The Reserve Bank of India (RBI) has issued the Guidelines on Digital Lending on September 02, 2022 ("Guidelines") laying down the directions on matters covered in Annex-1 of the press release titled 'Recommendations of the Working group on Digital Lending - Implementation' dated August 10, 2022 (Press Release).

Key highlights

  1. Applicability and timelines

The Guidelines are applicable to regulated lending entities (RE), such as Commercial Banks, Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks and Non-Banking Financial Companies (including Housing Finance Companies). For existing customers availing fresh loans and new customers getting onboarded with effect from September 02, 2022; and for existing digital loans REs are given time till November 30, 2022, to comply with the Guidelines in both in 'letter and spirit'.

Comment: By requiring REs to comply with the Guidelines in both 'letter and spirit', the RBI appears to have kept room open for interpretation to analyse any structure that may circumvent the legislative intent of the Guidelines, an approach not typically explicitly expressed by the RBI in its regulations. This may lead to REs taking conservative calls in supporting new fintech models.

  1. Disbursement and repayment of loan

All loan disbursals and repayments are required to be executed only between the bank accounts of borrower and the RE. Any passthrough/ pool account of the lending service providers (LSP) or any third party is not permitted. Limited exceptions are provided for the rule to disbursals covered exclusively under statutory or regulatory mandate, flow of money between REs for co-lending transactions; and disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary.

Comment: The RBI clarification on exemption for disbursement with a specific end use will bring relief to some BNPL, supply-chain financings and other digital lending where the end use is specified provided that the loan amount is disbursed only in the bank account of the 'end-beneficiary', i.e., the merchant, supplier or seller, and not routed through any third-party account, including the bank account of the LSP or any intermediary.

The restriction introduced by RBI may also restrict disbursement and recollection through payment aggregators. A good portion of payment aggregators' business came from managing payouts and collections for REs/LSPs and the Guidelines may impact such business offerings from payment aggregators. Interestingly, the RBI guidelines on outsourcing of financial services by REs permit REs to appoint collection agents to collect loan repayments from borrowers on behalf of the REs. One may question, why would then RBI prohibit regulated payment aggregators, which are entities licensed by RBI to collect and settle payments on behalf of third parties, from collecting repayments from borrowers in an escrow account?

  1. Cooling-off period

A cooling off/ look-up period as determined by the board of RE is required to be given to borrowers for exiting digital loans, by paying the principal and proportionate APR without any penalty. The cooling-off period cannot be less than three days for loans having tenor of seven days or more, and one day for loans having tenor of less than seven days. For borrowers continuing with the loan even after cooling-off period, pre-payment is permitted as per extant RBI guidelines.

Comment: The requirement of a minimum cooling-off period and prepayment of loans is an additional clarification from the Press Release. This will ensure a reasonable cooling-off period and allow borrowers to prepay loans in accordance with RBI guidelines.

  1. Data collection, processing and sharing

Collection: Any collection of data by DLAs is permitted on a need-based and with prior and explicit consent of the borrower which can be audited, if required. DLAs are not permitted to access mobile phone resources such as file and media, contact list, call logs, telephony functions, etc. A one-time access can be taken for camera, microphone, location or any other facility necessary for the purpose of on-boarding/ KYC requirements only with the explicit consent of the borrower.

Consent: The borrower is required to be provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect his personal data and if required, make the app delete/ forget the data. Explicit consent of the borrower is required to be taken before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirement. The purpose of obtaining borrowers' consent is required to be disclosed at each stage of interface with the borrowers.

Comment: RBI has specifically discouraged DLAs from having access to mobile phones for accessing media files, contact list, other resources etc., event with explicit customer consent, and this may affect the ability of DLA driven credit assessments and other product offerings that were being made to customers.

  1. Data storing

Storage: LSPs are not permitted to store personal information of borrowers except for some basic minimal data (viz. name, address, contact details of the customer, etc.) that may be required to carry out their operations.

