In recent years, the Indian financial system has seen a large rise in the
proportion of digital lending, which provides both consumers and enterprises
easy access to credit. The absence of rules and consumer protection measures has
given rise to various concerns surrounding the digital lending space.
In order to regulate the same, the Reserve Bank of India ("RBI") has taken
various actions to tighten the regulatory framework for digital lending. In
order to do so, RBI first set up a Working Group on Digital Lending (the
"Working Group") and published a list of recommendations for regulating the
digital lending framework for the feedback of several stakeholders.
On August 10, 2022, RBI also published a paper titled "Recommendation of the
Working Group on Digital Lending - Implementation", setting out the
implementation methods for the recommendations provided by the Working Group.
Finally, on September 02, 2022, RBI issued its final
Digital Lending Guidelines which aim at protecting the users of the digital
lending applications and set forth the disclosure, operational and grievance redressal compliances. Recently, on February 14, 2023, RBI issued its first set of
FAQs on the Digital Lending Guidelines.
This note aims to provide a broad overview of the legal framework governing
Digital Lending: Meaning
Digital Lending is a remote and automated lending process, largely by use of
seamless digital technologies for customer acquisition, credit assessment, loan
approval, disbursement, recovery, and associated customer service. The main
characteristics that are essential to distinguish digital lending from
conventional lending are:
- Use of digital technologies;
- Credit assessment and loan approval;
- Loan disbursement;
- Loan repayment;
- Customer service.
The digital lending landscape in India is still developing and offers a
patchy picture. As of now Non-Banking Financial Companies ("NBFCs") have been at
the forefront of partnering digital lending while banks have been implementing
more and more innovative techniques in digital operations. From the standpoint
of digital lending, these loans come in two varieties: (i) platform lending,
also known as Market Place Lending ("MPL"), and (ii) Balance Sheet Lending ("BSL").
- Recommendations Of The Working Group
Taking a broad approach, RBI established the Working Group for the purpose of
formulating digital lending laws in India. The paper issued by RBI in this
context has covered the aspect of digital lending through websites and mobile
applications. The paper aims to improve customer safety, secure the digital
lending ecosystem, and promote innovation.
In furtherance of this, RBI set out
certain recommendations: minimum technical standards should be created for
digital lending applications, and compliance with
those standards should be a must before providing digital lending solutions. The
group suggests that every activity a user takes on the application should be
recorded in auditable logs, and that each financial application should be
securely signed and authenticated.
- Implementation Paper - An Overview
Consequent to the Working Group, the RBI issued its Implementation Paper
focusing on innovative methods of designing and delivery of credit products and
their servicing through digital lending route. This Implementation Paper aimed
at mitigating concerns relating to unbridled engagement of third parties, mis-selling,
breach of data privacy, unfair business conduct, charging of exorbitant interest
rates, and unethical recovery practices. The RBI's Regulated Entities ("REs")
and the Lending Service Providers ("LSPs") contract to extend various permitted
credit facilitation services are the focus of the regulatory framework of the
The Implementation paper largely covers the following concepts:
- Customer Protection and Conduct Issues;
- Technology and Data Requirements;
- Regulatory Framework.
The above-mentioned aspects of the Implementation Paper were discussed in detail
in the digital lending guidelines dated September 02, 2022 issued by the RBI
immediately after the Implementation Paper.
- Guidelines On Digital Lending ("Guidelines"): September 02, 2022
Application: The Guidelines are applicable to digital lending services extended by all:
- (i) Commercial Banks,
- (ii) Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks; and
- (iii) NBFCs (including Housing Finance Companies).
- Annual Percentage Rate ("APR"): APR is the effective annualised rate charged to the borrower of a digital loan. APR shall be based on an all-inclusive cost and margin including cost of funds, credit cost and operating cost, processing fee, verification charges, maintenance charges, etc., and exclude contingent charges like penal charges, late payment charges, etc.
- Cooling off/look-up period: If a borrower decides not to continue with the loan, they will be given a window of time, as set by the Board of the RE, during which they can quit their digital loan.
- Digital Lending: An automated and remote lending procedure that heavily relies on seamless digital technology for customer acquisition, credit scoring, loan approval, disbursement, recovery, and related customer support.
- Digital Lending Apps/Platforms ("DLAs"): User-friendly mobile and online applications that support digital lending services. Applications run by REs as well as LSPs hired by REs for providing any credit facilitation services in accordance with current outsourcing standards outlined by the Central Bank will be included in DLAs.
- Lending Service Provider ("LSP"): An agent of a Regulated Entity who, in accordance with the RBI's current outsourcing guidelines, performs one or more of the lender's functions, or portions thereof, in customer acquisition, underwriting support, pricing support, servicing, monitoring, and recovery of a particular loan or loan portfolio, on behalf of REs.
3. Key Highlights of the Digital Lending Guidelines:
- Loan Disbursal, Servicing and Repayment: The borrower must execute all loan servicing, repayment, etc. directly into the RE's bank account without using a pass-through account or pool account of any other party, as required by REs. Except for disbursals covered exclusively by statutory or regulatory mandate (of the RBI or of any other regulator), flow of funds between REs for co-lending transactions, and disbursements for specific end uses, provided the loan is disbursed directly into the bank account of the end-beneficiary, all disbursements must always be made into the borrower's bank account. Except as specified in these guidelines, REs must make sure that no disbursal is ever made to a third-party account, including the accounts of LSPs and their DLAs.
