INTRODUCTION

The latest era of the fintech revolution in India has seen a spurt of digital lending apps enter the market and offer easy access to affordable credit facilities to consumers. While this has led to an exponential growth of the digital financial services sector, there have been serious concerns over breach of data privacy, unethical business conduct and unregulated operations, arising due to greater reliance by lenders on third-party online service providers mis-selling to unsuspecting customers. These third-party technology companies tie up with regulated lending entities (Banks/NBFCs), act as agents of the lenders and carry out one or more of the lender's functions in customer acquisition, underwriting support, pricing support, disbursement, servicing, monitoring, collection, liquidation of specific loan or loan portfolio, for compensation from the lender, i.e., they act as 'Lending Service Providers' ("LSPs"). However, there have been instances of LSPs extending lending products to consumers directly, without being authorized to undertake lending activities, which has led to blurring of regulated and unregulated financial institutions/activities.

In view of the continued rapid growth of fintech companies, and the increasing risk of customers being exposed to unethical practices, the Reserve Bank of India ("RBI") constituted a Working Group ("Working Group") to study all aspects of digital lending activities so that an appropriate regulatory mechanism can be developed. On November 18, 2021, the Working Group issued a report on digital lending (the "Report"). The Report proposes recommendations to protect the integrity of the financial system against entities that are not regulated and not authorized to carry out lending business. The Report proposes to regulate the digital lending ecosystem by ensuring that third-party lending service providers are subject to a standard protocol of business conduct, which would be enforced by the regulated lending entities that they would tie up with. The recommendations in the Report further envisage an institutional mechanism to ensure a basic level of customer suitability, appropriateness and protection of data privacy.

RECOMMENDATIONS OF THE WORKING GROUP

We have listed below the salient recommendations proposed by the Working Group.

A. Regulatory & Policy-Oriented Recommendations

1. A nodal agency, Digital India Trust Agency (DIGITA), should be set up to verify the technological credentials of Digital Lending Apps before such apps are distributed to the public through app stores. Only the apps carrying the verification mark by DIGITA should be considered as authorized apps. DIGITA should maintain a list of all verified apps and would have the power to revoke the 'verified' status of apps on account of non-compliance.

A Digital Lending App (DLA) is defined as a mobile and web-based application with user interface that facilitates borrowing by a financial consumer from a digital lender.

2. Short Term Consumer Credit (STCC) is identified as the practice of lending small amounts of money to consumers for short periods (for example - from a few days up to 12 months) and at an annual percentage rate considered high compared with other credit products generally available to consumers. STCC is proposed to be regulated, with digital lending included in its ambit, in a similar manner as Micro Finance Institutions (MFIs). Alternatively, the extant framework regulating MFIs could be amended to include STCCs to have a single framework governing short term lending.

3. A separate framework should be developed by RBI on Agency Financial Service Regulation (AFSR) to regulate all customer-facing, fully outsourced activities of regulated entities, including services provided by LSPs.

4. A Self-Regulatory Organization (SRO) covering DLAs and LSPs should be set up. The SRO would develop a code of conduct for Recovery Agents as part of AFSR, including provisions for the SRO to maintain a list of erring members.

5. The Central Government should formulate a legislation titled "Banning of Unregulated Lending Activities (BULA) Act" to regulate / ban lending entities not regulated or authorized by the RBI for undertaking lending business or entities not registered under any other law for specifically undertaking public lending.

6. A separate forum to address specific grievances of consumers related to financial services called National Financial Consumer Protection Regulation should be developed under the Consumer Protection Act, 2019.

7. The Registrar of Companies should identify shell finance companies and finance companies with proxy directors or opaque beneficial owners and share such data with the RBI on a real-time basis. This would enable RBI to take suitable action with respect to association of such companies across banks and NBFCs.

8. TRAI should be inducted as a member or need-based invitee of the authorities governing SLCC and the financial sector due to the key role of mobile phones and mobile phone networks in the digital lending ecosystem.

