive but only
sets out the major compliances under the Press Release. Kindly reach out to us
separately for a more focused/detailed review of the Press Release.
[3] The annual rate that is charged
for borrowing a loan and includes processing fees, penalties and all other
charges that are applicable to the loan throughout its life.
[4] Under the Information Technology
Act, 2000, an ‘intermediary’ with
respect to any particular electronic records, means any person who on behalf of
another person receives, stores or transmits that record or provides any
service with respect to that record and includes telecom service providers,
network service providers, internet service providers, web-hosting service
providers, search engines, online payment sites, online-auction sites,
online-market places and cyber cafes