Reserve Bank of India Guidelines on Digital Lending, 2022  

Posted On - 7 September, 2022 • By - Manisha Singh

The Reserve Bank of India (RBI) has issued a new set of guidelines to govern digital lending. In January 2021, the RBI commissioned a working group to study the digital lending industry and establish the lay of the land. The working group submitted a blueprint to the RBI for drafting regulations in November 2021. On August 10th 2022, the RBI took the first step toward providing an implementation framework vide a press release. Finally, on September 2nd 2022, the RBI issued Digital Lending Guidelines for immediate implementation.

Regulated Entities (REs) that work in an outsourced relationship with a Lending Service Provider (LSP) or Digital Lending Application (DLA) are not excluded from these guidelines and must comply with them. REs have been given until November 30th 2022 to meet the systematic standards and processes necessary to guarantee that existing digital loans comply with these criteria. The REs covered by the guidelines are all commercial banks, Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks, and Non-Banking Financial Companies. The guidelines have been divided into 3 parts:

I. Customer Protection and Conduct requirements 
II. Technology and Data Requirements 
III. Regulatory Framework 

I. Customer Protection and Conduct requirements 

Under this section, the guidelines concern the following:  

  1. Loan disbursal, servicing, and repayment 
  2. Collection of fees & charges 
  3. Disclosures to borrowers 
  4. Grievance redressal mechanisms 
  5. Assessing the borrower’s creditworthiness 
  6. Cooling off/look-up period 
  7. Due diligence and other requirements concerning LSPs

Loan disbursal, servicing, and repayment
  • All loan-related transactions are required to happen directly between the RE’s bank account and the borrower. No third party should be involved.  
  • Disbursements should be made directly to the bank account of the borrower, with no third party involved, except for:

    a) Disbursals covered exclusively under the statutory or regulatory mandate of the RBI.
    b) The flow of money between REs for co-lending transactions.
    c) Disbursals for specific end use (provided the loan is disbursed directly into the bank account of the end-beneficiary).

Collection of fees & charges 
  • REs should directly pay the LSPs and the borrower should not be charged by the LSPs directly in any case. 
  • The penal interest/charges levied on the borrowers shall be based on the outstanding amount of the loan. Further, the rate of such penal charges shall be disclosed upfront on an annualized basis to the borrower in the Key Fact Statement (KFS). 
Disclosures to borrowers 
  • The Annual Percentage Rate (APR) is the effective annualized rate charged to the borrower for the digital loan. It should be disclosed upfront to the borrowers by the REs. The KFS should include the APR too.
  • The KFS should be provided before the contract for the digital loan is executed. Annexure II of the guidelines should be referred to for the format of a KFS. It should have the relevant details such as the APR, the recovery mechanism, details of the grievance redressal officer designated specifically to deal with digital lending/FinTech-related matters, and the cooling-off/look-up period. Any charges not mentioned in the KFS cannot be charged by the REs.
  • Any document which is signed digitally such as KFS, privacy policies, a summary of loan product, etc. should be sent to the verified email/SMS upon execution of the loan contract. 
  • The REs must publish the list of all the DLAs & DLAs of LSPs that are involved with them, on their website. 
  • The REs must ensure that their DLAs and DLAs of LSPs at the onboarding/sign-up stage, prominently display information relating to the product features, loan limit, cost, etc., to make the borrowers aware of these aspects. 
  • REs are required to communicate all the relevant details regarding the recovery agent i.e., LSPs to the borrowers.  
  • REs must guarantee that DLAs and DLAs of LSPs include links to the RE’s website where borrowers can obtain more detailed information about the loan products, the lender, the LSP, customer service details, a link to Sachet Portal, privacy rules, and so on. It must be ensured that all such information is presented in a conspicuous single location on the website for ease of access.
Grievance redressal mechanism
  • It is mandatory for the REs to engage a nodal grievance redressal officer to deal with digital lending-related complaints & issues raised by the borrowers against the DLAs & DLAs of LSPs. The borrowers should have a facility to complain on the DLA’s website as well.
  • In case a complaint is not resolved within 30 days, the borrower can complain to the Complaint Management System portal under the Reserve Bank-Integrated Ombudsman Scheme.
Assessing the borrower’s creditworthiness 
  • It is mandatory for REs to maintain an economic profile record of the borrowers before sanctioning the loan. This record will contain details such as age, income, occupation, etc. 
  • REs shall ensure that there is no automatic increase in credit limit unless explicit consent of the borrower is taken on record for each such increase. 
Cooling off/look-up period 
  • A cooling off/look-up period is the time window as determined by the Board of the RE which shall be given to borrowers for exiting digital loans, in case a borrower decides not to continue with the loan.
  • The borrowers should have such an option, provided they are paying the principal along with the proportionate APR without any penalty during this period. 
  • The cooling-off period should not be less than 3 days for loans having a tenor of 7 days or more and 1 day for loans having a tenor of fewer than 7 days. 
Due diligence and other requirements concerning LSPs 
  • It is mandatory for the REs to conduct proper due diligence of the LSPs before entering into a partnership. The due diligence can be based on various factors such as technical abilities, data privacy policies and storage systems, fairness in conduct with borrowers and the ability to comply with regulations and statutes.
  • REs have to conduct periodic reviews of their LSPs. 

