By Trisha Shreyashi and Krishna Pardeshi
FinTech-led innovation, which played a minor supporting role just a few years ago, is now central to how financial goods and services are designed, priced, and delivered. The fusion of technology in the financial sector has been embraced as a positive trend, especially under the regulatory sandbox regime. However, these initiatives frequently combine positive aspects with certain perils. The growth and acceptance of mobile lending apps and online lending platforms (together referred to as “digital lending”) have sparked several major questions with systemic repercussions. The legislative environment must be balanced to foster innovation while upholding data security, privacy, secrecy, and consumer protection.
According to the RBI, lending via digital mode compared to physical mode is still in its infant stage in the case of banks (Rs 1.12 trillion via digital mode versus Rs 53.08 trillion via physical mode), whereas a higher percentage of lending (Rs 0.2 lakh via digital mode versus Rs 1.93 lakh via physical mode) occurs for NBFCs.
The RBI established a Working Group (WG) in January 2021 to examine digital lending governance concerns and consumer complaints about the rapid loan-offering digital lending companies that have proliferated as a result of the pandemic.
In light of this backdrop, the Reserve Bank of India (RBI) issued the Digital Lending norms, 2022, to govern the credit facilities offered by such institutions. The new regulations are founded on the idea that only organisations that are either governed by the central bank or are legally licensed to do so may engage in lending and credit facilitation activities.
The norms bifurcate the digital lending institutions under two broad categories:
(i) Entities that fall under the RBI’s jurisdiction and are authorized to engage in lending, known as ‘regulated entities’ (REs). (ii) Organisations that are permitted to conduct lending under other statutory or regulatory laws but are not subject to RBI regulation, and organizations that don’t fall within the jurisdiction of any laws or regulations, are known as ‘unregulated entities’.
These norms are primarily applicable to regulated entities. However, these norms enable the governance of unregulated entities by the central government, RBI, and a controlling body. It mandates that all loan disbursements must always be made into the borrower’s bank account and that repayments must be carried out directly in the bank accounts of regulated entities (banks, NBFCs, and microfinance institutions) in order to ensure that the RBI has an eye on the movement of money through the lending chain. This would ensure that no money enters or exits any third-party pool accounts.
REs are now required to give a key fact statement (KFS) to the borrower before the execution of the contract relating to digital lending products. KFS must include information on the total cost of digital loans, terms and conditions of the recovery mechanism, the details of grievance redressal officer, cooling-off, and look-up periods. The regulator has made it clear that credit limits cannot be automatically increased without the borrower’s specific on-record approval. The borrower cannot be charged any fees, charges, etc. that are not specified in the KFS at any point during the loan’s tenure.
The guidelines further said that REs must make sure that any lending conducted through Digital Lending Applications (DLAs), regardless of its type or duration, must be reported to Credit Information Companies (CICs). The Buy Now Pay Later (BNPL) style of lending must also be notified to CICs.
However, objections to these norms have been raised on grounds of data security and privacy. Addressing these allegations, RBI has mandated that the DLAs collect only the requisite data. The DLAs are now forbidden to seek access to media files, contact lists, call records, and other mobile applications. The camera, microphone, location, or any other facility required for onboarding or KYC requirements can be accessed only once with the borrower’s express authorization. The authorities can audit such data thus collected, as per the regulatory requirement.
One must not be oblivious to the fact that India does not have robust and comprehensive legislation that governs data protection. With the recent withdrawal of the Personal Data Protection Bill from Parliament, it will be an uphill task to mitigate concerns regarding personal data privacy. The onus lies on those who challenged the bill as inadequate and are today in complete loss of any safeguard at all.
One may ponder: “How can access to data by private entities with questionable credibility and reliability be justified against access to data by the regulatory authority whose very preamble mandates it to ensure customer safety?” It is an established principle of efficient governance that pro bono Publico; i.e. public good, be preferred over pro privato comodo; i.e. private convenience.
In this instance, it is an absolute necessity for RBI to oversee data collection and retention by DLAs so that it can safeguard the mass consumer interests against any breach of data, exorbitant interest level, digital lending frauds, etc by a handful of entities. These norms reduce the role of the third party and prevent any misappropriation or misuse of data. The regulatory body comes into play only so to aid in the prudent and sustainable expansion of the digital lending ecosystem while safeguarding consumer interests.
(The authors: Trisha Shreyashi is a legal professional & panelist at HBR, and Krishna Pardeshi is a law officer at a REIT. Views expressed are personal.)