9. The payment system regulations should be revised to refine 'travel rules' for OTP and SMS/e-mail alerts sent to users, and should display, at minimum, details such as transaction amount, available balance, name of receiver/beneficiary, as returned by the receiver's bank and not provided by the sender. Travel Rule is defined as the information required to be collected, retained and be included in every fund transfer transaction initiated by one financial institution on behalf of a customer that should travel (be passed along) to each successive financial institution in the funds transfer chain.

B. Digital Lending Oversight Recommendations

1. Balance sheet lending through DLAs should be restricted to entities regulated and authorized by the RBI, or entities registered under any other law specifically for undertaking lending business.

2. All loan servicing or repayments should be made directly in the bank account of the balance sheet lenders and disbursements should be made directly into the bank account of the borrower, without any pass-through account/ pool account of any third party.

3. Any fees and other amounts payable to the LSPs in accordance with the arrangement with the lenders should be paid only by the lenders and should not be paid by the borrower.

4. New digital lending products which involve short term/unsecured or secured credit, such as Buy Now Pay Later, should be treated as balance sheet lending which is undertaken only by regulated entities.

5. All lending activities carried out through DLAs should mandatorily be reported to Credit Information Companies by the lenders.

6. Regulated entities should not allow their balance sheets to be used by unregulated entities in any form to assume credit risk.

7. First Loss Default Guarantee arrangements between unregulated entities assuming credit risk and regulated entities (such as NBFCs and banks) should not be permitted unless the unregulated entity complies with prudential norms.

8. In order to thwart the practice of "rent-a-license" by certain inactive NBFCs, the Certificate of Registration (CoR) issued to NBFCs containing permission for digital lending, who have not been carrying out such activity for a reasonably long period of time, may be reviewed and revised.

9. Banks should monitor accounts regularly operated from different/overseas IP addresses, which are not consistent with the KYC profile of the account holder, for suspicious activities.

10. The Working Group noted that many regulated entities engage in push marketing and unsolicited offers which encourage and increase borrowing without any specific purpose. To limit this type of lending, the Working Group has recommended that such regulated entities should have higher prudential norms applicable to them based on past behaviour of customers availing such push credits.

C. Technology Related Recommendations

1. 'Digital banks'/ 'Neo banks' which are solely digital in nature and do not have any physical branches should be brought under the purview of the RBI.

2. DLAs should provide links on the app to their own secured website, where prospective borrowers can access further information about the DLA, the loans, the lender, customer care particulars, a link to the Sachet Portal, etc. Alternatively, this information could be made available on the app itself.

3. The DLAs should have a feature which allows all transaction documents to automatically flow to the email address of the borrower upon execution of such documents.

4. DLAs and LSPs should appoint a nodal officer to address fintech issues.

5. Baseline technology standards for DLAs should be formulated. This should include secure application logic and secure application code, keeping a log of every action that the users perform along with their geolocation, IP address, and device information, multi-step approval process for critical activities and monitoring of transactions passing through the App in an auditable manner.

6. DLAs should store all their data in servers located in India, which would be monitored by DIGITA.

7. DLAs are encouraged to use glass-box models of AI which provide the rationale of processing the request to enhance transparency and acceptability of algorithms. Lenders should also assume the "duty of explanation" and ensure that outputs from such algorithms are explainable, transparent, and fair.

D. Data Protection Recommendations

1. DLAs should have a publicly available privacy policy, and users should be permitted to seek additional details on the information that is collected. Further, details of any third parties which collect personal information through DLAs, should be disclosed.

2. Data should be collected with prior informed and explicit consent of the customer which can be audited, if required.

3. The customers should be provided with an option to revoke consent granted to collect their personal data and if required, make the app delete or forget the data. After uninstallation of the app, there should not be any trace of access permission from the phone.

4. Consumers should be able to provide or deny consent for the use of specific data, its use, disclosure to outside entities (private, public or legal), and its retention and destruction. Consumers should be able to issue separate consent for each type of data that LSPs are accessing.

