RBI’s debut guidelines on digital lending hit the right notes on protecting borrowers

The Reserve Bank of India’s first set of guidelines for digital lending, issued Wednesday, largely addresses concerns consumers had raised with regard to digital lending platforms.

While one industry expert called the guidelines “a culmination of months of listening to consumer grievances and inputs on the operations of the digital lending sector”, others said it hit all the right spots in defining best-in-class industry practices.

Broadly, the notification focusses on three main things:

  1. Regulating the entire lending chain
  2. Providing transparency to borrowers
  3. Defining good data privacy practices

Regulating the lending chain

To ensure that the central bank has visibility on the movement of money through the lending chain, RBI has stipulated that all loan disbursements always be made into the bank account of the borrower, and repayments be executed directly in the bank accounts of regulated entities (banks/NBFCs/microfinance institutions). No money should flow or pass through any third-party pool accounts, RBI says.

This is mainly to establish a clear audit trail, prevent money laundering, and for the central bank to have clear visibility on how the money has flowed in case the consumer raises any issues during a loan’s lifecycle.

In the entire digital lending equation, RBI does not want money to flow through any dark accounts where it cannot see how the funds have moved; it wants to be able to track the movement of each rupee so that it can protect the consumer if anything goes awry.

Providing transparency to borrowers

The framework asks for regulated entities to disclose, in easy-to-understand language, everything about the loan that a borrower is signing up for, including:

  • Total annual percentage rate (APR), which comprises the total interest rate on a loan, fees, origination charges, agency fees, and any other charges related to servicing the loan
  • The Key Fact Statement (KFS)
  • Details of the grievance redressal officers at the regulated entity (RE), the lending service provider (LSP), and the digital lending applications (DLA)
  • All fees and service charges
  • Terms and conditions of the loan recovery mechanism, including the details of the lending service provider that will act as the recovery agent

The central bank emphasises that the key fact statement must disclose everything related to the loan to the borrower, including details of the APR, names and contact details of grievance redressal officers, and the cooling-off period. This follows a recent study by policy research institution Dvara Research that showed that BNPL, or ‘buy now, pay later’, players did not always disclose facts such as pricing, customer obligations, and penalties in their KFS.

These disclosures to borrowers are also important so that they can make an informed decision before signing a loan contract.

“With the guidelines, it’s clear that RBI is trying to balance regulation and governance,” Kunal Varma, CEO and co-founder of neobank platform Freo, told YourStory. “There’s nothing stopping fintechs from innovating as long as it’s within the guardrails of regulation. This notification focuses on all the right things and practices the industry needs to adopt, at large.”

The need for these guardrails has become even more important since the proliferation of predatory, unregulated lending apps that charge extremely high interest rates and use reprobate means including harassment, threats to life and brute force to recover loans.

RBI has also said that regulated entities need to disclose to borrowers all the lending service providers and digital lending platforms they work with, with details of the activities for which they have been engaged.

Digital lending platforms have to prominently display information relating to the product features, including loan limit, costs, etc., as well as explain how any data captured in the loan process will be used.

Privacy practices

In this ‘data-is-the-new-oil’ age where everything one puts on the internet is “sellable” or “monetisable”, RBI has put together stringent data privacy practices that preclude regulated entities, lending service providers, digital lending applications, and any other platforms involved in the lending equation from using a borrower’s data for anything but the specific function it was meant for.

These guidelines are as follows:

  • Regulated entities, or REs, have to conduct due diligence around their LSP/DLA partners’ data privacy and storage policies before they enter into a partnership with them.
  • REs have to ensure the entities they engage with do not store borrowers’ personal data, except basic information such as name, address, contact details, etc.
  • Any collection of data has to be need-based, auditable, trackable by the RBI, and with the prior, explicit consent of the borrower.
  • Lenders cannot access borrowers’ mobile phone resources such as files and media, contact lists, call logs, and telephony functions.
  • One-time permission to access a borrower’s camera, microphone, and location, among other necessary facilities, can be taken, but only for the purpose of onboarding and KYC requirements.
  • Borrowers should be given the option to deny consent for use of specific data, revoke consent already granted, and, if required, make the app delete or forget his/her data
  • The purpose for obtaining and accessing a borrower’s data has to be disclosed at each stage to the borrower
  • For sharing any data with third parties, explicit consent has to be taken, unless it’s a statutory or a regulatory requirement
  • Digital lenders have to prominently display on their websites the type of data they will access, the length of time that data will be held, how it will be destroyed, and how the platform will handle security breaches
  • No biometric data should be stored or collected by the DLA
  • All data must be stored in servers located within India
  • All new digital lending products need to be reported to credit bureaus by regulated entities

To ensure that RBI has each borrower’s data, it has asked banks, NBFCs, and other regulated entities to disclose any lending done through DLAs to credit information companies.

The various checks and balances with respect to data privacy will go a long way in ensuring predatory or illegal lending applications don’t have access to anything they can use to open non-consensual lines of credit for customers. This has happened several times in the past, with people discovering random loans in their names when checking their credit history with CIBIL.

The framework laid out by the RBI has been immediately implemented.

The central bank said it is also currently considering other guidelines, such as:

  • Expanding the scope of financial literacy centres to include digital lending.
  • Informing borrowers via email or SMS each time a RE or lending service provider wants to access their credit information
  • Laying down baseline technology standards for DLAs, including ensuring the application is secure, keeping a log of every action that a user performs, device information etc.
  • Ensuring the algos used by REs to underwrite loans are extensively tested on diverse datasets to rule out any prejudices.
  • Having digital lenders adopt ethical AI that focuses on protecting borrowers’ interests, promotes transparency and inclusion, and sloughs away partiality.

The central bank added it is also considering a framework pertaining to first loss default guarantees (FLDG), loan products aggregators, and self-regulatory organisations.

“The central bank’s end-goal honestly is to protect end-consumers. The latest guidelines address market conduct practices, and are very reassuring for the industry. It solves a lot of customer issues we’ve seen come up in the last two-three years… all angles have been covered,” Sugandh Saxena, CEO of Fintech Association for Consumer Empowerment (FACE) told YourStory.

RBI’s classification of digital lenders

The central bank sorts digital lenders into three primary groups:

  1. Entities regulated and allowed by RBI to carry out lending business
  2. Entities not regulated by RBI, but authorised by other statutory/regulatory provisions to carry out lending
  3. Entities lending outside the purview of any statutory/regulatory provisions, i.e., not regulated by the RBI or any other bodies

For the third category, i.e., entities outside the purview of any regulators, RBI says it has written to the Central Government listing specific interventions that will help it curb illegitimate lending activity, including framing legislation to ban unregulated lending activities, setting up an independent body to ensure that only authorised and trusted DLAs are used by consumers, and setting up a National Financial Crime Record Bureau, among other things.

“True to its reputation of being a forward-looking financial regulator that successfully balances the needs of financial innovation with the constraints of securing the integrity and stability of the financial system, the RBI has provided a nuanced blueprint that will help the digital lending ecosystem to continue to grow in a responsible and sustainable manner,” the Digital Lending Authority of India said in a statement.

“At the same time the RBI has clearly addressed the need to stamp out incipient trends that are antithetical to the best practices related to customer protection and data security,” it added.

Action on pending items, or those that have only been accepted in principle by the central bank, is expected to be firmed up in the next 2-3 months, FACE’s Sugandh said.