Date: 2023-04-13

1. Fund Flow: REs to ensure that all loan servicing, repayment, etc., shall be executed directly in the RE's bank account without any pass-through account/pool account of any third party. The disbursals shall always be made into the bank account of the borrower. In case of borrowers not having a bank account, monies can be disbursed only into fully compliant PPIs of the borrower. Exceptions: (a) disbursals covered exclusively under statutory or regulatory mandate; (b) flow of money between REs for co-lending transactions; and (c) disbursals where loans are mandated for specified end-use as per regulatory guidelines of RBI or of any other regulator. In the WG Report, RBI had raised concerns about the transparency of the process/disbursals where monies are disbursed by the lender to the LSP and the LSP then disburses the same to the borrower, and similarly where the LSP collects the repayment amount in its own bank account and then sends it to the lender. This is in line with recent changes in other regulatory regimes, including SEBI's banning of pooling of monies in relation to mutual funds. The systemic risk that the regulator is looking at is the possibility of fund mix-up, and also the concern that, if the LSP undergoes a moratorium or insolvency proceedings, there could be confusion about which assets (cash) belong to the entity and which assets are only being held in trust. Another reason for this suggestion is to ensure that the loans flow from the accounts of the actual balance sheet lender to the borrower, so as to de-risk the lending market, reduce dependency on the unregulated LSPs, and increase regulatory compliance on REs. One of the major disruptive effects of this recommendation is that the use by many REs and LSPs of payment aggregators/escrow banks for administrative convenience will need to be relooked at. However, in our view, possible lender-specific escrow structures could be evaluated which should pass regulatory muster. Due to exception (b), platforms (such as CredAvenue) that facilitate co-lending between REs could be exempted.

2. Payment of Fees to LSPs: REs to ensure that any fees, etc. payable to LSPs are paid directly by REs and are not charged by the LSP to the borrower directly. This is in line with existing guidelines on business correspondents, wherein charging the borrower directly by the business correspondents is prohibited. In our view, this should not prevent LSPs from providing separate services to the customer/borrower and charging them separately for the same.

3. Disclosure of APR: The all-inclusive cost of digital loans as an Annual Percentage Rate[3] (APR) is to be disclosed upfront by REs. In the WG Report, the Working Group had recommended that the total costs of the borrowing (including contingent costs) should be fairly disclosed to the borrower. It had recommended that RBI should establish standard definitions for the cost of digital short-term consumer credit/micro-credit as Annual Percent Rate (APR). The disclosure should include the monetary and non-monetary impact of early, partial, late, or non-repayment of the loan (contingent costs). This is a customer-focused suggestion for disclosure of costs in a clear and understandable way, and adequate disclosure may, according to the WG Report, improve repayment performance. Contrary to the recommendation of the WG Report, RBI in the Press Release has not set out the standard measures for APR but has put in a blanket requirement on REs to disclose the all-inclusive cost as an APR. Lenders could consider disclosing a range for the APR, starting from an APR which does not include any penalties and other contingent charges and captures only the fixed APR, up to an APR which could include all contingent charges.

4. Grievance Officer & Grievance Redressal: REs to ensure that LSPs appoint a nodal grievance redressal officer ("GO") to deal with all complaints in relation to the Digital Lending or the DLAs. The GO's contact details are to be displayed on: (a) the RE's website; (b) the LSP's website; (c) the DLA; and (d) the key fact sheet ("KFS") (discussed later). The DLA and the website shall contain the mode of lodging a complaint. If any complaint is not resolved by the RE within 30 (thirty) days, the borrower can lodge a complaint over the Complaint Management System (CMS) portal or other prescribed modes under RB-IOS. In line with the extant guidelines on outsourcing, the intent of this is that the end customer should not be restricted in any manner from raising his/her grievance, as in a Digital Lending scenario end customers often confuse the lending platform with the back-end lender. This recommendation is in line with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("Intermediary Rules"). Under the Intermediary Rules, the definition of intermediary[4] would, in any case, include an LSP, requiring the appointment of a grievance officer. However, since RBI cannot directly govern the LSPs, the obligation is cast on the REs to ensure that the LSPs comply with this obligation. It has been clarified that the responsibility for grievance redressal will continue to be with the RE.