Comment: The RBI has given some leeway to the LSPs to store 'basic minimal' data on a need basis only with express written consent of the borrowers. However, this data cannot include biometric data. Till date, LSPs used to access, collect and store customer data with customer consent pursuant to provisions of the Information Technology Act, 2000 and Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Now, the RBI has imposed further stringent requirements where customer personal data, except to the extent permitted, cannot be stored by LSPs even with explicit customer consent.

Data localisation: All data is required to be stored in servers located within India while ensuring compliance with statutory obligations/ regulatory instructions.

Comment: It appears that RBI has gradually shifted towards localisation of all financial data in India. While the previous data localisation requirements under the RBI circular on 'Storage of Payment System Data' dated April 6, 2018, were limited to payment system data and payment system operators, now all REs and LSPs will have to store all data (both payments and non-payments data) in servers located in India and this will result in further cost implications for REs and LSPs.

  1. First loss default guarantees (FLDG)

The Guidelines state that in relation to the contractual arrangements for FLDGs (in which a third party guarantees to compensate up to a certain percentage of default in a loan portfolio of the RE), REs should comply with the provisions of the Master Direction – Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 dated September 24, 2021 (Securitisation Directions), especially, directions on synthetic securitisation contained in the Securitisation Directions.

Comment: The Securitisation Directions define "synthetic securitisation" as a structure where credit risk of an underlying pool of exposures is transferred, in whole or in part, through the use of credit derivatives or credit guarantees that serve to hedge the credit risk of the portfolio which remains on the balance sheet of the lender. Pursuant to paragraph 6(c) of the Securitisation Directions, REs are not permitted to undertake or have any exposure towards synthetic securitisations.

Since the definition of synthetic securitisation is limited to hedging credit risk through 'credit derivatives' or 'credit guarantees', REs and LSPs could potentially argue that hedging of credit risk through security deposits and indemnities may not necessarily be restricted pursuant to this provision. However, paragraph 15 of the Guidelines seems very widely worded and uses the phrase "contractual arrangements, such as FLDGs, where a third party guarantees to compensate...." In the context of restricting FLDG arrangements, this could be viewed as a non-exhaustive restriction and could potentially include structures which result in compensation to the RE for a loss in loan portfolio of the RE- especially when the guidelines are to be implemented in 'letter and spirit'.

Under the Securitisation Directions, non-lender REs are permitted to provide credit enhancement facilities for securitisation transactions. Could it mean that third party NBFCs are permitted to issue credit comforts to the RE lender on behalf of an LSP for digital lending, subject to such NBFC maintaining adequate capital required under the Securitisation Directions? The working group report also recommended that issuance of FLDGs should be limited to REs. Could it mean that RBI has also accepted this recommendation from the working group report? If yes, this could benefit fintech entities housing an NBFC within the group.

If RBI's intention were to ban FLDGs in toto, why did it not say in unequivocal terms? Further, synthetic securitisations structures typically involve issuance of notes embedded with credit derivatives or backed by guarantees which is not the case in FLDG contractual arrangements. It appears that by a reference to Securitisation Directions, RBI seems to be suggesting that such synthetic structures were never permitted under the regulatory framework and thereby RBI can retrospectively discontinue FLDGs by requiring REs to comply with this restriction for existing digital loans by November 31, 2022.

Concluding remarks

While the RBI's intentions behind restricting FLDGs is well founded to protect customers from any imprudent recovery practices and to prevent RE's from taking comfort from overleveraged LSPs, such a blanket ban on FLDGs will likely be a death knell for the fintech industry which has developed on the footing of such FLDG arrangements. Limiting the quantum of the FLDGs for such digital lending arrangements (including prescribing capital adequacy for such LSPs) would have been better to address such risks. The fintech industry would expect that the RBI, while addressing the matters contained in Annex-II of the Press Release, recognises the key role of FLDG arrangements in digital lending models and issues detailed instructions on regulation of FLDGs after taking into account inputs from all stakeholders.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.