Digital Lending no more morphing of images & data scrapping

Digital Lending no more morphing of images & data scrapping

Digital Lending involves lending through web platforms or mobile apps, utilizing technology for authentication and credit evaluation.

Historically, lending has been a transaction in which the lender gives money to the borrower in exchange for a return (interest) on the money.

Traditionally, this sector was highly disorganized. It has evolved over time from pawnbrokers lending money in exchange for collateral to a more structured procedure involving banks and/or financial institutions. Rapid advancements in cloud computing, artificial intelligence, and blockchain, as well as faster and more affordable internet connectivity, have fuelled the rise of FinTech start-ups, and lending has also transformed and become "digital."

DIGITAL LENDING

Over 190 million Indian adults don't have any kind of bank account thereby representing a huge opportunity. Over the years, the digital lending market in India has significantly expanded. The value of digital lending rose from USD 33 billion in FY15 to USD 150 billion in FY20 and is projected to reach USD 350 billion by FY23.

FUTURE OF LENDING IS DIGITAL

The industry has been alerted by Covid-19 to the tremendous potential of digital transformation. As customer demand for contactless transactions rises, more lenders will adopt technology to provide borrowers with maximum convenience. Even traditional banks and non-banking financial companies (NBFCs) are realizing the need to digitize processes such as customer onboarding, risk assessment, loan underwriting, disbursement, and repayment in order to reduce operational costs and enhance the customer experience.

In the coming years, technology will continue to disrupt the digital lending ecosystem, with a renewed emphasis on delivering an improved end-to-end customer experience. Thus, it was high time for Reserve Bank of India, to regulate this growing sector to safeguard the interest of both borrowers and lenders.

The regulatory framework introduced by the RBI is based on the principle that lending businesses can only be carried out by RBI regulated entities (“REs”) or entities who are permitted to do so under any other law.

1. Credit Reporting

As per new regulations in place now it is mandatory that all  lending sourced through digital lending applications (“DLAs”) must be reported to credit information companies (“CICs”). The DLAs may be those operated by an RE, such as a bank or non-banking financial company, or an LSP.

 Additionally, all new digital lending products extended by REs through merchant platforms involving short term credit or deferred payments must be reported to CICs.

2. Data Privacy and Localisation

1. Data collection and storage: All REs must store data on servers located within India. It also stipulates that data collected by DLAs must be (i) need based; (ii) have clear audit trails; and (iii) should only be done with explicit consent of the borrowers. Additionally, borrowers must be permitted to (i) accept or deny consent for the use of specific data or sharing of data with third parties; (ii) revoke previously granted consent; and (iii) be given an option to delete data collected from DLAs and LSPs.

 Further, DLAs are prohibited from accessing mobile phone resources such as file and media, contact list, call logs, telephony functions etc. One-time access may be taken by a DLA for camera, microphone, location or other facility necessary for on- boarding/KYC requirements (subject to explicit consent by the borrower). However, no biometric data should be stored/collected in systems associated with DLAs unless allowed by the regulatory guidelines.

Privacy policy and disclosures:

 REs must ensure that all DLAs (including DLAs of LSPs) have comprehensive publicly available privacy policies. Details of third parties that are allowed to collect third party information through the DLA must be disclosed. Further, clear policy guidelines regarding storage of customer data (including the type of data that can be held, retention period, use-restrictions relating to the data, destruction protocol and standards for handling security breaches) must be disclosed prominently on the DLAs’ websites and applications.

The purpose of obtaining borrowers’ consent must also be disclosed at each stage of interface with the borrowers. Additionally, REs must ensure that the DLAs contain links to the REs’ websites where further/detailed information about the loan products, lenders, LSPs, customer care details, Sachet portal and privacy policy may be accessed by borrowers.

