Digital Lending no more morphing of images & data scrapping
Digital Lending no more morphing of images & data scrapping
Digital Lending involves lending through web
platforms or mobile apps, utilizing technology for authentication and credit
evaluation.
Historically, lending has been a transaction in which the lender gives
money to the borrower in exchange for a return (interest) on the money.
Traditionally, this sector was highly disorganized. It has evolved over
time from pawnbrokers lending money in exchange for collateral to a more
structured procedure involving banks and/or financial institutions. Rapid
advancements in cloud computing, artificial intelligence, and blockchain, as
well as faster and more affordable internet connectivity, have fuelled the rise
of FinTech start-ups, and lending has also transformed and become
"digital."
DIGITAL LENDING
Over 190 million Indian adults don't have any kind of bank account
thereby representing a huge opportunity. Over the years, the digital lending
market in India has significantly expanded. The value of digital lending rose
from USD 33 billion in FY15 to USD 150 billion in FY20 and is projected to
reach USD 350 billion by FY23.
FUTURE OF LENDING IS DIGITAL
The industry has been alerted by Covid-19 to the tremendous potential of
digital transformation. As customer demand for contactless transactions rises,
more lenders will adopt technology to provide borrowers with maximum
convenience. Even traditional banks and non-banking financial companies (NBFCs)
are realizing the need to digitize processes such as customer onboarding, risk
assessment, loan underwriting, disbursement, and repayment in order to reduce
operational costs and enhance the customer experience.
In the coming years, technology will continue to disrupt the digital
lending ecosystem, with a renewed emphasis on delivering an improved end-to-end
customer experience. Thus, it was high time for Reserve Bank of India, to
regulate this growing sector to safeguard the interest of both borrowers and
lenders.
The regulatory framework introduced by the RBI is based on the principle
that lending businesses can only be carried out by RBI regulated entities (“REs”)
or entities who are permitted to do so under any other law.
1. Credit Reporting
As per new regulations in place now it is mandatory that all
lending sourced through digital lending applications (“DLAs”) must
be reported to credit information companies (“CICs”). The DLAs may be
those operated by an RE, such as a bank or non-banking financial company, or an
LSP.
Additionally, all new digital lending products extended by REs
through merchant platforms involving short term credit or deferred payments
must be reported to CICs.
2. Data Privacy and Localisation
Data collection and storage: All
REs must store data on servers located within India. It also stipulates
that data collected by DLAs must be (i) need based; (ii) have clear audit
trails; and (iii) should only be done with explicit consent of the
borrowers. Additionally, borrowers must be permitted to (i) accept or deny
consent for the use of specific data or sharing of data with third
parties; (ii) revoke previously granted consent; and (iii) be given an
option to delete data collected from DLAs and LSPs.
Further, DLAs are prohibited from accessing mobile phone resources
such as file and media, contact list, call logs, telephony functions etc.
One-time access may be taken by a DLA for camera, microphone, location or other
facility necessary for on- boarding/KYC requirements (subject to explicit
consent by the borrower). However, no biometric data should be stored/collected
in systems associated with DLAs unless allowed by the regulatory guidelines.
Privacy policy and disclosures:
REs must ensure that all DLAs (including DLAs of LSPs) have
comprehensive publicly available privacy policies. Details of third parties
that are allowed to collect third party information through the DLA must be
disclosed. Further, clear policy guidelines regarding storage of customer data
(including the type of data that can be held, retention period,
use-restrictions relating to the data, destruction protocol and standards for
handling security breaches) must be disclosed prominently on the DLAs’ websites
and applications.
The purpose of obtaining borrowers’ consent must also be disclosed at
each stage of interface with the borrowers. Additionally, REs must ensure that
the DLAs contain links to the REs’ websites where further/detailed information
about the loan products, lenders, LSPs, customer care details, Sachet portal
and privacy policy may be accessed by borrowers.
3. Customer Protection and Disclosure Issues
Fund flow: All
loan servicing, repayment etc. must be done directly between lenders and
borrowers without any pass-through account/pool account of any third
party. Disbursements must always be made into the bank account of a
borrower. However, exceptions would be considered for (i) disbursals
covered exclusively under statutory or regulatory mandate; (ii) flow of
money between REs for co-lending transactions; and (iii) disbursals where
loans are mandated for specified end-use as per RBI guidelines (or
guidelines issued by any other regulator). Notably, REs must ensure that
any fees, charges etc. payable to LSPs are paid directly by REs and not
charged by the LSP to the borrower directly.
