RBI issues new digital lending guidelines for banks, lenders to protect borrowers (2024)

The Reserve Bank of India (RBI) has issued guidelines to all lenders including banks to protect the data of borrowers using digital lending apps from being misused. As per the guidelines issued by the RBI, the regulated entities cannot store borrowers' data except for some basic minimal information. As per the guidelines, a lender can store information such as the name, address, contact details of the customer etc. that are required to process and disburse the loan and repayment of it. Biometric information of the borrower cannot be stored by digital lending apps

The guidelines issued are applicable to existing customers availing fresh loans and to new customers getting onboarded from the date of this circular (September 2, 2022). "However, in order to ensure a smooth transition, Regulated Entities shall be given time till November 30, 2022, to put in place adequate systems and processes to ensure that ‘existing digital loans’ (sanctioned as on the date of the circular) are also in compliance with these guidelines in both letter and spirit", says the central bank

The guidelines issued by the RBI cover the following regulated entities - All Commercial Banks, Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks; and Non-Banking Financial Companies (including Housing Finance Companies).

Here's how the RBI guidelines on digital lending aim to protect borrowers:

• The guidelines explicitly state that digital lending apps cannot access mobile phone resources such as file and media, contact lists, call logs, telephone functions, etc. One-time access can be taken for camera, microphone, location or any other facility necessary for the purpose of onboarding/ KYC requirements only, with the explicit consent of the borrower.
• The borrowers must be informed about the storage of customer data including the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, data destruction protocol, standards for handling security breach, etc. The information must be provided on their website and the apps at all times.
• At the time of disbursing the loans using digital apps, a key Fact Statement (KFS) to the borrower before the execution of the contract in a standardized format for all digital lending products.
• The borrower must be informed about the all-inclusive cost of digital loans and should also be a part of the Key Fact Statement.
• The penal interest/charges levied, if any, on the borrowers shall be based on the outstanding amount of the loan. Further, the rate of such penal charges shall be disclosed upfront on an annualized basis to the borrower in the Key Fact Statement.
• Any fees charges etc. payable to lending service providers must be paid by the regulated entities and borrowers must not be charged for this.
• The Key fact statement should contain the details of the annual percentage rate, the recovery mechanism, details of grievance redressal officer designated specifically to deal with digital lending/FinTech-related matters and the cooling-off/ look-up period. The cooling-off/look-up period is the amount of time given to the borrower for exiting digital loans, in case a borrower decides not to continue with the loan.
• Any charges that are not mentioned in the Key Fact Statement are not chargeable to borrowers at any stage during the loan term.
• The information shall be sent to the borrowers on their verified email/SMS on the successful execution of loan contract/transaction. The information must be sent on the letterhead of the regulated entity (bank) and must contain a Key Fact statement, a summary of loan product, sanction letter, terms and conditions, account statements, privacy policies of the LSPs/DLAs with respect to borrowers data, etc.
• At the time of the sign-up/onboarding stage, information related to product features, loan limit and cost, etc., must be informed to the borrowers.
• The banks, and NBFCs must publish the list of their digital lending apps, and lending service providers, engaged by them on their websites.
• Details of nodal grievance redressal officer must be displayed on the websites of banks, NBFCs, lending service providers, digital lending apps and also on the key fact statement.
• Digital lending apps and websites must allow a borrower to lodge their complaint.
• If the complaint lodged by the borrower is not resolved within 30 days, then he/she can lodge a complaint on the Complaint Management System (CMS) portal under the Reserve Bank-Integrated Ombudsman Scheme (RB-IOS). For entities currently not covered under RB-IOS, a complaint may be lodged as per the grievance redressal mechanism prescribed by the Reserve Bank.
• The banks, NBFCs must capture the economic profile of the borrowers covering (age, occupation, income, etc.), before extending any loan over their own Digital Lending Apps and/or through Lending Service Providers engaged by them, with a view to assessing the borrower’s creditworthiness in an auditable way.
• There shall be no automatic increase in credit limit unless explicit consent of the borrower is taken on record for each such increase.
• During the cooling-off/look-up period, the borrower shall be given an explicit option to exit the digital loan by paying the principal and the proportionate APR without any penalty during this period. The cooling-off period shall be determined by the Board of the bank, NBFC. The period so determined shall not be less than three days for loans having tenor of seven days or more and one day for loans having tenor of less than seven days. For borrowers continuing with the loan even after look-up period, pre-payment shall continue to be allowed as per extant RBI guidelines.
• The borrower shall be provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data and if required, make the app delete/ forget the data.
• Explicit consent of the borrower shall be taken before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirements.
• No biometric data is stored/ collected in the systems associated with the Digital Lending Apps of regulated entities / their Lending Service Providers unless allowed under extant statutory guidelines.
• The banks and NBFCs shall ensure that any lending done through their Digital Lending Apps and/or Digital Lending Apps of Lending Service Providers is reported to Credit Information Companies (such as CIBIL) irrespective of its nature/ tenor.
• Any extension of structured digital lending products by banks, NBFC and/or Lending Service Providers engaged by them over a merchant platform involving short-term, unsecured/ secured credits or deferred payments, need to be reported to Credit Information Companies.
• The regulated entities shall ensure that all loan servicing, repayment, etc., shall be executed by the borrower directly in the regulated entities’ bank account without any pass-through account/ pool account of any third party. The disbursem*nts shall always be made into the bank account of the borrower except for disbursals covered exclusively under statutory or regulatory mandate (of RBI or of any other regulator), flow of money between regulated entities for co-lending transactions and disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary. Regulated entities shall ensure that in no case, disbursal is made to a third-party account, including the accounts of Lending Service Providers and their Digital Lending Apps, except as provided for in these guidelines.

Anurag Reddy, Vice President of Product and Chief of Staff, Dinero says, "The regulations around user consent for storage and usage of personal data are in line with global standards such as the GDPR, and our Draft Personal Data Protection Bill. RBI is ensuring the financial services and fintech ecosystem stays ahead of the curve in protecting sensitive personal data, even before it is mandated by law. The guidelines will also lead to a clean-up in the ecosystem. Lending businesses with good intent will thrive. The regulations are a welcome move to drive customer-centric innovation in the ecosystem – whether it is protecting personal data, addressing customer grievances or reducing asymmetry in information"

Dr Ravi Modani, Founder and CEO at 121 Finance says, "This move will discourage ambiguity and bad practices and will lead all genuine players to responsibly practise lending. Responsibility on the REs will generate transparency in the system, which always leads to trust and eventually to the growth of the sector as well. This restructured relationship between LSPs and REs will also end up safeguarding the eventual borrower from the harassment they face today."

In Video: RBI releases detailed guidelines on digital lending

...moreless

...moreless