5. Key Fact Sheet: REs to provide a key fact statement before the execution of the contract in a standardized format for all digital lending products, including: (a) details of the APR; (b) terms of the loan; (c) details of the grievance officer; and (d) cooling-off/look-up period (discussed later). Any fees which are not mentioned in the KFS shall not be charged. The intent of the RBI is to ensure that the uninitiated/young and the less financially literate customers have all the relevant information in one place. Loan documents can be verbose, and such customers may lose out on important details of the loan if all critical information is not simplified. It has been recommended that, until RBI comes up with a specific KFS format for Digital Lending, the format available under Master Direction - Reserve Bank of India (Regulatory Framework for Microfinance Loans) Directions, 2022 dated March 14, 2022, can be used.

6. Flow of Information: REs to ensure that all digitally signed documents supporting important transactions through DLAs, such as (a) KFS; (b) summary of the product; (c) sanction letter; (d) terms and conditions; (e) account statements; (f) privacy policies of the LSPs with respect to borrowers' data, etc., shall automatically flow from the lender to the registered/verified email/SMS of the borrower upon execution of the loan contract. This is done to ensure that the borrowers have copies and knowledge of all relevant documents. We understand that currently not all such information, especially the privacy policy of the LSP etc., is sent to the customer upon execution. Currently, customers can view some of these documents after logging in to the portal of the LSP. Going forward, all documents as identified have to be shared with the customer. There may be significant monetary and operational outflow for REs and LSPs to put this into effect. The stamp duty implications will also need to be ascertained.

7. Credit Limit: REs to ensure that automatic increases in credit limits are prohibited unless explicit consent of the borrower is taken on record for each such increase. The intent is to ensure that the less financially literate customers do not fall into a debt trap. It has to be ensured that explicit consent is taken from the borrower before their credit limit is extended. Such consent should be recorded and preserved.

8. List of LSPs on REs Website: REs shall publish the list of LSPs (and DLAs, if any) engaged by them, along with the details of the activities for which they have been engaged, on their website. This is to ensure transparency and for the customer to know the association/relationship. Usually, the existence and nature of engagements between REs and LSPs were not publicly known. This will put an additional regulatory burden on the REs to maintain an updated list on their website.

9. Credit Assessment of each Borrower: REs may capture the economic profile of the borrowers (age, occupation, income, etc.) before extending any loans over DLAs, with a view to assessing the borrower's creditworthiness in an auditable way. The WG Report stated how debt trap protection works in jurisdictions such as the US. Some of the customers may take loans without having the financial wherewithal to repay the same or may be exposed to certain immediate risks on account of the burden of the interest and repayment of the loan. To counter the same, the Press Release makes it mandatory for the lenders to determine the ability of the borrowers to repay the amounts and to assess the creditworthiness of each of the borrowers. In our view, auto-approved limits/pre-approved loans where each of the customers is not individually assessed may have to be stopped. The economic profile of each of the customers has to be collected, creditworthiness has to be assessed, and the audit trails of the same have to be maintained prior to initiating lending.

10. Cooling-off/Look-up Period: A board-determined 'Cooling-off/Look-up Period' has to be prescribed by the RE, within which the borrower will be able to exit the loan without paying a prepayment penalty, paying only the principal amount and a proportionate APR. This is being done to ensure that the customer is protected from over-burdening himself/herself with loans and is not disincentivized from prepaying a loan if he/she is able to. Globally, the cooling-off period (as noted in the WG Report) varies from 3-14 days. A board-approved policy should be made and such cooling-off/look-up period should be set out.

11. Disclosure during onboarding: The DLAs or DLAs of the LSPs, at the onboarding/sign-up stage, are to prominently display information relating to the product features, loan limit, cost, etc., so as to make the borrowers aware of these aspects. The aim is consumer awareness and transparency. The sign-up and subsequent disbursement could be made conditional upon ticking off a consent radio box with terms and conditions offered for all loan products.

12. Relationship between REs and LSPs: Enhanced due diligence by the balance sheet lenders before entering into a partnership with LSPs. Communication from the lender to the borrower about the details of LSPs who have sourced the loans and prior communication about the LSP entrusted with recovery. Periodic review of the conduct of LSPs engaged in recovery. Since partnerships with the customer-facing LSPs are a dominant model, oversight should be extended to LSPs by the REs. Being unregulated service providers, LSPs are under minimal oversight. Focus by the RBI on the activities undertaken by the LSPs is a game changer. This will increase the regulatory burden on the REs to ensure LSPs' compliance with the current regulations.

13. Consumer Data

Types of Data to be collected: Data of the customer collected should be need-based and should be collected only with prior explicit consent, which should be auditable. REs to ensure that LSPs do not store personal information of borrowers except for some basic minimal data (viz. name, address, contact details of the customer, etc.) that may be required to carry out their operations. DLAs should not access mobile phone resources such as files and media, contact lists, call logs, telephony functions, etc. One-time access can be taken for the camera, microphone, location, or any other facility necessary for the purpose of onboarding/KYC requirements only with the explicit consent of the borrower.

