The Reserve Bank of India (“RBI“) has issued a press release on August 10, 2022 (“Press Release“) on implementation of the recommendations made by the Working Group on ‘digital lending, including lending through online platforms and mobile apps’ (“WGDL“) under the report issued by the WGDL on November 18, 2021.
- MANNER OF IMPLEMENTATION
Under the Press Release, the RBI has categorized the implementation of recommendations of the WGDL into the following: –
2.1 Category 1: The recommendations that RBI has accepted for immediate implementation.
2.2 Category 2: The recommendations that RBI has accepted at an in-principle level but have been marked for further examination.
2.3 Category 3: The recommendations that RBI has marked for wider engagement with the Government and other stakeholders.
While the Press Release sets out the implementation plan for recommendations made by the WGDL, the RBI has clarified that detailed instructions on this subject will be issued separately.
- Entities involved in Digital Lending
The RBI has classified the universe of digital lending in the following groups: –
3.1 Regulated Entities (“REs“): These are entities regulated by the RBI to conduct the lending business and include banks and non-banking financial companies.
3.2 Lending Service Providers (“LSPs“): REs engage these unregulated fintech players as outsourced service providers (which act as the agent of the RE) for credit and lending facilitation services / functions that include customer acquisition, underwriting support, pricing support, disbursement, servicing, monitoring, collection, recovery of specific loan or loan portfolio.
3.3 Digital Lending Apps (“DLAs“): The DLAs are web-based applications and mobile applications that provide user interface to facilitate borrowing by a borrower from a digital lender. The DLAs may be operated by REs or LSPs engaged by REs.
The Press Release outlines the compliance requirements for REs, LSPs and DLAs. However, the responsibility to ensure implementation of the requirements by the LSPs and DLAs has been entrusted with the REs.
- Key Highlights of the Implementation plan
Category 1 Recommendations
4.1 Disbursal and Repayment of Loans:
- All loan disbursals and repayments must be executed only between bank account of borrower and RE, without pass-through or pool account of LSPs or any third party. However, the Press Release indicates certain exceptions such as disbursals covered exclusively under a regulatory mandate or flow of funds between REs for co-lending transactions. As a result, loan disbursals even into fully know-your-customer (KYC) compliant prepaid payment instruments (PPIs) may not be permissible.
- The above conditionality is likely to necessitate alteration of the funds flow for a majority of the players who route the loans through the pool / nodal accounts of the LSP.
- Considering lending solutions typically involve multiple lenders providing credit through the same DLA, the industry may require innovative banking solutions to enable the disbursements to and repayments by borrowers. In certain instances, it is the LSPs that manage the entire loan disbursement as the merchant relationships are usually not with the lenders.
- It is not clear if the prohibition extends to pool accounts of payment aggregators (“PAs“), which are in the nature of escrow accounts, particularly in light of the exemption proposed for disbursals covered under regulatory mandates. This may affect the buy-now-pay-later (“BNPL“) industry, which normally works on a mechanism where the lender disburses funds to the escrow account of the PA for onward settlement with the merchants.
4.2 Handling of Data:
- The Press Release has also proposed a much more stringent and comprehensive data protection framework for data associated with digital lending in comparison to the framework under the Information Technology Act, 2000.
- A DLA is only permitted to collect data with explicit consent of the borrower, which must be specific and need-based. The borrower must also be provided the option to withdraw consent, restrict disclosure of data to third-parties or make the DLA delete the data. The purpose of consent of the borrower must be disclosed as each stage of the interface with the borrowers.
- DLAs must desist from accessing the borrower’s mobile phone resources, like files, media, contacts and call logs etc., and take one-time access for camera, microphone or location etc. for on-boarding and KYC.
- The REs are also required to store all data in servers located within India. In this regard, clarity may need to be sought from the RBI on the nature and categories of data that needs to be localised and if there are any exceptions around cross-border transfer of such data for processing, akin to payments data.
- 4.3 Key Fact Statement: A standardised Key Fact Statement (comprising of details such as annual percentage of rate (“APR“), terms of recovery, grievance redressal officer etc.) must be provided by the RE to the borrower before executing the loan contract. APR is an all-inclusive cost of digital lending that will include cost of funds, credit cost and operating cost, processing fee, verification charges, maintenance charges, etc.
4.4. Grievance Redressal Officer: REs and LSPs must appoint a suitable nodal grievance redressal officer to address digital lending complaints or complaints against DLAs of borrowers. The RBI’s Integrated Ombudsman Scheme will also be available to borrowers for recourses on digital lending complaints.
4.5 Increase in Credit Limit: An automatic increase in credit limit without borrower’s explicit consent has been prohibited.
4.6 Credit Reporting:
- All of the lending that a borrower has sourced through DLAs must be reported to Credit Information Companies (“CICs“) by REs.
- Also, REs must report all new digital lending products extended by REs over merchant platforms involving short-term credit or deferred payments, to CICs.
- This expressly brings all types of BNPL offerings and short-term loans within the gamut of reporting to CICs. Such reporting requirement may push borrowers away from these BNPL offerings, as the reporting BNPL loans can adversely impact a borrower’s credit score even on timely repayments, as one of the metrics used in credit-scoring is average credit age which will be low / short for the short duration of BNPL loans.
4.7 Underwriting: The Press Release specifies that REs may capture a borrower’s economic profile, which may include age, occupation, income etc., with a view to assess creditworthiness, in an auditable way.
Category 2 Recommendations
4.8 Use of Algorithms in underwriting: Algorithms that are used by REs for credit-scoring must be trained using accurate and diverse data. This will help prevent discriminatory outcomes. The algorithms must also be auditable to identify minimum underwriting standards and discrimination factors.
4.9 First-Loan-Default-Guarantees: Under the Press Release, RBI has indicated that REs need to ensure that first-loan-default-guarantees (FLDG) must comply with the guidelines for securitization of standard assets.
4.10 Self-Regulatory Organization: A self-regulatory organization is proposed to be set-up for digital lending industry, with the responsibilities of framing model agreements, codes of conduct, training and accreditation mechanisms, blacklists of errant entities and framing of standardised code of conduct for recovery, etc.
4.11 Technology Standards: RBI may propose baseline technology standards for the DLAs, for security of applications and monitoring of transactions.
4.12 Returns: REs must be required to furnish periodical returns and reports for digital lending data.
Category 3 Recommendations
4.13 Unregulated lending: Government may consider formulating a law to ban unregulated lending activities to cover lending by entities that are not authorized by the RBI.
4.14 FIU checks: The Financial Intelligence Network channel of the Financial Intelligence Unit – India (FIU-IND) may be explored to supplement the due diligence of borrowers by REs.