- Collection of fees, charges, etc:
- Payment of Fees/Charges: REs must make sure that any fees, charges, etc., due to LSPs are paid by them (REs) directly and are not charged by LSPs directly to the borrower.
- Penal Interest/ Charges: The amount of the loan that is still owed
will be the basis for any penal interest or charges that are assessed
against the borrowers. Additionally, the yearly rate of such penal costs
must be stated upfront to the borrower in Knowledge Fact Statement (KFS).
- Disclosures to borrowers:
- APR: APR, which represents the total cost of digital loans for the borrower, must be disclosed up front by REs and included in the Important Fact Statement.
- KFS: Before the contract is signed, REs must give the borrower a KFS in a uniform manner for all digital lending products. In addition to other relevant information, the KFS must include information about the APR, the recovery procedure, the grievance redressal officer assigned particularly to handle issues relating to digital lending and fintech, as well as the cooling-off and look-up periods. REs are not permitted to charge the borrower any fees, charges, etc. that are not specified in the KFS at any time throughout the loan's term.
- Digitally signed documents: As soon as the loan contract or transaction is completed, REs must make sure that digitally signed documents (on the RE's letterhead), such as the KFS, summary of the loan product, sanction letter, terms and conditions, account statements, and privacy policies of the LSPs/DLAs with regard to the data of the borrowers, automatically flow to the borrowers on their registered and verified email or SMS.
- List of LSPs: On their websites, REs must prominently disclose a list of their DLAs, the LSPs they have employed, and the DLAs of those LSPs, along with information on the activities for which they have been hired.
- Product Information: To ensure that borrowers are aware of the product features, loan limit, cost, etc., REs must make sure that their DLAs or the DLAs of their LSPs prominently display this information at the onboarding/sign-up stage.
- Details of recovery agent: When a loan is approved and when recovery duties are transferred to another LSP or when that LSP changes, REs must inform the borrower of the identity of the LSP acting as recovery agent who has permission to contact the borrower for recovery.
- Link to website: REs must make sure that DLAs of REs and LSPs link to REs' website so that borrowers can get additional/detailed information about the loan products, the lender, the LSP, details of customer support, a link to Sachet Portal, privacy rules, etc. For ease of access, it must be assured that all such information is placed prominently in one location on the website.
- Grievance Redressal:
- Nodal grievance redressal officer - The REs must make sure that they and the
LSPs they have hired have a qualified nodal grievance redressal officer to
handle any complaints or difficulties borrowers may have regarding FinTech or
digital lending. The complaints against their respective DLAs would also be
handled by this grievance redressal officer. On the websites of the RE, its LSPs,
and DLAs, as well as in the KFS given to the borrower, contact information for
grievance redressal authorities must be prominently displayed. Furthermore, the
DLA and the aforementioned website will also have a complaint filing option. It
is stated once more that the RE will continue to be in charge of resolving
- The borrower has the right to file a complaint through the Complaint
Management System ("CMS") portal under the Reserve Bank-Integrated Ombudsman
Scheme ("RB-IOS") if any grievances brought forth by the borrower against the lender or
the LSP employed by the lender are not resolved by the lender within the allotted
time frame (currently 30 days). Complaints may be filed by entities
that are currently not covered by RB-IOS in accordance with RBI's prescribed
grievance redressal procedure.
- Assessing the borrower's creditworthiness:
- Before extending any loan over their own DLAs and/or through LSPs they have
hired, REs shall record the economic profile of the borrowers (age, occupation,
income, etc.) in order to assess the borrower's creditworthiness in an auditable
- REs must make sure that no credit limit is automatically increased unless
the borrower's express approval is obtained and recorded for each such increase.
- Cooling off/look-up period: A borrower must be provided the option to
explicitly cancel a digital loan by paying down the principal and the
proportionate APR during this time without incurring any penalties. The
Board of the RE will choose the cooling-off period. For loans with a length
of seven days or longer, the period cannot be fewer than three days; for
loans with a term of less than seven days, it cannot be less than one day.
Pre-payment shall still be permitted in accordance with current RBI
standards for borrowers who continue making loan payments even beyond the
- Due diligence and other requirements with respect to LSPs:
- When forming a partnership with an LSP for digital lending, REs must perform
expanded due diligence, taking into account the LSP's technical prowess, data
protection policies and storage systems, fairness in dealing with borrowers,
and capacity to adhere to laws and regulations.
- REs shall perform routine reviews of the behaviour of the LSPs they have
employed. REs shall provide the required direction to LSPs serving as recovery
agents to ensure that they carry out their responsibilities responsibly and in
accordance with the applicable instructions.
