2 December 2024

RBI's Directions On Digital Lending Signal A Major Overhaul In IT Outsourcing

AK & Partners

AK & Partners is a full-service law firm, whose expertise spans diverse practice areas, including Banking and Finance, Dispute Resolution, Transaction Advisory and Funds, Data Privacy, Tax, and regulatory compliance. Our services are offered across different legal forums and jurisdictions, including the USA, the UK, Singapore, Italy, Spain, Sri Lanka, etc.

I. Prioritising Data Privacy: RBI's Guidelines on Digital Lending Compliance

As technology reshapes the lending landscape, data privacy compliance has become a critical obligation for lenders. Accordingly, the Reserve Bank of India ("RBI") issued the 'Guidelines on Digital Lending' ("Guidelines")1 on September 02, 2022, to ensure that digital lending practices protect borrower data. The Guidelines apply to Regulated Entities ("REs") such as commercial banks, co-operative banks and non-banking financial companies ("NBFCs"), and extend, through the REs, to the lending service providers ("LSPs") and digital lending apps or platforms ("DLAs") that REs engage, so that a consistent standard of data privacy applies across the lending chain. The principles governing the collection, use and sharing of borrower data are central to this compliance.

  1. Data Privacy and Consent: Any personal data collected by the DLAs of REs or of their LSPs must be need-based and collected only with the borrower's prior explicit consent, recorded through an auditable process. Borrowers must be able to give or deny consent for the use of specific data elements, restrict disclosure to third parties, withdraw consent already given, and request deletion of their data. Sharing a borrower's personal information with any third party requires the borrower's explicit prior consent, except where disclosure is required by law.2
  2. Safeguarding Data Storage: LSPs and DLAs engaged by an RE may store only the basic minimal borrower details (such as name, address and contact details) needed to carry out their operations, not the borrower's full personal information. REs must ensure that the data retention period, usage limitations, security breach response and data disposal procedures are set out in clearly disclosed policies on the relevant websites and apps. No biometric data may be collected or stored in systems associated with the DLA unless statutory guidelines expressly allow it, and all data must be stored on servers located within India.3
  3. Privacy Policy Transparency: LSPs and DLAs engaged by an RE must publish a comprehensive, legally compliant privacy policy describing how borrowers' personal data is collected, and the policy must name any third party that is allowed to collect personal information through the DLA.4 Upon execution of the loan contract, the RE must send the borrower digitally signed documents, including the Key Fact Statement ("KFS") and the privacy policy of the LSP/DLA, together with the other required loan documents.5
  4. Due Diligence on LSPs: REs must conduct enhanced due diligence on an LSP before entering into a partnership with it, assessing the LSP's technical capabilities, data privacy policies and practices, fairness in its conduct with borrowers, and overall regulatory compliance, and must review the LSP's conduct periodically thereafter.6

II. Regulating Data Management: RBI's Directions for Outsourced IT Services

The RBI issued the 'RBI (Outsourcing of Information Technology Services) Directions, 2023' ("Directions")7 on April 10, 2023, to govern how Regulated Entities ("REs"), which for the purposes of the Directions include commercial banks, urban co-operative banks (UCBs), NBFCs, credit information companies (CICs) and all-India financial institutions (AIFIs), manage data and IT systems when they outsource. The Directions aim to curb risks such as data breaches by holding REs accountable for outsourced activities and for the protection of customer data: outsourcing does not dilute an RE's responsibility for regulatory compliance or for the handling of customer grievances. The key data privacy and compliance requirements of the Directions include:

  1. Customer Data Residency: In the digital lending context, customer data outsourced to a third party must be stored exclusively in India, and the RE must ensure stringent controls over the confidentiality and integrity of that data.8
  2. Restrictions on Cross-Border Data Flows: Because cross-border outsourcing carries additional legal and political risk, REs must monitor the government policies and legal environment of the service provider's jurisdiction and maintain contingency plans for securely repatriating data during disruptions.9
  3. Customer Rights and Grievance Handling: Outsourcing must not diminish the rights of customers; REs must maintain a robust grievance redressal mechanism that covers lending services delivered through outsourced providers.10
  4. Oversight, Audits and Monitoring: REs must maintain an inventory of outsourced services, mapping the associated data flows and risks, and operate a governance framework that identifies, assesses and mitigates outsourcing risks through audits and ongoing monitoring.11
  5. Outsourcing Agreements and Exit Strategy: Outsourcing must rest on a legally binding agreement that clearly defines, among other things, service levels, data handling protocols, the RE's audit rights, the service provider's reporting obligations, and an exit strategy for transferring the activity back in-house or to another provider without interrupting the business.12
  6. Data Security Practices: Agreements must require the service provider to adhere to global data security standards, covering access controls, encryption, incident response and periodic security testing.13

Conclusion

The RBI's Guidelines and Directions together form a holistic regulatory framework for data privacy and outsourcing in digital lending. Reading them together matters because REs increasingly outsource lending functions while remaining fully accountable for the protection of customer data. By mandating stringent data practices, comprehensive due diligence of service providers and robust governance mechanisms, the two instruments ensure that innovation and operational efficiency do not come at the expense of customer privacy and transparency. REs that comply with both build trust, reduce risk, and allow digital lending to reach its full potential safely.

Footnotes

1. Guidelines on Digital Lending, Reserve Bank of India (RBI), dated September 02, 2022, available at: GUIDELINESDIGITALLENDINGD5C35A71D8124A0E92AEB940A7D25BB3.PDF (rbi.org.in).

2. Clause 10 of Guidelines on Digital Lending (RBI), dated September 02, 2022.

3. Clause 11 of Guidelines on Digital Lending (RBI), dated September 02, 2022.

4. Clause 12 of Guidelines on Digital Lending (RBI), dated September 02, 2022.

5. Clause 5 of Guidelines on Digital Lending (RBI), dated September 02, 2022.

6. Clauses 9.1 and 9.2 of Guidelines on Digital Lending (RBI), dated September 02, 2022.

7. Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, Reserve Bank of India (RBI), dated April 10, 2023, available at: 102MDITSERVICES56B33FD530B1433187D75CB7C06C8F70.PDF (rbi.org.in).

8. Chapter V, Section 16 (g) of Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, dated April 10, 2023.

9. Chapter IX of Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, dated April 10, 2023.

10. Chapter II, Section 7 of Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, dated April 10, 2023.

11. Chapters III, IV and VII of Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, dated April 10, 2023.

12. Chapters V and VI of Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, dated April 10, 2023.

13. Chapter V, Section 16 of Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, dated April 10, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