II. Technology and Data Requirements 

Under this section, the guidelines cover the following:  

  1. Collection, usage, and sharing of data with third parties & storage of data 
  2. Comprehensive privacy policy 
  3. Technology standards

Collection, usage, and sharing of data with third parties & Storage of Data
  • Unnecessary and irrelevant data, such as phone resources like files and media, contact lists, etc., should not be collected by the DLAs and DLAs of LSPs. Furthermore, it is also the duty of the REs to check that prior and explicit consent of the borrower has been taken for the same. The purpose of obtaining such consent is required to be disclosed at every stage of the process.
  • However, where data sharing is mandatory due to regulatory or statutory requirements, explicit consent is not mandatory.
  • Furthermore, the borrower shall be provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data and, if required, make the application delete or forget the data.
  • Personal information of the borrowers should not be stored, other than that which is required to carry out the operations for the digital loan, such as name, address, etc. REs need to instruct their DLAs and DLAs of LSPs about the type of data they are allowed to store and the length of time for which the data can be stored, along with the other restrictions over its use.
  • Biometric data may not be collected or stored unless it is a statutory requirement.
  • Lastly, it is mandatory to store the data only on Indian servers. 
Comprehensive privacy policy 
  • The REs must ensure that their DLAs and DLAs of LSPs have a comprehensive privacy policy in place and such policy should be publicly available. 

III. Regulatory Framework 

Under this section, the guidelines state the following:  

  1. Reporting to Credit Information Companies (CICs) 
  2. Loss-sharing arrangement in case of default

Reporting to CICs
  • REs need to ensure that any digital lending done through their DLAs and DLAs of LSPs should be reported to the CIC under the CIC Regulation Act, 2005, CIC Rules, 2006, and CIC Regulations, 2006.
  • In the case of outsourcing deferred payment products over a merchant platform for short-term, unsecured/secured credits or deferred payment, the REs have to ensure that their LSPs and DLAs of LSPs report it to the CIC. 
Loss sharing arrangement in case of default 
  • Regarding the industry practice of offering financial products involving contractual agreements such as the First Loss Default Guarantee (FLDG), in which a third party guarantees to compensate the RE for up to a certain percentage of default in a loan portfolio, it is recommended that REs follow the provisions of the Master Directions under the Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021, dated September 24th 2021, particularly synthetic securitisation. 

Looking Forward 

A review of the recommendations reveals that the report’s and the RBI’s strategy is based on regaining control over lending and returning the power and responsibility of lending to REs or other entities that are authorized to lend under existing statutes. Furthermore, it is necessary that the RBI regulates data gathering and retention by DLAs to protect the interests of the general public from any data breach, exorbitant interest rates, digital lending frauds, and so on by a few firms. These standards limit the involvement of the third party and prevent data misappropriation or misuse.

The regulatory organization is solely present to help with the wise and sustainable evolution of the digital lending ecosystem while protecting consumer interests. A robust method for effective model execution that includes liquidity and accountability might offer outstanding results in future implementation. Furthermore, promoting awareness and knowledge about issues affecting citizens’ daily lives should never stop.