5. LSPs should inform consumers of their data policies, especially with respect to monetising consumer data.

6. DLAs would have to notify consumers about detection of any privacy breaches that may leave their data vulnerable and suggest ways for consumers to respond to those breaches.

E. Consumer Protection Recommendations

1. The DLAs must have "opt-in" and "opt-out" options for sending consumers/customers marketing messages. The default option should be "opt-out".

2. DLAs should provide mandatory user education about the product features and computation of loan limit and cost at the user on-boarding stage.

3. All disclosures about the proposed credit facility should be available to the borrower upfront in an easily understandable manner to facilitate comparison. Each lender should provide a key fact statement in a standardized format for all digital lending products.

4. Responding to consumers with the reasons for decline of a credit application made through DLAs should be mandatory.

5. Lenders should capture customers' economic profile when conducting customer due diligence. The digital lenders distributing products such as one-click loans will be duty-bound to assess the consumer's creditworthiness in an auditable way.

6. All DLAs should refrain from employing predatory lending practices that push the borrowers to unsustainable levels of personal debt. Lenders should formulate a publicly available Anti-Predatory Lending Policy.

7. Interest amount must be charged in arrears and never charged or debited in advance. Any other fee should not be included as outstanding principal for compounding purpose.

8. Regulated Entities should ensure that LSPs are prohibited from employing abusive debt-collection practices including the use of false statements, practices akin to or constituting harassment, or giving of false or unauthorized credit information to third parties.

9. The lenders should carry out periodic review of the conduct of the LSPs engaged in recovery and scan for their name in any 'negative' list or report its name to the 'negative' list if there is a significant breach of any code. In order to check the activities of dubious LSPs, an easier mechanism should be made available to lodge complaints about harsh treatment by such entities. The 'negative list' of LSPs should be maintained by the SRO and should be meticulously followed for compliance.

10. Specific lending norms for STCC lenders may be formulated and shall include affordability rules and restrictions on the number of concurrent short-term loans or multiple loans that a consumer can hold at a point in time or over a given period.

11. Lenders providing STCC products should consider the structural/ long term liability profile of the borrower rather than the borrower's short-term liability profile when determining the borrower's creditworthiness. Further, STCC customers should be mandatorily taken to a financial education website page designed in vernacular languages to acquaint the prospective borrowers of the risk and consequences of high-cost loans and alternatives available, if any.

12. Restrictions may be imposed on loan flipping when high-cost loans are refinanced without demonstrating any benefit to the borrower.

13. Penal rate of interest should not be levied for prepayment of STCCs in full or part except a nominal administrative fee, if at all. The pre-payment penalty should be suitably factored in while computing the annual percentage rate (APR) and the APR with a pre-payment penalty clause should be demonstrably lower than what the APR would have been without a pre-payment penalty clause.

ANALYSIS

The boom in digital lending and recent instances of fraudulent activities by online lending platforms have led to the Working Group recommending strict regulations on the digital lending sector to ensure consumer protection and to avoid any operational grey areas. The recommendations propose imposing various restrictions and compliances on LSPs, DLAs and regulated entities. The recommendations have an underlying theme of consumer protection and a concern about not having sufficient control or regulation over DLAs and LSPs. While the consumer protection measures are welcome, the overreaching regulations on DLAs and LSPs seem excessive to some extent. The recommendations proposed by the Working Group in the Report have been formulated keeping in mind that the digital lending sector has a capacity for high innovation and that, given the rapid scale of growth of such digital lending service providers, they should be brought within the regulatory ambit, which can be viewed as slightly regressive in nature. However, regulating the underwriting done by the unregulated fintech entities seems sensible to protect the integrity of the lending ecosystem.

CONCLUSION

Given the enormous fintech boom India has witnessed over the past few years, the regulator should ideally take a more balanced approach in regulating LSPs, which have the potential to be global leaders in this space. The industry should also take heed of the recommendations in the Report and should function in a manner which respects the customer and does not infringe on the basic ethos of regulated financial services.
