The digital lending landscape in India has undergone a major shift, incorporating technological innovation with traditional banking services. This evolution of traditional banking services for loan disbursal to quick loan disbursals with the help of technology has significantly expanded credit access to borrowers in India, especially during the COVID-19 pandemic.

However, it was observed that the convenient digital lending system brought along with it concerns such as mis-selling, data privacy breaches, hidden costs, and unethical practices which prompted the Reserve Bank of India ("RBI") to establish a working group in January 2021. Pursuant to this, the RBI officially released guidelines on digital lending namely "Guidelines on Digital Lending[1]", which is applicable to Scheduled Commercial Banks, Non-Banking Financial Companies ("NBFCs") including Housing Finance Companies on September 2, 2022, redefining the landscape of digital lending in India. The object of these guidelines was to foster responsible and secure digital lending practices, reduce the illegal activities, mitigate risk and protect the data of customers.

Guidelines on Digital Lending: An Overview
Applicability
The guidelines issued by the RBI on digital lending services are applicable to both banks and NBFCs, including housing finance companies, collectively referred to as Regulated Entities ("REs"). The scope of digital lending includes activities such as customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service. The guidelines specifically mention that Digital Lending Apps ("DLAs") i.e., mobile and web-based applications facilitating digital lending services and Lending Service Providers ("LSPs") should be in conformity with extant outsourcing guidelines issued by the RBI.

LSPs act as intermediaries between REs and borrowers, carrying out various functions on behalf of the RE. The LSPs are generally FinTech companies whom REs appoint as intermediaries, and by a plain reading of the guidelines, it could be inferred that these guidelines also apply to FinTech companies or LSPs along with banks and NBFCs. REs need to ensure that LSPs and DLAs comply with the guidelines.

The guidelines states that any outsourcing by an RE to an LSP or a DLA does not diminish the RE's obligations to conform to the existing RBI guidelines on outsourcing.

Customer Protection
The guidelines emphasize the protection of customers in digital lending transactions. Loan disbursal and repayment must occur directly between the RE and the borrower's bank account, except in specific cases mentioned in the guidelines. REs shall ensure that in no case, disbursal is made to a third-party account, including the accounts of LSPs and their DLAs, except as provided for in these guidelines.

Each RE and its LSPs must appoint a nodal grievance officer to address issues related to digital lending and fintech. Borrowers can escalate unresolved complaints through the Complaint Management System portal under the RBI-Integrated Ombudsman Scheme. Various scenarios where exceptions to direct transactions are allowed, such as statutory mandates, co-lending transactions, and specific end-use disbursements are outlined in the guidelines.

Disclosures
To enhance transparency, REs are required to provide a Key Fact Statement (KFS) in a standard format for all digital lending products. The KFS includes the annual percentage rate, recovery mechanism, and details of the grievance redressal officer. Any charges or fees not mentioned in the KFS cannot be imposed on the borrower. Borrowers have the right to a cool-off/lookup period, during which they can exit the digital loan without penalty. REs must ensure that digitally signed documents, including the KFS, are sent automatically to borrowers.

Moreover, REs must publish the list of LSPs and DLAs engaged by them, along with the details of their activities on the RE's website. DLAs of REs and LSPs shall prominently display product and loan-related information at the on-boarding stage, to ensure borrower awareness.

Data Protection
Data protection measures focus on need-based data collection with explicit borrower consent. LSPs should only store basic minimal data necessary for operations such as name, address, and contact details of the customer. Certain personal information, like phone data, must not be accessed. Further, one-time access for onboarding and KYC requirements is permitted with explicit consent of the customer.

Biometric data collection is prohibited under the guidelines. REs must ensure that DLAs and LSPs have comprehensive privacy policies, and all collected data must be localized within India. The responsibility for ensuring the privacy and security of customer information lies with the RE. The RBI has included data protection and localization related provisions in its regulations, and this trend continues in the guidelines.

Reporting and Due Diligence
REs must report any lending through DLAs and/or LSPs to Credit Information Companies ("CIC"), regardless of the nature or tenor of the loan. Digital lending products offered by REs or their LSPs over merchant platforms, involving short-term, unsecured or secured credits, or deferred payments, must be reported to CICs by the REs as well.

As per the guidelines, enhanced due diligence is required before partnering with an LSP, including assessments of technical abilities, data privacy policies, fairness in conduct, and compliance with regulations. Periodic reviews of LSP conduct and guidance on responsible actions, especially when acting as recovery agents, are mandatory by REs under the guidelines. These due diligence provisions aim to mitigate the risks associated with predatory lending and recovery practices in the digital lending industry.

Guidelines on Default Loss Guarantee in Digital Lending
The Reserve Bank of India has bolstered the digital lending sector with its Guidelines on Default Loss Guarantee[2] ("DLG") in Digital Lending, issued on June 8, 2023. These guidelines focus on First Loss Default Guarantee ("FLDG") arrangements, empowering REs including banks and NBFCs to engage with lending service providers i.e., Fintech Companies or other REs for a guarantee compensating for losses due to defaults in loans which is capped at 5% of the outstanding loan portfolio under the guidelines.

The DLG can take the form of cash deposits, fixed deposits with scheduled commercial banks or bank guarantees. As per the guidelines, invocation of DLG by REs is allowed within a maximum overdue period of 120 days. The DLG agreement must remain in force for a time period at least as much as the longest tenor of the loan in the underlying loan portfolio. Moreover, REs are mandated to disclose DLG details on their websites and establish a Board-approved policy for due diligence in DLG arrangements.

Further, the RBI emphasizes that DLG should not replace credit appraisal requirements and robust credit underwriting standards, marking a crucial step in shaping a disciplined digital lending landscape with enhanced credit penetration. The impact of the 5% cap on DLG remains to be observed in influencing the digital lending space.

End-Notes:

1. RBI/2022-23/111 DOR.CRE.REC.66/21.07.001/2022-23
2. RBI/2023-24/41 DOR.CRE.REC.21/21.07.001/2023-24