Explicit Consent Requirement: Required for: consent to the DLA's access to and use of the customer's mobile phone/other electronic device resources (camera, contact list, audio, location, stored documents and images, etc.); the type of specific data that is collected (personal information for the purposes of KYC, income and credit information, etc.); disclosure to third parties; and any retention.

Right to Revoke/Purge: Right to revoke consent + right to purge personal data from the App.

Privacy Policy: Privacy policy to be in place, including details of the third parties who collect data + type of data stored + duration for storage + restriction of use.

Other Policies: Data destruction protocol + standards of handling security breaches.

Biometric Data: No biometric data should be collected/stored in the systems associated with DLAs and LSPs.

Types of Data to be collected: One of the major concerns raised by the WG Report is the consumers' privacy violations and abuse. One of the extreme examples cited in the report is that some of the LSPs use the access to the contact list of the customer's phone to call up their relatives and friends when such customer failed to pay any installment. Such access to the contact list is taken at the time of onboarding, at which point it may have seemed to be a harmless permission given by the customer. Accordingly, purpose limitation (need-based collection) has been imposed under the Press Release.

Explicit Consent Requirement: The other contentious issue discussed in the WG Report is the lack of explicit consent. Accordingly, the Press Release has set out the actions for which explicit customer consent will be required. The focus is on ensuring that disclosure to third parties is explicitly consented to by the borrower, as there were instances of cross-selling and bundling of third-party products.

Right to Revoke/Purge: While the right to revoke consent is already provided under the SPDI Rules, the right to purge the data provided is newly added. The rationale seems to be alignment with GDPR norms and to avoid personal data sitting with LSPs when the transaction is completed and there is no ongoing transaction.

Privacy Policy: While a privacy policy is already a requirement under the Intermediary Rules and SPDI Rules, the Press Release has reiterated some of these requirements.

Other Policies: Separate policies on data destruction protocol + standards of handling security breaches are required under the Press Release, looking at the global trend of major and minor data breaches.

Biometric Data: This is in line with the existing regulations.

Types of Data to be collected: The Press Release has severely limited the kinds of personal information/data that can be collected and stored by the LSPs. Only such data which is needed to carry out services can be collected and stored. LSPs should access only the personal information/data that is absolutely needed for carrying out their services, and accordingly should list down such data types in their privacy policy and have the customers consent to the same explicitly. Access to media, contact lists, call logs, and telephony functions has to be stopped. For KYC purposes, one-time access can be taken.

Explicit Consent Requirement: The Press Release at various places requires the customers to provide explicit consent. One way to demonstrate explicit consent is to have an OTP-based verification which requires the customer to key in the OTP. Further, the consent procured should be maintained and should be auditable. The right to consent to or deny specific data can be covered by listing the categories of data to be collected and having the customer tick off the radio box for each category. To comply with the requirements relating to disclosure to third parties, the types/categories of third parties to whom such data is disclosed have to be listed in the privacy policy, and the customers should be given an option to allow such disclosure.

Right to Revoke/Purge: The right to purge data should be provided. However, data that is required to be maintained pursuant to law, such as KYC data etc., need not be purged.

Privacy Policy: The existing privacy policies of the LSPs should be relooked at, and it must be ensured that they are available publicly.

Other Policies: Data destruction protocol and standards for handling breaches of data can be covered by way of a separate data breach policy. A link to the same can be provided in the privacy policy for the customer to view the same.

Biometric Data: Restrictions on biometric data collection to be followed.

The Personal Data Protection Bill has been withdrawn, and the government has stated that they will come up with a comprehensive legal framework regarding digital privacy law. All the above mechanisms may need to be re-looked at at the stage of issuance of a fresh bill.

14. Data Localisation: REs to ensure that all the data is stored in servers located within India. The aim is to ensure that the data is localized, to ensure a nationalized data economy, and also to allow easy accessibility to the data by government agencies in case of investigations etc. LSPs who are foreign entities will need to ensure that they have an Indian entity and store data locally. There seems to be a contradiction here with the Outsourcing Directions for Banks and Outsourcing Directions for NBFCs, which allow foreign outsourcing partners to act on behalf of banks/NBFCs (as applicable). However, with this new limitation, the outsourcing guidelines have to be read accordingly. Foreign LSPs have to ensure that they incorporate Indian entities and also ensure that the data is stored in India and does not flow through to entities outside India. This is in line with the increasing RBI monitoring for ensuring data is stored locally, e.g., storage of payment data by system providers.