Disclosures: REs
must disclose upfront the all-inclusive cost of digital loans as an annual
percentage rate (“APR”). Additionally, REs must provide a key fact
statement (“KFS”) to borrowers before execution of the contract in
a standardized format for all digital lending products (specified in Annex
II of the Master Direction – Reserve Bank of India (Regulatory Framework
for Microfinance Loans) Directions, 2022).
The KFS must contain (i) the APR; (ii) terms and conditions of
recovery mechanism; (iii) details of the grievance redressal officer; and
(iv) cooling-off period. It specifies that any fees, charges etc. which
are not mentioned in the KFS cannot be charged by the RE at any time
during the term of the loan. REs must also publish a list of LSPs and DLAs
engaged by them along with the details of the activities for which they
have been engaged, on their websites. Notably, REs must ensure that
digitally signed documents supporting important transactions through DLAs,
such as (i) KFS; (ii) summary of product; (iii) sanction letter; (iv)
terms and conditions; (v) account statements; and (vi) privacy policies of
LSPs with respect to borrowers’ data will automatically flow from the
lender to the registered/verified email or SMS of the borrower, upon
execution of the loan contract/transactions.
Customer grievances: REs
must ensure that they and all their LSPs have nodal grievance redressal
officers to deal with FinTech/digital lending related complaints or issues
raised by borrowers. REs and LSPs must display the contact details of such
nodal grievance officers on their websites and DLAs along with information
on the mode of lodging a complaint. If complaints are not resolved by the
nodal grievance officers within 30 (thirty) days, complainants may lodge a
complaint through the ‘Reserve Bank Integrated Ombudsman Scheme’.
Credit worthiness: REs
are permitted to capture the economic profile of borrowers (age,
occupation, income etc.) before extending any loans over DLAs, in order to
assess a borrower’s credit worthiness in an auditable manner. However, REs
must ensure that automatic increases in credit limits are subject to
explicit borrower consent.
Cooling off/look-up period: A
cooling off/look-up period (determined by the board of each RE) must be
given to borrower for exiting digital loans in case the borrower decides
not to continue with the loan during that period, by paying the principal
and APR without any penalty.
LSP due diligence and restrictions: REs must conduct an enhanced due diligence process on each
LSP prior to engaging them and periodically thereafter taking into account
the LSP’s technical abilities, data privacy policies and storage systems,
fairness in conduct with borrowers and ability to comply with regulations
and statutes. REs must ensure that their LSPs do not store personal data
of borrowers, with the exception of minimal data (such as name, address,
contact details etc.) that may be required to carry out their operations.
The identity of the LSP acting as recovery agent (or any change in such
LSP) must be informed to borrowers as well.
However, the action on following is also awaited.
First-loss-default-guarantee (“FLDG”): The Report had recommended that REs be prohibited from
entering into any arrangements involving synthetic lending structures such
as FLDG where their balance sheets are used by unregulated entities in any
form to assume credit risk. While the RBI has accepted this recommendation
in principle, it is currently under review and has not yet been
implemented by the Press Release.
Baseline technology and data requirements: The RBI is formulating baseline technology standards for DLAs
which will include (i) secure application logic; (ii) keeping auditable
logs of every action that a user performs along with their IP address and
device information; (iii) monitoring of transactions being undertaken
through the DLA; and (iv) multi-step approval for critical activities
undertaken on the DLA.
Self-regulatory organisation (“SRO”): The Report had recommended that an SRO be set up to cover
REs, DLAs and LSPs in the digital lending ecosystem. While the RBI has
accepted this recommendation in principle, it is currently under review
and has not yet been implemented.
Banning of unregulated BSLs: The
Report had recommended that only REs be permitted to undertake lending
businesses as BSLs through DLAs. The RBI has stated that this
recommendation requires engagement with the Government of India and
stakeholders.
Digital India Trust Agency (“DIGITA”): The Report had recommended the setting up of a nodal agency
i.e., DIGITA, to verify the technological credentials of DLAs and maintain
a public register of verified DLAs on its website. The report also
recommended that applications which do not carry a ‘verified’ signature by
the DIGITA be considered unauthorized for the purpose of law enforcement.
The RBI has stated that this recommendation requires engagement
with the Government of India and stakeholders.
Dr. Ajay Kummar Pandey
( LLM, MBA, (UK), PhD, AIMA, AFAI, PHD Chamber, ICTC, PCI, FCC, DFC, PPL, MNP, BNI, ICJ (UK), WP, (UK), MLE, Harvard Square, London, CT, Blair Singer Institute, (USA), Dip. in International Crime, Leiden University, the Netherlands )
Advocate & Consultant, Supreme Court of India & High Courts