- Collection, usage and sharing of data with third parties:
- REs must make sure that any data collection by their DLAs and the DLAs of
their LSPs is based on a legitimate purpose and has an audit trail with the
borrower's prior and unambiguous consent. In any scenario, REs must make sure
DLAs do not access resources on the borrower's mobile device such as files and media, contact lists,
call records, telephony features, etc. With the explicit permission of the
borrower, a one-time access may be granted for the camera, microphone, location,
or any other facility required for on-boarding/KYC needs only.
- The borrower will have the choice of granting or denying consent for the
use of specified data, restricting disclosure to third parties, limiting
data retention, revoking previously granted consent to collect personal
data, and, if necessary, requesting that the app erase or forget the data.
- At each level of the borrower interaction, the reason for seeking their
approval must be made clear.
- Personal information about borrowers will not be shared with any other
party without their express authorization, unless a legislative or
regulatory requirement calls for it.
- Storage of data
REs must make sure that the LSPs/DLAs they hire do not retain any borrower
personal information above the very minimum needed to conduct business, such as
name, address, and customer contact information. The RE shall be responsible for
data privacy and security of the customer's personal information.
- REs must make sure that there are clear policy guidelines regarding the
storage of customer data, including the kind of data that can be stored, how
long it can be stored, restrictions on its use, data destruction protocol,
standards for handling security breaches, etc. These guidelines must also be
disclosed by the DLAs of the REs and of the LSP the RE has contracted with
prominently on their websites and application at all times.
- REs must make sure that no biometric data is retained or collected in the
systems connected to their DLAs or their LSPs unless specifically permitted by
the law as it stands.
- REs must make sure that all data is kept on servers only in India and that
all legal and regulatory requirements are followed.
REs are required to make sure that the DLAs and LSPs they hire have a detailed
RBI guidelines. DLAs of REs/LSPs should make their detailed privacy policies
publicly accessible for borrowers' access and collecting of personal
(if appropriate) who are permitted to acquire personal information through the
- Technology Standards
When engaging in digital lending, REs must make sure that both they and the LSPs
they have hired abide by the different technical standards and cybersecurity
criteria outlined by the RBI and other agencies, as well as any other
requirements that may be periodically established.
- Reporting to Credit Information Companies (CICs):
- REs must make sure that all lending conducted through their DLAs and/or the
DLAs of LSPs is reported to CICs, regardless of its nature or tenor, in
accordance with the provisions of the Credit Information Companies (CIC)
(Regulation) Act, 2005, CIC Rules, 2006, CIC Regulations, 2006, and related
guidelines issued by RBI from time to time.
- REs must report to CICs any extensions of structured digital lending
products by REs and/or LSPs they have worked with over a merchant platform that
involve short-term, unsecured/secured credits or deferred payments. RBI has
released current outsourcing guidelines, and REs must make sure that LSPs, if
any, connected to such delayed payment credit products follow these
- Loss sharing arrangement in case of default:
As regards the industry practice of offering financial products involving
contractual agreements such as First Loss Default Guarantee ("FLDG") in which a
third party guarantees to compensate up to a certain percentage of default in a
loan portfolio of the RE, it is advised that REs shall adhere to the provisions
of the Master Direction - Reserve Bank of India (Securitisation of Standard
Assets) Directions, 2021 dated September 24, 2021,
especially synthetic securitisation contained in Para (6)(c). FLDG is a
financial product that provides a guarantee to lenders against losses arising
from the default of loans extended to borrowers. It is a form of credit risk
mitigation that aims to encourage lending to individuals or entities that may
have a higher risk of default.
Under the FLDG, a third-party guarantor, such as a bank or an insurance company,
guarantees a portion of the losses that the lender may incur in the event of a
default. The guarantor typically covers the first loss, up to a certain
percentage of the loan amount, while the lender bears the remaining losses.
The guidelines are expected to create a level playing field for both traditional
and digital lenders and ensure that customers are not taken advantage of by
unscrupulous lenders. With the growth of digital lending in India, it is
important to have strong regulations in place to protect the interests of all
stakeholders. The success of the guidelines will depend on their effective
implementation and enforcement.
It is also important for consumers to be aware of their rights and
responsibilities while borrowing from digital lenders. Overall, the digital
lending guidelines are a step in the right direction and are expected to have a
positive impact on the digital lending industry in India.
One area that the fintech industry is waiting for guidance on is the regulation
of peer-to-peer ("P2P") lending platforms. P2P lending platforms, which connect
borrowers with lenders directly, have seen rapid growth in India in recent
years. However, there is still some ambiguity around their regulatory framework,
and many players in the industry are awaiting further guidance from the RBI.
Another area of concern is the use of digital identities and e-KYC (know your
customer) for onboarding customers. While the DLG allows for the use of digital
identities and e-KYC for customer onboarding, there is still some uncertainty
around the specific requirements and processes for this. The fintech industry is
waiting for further clarity on this issue to streamline the customer onboarding
process and reduce operational costs.
In conclusion, the digital lending guidelines introduced by the RBI are a
welcome step towards regulating the digital lending space in India. The
guidelines aim to promote responsible lending practices, protect consumers'
rights, and promote fair competition among lenders. The guidelines cover several
key areas, including customer data privacy, transparency in pricing and terms,
and grievance redressal mechanisms.