3. Customer Protection and Disclosure Issues

1. Fund flow: All loan servicing, repayment etc. must be done directly between lenders and borrowers without any pass-through account/pool account of any third party. Disbursements must always be made into the bank account of a borrower. However, exceptions would be considered for (i) disbursals covered exclusively under statutory or regulatory mandate; (ii) flow of money between REs for co-lending transactions; and (iii) disbursals where loans are mandated for specified end-use as per RBI guidelines (or guidelines issued by any other regulator). Notably, REs must ensure that any fees, charges etc. payable to LSPs are paid directly by REs and not charged by the LSP to the borrower directly.
2. Disclosures: REs must disclose upfront the all-inclusive cost of digital loans as an annual percentage rate (“APR”). Additionally, REs must provide a key fact statement (“KFS”) to borrowers before execution of the contract in a standardized format for all digital lending products (specified in Annex II of the Master Direction – Reserve Bank of India (Regulatory Framework for Microfinance Loans) Directions, 2022).
3. The KFS must contain (i) the APR; (ii) terms and conditions of recovery mechanism; (iii) details of the grievance redressal officer; and (iv) cooling-off period. It specifies that any fees, charges etc. which are not mentioned in the KFS cannot be charged by the RE at any time during the term of the loan. REs must also publish a list of LSPs and DLAs engaged by them along with the details of the activities for which they have been engaged, on their websites. Notably, REs must ensure that digitally signed documents supporting important transactions through DLAs, such as (i) KFS; (ii) summary of product; (iii) sanction letter; (iv) terms and conditions; (v) account statements; and (vi) privacy policies of LSPs with respect to borrowers’ data will automatically flow from the lender to the registered/verified email or SMS of the borrower, upon execution of the loan contract/transactions.
4. Customer grievances: REs must ensure that they and all their LSPs have nodal grievance redressal officers to deal with FinTech/digital lending related complaints or issues raised by borrowers. REs and LSPs must display the contact details of such nodal grievance officers on their websites and DLAs along with information on the mode of lodging a complaint. If complaints are not resolved by the nodal grievance officers within 30 (thirty) days, complainants may lodge a complaint through the ‘Reserve Bank Integrated Ombudsman Scheme’.
5. Credit worthiness: REs are permitted to capture the economic profile of borrowers (age, occupation, income etc.) before extending any loans over DLAs, in order to assess a borrower’s credit worthiness in an auditable manner. However, REs must ensure that automatic increases in credit limits are subject to explicit borrower consent.
6. Cooling off/look-up period: A cooling off/look-up period (determined by the board of each RE) must be given to borrower for exiting digital loans in case the borrower decides not to continue with the loan during that period, by paying the principal and APR without any penalty.
7. LSP due diligence and restrictions: REs must conduct an enhanced due diligence process on each LSP prior to engaging them and periodically thereafter taking into account the LSP’s technical abilities, data privacy policies and storage systems, fairness in conduct with borrowers and ability to comply with regulations and statutes. REs must ensure that their LSPs do not store personal data of borrowers, with the exception of minimal data (such as name, address, contact details etc.) that may be required to carry out their operations. The identity of the LSP acting as recovery agent (or any change in such LSP) must be informed to borrowers as well.
8. However, the action on following is also awaited.
9. First-loss-default-guarantee (“FLDG”): The Report had recommended that REs be prohibited from entering into any arrangements involving synthetic lending structures such as FLDG where their balance sheets are used by unregulated entities in any form to assume credit risk. While the RBI has accepted this recommendation in principle, it is currently under review and has not yet been implemented by the Press Release.
10. Baseline technology and data requirements: The RBI is formulating baseline technology standards for DLAs which will include (i) secure application logic; (ii) keeping auditable logs of every action that a user performs along with their IP address and device information; (iii) monitoring of transactions being undertaken through the DLA; and (iv) multi-step approval for critical activities undertaken on the DLA.
11. Self-regulatory organisation (“SRO”): The Report had recommended that an SRO be set up to cover REs, DLAs and LSPs in the digital lending ecosystem. While the RBI has accepted this recommendation in principle, it is currently under review and has not yet been implemented.
12. Banning of unregulated BSLs: The Report had recommended that only REs be permitted to undertake lending businesses as BSLs through DLAs. The RBI has stated that this recommendation requires engagement with the Government of India and stakeholders.
13. Digital India Trust Agency (“DIGITA”): The Report had recommended the setting up of a nodal agency i.e., DIGITA, to verify the technological credentials of DLAs and maintain a public register of verified DLAs on its website. The report also recommended that applications which do not carry a ‘verified’ signature by the DIGITA be considered unauthorized for the purpose of law enforcement.
14. The RBI has stated that this recommendation requires engagement with the Government of India and stakeholders.

 

Dr. Ajay Kummar Pandey