Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps

Table of Contents
Letter of Transmittal
Acknowledgements
Abbreviations
Glossary
Executive Summary
Section 1: Introduction
1.1 Constitution of the Working Group
1.2 Foreground
1.3 Processes Followed
1.4 Broad Approach
Section 2: Digital Lending Landscape
2.1 Meaning: Digital Lending
2.2 Digital Lending Eco-System
2.3 Global Scene
2.4 Indian Scene
2.5 Trends and Future
Section 3: Regulatory Policy Approach to Digital Lending
3.1 Extant Indian Legal Regimes
3.2 Global Regulatory Practices
3.3 The Case for Regulatory/ Supervisory Review in India
3.4 Recommendations and Suggestions on Statutory-Regulatory Approach
Section 4: Technology Standards of Digital Lending
4.1 Factors Spurting Growth of Digital Lending in India
4.2 Digital Lending Lifecycle
4.3 Regulatory Perspectives of Digital Lending Technology
4.4 Recommendations/ Suggestions
Section 5: Financial Consumer Protection
5.1 Extant Frameworks in India
5.2 Global Practices
5.3 Conduct Aspects of Digital Lending in India
5.4 Recommendations/ Suggestions
Gist of Recommendations in the Report
Gist of Suggestions/ Issues for Future Examination
Annex A - Synopsis: Inputs received from Stakeholders
Annex B - Details of Interfaces and List of Entities
Annex C - Extracts of Sample Survey Data on Digital Lending
Annex D - List of Money Lending Laws in India
Annex E - Global Practice in STCC Regulation
Annex F - Prescribed Format of Key Fact Statement/ Fact Sheet
Annex G - List of Statutes dealing with Usurious Interest Rates
Annex H - Rules to stop Debt Traps by CFPB, USA
Bibliography

Acknowledgements

The Working Group expresses its gratitude to the Governor, Reserve Bank of India, Shri Shaktikanta Das for entrusting the responsibility on the Group to comprehensively study all aspects of digital lending activities to enable an appropriate policy approach.

The Group invited inputs and held virtual interactions with various stakeholders including financial institutions, government bodies, law enforcement agencies, academicians, and FinTech associations/ groups. The diverse interactions and different perspectives helped the Group in getting a holistic view of the nascent digital lending ecosystem. The Group would like to place on record its appreciation for all their valuable inputs, which have immensely helped in shaping this Report.  

The Group would like to commend the rigorous work put in by the core secretarial team of the Department of Regulation, RBI, led by Shri Chandan Kumar, General Manager and consisting of Shri Anuj Sharma, AGM; Shri Lakshmana Koyya, Shri B G Gowtham Kumar Naik, and Shri Aditya Sood, Managers.

The Group would also like to acknowledge and appreciate the contribution of the secretarial teams from Department of Supervision (Shri Susheel Raina, DGM; Shri A G Giridharan, DGM; Shri Nethaji B, DGM; Shri Varun Yadav, AGM; and Ms. Tricha Sharma, AGM) and Department of Payment and Settlement Systems (Shri Anuj Ranjan, GM and Shri Brijesh Baisakhiyar, AGM). The Group would also like to express gratitude to the Legal Department (Ms. Manisha Ranvah, ALA) and all the Regional Offices of Reserve Bank of India for the inputs provided.


Abbreviations

API Application Programming Interface
AI Artificial Intelligence
AML/ CFT Anti-Money Laundering/ Combating the Financing of Terrorism
APR Annual Percentage Rate
ASIC Australian Securities and Investments Commission
BC Business Correspondent
BIS Bank for International Settlements
BNPL Buy Now Pay Later
BR Act Banking Regulation Act, 1949
BSL Balance Sheet Lender
CBIRC China Banking and Insurance Regulatory Commission
CDD Customer Due Diligence
CIC Credit Information Company
CICRA Credit Information Companies (Regulation) Act
CoR Certificate of Registration
DLA Digital Lending Application
EDD Enhanced Due Diligence
EMI Equated Monthly Instalment
FCA Financial Conduct Authority
FLDG First Loss Default Guarantee
FPC Fair Practices Code
FSB Financial Stability Board
IBA Indian Banks' Association
ICT Information and Communication Technology
IRDAI Insurance Regulatory and Development Authority of India
IT Act Information Technology Act, 2000
KFS Key Fact Statement
KYC Know Your Customer
LEA Law Enforcement Agency
LSP Lending Service Provider
MFI Microfinance Institution
ML Machine Learning
MI Market Intelligence
MLC Micro Lending Company
NBFC Non-Banking Financial Company
NBFC-AA Non-Banking Financial Company-Account Aggregator
NBFC-P2P Non-Banking Financial Company-Peer to Peer Lending Platform
NCRB National Crime Records Bureau
PBoC People's Bank of China
PII Personal Identifiable Information
RE Regulated Entity
RMB Ren Min Bi
RoC Registrar of Companies
SACC Small Amount Credit Contract
SEBI Securities and Exchange Board of India
SLCC State Level Coordination Committee
SME Small and Medium Enterprise
SRO Self-Regulatory Organisation
STCC Short Term Consumer Credit
UPI Unified Payments Interface
WG Working Group

Glossary

Application Programming Interface: A set of rules and specifications followed by software programs to communicate with each other, forming an interface between different software programs that facilitates their interaction.

Artificial Intelligence: Information technology (IT) systems that perform functions requiring human capabilities. AI can ask questions, discover and test hypotheses, and make decisions automatically based on advanced analytics operating on extensive data sets.

Annual Percentage Rate: The annual rate that is charged for borrowing a loan and includes processing fees, penalties and all other charges that are applicable to the loan throughout its life.

Balance Sheet Lending: Financial service involving extension of monetary loans, where the lender retains the loan and associated credit risk of the loan on its own balance sheet.

Balance Sheet Lenders: Lenders who undertake balance sheet lending.

Blackbox AI: A system for automated decision making often based on machine learning (deep learning) over big data mapping the users’ features into classes predicting their behavioral traits which cannot be interpreted/ explained by even those who design it.

Buy Now Pay Later: A point of sale financial product where a borrower is allowed to purchase products on deferred payment basis and pays in a predetermined number of installments.

Caveat Emptor: The principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made.

Consumer Protection Risk: Derived from the definition of misconduct risk, consumer protection risk is the risk that the behaviour of a financial services entity, throughout the product life cycle, will cause undesired effects and impacts on customers.

Cooling-off Period: A period of time from the date of purchase of good or service from a distance (e.g., online, over phone or email order) within which the purchaser can change her/ his mind with return or cancellation of the purchase, as a part of Terms and Conditions of the purchase contract.

Cyber Security: Protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification, or destruction.

Digital Lending: A remote and automated lending process, majorly by use of seamless digital technologies in customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.

Digital Lending Apps: Mobile and web-based applications with user interface that facilitate borrowing by a financial consumer from a digital lender.

Embedded Credit: The lending services generated from the embedding of credit products into non-financial digital platforms.

FinTech (Financial Technology): A broad category of software applications and different digital technologies deployed by the intermediaries that provide automated and improved financial services competing with traditional financial services.

First Loss Default Guarantee: An arrangement whereby a third party compensates lenders if the borrower defaults.

Key Fact Statement: A comprehension tool in the pre-contract stage of credit process consisting of a standardized form listing all the fees, charges and other key credit information that a financial consumer needs to make informed decision which promotes transparency and healthy competition.

Glass Box Model: In a Glass Box model of AI, all input parameters and the algorithm used by the model to come to its conclusion are known imparting it better interpretability. Explainable AI (X-AI) allows humans to understand and trust the output better.

Lending Service Provider: Lending Service Provider is an agent of a balance sheet lender who carries out one or more of lender’s functions in customer acquisition, underwriting support, pricing support, disbursement, servicing, monitoring, collection, liquidation of specific loan or loan portfolio for compensation from the balance sheet lender. (A balance sheet lender must have continuing ability to handle the above functions and the lender, not the LSP, must be able to demonstrate that it exercises day-to-day responsibility for the same, when LSPs are engaged.)

Loan Flipping: The process of raising cash periodically through successive cash-out refinancings.

Loan Stacking: The process of taking out multiple loans/ credit limits by a borrower from various sources within a short period in order to reach a financial goal, both legitimate and illegitimate.

Machine Learning: A method of designing problem-solving rules that improve automatically through experience. ML algorithms give computers the ability to learn without specifying all the knowledge a computer would need to perform the desired task. The technology also allows computers to study and build algorithms that they can learn from and make predictions based on data and experience. ML is a subcategory of AI.

Market Place Lending: Use of online platform to connect financial consumers or businesses, who seek to borrow money, with investors/ lenders who are willing to buy or invest in such loans/ lend to such borrowers.

Open Texture Rules/ Standards: Those rules/ standards that allow practices to be judged on the basis of broad, flexible requirements and are commonly used as a consumer protection tool.

Pacing Problem: Time and capability gap between technological innovation/ advancement and the mechanism to regulate it.

Payday Loans: A short-term, low value, high-cost loan to cover immediate cash needs typically repayable on borrower’s next pay day or when income is received from any other source and granted without considering other financial obligations.

Payment Gateway: Payment Gateways are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

Payment Rails: Established networks or back-end systems involved in processing of cashless payments. (Examples: pre-paid wallets/ card rails, bank real time payment rails, bank batch/ bulk payment rails, card rails, carrier billing rail, check imaging rail, etc.)

Personal Identifiable Information: Information that when used alone or with other relevant data can identify an individual.

Problematic Repayment Situation: A problematic repayment situation is one when the consumer is not able to repay the debt within a reasonable time, and/ or the consumer is only able to repay it in an unsustainable way, e.g., by cutting back on essential living expenses or by defaulting on other loans.

Regulated Entity: Entities regulated by Reserve Bank of India.

Responsibilization: Subjecting financial service providers to a broad duty to treat consumers fairly but not specifying in detail how it is to be done.

Short Term Consumer Credit: The practice of lending to consumers, amounts of money that are small relative to other forms of credit in the market for short period, say, from a few days up to 12 months, at an annual percentage rate considered high compared with other credit products available to consumers.

Step-in Risk: In the context of the report, Step-in Risk refers to the risk that a balance sheet lender assumes by providing support to the LSP beyond the contractual obligations, both from reputational and substitutability point of view.

Synthetic Identity: A synthetic identity is a combination of real and fake information forming fabricated credentials, where the implied identity is not associated with a real person.

TechFin: As opposed to FinTech where traditional financial services are delivered by use of technology, TechFin is where an entity that has been delivering technology solutions launches new way to deliver financial services. In other words, FinTech takes the original financial system and improves its technology, TechFin is to rebuild the system with technology.

Travel Rule: Information required to be collected, retained and be included in every fund transfer transaction initiated by one financial institution on behalf of a customer that should travel (be passed along) to each successive financial institution in the funds transfer chain.

Vulnerable Consumers: Those consumers who are at a disadvantage in exchange relationships where that disadvantage is attributable to characteristics that are largely not controllable by them at the time of the transaction. (Andreasen and Manning, 1990)


Executive Summary

Technological innovations have led to marked improvements in efficiency, productivity, quality, inclusion and competitiveness in extension of financial services, especially in the area of digital lending. However, there have been unintended consequences on account of greater reliance on third-party lending service providers mis-selling to the unsuspecting customers, concerns over breach of data privacy, unethical business conduct and illegitimate operations. While the current share of digital lending in overall credit pie of the financial sector is not significant for it to affect financial stability, the growth momentum has compelling stability implications. It is believed that ease of accessing digital financial services, technological innovations and cost-efficient business models will eventually lead to meteoric rise in the share of digital lending in the overall credit.

The larger issue here is protecting the customers from widespread unethical practices and ensuring orderly growth. As has been seen during the pandemic-led growth of digital lending, unbridled extension of financial services to retail individuals is susceptible to a host of conduct and governance issues. Mushrooming growth of technology companies extending and aiding financial services has made the regulatory role more challenging. In view of the ease of scalability, anonymity and velocity provided by technology, it has become imperative to address the existing and potential risks in the digital lending ecosystem without stifling innovation.

Further, on a larger canvas and on a medium to long term horizon, digital innovations along with possible entry of BigTech companies may alter the institutional role played by existing financial service providers and regulated entities. A fallout of this may get reflected in blurring of regulated and unregulated financial institutions/ activities. Such developments spurred by mere commercial considerations would pose regulatory challenges in ensuring monetary and financial stability and in protecting interests of the customers. The recommendations and suggestions are aimed at addressing issues posed by digital evolution of the financial activities/ products/ institutions while ensuring ways to reap the benefits of digital innovation at the same time.

The WG recommendations would act at three levels: regulated entities of the RBI; other regulated/ authorised entities; and unregulated entities including third-party service providers functioning in the digital financial realm. The recommendations seek to protect the integrity of the system against entities that are not regulated and not authorized to carry out lending business. The onus of subjecting third-party lending service providers to a standard protocol of business conduct would lie with the regulated entities to whom they are attached. Further, an institutional mechanism is envisaged to ensure the basic level of customer suitability, appropriateness and protection of data privacy. The report further seeks to ensure that there is orderly growth in the digital lending ecosystem without it being unduly disruptive towards the existing players in the ecosystem. The idea is that the existing players in the digital lending realm should follow recommended standards of appropriateness to address conduct/ technological issues.

The approach adopted in this Report is guided by the following three principles:

  • Technology Neutrality: Neutrality towards technological differentials or business models while encouraging competition to maximize the benefits to the financial system.

  • Principle Backed Regulation: Instead of a rule-based regime, a principle-backed approach to provide sufficient scope for innovation and adaptability in a dynamic environment.

  • Addressing Regulatory Arbitrage: Addressing the arbitrage between different sets of entities in the digital lending ecosystem to ensure level playing field and market integrity.

To achieve these principles in a holistic manner, the WG has recommended a three-pronged measure on a near to medium term. Some of the key recommendations of the Working Group are enumerated below:

a) Legal & Regulatory Recommendations

Near Term (up to one year)

  • A nodal agency should be set up which will primarily verify the technological credentials of DLAs of the balance sheet lenders and LSPs operating in the digital lending ecosystem. It will also maintain a public register of the verified apps on its website.

  • Balance sheet lending through DLAs should be restricted to entities regulated and authorized by RBI or entities registered under any other law for specifically undertaking lending business. A suitable notification in this regard should be issued by the appropriate authority.

  • An SRO should be constituted covering the participants in the digital lending ecosystem.

  • All loan servicing, repayments, etc. should be executed directly in a bank account of the balance sheet lender and disbursements should always be made into the bank account of the borrower. However, borrowers having only PPI account and no bank account can be disbursed loan if the PPI accounts are fully KYC compliant.

Medium Term (above one year)

  • Central Government may consider bringing in a legislation to prevent illegal lending activities by introducing the ‘Banning of Unregulated Lending Activities Act’.

  • RBI should develop a separate framework styled as Agency Financial Service Regulation (AFSR) for all customer-facing/ fully outsourced activities of REs including LSPs.

b) Recommendations related to Technology

Near Term

  • Compliance with the prescribed baseline technology standards should be a pre-condition to offer digital lending by the REs and by LSPs providing support to REs.

  • Each DLA should have publicly available policies regarding data storage, its usage and privacy.

  • Data should be stored in servers located in India.

  • REs should document the rationale for the algorithmic features aiding lending decisions that should ensure necessary transparency.

  • Data should be collected from the borrower/ prospective borrower with prior information on the purpose, usage and implication of such data and with explicit consent of the borrower in an auditable way.

Medium Term

  • An adaptive comprehensive regulatory framework for FinTechs and TechFins.

  • Algorithm used for underwriting should be auditable and lenders shall ensure that outputs from such algorithms are knitted in ethical AI design.

c) Recommendations related to Financial Consumer Protection

Near Term

  • Each lender should provide a key fact statement in a standardized format.

  • A look-up period of certain days should be provided for all digital loans with the option of exit by paying proportionate APR without any penalty.

  • Use of unsolicited commercial communications for digital loans should be governed by a Code of Conduct.

Medium Term

  • An anti-predatory lending policy should be framed by each lender based on the characteristics to be defined by RBI/ proposed SRO.

Besides recommending concrete action points, the WG has also made several suggestions. The suggestions would require wider consultation with stakeholders and further examination by the regulators and government agencies. A gist of recommendations and suggestions along with the implementation agency is provided at the end of the report. All entities operating in the digital lending ecosystem do not come under the regulatory purview of the Reserve Bank. For entities other than regulated entities (REs) of the Reserve Bank, concerned authorities are expected to put in place similar measures as recommended/ suggested for the REs of the Reserve Bank. This would ensure holistic compliance with the recommendations/ suggestions contained in this report.


Section 1: Introduction

1.1 Constitution of the Working Group

Recent spurt of disruptive innovations and consumerization of online lending apps (‘digital lending’), both mobile and web-based, have reshaped the way financial services are structured, provisioned and consumed. In its evolution, riding on other digital cousins such as digital payment and social media, certain actors could use it for their own ends, with unintended consequences for the nascent ecosystem. Against this backdrop, the Reserve Bank had constituted a Working Group (WG) on digital lending on January 13, 2021 to study all aspects of digital lending activities in the regulated financial sector as well as by unregulated players so that an appropriate regulatory approach can be put in place. The terms of reference and names of the members of the WG are as under:

Terms of Reference

1. Evaluate digital lending activities and assess the penetration and standards of outsourced digital lending activities in RBI regulated entities;

2. Identify risks posed by unregulated digital lending to financial stability, regulated entities and consumers;

3. Suggest regulatory changes, if any, to promote orderly growth of digital lending;

4. Recommend measures, if any, for expansion of specific regulatory or statutory perimeter and suggest the role of various regulatory and government agencies;

5. Recommend a robust Fair Practices Code for digital lending players, insourced or outsourced;

6. Suggest measures for enhanced consumer protection; and

7. Recommend measures for robust data governance, data privacy and data security standards for deployment of digital lending services.

Members

Internal Members

1. Shri Jayant Kumar Dash, Executive Director, RBI (Chairman)

2. Shri Ajay Kumar Choudhary, Chief General Manager-in-Charge, Department of Supervision, RBI (Member)

3. Shri P. Vasudevan, Chief General Manager, Department of Payment and Settlement Systems, RBI (Member)

4. Shri Manoranjan Mishra, Chief General Manager, Department of Regulation, RBI (Member Secretary)

External Members

1. Shri Vikram Mehta, Former Associate of Monexo FinTech (Member)

2. Shri Rahul Sasi, Cyber Security Expert & Founder of CloudSEK (Member)

The Group conducted four meetings between January 19, 2021 and April 01, 2021 which were attended by all members and the secretarial team.

1.2 Foreground

In recent periods, a spate of digital micro-lending by various fringe entities and their dubious business conduct were flagged to RBI and Law Enforcement Agencies (LEAs), and reported in the public domain. Such incidents were grappled with by various LEAs at the State level, albeit in a non-uniform manner, after certain clarifications on the identity of regulated entities were rendered by RBI, followed up by awareness drives. This undesirable experience was the immediate prompt for constitution of the Working Group to recommend a framework to address such issues holistically.

1.3 Processes Followed

The WG adopted a four-pronged process towards the report:

(a) Discussions with Stakeholders: Formal and informal inputs were sought from academicians, regulated entities, FinTech advocacy groups, consumer interest groups, industry bodies, FinTechs, app stores, LEAs, and central and state governments. The WG received inputs from thirty-six such stakeholders and their feedback covered various aspects - legal, regulatory, technological, code of conduct, fair practices, grievance redressal, etc. A brief synopsis of such inputs is presented at Annex A. A total of ten formal interfaces were also held with important stakeholders in the digital lending arena to elicit their views on the subject. Details of interfaces and list of entities that provided their inputs to the WG are provided at Annex B.

(b) Survey and Data Analysis: A representative survey was conducted to collect data on certain aspects of digital lending in which sample data was collected from 76 Scheduled Commercial Banks (SCBs) and 75 NBFCs, out of which 48 SCBs and 13 NBFCs stated that they are not engaged in digital lending. As per the data furnished by the remaining 28 SCBs and 62 NBFCs, digital lending constituted 75 per cent and 10 per cent of total assets of banks and NBFCs respectively as on March 31, 2020. The extracts of the survey data are appended at Annex C.

(c) Review of Extant Regulatory / Supervisory Framework and Industry Practices: A detailed review was carried out covering the extant regulatory framework, prevailing practices followed by DLAs, ancillary functions performed by various outsourcing agencies and FinTechs (e.g., sourcing, appraisal, payments, collection, etc.).

(d) Review of Global Practices and Literature: The WG also reviewed internationally published literature on the subject, the global developments, approaches adopted in other jurisdictions, and the evolving views of global standard-setting bodies and assessed their suitability for Indian system.

1.4 Broad Approach

1.4.1 The WG kept in view three broad tenets while considering the best fit approach for crafting FinTech appropriate regulation for digital lending.

(a) Technology Neutrality: Regulatory approach should be neutral towards technological differentials or business models; rather be encouraging healthy competition among all players that maximize the benefits to the financial system. Technology neutrality theory would imply that what is not legal offline, cannot be legal online. Many of the trouble spots around the fringe digital lending were considered identical to the known types of undesirable lending practices in the conventional lending landscape, albeit in a digital edition. A proportionate approach of ‘same activity, same risk, same rule’ principle for the entire lending ecosystem, digital or otherwise, required up-linking of a few recommendations to the original guidelines already issued or those in the context of broader FinTech that could be prospectively issued, rather than limiting these to narrow confines of digital lending. This should also be seen to have forward compatibility in the context of approach to regulations of broader digital financial services as and when it evolves. Harmonizing market conduct rules and oversight for all comparable credit offerings for all providers and channels would also fall under this tenet. The proportionate regulatory framework for smaller players in certain key areas such as cyber security/ IT risk should have similar regulatory frameworks to avoid the ‘weakest-link’ problem that could pose risks to the payment and settlement systems.

(b) Principle Backed Regulations: A graded approach to any regulation generally moves through minimum regulation, light precautionary regulation, and strong precautionary regulation phases. As the report covers three distinctive regulatory dimensions of digital lending, it blends all the grades of regulations. For a smooth integration, a principle-backed approach has been preferred to a rule-based regime as it affords flexibility in terms of its actual application to innovations, rather than a stifling over-prescriptive regime. While a commensurate construct for the equilibrium trinity of innovation, regulation and stability for digital lending has been attempted in the report, maintaining flexibility, adaptability and continuous learning in a rapidly evolving and dynamic environment is what should be attempted in its implementation. It is rightly argued that consumer protection regulation should follow an approach of open texture rules/ standards and responsibilization rather than being a ‘command and control’ type. However, for the present context in India, the regulatory approach should include, among others, moving beyond mere disclosure and fair practice framework to more regulatory guardrails, particularly in respect of recurring issues.

(c) Addressing Regulatory Arbitrage: A sine qua non for an effective regulatory regime is to prevent the emergence of regulatory gaps and arbitrages that might arise from appearance of new service providers, innovative products, etc., which are like those being regulated in respect of the incumbent players. A level playing field is key to ensure not only fair competition but also consumer protection. The same regulatory conditions and supervision should apply to all actors who seek to innovate and compete on FinTech: incumbent banks, FinTech start-ups and BigTech firms. These efforts should be towards better consumer protection and market integrity.

1.4.2 The WG recognizes the increasing significance of ‘digital lending’ in the financial ecosystem, particularly in the realms of financial inclusion, access and SME financing spawning a compulsive case for an ecosystem of partnership. Like any emerging business models, there are bound to be structural gaps and operating issues in digital lending ecosystem. The inevitability of its growth to match the nonpareil maturation of digital payment systems in India, warrants a shift from minimum-regulation approach in nascent stage to align to the truism that financial sector cannot be left to self-regulation. Given the maturity level of the evolving ecosystem for digital lending and potential grey areas for regulatory/ legal arbitrageurs, the WG determined that there may be a need for multiple agency approach/ frameworks required to address the issues in entirety, supported by central legislations/ notifications wherever required. Hence, the recommendations essentially capture the issues in perspective and seek to create an environment where the agency roles can be more transparent with necessary identifiers to shine light on the bad actors. In the absence of laws with specific provisions to address the issues, regulation should measure up for mitigating the risks.

1.4.3 Recognizing the tradeoff between consumer convenience, the leitmotif of digital financial services, and consumer protection, the need for a very fine balance while laying clear ground rules has also been weighed in. Responsible lending will remain a distant goal without customer awareness and watchful enforcement. However, while recommending regulations, on balance, protection of financial consumers’ interest would always weigh heavier than the interest of innovation. Although the digital lending canvas is much larger, the focal problem points in the recent digital lending (‘one-click credits’) episodes have been small value (nano/ micro) unsecured/ non-income generating loans to financial consumers. There is a lack of a comprehensive regulatory framework in consumer lending through DLAs from origination to debt collection and its administration including the business of providing credit references.

Section 2: Digital Lending Landscape

The world has been talking about Bank 4.0 since 2014 indicating arrival of 4th generation in evolution of financial services comprising FinTech, online/ mobile banking, virtual global market and questioning the sustainability of conventional banking. The book “Bank 4.0” by Brett King published in 2018 carried the sub-title “Banking Everywhere, Never at a Bank”. India has been whetting its appetite for digital transformation in financial services, slowly but steadily. Digital lending is one of the most prominent off-shoots of FinTech in India. The digital/ FinTech lending has to be seen in the overall context of the FinTech eco system per se, stylised in the following diagram.

[Figure 2.1]

It’s another matter that the trend of Bank 5.0[1] has already been set in motion, riding on cognitive banking, embedded banking, decentralised finance, robo-advisors, hybrid robo-advisors and bots, responsible banking.

2.1 Meaning: Digital Lending

Financial Stability Board (FSB) has defined FinTech as “technologically enabled innovation in financial services that could result in new business models, applications, processes or products with an associated material effect on financial markets and institutions and the provision of financial services”. In the absence of a universally acceptable definition of the term ‘digital lending’, FSB definition of the term ‘FinTech credit’[2] as all credit activity facilitated by electronic platforms whereby borrowers are matched directly with lenders comes close. This definition has been loosely explained by FSB to include market place lending i.e., lending financed mostly from wholesale sources and non-loan obligations, such as, invoice trading. FSB has also classified ‘peer-to-peer lending’ and ‘loan-based crowdfunding’ as the main components of FinTech credit. Taking cognizance of the lack of a universally acceptable comprehensive definition of ‘FinTech credit’ or ‘digital lending’, this report has not attempted to define this term, as new models and approaches are still evolving. One generally accepted feature of digital lending is that it means ‘access of credit intermediation services majorly over digital channel or assisted by digital channel’. For the purpose of this report, the characteristics that are essential to distinguish digital lending from conventional lending are use of digital technologies, seamlessly to a significant extent, as part of lending processes involving credit assessment and loan approval, loan disbursement, loan repayment, and customer service.

2.2 Digital Lending Eco-System

In India, digital lending ecosystem is still evolving and presents a patchy picture. While banks have been increasingly adopting innovative approaches in digital processes, NBFCs have been at the forefront of partnered digital lending. From the digital lending perspectives, such lending takes two forms, viz. balance sheet lending (BSL) and market place lending (MPL), aka platform lending. The difference between BSL and MPL lies where the lending capital comes from and where the credit risks of such loans reside. Balance Sheet Lenders are in the business of lending who carry the credit risk in their balance sheet and provide capital for such assets and associated credit risk, generated organically or non-organically. Market Place Lenders (MPLs) or Market Place Aggregators (MPAs) are those who essentially perform the role of matching the needs of a lender and borrower without any intention to carry the loans in their balance sheet. While P2P lending in India is a clear example of MPL, many other players who are in the business of originating digital loans, (e.g., MPAs, FinTech platforms or the so called ‘neo banks’ or BNPL players) with the intention of transferring such digital loans to BSLs, can also be bracketed with MPLs/ MPAs. These categories of market players form part of the broader class of Lending Service Providers (LSPs).

An illustration of digital lending taxonomy in a universal context is provided in Figure 2.2 below.

[Figure 2.2]

Another noteworthy development in recent years has been the entry of technology service providers of various forms, in addition to the existing ones, into the financial sector creating a larger universe for the ecosystem (Fig 2.3).

[Figure 2.3]

For this report, the ecosystem of entities engaged in digital lending has been broadly segregated into two categories, viz. (i) Balance Sheet Lenders (BSLs) and, (ii) Lending Service Providers (LSPs). The latter category encompasses both the services being provided and the service providers. An entity can perform the roles of both BSL as well as LSP, as is usually the case of traditional lenders.

2.3 Global Scene

Post global financial crisis, financial markets around the world have undergone a significant transformation driven by technological innovation. In credit segment, P2P lending platforms have emerged as a new category of intermediaries, which are either providing direct access to credit or facilitating access to credit through online platforms. Besides, there are companies primarily engaged in technology business which have also ventured into lending either directly or in partnership with financial institutions. Such companies include ‘BigTechs’, e-commerce platforms, telecommunication service providers, etc. In digital lending space, we have global examples of Person-to-Person (P2P), Person-to-Business (P2B), Business-to-Person (B2P), Business-to-Business (B2B) lending models.

A paper[3] published by BIS has estimated total global alternative credit (i.e., credit through FinTechs and BigTechs) in 2019 at USD 795 billion in which share of FinTechs and BigTechs is around USD 223 billion and USD 572 billion respectively. China, USA and UK are the largest markets for FinTech credit. BigTech has exhibited rapid growth in Asia (China, Japan, Korea and Southeast Asia), and some countries in Africa and Latin America. The largest market for both FinTech credit and BigTech credit is China, although of late, it has shown signs of contraction due to certain market and regulatory developments. While USA is the second largest market for FinTech credit, its share in BigTech credit is comparatively small. In BigTech credit, Japan is the second largest market with USD 23.5 billion lending in 2019. In UK, FinTech credit volumes are estimated at USD 11.5 billion in 2019 (up from USD 9.3 billion in 2018). The BIS paper has highlighted that FinTech credit volumes are growing decently in European Union, Australia and New Zealand while these have stagnated in USA and UK and declined in China. In many emerging market and developing countries, FinTech lenders are attaining economic significance in specific segments such as small and medium-sized enterprises.

2.4 Indian Scene

2.4.1 Digital Lending vis-à-vis Physical Lending

Based on data received from a representative sample of banks and NBFCs (representing 75 per cent and 10 per cent of total assets of banks and NBFCs respectively as on March 31, 2020), it is observed that lending through digital mode relative to physical mode is still at a nascent stage in case of banks (₹1.12 lakh crore via digital mode vis-à-vis ₹53.08 lakh crore via physical mode) whereas for NBFCs, higher proportion of lending (₹0.23 lakh crore via digital mode vis-à-vis ₹1.93 lakh crore via physical mode) is happening through digital mode.

[Chart 2.1]

In 2017, there was not much difference between banks (0.31 per cent) and NBFCs (0.55 per cent) in terms of the share of total amount of loan disbursed through digital mode whereas NBFCs were lagging in terms of total number of loans with a share of 0.68 per cent vis-à-vis 1.43 per cent for banks. Since then, NBFCs have made great strides in lending through digital mode.

2.4.2 Share of Digital Lending

Overall volume of disbursement through digital mode for the sampled entities has exhibited a growth of more than twelvefold between 2017 and 2020 (from ₹11,671 crore to ₹1,41,821 crore).

[Chart 2.2]

Private sector banks and NBFCs with 55 per cent and 30 per cent share respectively are the dominant entities in digital lending ecosystem. Also, share of NBFCs has increased from 6.3 per cent in 2017 to 30.3 per cent in 2020 indicating their increasing adoption of technological innovations. During the same period, public sector banks have also increased their share significantly from 0.3 per cent to 13.1 per cent. The prominent role of NBFCs in fostering digital mode of lending is reflective of the flexible regulatory regime (vis-à-vis banks) meant for NBFCs.

2.4.3 Product Profile

2.4.3.1 Product mix based on loan purpose

The major products disbursed digitally by banks are personal loans followed by SME loans. A few private sector banks and foreign banks are also offering Buy Now Pay Later (BNPL) loans. Loans under ‘others’ category for banks comprise mostly of small business and trade loans, home loans and education loans.

[Chart 2.3]

Majority of loans disbursed digitally by NBFCs are personal loans followed by ‘others’ loans. In case of NBFCs, ‘others’ loans primarily include consumer finance loans. Even though the amount disbursed under BNPL loans is only 0.73 per cent (SCBs) and 2.07 per cent (NBFCs) of the total amount disbursed, the volumes are quite significant indicating a large number of small size loans for consumption.

2.4.3.2 Product mix based on loan tenure

One difference between banks and NBFCs is in terms of tenure of loans disbursed through digital channels. While around 87 per cent of loans amounting to ₹0.98 lakh crore disbursed by banks have tenure of more than one year, for NBFCs only 23 per cent of the loans amounting to ₹0.05 lakh crore fall under this bucket.

[Chart 2.4]

On the contrary, loans with tenure of less than 30 days have maximum share in case of NBFCs (37.5 per cent amounting to ₹0.9 lakh crore) vis-à-vis 0.7 per cent amounting to ₹0.007 lakh crore for banks.

2.4.4 Source of DLAs among Regulated Entities

While public sector banks and foreign banks have been observed to largely depend on their own apps/ websites for disbursal of digital loans, the dependency of private sector banks on outsourced/ third-party apps is significantly higher. Credit offered through digital channels by public sector banks is mostly secured whereas for private sector banks and foreign banks, most of the digital lending portfolio is unsecured and specifically, the third-party app sourced loans in private sector banks are unsecured. In case of NBFCs, there is not much difference between disbursal through own digital channels and third party digital channels with some skew towards own channels (57 per cent).

2.4.5 Density of DLAs and illegal players

2.4.5.1 As per the findings of the WG, there were approximately 1100 lending apps available for Indian Android users across 80+ application stores (from January 01, 2021 to February 28, 2021). Details are as under:

| Particulars | Count |
|---|---|
| No. of App Stores in which Indian loan apps are available | ~81 |
| No. of unique Indian loan apps that have the keywords: loan, instant loan, quick loan, etc. | ~1100 |
| No. of illegal[4] loan apps | ~600 |

Table 2.1

2.4.5.2 Complaints against DLAs – Sachet, a portal established by the Reserve Bank under State Level Coordination Committee (SLCC) mechanism for registering complaints by public, has been receiving significantly increasing number of complaints against digital lending apps (around 2562 complaints from January 2020 to March 2021). Majority of the complaints pertain to lending apps promoted by entities not regulated by the Reserve Bank such as companies other than NBFCs, unincorporated bodies and individuals. Another significant chunk of complaints pertains to lending apps partnering with NBFCs especially smaller NBFCs (asset size of less than ₹1000 crore). Geographical and time-line wise distributions of these complaints are provided in following tables:

| State | Number of Complaints received[5] |
|---|---|
| Maharashtra | 572 |
| Karnataka | 394 |
| Union Territory of Delhi | 352 |
| Haryana | 314 |
| Telangana | 185 |
| Andhra Pradesh | 144 |
| Uttar Pradesh | 142 |
| West Bengal | 138 |
| Tamil Nadu | 57 |
| Gujarat | 56 |

Table 2.2
 
| Period | Number of Complaints received |
|---|---|
| February to July 2020 | 85 |
| September to November 2020 | 133 |
| December 2020 | 919 |
| January 2021 | 661 |
| February 2021 | 392 |
| March 2021 | 250 |

Table 2.3

Post issuance of the press release[6] dated December 23, 2020 by the Reserve Bank cautioning public against unauthorised digital lending platforms/ mobile apps and creating awareness to register complaints against such lenders on Sachet, a significant increase in complaints was observed with December 2020 recording the maximum number of complaints at over 35 per cent of the total complaints. These are still early days, but the trends are indicating a steady decline in complaints since January 2021.

2.4.5.3 Actions taken by Google Play Store against digital lending apps reported by the enforcement authorities are given below:

| Sr. No. | Enforcement authority | No. of reported apps by the enforcement authority | Actions taken |
|---|---|---|---|
| 1. | Cyberabad Commissionerate, Hyderabad | 115 | 58 were removed for policy violation; 17 were found to be compliant; 17 were unpublished by the developers; 10 were removed from Play Store in India for failing to respond, pending submissions of documents by the developers; 5 URLs were not Play App URLs, nor did they relate to any other Google product; 4 were duplicate URLs; 2 of the links were Play Store search page URLs that did not identify specific apps that were a part of their investigation; 2 URLs did not link to any app |
| 2. | Rachakonda Commissionerate, Hyderabad | 17 | 9 were removed for policy violation; 5 were removed from Play Store in India for failing to provide NBFC certification, pending submissions of documents by the developers; 2 were found to be compliant; 1 was unpublished by the developer |
| 3. | Office of Commissioner of Police, Chennai | 17 | 9 were removed for policy violation; 5 were removed from Play Store in India for failing to provide NBFC certification, pending submissions of documents by the developers; 2 were found to be compliant; 1 was unpublished by the developer |
| 4. | Intelligence Bureau, Ministry of Home Affairs | 214 | 115 were removed for policy violation; 63 were found to be compliant; 24 were unpublished by the developer; 12 were removed from Play Store in India for failing to provide NBFC certification, pending submissions of documents by the developers |
| 5. | MeitY | 27 | 14 were removed for policy violation; 7 were unavailable; 4 were found to be compliant; 3 were unpublished by the developer; 1 URL was broken |

Table 2.4

2.5 Trends and Future

If past performance is key to predict the future, then it can be unambiguously stated that digital lending is the way to go. In not-so-distant future, lending in general and especially retail and MSME lending through physical mode may be rendered obsolete as is the case with operational banking today. It makes sense for banking transactions to take newer shape as purchases, payments and record-keeping go digital. The growth in digital lending over last five years, when other enabling factors and supporting infrastructure were still evolving, has been phenomenal and it is time for digital lending to operate in full swing, enabled by support and participation from all stakeholders. As per a Report[7], India had highest FinTech adoption rate of 87 per cent as of 2020. This report values Indian FinTech market at ₹8.35 lakh crore by 2026 in comparison to ₹2.3 lakh crore in 2020 thus expanding at a compound annual growth rate of ~24.56 per cent.

Section 3: Regulatory Policy Approach to Digital Lending

From a regulatory policy outlook, the FinTech landscape can be divided into two spheres, viz. Incrementalistic FinTech and Futuristic FinTech[8]. The former uses new data, algorithm, software applications to perform traditional financial service provisions without significant change in the underlying functions. The latter disrupts the financial markets in manners that effectively supersede regulation. The work of the WG is generally centered around the first sphere of FinTech which is under current focus.

3.1 Extant Indian Legal Regimes

In India, lending activity, online or otherwise, is governed by following laws, in addition to various regulatory instructions issued by RBI for its regulated entities:

3.1.1 Banking Regulation (BR) Act, 1949: Business of banking as defined in Section 5(b) of the BR Act, includes providing loans inter alia by a banking company, through online mode or otherwise. All banks (public and private sector) including small finance banks, regional rural banks and co-operative banks are required to get themselves registered with the Reserve Bank for undertaking digital lending.

3.1.2 Reserve Bank of India (RBI) Act, 1934: Besides banks, NBFCs, complying with principal business criteria are required to be registered with RBI as per provisions of RBI Act. For this purpose, an NBFC is defined as a company registered under the Companies Act whose principal business is financial activity i.e. business of loans and advances, acquisition of shares/ stocks/ bonds/ debentures/ securities issued by Government or local authority or other marketable securities of a like nature, leasing, hire-purchase, insurance business, chit business. This does not include any institution whose principal business is agriculture activity, industrial activity, purchase or sale of any goods (other than securities) or providing any services and sale/ purchase/ construction of immovable property.

Further, financial activity is treated as principal business when a company’s financial assets constitute more than 50 per cent of the total assets and income from financial assets constitute more than 50 per cent of the gross income. A company fulfilling both these criteria is required to get itself registered as an NBFC with RBI. The term 'principal business' is not defined under the RBI Act. RBI has defined it to ensure that only companies predominantly engaged in financial activity are subject to its regulation and supervision. Hence, if there are companies engaged in agricultural operations, industrial activity, purchase and sale of goods, providing services or purchase, sale or construction of immovable property as their principal business and are doing some financial business in a small way, they are not required to get themselves registered with RBI.

To obviate dual regulation, certain categories of NBFCs, regulated by other regulators, have been exempted from the requirement of registration with RBI, viz. alternative investment fund companies/ merchant banking companies/ stock exchanges/ stock broking companies registered with SEBI, insurance companies registered with IRDAI, Nidhi companies/ mutual benefit companies under Companies Act, and chit companies under Chit Funds Act.

3.1.3 Companies Act, 2013: Companies, which are not meeting principal business criteria for registration as an NBFC with RBI, can also undertake lending activities subject to applicable provisions of the Companies Act, 2013 such as Section 186[9] of the Companies Act, 2013 which prescribes certain restrictions on the loan amount and minimum interest rate for such loans. Besides, there are nidhi companies/ mutual benefit companies which are permitted to receive deposits from and lend to their members as per provisions of Section 406 of the Companies Act, 2013 and ‘Nidhi Rules, 2014’.

3.1.4 State Money Lenders Acts: The Constitution of India has conferred the power to legislate on matters relating to money lending and moneylenders to the States. Most of the states have their respective money lenders legislations in place (Annex D). Many of these are comprehensive legislations providing detailed and stringent provisions for regulation and supervision of the money lending business. These legislations contain provisions aimed at protecting the borrowers from malpractices of the moneylender. Some of the salient aspects of these laws are as below:

  1. Registration requirement for carrying on the business of money lending in the State

  2. Maintaining and providing statement of accounts to the debtors

  3. Powers to prescribe maximum interest rate

  4. Penalties for carrying on business without licence and for intimidating the debtors or interfering with their day-to-day activities, including the cognizability of such offences

  5. Dispute resolution mechanism

3.1.5 Chit Funds Act, 1982: Chit Fund companies are regulated under the Chit Funds Act, 1982, which is a Central Act, and is implemented by the State Governments. Those chit funds, which are registered under this Act, can legally carry on chit fund business which involves contributions by members in instalments by way of subscription to the chit and each member of the chit receives the chit amount by rotation.

3.1.6 Others: In addition to the above, there are other entities carrying out lending activities which are governed by their specific Acts (and other applicable laws) such as State Finance Corporations, Regional Rural Banks, Life Insurance Corporation of India and Credit Societies.

3.2 Global Regulatory Practices

3.2.1 A comparative study of global regulatory practices in respect of ‘FinTech platform financing’ has been undertaken by Bank for International Settlements (BIS) in its publication released in August, 2020[10]. FinTech platform financing has been defined as a mechanism for intermediating financing over the internet using an electronic platform. However, this does not include banks (deposit-taking institutions that are members of a deposit insurance scheme), for which this activity has been separately classified as digital banking. FinTech platform financing is further bifurcated under following sub-categories:

(i) FinTech balance sheet lending: This has been defined as electronic platforms using their own balance sheet in the ordinary course of business to intermediate between borrowers and lenders.

(ii) Crowdfunding: This has been defined as matching persons/ entities needing funds with those who are willing to provide these funds for a financial return. Depending on the type of funding, it is further distinguished between loan crowdfunding and equity crowdfunding. Crowdfunding facilitates establishment of individual contracts between those seeking funds and those seeking to invest/ lend, and the platform, by itself, does not undertake risk transformation.

3.2.2 Most jurisdictions do not have any specific regulatory framework for FinTech balance sheet lending and it is governed by regulations applicable to other non-bank lending institutions as described below:

(i) Banking license: Some jurisdictions require every entity engaged in lending money and concluding loan agreements to necessarily hold a banking license e.g., Austria and Germany. These jurisdictions classify commercial lending as a regulated banking business. However, regulatory requirements are applied in a proportionate manner.

(ii) Non-bank license: For non-bank lenders, there are several frameworks which include regulation of those entities which are primarily engaged in lending business as well as those which undertake lending along with other activities. A brief about these frameworks is as below:

a) Money lenders: In Hong Kong Special Administrative Region (Hong Kong SAR), any person/ corporation providing loans is required to get a money lender’s licence. Similarly, in Japan, any non-bank lender must register itself as a money lending business operator.

b) Non-bank financial intermediaries/ lenders: In Italy, non-bank financial intermediaries are required to obtain authorization from the Bank of Italy for providing financing in any form and are subject to a prudential supervisory framework akin to banks. In the United States, non-bank lenders are required to comply with applicable state laws regulating money lending.

c) Investment funds: In the European Union, alternative investment fund managers using investment funds for lending are subject to authorization requirements under the ‘Alternative Investment Fund Managers Directive’.

(iii) No license requirement: In some jurisdictions, lending business of non-bank entities is not regulated under any specific financial law, and they are subject to requirements of applicable commercial law. Besides, there are usury laws mandating limits on interest rates e.g., lending by non-banks in Peru is not regulated but subject to an interest rate ceiling that is established by the Peruvian Central Bank.

3.2.3 In Brazil, regulations[11] have been prescribed for direct credit companies (called Sociedades de Crédito Direto, SCD) which can carry out lending business exclusively through an electronic platform. In addition to balance sheet lending, SCDs are also permitted to (i) provide credit analysis to third parties; (ii) undertake collection for third parties; and (iii) act as insurance representatives and electronic money issuer in accordance with relevant regulations as applicable for these activities. SCDs are not allowed to raise funds from the public, except by issuing shares, and must operate from their own capital.

3.2.4 The China Banking and Insurance Regulatory Commission (CBIRC) and the People's Bank of China (PBoC) have jointly released interim rules[12] on online micro loan business for feedback on November 2, 2020. These rules, inter alia, cover following aspects: a) requiring online micro lending company (MLC) to operate only in the province of their registration; b) approval of CBIRC for any cross-provincial business operation; c) criteria on registered capital (starting from RMB 1 billion going up to RMB 5 billion for cross-provincial operations), and controlling shareholders, d) relevant limits in terms of amount, purpose, and joint lending (minimum 30 per cent of the total loan amount to be contributed by MLCs for loans lent jointly with banks), e) measures to strengthen management, standardize equity management, fund management, and consumer rights protection, f) setting out supervisory rules and measures, etc.

3.2.5 In most jurisdictions, regulatory framework for crowd-funding platforms includes registration requirement, a minimum amount of paid-in capital, list of permitted activities, governance norms, business continuity planning, and disclosure requirements.

3.3 The Case for Regulatory/ Supervisory Review in India

In recent times, technological innovations have brought about growth in digital financial services, including digital lending, at exponential rate. While the regulator-led developments in India, such as that in payment space, come with a basic regulatory perimeter around it ab initio, market-led innovations always reveal certain initial regulatory and enforcement lags which need to be verged upon. Globally, in digital lending, an ex-post approach is preferred to an ex-ante approach for a more proportionate intervention, which supports both innovation and competition. The WG identified cases for regulatory/ supervisory interpositions in three areas of digital financial services. While the current section deals with regulations around digital financial services, the following two sections deal with technology and consumer protection issues respectively.

3.3.1 Regulatory Perimeter

3.3.1.1 The assumption that because something is technologically possible, it should be allowed, is flawed and needs to be challenged: the law or regulation cannot just be wished away[13]. Lending activity, whether online or otherwise, by any legitimate lender is governed by the respective applicable legislation. Apart from these legitimate lenders engaged in balance sheet lending organically, there are essentially two types of entities operating in the digital lending ecosystem which require attention:

(i) Lending Service Providers (LSPs): In the context of digital lending, these are essentially technology-centric entities which act as both core and ancillary lending service providers. The services provided by LSPs include providing a marketplace for the lenders as well as the borrowers, loan sourcing, underwriting, collection services for repayments, data aggregation & analysis, rating services, etc. Within LSPs, there are two types of entities:

a) Entities regulated by the financial sector regulators such as credit information companies, NBFC-Account Aggregator (NBFC-AA), NBFC-Peer to Peer Lending Platform (NBFC-P2P) regulated by RBI; and credit rating agencies regulated by SEBI

b) Entities not specifically regulated by any financial sector regulator

Technically, LSPs are not undertaking ‘business of a financial institution’ as defined under the RBI Act and the loans, which are sourced, appraised or serviced by them, are not their assets. Generally, LSPs are acting in partnership with a bank or an NBFC and therefore, their activities are governed by the guidelines on outsourcing of financial services issued for banks/ NBFCs by RBI. However, similar guidelines on outsourced activities by other balance sheet lenders (i.e., excluding banks/ NBFCs) are not in place thus precluding LSPs partnering with them from any specific scrutiny.

(ii) Fringe lenders: These are shadow balance sheet lenders which operate without getting themselves registered for lending activities with the concerned authorities, thus creating an informal market. Considering the anonymity and velocity provided by technology, it is a challenging task to identify and monitor such fraudulent platforms/ applications on real time basis.

3.3.1.2 Rent-an-NBFC model by digital lenders: A synthetic structure enabling unregulated entities to lend without complying with prudential norms is through credit risk sharing arrangements by way of a “First Loss Default Guarantee (FLDG)” extended by the LSPs. Under this, the LSP provides certain credit enhancement features such as first loss guarantee up to a pre-decided percentage of loans generated by it. From the LSP’s perspective, offering FLDG acts as a demonstration of its under-writing skills whereas from the lender’s perspective, it ensures platform’s skin in the business. For all practical purposes, credit risk is borne by the LSP without having to maintain any regulatory capital. The loan portfolio backed by FLDG is akin to off-balance sheet portfolio of the LSP wherein the nominal loans sit in the books of the lender without having to partake in any lending process. In some cases, the LSP, as a non-banking non-financial company (NBNC) may be undertaking balance sheet lending in partnership with a bank/ NBFC or on stand-alone basis, while not satisfying the principal business criteria to remain outside regulation. Besides, there are higher operational risks which arise due to increasing reliance of lenders on third-party service providers. With increasing share of digital lending in retail/ personal space, there is a potential for risk build-up because of these platforms. This may also be adding to counterparty risks posed by the platform to its lending partners.

3.3.1.3 Shadow Lending: Conduct of financial service under digital anonymity and layering under regulated entities in varied forms is also a cause of concern. Many players operating in the digital lending ecosystem are not required to be registered with a financial sector regulator. This coupled with anonymity provided by internet, country of origin, involvement of different entities in the life-cycle of a loan and lack of clear demarcation between actual balance sheet lender and LSPs raise multiple strategic concerns besides those related to money laundering.

3.3.1.4 Payments Banks: The objective of setting up Payments Banks (PBs) with a structured licensing process was to provide small savings accounts and payments/ remittance services to migrant labor workforce, low-income households, small businesses, and other unorganized users. The PBs are eligible for conversion into a Small Finance Bank (SFB) after five years of operations. Since they are not permitted to lend, currently they act as LSP for other NBFCs/ banks.

3.3.2 Supervisory Enforcement Concerns

3.3.2.1 Supervisory enforcement in respect of the DLAs running afoul of expected conduct has been hobbled by three broad factors, viz. (i) the majority of DLAs were neither regulated nor related/ linked to any regulated entity, (ii) NBFCs linked to certain DLAs were smaller ones, subject to light-touch supervision, and (iii) effective deterrence would have involved a multi-agency approach, for which no established mechanism existed. The challenges required agencies to police the boundaries between the orthodox financial system and the world of digital lending, practically in a black box.

3.3.2.2 Some of the NBFCs holding CoR can undertake both physical and digital lending, but do not even have a website. It had been reported in media that certain ill-reputed foreign investors employ methods, such as “borrowing” an NBFC licence, or using a Variable Interest Entity (VIE) structure to circumvent Indian laws for digital lending.

3.3.2.3 Engagement of multiple entities in entire lending process without any audit trails also raises concerns around money laundering. There is a need to put a mechanism in place to distinguish between genuine and fraudulent operators. To monitor and report such entities on real-time basis, financial consumers need to be empowered with sufficient information and tools to do so.

3.3.2.4 Globally, the regulatory/ supervisory bandwidth to deal with digital lending has been under continuous upgradation. The experiment of FCA, UK, with the Bank of England to reduce the ‘compliance burden’ through digital regulatory reporting by regulated entities may be a natural fit for supervisors of digital lending in India as well. Through ‘TechSprints’ events they are exploring Distributed Ledger Technology (DLT) and Natural Language Processing (NLP) technology to set standards and procedures in regulation, compliance as also in transactional applications and maintenance of databases of REs.

3.3.3 Financial Stability Linkages

3.3.3.1 Digital lending does improve financial stability from efficiency gains, disintermediation, diversification of credit market landscape and improving certain structural imbalances by directly tying up with investors with matching liquidity and risk bearing capacity. However, it has a flip side of equal proportion. Potential problems are magnified by operational weaknesses and insufficient disclosures paired with potential conflicts of interest, as well as a lack of dedicated resolution frameworks and limited regulatory oversight.

3.3.3.2 An article written by Prof. William Magnuson in Bloomberg in September 2017, titled “The Next Crisis Will Start in Silicon Valley: Forget Wall Street. Worry about FinTech” had drawn the attention of financial sector regulators to the new vector for potential financial instability. Financial innovation and financial liberalisation have traditionally preceded stresses in the financial system. The sudden emergence of new types of players, outside the proper regulatory perimeter, providing alternate lending services amounts to financial liberalisation. Currently, the share of digital lending in overall credit is too small to have any significant impact on financial stability. However, given their ease of scalability, it may assume greater significance sooner than later. It is, therefore, pertinent to address existing and potential risks while leveraging on the benefits of emerging FinTechs.

3.3.3.3 Depending on the level of direct and indirect exposures of the traditional banking to online lending sector, a key financial stability risk is the potential spill over of losses originating in online lending to the broader financial system. Critical interdependence among each constituent of the digital lending ecosystem has potential for seamless transmission of risks, at times with amplifications, from unregulated entities to regulated entities. The determining factors of impact of digital lending, going forward, on financial stability, would include the following:

(i) Degree to which the traditional banking function of lending is driven through FinTech by entities which relatively lack banking experience as well as track record. During a cycle of downturn or stress, this could potentially affect stability by creating unknown system vulnerabilities.

(ii) Degree to which the FinTech behind digital lending creates interconnectedness through higher complexity and additional points of failures.

(iii) Degree to which digital lending affects concentration risk with rapid rise of alternate lending mechanism in certain market segments and level of their substitutability.

(iv) Degree to which it fragments the design and delivery of loan products across several providers and platforms, blurring the responsibility for operational risks, customer suitability, compensation, etc.

(v) Degree of over-reliance on automated credit under-writing involving opaque/ complex processes with rapid propagation of risks. AI/ ML may amplify systemic risk if more lenders adopt similar optimization algorithms to manage their risk management functions. The result may be a financial system that is increasingly procyclical when shocks materialize.

3.3.3.4 The LSPs largely depend on the data generated in their normal business or gathered from other sources to expand their outreach and their foray into financial arena raises certain concerns such as new forms of concentration risk, systemic risk, market power, regulatory arbitrage, customer protection, data privacy and cyber security. There is no doubt that emergence of TechFin entities contributes towards increasing competition, furthering financial inclusion, introducing innovation, and improving overall efficiency of financial services but the downside risks call for evaluating the need for a review of current regulatory framework applicable to their business. The broader debate on regulatory arbitrage focuses on two aspects. First, banks may shift capital-intensive activities to online lending platforms leading to regulatory leakage and, second, online lending platforms may continue to gradually adopt services which are at the core of bank-based financial intermediation.

3.3.3.5 The above concerns were more pronounced in the case of fringe digital lenders. However, the need for some of the regulated entities improving their behaviour on this front was also conspicuous. Hence, the report is more focused on consumer finance rather than business finance through digital lending. There may be certain other prudential regulatory concerns in digital lending models affecting the intermediaries themselves (e.g., holding structure, governance, risk management, operational resilience etc.), and financial stability risks (requiring data and information gathering and analysis, emerging regulatory intervention etc.), which have not been directly covered in this report.

3.3.4 Balancing Risks and Innovations

In a BIS paper published in February 2021¹⁴, it has been argued that public policy goals such as financial stability, market integrity and consumer protection should take precedence in the objectives of financial regulation in comparison to creating a level playing field. Further, complete homogenisation of the requirements to be satisfied by different types of players does not necessarily result in more and fair competition. In some areas, such as consumer protection, anti-money laundering/ combating the financing of terrorism (AML/ CFT), and conduct of business, an activity-based approach may be needed to achieve the primary policy goals whereas in others, such as financial stability, an entity-based approach would be more appropriate. While framing the regulations for the financial sector, Reserve Bank has always been conscious of the fact that the degree of regulation of a financial entity should be commensurate with the risk the entity poses to the financial system and the scale of its operations. This approach has also been advocated in the circular on ‘Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs’ issued on October 22, 2021.

3.4 Recommendations and Suggestions on Statutory-Regulatory Approach

Besides recommending concrete action points, the WG has also made several suggestions. The suggestions would require wider consultation with stakeholders and further examination by the regulators and government agencies.

3.4.1 Calibrating Existing Regulations

3.4.1.1 Since lending is a responsible activity and the use of the digital channel amplifies its impact velocity, balance sheet lending through DLAs should be restricted to entities regulated and authorized by RBI or entities registered under any other law for specifically undertaking lending business, for which a suitable notification may be issued by appropriate authority¹⁵.

(Recommendation - GoI)

Regulatory bodies for other authorized lenders such as credit societies, registered money lenders, non-banking non-finance companies (NBNCs), etc. may consider stipulating appropriate guidelines consistent/ proportionate with that of RBI, to prevent/ minimize environment of regulatory arbitrage in the businesses of digital lending.

(Suggestion - GoI)

3.4.1.2 Partnership between LSPs and BSLs in digital lending is a ground reality and should be encouraged with appropriate transparency in the interest of consumers.

(a) In order to avoid creation of operational grey areas in the process and for the sake of better transparency, all loan servicing, repayment, etc., should be executed directly in a bank account of the balance sheet lenders without any pass-through account/ pool account of any third party. The disbursements should always be made into the bank account of the borrower. Use of pre-paid instruments (PPIs) (cards/ wallets), in addition to bank accounts, may be permitted when full inter-operability among PPIs is implemented. However, borrowers having only PPI account and no bank account can be disbursed loan if the PPI accounts are fully KYC compliant. Any fees, etc., payable to LSPs as per agreement with lender, should be paid by the lenders, and not received by them directly from the borrower.

(Recommendation - RBI)

(b) The LSP agreement for the balance sheet lenders needs to be as per a uniform model to be brought out by the proposed SRO.

(Suggestion - RBI/ SRO)

(c) New digital lending products involving short term, unsecured/ secured credits going under the guise of deferred payments or the like, such as BNPL should be treated as part of balance sheet lending, if not in the nature of operational credit by merchants. Since these products do not meet the requirements of traditional credit facilities, a suitable notification may be issued by the Government of India in this regard.

(Suggestion - GoI)

3.4.1.3 There is a need to expand the reach of established/ formal digital channels for digital lending to crowd out the fringe lenders. Other entities, such as web aggregator of loan products, considered critical to digital lending should be considered as LSPs and may need to be subjected to discipline and code of conduct by the regulated entities to which they are attached.

(Suggestion - RBI/ SRO)

3.4.1.4 Broadening the coverage of credit reporting systems will enable lenders to make better credit decisions for a wider segment of consumers.

(a) Mandatory submission of information to Credit Information Companies (CICs) by a broader group of lenders will break the perpetuation of data marginalization of certain vulnerable groups. Reporting to CICs in respect of all lending carried out through DLAs should be ensured at a shorter interval compared to conventional reporting. This will ensure less dependence on alternate data for financial consumers as more and more of them would develop formal credit history for themselves. Further, it will offer wider choices/ competitive pricing for consumers. Lending done through DLAs must be reported to CICs irrespective of its nature/ tenure. In order to disincentivize lenders from delayed or non-reporting, non-adherence to timely credit reporting for a loan exposure to CICs can be a trigger for RBI to restrict certain activities at the post origination stage, like assignment/ securitization of specific loans or recovery enforcement process with regard to specific loans, etc. The onus of proof of appropriate reporting will lie with the balance sheet lender.

(Recommendation - RBI)

(b) In order to prevent loan targeting/ marketing by digital lenders based on credit reports obtained from Credit Institutions under Credit Information Companies (Regulation) Act (CICRA), appropriate regulatory changes may be made to allow only entities regulated by any financial sector regulator to act as agent on behalf of the borrower. Each access/ enquiry of credit information by any specified institution should be conveyed to the borrower through electronic channel.

(Recommendation - RBI)

3.4.2 Enhancing Statutory/ Regulatory Framework

3.4.2.1 In order to have a nodal agency to ensure that only authorised and trusted DLAs are used by consumers, it is desirable that an independent body styled as Digital India Trust Agency (DIGITA) should be set up. The agency may be set up in consultation with stakeholders including regulators, industry participants, representative bodies and the government. While encouraging innovation, it should discharge the function of verifying the digital lending apps (by extension, in future, other FinTech apps through which customers interact with the regulated financial system) before such apps can be publicly distributed through app stores or through any other digital means. Eligible apps not carrying the ‘verified’ signature of DIGITA should be considered as unauthorized for the purpose of law enforcement. A public register of ‘verified’ apps should be maintained by DIGITA with essential details on its website. Any subsequent changes in such apps for potential non-compliance should be surveilled by the Agency and it should have the power to revoke the ‘verified’ status of the apps. DIGITA should also support on an ongoing basis, digital market intelligence on potentially harmful public apps interacting with the regulated financial system.

(Recommendation - GoI/ RBI)

3.4.2.2 In order to devise granular/ stricter regulatory and supervisory framework, Short Term Consumer Credit (STCC) may be defined to include digital lending as is done in certain jurisdictions (Annex E) and appropriate regulations, on similar lines as that for MFIs can be framed. In view of the commonalities of concerns/ as an alternative to separate regulation, the extant / proposed regulatory framework/ codes of conduct for MFIs could be expanded to suitably include STCCs. This will make a single harmonized set of conduct rules for short term lending. Government may consider notifying the same to make it proportionately applicable to other entities (not falling under RBI’s regulatory domain) engaged in provision of similar financial services.

(Suggestion - GoI/ RBI)

3.4.2.3 Under current regulatory framework, regulation on all outsourced activities has been prescribed for compliance by REs of the Reserve Bank. Going by the increasing trend of business models leveraging the use of agents and third parties including LSPs for scale, reach and cost-effectiveness, RBI may develop a separate framework styled as Agency Financial Service Regulation (AFSR) for all customer-facing, fully outsourced activities of REs including the services provided by LSPs.

(Suggestion - RBI)

3.4.2.4 With evolving shape of the digital lending eco-system and agency participation in providing financial services, there needs to be certain standards and protocols to be followed by the entire partner ecosystem. Reserve Bank has recognized few Self-Regulatory Organizations (SROs) catering to different regulated segments. At secondary level, industry associations have a role to play in laying down a code of conduct incorporating best business practices, ensuring compliance of their members with regulatory guidelines and providing a mechanism for grievance redressal of customers. The WG on FinTech and Digital Banking in November 2017 had also recommended that a self-regulatory body for FinTech companies may be encouraged. It is now recommended that an SRO covering DLAs/ LSPs in the digital lending ecosystem may be set up. Reserve Bank may provide general guidance and recognize such an SRO in respect of the RBI regulated entities and their outsourced agents. GoI may also like to take similar action for digital lending business carried out by entities which are not REs of RBI. Code of conduct for Recovery Agents as part of AFSR and putting names of the erring members in a negative/ grey list for the sector by SROs after following appropriate procedure, should also form part of the code. The REs may publish a list of LSPs engaged by them on their website.

(Recommendation - GoI/ RBI/ SRO)

3.4.2.5 Analogous to the Central law of “the Banning of Unregulated Deposit Scheme Act, 2019”, Central Government may consider bringing through a legislation styled as “the Banning of Unregulated Lending Activities (BULA) Act” which would cover all entities not regulated and authorized by RBI for undertaking lending business or entities not registered under any other law for specifically undertaking public lending business. The recommended legislation may also define ‘public lending’ to bring clarity.

(Recommendation - GoI)

3.4.2.6 The Consumer Protection Act, 2019 covers banking, financing, insurance as services under its ambit. However, nature of a financial consumer and consumer of other goods and services differ vastly. Financial services are different in terms of these being customer-specific, intangible, concomitant in creation & delivery and a dynamic activity. To provide adequate recourse to financial consumers including that of digital lending beyond the established mechanism set up by regulators, a separate National Financial Consumer Protection Regulation under the above Act may be developed by all financial sector regulators which would enable the dispute resolution or grievance redressal bodies to deal with large number of service and financial disputes/ complaints in a more objective and decisive manner. Further, it should have specific provisions for digital contracts and delivery of financial services through digital mode.

(Suggestion - GoI)

3.4.3 Reinforcing Digital Lending Oversight

3.4.3.1 To prevent loan origination by unregulated entities, REs should not be allowed to extend any arrangement involving a synthetic structure, such as, the FLDG to such entities. REs should not allow their balance sheets to be used by unregulated entities in any form to assume credit risk.

(Recommendation - RBI)

3.4.3.2 The SLCC mechanism should additionally cover issues in the digital financial space and function as a forum for inter-agency co-ordination in such matters.

(a) A regular agenda in SLCC should cover reports on unauthorized apps in the market involved in digital lending/ illegal recovery and other types of activities associated with doubtful purpose/ suspected fraud. Given the national nature of digital lending, a centralized and fully digitalized data repository may be created for all issues in order to provide a country-wide view of market intelligence (MI) in real time, accessible to relevant agencies involved. Growth of any channel, product, etc. or complaints of similar nature should spur necessary regulatory/ supervisory/ enforcement attention.

(Recommendation - GoI/ State Governments/ RBI)

(b) Given the increasingly critical role played by mobile phones and mobile network operators (MNOs) in the financial system, TRAI should be inducted as a member or need-based invitee of SLCC and other security related inter-agency fora involving the financial sector.

(Recommendation - RBI)

(c) The KYC rigor for issuance of new/ replacement SIM cards, being a major vector for frauds/ illegal marketing of digital lending products, should be strengthened and the MNOs should be held accountable for any violation and shortcomings.

(Suggestion - GoI)

(d) In order to pre-empt any unscrupulous practice, such as ‘rent-a-license’ by certain inactive NBFCs, the CoR conditions of those who have been granted CoR with provision of digital lending but who have not been carrying out such activity for a reasonably long period may be reviewed with an appropriate supervisory follow-up.

(Recommendation - RBI)

(e) RoC may consider enhancing the use of digital technology and multiple data sources for early identification of shell finance companies and finance companies with proxy directors or opaque beneficial owners on an ongoing basis. This should be followed by suitable action as per the law or reference to concerned agency for further attention. RoC may also consider making suitable arrangements for real time data sharing with RBI on the de-listing of such shell companies, companies with proxy directors or opaque beneficial owner, in order for RBI to take up further action with respect to association with such companies across banks and NBFCs.

(Suggestion - RoC)

3.4.3.3 There is a need to facilitate identification of bad actors in digital lending space by enforcement agencies in a timely and less frictional manner.

(a) The payment system regulation should refine ‘travel rules’ for narration of One Time Password (OTP) and SMS/ e-mail alerts sent to users in connection with conducting payment transactions through any digital mode under PSS Act. It should, at the minimum, display certain details such as transaction amount, available balance, name of the receiver/ beneficiary (merchant or individual beneficiary, as the case may be) as returned by the receiver’s bank/ PPI Issuer and not provided by the sender.

(Recommendation - RBI)

(b) Relevant inputs from proposed Digital Intelligence Unit of Government, existing Telecom Analytics for Fraud Management and Consumer Protection (TAFCOP), and Telecom Commercial Communications Customer Preference Regulations (TCCCPR) 2018 should be made available to respective regulators, supervisors and their regulated entities and MNOs. Name of identified unscrupulous lenders should be made available to REs to enable them to do Enhanced Due Diligence (EDD) while allowing customers to use banking/ payment/ telecom channels for such activities.

(Suggestion - GoI/ RBI)

(c) The concept of a National Financial Crime Record Bureau (NFCRB), similar to or as a subset of National Crime Records Bureau (NCRB), with a data registry similar to CCTNS (Crime and Criminal Tracking Network and Systems) and accessible to REs may be considered by the Government. This will highly supplement the onboarding diligence in the digital/ FinTech based ecosystem. Leveraging the channel of FINNET of FIU-IND can also be explored.

(Suggestion - GoI)

(d) The local law enforcement/ police agencies must proactively ensure through surveillance that no unauthorized call center operates in, and no spoofing/ conversion of VoIP to GSM calls, etc. originates from, sites under their jurisdictions.

(Suggestion - GoI/ State Governments)

(e) There is a need to strengthen non-traditional market monitoring through media/social media monitoring, web-scraping to identify the conduct issues associated with digital lending apps. Besides, all kinds of publicity material/ direct advertisement over the web of unverified digital lending apps may be continuously monitored and appropriate action taken. Appropriate detection techniques need to be used in the process.

(Recommendation - GoI/ SRO)

(f) Bank accounts regularly operated from a different/ overseas IP address, not consistent with KYC profile of the account holder, need to be monitored by banks for suspicious activities.

(Recommendation - RBI)
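One way a bank could implement the monitoring in item (f), as an added example that is not part of the report: it resolves each session's source IP to a country and flags accounts that are operated on several distinct days, and for most of their sessions, from a country outside the holder's KYC profile. The GeoIP table, account numbers, log entries and the thresholds `min_days` and `min_ratio` are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed prefix-to-country table on documentation address ranges; a bank
# would substitute its own GeoIP source here (assumption).
GEO_TABLE = [
    (ip_network("192.0.2.0/24"), "IN"),
    (ip_network("198.51.100.0/24"), "SG"),
    (ip_network("203.0.113.0/24"), "HK"),
    (ip_network("2001:db8::/32"), "IN"),
]

# Constructed KYC profiles: countries each holder is expected to operate from.
KYC_PROFILE = {
    "ACC-1001": {"IN"},
    "ACC-1002": {"IN"},
    "ACC-1003": {"IN", "SG"},  # overseas employment declared at onboarding
}

# Constructed channel log: (account, ISO timestamp, source IP).
EVENTS = [
    ("ACC-1001", "2021-10-01T09:15:00", "192.0.2.10"),
    ("ACC-1001", "2021-10-02T10:02:00", "192.0.2.10"),
    ("ACC-1001", "2021-10-04T18:40:00", "198.51.100.7"),  # one-off trip
    ("ACC-1001", "2021-10-06T08:30:00", "2001:db8::1"),
    ("ACC-1002", "2021-10-01T02:11:00", "203.0.113.5"),
    ("ACC-1002", "2021-10-02T11:00:00", "192.0.2.44"),
    ("ACC-1002", "2021-10-03T02:17:00", "203.0.113.5"),
    ("ACC-1002", "2021-10-05T02:09:00", "203.0.113.91"),
    ("ACC-1002", "2021-10-08T02:30:00", "203.0.113.5"),
    ("ACC-1002", "2021-10-08T02:45:00", "10.0.0.5"),  # not resolvable
    ("ACC-1003", "2021-10-01T07:00:00", "198.51.100.20"),
    ("ACC-1003", "2021-10-02T07:05:00", "198.51.100.20"),
    ("ACC-1003", "2021-10-03T07:01:00", "198.51.100.20"),
    ("ACC-1003", "2021-10-04T07:03:00", "198.51.100.20"),
]


def country_of(ip):
    """Longest-prefix match against GEO_TABLE; None when the IP is unknown."""
    addr = ip_address(ip)
    best = None
    for net, country in GEO_TABLE:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None


@dataclass
class Finding:
    account: str
    mismatch_days: int     # distinct days with out-of-profile access
    mismatch_ratio: float  # out-of-profile share of resolvable sessions
    countries: tuple       # out-of-profile countries seen
    unresolved: int        # sessions whose IP could not be placed


def flag_accounts(events, kyc, min_days=3, min_ratio=0.5):
    """Flag accounts *regularly* operated from outside their KYC profile.

    A single out-of-profile session (travel) is not enough: the access must
    recur on at least min_days distinct days and make up at least min_ratio
    of the sessions that could be geolocated. An account with no KYC profile
    has no expected country, so every resolvable session counts as a mismatch.
    """
    stats = defaultdict(lambda: {"resolved": 0, "mismatch": 0, "days": set(),
                                 "countries": set(), "unresolved": 0})
    for account, ts, ip in events:
        s = stats[account]
        country = country_of(ip)
        if country is None:
            s["unresolved"] += 1  # reported, but never counted as a mismatch
            continue
        s["resolved"] += 1
        if country not in kyc.get(account, set()):
            s["mismatch"] += 1
            s["days"].add(datetime.fromisoformat(ts).date())
            s["countries"].add(country)

    findings = []
    for account in sorted(stats):
        s = stats[account]
        if not s["resolved"]:
            continue
        ratio = s["mismatch"] / s["resolved"]
        if len(s["days"]) >= min_days and ratio >= min_ratio:
            findings.append(Finding(account, len(s["days"]), ratio,
                                    tuple(sorted(s["countries"])),
                                    s["unresolved"]))
    return findings


if __name__ == "__main__":
    for finding in flag_accounts(EVENTS, KYC_PROFILE):
        print(finding)
```

Only ACC-1002 is flagged in the constructed log; ACC-1001's single overseas session and ACC-1003's declared overseas access are left alone.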

3.4.4 Safeguarding Financial Stability

3.4.4.1 High yield-seeking alternative investments flowing into DLA segment can blur regulatory understanding of build-up of adverse incentives and potential spill-over of stress. Possibility of REs partnering with an unregulated LSP for digital lending could even lead to “step-in risks”. It is therefore suggested as under:

(a) Push marketing and unsolicited offers may exacerbate the risk of encouraging borrowing without a purpose. In order to streamline the push credits, REs peddling specific pre-approved loans/ limits to consumers based on scoring models should take a behaviouralised part of all such communicated amounts, based on average past conversion rate, as exposure for prudential regulation purpose.

(b) Appropriate periodical returns from REs may include digital lending data and (attempted) frauds in digital lending space so as to specifically capture crucial MIS.

(Suggestion - RBI)

3.4.4.2 In order to match the advancements of digital lending (and FinTech aided financial services in general), there is a need for commensurate digital transformation/ technology adoption by the regulators and supervisors.

(a) The regulatory/ supervisory framework for digital lending (by extension, other FinTech products/ services) should be developed with a ‘seamless digital’ approach. It should exploit the power of RegTech and SupTech tools.

(b) There is a need to convert regulatory instructions for digital lending (all FinTech regulations by extension) to machine readable format for direct interface with the RegTech systems of the REs. The idea is to replace rules written in natural legal language with computer codes and to use artificial intelligence for regulatory purposes.

(c) There is already a market dominance of BigTech/ social media entities in nudging their users to go for specific financial products or services through front-end customer engagements. There are regulatory implications relating to concentration and competition risks that may emerge if BigTech players enter the direct digital lending market in search of profitability. In certain international jurisdictions, decentralized finance (DeFi) through blockchain technology is growing fast, which involves borrowing and lending activities using auction approaches. Embedded credits are also slowly gaining traction which need due regulatory attention. A blueprint of a forward-looking framework for identifying and managing risks arising from BigTech/ DeFi lending in a graded manner may be worked out in advance.

(Suggestion - RBI)

Section 4: Technology Standards of Digital Lending

A highly digitalized lending model is known for its scale, reliance on intangible information and much broader user participation. However, the legal status of DLAs/ LSPs, playing an intermediary role between multiple lenders and multiple borrowers, is ambiguous under Information Technology Act, 2000 (IT Act). Section 2(1)(w) of the Act defines an intermediary as below:

‘Intermediary, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;’

Even though DLAs/ LSPs may not directly fit into the definition, the scope of the definition is wide enough to arguably qualify these entities as close to an ‘intermediary’ with activities extending to receiving/ storing electronic records on behalf of REs, creating online marketplace. IT Act places certain responsibilities on intermediaries such as preservation of information¹⁶, non-disclosure of the collected information without consent or in breach of lawful contract¹⁷ etc. Besides, IT Act also vests certain powers with authorities such as penal action for contravention of provisions of the IT Act, power to issue directions for blocking of public access to any information through any computer resource, power to monitor and collect traffic data or information through any computer resource for cyber security. Uncertainty around treatment of FinTech platforms as ‘intermediary’ creates avoidable ambiguity.

4.1 Factors Spurting Growth of Digital Lending in India

The ubiquity of ICT has affected most conventional financial products in India and created newer products. Digital lending is driven by a combination of supply-side and demand-side factors. In India, unmet credit demand of younger cohorts, low financial inclusion, technological advancements and increasing internet penetration are going to be the strong drivers. However, trust in technology, data security and customer protection considerations will play a critical role in determining the extent of FinTech adoption. India accounts for the largest number of DLAs in the world. India’s vision towards becoming a cash-light economy, combined with the growth of public digital infrastructure and the demand for financial inclusiveness, makes it a front runner in the digital lending technology arena. The growth drivers have come both from supply as well as demand side as presented in Figures 4.1 and 4.2.

Figure 4.1

Figure 4.2

Of the above, the following could be considered as the major factors for growth of digital technology:

  • The smartphone revolution

  • Big data analytics, Artificial Intelligence (AI) and Machine Learning (ML)

  • Enabling technological developments

  • Eco-system conducive for digital lenders and FinTech companies

  • Increased digital uptake to overcome challenges posed by COVID-19

4.1.1 The Smartphone Revolution

The number of smartphones in India has increased from 100 million in 2014 to over 700 million in 2021, and this number is projected to increase in the coming years. This means that most of the Indian population now has access to the internet. This process has been hastened by the availability of low-cost smartphones and the proliferation of faster and cheaper internet connections. This gives users, especially those who need urgent small-ticket loans, the option to download lending apps and avail loans without long wait times, multiple approvals and multi-pronged verifications.

4.1.2 Big Data Analytics, Artificial Intelligence (AI) and Machine Learning (ML)

The smartphone revolution has led to large volumes of data being generated and shared. This data, though too voluminous for humans to process unaided, is very valuable, and this is where technological advances such as Big Data, AI and ML help derive insights from the abundance of data and allow digital lenders to better understand the needs of their customers, perform timely underwriting and improve fraud detection.

  • Customer analysis: Big data analytics help digital lenders understand their customers’ needs and changes in their borrowing behaviour, in order to provide timely and customised lending options.

  • Underwriting: AI/ML models can be used to assess risks and make unbiased underwriting decisions. This allows for faster and more intelligent risk assessment, without human intervention.

  • Fraud Detection: AI/ML allows lenders to detect suspicious behaviour, identify repeated defaulters and flag high-risk loan requests.

4.1.3 Enabling Technological Developments

A collection of Application Program Interfaces (APIs) enables the government, businesses, start-ups and developers to harness India’s public digital infrastructure to build and deploy lending apps. The enabling factors are:

  • Aadhaar authentication and e-KYC: Digital lenders can utilize the biometric service of the Aadhaar infrastructure to authenticate users and perform e-KYC.

  • e-Sign and Digilocker: After verification, the lending app can harness the Aadhaar data to review borrowers’ banking activities, and also use scraping to gather data from their phones. Apart from providing borrowers’ creditworthiness, this avoids the collection and storage of paper documents. After selecting the loan option, the borrower can e-sign the documents remotely.

  • Unified Payments Interface (UPI): The UPI infrastructure can be used to disburse the loan amount into the borrower’s bank account. The pull function of UPI can also be used to receive loan payments.

  • User permission: Developments in obtaining users’ consent to access their data from across the digital platforms can ensure transparency and security across the digital lending lifecycle.

4.1.4 Favourable Regulatory and Policy Environment

India’s objective to increase financial inclusion and digitisation has led to the implementation of favourable policies and regulations. These flexible regulations ensure that unauthorised digital lenders are weeded out without affecting the growth of legitimate lenders.

4.1.5 Eco-system Conducive for Digital Lenders and FinTech Companies

With an untapped base of 120 million formally employed Indians without a credit card[18], start-ups and venture capital firms are making a beeline for the digital lending market. In keeping with this trend, 44 per cent of FinTech funding in 2020[19] went to digital lending start-ups. With more funding and increased collaboration between established and new players in the digital lending market, the outlook for the sector is positive.

4.1.6 Increased Digital Uptake due to COVID-19

Lockdowns and restrictions imposed by COVID-19 in 2020 have driven consumers and businesses to take their transactions online. This has increased receptivity and confidence in digital transactions while enhancing consumers’ proclivity to avail instant loans from lending apps. Given the low overhead costs, technology-driven optimization and minimal manual intervention, compared to traditional loan processes, digital lenders can operate efficiently to cater to the aggressive economic needs of the post-COVID era.

4.2 Digital Lending Lifecycle

The digital lending lifecycle begins with a user discovering the app and ends with the repayment of the loan. A generic digital lending process goes through the following stages:

  • Lending app discovery and registration

  • Loan application processing

  • User verification

  • Loan disbursement

  • Loan repayment

4.2.1 Distribution of DLAs

Users find digital loan apps primarily through:

  • Online searches on Search Engines and by browsing App Stores for related keywords.

  • Marketing material distributed by digital lenders via SMS, email, online advertisements (on websites, social media, apps) and messaging platforms (WhatsApp, Telegram), etc.

The most commonly searched keywords are: Instant Loan, Personal Loan, Aadhaar Loan, Cash Loan, Mobile Loan. The user then downloads and installs the app from an app store. They register on the lending app using their mobile number and/or e-mail address. The user gives the app the necessary permissions. Based on the permissions requested, the app can access various other apps and services on the user’s phone. In this step, it has been observed that many apps request high-risk permissions.

4.2.2 Loan Application Processing

The user fills the application and thereby provides a host of information about himself. Based on these details, the app pulls his credit score, historical banking information, mobile recharge history, etc. from the phone. Each app uses its own proprietary algorithm to score the user based on his creditworthiness and chooses to underwrite the loan.

4.2.3 User Verification

Based on the underwriting, the app displays the loan options that the user is eligible for. The user chooses the appropriate loan option. The user then verifies his identity and e-signs the loan.

4.2.4 Loan Disbursement

The loan amount is then credited into the user’s account, many times to wallets and sometimes to bank accounts. Many of the apps are found to manage cash disbursement through deemed brokers.

4.2.5 Loan Repayment

Based on the repayment plan, the user pays back the interest and principal amount in the agreed number of instalments. In case of delay, the LSPs in the business of collection/ recovery step in.

4.3 Regulatory Perspectives of Digital Lending Technology

The regulatory perspectives in the specific context of deploying digital technology in lending services centre around: (i) black box AI, (ii) privacy and data security issues, (iii) cyber/ fraud risks, and (iv) forward compatibility.

4.3.1 Black Box AI

In the age of AI/ ML, mathematical models are bound to be embedded in automated systems that make vital decisions. Many of these models encode “human prejudices, misunderstanding, bias into a software system that increasingly manage our lives. …Right there you have something very dangerous.”[20] The growth of the ‘connected’ lifestyle and reliance on mobile phones generates a treasure trove of “alternative” data, some of which is collected even before a consumer makes an application. There are unregulated web aggregators who collect data on prospective consumers, some with their consent and some without. The LSPs/DLAs often deploy algorithms that scour through hundreds of such alternate data variables, sometimes combined with traditional credit history, to model how well the applicant fits the risk appetite of the FinTech lender, which is often high. How these algorithms price risk, or exploit or discriminate on the basis of a consumer’s specific situation, remains outside the oversight of regulators.

4.3.2 Privacy and Data Security

4.3.2.1 FinTech platforms generally collect a lot of data from customers, including sensitive personal information and financial records. They also track information such as customers’ spending and social media patterns to generate an alternative credit score for determining their risk profile. While accepting terms and conditions of these platforms, customers are generally not conscious of the fact that they are signing away their privacy rights. This leads to concerns about protection of customers’ data from unauthorised access, explicit consent and awareness of customers about harvesting of their personal/ online behavioural data and sharing of data with third parties. The increasing share of digital lending can amplify these concerns. There is a need to clearly specify the obligations of FinTech platforms towards their customers.

4.3.2.2 One of the first steps in the digital lending lifecycle is requesting access to various apps and services on the user’s phone. This has been a key concern for consumers and regulators alike. Several consumer complaints were analysed that cite instances of digital lenders or digital lending apps misusing the high-risk data collected. For example, certain lending apps are collecting users’ entire phone contacts, media, gallery, etc. and using it to harass borrowers and their contacts in case of delays in repayment. Table 4.1 shows the critical permissions requested versus the percentage of apps requesting these permissions:

| Permission to read | % of DLAs |
| --- | --- |
| Location | ~30% |
| Camera | ~30% |
| Contacts | ~21% |
| Make Phone Calls | ~11% |
| Record Audio | ~11% |

Table 4.1

While accessing and storing sensitive data such as location, camera, contacts, etc. comes with high risk, some of it could be for the proper functioning of the apps. For example, e-KYC requires access to a borrower’s camera to verify their identity. Location data is required to prevent fraud and confirm the location of the borrower. As more companies go cashless and paperless, the number of apps requesting critical permissions will continue to grow and a prophylactic ban on lending apps accessing certain permissions would adversely impact the growth and innovation in the sector. Hence, the better approach would be to regulate and formulate better standards for cyber security, privacy and fraud, instead of heavy-handed prohibitions. Numerous privacy lapses have been observed across digital lending apps. Some of the major concerns include:

  • Inadequate transparency about what information is collected, why it's collected and how it will be used.

  • No option for users to update, manage, export and delete their own data after their loan has been paid.

  • It is also concerning that some apps don’t disclose their partner banks or NBFCs.

  • Recovery agents use borrowers’ phone contacts, photos or any other sensitive data to harass borrowers and their friends and family.

4.3.2.3 There are alleged reports of unbridled sharing of CIC information, except where only alternate data is used with proprietary algorithm, without considering privacy issues. These situations include (i) an NBFC sharing credit information with an LSP as a customer sourcing partner; (ii) an NBFC sharing credit information with an LSP under an information trading arrangement without any other business link; (iii) an NBFC sharing credit information with another NBFC, the latter not being a co-lender. While under the extant data privacy regime, it may be difficult to establish the source of information, adequate regulatory guardrails are warranted to prevent marketing of CIC data.

4.3.2.4 In digital credit markets, consumer data and other information is increasingly used and shared in the lending and borrowing process. Standard minimum security practices for handling consumer data set a quality protocol that standardises data security and ensures privacy. This can be done through new legislation, rules and regulations, or by utilizing existing laws and expanding their interpretation to include digital finance. In designing the regulatory framework, the regulators, in a consultative manner, determine: i) the way data is being used and ii) the way that data is being protected via provider policies and practices. That way, the main data risks and gaps in provider policies can be tracked and practices to stem these risks be developed. There are instances of the customer being held responsible for outcomes of data attacks when she/he has protected all sensitive information. Hence, there may be a need for standardisation of data use and response to security attacks. In cases where data is mishandled by the service provider, they should be responsible and liable for the outcomes.

4.3.3 Cyber Security and Fraud Risks

There are certain concerns[21] which are inherent to any illegal act committed using information technology and are not specific to digital lending per se, such as anonymity[22] in cyberspace, the issue of jurisdiction[23], the question of evidence[24], and non-reporting of cybercrimes to avoid bad publicity for businesses operating online. Digital lenders have to deal with defaulters, the use of stolen identities and even higher risks in the absence of loan collaterals. The constantly evolving and interconnected nature of disruptive business models in FinTech lending makes it difficult to assign liability for consumer harms. Cyber risks have heightened in the recent period.

4.3.3.1 Access Control

(a) Unauthorized Access: Poor access control policy allows unauthorized persons to access customers’ data. Apart from misuse, it enables threat actors to sell access to systems that hold sensitive information and financial data.

(b) Privilege Escalation: Threat actors can use initial access to low-priority systems to gain elevated access to sensitive resources to exfiltrate data or perform unauthorized actions.

4.3.3.2 Infrastructure and Customer Protection

(a) Misconfigured Applications: Unsecured cloud servers, misconfigured applications, open ports and exposed API keys allow threat actors to gain access to customers’ information.

(b) Breaches/ Data Leaks: Since lending apps collect users’ PII (Personally Identifiable Information), financial data and other sensitive information, they are prime targets for threat actors. With reports showing that financial services companies are 300 times more likely than other companies to be targeted by cyberattacks[25], lending apps should be prepared for potential attacks. If a threat actor gets access to a database containing this information, they can use it to hold the company to ransom or sell it on the dark web. They could also use it to carry out phishing attacks, scams and even identity theft. Apart from this, they can also use the initial access to deploy malware, ransomware or spyware.

4.3.3.3 Fake Apps and Fake Domains: WG research shows that 600 out of 1100 lending apps currently available are illegal apps. And as the number of lending apps grows, this trend would spike, since a user downloading a lending app cannot identify if the app is legitimate or not. It is also likely that several copycat apps and websites will mushroom across the internet. If a consumer uses such an app or website, it could collect the user’s personally identifiable information (PII), financial data and other sensitive details, which can then be used to compromise the user’s accounts, carry out phishing attacks and identity theft. Apart from affecting the user, it also damages the reputation of the company that the fake app is impersonating.

4.3.3.4 Fake Customer Care Scams: There has been a burgeoning of fake customer care scams across the internet, especially those affecting financial services and online businesses. These scams are used to collect sensitive information from users and defraud them. This can also damage the reputation of the digital lender.

4.3.3.5 Synthetic Identity Frauds: Fraudsters create synthetic identities using valid but stolen Aadhaar numbers with accompanying false PII. The growing use of synthetic identities is often attributed to the increasing amount of compromised PII from major data breaches over recent years as well as unintentional disclosure over social media. The complexity in its detection and its potential financial harm depends upon the method used by fraudsters to compose a fake identity. Some of the tell-tale characteristics of a synthetic identity could be multiple account applications from the same IP address or device, multiple identities with the same Aadhaar number, multiple applicants with the same address or phone number, etc. Preventing synthetic fraud is difficult and hence requires industry level partnership and close co-ordination with law enforcement to share information, identify trends and threats.
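The tell-tale characteristics listed above can be checked mechanically over incoming loan applications. The following is an added example, not code from the Working Group's report: the field names, thresholds, keyed tokenisation of Aadhaar numbers and all sample records are constructed assumptions for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict

TOKEN_KEY = b"constructed-demo-key"  # assumption: secret held only by the fraud system

# Minimum number of distinct claimed identities sharing one value before it is flagged.
# IP gets a higher bar: NAT and mobile carriers put unrelated users behind one address.
THRESHOLDS = {"aadhaar": 2, "device": 2, "phone": 2, "address": 2, "ip": 3}

# Constructed sample applications; the 12-digit numbers are made-up placeholders.
APPLICATIONS = [
    {"id": "A1", "name": "Asha Rao", "aadhaar": "1111 2222 3333", "phone": "+91 90000 00001",
     "address": "12, MG Road, Pune", "ip": "203.0.113.7", "device": "dev-01"},
    {"id": "A2", "name": "Vikram Shah", "aadhaar": "111122223333", "phone": "9000000002",
     "address": "4 Lake View, Thane", "ip": "203.0.113.7", "device": "dev-01"},
    {"id": "A3", "name": "Neha Jain", "aadhaar": "4444 5555 6666", "phone": "9000000003",
     "address": "12 MG ROAD PUNE", "ip": "203.0.113.7", "device": "dev-02"},
    {"id": "A4", "name": "Ravi Kumar", "aadhaar": "7777 8888 9999", "phone": "9000000004",
     "address": "88 Park St, Kolkata", "ip": "198.51.100.20", "device": "dev-03"},
    # Same person applying again: must not count as a second identity.
    {"id": "A5", "name": "Asha Rao", "aadhaar": "1111-2222-3333", "phone": "090000 00001",
     "address": "12, M.G. Road, Pune", "ip": "198.51.100.9", "device": "dev-04"},
]


def token(aadhaar):
    """Keyed hash of the digits, so the detection index never holds the raw number."""
    digits = re.sub(r"\D", "", aadhaar)
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()


def features(app):
    """Normalise each linkable attribute so formatting differences do not hide reuse."""
    return {
        "aadhaar": token(app["aadhaar"]),
        "device": app["device"],
        "phone": re.sub(r"\D", "", app["phone"])[-10:],
        "address": re.sub(r"[^a-z0-9]", "", app["address"].lower()),
        "ip": app["ip"],
    }


def find_signals(apps):
    """Flag attribute values shared by several distinct (Aadhaar token, name) identities."""
    index = defaultdict(lambda: {"apps": [], "identities": set()})
    for app in apps:
        feats = features(app)
        identity = (feats["aadhaar"], " ".join(app["name"].lower().split()))
        for signal, value in feats.items():
            bucket = index[(signal, value)]
            bucket["apps"].append(app["id"])
            bucket["identities"].add(identity)
    findings = [
        {"signal": signal, "apps": sorted(bucket["apps"])}
        for (signal, _value), bucket in index.items()
        if len(bucket["identities"]) >= THRESHOLDS[signal]
    ]
    return sorted(findings, key=lambda f: (f["signal"], f["apps"]))


def cluster_cases(findings):
    """Union-find over flagged applications: one review case per linked group."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for finding in findings:
        first = finding["apps"][0]
        for other in finding["apps"][1:]:
            parent[find(other)] = find(first)
    groups = defaultdict(list)
    for app_id in parent:
        groups[find(app_id)].append(app_id)
    return sorted(sorted(group) for group in groups.values())


if __name__ == "__main__":
    signals = find_signals(APPLICATIONS)
    for finding in signals:
        print(finding["signal"], finding["apps"])
    print("review cases:", cluster_cases(signals))
```

Counting distinct claimed identities rather than raw applications keeps a genuine repeat applicant (A1 and A5, who share a phone number) from being flagged on that attribute alone.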

4.3.4 Forward Compatibility of Regulation

4.3.4.1 BigTech Credit[26]

(a) Many large multi-national corporations whose primary business is technology (e-commerce, social media, payments enablers etc.) have started lending either directly or in partnership with regulated financial entities e.g., third-party application providers (TPAPs). These corporations have a captive user base whose data is readily available across multiple business lines and can be effectively utilised in the entire loan management life cycle. These firms have a large-scale customer base and leverage the trust and control generated in this non-financial business for moving into financial services. The firms typically enter the world of finance by providing their data, either raw or processed, to established financial services firms and gradually move towards providing financial services either in partnership or directly to their customers. The size of these entities poses a significant systemic and concentration risk to the economy. They have an unfair competitive advantage over regulated entities.

(b) Unlike the case of monoline FinTech firms, there are three characteristics of an integrated business model of non-financial conglomerates or BigTech firms that could raise concerns for regulators:[27]

(i) a complex governance structure, which could inhibit the ability of both the service providers and the regulators to correctly assess risks and mitigate them in a timely manner;

(ii) risks associated with the transformation of funds across subsidiaries and shadow banking activities;

(iii) cross-subsidisation, both in terms of cost and data sharing within an integrated business model, especially on the platform they serve clients.

Enhancing the traditional entity-based regulatory approach with activity-based regulations may be inadequate to ensure stability, level-playing-field/ competition and customer protection, in the case where a non-financial conglomerate or a BigTech firm in practice provides financial services across its associates in an integrated manner, i.e. where risk transformation, shadow-banking activities, and cross-subsidisation of cost and data could be done across financial-service subsidiaries in an integrated business model.

4.3.4.2 Decentralised Finance (DeFi) Lending

An ecosystem of financial applications based on distributed ledger technology (DLT) operating without a third-party or central administration is generally known as decentralized finance (DeFi). Self-executing smart contracts form the foundation layer of DeFi. It is supposed to be an open-source, transparent and permission-less financial service environment. DeFi is reported to have the highest lending growth rate and is considered the major contributor for locking crypto assets. In India, there are a number of platforms that advertise DeFi facility.

4.4 Recommendations/ Suggestions

Regulatory policy measures associated with FinTech in general and digital lending in particular are usually classified into three groups:[28] (i) direct regulation of FinTech activities; (ii) regulation focusing on new technologies for providing financial services; and (iii) developmental regulations for digital financial services. RBI is one of the select central banks in the world to have a separate and growing FinTech set-up. In view of the emergence of new models in the FinTech ecosystem and the growing role of TechFins in the financial sector, an adaptive, outcome-focused regulatory framework with a responsive and iterative approach needs to be conceptualized in the long term by RBI. It should provide for a segmented and data driven design rather than a ‘one size fits all’ mold, establishing/ consolidating regulations on minimum/ baseline technology standards and security practices in handling consumer data of FinTech Apps, including digital lending. The following are a set of recommendations and certain suggestions:

4.4.1 Institutional Mechanism

4.4.1.1 The operations of so-called ‘digital banks’/ ‘neo banks’ should be covered under Reserve Bank’s regulations. More ‘Digital-only’ NBFCs can be encouraged and groundwork for opening digital-only banks initiated. This should also cover guidance on bank-FinTech partnerships. Some such ‘over the top’ (OTT) entities posing in business promotion materials as if they are into ‘bank’/ ’banking’ must be prohibited from doing so, and each of their partner banks should be required to set out operational codes for such OTT entities. RBI Sandbox may also have a category for digital lending and allow digital lenders to innovate and experiment with flow-based lending products under its supervision.

(Suggestion - RBI)

4.4.1.2 Verified apps are a way to ensure that the applications being used are in fact the authorized apps and not malicious or otherwise inappropriate. Lenders should not deploy any application, insourced, or outsourced, which has not been verified by DIGITA and does not carry signature granted by DIGITA as such (cf. para 3.4.2.1). The verification will be a trust-centric verification of an app on publicly well-defined policies/ trust attributes as prescribed by appropriate authorities. DIGITA will also take care of updates and patch handling as well as publisher certificate forgery. The continued ‘verified’ status of apps must be maintained only when it is possible to distinguish effectively between the version of the application that is permitted and the altered version that could be unsafe.

(Recommendation - GoI/ RBI)

4.4.1.3 Baseline digital hygiene guidelines to be issued by DIGITA in consultation with RBI would be suitably made applicable to LSPs (through REs of RBI).

(Recommendation - RBI/ DIGITA)

(a) Compliance with various basic technology standards/ requirements, including those on cyber security, stipulated by RBI will be a pre-condition to offer digital lending by the REs and for LSPs providing support to REs.

(Recommendation - RBI)

(b) DLA of each RE should have links to its own secured website where further/ detailed information about itself and about the loans, the lender, customer care particulars, link to Sachet Portal etc. can be accessed by the prospective borrowers. Alternately, this information could be made available on the app itself.

(Recommendation - RBI)

(c) Digitally signed documents supporting important transactions through DLAs of REs, such as sanction letter, terms and conditions, account statements etc. should automatically flow to registered/ verified email of the borrower upon execution of the transactions.

(Recommendation - RBI)

(d) Each DLA owner, including relevant LSPs, should name a suitably competent nodal officer to deal with FinTech related issues with customers as well as regulators, SRO, law enforcement agencies, etc. The contact details of the nodal officer would be displayed on the website of the DLA. The modalities may be finalized by the SRO in consultation with the Reserve Bank.

(Recommendation - RBI/ SRO)

4.4.1.4 Even though Section 43A of the IT Act[29] and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal information) Rules, 2011 (the “IT Rules”) address some concerns related to data protection, a comprehensive framework is essential to ensure protection of the individuals’ privacy and rights, to spell out the flow and usage of personal data, to create a framework for organisational and technical measures for data processing, to fix accountability of entities processing personal data, and to provide suitable remedy against unauthorised and harmful processing.

(Suggestion - GoI)

4.4.2 Technology Infrastructure and Standards

4.4.2.1 Baseline technology standards for DLAs of REs should be defined. The standards for DLAs should include secure application logic and secure application code, keeping a log of every action that the users perform along with their geolocation, IP address, and device information, multi-step approval process for critical activities and monitoring of transactions passing through the App in an auditable manner.

(Recommendation - GoI/ RBI/ SRO)

(a) Standards that need to be prescribed are for ensuring security of applications running on mobile devices, proper authentication, and appropriate configuration of servers. All DLAs need to mandatorily have these reflected in the terms of service. The standard should include input validation, review of data that is being sent to external networks, clear access rules, measures to ensure adequate protection of sensitive data and protection from SQL injection. They need to ensure web server and API security, integrity of the app as well as that the app uses appropriate data encryption technologies. REs building their DLAs on cloud infrastructure must make sure that cloud vendors comply with commensurate regulatory standards. The apps should have specific technological safeguards to prevent frauds including sanction of loans on stolen identity.

(b) Software publishers use digital signatures to enable end-users to verify the authenticity and integrity of their products. Every FinTech app must be signed/ verified in a secure way to deliver data to the app based on data gathered by the phone sensors, and if an app is cloned and sends data to API that wasn't processed by the original algorithms, it must signal a significant risk.

4.4.2.2 Apart from complying with relevant RBI guidelines on various standards on data and network security, monitoring for unauthorized access, data breaches, etc., the data need to be stored in servers located in India, as in the case of P2P and AA companies. As and when DIGITA finds any FinTech Apps with servers located outside India, it should immediately flag the same to RBI/ appropriate agency.

(Recommendation - GoI/ RBI/ SRO/ DIGITA)

4.4.2.3 The REs should document the rationale for algorithmic features with necessary transparency to render it as explainable AI (X-AI).

(Recommendation - RBI)

(a) Algorithm audit should point at minimum underwriting standards as well as potential discrimination factors used in determining credit availability and pricing. It must be ensured that the data used for the training of algorithms must be extensive, accurate and diverse. The DLAs will be encouraged to use Glass-box models of AI to enhance transparency and acceptability of algorithms.

(b) Digital lenders should adopt ethical AI. Doctrine of ethical AI says that it must be developed with a focus on protecting and serving the users with endeavors to design algorithms on the principles of transparency, inclusion, responsibility, impartiality, reliability, security, and privacy. Lenders should also assume the “duty of explanation” and ensure that outputs from such algorithms are explainable, transparent, and fair by knitting ethical AI design to fabric of FinTech.

4.4.3 Data Governance

The broad principles for data privacy regulation centre around (i) notice and consent – both for collection and porting, (ii) purpose limitation, (iii) data minimization, (iv) use limitation and (v) retention limitation. The DLAs as responsible data fiduciary must honour all the principles as per the informed consent of the borrower. In the long run, it is expected that data infrastructure architecture (e.g. trusted third-party execution environment) and technology itself will have built-in safeguards to ensure such discipline.

4.4.3.1 There is a global shift of data rights from data holders to customers of digital services. In the absence of an enforceable data protection law, financial consumers are still vulnerable with respect to their personal and financial data. The Data Protection Authority, proposed in the Personal Data Protection (PDP) Bill, could serve as the regulatory body to oversee financial apps as well in future. While the extant guidelines of RBI and proposed DIGITA would partly address the symptoms of the problem, a more empowered legal and regulatory framework aimed at the privacy policy of mobile apps needs to be put in place in the long term to address information collected by apps from the device and the use of tracking and analytic tools in the Apps.

(Suggestion - GoI)

In the meantime, regulatory guidance as also industry initiatives may cover the following:

(Recommendation - GoI/ RBI/ SRO)

(a) As multiple players have access to sensitive consumer/ financial data, there must be clarity on issues like, the type of data that can be held, the length of time data can be held, restrictions on the use of data, data destruction protocols etc.

(b) DLA of REs, as all of them collect personal data, must have a comprehensive and compliant privacy policy available publicly. Details of any third parties, that are allowed to collect personal information via DLA, have also to be disclosed. The users will have the facility to request more details on the information that is collected. It is desirable that privacy practices of the DLAs are disclosed on the app at every stage, i.e., before requesting user permission to use personal data, during account sign up or login page, payment page, etc.

(c) Data should be collected with prior informed and explicit consent of the borrower which can be audited, if required. User Interface should not facilitate ‘trick consent’. The borrower should be provided with an option to revoke consent granted to collect their personal data and if required, make the app delete/ forget the data. After uninstallation of the App, there should not be any trace of access permission from the phone. Consumers should be able to give or deny consent for the use of specific data, its use, disclosure to outside entities (private, public or legal), and its retention and destruction. Consumers should be able to issue separate consent for each type of data that LSPs are accessing. LSPs should also inform consumers of the LSP’s data policies, especially in regard to monetising of consumer data. Consent practices should be codified and recourse should be available in the case of data misuse.

(d) DLAs of REs should be required to notify consumers about detection of any privacy breaches that may leave their data vulnerable and suggest ways for consumers to respond to those breaches. When data breaches occur, pre-defined protocol should kick-in to ensure customers are aware of the security issue and the steps being taken to contain the damage. DLAs must state data misuse liability (cf para 4.4.1.4) to consumer in clear terms and conditions at the time of on-boarding. In the matter of consumer data destruction protocol, DLAs must maintain quality control standards for time and manner of user data purging.

(e) Permission to DLAs for using resources accessible through operating systems, such as, camera functions, location data (GPS), telephony functions, messaging functions, Bluetooth functions, network/ data connections should be subject to need-based/ stage-based requirements. DLAs should collect only minimum required personal data from the borrower after indicating purported usage of each data/ access permission obtained. However, the regulatory focus should be more on use of data, rather than collection of data[30].

(f) If functionalities of any government/ regulated utilities like the Aadhaar infrastructure, e-KYC, UPI etc. are used to conduct CDD, no biometric data should be stored/ collected in the systems associated with the DLA of REs.
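Items (c) and (e) above describe per-data-type consent that can be revoked and audited, with device permissions limited to the lifecycle stage that needs them. The sketch below is an added example, not part of the report or any RBI specification: the `ConsentLedger` class, the stage-to-permission map and the timestamps are hypothetical, and the only purposes used are the two the report itself names (camera for e-KYC, location for fraud prevention).

```python
import hashlib
import json

# Assumption for illustration: which device resources each lifecycle stage may use, and why.
STAGE_NEEDS = {
    "application": {"location": "fraud prevention"},
    "verification": {"camera": "e-KYC identity check", "location": "fraud prevention"},
    "disbursement": {},
    "repayment": {},
}
GENESIS = "0" * 64


class ConsentLedger:
    def __init__(self):
        self.grants = {}       # (borrower, data_type) -> {"purpose", "expires"}
        self.audit = []        # hash-chained record of every grant, revoke and decision
        self.purge_queue = []  # data the app must delete after revocation or expiry

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, event, **fields):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = {"event": event, "prev": prev, **fields}
        self.audit.append({**body, "hash": self._digest(body)})

    def grant(self, borrower, data_type, purpose, now, ttl_days):
        """Separate consent per data type, bound to one purpose and a retention window."""
        self.grants[(borrower, data_type)] = {"purpose": purpose,
                                              "expires": now + ttl_days * 86400}
        self._record("grant", borrower=borrower, data_type=data_type, purpose=purpose, at=now)

    def _drop(self, borrower, data_type):
        if self.grants.pop((borrower, data_type), None) is not None:
            self.purge_queue.append((borrower, data_type))

    def revoke(self, borrower, data_type, now):
        self._drop(borrower, data_type)
        self._record("revoke", borrower=borrower, data_type=data_type, at=now)

    def may_access(self, borrower, data_type, stage, now):
        """Allow only if the stage needs the data and a live, matching consent exists."""
        needed = STAGE_NEEDS.get(stage, {}).get(data_type)
        grant = self.grants.get((borrower, data_type))
        if needed is None:
            reason = "not needed at this stage"
        elif grant is None:
            reason = "no consent for this data type"
        elif grant["purpose"] != needed:
            reason = "consent given for a different purpose"
        elif now >= grant["expires"]:
            reason = "consent expired"
            self._drop(borrower, data_type)
        else:
            reason = "ok"
        self._record("access", borrower=borrower, data_type=data_type, stage=stage,
                     allowed=reason == "ok", reason=reason, at=now)
        return reason == "ok", reason

    def verify_audit(self):
        """Recompute the chain; an edited or removed record breaks it. The latest hash
        must also be anchored outside the app for this to resist a full rewrite."""
        prev = GENESIS
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def demo():
    ledger = ConsentLedger()
    t0 = 1_700_000_000  # constructed timestamp
    ledger.grant("b-001", "camera", "e-KYC identity check", t0, ttl_days=30)
    results = [
        ledger.may_access("b-001", "camera", "verification", t0 + 60),
        ledger.may_access("b-001", "camera", "repayment", t0 + 120),
        ledger.may_access("b-001", "contacts", "repayment", t0 + 180),
        ledger.may_access("b-001", "location", "verification", t0 + 240),
    ]
    ledger.revoke("b-001", "camera", t0 + 300)
    results.append(ledger.may_access("b-001", "camera", "verification", t0 + 360))
    return ledger, results


if __name__ == "__main__":
    for allowed, reason in demo()[1]:
        print(allowed, reason)
```

Denied requests are logged alongside granted ones, so an auditor can see attempts to read contacts during repayment as well as legitimate e-KYC camera use.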

4.4.3.2 Data Privacy and security measures at the end of SMS gateways/ SMS service providers should be ensured by REs/ DLAs before onboarding them. Instances of SMS gateways monetizing customers’ data should be suitably dealt with by the appropriate agency.

(Suggestion - GoI)

Section 5: Financial Consumer Protection

From a financial consumer’s point of view, it does not matter who or how lending service is provided, but the expectations of fair/ equal treatment at the pre-contractual, contractual and post-contractual stages are universal. Digital lending generates many of the similar financial consumer risks as in the conventional lending models and a few more. Innovative technologies and delivery/ interface channels, along with new lending class/ vocabulary create unique and newer risks for consumers as the focus is more on convenience/ ease of access rather than protection. The millennial generation perhaps finds it easier to ‘set up’ an account with a DLA from an unregulated FinTech provider/ shadow lender than to use a tool or channel provided by traditional banks/ NBFCs. The cross-cutting consumer protection themes in digital lending centre around access to loan products and services by digitally deprived/ data-marginalised consumers; dissemination of information and counselling to consumers; design and suitability of products and services offered; and adequacy of grievance redress infrastructure.

5.1 Extant Frameworks in India

The precondition for digital financial consumer protection is a sound institutional arrangement which is varied across the world. Among various models used globally, with specific reference to digital lending, RBI follows an integrated model with an internal twin peaks approach i.e., separation of prudential regulation/ supervision from that of business conduct. However, the business conduct regulation/ supervision cuts across all the areas of consumer protection rather than only issues pertaining to digital transactions (although separate Ombudsman was created for digital banking grievances). Reserve Bank has historically pre-empted and duly recognized various consumer protection issues emanating from the business of banking and issued various guidelines to REs under the relevant provisions of Banking Regulation Act, 1949/ Reserve Bank of India Act, 1934. The RBI’s approach to digital financial services has followed a graded path starting with voluntary compliance measures followed by regulatory instructions/ deterrents and then enforcement measures. A brief on the extant guidelines to address the potential consumer protection issues in the banking/ NBFC sector is provided hereunder.

5.1.1 Fair Practices Code: A Fair Practices Code (FPC) has been prescribed for both banks31 and NBFCs32. These entities have the freedom of drafting their own fair practices code, enhancing the scope of the guidelines but cannot curtail the spirit of the prescribed guidelines. The FPC, inter-alia, provides for –

  • general guidelines for loan application processing, transparency in interest rates/ fees/ penalty, other terms and conditions, non-discriminatory practices, post disbursement supervision etc. The banks should also inform the ‘all-in-cost’ of credit to enable the customers to compare the rates with other sources of finance

  • furnishing a copy of loan agreement (with all enclosures) to the borrower

  • prevention of undue harassment in the matter of recovery of loans by persistently bothering the borrower at odd hours, use of muscle power etc.

  • a board approved grievance redressal mechanism, such that all disputes are heard and disposed of at least at the next higher level

Further, NBFCs have been mandated to ensure that all communication to the borrower should be in vernacular language or a language as understood by the borrower. The loan sanction letter should contain the annualized rate of interest and penal interest charges should be highlighted in bold.

5.1.2 Managing Risks and Code of Conduct in Outsourcing of Financial Services: Financial institutions are increasingly using outsourcing as a means of both reducing cost and accessing specialist expertise not available internally, and/ or to achieve strategic goals. Reserve Bank has, hence, laid down comprehensive guidelines/ directions for both banks33 and NBFCs34, which broadly follow the principle that the outsourcing of any activity does not diminish their obligations and those of their Board and senior management, making them responsible for actions of their service providers (direct selling agents, recovery agents etc.). A Board approved outsourcing policy needs to be put in place, which incorporates, inter-alia, due diligence criteria for selection/ renewal, delegation of authority depending on risks and materiality, and systems to monitor and review the operations and policies periodically. Some indicative provisions of the code to address the consumer protection risks are as under:

  • Regulated entities have to ensure customer data privacy and security in the hands of service providers, including any security breaches.

  • To ensure fair treatment of borrowers, the regulated entity and their agents shall not resort to intimidation or harassment of any kind, either verbal or physical, against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude upon the privacy of the debtors' family members, referees and friends, making threatening and anonymous calls or making false and misleading representations.

  • All service providers need to adhere to a Code of Conduct (as approved by Board/ prescribed by IBA). It is essential that the recovery agents adhere to extant instructions on Fair Practices Code.

  • It is the onus of the regulated entities to ensure these service providers are properly trained to handle with care and sensitivity, their responsibilities particularly aspects like soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer etc.

5.1.3 Code of Recovery: Comprehensive guidelines on recovery agents have been prescribed for banks35 (in case of NBFCs, general guidelines are prescribed in the FPC to prevent undue harassment to customer), which provide for due diligence of agents, (advance) information to the borrower about recovery agencies, adherence to FPC, outsourcing guidelines and code of conduct by recovery agents, no further assignment of cases to agency until disposal of any complaint lodged against it, and mandatory training of recovery agents, etc.

5.1.4 Ombudsman Scheme: Customer complaints and grievances are integral to any business, regardless of comprehensiveness of business conduct guidelines. To give voice to the consumers and identify the consumer grievances on an on-going basis, the Ombudsman Scheme was, hence, operationalized in 1995 to establish a system of expeditious and inexpensive resolution of ‘bank’ customer complaints. The Banking Ombudsman Scheme has evolved over the last two decades36 and a dedicated Ombudsman Scheme had also been instituted for NBFCs37 in 2018 and for digital transactions38 in 2019. An integrated Ombudsman Scheme39 has been rolled out to further enhance the simplicity, effectiveness, and responsiveness of the Ombudsman framework adopting a ‘One Nation One Ombudsman’ approach.

5.1.5 Key Fact Statement (KFS): As per the provisions, banks should provide a clear, concise, one-page key fact statement/ fact sheet, as per prescribed format (Annex F), to all borrowers, as also in case of any change in any terms and conditions. The same may also be included as a summary box to be displayed in the credit agreement. A standardized loan agreement in a language of customer’s choice has also been mandated for the borrowers of NBFC-MFIs.

5.1.6 Charter of Customer Rights: Additionally, a Charter of Customer Rights was released by Reserve Bank in 201440 which enshrines broad, overarching principles for protection of customers of all scheduled commercial banks, regional rural banks, and urban co-operative banks. It enunciates the ‘five’ basic rights of bank customers, viz. (i) Right to Fair Treatment, (ii) Right to Transparency, Fair and Honest Dealing, (iii) Right to Suitability, (iv) Right to Privacy, and (v) Right to Grievance Redress and Compensation. The banks are expected to prepare their own Board approved policy incorporating the five basic rights of the Charter which, among other things, would contain monitoring and oversight mechanism for ensuring adherence.

5.1.7 Risks associated with Information Technology: Appropriate guidelines have been prescribed for both banks41 and NBFCs42 suggesting measures to be undertaken to ensure stability and security of their IT systems and prevent incidences of cyber breaches which may have implications on consumer protection.

5.1.8 Consumer Protection Act, 2019: The new Act, as is applicable to banking and financing services, provides for enforcement of six consumer rights and has brought e-commerce and electronic service providers within its ambit and is hence applicable to digital lenders and their agents; the Act inter-alia has specific provisions prohibiting false and misleading advertisements, and unfair trade practices.

It is pertinent to note that all the aforementioned guidelines on consumer protection are applicable to all regulated entities and/ or their agents engaged in digital lending. In line with the rapid increase in digital lending, and the associated consumer protection risks, RBI vide its circular titled ‘Loans Sourced by Banks and NBFCs over Digital Lending Platforms: Adherence to Fair Practices Code and Outsourcing Guidelines’ dated June 24, 2020, had reiterated the responsibilities of all regulated entities vis-à-vis the extant guidelines and emphasized their adherence in letter and spirit.

5.2 Global Practices

There is no specific globally recognised regulatory framework for digital lending platforms43. It is interesting to note that many jurisdictions have additional requirements for providers of payday loans apart from general requirements for any credit providing institutions. The products offered by most of the digital lending platforms are short tenure loans which are similar to payday loans.

5.2.1 Australia

A cap on costs exists for all credit contracts (excluding those offered by an authorised deposit taking institution). The cap varies based on the term of a contract and the amount of credit. It is presumed that the customer is unsuitable if he/ she is in default under another Small Amount Credit Contract (SACC) or has had more than two SACCs in the last 90 days.

Any payday lender must display a warning statement at their premises, online or over the phone. Additionally, it has to provide contact details for free debt help and alternatives from financial counsellors, Australia’s social security agency and ASIC’s MoneySmart (financial education) website.

5.2.2 United Kingdom

Payday lenders are required to carry a risk warning which needs to be made prominent and that redirects consumers to the website of the authority in charge of debt advice in the country, the Money Advice service. According to Advertising Standards Authority of UK, misrepresenting the product in advertisements by suggesting that these loans are a viable means of addressing ongoing financial concerns, explicitly encouraging non-essential spending or themes or styles that are likely to appeal to children have to be avoided.

Financial Conduct Authority has introduced caps on interest rate, other fees and default fees with an overall cap on total amount of additional charges that can be collected. There is a limit of two rollovers for payday lending. Additionally, payday lenders are required to publish details of all their payday products sold online on at least one FCA-authorised price comparison website and must provide a link to that website from their own. There is a cooling off period of fourteen days before which a consumer can withdraw.

Another distinction for UK is its Consumer Rights Act 2015 inasmuch as it was innovative in seeking to create a distinct regime for digital contracts, closely modelled on the rules for sale of goods (later adopted by EU as well). This is a good example of the law seeking to maintain traditional consumer core values whilst adapting them to the digital context.

5.2.3 Ireland

The Consumer Protection Code for Licensed Moneylenders (Central Bank of Ireland, 2009) also requires that moneylenders must ensure any warnings required by the Code are prominent i.e., they must be in a box, in bold type and of a font size that is larger than the normal font size used throughout the document or advertisement. They are also required to prominently indicate the high-cost nature of the loan on all loan documentation where the APR is 23% or higher.

5.2.4 South Africa

A pre-agreement quotation has to be provided to the borrower valid for five days. The cost of credit, which includes initiation cost, monthly service fee, credit life insurance and interest rates, is regulated and capped in a staggered manner.

5.3 Conduct Aspects of Digital Lending in India

In the context of equitable distribution of benefits from AI, insofar as financial inclusion is concerned, ethical and responsible use of digital technology often comes up for discussion. There has been a general feedback on lack of such responsibility from the DLAs. This phenomenon is illustrated by the following diagram:

Fig 5.1

Some of the contemporary conduct aspects of DLAs have a close resemblance to the issues in microfinance sector in 2010. Some microfinance institutions (MFIs) at that time pursued aggressive business strategy and margin growth without considering the vulnerabilities of the borrowers or its potential macro-economic impact. Some of the high yield seeking investments in the digital lending space appear to have adopted a similar approach. The difference this time is that it is amplified by digital technology and hence the potential impact might be much wider. The business conduct aspects especially those pertaining to protection of the vulnerable sections have been analysed and identified under the following broad concerns.

(a) Pre-contract stage – (i) product design and distribution; (ii) over indebtedness

(b) Contract Stage – (i) transparency; (ii) responsible pricing

(c) Post Contract Stage – (i) fair and respectful treatment; (ii) effective recourse

5.3.1 Product Design, Access and Distribution

5.3.1.1 Consumer protection risk must be assessed throughout the life cycle of the product starting from product development. Without access to user feedback, many providers do not fully understand consumer needs. Because target consumers are inexperienced with financial services, they might not fully understand their own needs either. Lack of knowledge both on the consumer and provider sides, creates a disconnect between user needs and the financial products that they use. Consumers, then, fail to manage their finances effectively and do not use the tools that would most benefit their individual circumstances.

5.3.1.2 In the absence of easy-to-understand information, borrowers tend to choose the most easily available product, without fully comprehending the consequences. Impacts get amplified manifold in digital medium because of its instant, remote, and automated nature. While inadequate information imposes a disproportionate burden of repayment on the vulnerable consumers, excessive and generic disclosures by the financial service provider render consumers less inclined to review such generic disclosures. As product appropriateness is a critical matter, it should not be left only to the principle of ‘caveat emptor’; DLAs need to adopt suitability requirements to ensure the product’s appropriateness to the consumer’s needs and circumstances. This can be achieved through a KYC process involving sufficient and verifiable information for customer segmentation. This can then be used by human and technical resources to ensure that the service/ product being offered to a prospective consumer is appropriate for her/ his needs, expectations and risk profile. Even from lenders’ perspective, assessment is often based on algorithms which are not foolproof to identify the most suitable product in view of the possibility of faulty assumptions in the machine learning process. Hence, the loan product interface should include several means of actively engaging with the borrowers. Further, the labelling of input controls in vernacular languages should be helpful, particularly for rural customers where the awareness about the products and associated data points are often low.

5.3.1.3 Aggressive advertising by DLAs, coupled with instant disbursements, can also lure some customers to borrow recklessly for consumption/ life-style needs. Unsolicited invitations for digital loans can lead to over-indebtedness and non-repayment. Augmenting the loan application form to ask a couple of simple numeracy questions will help identify some high-risk clients at low cost. Asking the customer a simple verifiable question such as how much she/ he can repay every week given her/ his stated current monthly income and expenses is easily done. If she/ he gets it wrong, she/ he could be offered a smaller loan and monitored more carefully. This further implicitly places more responsibility on the customer to borrow responsibly44.

5.3.1.4 Increasing dependence of lenders on third-party platforms may also lead to situations wherein the customers get locked out of the system in case of any unilateral restriction on access imposed by the platforms and may face difficulty in having direct access to lender.

5.3.1.5 In recent times there has been the development of several new products like "Buy Now Pay Later (BNPL)", which is a form of point of sale credit – buyers/ purchasers are typically given a 15-30 day interest-free repayment period. Such transactions are not reported to the credit bureaus, as they do not fall under the definition of ‘credit’. It is often labelled as a product for enhanced customer engagement and seamless user-experience, a potential replacement for credit cards, but not a credit product. However, if the user fails to make the payment in the interest-free period, he may be charged a penalty and fees, and the outstanding amount may be converted into EMI. Though BNPL models are being deployed in partnership with banks/ NBFCs, many FinTechs are also taking the exposure on their balance sheet and treating them as deferred payments.

5.3.2 Over Indebtedness/ Predatory Lending

5.3.2.1 Consumer over-indebtedness is a consequence of both demand and supply side variables. Over indebtedness starts before a default actually happens. Reckless lending in the digital realm has been perpetrated in equal measures by lax pre-agreement borrower assessment policies of lenders, including but not limited to their failure in establishing/ assessing consumer credit worthiness, and current state of indebtedness. Information about loans extended by money lenders or companies other than NBFCs is not submitted to credit information companies. This may lead to under-reporting of outstanding loans of the borrowers resulting in their over-indebtedness.

5.3.2.2 The concept of responsible lending expects lenders not to act solely in self-interest but also bake in prevention of borrower’s detriment through the life cycle of the relationship, ensuring both an affordable (for borrower) and sustainable (for lender) credit. Notwithstanding the regulatory efforts, and disciplined lending, an ignorant borrower or urgent need for credit by a borrower, not matching the repayment abilities often pushes her/ him to over-indebtedness. Certain lenders may have also been indulging in reckless lending practices guided by sheer profit motives, riding on excessive interest rates to compensate for the delinquencies. There is also a tendency to increase the business rapidly by lending to sub-prime borrowers beyond their repayment capacity and the increased risk gets priced in terms of higher spread charged to all borrowers, resulting in exorbitant interest rates. Hence, suitable remedial measures need to be provided for the customer to service his debt and live his life with dignity. The focus needs to shift from a sales-oriented culture to an engagement-based culture. Customers should feel confident in dealing with the lenders, rather than perceiving them as predatory. Organizations need to invest in educating customers about good financial behaviour and the pros and cons of various financial products as per their life-stages.

5.3.2.3 An equally important but often underemphasized facet of product appropriateness is the responsible borrowing culture. The onus is equally on the borrowers to provide accurate and complete information to the lender to enable them to make an informed lending decision rather than providing misleading information or hiding any relevant information. The borrower should put in efforts to verify the credentials of the lenders and pay heed to the terms and conditions of the loan. The borrower should also make an assessment of their income and repayment capacity considering their expenses and should carefully consider if availing credit is the only option left to meet the immediate needs/ wants. This becomes more critical in case of loans availed for consumption/ life-style needs. Last but not the least, the borrower is obliged to make timely repayments. He should realize that any laxity on this front is not in his self-interest and may impact his credit history adversely thus making it difficult to avail credit on favourable terms in future.

5.3.2.4 What could be lacking currently regulatorily are explicit guidelines in the Fair Practices Code to restrict reckless lending, and predatory practices like debt entrapment (ensuring that borrowers will be unable to repay loans and ultimately forcing them to default), debt treadmill (finding methods that will produce a constant stream of fee payments from the borrower to the lender) and debt criminalization (making borrowers fear arrest if they fail to repay their loans).

5.3.3 Transparency

5.3.3.1 Without transparency on the part of credit providers, consumers miss relevant information that they use to make financial decisions. Compounding this, consumers often have limited resources and knowledge about financial terminology, which prevents them from understanding often complex financial products and services. As a result, consumers are unable to understand or gain correct, clear, and/ or comprehensive information about credit products. Consumers, then, make poor or suboptimal choices. Total cost of a loan and other key aspects are not always communicated to the prospective borrower. In view of low financial literacy/ numeracy and complexities involved in the financial products, there are inherent information asymmetries in the financial sector, with suppliers having more information than customers resulting in disadvantage to the customers. Therefore, full disclosures about the loan product and its features become a key factor to bridge this gap. At the same time, these disclosures should not lead to information overload which can undermine the usefulness of the information provided. Fair and simple disclosures enable the customers to compare different loan products across various service providers thus empowering them to make an informed decision. An improved understanding by the borrower would also enhance competition which may lower interest rates and raise the quality of services offered by the digital platforms.

5.3.3.2 Another concern is regarding customers’ poor understanding of what data is being used for what purpose by the DLAs and with whom the data is being shared. Even if they understand, they cannot easily access and control how DLAs use their data. Algorithms used by DLAs can reproduce and perpetuate certain outcomes which are systematically prejudiced due to erroneous assumptions in the machine learning process thus discriminating against certain sections of customers.

5.3.3.2 Lack of standardized loan agreements giving rise to lengthy documentation is often a barrier for accessing small ticket loans from conventional lenders, which is relatively lower in the digital space. The extant guidelines emphasize transparency in loan agreements through upfront disclosure of rates/ fees/ penalty etc. A standardized key fact statement/ loan card has also been prescribed for banks/ NBFC-MFI. Standardization of a loan fact sheet, along with the most important terms and conditions across the credit industry (and specifically digital lending) needs to be ensured to facilitate transparency and also enable comparability (against various lenders) for the typical borrower. Every communication also needs to be in the vernacular language, or a language as understood by the borrower.

5.3.4 High Pricing/ Usurious Lending

5.3.4.1 With a customer base largely comprised of small borrowers having limited financial knowledge, it is of paramount importance for DLAs to be transparent about the total cost including interest and other charges borne by the customers. DLAs carry out credit assessment by using alternative data and mostly cater to those borrowers, who do not have a well-documented credit history and are not served by the traditional financial institutions. Therefore, their assessment models are based on high loss rates which, in turn, are compensated by levying high interest rate and other charges on all borrowers. Further, there is a tendency to mask the excessive interest rates by disclosing only weekly or monthly rates depending on the repayment schedule. It has also been observed that the entire costs associated with first loss default guarantee or any other such mechanism offered by the platforms to their lending partners are passed on to the borrowers resulting in higher interest rates. Though it is difficult to have the same benchmark for the level of interest rates for all borrowers across all segments, rates of interest beyond a certain level are indeed excessive and can neither be sustainable nor justifiable.

5.3.4.2 Statutory caps on interest rates, also known as usury laws, have always been highly debated. It is contended that such caps reduce exorbitant interest rates and unfair treatment for the most vulnerable customers, who would otherwise be reduced to eternal debt servitude. However, interest rate caps are argued to exclude high risk borrowers from obtaining credit or developing a credit history, as lending to them becomes unprofitable. The Usurious Loans Act, 1918 (as is applicable to unorganized sector, including money lenders45) gives power to courts to examine and re-open transactions if there is reason to believe that the interest rate is excessive, or transaction was substantially unfair. The Act was primarily enacted in the pre-independence era to offer protection to agrarian borrowers who often were charged excessively high interest rates. Section 21A of The Banking Regulation Act, 1949, however, limits the application of the Usurious Loans Act to banking companies. A list of existing provisions governing usurious interest rates under various statutory acts is given in Annex G. The REs are instead governed by extant regulations and guidelines, which inter-alia include provisions on transparency in pricing and responsible lending. In the spirit of customer protection, especially the most vulnerable, the Malegam Committee46 in its report examined the issue of pricing of credit and noted that affordability for borrowers should go hand-in-hand with sustainability for the MFI. Keeping in view the vulnerability of MFI borrowers, it opined that some form of interest rate control is essential – an interest rate cap would lead to exclusion; hence, a margin cap was recommended as it is also fairer to the MFI (it will not be exposed to the volatility risk associated with cost of funds).
The extant FPC for NBFCs touches upon the complaints about excessive interest charged by NBFCs, and states that though interest rates are not regulated, rates of interest beyond a certain level may be seen to be excessive and can neither be sustainable nor be conforming to prudent financial practice.

5.3.4.3 Reserve Bank, as per its extant guidelines, does not generally regulate the rate of interest in a prescriptive manner. Regulators need to tread with caution in quantitatively defining a ‘usurious’ rate as a one-size-fits-all approach would be detrimental to the ecosystem. The core rationale for deregulating rate of interest lies as much in wide variation in cost of funds, business models, and margins, etc. as in promoting an open market for credit. Further, a rate cap or margin is likely to result in crowding of interest rates at the upper threshold, which will be disadvantageous to the general borrower. It would be prudent to instead, examine the extant regulations on excessive interest rates and transparency in pricing, and adapt them to the realm of digital lending. Specifically, in digital lending, it has been observed that -

  • The existence of layer(s) between the borrower and the balance sheet lender leads to non-transparent and unethical loan pricing. The regulated entities are at times not aware of the additional charges/ fees being levied by their third parties.

  • As has been explained in Section 3.3.1.2, credit risk sharing mechanisms have also emerged in the form of first loss default guarantee. Internal cost compensation arrangement between the balance sheet lender and the LSP has a bearing on the interest rates being charged to the customers.

  • Costs associated with FLDG or any other such mechanism are passed on by the platforms to the borrowers resulting in higher interest rates.

5.3.5 Fair and Respectful Treatment

5.3.5.1 Fair treatment of customers generally includes ethical conduct, reasonable selling practices, and treatment of customer’s information. Even though the principles of fair treatment are adequately known, it is a difficult task to hard-code these in regulations. Nonetheless, the basic principle remains that the customer should be treated fairly and respectfully at all times. This assumes more significance in digital lending where the target customers are usually small borrowers having limited access to/ awareness about grievance redressal mechanism. This, in turn, may either leave them no option but to accept unruly behaviour or lead them to take extreme steps. There is a need to explicitly establish lenders’ responsibility for the behaviour of their digital partners, especially in collection practices, by way of severe sanctions for any infractions. Another concern, specifically in digital lending, pertains to security of borrowers’ information as well as their privacy. These concerns get exacerbated in digital lending because of usage of technology which creates greater data footprint besides providing anonymity. There is a need to establish a framework which ensures confidentiality and security while promoting creation of a well-managed information sharing process to build the credit history. DLAs rely extensively on alternative data to assess creditworthiness of borrowers. Data-points pertaining to personal details and social behaviour are fed into algorithm-based underwriting models which rely on AI and ML. Over a period, the outcomes of these models may inadvertently discriminate against certain sections of borrowers thus depriving them of access to credit.

5.3.5.2 No Uniform Code of Conduct for Recovery Agents: Having no collections team on the field, some digital lenders reportedly misuse signed agreements to access mobile phone data and contacts of the borrower to adopt strong-arm inducements to repay. Threat of real or make-believe police complaints/ legal notices against borrowers have also been used for recovery. Few digital lenders are understood to have invested in a hybrid collections infrastructure to use softer modes of follow-up. Coercive, intrusive methods of recovery, which cause undue harassment to the customer and lead to violation of customer data privacy, are a major cause of the consumer complaints in digital lending. It is noted that separate guidelines have been set out for recovery agents employed by banks which are more comprehensive than the directions issued for NBFCs (currently a part of FPC). The distinction may need to be reviewed to ensure similar standards are employed for agents employed by banks and NBFCs. Besides, on-field collection teams and optimum-sized call centres would also make the lender understand the challenges faced by the customers in repaying.

5.3.5.3 Due Diligence of Third-Party Service Providers: The extant guidelines provide for a board approved policy to be framed for selecting any service providers by a regulated entity. The Working Group’s representative survey has, however, revealed that there are instances of regulated entities partnering with multiple apps for loan disbursement (an RE was found to be partnering with 36 apps, while many others had partnered with 15-20 apps). The number and choice of LSPs a bank/ NBFC partners with is a commercial decision. However, the regulated entities should be in a position to conduct meaningful and thorough due diligence for all their partners, while also ensuring their adherence to the outsourcing and FPC guidelines on an on-going basis.

5.3.6 Grievance Redress and Effective Recourse

5.3.6.1 Financial consumers have an inherent right to an accessible, affordable, fair, and timely grievance redressal mechanism, and the same principle governs a digital credit consumer. The tech-enablers (smart phones, internet, AI/ ML, etc.) of digital lending facilitate an instantaneous, faceless, hassle-free consumer credit journey but paradoxically, have not translated into an improved, simplified experience vis-à-vis grievance resolution. The hallmark of any effective complaint resolution mechanism is succinctly captured in the ability of a consumer to answer – how, when, and where? However, a typical digital borrower in India seems to be unable to either establish, identify or navigate the resolution process. The DLAs aggressively market, nudge, and even hand-hold consumers to avail loans digitally but are lacking in their efforts to provide grievance redressal which is not only a violation of extant guidelines47 and consumer rights, but also endangers the adoption, acceptability and trustworthiness of digital lending amongst the masses in the long run.

5.3.6.2 The presence of multiple third parties has led to dilution of responsibility, which translates into unavailability/ ineffectiveness of single point of contact for the customer. Many DLAs do not (prominently) display the name and appropriate contact details of the grievance redressal officer. The lack of a face-to-face interface in the digital lending models, especially for complaint resolution, affects the accessibility of the redressal mechanisms for most consumers. The presence of unregulated entities in the space further aggravates the problem.

5.3.6.3 The REs need to ensure adherence to the extant RBI guidelines for grievance redressal mechanism in letter and spirit, including for redress of grievances from outsourced services. Further, considering the uniqueness of the digital channels for credit delivery, it is imperative to leverage technology and explore newer, inclusive, and more responsive mechanisms for grievance redressal.

5.3.6.4 There are two avenues for effective grievance redress and dispute settlement concerning financial consumers - the first is internal at the institution level and the second is redress obtained from an external independent body. There is a need, particularly in the space of consumer lending, for having an affordable and efficient grievance/ dispute resolution mechanism with effective enforcement powers.

5.3.6.5 Ombudsman Scheme: The Ombudsman Scheme extended to NBFCs in 2018 is applicable to those that (a) are authorized to accept deposits, or (b) have customer interface with asset size of one billion rupees or above. The high threshold of asset size essentially exempts smaller NBFCs, which originate the majority of the small-ticket digital loans, and hence, the deterrence effect is absent in the majority of the digital lenders partnering with (smaller) NBFCs.

5.4 Recommendations/ Suggestions

5.4.1 Loan Product Design and Distribution

5.4.1.1 Most digital lending apps rely on bulk SMS marketing campaigns and some deploy contextual in-app/ web-search strategies to tap their prospective customers at their most vulnerable state. Loan products must be advertised without making misleading claims and without misleading the consumer. Each DLA must have “opt-in” and “opt-out” options, the latter being the default option, for sending consumers/customers marketing messages. The DLAs must adopt responsible advertising and marketing standards in line with the Code of Conduct to be put in place by the proposed SRO.

(Recommendation - GoI/ RBI/ SRO)

5.4.1.2 Minimizing cases of repayment stress/ distress

(a) In order to discourage perpetuation of ‘payday loans’, fixed sum/ non-installment unsecured STCCs with very short contractual maturity should be put under regulatory restrictions.

(Suggestion - RBI)

(b) The DLAs catering to low credit-penetrated markets, should design more sachetised/ simplified products with appropriate mobile interface designs in a manner that can be easily understood by the target consumers. Sachetised/ Simplified products would help consumers make well informed borrowing decisions.

(Recommendation - SRO/ REs)

(c) DLAs should provide mandatory user education at user/ customer on-boarding/ sign-up stage itself about the product features and about computation of loan limit & cost. Borrowers must know the costs and conditions associated with the product before they accept to borrow and assume obligation to pay.

(Recommendation - GoI/ RBI/ SRO)

(d) A cooling off/ look-up period of certain days (globally, it varies between 3 to 14 days) should be given to customers for exiting digitally obtained loans by paying proportionate APR without any penalty, regardless of source of funding for such exit i.e., own source or refinance.

(Recommendation - GoI/ RBI)

5.4.1.3 All disclosures about the proposed credit facility should be available to the borrower upfront in an easily understandable manner to facilitate comparison. In this regard, the following are recommended:

(Recommendation - GoI/ RBI/ SRO)

(a) Each lender should provide a key fact statement (KFS) in standardized format for all digital lending products. Besides, the lender should also send SMS/ email with a summary of product information and ensure that the customers understand the lending terms and conditions. Contracting process and delivery of information should include digitally signed sanction letters to be emailed and abridged KFS to be sent by SMS/ e-mail. The format of KFS, for it to be effective, should be developed after obtaining feedback from consumers on their expectations from such statements. Brokered loans, DLA/ lead generator’s commission (e.g., yield spread premium) should be disclosed to the borrower if the borrower bears the cost directly or indirectly.

(b) A standardized and simplified loan agreement format may be prepared by the proposed SRO for financial consumers of digital lending covering terms and conditions. The loan agreement should be in a language understood by the borrower, say, in vernacular language. Needless to add, such agreement should be in consonance with the applicable laws, regulations and FPC.

(c) Responding to consumers with the reasons for decline of a credit application made through DLAs should be mandatory.

(d) Lack of mutual information creates a wedge between user needs and the products that they use. All digital lenders may be required to gather feedback/ rating of their service in the formats to be designed by the proposed SRO.

5.4.2 Preventing Over-indebtedness (Anti-predatory Lending)

5.4.2.1 Underwriting standards should be demonstrably adopted by all lenders using the services of DLAs. Some of the typical protections against payday loans, based on the model of Consumer Financial Protection Bureau (CFPB) of USA, are enumerated in Annex H. While complying with the CDD norms, lenders should ensure to capture the economic profile of borrowers. The digital lenders distributing products such as one-click loans, will be duty-bound to assess the consumer’s creditworthiness in an auditable way.

(Recommendation - GoI/ RBI)

5.4.2.2 All DLAs should refrain from employing predatory lending practices that push the borrowers to unsustainable levels of personal debt. Guiding principles in this regard may be developed by RBI/ proposed SRO. These recommendations/ suggestions cover aspects beyond digital lending in view of the commonality of concerns.

(a) For the purpose of STCC, while it may be difficult to prescribe a quantitative definition of over indebtedness, a uniform and principle-based approach to determining indebtedness/ debt serviceability of individuals/ households should be worked out. Such an approach should factor in the structural/ long term liability profile of the borrower rather than his short-term liability profile.

(Suggestion - GoI/ RBI)

(b) Anti-Predatory Lending Policy has to be formulated and publicly displayed by each lender. All STCC customers need to be mandatorily (akin to statutory warnings) taken to a financial education website page designed in vernacular languages to acquaint the prospective borrowers of the risk and consequences of high-cost loans and alternatives available, if any. The intention should be to enable the vulnerable sections to have better access to fair, non-exploitative, loan facilities. The scope of the Financial Literacy Centres (FLCs), Centre for Financial Literacy (CFLs) and even Electronic Banking Awareness and Training Programmes (E-baat), may be expanded to include digital lending and DLAs.

(Recommendation - GoI/ RBI)

(c) Restriction on loan flipping (a type of restructuring/ refinancing) may be considered where high-cost loans are subjected to refinances (say, more than twice in 18 months), without demonstrating any benefit to the borrower, such as, whether the borrower receives cash, a lower interest rate or a lower monthly payment as a result of the refinance. The restructuring/ refinance (loan flipping/ churning) for STCCs should be in accordance with the regulatory guidelines to be framed for such purpose. Automatic increases in credit limits should be prohibited except under express consent taken on record for such increases, subject to satisfying general customer protection measures.

(Recommendation - GoI/ RBI)

5.4.3 Responsible Pricing (anti-usurious lending)

5.4.3.1 The regulatory approach should include, among others, moving beyond mere disclosure and fair practice framework to more regulatory guardrails, particularly in respect of recurring issues.

(a) RBI may establish standard definitions for the cost of digital STCC/ micro credit as Annual Percent Rate (APR). All contingent costs should be appropriately factored in the APR. This would enable disclosure of costs in a clear and understandable way. The disclosure should include monetary and non-monetary impact of early, partial, late or non-repayment of the loan (contingent costs). Such information can be shared electronically, in a timely and cost-effective manner. Better understanding of costs by financial consumers of STCC can improve repayment performance.

(Recommendation - GoI/ RBI)

(b) There should be specific lending norms tailored for STCC lenders, such as affordability rules, the number of concurrent short-term loans or multiple loans that a consumer can hold at a point in time or over a given period. For lenders other than REs, GoI may like to take action. The STCCs generally carry comparatively higher cost. While the WG does not recommend any hard cap on the APR, the SRO shall keep a tab on such market-mechanism, which can be considered as high cost STCCs48.

(Recommendation - GoI/ RBI/ SRO)

5.4.3.2 Certain operational practices loaded against the financial consumers should be directly addressed.

(Suggestion - GoI/ RBI)

(a) Interest amount must be charged in arrears and never charged/ debited in advance. Any other fee should not be included as outstanding principal for compounding purpose. All fees should be included in calculation of APR and should be reasonable, and intended to cover costs closely related to the reason for fee, e.g., administrative cost or notional loss from early payment etc. Lenders are supposed to earn income from lending activities. Some digital lenders are charging interest for the whole month even though the disbursal does not take place in the beginning of the month. The interest calculation should be on actual days basis. Similarly, the benefit of interest reduction on the principal on account of pre-payments should be given from the actual date without linking it to next EMI cycle. Fee-harvesting49 features of digital lending may have to be restrained and any fee that has not been disclosed to the borrower at the time of sanction and/ or not factored in while disclosing the APR should not be chargeable. Any change in fee, if applicable, has to be informed to the consumer sufficiently in advance.

(b) Penal rate of interest should not be levied for prepayment of STCCs in full or part except a nominal administrative fee, if at all. For non-STCCs, if there is a pre-payment penalty clause, the APR will have to be demonstrably lower than what the APR would have been without a pre-payment penalty clause. The pre-payment penalty has to be suitably factored in while computing the APR.

5.4.3.3 The proposed key facts statement (KFS)/ fact-sheet applicable also to all STCC/ micro borrowers would give customers a simple summary of the important terms and conditions (tenor/ fees/ interest rate/ reset dates) of the financial contract. Use of any techniques by digital lenders, where they use hidden fee structures or “teaser” rates, should invite appropriate regulatory/ supervisory action.

(Recommendation - GoI/ RBI)

5.4.4 Fair and Respectful Treatment of Borrowers

5.4.4.1 There is a need to develop responsible borrowing culture in the digital lending landscape as much as responsible lending. This exercise of developing a positive financial behavior and attitude has to be taken up both by the industry as well as by regulators/ government. Such awareness/ education drives should emphasize legally permissible method of borrowing; building a credit score; improving appreciation for different features of credit and lower cost alternatives i.e., methods for shopping around for informed choices by providing digital comparison tools; addressing borrower’s behavior biases through debt advice/ counselling solutions for consumers in financial distress, etc. The behavior of consumers in understating their existing indebtedness at the time of seeking a loan should be a factor for consideration during future grievance or consumer protection/ recourse processes. Increased awareness of financial consumers about their data trails and credit histories - including their credit reports will, in turn, incentivize better repayment performance.

(Recommendation – GoI/ RBI)

5.4.4.2 Fair treatment of borrowers in financial difficulty refers to the lender’s obligation to detect, as early as possible, consumers going into repayment difficulties; engage with those consumers at an early stage to identify the causes for those difficulties and provide necessary information; help the borrower to address temporary financial difficulties and return to normal situation. Customer harassment needs to be suitably defined by the SRO in consultation with RBI. Disclosure of the type of debt that can be collected by LSP on behalf of an RE, the person who can collect such debt and the manner in which such debt can be collected, should be specified in the loan agreement with the borrower.

(Recommendation - RBI/ SRO)

5.4.4.3 As partnership with consumer facing LSPs is a dominant model in digital lending, there are specific aspects which are emphasized as under:

(Recommendation (a) to (d) - GoI/ RBI/ SRO)

(a) REs must conduct enhanced due diligence before entering into partnership with an LSP. The due diligence must be proportionate to the risks posed by the activity. RBI should incorporate appropriate provisions in the proposed Agency Financial Services Regulations.

(b) The REs should be required to put in place detailed fair collection policies and procedures on their website, as prescribed under extant regulations. In view of increasing significance and reach of DLAs and consequent concerns over unethical recovery practices, there is a need to standardize the code of conduct for recovery to be framed by the proposed SRO in consultation with RBI. In the event a debt collector needs to contact any third party about a borrower’s debt, such arrangements need to be explicitly factored in the loan agreement, specifically the type/ description of third parties. REs should ensure that LSPs are prohibited from employing abusive debt-collection practices including the use of false statements, practices akin to or constituting harassment, or giving of false or unauthorized credit information to third parties.

(c) As per extant regulations, REs are required to display the names of entities they have deployed for recovery operations on their website with adequate details. It may be mandated that the lender communicates to the borrower, at the time of sanction of the loan, the details of any LSP who can approach the customer for recovery. Similarly, at the time of passing on the recovery responsibilities to an LSP, similar prior communication to the borrower should be followed.

(d) The recovery agents, both off-site and onsite, should be required to undergo adequate training and accreditation to discharge their responsibilities with care and sensitivity. The institutional mechanism for accreditation can be worked out by the broader industry in consultation with RBI.

(e) The lenders should carry out periodic review of the conduct of the LSPs engaged in recovery and scan for their name in any ‘negative’ list or report its name to ‘negative’ list if there is significant breach of any code. In order to check the activities of dubious LSPs, an easier mechanism should be made available to lodge complaints about harsh treatment by such entities. The ‘negative list’ of LSPs to be maintained by the SRO should be meticulously followed for compliance.

(Recommendation - SRO/ DIGITA)

5.4.4.4 Formally disputed repayments should be indicated in the credit report along with the disputed amount vis-à-vis default or repaid amount. Certain types of updates/ inquiries with CIC about credit history of the borrower by any entity should be intimated to the borrower by SMS/ email to avoid any misreporting or unsolicited enquiries. Reasonable free access to the borrower for own data should also be considered by CICs.

(Recommendation - RBI)

Gist of Recommendations in the Report

Total Recommendations - 26

| Sr. No. | Para No. | Gist of the Action Point | Implementing Authority/ Agency |
|---|---|---|---|
| 1 | 3.4.1.1 | Restricting balance sheet lending through DLAs to REs or entities registered under any other law for specifically undertaking lending business | GoI |
| 2 | 3.4.1.2 | Direct execution of loan servicing, repayment etc. in a bank account of the balance sheet lenders and disbursements into the bank account of the borrower | RBI |
| | | Borrowers having only PPI account can be disbursed loan in fully KYC compliant PPIs | RBI |
| | | Any fees etc. payable to LSPs to be paid by the lenders, and not received by them directly from the borrower | RBI |
| 3 | 3.4.1.4 | Reporting of lending done by REs through DLAs to CICs | RBI |
| | | Non-adherence of timely credit reporting of a loan exposure by REs to CICs should act as a trigger for RBI to not allow certain activities in post origination stage, such as, assignment/ securitization or recovery enforcement process | RBI |
| | | Allowing only entities regulated by any financial sector regulator as agent on behalf of the borrower for CIC reporting/ information collection. | RBI |
| | | Intimation of each access/ enquiry of credit information by any specified institution to the borrower | RBI |
| 4 | 3.4.2.1 | Setting up of an independent body styled as Digital India Trust Agency (DIGITA) | GoI/ RBI |
| | | Eligible apps not carrying the ‘Verified’ signature of DIGITA to be considered as unauthorized | GoI/ RBI |
| 5 | 3.4.2.4 | Setting up an SRO covering DLAs and LSPs in the digital lending ecosystem | GoI/ RBI |
| | | Publishing the list of LSPs engaged by REs on their website | GoI/ RBI |
| 6 | 3.4.2.5 | Legislation styled as “the Banning of Unregulated Lending Activities (BULA) Act” | GoI |
| 7 | 3.4.3.1 | Prohibiting REs from entering into arrangements involving synthetic structures, such as, FLDG with unregulated entities | RBI |
| 8 | 3.4.3.2 | Regular agenda in SLCC covering reports on unauthorized apps in the market involved in digital lending/ illegal recovery and other types of activities associated with doubtful purpose/ suspected fraud | GoI/ State Governments/ RBI |
| | | Induction of TRAI as member/ need based invitee to SLCC | RBI |
| | | Withdrawal of the digital channel provisions from the CoR of NBFCs not undertaking digital lending for a reasonably long period | RBI |
| 9 | 3.4.3.3 | Refining ‘travel rules’ of narration of payment transactions through any digital mode under PSS Act | RBI |
| | | Strengthening non-traditional market monitoring | GoI/ SRO |
| | | Monitoring promotion of unverified digital lending apps for appropriate action | GoI |
| | | Monitoring by banks of accounts regularly operated from a different/ overseas IP address not consistent with KYC profile of the account holder | RBI |
| 10 | 4.4.1.2 | Lenders should deploy only apps verified by DIGITA | GoI/ RBI |
| 11 | 4.4.1.3 | Applicability of Baseline digital hygiene guidelines to LSPs | DIGITA/ RBI |
| | | Compliance with various basic technology standards/ requirements on cybersecurity should be a pre-condition to offer digital lending by the REs and LSPs providing support to REs | RBI |
| | | Each DLA should have links to its own secured website to display various information required by the prospective borrowers | RBI |
| | | Digitally signed documents supporting important transactions through DLAs should automatically flow to registered/ verified email of the borrower | RBI |
| | | Each DLA owner, including relevant LSPs, should have a suitably competent nodal officer to deal with FinTech related issues | RBI/ SRO |
| 12 | 4.4.2.1 | Baseline technology standards for DLAs of REs. Auditable logs should be kept for every action that user performs on the app | GoI/ RBI/ SRO |
| | | DLAs should mandatorily reflect the basic standards in the terms of service | GoI/ RBI/ SRO |
| | | Every FinTech app must be signed/ verified in a secured manner | GoI/ RBI/ SRO |
| 13 | 4.4.2.2 | Data should be stored in servers located in India | GoI/ RBI/ SRO/ DIGITA |
| 14 | 4.4.2.3 | Algorithm used for underwriting should be auditable | RBI |
| | | Adoption of ethical AI by digital lenders | RBI |
| 15 | 4.4.3.1 | Clear policy guidelines regarding the storage of data | GoI/ RBI/ SRO |
| | | DLA should make its comprehensive and compliant privacy policy available in public domain | GoI/ RBI/ SRO |
| | | Policy on customer consent | GoI/ RBI/ SRO |
| | | Standards for handling security breach | GoI/ RBI/ SRO |
| | | No biometric data related to customer due diligence should be stored in the systems associated with the DLA | GoI/ RBI/ SRO |
| 16 | 5.4.1.1 | Code of conduct on the use of unsolicited commercial communications for digital loans | GoI/ RBI/ SRO |
| 17 | 5.4.1.2 | Designing of more sachetised/ simplified products by the DLAs catering to low credit-penetrated markets | SRO/ REs |
| | | Education to users at on-boarding/sign-up stage about the product features | GoI/ RBI/ SRO |
| | | A cooling off/ look-up period of certain days for all digitally obtained loans | GoI/ RBI |
| 18 | 5.4.1.3 | Key fact statement (KFS) in standardized format for all digital lending products | GoI/ RBI/ SRO |
| | | SMS/email to borrowers with summary of product information and lending terms | GoI/ RBI/ SRO |
| | | Disclosure of Brokered loans/ DLA/ lead generator’s commission (e.g., yield spread premium) to the borrower | GoI/ RBI/ SRO |
| | | A standardized and simplified loan agreement format for financial consumers of digital lending, by the proposed SRO | GoI/ RBI/ SRO |
| | | Mandatory response to consumer with clear reasons for decline of credit application | GoI/ RBI/ SRO |
| | | Feedback/ rating of the services of all digital lenders in the formats to be decided by the proposed SRO | GoI/ RBI/ SRO |
| 19 | 5.4.2.1 | Lenders to capture the economic profile of borrower and assess the consumer’s creditworthiness in an auditable way | GoI/ RBI |
| 20 | 5.4.2.2 | Formulation and display of Anti-Predatory Lending Policy by each lender | GoI/ RBI |
| | | All STCC customers to be mandatorily taken to a financial education website page specially to be designed by SRO | SRO |
| | | Expanding the scope of the Financial Literacy Centres, Centre for Financial Literacy and even Electronic Banking Awareness and Training Programmes (E-baat), to include digital lending and DLAs | RBI |
| | | Imposing restriction on flipping where high-cost loans are subjected to refinances | GoI/ RBI |
| | | Prohibition on automatic increases in credit limits except with customer’s explicit consent | GoI/ RBI |
| 21 | 5.4.3.1 | Standard definitions for the cost of digital STCC/ micro credit as Annual Percent Rate (APR) | GoI/ RBI |
| | | Specific lending norms tailored for STCC providers, such as affordability rules | GoI/ RBI/ SRO |
| | | SRO to keep a tab on such market-mechanism, which can be considered as high-cost STCC | GoI/ RBI/ SRO |
| 22 | 5.4.3.3 | Requirement to provide a key fact statement (KFS) to all STCC/ micro borrowers | GoI/ RBI |
| | | Appropriate regulatory action for practices such as hidden fee structures | GoI/ RBI |
| 23 | 5.4.4.1 | Specific programme to develop responsible borrowing culture | GoI/ RBI |
| 24 | 5.4.4.2 | Defining customer harassment by the SRO in consultation with RBI | RBI/ SRO |
| 25 | 5.4.4.3 | Enhanced due diligence by the BSLs before entering into partnership with an LSP | GoI/ RBI/ SRO |
| | | Standardized code of conduct for recovery to be framed by the proposed SRO in consultation with RBI. | GoI/ RBI/ SRO |
| | | Communication from the lender to the borrower about the details of LSPs who have sourced the loan and prior communication about the LSP entrusted with recovery | GoI/ RBI/ SRO |
| | | Training and accreditation for the recovery agents | GoI/ RBI/ SRO |
| | | Periodic review of the conduct of the LSPs engaged in recovery | SRO/ DIGITA |
| | | Maintenance of the ‘negative list’ of LSPs by an appropriate body | SRO/ DIGITA |
| 26 | 5.4.4.4 | Indication of the formally disputed repayments in the credit report along with the disputed amount vis-à-vis default or repaid amount. | RBI |
| | | Intimation of certain types of updates/ enquiries sought with CIC to the borrower by SMS/ email | RBI |
| | | Reasonable free access to the borrower for own data from CICs | RBI |

Gist of Suggestions/ Issues for Future Examination

Total Suggestions - 17

| Sr. No. | Para No. | Gist of the Action Point | Implementing Authority/ Agency |
|---|---|---|---|
| 1 | 3.4.1.1 | Stipulation of appropriate guidelines consistent/ proportionate with that of RBI guidelines by regulatory bodies for other authorized lenders | Other regulatory bodies |
| 2 | 3.4.1.2 | Uniform LSP agreement for the balance sheet lenders | RBI/ SRO |
| | | Treating new digital lending products such as BNPL etc. as part of lending, if not in the nature of operational credit by merchants | GoI |
| 3 | 3.4.1.3 | Web aggregator of loan products to be subjected to discipline and code of conduct | RBI/ SRO |
| 4 | 3.4.2.2 | Defining and regulating Short Term Consumer Credit (STCC) | RBI/ GoI |
| | | Expansion of the extant/ proposed regulatory framework/ codes for MFIs to suitably include STCCs | RBI/ GoI |
| 5 | 3.4.2.3 | Development of a separate framework styled as Agency Financial Service Regulation for all customer-facing/ fully outsourced distribution activities of REs including that by the LSPs | RBI |
| 6 | 3.4.2.6 | Development of a separate National Financial Consumer Protection Regulation | GoI |
| 7 | 3.4.3.2 | Strengthening KYC rigor for issuance of new/ replacement SIM cards and holding MNOs accountable for any shortcomings | GoI |
| | | Superior use of digital technology and multiple data sources by RoC for early identification of shell finance companies and finance companies with proxy directors or opaque beneficial owner on an ongoing basis | RoC |
| | | Suitable action on such companies as per the law or reference to concerned agency | RoC |
| | | Real time data sharing by RoC with RBI on the de-listing of such shell companies, companies with proxy directors or opaque beneficial owner, for RBI to take up further action with respect to exposures of such companies across banks and NBFCs | RoC |
| 8 | 3.4.3.3 | Making relevant inputs from proposed Digital Intelligence Unit of Government, existing Telecom Analytics for Fraud Management and Consumer Protection, Telecom Commercial Communications Customer Preference Regulations 2018 available to respective supervisors of digital lending segment of FinTech | GoI/ RBI |
| | | A concept of Setting up of a National Financial Crime Record Bureau, similar to National Crime Records Bureau, with a data registry similar to crime and criminal tracking network and systems and accessible to REs | GoI |
| | | Exploring leveraging of the channel of FINNET of FIU-IND | GoI |
| | | Proactive surveillance by the local law enforcement/ police agencies | GoI/ State Governments |
| 9 | 3.4.4.1 | Treatment of behaviouralised part of pre-approved credit facilities as exposure for prudential purpose | RBI |
| | | Appropriate periodical returns from REs on digital data/attempted (frauds) | RBI |
| 10 | 3.4.4.2 | Development of a regulatory/ supervisory framework for digital lending with a ‘seamless digital’ approach | RBI |
| | | Conversion of regulatory instructions for digital lending to machine readable formats | RBI |
| | | A blueprint of a forward-looking framework for identifying and managing risks arising from BigTech/ DeFi | RBI |
| 11 | 4.4.1.1 | Regulations for the operations of so-called ‘digital banks’/ ‘neo banks’ formulation | RBI |
| | | Encouragement for ‘digital only’ NBFCs and initiation of digital only banks | RBI |
| 12 | 4.4.1.4 | Create a comprehensive framework for organisational and technical measures for data processing, to fix accountability of entities processing personal data, and to provide suitable remedy against unauthorised and harmful processing | GoI |
| 13 | 4.4.3.1 | The Data Protection Authority, proposed in the Personal Data Protection Bill, could serve as the regulatory body | GoI |
| 14 | 4.4.3.2 | Data Privacy and security at the end of SMS gateways/ SMS service providers by the REs/ DLAs before onboarding them. Monetizing of data by SMS gateways should be suitably dealt with by the appropriate agency | GoI |
| 15 | 5.4.1.2 | Restriction on fixed sum/ non-installment unsecured STCCs with very short contractual maturity | RBI |
| 16 | 5.4.2.2 | Uniform and principle-based approach for determining indebtedness/ debt serviceability of individuals/ household | GoI/ RBI |
| 17 | 5.4.3.2 | Interest amount must be charged in arrears and never charged/ debited in advance | GoI/ RBI |
| | | Any other fee should not be included as outstanding principal for compounding purpose | GoI/ RBI |
| | | Any fee included in calculation of APR will have to be reasonable and meant to cover costs closely related to the reason for the fee | GoI/ RBI |
| | | The interest calculation should be on actual days basis | GoI/ RBI |
| | | The benefit of interest reduction on the principal on account of pre-payments should be given from the actual date without linking it to next EMI cycle | GoI/ RBI |
| | | Any fee that has not been disclosed to the borrower at the time of sanction or not factored in while disclosing the APR should not be chargeable | GoI/ RBI |
| | | Any change in fee, if applicable, has to be informed to the consumer sufficiently in advance | GoI/ RBI |
| | | No prepayment penal rate of interest should be levied for STCCs for full or proportionate closure except a nominal administrative fee, if at all | GoI/ RBI |
| | | For non-STCCs, if there must be a pre-payment penalty clause, the APR will have to be demonstrably lower than that without a pre-payment penalty clause | GoI/ RBI |

Annex A - Synopsis: Inputs received from Stakeholders

Legal Aspects
Sr. No. Feedback from Stakeholders
1. There is a need for data protection law, especially considering alternative credit appraisal models and customer confidentiality.
2. Proposed amendments in the IT Act –

• Addition of “applications & social media platforms” to the definition of intermediaries

• Section 79 provides exemption of liability and changes the same to limited liability for intermediaries under certain instances. An intermediary shall not be liable for any third-party information or data made available by it or hosted by it, if it is not having actual knowledge, i.e. only through a court order or on being notified by the appropriate government or its agency and not otherwise. This section needs to be amended to recognize the request made by the financial institution and the intermediaries to be made responsible for directly or indirectly allowing, promoting or abetting instances of wrongful conduct by persons.
3. • Recognition of loan records in digital platforms by extending the provisions of Bankers’ Books Evidence Act.

• Moneylenders to adhere to their respective territorial jurisdictions.
4. Digital loan platforms fall within the definition of "intermediaries" as per IT Act, 2000 and should therefore be made to follow all the rules applicable to the intermediaries, including those which require them to display the name, contact details and address of the nodal officers and cooperate with law enforcement.
5. Indian Personal Data Protection Law to cover all issues related to general data security and consent for data processing
6. Allow centralised stamping/ franking of loan documents
7. Risk of Perjury - The NBFC/bank that refinances the Digital Lending App (DLA) must be required to provide a certificate of good governance on the part of DLA at the risk of perjury. Similarly, both Google and Apple must insist on a set of declarations of ethical business practice from the DLA, again, at the risk of perjury. Regardless of enforcement, insistence of such declarations and self-certification will, in and of themselves, act as a deterrent.
 
Regulatory Aspects
Sr. No. Feedback from Stakeholders
1. Lending Apps to be registered as NBFC-Digital Money Lenders

Ownership

• Restrict foreign ownership

• Minimum paid up capital and NOF to be prescribed

• Only Indian directors (resident in India)

• Maintain a lien marked FD

Processes and Products

• Only personal unsecured loans to be offered

• Maximum loan size to be INR 5 lacs

• Loan tenor of 3 – 36 months

• Mandate to be members of CIC with regular credit reporting

• Daily reporting to CICs regarding loan inquiry

• Full KYC process (as approved by RBI) to be followed, irrespective of ticket size

Registration

• Registration can be carried out by PWC, KPMG, EY etc. based on guidelines issued by RBI

• Fees to be charged (INR 1-2 lacs) to ensure only serious players apply.

• CoR to be issued for 3 years post which audit will be conducted by the same firms.

• Respective App-store to verify CoR
2. • Clarity on the applicability of outsourcing guidelines to bank/ NBFC-FinTech partnerships.

• RBI should set out an indicative list of activities, along with a negative list that may be provided by such digital platforms. Further, credit sanction should remain exclusively with the bank and NBFC.

• A licensing framework for digital-only banks with prudential requirements and licensing pre-conditions like commercial banks

• Creating an easy to access database of authorized banks and NBFCs (on lines of FCA, UK) either on the RBI website or through a separate portal to customers to confirm if an entity has been licensed/ registered by RBI.
3. • Licensing for non-regulated digital lenders or internet based financial and non-financial companies, with light touch regulation and prescription of entry point norms such as minimum capital and reporting requirements

• Prescribe organization governance standards for digital lenders

• Clear reporting framework and improve coverage of reporting to credit bureaus
4. a) Based on a comparative study of regulation of Fintech in various countries, the regulatory focus is on:

• Requirement to ensure communications with customers were accurate and did not omit important information during advertising and promotion

• AML requirements were a priority for regulators. Due diligence, especially as related to eligibility criteria of borrowers and creditworthiness/ affordability, was an obligation commonly imposed upon firms.

• Regulatory requirements related to operations, management, systems and controls.

• Rules related to complaint handling processes, segregation of client assets and governance ranked highest.

b) Digital lenders should have a clear established process for loan approvals, as well as for amending, renewing, and refinancing existing loans and for demonstrating what type of data is used in the process of granting a loan and how data quality is assured.

c) White listing of digital lenders
5. Comparative Study (Brazil) (FSI Report)

Digital lenders known as Sociedade de Crédito Direto (SCD) are not allowed to raise funds from the public except by issuing shares. However, they can sell or assign their roles to other FIs. SCDs are subject to risk-weighted capital requirements comparable with those applied to the smallest tier of credit institutions in Brazil. In terms of governance, an SCD needs to, inter alia, be established as a corporation and include Sociedade de Crédito Direto in its legal name, have senior staff that is deemed to be fit and proper, pursue an integrated risk management approach, and conduct its lending business by selecting borrowers according to consistent, verifiable and transparent criteria that are relevant for assessing their credit risk.
6. Credit Reporting to Bureaus

• Credit Bureaus should enhance their infrastructure to update near-real time information on a weekly basis.

• Sharing of negative information on non-payment of very small loans may again push first-time borrowers towards informal or unorganized channels of lending. In this context, regulators must come out with guidelines on what positive and negative information should be shared and how the information should be used as a component of credit assessment.

Responsible Underwriting

• Transparency and responsible sourcing of customers has been a critical area where lenders and the regulator need to focus. In this regard, there may be a requirement to prescribe minimum tenure, maximum interest rate, the maximum number of lenders from which a borrower can borrow, etc.
7. • Lighter e-KYC regulations for low ticket size

• Lending platforms to disclose their partnerships, underwriting partner’s details, etc.

• Cap maximum loan amount at Rs.5 lac per lending app per borrower and limit maximum exposure to Rs.2.5 lac for a single NBFC to a borrower in case of co-lending (like P2P platforms).

• Common eKYC norms across Banks and Digital Lending Platforms.
8. Bring newer products like BNPL within the definition of credit
9. Requirement of digital Aadhaar based identification & authentication (only allowed for banks currently).
10. • Outsourcing guidelines should provide for full disclosure of loss sharing arrangements, if any, between the RE and digital partners

• Controlling access to NACH and Payment Gateways for only regulated lenders
11. Eliminate regulatory frameworks that enable rent-a-bank or rent-a-NBFC model and emphasize the RBI’s supervisory expectations for the FinTech or digital lenders that are involved in these types of lending arrangements by -

i. following prudent credit underwriting practices and standards,

ii. ensuring that the loan complies with applicable laws, including consumer protection laws and fair lending laws,

iii. considering the borrower's privacy, eliminating coercive collection practices, and

iv. complying with RBI guidelines on managing the risks of third-party or outsourced relationships.

The best mechanism to insist on proper regulatory licensing for these lenders will be to follow the test for True Lender criteria given below:

a) Lender named to borrower

b) Participation in risk

c) Underwriting of the loan

d) Responsibilities of customer onboarding and KYC

e) Servicing – encompassing from payments to collections and routine customer support

If the FinTech performs the above (a) through (e), they should obtain a Certificate of Registration as an NBFC. Alternatively, if the Fintech:

i. Performs only (a) or any other actions other than (a), they should obtain a Certificate of Registration as an NBFC

ii. Performs only (b) or any other actions other than (b), they should obtain a Certificate of Registration as an NBFC

iii. Performs only (c) they should obtain a Certificate of Registration as an NBFC or as a P2P lender and if they perform (c) with any of (a) and/ or (b), they should obtain a Certificate of Registration as an NBFC, but if they perform (c) with either (d) and/ or (e), they should at least have a P2P license.

iv. Performs only (d) the lender that is outsourcing the service should follow the outsourcing guidelines published by the RBI for all NBFCs and Banks. However, if they perform (d) with any of (a) and/ or (b), they should obtain a Certificate of Registration as an NBFC, but if they perform (d) with either (c) and/ or (e), they should at least have a P2P license.

v. Performs only (e) the lender that is outsourcing the service should follow the outsourcing guidelines published by the RBI for all NBFCs and Banks. However, if they perform (e) with any of (a) and/ or (b), they should obtain a Certificate of Registration as an NBFC, but if they perform (e) with either (c) and/ or (d), they should at least have a P2P license.
12. Mandate quarterly returns from REs reporting their digital partners and their exposure
13. • Curb payday-loans through regulation

• Multi-layered offshore entities doing digital lending to be brought under appropriate laws and regulation

• Non-regulated entities should be categorized as special regulated entities similar to third party app providers (TPAP) guidelines in payment industry.

• Bureau access to be restricted to non-REs, thereby ensuring customer data protection
14. RBI to publish list of the digital lending apps of financial institutions including special RE apps on its portal as part of awareness among the public
15. It should be mandatory for every NBFC to intimate mobile application of disbursement and collection of loans to the bank
16. On-boarding of the lending app (B2B on-boarding – need to have checklist and compliance requirements which is applicable only one time). All app-stores should allow such lending apps only after verifying the checklist such as copy of RBI authorisation/ NBFC authorization.

Clearing houses (such as UPI, debit cards) should issue guidelines to acquiring banks to only allow on-boarding them as “valid or verified merchants” after the verification of the checklist as mentioned above. This can be applicable only for lending apps, institutions.
17. RBI should evaluate a “Digital NBFC” licensing which would require adherence to compliances, standardization of processes, etc., similar to NBFCs, with a couple of changes to provide room for promoting growth and innovation of digital lending
18. Businesses/ lenders which are offering products such as buy-now-pay-later, salary advances, or invoice purchases must be brought within the ambit of NBFC regulations, by including the said activities as lending activities.
19. The regulator should consider allowing non-balance sheet lending to allow for experimentation, development of segments/ entities. In the case of non-balance sheet lending for digital lenders, the onus would also be on the balance sheet provider. This could be complemented with controls around:

i. Ticket size (say upto Rs 5 Lakh of loan amount)

ii. Life-stage of company (say allowed for first 3 years of existence post which lender needs to move to co-lending model)

iii. AUM Cap (non-balance sheet lending allowed till AUM reaches say Rs 100 or Rs 200 Crore post which lender needs to move to co-lending model).

iv. There could be added requirements around financial inclusiveness

These permits should be provided only for companies which obtain a “Digital NBFC” license from RBI.
20. Co-lending model should be allowed for all regulated lenders (licensed digital lenders included) for personal loans also.
21. • RBI has proposed Rs 20 crore capital requirement for NBFC license. Lowering of threshold (existing 2 crore capital requirement could suffice) in the initial life stage and increase it to Rs 20 crore after 3-4 years or on reaching a certain AUM may be considered.

• RBI should mandate adoption of Account aggregator framework by all banks, deposit taking NBFCs and nudge other regulators (IRDAI, SEBI) to do the same for insurance, mutual funds and equity broking industry.
22. • Since the video-based Customer Identification Process (V-CIP) currently restricts application timings to office hours and delays underwriting process, it is recommended to consider the following arrangement:

Successful OTP based e-KYC + Automated Video KYC (to be verified on post facto basis by the Bank), followed by a digitized process where verification can happen on post facto basis, like the customer reading out an OTP or a dynamic code flashed on screen on a real time basis.

Burden of payment should be with the user (who is using the CKYC and thereby reducing their process cost) and not the uploader lender (who is adding to the database and making the system richer in terms of data/customers). This would encourage the database becoming richer and stronger, faster.
23. • Distributors (e.g., digital aggregators) should be provided access to consumer data through credit bureaus, the Account Aggregator framework, GST, banking data etc. There should be valid and reasonable entry barriers for the platforms who can access this data, like ISO certification, audits, minimum capital requirement etc.

Responsible distributors (as ascertained by respective REs) should be allowed to perform non-underwriting tasks like KYC, income and document validation, etc. besides acquisition of customers.
24. RBI should clearly lay down the reporting framework and improve the coverage of reporting to credit bureaus by digital lenders.
25. RBI must create a regulation for digital group lending/liability with privacy protections.
26. A separate product category in the consumer credit information file should be created to report Buy Now Pay Later Loans.
27. (i) There is a need to put in place a strong monitoring and evaluation lens on the existing regulated entities.

(ii) Better enforcement of extant regulations/ laws through better supervision so that RBI can work with law enforcement to have illegal and non-compliant operators prosecuted under relevant law, and cancel the license of regulated entities flouting extant regulations/ laws

(iii) Enforcement of applicable regulations on upstream entities, such as payment gateways and aggregators, will help block the entry of unauthorized lenders into the ecosystem.

(iv) Enlisting Google & Apple should also facilitate compliance with the law. Greater monitoring, careful curation and regular due diligence of entities uploading their lending apps on the App stores will ensure better enforcement outcomes.
28. Inclusion of eNACH and UPI-Collect as financial instruments would provide recourse to digital lenders in case of default (similar to a cheque dishonor).
29. To prevent misuse of customer data and deter privacy violations, following steps may be taken:

• Institutions (utility, EPFO etc.) can provide APIs for verification of address and employment.

• A mechanism to get the latest mobile number of the borrower from TRAI in case the borrower changes SIM cards.

Ready access to certain non-intrusive customer data (as is available from Credit Bureaus) without consent to help credit appraisal.
30. • Regulate all entities which are marketing loans through a lightly regulated Loan Service Provider (LSP) license. There should be no loopholes. An NBFC that books loans will continue to be an NBFC. An LSP can work with an NBFC under the existing Outsourcing of Financial Services guidelines of the RBI. In addition, an LSP can exist under a BC (Business Correspondent) relationship with existing banks and NBFCs.
31. Due to lack of restrictions/regulation of digital lending, pseudo regulators like Google Play App Store and Facebook are stepping in. Example – Google Play prohibits apps which offer loans of tenure less than 90 days. This may not be suitable for the Indian ecosystem as there are examples of successful ventures like MannDeshi Bank (offering daily and weekly loans to women vegetable sellers) which would be in violation of Google Play’s guidelines.
32. The BNPL model is currently gaining traction especially in e-commerce - loans are being offered at 0% interest rate. The platforms claim that since there is no interest being charged, they are not required to book the loan on an NBFC or to report it to a credit bureau. Hence, no regulations are applicable to them. The platforms do take creative steps once a loan turns NPA, including post-facto creation of a loan on the books of an NBFC. RBI must clearly re-define what constitutes credit so as to classify BNPL as a loan and hence bring it under regulatory coverage.
33. RBI has mandated that UPI credit can only be provided through a bank’s overdraft system, but banks have not provided FinTech enterprises access to this facility as banks are hesitant to utilize overdraft accounts with UPI as such transactions would be voluminous and in real-time. Hence, FinTech enterprises create virtual pool accounts for releasing credit over UPI. As a result, the credit disbursement is neither regulated nor reported.

Hence, UPI credit can be tied to a PPI with a mandatory linkage to a NBFC’s line of credit or bank overdraft account. This will necessitate amendment in the extant NPCI guidelines.
34. i) RBI must enforce stricter KYC norms for payment gateways to onboard merchants.

ii) RBI must create a clear process for payment gateways to follow in case a fraud is detected, including sharing of data with FinTech partners. They must have the responsibility of being a party to any legal case that the wronged party/ FinTech may file.
35. Currently several entities which are not under regulatory purview are taking advantage of regulatory arbitrage, which leads to non-compliance with the fair practices code and the evolution of an alternate form of money lenders.

Hence, RBI should provide baseline framework for regulating such entities. The framework should inter-alia include:

• Registration requirement with RBI

• Credit assessment and repayment norms

• Cap on loan amount

• Overall exposure of entity

• Cap on Interest rate

• Fair practices code and Grievance redressal mechanism
36. A sector-specific data protection regulatory framework for digital financial services should be considered.
37. Since illegitimate entities enter the space by registering themselves under the Companies Act or the Moneylenders Act promulgated by the state governments, such loopholes should be plugged by standardising digital lending norms across legislative spectrums.
38. Cap the maximum FLDG on lines of Capital Adequacy Ratio (~15-20%) so that unregulated players do not pose systemic risks. Hence bank/ NBFCs will also actively participate in the credit assessment without relying on the underwriting of digital lenders. This approach will also encourage digital lenders to expand only within the guidelines and framework of RBI regulations and will be compelled to apply for CoR from RBI.
39. Regulator needs to completely curb the operations of any digital lender operating without partnering with any NBFC/ bank.

a. Play store can ask for CoR number of the digital lender to be validated by an API approval from the regulator

b. In case, digital lender does not have a CoR, then the CoR of at least one NBFC along with the agreement to be submitted on the play store.
40. Strict adherence to outsourcing guidelines and FPC to be ensured by the RE
41. On the lines of web aggregators for insurance (regulated by IRDAI), web aggregators for banking products should be brought under the regulatory purview of RBI. Various activities of banking product aggregators need to be supervised by the RBI, especially activities around the ‘free’ bureau reports, collection and usage of customer data.
42. Publish the list of NBFCs and the brand names and apps associated with them, which will serve as a whitelist of all the regulated apps in public domain. Further, if an NBFC is providing their certificate to a third-party company, the corresponding brand name should also be listed. The activity of publishing can be done by RBI or the SRO.
43. The per loan cost of checks that are required as per regulation is (for smaller tickets) a much larger percentage of the credit amount. KYC, credit bureau, marketing, underwriters’ labour can be a substantial share of disbursed principal especially in case of low approval-rates. This would be best assessed by (market average) absolute fees while pure percentage restrictions on processing fees are not a reasonable approach.
44. Create a clear definition of what players are included in the (regulated) lending ecosystem. Unregulated players should be categorised separately, and a supervisory framework should be designed and implemented to regularly monitor and audit/ certify their activities.
45. In order to enforce the extant regulatory framework, some market participants may support/ supplement the regulator as under:

a. Google/ Apple to verify NBFC licenses of companies that offer FinTech apps on their online “stores”

b. Payment gateway providers to control proper incorporation and documentation of all its partners

c. Credit bureaus and collection agencies to only cooperate with accredited FinTech players
46. Clarity should be provided on e-KYC procedures to be undertaken by fin-tech lending companies as offline and online procedures are not clearly delineated
47. Lenders should be allowed to restructure distressed loans or find other solutions in cases of hardship
48. Guidelines may be framed prescribing the borrower data which the lenders are permitted to collect for the following use:

a. Assessing application for unsecured credit, secured credit (mortgages) and insurance products etc.

b. Reviewing of existing credit facilities

c. Developing of credit scoring system

d. Acceptance of guarantees

e. Application for services (for example, when a person applies for a mobile phone service contract in the United States, the telecommunications company may conduct a credit check of the applicant)

f. Verifying personal credentials

g. Payment history in respect of continuing credit services with retailers

h. An investigation into fraud, corruption, or theft
49. Lenders should leverage existing Account Aggregator infrastructure. The usage of Consent Managers (i.e. account aggregators) should be mandated for lenders for better consumer control over their data. This will also help in regulating the collection of data by lenders to take credit decisions.
50. DPD guidelines should be looked at (not 180 but 45 days) since many loans are also with a shorter tenure.
51. • Payment Gateways should not work with unregulated entities who are disbursing loans but should only partner with regulated entities like Banks and NBFC who are licensed to lend.

• Bureaus should not work directly with unregulated entities.

• Bureau reporting guidelines required for digital loans

• FinTechs should not get direct access to Bureau, Payment Gateway, Esign, E-NACH, E-KYC, PAN Verification.

• Aadhaar Verification should only be via regulated entities (Bank/ NBFC)
52. A standardised framework and approach on use of CKYC will provide a level playing field for banks/ NBFCs and FinTechs to source customers.
53. Guidelines may be framed on digital execution of the loan agreement/documents based on OTP based Aadhaar signatures.
54. Specific cap/ criteria on maximum unsecured exposure (MUE) at a customer level should be introduced to control overall indebtedness. This needs to be ensured by all lending institutions across conventional/ digital lending mechanism.
55. Digital lending should be allowed only for regulated entities and their agents, and the regulator takes a different approach in treating these digital players as per their type. Only the following entities should be allowed -

1. Commercial Banks – Scheduled and Non-Scheduled

2. Cooperative Banks and Regional Rural Banks

3. Non-Banking Financial Companies including Housing Finance Companies

4. Digital lending platforms as agent of Banks and NBFCs under outsourcing arrangement

5. P2P lending platforms

6. LSP and Open Credit Enablement Network (OCEN) participants

7. Other regulated entities such as Nidhis, Registered Cooperative Societies etc.

A brief of recommendations for different players

NBFCs/ banks - Digital lending or co-lending by these regulated entities is currently governed exhaustively under the extant regulations - Guidelines on Fair Practices Code for Lender, Guidelines on Recovery Agents engaged by banks, Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks, Master Circular on Customer Service in Banks, Master Direction on Information Technology Framework etc. Strict adherence to these guidelines shall be ensured.

Agents of NBFC/ banks – Agents of regulated entities function under the existing regulatory framework and under the terms of valid legal agreements with their partner banks and NBFCs who on-board such agents after duly conducting stringent due diligence on the agents and hence can be exempt from additional licensing requirements.

NBFC-P2P – The current RBI guidelines clearly define the scope of activities that can be undertaken, and also have safeguards for transparency, disclosure, and consumer protection.

Unlicensed Digital Lenders – These unlicensed lenders need to be tackled on priority by all stakeholders in the digital ecosystem including app store operators and search engines to prevent their distribution and usage to ensure consumer protection.
56. The regulator should outsource some of its functions of regulating Digital Lending Apps (DLA) to a regulated entity (NBFCs, for example), as its sub-agent, for greater effectiveness and hold them responsible. If the regulator wishes to do the job itself, it can insist that the license application includes a full recitation of the regulatory conditions for approval by the applicant to ensure that they are cognizant of the requirements and are willing to commit to comply with them.
57. Need to bring in interest rate regulations without adversely impacting the economics of digital lenders and the broader objective of financial inclusion. The target segment of digital lenders, viz. mid prime and New to Credit customers, has high delinquency, and the costs of acquiring and serving these customers are also high. Regulators may consider introducing interest rate caps in a phased manner broadly in line with the effective interest rates of credit cards. Further, to enable economics for digital lenders, the regulator may consider providing access to low-cost liability lines including through securitization lines.
58. • Digital Credit Cards/ lines of credit should be allowed to operate without license to further improve financial inclusion.

• Allow 5% P2P lending in the overall basket to manage cost of borrowing and access to capital
 
Technological Aspects
Sr. No. Feedback from Stakeholders
1. Minimum technology standards may be prescribed to weed out non-serious players and push the sector towards maturity.
2. • The tools for enforcing market conduct will need to be re-designed to address the new risks. High-tech tools to be developed to enforce market conduct and provide a convenient mechanism for consumer grievance redressal.

• RBI has prescribed detailed guidelines to banks/NBFCs on cyber security and the same is subjected to on-site inspection. Similar regulation for DLEs may be considered to prevent perpetration of frauds.

Creation of IT infrastructure for digital lending akin to infrastructure created for digital payments.
3. • Baseline technology/ security requirements expected from consumer facing service provider operating the digital lending platform may be specified.

• Avoid conflict of interest, and data security/privacy for customers in case a DLE is servicing multiple NBFC/ banks.
4. • We may need to work closely with Google Play Store/ Apple App Store to review the financial apps having non-essential permissions which compromise the personal data of consumers, for identification of bad actors in the system.

• A Government/ Non-Governmental agency may provide rating to the financial apps registered in the app stores.

• A mechanism to monitor malicious activity at touch points such as payment gateways and bank accounts may be devised.

• Digital Lenders should ensure that information is protected against disclosure to unauthorised users (data confidentiality), improper modification (data integrity) and inaccessibility when needed (data availability).

• Suggestion may be made to Ministry of Electronics and Information Technology (MeITY) for standardisation in registration of the financial app in Google Play Store/Apple App store or other app stores.
5. • Confusing menus and user interfaces – A prescription on necessary details and the clutter free standard interface would help the borrowers in taking well thought out decisions.

• Discriminatory Algorithms - Algorithm based lending practices have been found to result in unintended discrimination based on race, ethnicity, religion, national origin, gender, marital status, age, sexual orientation, and other protected classes. In this regard, these algorithms should be subjected to pretesting, testing and retesting. SROs may dictate the ideal algorithms with rationale for relying on specific information or factors at the time of making credit decisions. As the algorithms being used by white label apps are not subjected to testing, the whole industry may have same side blinds or unintended discrimination.
6. • Elaborate security processes and protocols need to be instituted against potential cyber intrusion and attacks by making them an integral part of the software development life cycle.

• Data security practices should include data encryption, masking, data audit program, clear definition of data breach with reporting, and a data governance structure headed by a Data Privacy Officer.

• IT infrastructure monitoring also needs to be put in place for holistic security.

• ISO 27001 (ISMS: Information Security Management Framework), and ISO 22301 (BCMS: Business Continuity Management Framework) have been recommended for covering all IT security aspects comprehensively.
7. Classification of consumer data into essential (necessary for completing loan journey) and peripheral. The borrower should have the ability to complete loan journey without sharing peripheral data.
8. When drafting regulations and putting in place a regulatory framework to supervise the use of technology/ cloud adoption by such digital lending companies, regulators should take a “principles-based approach”. Principles-based regulation means moving away from reliance on prescriptive rules and relying more on high-level, broadly stated rules, objectives or principles to set the standards by which entities must conduct business.
9. RBI should audit the books and use heavy duty ML to figure out potential suspicion.
10. In collaboration with CICs, digital lenders can leverage AI/ ML to determine creditworthiness of first time/ new to credit lenders
11. Mandate CERT-In compliance for all platforms to ensure adherence to IT Act, which can be verified by the partnering RE
12. No customer data to be shared with special REs, therefore mobile apps cannot become a data aggregator by using their partnership with a reputed RE
13. Access to confidential personal information of customers such as his contacts, location, gallery, files etc. should be prevented.
14. While the personal data privacy laws will help to provide a legal framework for information protection (customer data from their phone including personal data, pictures etc), RBI needs to take strong steps to discourage access to such data through online lending applications.
15. Certification of digital lending apps by Govt appointed agency (like ISI) could validate that the apps are genuine thus giving the customer an additional trust on the app that is collecting various information from the customer. Such measure will also prevent issues like the recent Chinese app incidents
16. As multiple domestic/ foreign apps are currently sourcing/disbursing loans, data residency and privacy guidelines as prescribed by RBI are not being enforced, as these become applicable only once the data reaches a regulated entity. Hence, licensing of such platforms/ apps as Loan Service Providers shall bridge this regulatory gap.

Further, CISA audit may be mandated for all (including foreign apps) even if done remotely. CERT-In may be roped in to create a new cybersecurity audit certification for FinTech apps that are being operated remotely from other jurisdictions.
17. Direct Google Play Store to not impose contradictory US-centric guidelines in India.
18. IDRBT and/or similar entities can test lending apps and vet the terms-and-conditions offered by the lending apps. This can be voluntary or mandated by regulator for entities that they regulate. A process similar to IB-CART (used in cyber security and about vulnerabilities in various banks’ online applications) may be extended for encouraging best practices in lending apps. The process may include:

• Collecting information from various players (we may limit to regulated entities, since non-regulated may not cooperate) and sharing it with the forum.

• Keeping track of unregulated players' apps and reporting to the appropriate authority. This requires crawling of play-stores/social media.

• Passing on information to CERT-In for law enforcement, blocking, removal of apps from play-store, etc.
19. Improve self-regulation/ auto-regulation to increase trust and simplify compliance – enable lending process automation through formal contracts using audited contracts running on a distributed ledger (or similar). A digital lending platform based on distributed ledger technology where the regulator node controls the transactions can be thought of as a long-term solution
20. Since illegitimate entities enter the space by registering themselves under the Companies Act or the Moneylenders Act promulgated by the state governments, such loopholes should be plugged by standardising digital lending norms across legislative spectrums and due diligence to be carried out by the platforms before onboarding the apps on their App Store. RBI can consider adopting monitoring of such apps and take-down procedures in collaboration with the app stores.
21. A graded privacy policy could be an option where compliance requirements vary based on pre-defined categorisation of entities. For instance, privacy requirement for a credit app would be different from that of a payment application. Such a granularity would help regulated entities acquire the right set of consent artefacts for well-defined purpose.
22. Data Protection – Two risks need to be addressed, viz. data protection (from unauthorized access), and data privacy (use and management). An external agency can be set up like NPCI for consumer data protection throughout its life cycle and can be benchmarked to global data protection frameworks. Certain suggestions are -

(a) Access to only 5 additional contacts with explicit consent

(b) No access to media gallery

(c) Data deletion within 1 month from close of loan

(d) Penalty matrix for breaches – to be audited by external agency

(e) Obligation on the lender to ensure the consumer fully understands the terms and conditions of the loan

(f) Mandatory and full disclosure to the client on data being collected and how it is being used.
23. In order to strengthen the onboarding process of lending apps on App stores, RBI should frame required guidelines and include relevant clauses

- Requirement of a CoR should be stipulated during onboarding process.

- The platforms should be instructed to regularly monitor the lending apps to ensure that guidelines are being adhered to. Any breach should result in termination and reporting to the RBI.
24. Data security obligations, data retention periods should cover all participants during the term necessary for actual product or service. Clarity may be provided on the requirements of data localization rules.
25. Strict Adherence to Cyber Security Guidelines - RBI has provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds and notifications on Cyber Security Framework for banks. Regulated entities including banks and NBFCs should ensure strict adherence to such guidelines and should proactively promote an understanding of the bank’s cyber security framework amongst their outsourced service providers and other relevant stakeholders to ensure appropriate action to support their synchronized implementation.
26. To check and control app-based fraud, the transaction activity has to be monitored and both ends of the transaction need to be supervised, to check aggressive lending and reckless or multiple borrowing. NBFC/bank analytics have to be upgraded to flag abnormal/suspicious activity. NBFC must invest in technology and other capabilities needed to tackle these challenges.
27. India’s proposed Personal Data Protection Bill is fairly exhaustive but till the bill is implemented there may be a need to impose interim measures

• Apps should be allowed to obtain any personal information from customers only with their express permission. There should be adequate safeguards against unauthorized access of data (including contact list, photos, call records, non-transaction messages), periodic information security audits, and clear mapping of use cases including cross sell or upsell against data collected from customers.

• Develop framework for model risk management to mitigate any potential impact of advanced data and artificial intelligence based financial models on financial stability, similar to the impending regulation in mature geographies like USA.

There need to be explicit guidelines on customer data access to third party services and platforms. Only digital platforms with documented partnerships with registered NBFCs/ banks should be allowed to access any personal customer data used for underwriting or storage.
28. Artificial Intelligence (AI) and more specifically deep learning are among the most recent innovations in data analytics to be leveraged by the financial sector. Adoption of deep learning in finance is likely to threaten financial stability in the long run due to herding (various actors making similar decisions based on standard models), network connectedness and regulatory gaps (as innovation will outpace updates to regulatory regimes).

Recommendations to Manage Micro-Prudential Risk –

1. Internal Mapping – mapping of institution-wide dependencies on internal data and software may help reveal concentrated dependencies within each financial institution.

2. Model Hygiene - Regulators should update the existing framework for model risk management within the financial sector to better capture deep learning models and need to focus more on how the model arrives at its prediction.

3. Firm Buffers - Authorities might consider add-on or minimum buffers - building in some margin of error - if banks were to determine risk weights or capital based upon deep learning algorithms.

4. Regulatory Diversity - Regulations meant to address explainability, fairness, and robustness concerns - even if written to be technologically neutral - may lead to uniformity. Regulators might address this trade-off when crafting regulation by proposing multiple ways to internalize regulations while remaining compliant with guidance.

Recommendations to Manage Macro-Prudential Risk –

1. External Mapping - of each firm’s external dependencies on data and software providers. Once aggregated and viewed from the network level, such external mappings could provide a better - though likely still incomplete - picture of systemic dependencies and complex interconnections of the system.

2. Material External Dependencies - Material or system wide dependencies on third party AI-as-a-Service providers, such as Google, OpenAI, and others, may call for requirements that such external models comply with updated financial system model risk management regulation.

3. Horizontal Reviews: A framework of horizontal reviews could be helpful to assess the extent to which there may develop uniform decision making across the network. Horizontal reviews related to deep learning models could reveal herding amongst market participants or network interconnectedness to material external dependencies.

4. Network Buffers - There could be a requirement that financial institutions continue running back-up traditional data analytics models in case the models fail or act in unexpected ways

5. Developing World - The systemic risk and financial fragility challenges of deep learning adoption in finance are likely to be more acute in developing countries, and hence the international community should pay closer attention, working to assist developing countries in preventing potential problems early. Possible macro-prudential policy interventions may also be guided within the purview of the IMF & the World Bank.

6. Ex-post Interventions: policymakers may wish to consider how best to plan in advance for potential ex-post, crisis management intervention.

7. Call to Action - The dedication and ingenuity of academia, public officials, and the private sector will be needed to best understand the magnitude and scope of potential challenges
 
Business Conduct/ FPC/ Customer Grievance aspects
Sr. No. Feedback from Stakeholders
1. • Digital lenders to have board approved policy to address consumer grievances and complaints.

• Contact details of consumer grievance redressal officer to be prominently displayed and communicated to borrowers

• Fair practice code for recovery
2. • The guidelines set out for recovery agents employed by banks are far more comprehensive than the directions issued for NBFCs. Such a distinction in approach may be revisited to provide similar standards for agents employed by banks and NBFCs.

• Active and clear disclosure of partner banks and grievance redressal mechanism.

• Banks to have a Code of Conduct to set out standards and practices for neo-bank partners.

• Explicitly and prominently state the regulatory status of the FinTech or its partner NBFC/ bank in the user interface, as was mandated by the June 2020 circular.

• Under the existing FPC framework, most obligations relating to disclosure of terms and conditions and transparency are rightly placed on the regulated entities. However, as digital platforms are acting as the first point of contact for customers, RBI should set out the most important terms and conditions that banks and NBFCs should require such service providers to disclose upfront to customers.
3. • A separate Fair Practices Code for DLE to be put in place by RBI.

• Additional disclosure requirements for DLEs specific to digital delivery and remote KYC process. Benchmarks and standards to be set on transparency and disclosure.

• RBI may promote responsible lending practices to monitor levels of over-indebtedness. Examine product designs to support responsible lending and reduce incentives for irresponsible borrowings.

• The primary method of collection, among others, includes pulling money from a mobile money wallet or a bank account. Customers often consent willingly or unknowingly as the lenders simply include it in the lengthy and difficult-to-read terms and conditions of the contract and design it as an opt-out rather than an opt-in option. Recent unhealthy collection practices of threatening the borrowers to share the default with contacts in the mobile data point to a lack of implementation of fair collection practices. There is a need to protect the consumer from such unhealthy practices in digital lending.
4. • Consumer awareness may be done through initiatives of Department of Communication such as ‘RBI Kehta Hai’

• Mechanism to obtain periodical report from CEPD and Ombudsman office regarding such complaints.
5. • It is hard to read agreements on mobile screens. The agreements should be sent to borrowers before loan sanction and disbursement.

• Presently, unlike MFI, there is no guideline on the type and format in which critical conditions of loan need to be displayed. Prescribing a disclosure format on processing charges, interest rates, tenure, penal charges etc. would lead to much desired transparency and comparability among loans across different platforms.

• The agreement should be made available in languages other than English.

• Adopting responsible advertising and marketing standards

• Borrowers should be given adequate notice so that the recovery process becomes smoother.

• Transparency in terms of tie-up between lenders and Technology Partners, the business model

• Regulation of Interest Rates and Charges - Principally, it is a well-accepted practice that only market forces should decide the pricing of loans. However, as digital lenders are catering mostly to financially frail customers who are not being catered to through traditional organized channels, it is vital that the pricing is sustainable and based on the repayment capability of borrowers. Like traditional models, there should be a graded approach on pricing depending upon the relative credit scoring of customers.

• Revenue Sharing between lenders and Technology Platforms - Presently, there is no consensus on sustainable model of revenue sharing between the lending lenders and the technology partners. Such gaps create opportunities for the technology partners to indulge in coercive recovery practices.

• Detailed policies on collection and recovery procedures - Regulator should come out with specific guidelines on digital lenders’ collection practices such as calls, communication, no pressure to re-borrow, threats and no surprise fees.

• Digital credit providers may also provide proactive information (alerts of upcoming payments, missed payments, late fees etc.) that may better assist borrowers, including identification of financial counsellors located in the customer’s geographic area and other resources for customers suffering from financial strain.

• Lenders should be held accountable for the appointment of credible technology partners with strict agreements on collection and use of data, putting in place the requisite internal systems to check data mishandling and policy for collection of limited data and its retention on internal servers.
6. App/NBFC should provide the loan sanction letter, loan agreement copy and repayment schedule statement through email and post in the customer’s local language.
7. Cap on the limit of maximum interest rate to be charged and also guidelines for collection of loan amounts.
8. All intermediary platforms which onboard digital lending apps to verify the app narration (short and long narration).
9. Currently, some non-regulated REs access credit bureau data on behalf of the customer through their platform by taking one-time customer consent but continue to ping the credit bureaus and store customer data. This practice needs to be curtailed.
10. Appoint Nodal Officer for grievance redressal
11. Upfront disclosure of all-in, annualized cost of a loan with illustrative examples of loan repayment cost
12. Explicit barring of certain collection practices like calling borrower’s contacts.
13. Create a SRO
14. Consumer should be made aware that in case of co-lending by multiple NBFCs, multiple accounts will be reported to CIC for one loan.
15. Grievance redressal mechanism along with an escalation matrix.
16. Special REs should be governed via FPC and under Complaints & Ombudsman Framework.
17. • As the entire process of appraisal, disclosure and acceptance of MITC, and loan agreement is digital, digital lending entities should maintain an audit trail in case any dispute arises in the future.

• To maintain a balance between the interest of the borrowers and NBFCs, following changes may be carried out in the FPC-

o FPC could stipulate that cognizance of complaints from defaulting borrowers would not be taken unless there was evidence of coercive and threatening language or acts of physical coercion.

o Further, NBFCs and banks may be advised that all collection calls should be recorded as an audit trail so that these can be used to verify the veracity of complaints of misbehaviour.
18. Rate of interest, processing fees, other charges, loan tenure, loan amount approved, identity of lender and grievance contact information etc. should be clearly stipulated in the loan offer made to the customer via digital lending platforms. Since digital contracts can be hard to absorb on small screens, these mandatory key terms must require explicit display and consent of borrowers.
19. There should be a clear fair practices code for digital lenders. Both the digital lender as well as the balance sheet provider/co-lending partner (which is usually a large bank or NBFC) should ensure adherence to such codes.

a. Transparency around data capture and use of data:

The data being captured and use cases should be clearly communicated to the customer in simple language. These would also be eventually part of the new data protection guidelines.

b. Transparent communication of Pricing/cost of loan:

i. Annualized, reducing balance interest rate must be clearly displayed to consumer. Some platforms could be using monthly interest rates or flat interest rates. These practices need to stop.

ii. Total cost of borrowing displayed in the form of total annualized interest.

c. Reason for decline always to be communicated:

It should be made mandatory to explain the reason of rejection to consumers. For ease of standardization, the regulator, in consultation with industry, could pre-define 5/10/15 categories of rejections. This should be applicable for all lending (digital or non-digital).

d. Selling allied products along with the loan:

It should be made mandatory to take the payment for allied/x-sell products separately from the consumers. This would ensure that consumers are completely aware of the products, want to take them and are ready to pay for them, instead of these getting debited from their final disbursal loan amounts.

e. Grievance Redressal Mechanism:

Similar to Banking and NBFC ecosystem, there should be defined timelines, escalation mechanism for any grievances. This information should be visible to the consumers on the platform.

f. Drive Consumer Awareness around borrowing, maintaining Credit health:

Given the lack of financial, credit awareness amongst larger population, a concerted effort to increase consumer awareness around borrowing and credit health would go a long way in building a healthier lending ecosystem.
20. To make new digital players survivable, there should not be any cap on pricing as of now and for regulator to watch the space carefully and intervene later if needed.
21. Certification of FPC by industry bodies like IBA, DLAI, FIDC or CERT-In at periodic intervals. The App stores can check for such certification before listing.
22. Based on learnings from the Code of Conduct as prescribed by Digital Lenders Association of Kenya, and Digital Lenders Association of India, a FPC for Digital Lending Associates (engaged by banks/ NBFCs) has been proposed. The 7 principles shall be –

Principle 1: Obligation to adhere to applicable law & regulations apart from industry norms

DLAs shall apply good market practices, industry customs and other commonly used industry guidelines, as long as they do not conflict with applicable laws and regulations.

Principle 2: Responsible lending and affordability assessment

DLAs shall always uphold their responsibility to make fair income and affordability assessments of customers and to ensure that financial products and services, including the loan and all charges and fees, are not in excess of a customer’s capacity to pay.

Principle 3: Cooperation with Intermediaries

DLAs shall engage with their Intermediaries in a manner that the principles contained in this Code are duly adhered to even by the Intermediaries in their areas contributing to the overall digital lending activities of the DLAs.

Principle 4: Transparency of Product, Pricing and Services

DLAs shall, during each activity related to the initiation, conclusion and performance of a digital loan agreement, provide comprehensive information on the rights and obligations of the customers, so as to enable them to make a conscious and unhampered decision regarding incurring and fulfilling the obligation.

Principle 5: Data Usage and Sharing

DLAs shall practice good faith and standards of due professional care in the collection, storage, use and sharing of personal data of customers.

Principle 6: Customer Management

DLAs shall adopt internal procedures in accordance with applicable laws, regulations and the principles of this Code regarding the consideration of customer complaints.

Principle 7: Fair treatment in Debt Servicing and Collection

DLAs and their debt collection providers shall be guided by their best knowledge and professionalism in the market, to ensure that debt collection activities are conducted in a fair and professional manner.
23. RBI must have sole authority to determine fair practice guidelines for lending apps in India.
24. Reduce asymmetry for borrowers – e.g.

a. enable platforms for syndicated loans for MSME/ micro-finance,

b. enable multiple loans from different financers against same collateral,

c. reducing costs for leads and legal/net-worth-vetting etc.: e.g. when loan is refused by one financer- minimize cost to borrow from another financer,

d. automatically develop credit history starting with micro-finance and beyond
25. Digital lending platforms should disclose the terms and conditions of lending in a transparent manner. Such lending platforms should ensure that identity theft of borrowers is avoided by incorporating a proper authentication mechanism. Such platforms should also ensure data privacy of the customers. IT security aspects of such digital platforms should be strengthened to meet the challenges emanating from innovative measures adopted by cyber fraudsters.
26. Existing redressal mechanisms like Banking Ombudsman (BO) could be strengthened by training and equipping the BOs with matters of privacy, data protection and other such dynamic issues. Running data analytics on the Complaint Management System (CMS) and using social media analytics to identify trends and taking suo moto action would help strengthen end user confidence.
27. All the stakeholders in the ecosystem need to uniformly follow the rules related to data privacy and must have clearly defined processes for collecting, processing, storing, and deleting the customer's data.
28. Institutions must provide a clear communication to the customer on how the data would be used. Tutorials/programs to provide these details to the customer should be encouraged. The customer should clearly know the risks associated with sharing of data and the remedial measures available through the institution.
29. The data being collected by DSAs (on behalf of lenders) should be limited in scope, used only for specific purposes for which the consent was taken, and any misuse thereof should be curtailed
30. Smaller NBFCs are the major originators of STPL and this step will deter regulated NBFCs that are either complicit or negligent of their digital channel partners. Further, the wait time of 30 days should be reduced to 15 days. Technology and automated processes could be deployed to look after the increased case load.
31. (a) Communicate the rate (including any fees) in the form of APR

(b) Capping interest rates especially for low ticket size, low tenure loans. Example – 75% for up to 3-month loans and 60% for above 3-month loans

(c) Proposed external agency to monitor the marketing of products

(d) NPCI-like external agency to approve the marketing, sales and development of such innovative products and supervise the execution.
32. As a part of the regulatory and supervisory framework, the following may be prescribed –

• Capping charges and interest rates

• Incorporation in India

• Tight relationship between NBFC/lenders and tech providers
33. Business Correspondent regulations may be reviewed and need to apply similar guidelines and responsibilities/ liability/ obligations to the agents of the NBFCs/ lenders
34. Following details should be displayed in mobile applications including Instant Loan Apps:

a) Name of NBFC with Registration & license number

b) details of MD/ Owner of app or NBFC

c) interest rate and other charges

d) model loan agreement

e) grievance redressal mechanism

f) Bank guidelines governed by them
35. Special REs to disclose upfront to the customer, the name of the primary bank/ NBFC
36. Regular RE to be held accountable for any malpractice from special REs. All customer correspondence to be cobranded communication to ensure full transparency to the customer
37. Set up an SRO for Lending App promoters.

The powers of the SRO can be stipulated by RBI, and it may have the following powers:

a) Identify fake/ unauthorised lending apps or websites by using the whitelist created.

b) Identify companies found indulging in malpractices/ harassment for recovery.

c) Report them to RBI
38. Applying yearly interest “APR” calculations to fees of much shorter duration is misleading.
39. Regulator to launch periodic consumer awareness programmes with respect to customers’ rights and duties in the field of unsecured credit
40. Create an industry wide grievance redress mechanism to be followed in the event of a customer complaint
41. Key loan terms (i.e. cost and time) to be clearly communicated upfront and to be shown fully calculated for the chosen loan amount.

Clear communication as to what final amount is to be paid out to the borrower in case certain amounts are to be deducted from the actual loan amount for whatever reason.
42. Limitations on penalty accruals
43. Requirement to disclose to credit consumers any third parties that may be involved by the lender in the loaning process.
44. • Rules and regulations should strongly support lawful and efficient collections

• All collection activity should be moved under the supervision of one dedicated regulator (RBI)

• All collection activity must strictly comply with criminal law

• The court and enforcement system should only be used as a last resort

• Awareness should be created amongst borrowers regarding negative consequences of delay and default of loans. Regulator to launch periodic consumer awareness programmes with respect to their data principal rights.

• Small delinquent claims are best dealt with (internal or external) pre-litigation collection.

Following measures may be taken:

1. All lenders and collection companies are to be properly incorporated and to have directors/senior executives pass a reasonable “fit and proper” criteria

2. Create a register of “approved” collection agencies or FinTechs that are mainly focussed on collections

3. Prescription that all collection staff are to a) have a clean criminal record b) have no negative credit bureau entry c) pass trainings and a test of basic knowledge of collection rules and ethical behaviour and practices

4. Regular internal and external audit procedures to ensure compliance with collection guidelines

5. Analogously to lending create a standardised collection complaints process

6. Phone calls, letters/ electronic communication and physical visits should be allowed to remind a debtor of his payment obligation and the possible legal consequence if he/ she fails to do so - but within a given timeframe (e.g. 6am to 10pm during workdays, 10am to 6pm during weekends and holidays)

7. All collection conversations are to be taped and stored for at least 3 months
45. For customer protection: Consent from the customer should be taken for the below mentioned points before taking underwriting data

- Loan application

- Loan scheme

- Access to phone data
46. Periodic Audit and Rating of the processes adopted by digital lending platforms to ensure hygiene and control can be a very important measure to address customer protection issues/ gaps.
47. Guidelines on customer education for the digital lending apps, for e.g., visibility of lending Partner’s name prominently on the confirmation page/ App/ Loan TnC (first page) of these digital lending apps
48. Applications on digital lending app/platform should be simple, easy to navigate and easy to download. Application should specify terms and conditions in simple language and bold fonts. Most Important Terms & conditions (MITC) should be prominently displayed and requested for acknowledgement. Loan statements should be simple and easy to understand for the customers.
49. • Lending should be linked to the credit bureau score of the borrowers or the lender’s own assessment, which should be clearly spelt out.

• Annual interest rate should be transparently quoted in the loan document.

• Repayment schedule should be mentioned in the loan document.

• Lending should be clearly related to a specific objective and to the monthly earning of the borrowers. Surplus available with the borrower, after meeting the regular requirements, must be assessed and only to that extent loan should be extended.

• Under Micro-finance regulations, indebtedness limit is given. Likewise, for personal loans, particularly those extended to certain segments of society such as farmers, labourers could be defined. Loan amount and repayment capacity should be correlated so that we can avoid the instances of over-indebtedness.

• Put in place an effective grievance redressal mechanism.

• Finally, the ‘Principals’ of these lenders should be responsible for their lenders and be liable for any wrong-doing by these outsourced entities.
50. 1. The regulator must err more on the side of consumer protection than worry about stifling innovation.

2. NBFCs that lend directly to borrowers through their own apps can take the lead and set an example for other Digital Lending Apps (DLA) to follow. This is one way of crowding in good business practices.

3. NBFCs lend their names and funds to DLAs and also enjoy the fruits of lending activity. Hence, it is the onus of regulated entities to ensure due diligence and ensure smooth and orderly conduct of lending and collection business.

4. The DLA are not from the financial sector but they have cracked the acquisition channel. They need to be educated about lending. Regulated entities need to devote time and resources to train and orient the DLA on the extant regulations, while also disassociating themselves from those that display errant behavior with customers.

5. All DLA that deal with money must display the bank/ NBFC certificate which also ensures moral responsibility of the regulated entities to the borrower.

6. ‘Mystery shopping’ should be employed to ensure that good practices and code of conduct are adhered to.

7. Other measures -

• Terms and conditions of the loan should be available in the borrower’s language. The language and the visual cues used have to be simple, easy to understand and the borrower’s consent taken that they have fully understood the terms and conditions.

• The annual percentage rate (APR) that is charged on the loan should be displayed in Font 12 on the telephone screen.

• Statutory warnings – similar to those displayed on cigarette packs – on the dangers of excessive borrowing should be part of the loan documentation and displayed in bold letters and bright colors.

• The regulator has to mandate clear interest rate ceilings and minimum repayment cycles with severe penalties, including revocation of license, for violations.

• It is imperative that the regulator comes up with a strong and capable customer grievance redressal mechanism. The consumer should have knowledge of the entire procedure of registering complaints along with the contact number to do so.

• Commercial entities will be fearful of the reputation risk, once reprimanded and fined publicly by the regulator. The regulator should not fight shy of resorting to that tactic to ensure consumer protection.

Play Store (Google, Apple etc.) – For financial products, including credit, that are sold through apps listed on their platforms, they can insist on fulfilment of conditions prior to featuring them on their platforms. Declarations of clear ownership of DLA with contact address, telephone numbers and proofs of address of promoters or owners of the app must be insisted upon. The NBFC parent that refinances the DLA must be required to provide a certificate of good governance on the part of DLA at the risk of perjury. Similarly, both Google and Apple must insist on a set of declarations of ethical business practice from the DLA, again, at the risk of perjury. Regardless of enforcement, insistence on such declarations and self-certification will, in and of themselves, act as a deterrent.
51. • Mandate to reveal the true cost of lending at the time of origination of loans to the borrowers, including break up of interest rates and fees.

• Periodic audits to ensure compliance to extant outsourcing guidelines.

• Prevent misuse of customer data by recovery agents through restricted data access, formal training and robust grievance redressal mechanism

• Mandate integration of educational messages in digital product design to report unfair collection practices. Monitor the same through Ombudsman/Independent Committee

• Guidelines to ensure misleading information is not used in marketing
 
Other Aspects
Sr. No. Feedback from Stakeholders
1. Prohibition on usage of misleading terms like ‘bank’ and ‘banking’ by platforms either as a part of their names or URL. Marketing material being used should not be misleading.
2. Any contravention of the minimum requirements by such platforms must be immediately reported by banks and NBFCs to RBI.
3. Consumer Education

• Lead to be taken by industry bodies like DLAI

• NGOs in the financial space can be engaged
4. Regulatory Sandbox - Leverage regulatory sandbox for digital banks to assess the viability, risks, scalability, and adequacy of extant regulatory and supervisory framework.
5. Regulatory Sandbox - Encourage more participation to promote innovation in technology
6. Financial Literacy – Use of targeted interventions and technological innovations.
7. • Continuous interactions with law enforcement agencies such as police may give valuable insight to the problem and necessary market intelligence.

• Institutional mechanism may be put in place to pass on loan application not sanctioned by one institution for consideration by another based on their own risk appetite. This shall help in expanding the institutional credit reach to more consumers.
8. One NBFC should use only one application and only such app should be available in Google/ Apple App Store and it should not be kept in standalone files, which can be forwarded and downloaded.
9. Many foreigners are coming on business visa and starting business in India. RBI can monitor such foreigners coming on business visa and doing illegal business. A coordination and information sharing mechanism between the Ministry of Corporate Affairs, Intelligence Bureau, RBI and the State Police can be established.
10. RBI should develop a platform. This platform is where the customer can give all data and the concerned FinTech company can only get this data with proper anonymizing and develop their underwriting model. This way, the FinTech company will not have direct knowledge of who these customers are.
11. It should be mandatory to have the physical address in app store, which is verifiable. They should have a board member whose details should be online, and they should be made accountable.
12. Define clear roles in the lending ecosystems for different players
13. • Mandatory checking of credit score with a CIC for assessment

• Reporting of all loans (including in co-lending model) even short tenure by leveraging APIs to prevent loan stacking

• Loan repayment and delinquency to be reported on a weekly basis

• Details of loan tenure, interest, borrower’s income and employment type should also be reported to help analyse state of digital lending

• Instances of credit enquiry by one entity, disbursal by another, and collection by a third one should be avoided as it makes it difficult to trace the loan.
14. Details of loan tenure, interest, borrower’s income and employment type should also be reported to help analyse state of digital lending. Reporting should be mandated under Credit Information Companies (Regulation) Act, 2005.
15. In coordination with FIU, a close watch should be maintained on receipts and payments and financial transactions of such Foreign nationals.
16. RBI should conduct bi-monthly coordination meetings with all the stakeholders, region-wise regarding financial frauds and measures to prevent them. RBI should also conduct meetings with DGP, State CID/EOW heads, Police Commissioners on this.
17. RBI should provide wide publicity about emerging financial frauds and Cyber Crime frauds in print/visual/audio mode in national and regional language. RBI should communicate any circular or guidelines issued in the interest of public to the law enforcing agencies in concerned State and to major Police Commissionerates.
18. RBI should appoint Nodal Officers to coordinate with all agencies including law enforcement agencies.
19. RBI should forward complaints, if any, received in respect of financial frauds to the law enforcing agencies of concerned state to all the Commissionerates to take pre-emptive measures.
20. Industry bodies may maintain a central registry of recognized lending apps/agents
21. The personal insolvency rules under IBC need to be notified to help lenders file for personal bankruptcy proceedings against retail borrowers. There would be a process for the designated Court to appoint a receiver to take possession of the assets of the debtor and distribute them among the creditors. Inputs from legal Department can be taken and a Model Code may be proposed. This would be a deterrent for wilful defaulters.
22. Retail borrowing for personal and home loans should be kept out of the purview of restructuring guidelines.
23. Demand-side measures like financial literacy should complement the supply-side enforcement of applicable Law. Create awareness on the available options for lending through digital channels and support in the creation of information about the ecosystem
24. RBI should encourage competition and innovation such that alternate products that offer the consumers the same benefit at improved access, lesser cost, or lesser risk are available in the financial marketplace.
25. Correct consumer issues in Credit Cards:

(i) Payment Mandates at the time of issuance: Almost all the personal loans require customers to give bank mandates to pay future EMIs. Similar mandates should be necessitated for credit card payments to ensure customers do not miss payments and incur high costs.

(ii) Fees should not go into revolver calculation and not have interest cost: Fees should not get clubbed with spend balances for revolve calculation and should never bear interest. It could have a reasonable simple separate late payment charge on fee which is easier to understand.

(iii) Correct complexities regarding Cash advance: Cash advances must not carry interest balance from day zero and actually be treated like a spend balance. To discourage too much cash advances, a reasonable cash transaction fee however must be continued
26. Encourage informal sector to get semi-regulated on such formal platforms to provide loans for high-risk proposals.
27. Expand ability of formal sector to increase FI in lending, without significant increase in risk.
28. There is a need to have close coordination with the law enforcement agencies to understand the big picture and to ensure such instances are detected early.
29. a) Bureaus are engaging in monopolistic practices because of lack of competition and are charging obnoxious rates for passing certain information like total loans and overdue loans etc. which is passed on by NBFCs/ digital lenders only to them

b) Bureaus to be nudged/ mandated by the regulator to charge only a nominal cost for certain non-proprietary information like total outstanding and overdue loans.

c) The same will be supremely useful for digital lenders who are paying a fixed cost per file irrespective of the ticket size of the loan and is eventually getting passed onto consumers in form of high processing fee.
30. Suggestions to strengthen the ecosystem for a robust and secure digital delivery system -

a) Increase the coverage & limits on UPI based mandate for EMI payments. The present limit is Rs. 2,000/- and the Banks covered in this are limited.

b) Restart Aadhaar based E-KYC for NBFCs

c) Direct debit mandate set up with banks may be allowed for a seamless process

d) Certain procedural improvements on mandate setup and presentations of EMIs etc. are in the works at NPCI:

i) Aadhaar based mandate set up through NPCI needs to be improved for a frictionless process for customers. The response time from NPCI for such mandate set up is presently T+2 days depending on bank to bank. This needs to be improved and should be uniform across banks. Ideally the same should be real time.

ii) Response time on presentations done for mandates set up is between 1-2 days depending on Bank to Bank. A quicker response time will help in curtailing risk for lenders and thereby expand market with greater confidence

e) Increased access to Customer Information with their due consent will allow lenders to fine tune their credit decision models and have better response time for approval of loans:

f) Banking information of the customers in seamless digital mode across all bank accounts maintained by the customer through a centralized agency.

g) Telecom and utility bills of consumers for verifications (for limited purpose of address validations).

h) Investment holding of customers in demat/ mutual funds/insurance.

i) GST and MCA records for business entities.
31. Effective supervision should be preferred over creation of new regulation. The recent reports highlighted two types of bad actors: unregulated lenders (that were engaged in illegal lending), and regulated entities that acted in violation of the Applicable Law. Hence, coordination with law enforcement for the former and stricter implementation of Outsourcing Guidelines for the latter are needed. Further, Google/Apple which operate play stores and payment gateways can be roped in for better monitoring and control. Creation of new regulation for DSAs will not help mitigate the current risks.
32. Demand-side campaigns like financial literacy should complement supply-side enforcement of applicable/ extant laws
33. Promote competition and innovation in the ecosystem to organically reduce small ticket personal loans (STPL). Other financial products like Buy Now Pay Later, earned wage access (a factoring for wages) etc. can be substitutes to STPL, especially for the working-class demographic (18-30 years), and help avoid the perils of STPL. Having a proliferation of options to avail of these substitutes will organically wean customers away from the STPLs and reduce the scope of potential harm.
34. Creation of a digital lending standing group with adequate industry representation for taking a long-term view on the innovations in the space.
35. Creation of Early Warning Systems

Special cells within the regulator or such similar mechanisms in coordination with the stakeholders (like FinTech industry, banks, police, civic bodies) that can identify similar risks in advance.
36. The collection agencies/ agents hired by the digital lenders should be mandated to clear Debt Recovery Agent examination/ training (based on the guidelines from the IIBF), which is currently applicable to collection agencies of Banks and NBFCs. This training should be imparted by an IIBF approved institute only. All the digital lenders should adhere to the collection guidelines issued by the RBI.
37. In order to improve the quality of underwriting, lender may be provided access to the below information sources:

a. Telecommunication providers

b. Smartphones and their operating systems

c. Credit Bureaus

d. Social Networks

e. MFIs

f. Insurance companies

g. ARCs/ collection agency data
38. Continued support of Digilocker as repository of document across all institutions
39. Digital lenders can be used as a medium to provide credit bureau education to customers in simple and easy terminology which can enhance customers understanding on maintaining a good credit history.
40. Responsible Digital Lenders can set up a SRO that can evolve a code of good conduct and ethical lending and collection practices for digital lenders.
41. • There is a strong need to set up an SRO under the supervision of RBI with representation from key industry players. Wide range of compliance related matters including stability of the tech process and underwriting models, customer privacy and data protection, usurious lending practices, and unlawful collection practices could be brought under the ambit of the SRO. A well-coordinated task force is required under the SRO that operates in tandem with eco-system that facilitates these apps like Google/ iOS Playstore, telecom operators and local law enforcement agencies to regulate and prevent unlawful operations of rogue entities.

• Credit bureau reports of customers should be accessible only to regulated entities like banks/ NBFCs.

Annex B - Details of Interfaces and List of Entities

Details of interfaces

1. Commissioner of Police, Cyberabad Commissionerate, Hyderabad

2. Chief Technology Officer, State Bank of India

3. Chief Technology Officer, ICICI Bank Limited

4. Deputy Commissioner of Police, Cyber Cell, Mumbai

5. Shri Naveen Kukreja, Founder & CEO, Paisabazaar.com

6. Shri Achal Mittal, CEO, NDX P2P Private Limited

7. Shri Dilip Asbe, MD & CEO, National Payments Corporation of India

8. Shri Aman Jain, MD & Business Head, Google India

9. Digital Lenders Association of India

10. FinTech Association for Consumer Empowerment

List of various entities/ individuals that provided their inputs to the Working Group

1. Smt Koduri Nikhila, Regional Director, Hyderabad Regional Office, Reserve Bank of India

2. Dr. Snehal Herwadkar, Director, DEPR, Reserve Bank of India

3. Shri Sathyan David, Retired Chief General Manager, Reserve Bank of India

4. Shri G N Rath, Retired General Manager, Reserve Bank of India

5. Indian Cyber Crime Coordination Centre, Ministry of Home Affairs

6. Chief Secretary, Government of Telangana

7. Commissioner of Police, Cyberabad Commissionerate, Hyderabad

8. Vidhi Centre for Legal Policy

9. Digital Lenders Association of India

10. FinTech Association for Consumer Empowerment

11. Shri Ashish Kohli, CEO, Kreditech Financial Services Private Limited

12. Shri Dilip Asbe, MD & CEO, National Payments Corporation of India

13. Prof. D. Janakiram, Director, Institute for Development and Research in Banking Technology

14. Shri V.V. Balaji, Head, Chief Technology Officer, ICICI Bank Limited

15. Shri Nandkumar Saravade, CEO, Reserve Bank Information Technology Private Limited

16. Chief Technology Officer, State Bank of India

17. Shri Achal Mittal, Co-founder & CEO, NDX P2P Private Limited

18. Shri Hardeep Singh, Legal and Policy, CRED

19. TransUnion CIBIL

20. Shri Rajeev Jain, MD, Bajaj Finserv

21. DMI Finance Private Limited

22. Kudos Finance and Investments Private Limited

23. Abhijit Bose, Chief Credit Officer, DCB Bank Limited

24. Shri Pulak Ghosh, Professor, IIM-Bangalore

25. Dr. Anantha Nageswaran, Part-Time Member, PM’s Economic Advisory Council

26. Amazon Web Services

27. Shri Srinivas Yanamandra, Chief Compliance Officer, New Development Bank

28. Shri Ramgopal Subramani, Chief Operating Officer, Perfios Software Solutions Private Limited

29. Shri Naveen Kukreja, CEO, Paisa Bazaar

30. Shri Gaurav Chopra, Payments Council of India

31. Premji Invest

32. FICCI

33. Indicus Centre for Financial Inclusion

34. Indian Lenders Association


Annex C - Extracts of Sample Survey Data on Digital Lending

Information collected from 76 scheduled commercial banks (48 submitted nil information) and 75 NBFCs (13 submitted nil information)

I. Scheduled Commercial Banks (Individual data for 28 banks)

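Amount = total amount disbursed through digital channels (Rs. in crore); Number = total number of loans disbursed through digital channels.

| Amount FY 2017 | Amount FY 2018 | Amount FY 2019 | Amount FY 2020 | Amount as on Dec 31, 2020 | Number FY 2017 | Number FY 2018 | Number FY 2019 | Number FY 2020 | Number as on Dec 31, 2020 |
|---|---|---|---|---|---|---|---|---|---|
| 288 | 3 | 120 | 134 | 29 | 1373 | 32 | 359 | 774 | 238 |
| - | 1175 | 7713 | 16453 | 17789 | - | 55603 | 299226 | 694265 | 758421 |
| - | - | 1594 | 2972 | 1621 | - | - | 5998 | 13504 | 105150 |
| - | - | - | - | 3 | - | - | - | - | 861 |
| 32 | 683 | 2638 | 2111 | 1549 | 606 | 4108 | 16410 | 19568 | 10585 |
| 193 | 211 | 694 | 1739 | 5351 | 29008 | 40230 | 91799 | 249317 | 685948 |
| - | - | - | - | 19 | - | - | - | 23 | 2287 |
| - | - | 77 | 153 | 111 | - | 3 | 8846 | 19119 | 14846 |
| - | - | - | - | 11 | - | - | - | - | 10376 |
| 66 | 230 | 602 | 1,332 | 1,619 | 4387 | 20940 | 36726 | 90914 | 145295 |
| 10074 | 22184 | 29428 | 38624 | 38,206 | 941537 | 1476016 | 2159075 | 2722959 | 2582300 |
| - | - | - | 569 | 1241 | - | - | - | 721228 | 1309069 |
| - | - | - | - | 15 | - | - | - | - | 94 |
| 81 | 491 | 669 | 926 | 475 | 3260 | 22901 | 33691 | 50705 | 17829 |
| - | - | 1835 | 2846 | 1,720 | - | - | 39635 | 57317 | 35896 |
| - | 442 | 1559 | 1,522 | 1,025 | - | 15486 | 41513 | 33728 | 20911 |
| - | - | - | 128 | 696 | - | - | - | 1117 | 5360 |
| 84 | 474 | 851 | 953 | 835 | 4929 | 30934 | 69024 | 82993 | 75748 |
| - | - | 1035 | 4880 | 12151 | - | - | 8438 | 31763 | 2250060 |
| - | - | 410 | 524 | 610 | - | - | 410 | 524 | 610 |
| - | - | - | - | 2 | - | - | - | - | 191 |
| - | 5 | 33 | 94 | 110 | - | 390 | 1832 | 4436 | 5118 |
| - | - | - | - | 1,065 | - | - | - | - | 18421 |
| 15 | 123 | 398 | 495 | 481 | 99 | 2689 | 8887 | 11715 | 11645 |
| - | 12 | 4137 | 10054 | 16467 | - | 2482 | 327346 | 787775 | 1152497 |
| - | - | - | - | 1 | - | - | - | - | 170 |
| 96 | 314 | 5488 | 12283 | 9108 | 3984 | 11412 | 192959 | 487972 | 164402 |
| - | - | - | - | 48 | - | - | - | - | 5521 |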

II. NBFCs (Individual data for 62 NBFCs)

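Amount = total amount disbursed through digital channels (Rs. in crore); Number = total number of loans disbursed through digital channels.

| Amount FY 2017 | Amount FY 2018 | Amount FY 2019 | Amount FY 2020 | Amount as on Dec 31, 2020 | Number FY 2017 | Number FY 2018 | Number FY 2019 | Number FY 2020 | Number as on Dec 31, 2020 |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 19 | 25 | 28 | 1000 | 23 | 729 | 1021 | 4434 | 121087 |
| 3 | 26 | 180 | 331 | 97 | 563 | 6893 | 86135 | 520447 | 210088 |
| - | - | - | - | 5 | - | - | - | - | 9400 |
| - | - | - | - | 152 | - | - | - | - | 1810 |
| - | 4 | 5 | 8 | 34 | - | 2494 | 3446 | 4842 | 117754 |
| 16 | 18 | 15 | 18 | 7 | 8472 | 8271 | 5089 | 7736 | 3052 |
| - | - | - | - | 63 | - | - | - | - | 72638 |
| 2 | 3 | 5 | 13 | 3 | 156 | 209 | 223 | 8699 | 4620 |
| - | - | 52 | 12 | 64 | - | - | 99720 | 25469 | 125189 |
| 21 | 113 | 2905 | 4852 | 2337 | 10552 | 63038 | 1940802 | 3425019 | - |
| NA | 285 | 509 | 849 | 303 | - | 126857 | 184655 | 221427 | 72052 |
| - | - | 28 | 53 | 3 | - | - | 711 | 1377 | 57 |
| - | - | 121 | 594 | 348 | - | - | 56632 | 1106085 | 3574496 |
| - | 1 | 9 | 16 | 26 | - | 983 | 7631 | 8721 | 17335 |
| - | 230 | 1627 | 3730 | 2227 | - | 100954 | 986666 | 3200943 | 2094517 |
| 12 | 189 | 751 | 1302 | 485 | 2398 | 33949 | 432837 | 682370 | 168832 |
| - | - | - | - | 1 | - | - | - | - | 6147 |
| 9 | 16 | 35 | 53 | 38 | 558 | 1876 | 3820 | 4834 | 2868 |
| - | - | - | 111 | 53 | - | - | - | 101278 | 61708 |
| 62 | 715 | 1463 | 1969 | 1902 | 28613 | 297209 | 540810 | 650901 | 568405 |
| - | 1 | 620 | 4354 | 4374 | - | 161 | 229407 | 2544056 | 2357285 |
| 18 | 16 | 13 | 4 | 531 | 291 | 563 | 413 | 129 | 17756 |
| - | - | 2 | 46 | 48 | - | 38 | 284 | 4670 | 4992 |
| - | - | - | - | 31 | - | - | - | - | 11059 |
| - | 8 | 55 | 133 | 37 | - | 3541 | 14677 | 26279 | 15523 |
| - | 1 | 3 | 7 | 3 | 33 | 70 | 175 | 439 | 66 |
| - | - | - | - | - | - | 1 | 62 | 89 | 37 |
| 2 | 1 | 1 | 2 | 1 | 108 | 137 | 308 | 442 | 140 |
| - | 5 | 22 | 17 | 6 | - | 5615 | 29455 | 22330 | 8367 |
| 68 | 517 | 992 | 593 | 282 | 9505 | 164733 | 580594 | 98725 | 124254 |
| - | 179 | 348 | 813 | 492 | 11 | 12479 | 172018 | 498974 | 420160 |
|  | 4 | 126 | 733 | 755 | - | 58177 | 1228078 | 6186769 | 5902781 |
| - | - | - | - | 1 | - | - | - | - | 6098 |
| - | - | - | 9 | 5 | - | - | - | 17732 | 9784 |
| - | - | - | 24 | 320 | - | - | - | 150814 | 763323 |
| - | - | - | 40 | 75 | - | - | - | 18144 | 20876 |
| - | - | - | 935 | 989 | - | - | - | 2000245 | 2266004 |
| 355 | 801 | 1680 | 2365 | 560 | 7530 | 13391 | 28936 | 52835 | 8589 |
| - | - | - | 1 | - | - | - | - | 2830 | - |
| - | - | - | 116 | 3 | - | - | - | 6505 | 177 |
| - | - | - | 6 | 35 | - | - | - | 4801 | 20222 |
| - | - | - | 0 | 2 | - | - | - | - | 223 |
| 8 | 29 | 23 | 36 | 494 | 28717 | 88516 | 43006 | 46484 | 125134 |
| 72 | 77 | 74 | 143 | 24 | 633 | 605 | 767 | 1825 | 297 |
| 27 | 151 | 173 | 498 | 493 | 161 | 2288 | 12194 | 124971 | 1236317 |
| - | - | 9 | 9401 | 742 | - | - | 36189 | 19012913 | 970389 |
| 51 | 36 | 39 | 22 | 116 | 30 | 19612 | 18963 | 22720 | 409645 |
| - | - | 4 | 187 | 257 | - | - | 34934 | 641909 | 656355 |
| - | - | - | 643 | 981 | - | - | - | 1091558 | 2149805 |
| - | - | - | 6 | 20 | - | - | - | 55001 | 164852 |
| - | - | 24 | 125 | 117 | - | - | 2833 | 40358 | 30675 |
| 2 | 20 | 285 | 1329 | 992 | 518 | 8149 | 201164 | 1100056 | 964278 |
| - | - | - | 3 | 9 | - | - | - | 51 | 391 |
| - | - | - | 2 | 9 | - | - | - | 478 | 2300 |
| - | 52 | 1125 | 6162 | 871 | - | 173775 | 2623942 | 10562631 | 1178446 |
| 12 | 17 | 8 | 36 | 167 | 2716 | 3237 | 1528 | 12408 | 127009 |
| - | - | - | 21 | 224 | - | - | - | 280076 | 393460 |
| - | 9 | 21 | 28 | 1 | - | 7172 | 12532 | 30017 | 1838 |
| - | - | - | 25 | 56 | - | - | - | 41920 | 67835 |
| - | - | - | - | 36 | - | - | - | - | 91917 |
| - | - | 5 | 131 | 214 | - | - | 12589 | 283764 | 439832 |
| - | - | - | 95 | 14 | - | - | - | 437625 | 91416 |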

III. Product mix based on loan purpose (as on December 31, 2020)

| Purpose of the loan | Scheduled Commercial Banks: Amount disbursed (in Rs. crore) | Scheduled Commercial Banks: Number of loans | NBFCs: Amount disbursed (in Rs. crore) | NBFCs: Number of loans |
|---|---|---|---|---|
| Personal loans | 57086 | 3493449 | 12200 | 16077212 |
| Vehicle Loans | 4487 | 235695 | 111 | 57064 |
| Gold loans | 401 | 37380 | 23 | 2086 |
| SME loans | 18528 | 310492 | 1737 | 218555 |
| Buy Now Pay Later | 822 | 3600646 | 487 | 3628970 |
| Others | 31033 | 2011975 | 8980 | 10489660 |

IV. Tenure wise distribution of loans and amount disbursed (in Rs. crore) through digital channels (as on December 31, 2020)

| Tenure | Scheduled Commercial Banks | NBFCs |
|---|---|---|
| Up to 30 days | 758 | 8827 |
| 31-60 days | 321 | 683 |
| 61-90 days | 6167 | 1718 |
| 91 days to one year | 7075 | 6920 |
| More than one year | 98036 | 5390 |

Annex D - List of Money Lending Laws in India

| S. No. | State | Legislation |
|---|---|---|
| 1 | Himachal Pradesh | HP Money Lenders Act 1976 |
| 2 | Punjab | The Punjab Registration of Money-Lenders Act, 1938 |
| 3 | Haryana | Adopted Punjab Legislation vide Haryana Adaptation of Laws Order, 1968 |
| 4 | Rajasthan | Rajasthan Money Lenders Act, 1963 |
| 5 | Uttar Pradesh | Uttar Pradesh Regulation of Money Lending Act, 1976 |
| 6 | Uttarakhand | Same as Uttar Pradesh |
| 7 | Gujarat | Gujarat Money Lenders Act 2011 |
| 8 | Kerala | Kerala Money Lenders Act, 1958 |
| 9 | Tamil Nadu | Tamil Nadu Money Lenders Act, 1957 |
| 10 | Maharashtra | Maharashtra Money lender's Act |
| 11 | Andhra Pradesh | Andhra Pradesh (Telangana Area) Money Lenders Act, 1349 |
| 12 | Telangana | Andhra Pradesh (Telangana Area) Money Lenders Act, 1349 |
| 13 | West Bengal | Bengal Money-Lenders Act, 1940 |
| 14 | Odisha | Orissa Money Lenders Act, 1939 |
| 15 | Bihar | Bihar Money Lenders Act, 1974 |
| 16 | Karnataka | Karnataka Money Lenders Act, 1961 |
| 17 | Madhya Pradesh | Madhya Pradesh Money Lenders Act |
| 18 | Chhattisgarh | Same as M.P. |
| 19 | Assam | The Assam Money Lenders Act, 1934 |
| 20 | Tripura | Tripura Moneylenders Act, 2009 |
| 21 | Nagaland | Nagaland Money Lenders Act, 2005 |
| 22 | Mizoram | The Mizoram Money Lenders' Act, 2010 |

Annex E - Global Practice in STCC Regulation

Short-term high-cost consumer credit: the description adopted by FinCoNet and examples from selected jurisdictions

Short-term high-cost credit has been described by FinCoNet (FinCoNet, 2017) as the practice of lending to consumers:

  • amounts of money that are small relative to other forms of credit in the market,

  • for short periods of time (most commonly for durations of under 12 months),

  • at a rate that is considered to be high compared with other credit products available to consumers in their jurisdiction.

Short-term high-cost credit products are referred to in different ways and display different features among responding jurisdictions: short-term high-cost credit, high-cost short-term credit, payday loans, home-collected credit, small amount credit contracts (SACCs), short-term small-dollar credit (STSDC) or moneylending agreements. Their duration can vary from a few days and up to the following payday (payday loans), to a few months and up to a year repayable through instalments. Some jurisdictions consider also overdraft facilities and credit card debt as being short-term high-cost credit.

Some jurisdictions have adopted a codified definition of specific categories of short-term high-cost consumer credit provided by specialised lenders in their markets. The definitions are based on elements such as the duration of the credit agreement, the amount borrowed, or the applicable interest rate. The examples of Australia, Canada, Denmark, Ireland, the Netherlands, South Africa, the United Kingdom and the United States presented below provide an indication of the variation of what is considered short-term high-cost credit among the jurisdictions covered by this report.

Australia

In Australia, specific measures were implemented in 2013 to regulate the short-term consumer credit market (Australian Government, 2009). The National Consumer Credit Protection Act of 2009 prohibits loans for up to AUS 2000 with a term of 15 days or less (which are defined as “short-term credit”), and authorises Small Amount Credit Contracts (SACC). A SACC is defined as a contract that:

  • is not a continuing credit contract and is unsecured;

  • is not provided by an authorised deposit-taking institution (ADI);

  • has a credit limit of AUS 2000 or less; and

  • has a term between 16 days and one year.

The Act also establishes Medium Amount Credit Contracts (MACC), being loans with credit limits between AUS 2001 and AUS 5000, which are not offered by an ADI or a continuing credit contract and have a term of between 16 days and 2 years.

Canada

In Canada, there is no general definition of high-cost shorter-term credit. However, federal legislation provides a definition of “payday loan”, a specific type of short-term high-cost credit. Regulation of certain payday loans is at the Provincial (State) level for Provinces designated by the Governor in Council. To be designated, a province must enact legislative measures that “protect recipients of payday loans and that provide for limits on the total cost of borrowing under the agreements.” For Provinces that have not been designated, payday loans are governed by the generally applicable criminal rate of interest provisions of the federal Criminal Code.

Denmark

In Denmark the Consumer Credit Act of 2013 (Danish Competition and Consumer Authority, 2013) defines short-term credit as a credit agreement concluded between a consumer and a creditor who is not a bank, without collateral, without condition of purchase of product or service, and whose term is maximum 3 months.

Ireland

The Irish Consumer Credit Act (Government of Ireland, 1995) opts for the definition “moneylending”, and defines a moneylending agreement as a credit agreement into which a moneylender enters, or offers to enter, with a consumer in which one or more of the following apply:

• the agreement was concluded away from the business premises of the moneylender or the business premises of the supplier of goods or services under the agreement;

• any negotiations for, or in relation to the credit were conducted at a place other than the business premises of the moneylender or the business premises of the supplier of goods or services under the agreement;

• repayments under the agreement will, or may, be paid by the consumer to the moneylender or his representative at any place other than the business premises of the moneylender or the business premises of the supplier of goods or services under the agreement; or

• where the total cost of credit to the consumer under the agreement is in excess of an APR of 23 per cent., or such other rate as may be prescribed by the Minister for Finance.

The Netherlands

In the Netherlands, short-term consumer credit is defined by the Dutch Authority for the Financial Markets as a consumer credit agreement which has to be paid back within 3 months, involving costs that exceed the statutory cost cap of 14% APR.

South Africa

The National Credit Act (Republic of South Africa, 2005) defines short term credit transactions as credit transactions:

• in respect of a deferred amount at inception of the agreement not exceeding ZAR 8000; and

• in terms of which the whole amount is repayable within a period not exceeding 6 months.

United Kingdom

The Financial Conduct Authority defines high-cost short-term credit in its Handbook of rules and guidance as a regulated credit agreement:

• which is a borrower-lender agreement or a P2P agreement;

• in relation to which the APR is equal to or exceeds 100%;

• either:

1. in relation to which a financial promotion indicates (by express words or otherwise) that the credit is to be provided for any period up to a maximum of 12 months or otherwise indicated (by express words or otherwise) that the credit is to be provided for a short term; or

2. under which the credit is due to be repaid or substantially repaid within a maximum of 12 months of the date on which the credit is advanced

• which is not secured by a mortgage, charge or pledge; and

• which is not:

3. a credit agreement in relation to which the lender is a community finance organisation; or

4. a home credit loan agreement, a bill of sale loan agreement or a borrower-lender agreement enabling a borrower to overdraw on a current account or arising where the holder of a current account overdraws on the account without a pre-arranged overdraft or exceeds a pre-arranged overdraft limit.

The above definition is largely limited to payday loans. In addition, the FCA regulates other forms of high-cost short-term credit, including home-collected credit.

United States

In the United States, the Financial Consumer Protection Bureau is currently considering the introduction of stricter rules on short-term credit at the Federal level. A definition that is valid at the Federal level can be found in the CFPB Rule applying to short-term credit issued in October 2017 (CFPB, 2017). These are defined as short-term loans that have terms of 45 days or less, including typical 14-day and 30-day payday loans, as well as short-term vehicle title loans that are usually made for 30-day terms. The rule excludes or exempts several types of consumer credit, including: (1) loans extended solely to finance the purchase of a car or other consumer good in which the good secures the loan; (2) home mortgages and other loans secured by real property or a dwelling if recorded or perfected; (3) credit cards; (4) student loans; (5) non-recourse pawn loans; (6) overdraft services and lines of credit; (7) wage advance programs; (8) no-cost advances; (9) alternative loans (similar to loans made under the Payday Alternative Loan program administered by the National Credit Union Administration); and (10) accommodation loans.

Source: SHORT-TERM CONSUMER CREDIT - Provision, regulatory coverage and policy responses. Joint report by the G20 OECD Task Force on Financial Consumer Protection, FinCoNet and the OECD International Network on Financial Education, 2019


Annex G - List of Statutes dealing with Usurious Interest Rates

Act Purpose Applicability and extent Section
a. The Usurious Loans Act, 1918: To give additional powers to Courts to deal in certain cases with usurious loans of money or in kind It extends to whole of India50 Section 3 empowers Courts in any suit to determine whether the interest charged is excessive. The explanation of the Section 3(2) provides the guidelines to determine what is excessive and what factors to be considered by the Court to determine whether excessive or not.51
b. The Tamil Nadu Prohibition of Charging Exorbitant Interest Act, 2003 An Act to prohibit the charging of exorbitant interest by any person It extends to the whole of the State of Tamil Nadu Section 3: No person shall charge exorbitant interest on any loan advanced by him.

Section 4: Notwithstanding anything contained in the Money-lenders Act, whoever contravenes the provisions of section 3 or molests or abets the molestation of any debtor for recovery of any loan shall be punishable with imprisonment for a term which may extend to three years and also with fine which may extend to thirty thousand rupees.

Further, Tamil Nadu Money-Lenders Act, 1957 excludes advance made by a bank or a Co-operative society from the definition of Loan Section 2(6).

Section 2(8) excludes Bank and Cooperative societies from the definition of Money Lenders.
c. Kerala Prohibition of Charging Exorbitant Interest Act, 2012 An Act to prohibit lending of money for exorbitant interest and to provide for stringent punishment for charging exorbitant interest in the money lending business in the State of Kerala It extends to the whole of the State of Kerala Section 3: No person shall charge exorbitant interest on any loan advanced by him.

Section 9 provides penalty for contravention of provisions of section 3 with imprisonment and fine52

The Act Also states that the words and expression not defined in the Act but defined in the Kerala Money-Lenders Act, 1958 shall have the same meaning.

Section 2(5) of the Kerala Money Lenders Act excludes advance made by a bank or a Co-operative society from the definition of Loan

Section 2(7) excludes Bank and Cooperative societies from the definition of Money Lenders
d. The Maharashtra Money-Lending (Regulation) Act, 2014 To regulate the transactions of money-lending in the State of Maharashtra It extends to the whole of the State of Maharashtra.

It excludes Banks, NBFCs from the definition of Money lenders (Section 2(14)
Section 31 empowers the State to fix the maximum rates of interest to be charged by a money-lender in respect of secured loan and unsecured loan

Section 35 empowers Court to reopen the transaction and reduce the amount charged in case excess interest is charged53
e. The Rajasthan Money-Lenders Act, 1963 To make better provision for the regulation and control of transactions of money-lending in the State of Rajasthan It extends to State of Rajasthan.

It excludes from the definition of Loan in Section 2(9) the loans given or taken by Banks/ Cooperative Societies.

Section 2(10) excludes Banking Companies as defined under Section 5 of the BR Act, from the definition of Money lenders
Section 29 puts limitation on rates of interest. 29(1) The State Government may, from time to time, by notification in the Official Gazette, fix the maximum rates of simple interest for any class of business of money-lending in respect of secured and unsecured loan. (2) No money-lender shall charge or receive from a debtor interest at a rate exceeding the maximum rate fixed by the State Government under sub section (1)

Section 33 provides for Reopening of transactions or accounts already taken — Notwithstanding anything contained in any law for the time being in force, the court shall, in any suit to which this Act applies, whether heard ex parte or otherwise, (a) re-open any transaction or any account already taken between the parties; (b) take an account between the parties; (c) reduce the amount charged to the debtor in respect of any excessive interest;
f. The Uttar Pradesh Regulation of Money-Lending Act, 1976

For the regulation of money-lending transactions and for the registration of money-lenders, and for matters connected therewith, or incidental thereto

Not applicable to loan or advance by or any deposit with any bank or a co-operative society

Extends to whole of UP
Section 12 empowers the State Government, after considering the rate of interest normally charged by a scheduled bank for commercial loans, to notify the maximum rates of interest that may be charged by money-lenders
g. The Punjab Registration of Money-lender's Act, 1938

To register money-lenders and to regulate their business

Extends to whole of Punjab

Section 2(8) excludes a loan advanced by a bank, a co-operative Society from definition of loans

Section 6 provides that a moneylender's license may be cancelled by the Collector, if it has been found by a Court that he has charged higher rates of interest than those prescribed under Section 5 of the Punjab Relief of Indebtedness Act in more than one suit.
h. Assam Money Lenders Act, 1934

For more effectual control of money-lending in Assam

Extends to Assam

Section 2(3) excludes a loan advanced by a bank, a co-operative Society from definition of loans.

Section 4 provides for prohibition of compound interest

Section 9 bars recovery of interest exceeding the principal.
i. Bengal Money-Lenders Act, 1940

To make further and better provision for the control of money-lenders and for the regulation and control of money-lending in the State of West Bengal.

Extends to State of West Bengal but it shall not apply to the Reserve Bank of India constituted by the Reserve Bank of India Act, 1934 (Section 1(2))

Section 2(12) excludes a loan advanced by a bank, a co-operative Society from definition of loans.

Section 30 provides for limitations as to amount and rate of interest recoverable. [54]

By section 45A it has repealed the Usurious Loans Act, 1918 in respect of money lending transactions falling within the purview of the Bengal Moneylenders Act.
j. The Nagaland Money Lenders Act, 2005

To regulate and control the business of money lending in the State of Nagaland

Extends to whole of India

Section 2(9) excludes a loan advanced by a bank/ Company from definition of loans.

Section 2(10) excludes banks or company from the definition of money lenders

Section 20 provides penalty for molestation of debtor
k. The Orissa Money-lenders' Act, 1939

To regulate money-lending transactions and to grant relief to debtors in the State of Orissa.

Extends to State of Orissa

Section 2(4) excludes Bank or Co-operative Society from the definition of money lenders

Section 7C provides that no money-lender shall recover towards the interest in respect of any loan advanced by him, an amount in excess of the amount of the principal

Section 7D provides that any loan in respect of which the money-lender has realised from the debtor an amount equal to, or more than twice the amount of the principal, shall stand discharged and the amount, if any, so realised in excess of twice the amount of loan shall be refunded by the money-lender to the debtor.

Section 9 provides that no Court shall pass a decree for interest at rates exceeding 9 per centum in the case of a secured loan and 12 per centum simple per annum in the case of unsecured loan.

Section 11 provides for power of Courts to re-open certain transactions and appropriate excess interest towards loans
l. Bihar Money-Lenders Act, 1974

To consolidate and amend the law relating to regulation of money lending transactions and to grant relief to debtors in the State of Bihar.

Extends to state of Bihar

Section 2(j) excludes a loan advanced by banks, cooperative societies and companies from definition of loans.

Section 13 provides power of Court to re-open certain transaction and relieve the debtor of all liability in respect of any simple interest in excess of twelve per centum per annum in the case of secured loan and fifteen per centum per annum in the case of an unsecured loan;
m. Gujarat Money lenders Act 2011

To regulate transactions of money lending in Gujarat

Section 2(9) excludes a loan advanced by banks, cooperative societies and companies from definition of loans.

Section 28 provides that no Court shall pass a decree for interest greater than principal

Section 30 provides power of Court to re-open certain transaction and reduce the amount charged in case of excessive interest
n. Goa Money Lenders and Accredited Loan Providers Act, 2013

For protecting the interests of borrowers, for regulating the transactions of money lending and for securing more transparency in such transactions in the State of Goa

Extends to Goa

Section 2(j) excludes a loan advanced by banks, cooperative societies and NBFCs from definition of loans including a loan advanced by any institution, --

(a) established by or under an Act of Parliament or the Legislature of State, which grants any loan or advance in pursuance of the provisions of that Act; or

(b) notified in this behalf by the Government, in consultation with the Reserve Bank of India

Section 18 provides for limitation on rates of interest charged by money lenders and accredited loan providers. (1) The Government may from time to time by notification in the Official Gazette, specify the maximum rates of interest for any local area chargeable by money lenders and accredited loan providers and separate rates of interests may be specified in respect of secured and unsecured loans.

(2) If any money lender or accredited loan provider charges or receives from a borrower interest at a rate exceeding the maximum rate fixed by the Government under sub-section (1), he shall be liable for penalty as specified in section 24.

(3) The maximum rate of interest notified by the Government under sub-section (1), shall be calculated by taking into account the interest rate trends, cost of transactions, cost of the capital, the risk premium and the administrative expenses associated with such loans.

Section 19 provides that no money lender or accredited loan provider shall recover towards the interest in respect of any loans advanced by him, an amount in excess of the principal amount

Section 22 provides penalty for molestation
o. The M.P. Moneylenders Act, 1934

To regulate the transactions of money lending in Madhya Pradesh

Extends to Madhya Pradesh

The Act is not applicable to such other financing institution in the public sector which is: (i) established by or under the Central or State Law for the time being in force; and

(ii) controlled or managed by the Central Government or the State Government, as the State Government may, by notification, specify.
Section 2(vii) excludes a loan advanced by a bank, cooperative societies or a company from definition of loans
p. Andhra Pradesh (Telangana Area) Money Lenders Act, 1349 F

To regulate the transactions of money lending and to make better provisions for its control

Extends to Telangana area of the State of Andhra Pradesh

Section 2(iv) excludes a loan advanced by a bank, cooperative societies or a company from definition of loans

Section 11 gives power of Court to limit interest due in certain cases. It states that no Court shall be competent to pass a decree for a sum exceeding the principal on account of any outstanding interest in respect of a loan advanced to cultivator or labourer before the commencement of this Act.

Section 10 provides for Computation of interest. - (1) The Government may fix the maximum rate of interest for any local area or class of business of money lending in respect of secured loans and unsecured loans

Section 11(2) provides that in an inquiry under sub section (1) into the loan advanced to a cultivator or a labourer, the outstanding interest shall be computed in the following manner inter alia, in the account of interest upto the date on which this Act comes into force, simple interest on the balance of principal shall be calculated at the rate agreed between the parties, provided that it does not exceed nine per cent per annum in the case of secured loan and twelve per cent per annum in the case of unsecured loan, and, from the date on which this Act comes into force upto 18th Khurdad 1355 F, the rate of interest shall not exceed nine per cent per annum and twelve per cent per annum respectively. From 18th Khurdad 1355 F., the rate of interest shall not exceed six per cent per annum and nine per cent per annum respectively;

Section 10(1B) provides that whoever, being a money lender, demands or charges or receives from a debtor interest at a rate exceeding the maximum rate fixed by the Government under sub section (1), shall be punished with imprisonment for a term which may extend to six months, or with fine which may extend to one thousand rupees, or with both.
q. The Andhra Pradesh Money Lenders Act, 2000

To provide for the regulation and control of the business of money-lending in the State of Andhra Pradesh

It extends to whole of the State of Andhra Pradesh

Section 35 provides that the provisions of this Act, shall be in addition to and not, save as otherwise expressly provided in this Act, in derogation of any other law for the time being in force in the State relating to the relief of indebtedness including indebtedness amongst Agriculturists, members of weaker section and members of Scheduled Castes and Scheduled Tribes.
Section 2(8) excludes a loan advanced by a bank, cooperative societies from definition of loans

Section 7 provides that No money-lender shall charge interest on any loan at a rate exceeding by more than two per cent the rate charged by commercial banks on similar loans granted by them. The total interest payable on a loan shall not exceed the quantum of the principal.

Section 15 provides that Money-lender advancing smaller amount or receiving higher interest than that specified in the accounts to be punishable

Section 25 - Penalty for collection of interest in excess of the rate prescribed under Section 7

Annex H - Rules to stop Debt Traps by CFPB, USA

1. Full-payment test: Lenders are required to determine whether the borrower can afford the loan payments and still meet basic living expenses and major financial obligations. For payday and auto title loans that are due in one lump sum, full payment means being able to afford to pay the total loan amount, plus fees and finance charges within two weeks or a month. For longer-term loans with a balloon payment, full payment means being able to afford the payments in the month with the highest total payments on the loan. The rule also caps the number of loans that can be made in quick succession at three.

2. Principal-payoff option for certain short-term loans: Consumers may take out a short-term loan of up to $500 without the full-payment test if it is structured to allow the borrower to get out of debt more gradually. Under this option, consumers may take out one loan that meets the restrictions and pay it off in full. For those needing more time to repay, lenders may offer up to two extensions, but only if the borrower pays off at least one-third of the original principal each time. To prevent debt traps, these loans cannot be offered to borrowers with recent or outstanding short-term or balloon-payment loans. Further, lenders cannot make more than three such loans in quick succession, and they cannot make loans under this option if the consumer has already had more than six short-term loans or been in debt on short-term loans for more than 90 days over a rolling 12-month period. The principal-payoff option is not available for loans for which the lender takes an auto title as collateral.

3. Less risky loan options: Loans that pose less risk to consumers do not require the full-payment test or the principal-payoff option. This includes loans made by a lender who makes 2,500 or fewer covered short-term or balloon-payment loans per year and derives no more than 10 percent of its revenue from such loans. These are usually small personal loans made by community banks or credit unions to existing customers or members. In addition, the rule does not cover loans that generally meet the parameters of “payday alternative loans” authorized by the National Credit Union Administration. These are low-cost loans which cannot have a balloon payment with strict limitations on the number of loans that can be made over six months. The rule also excludes from coverage certain no-cost advances and advances of earned wages made under wage-advance programs offered by employers or their business partners.

4. Debit attempt cutoff: The rule also includes a debit attempt cutoff that applies to short-term loans, balloon-payment loans, and longer-term loans with an annual percentage rate over 36 percent that includes authorization for the lender to access the borrower’s checking or prepaid account. After two straight unsuccessful attempts, the lender cannot debit the account again unless the lender gets a new authorization from the borrower. The lender must give consumers written notice before making a debit attempt at an irregular interval or amount. These protections will give consumers a chance to dispute any unauthorized or erroneous debit attempts, and to arrange to cover unanticipated payments that are due. This should mean fewer consumers being debited for payments they did not authorize or anticipate or charged multiplying fees for returned payments and insufficient funds.

October 2017

Source: https://www.consumerfinance.gov/about-us/newsroom/cfpb-finalizes-rule-stop-payday-debt-traps/


Bibliography

1) Cornelli, G, J Frost, L Gambacorta, R Rau, R Wardrop and T Ziegler (2020): ‘FinTech and BigTech credit: a new database’, BIS Working Papers, No 887, September.

2) ‘Digitally Delivered Credit: Consumer Protection Issues and Policy Responses to New Models of Digital Lending’, Policy Guidance Note and Results from Regulators Survey, November 2017, Alliance for Financial Inclusion

3) Fernando Restoy (February 2021): ‘FinTech regulation: how to achieve a level playing field’, Occasional Paper, No 17, Bank for International Settlements

4) ‘FinTech credit: Market structure, business models and financial stability implications’- Report prepared by a Working Group established by the Committee on the Global Financial System (CGFS) and the Financial Stability Board (FSB), May 22, 2017

5) Johannes Ehrentraud, Denise Garcia Ocampo, Camila Quevedo Vega (August 2020): ‘Regulating FinTech financing: digital banks and fintech platforms’, FSI Insights on policy implementation, No 27. Bank for International Settlements

6) John Owens (July 2018), ‘Responsible Digital Credit: What does responsible digital credit look like?’, Center for Financial Inclusion

7) Nigel Fletcher (2007): ‘Challenges for regulating financial fraud in cyberspace’, Journal of Financial Crime Vol. 14 No. 2, 2007 pp. 190-207

8) Oya Pinar Ardic, Joyce A. Ibrahim, Nataliya Mylenko (January 2011), ‘Consumer Protection Laws and Regulations in Deposit and Loan Services’, Policy Research Working Paper, 5536, World Bank

9) Report of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Chairman: G. Gopalakrishna), January 2011, Reserve Bank of India

10) Report of the Technical Group Set up to Review Legislations on Money Lending (Chairman: S.C. Gupta), July 2007, Reserve Bank of India

11) Speech by Anand Sinha, Former Deputy Governor, Reserve Bank of India ‘Strengthening Governance in Microfinance Institutions (MFIs) - Some Random Thoughts’, April 27, 2012

12) Speech by Agustín Carstens, General Manager, Bank for International Settlements, ‘BigTech in finance and new challenges for public policy’, December 4, 2018

13) Speech by Fernando Restoy, Chairman, Financial Stability Institute, Bank for International Settlements ‘Regulating FinTech: what is going on, and where are the challenges?’, October 16, 2019

14) Speech by M. Rajeshwar Rao, Deputy Governor, Reserve Bank of India ‘NBFC Regulation- Looking ahead’, November 6, 2020

15) Speech by R Gandhi, Former Deputy Governor, Reserve Bank of India, ‘Regulating financial innovation - P2P lending platforms design challenges’, May 17, 2016.

16) Speech by Shaktikanta Das, Governor, Reserve Bank of India, ‘Opportunities and Challenges of FinTech’, March 25, 2019

17) Speech by Shaktikanta Das, Governor, Reserve Bank of India, ‘Financial Sector in the New Decade’, March 25, 2021

18) ‘India FinTech Report 2021’ Report by The Digital Fifth


1 Banking 5.00 by Bernardo Nicoletti, 2021

2 ‘FinTech credit: Market structure, business models and financial stability implications’- Report prepared by a Working Group established by the Committee on the Global Financial System (CGFS) and the Financial Stability Board (FSB), May 22, 2017

3 Cornelli, G, J Frost, L Gambacorta, R Rau, R Wardrop and T Ziegler (2020): ‘Fintech and BigTech credit: a new database’, BIS Working Papers, no 887, September.

4 Methodology adopted by Shri Rahul Sasi, member of this Group

5 during January 01, 2020 to March 31, 2021

6 /documents/87730/39710918/PR819297a4f4a08194ef796c4d35ed26d1798.pdf

7 https://www.researchandmarkets.com/reports/5456732/fintech-market-in-india-2021

8 Humans Judged by Machines, Frank Pasquale, 2021

9 Selected provisions of Section 186 of the Companies Act on ‘Loan and investment by company’ - Sub-section 2: No company shall directly or indirectly (a) give any loan to any person or other body corporate; (b) give any guarantee or provide security in connection with a loan to any other body corporate or person; and (c) acquire by way of subscription, purchase or otherwise, the securities of any other body corporate, exceeding sixty per cent of its paid-up share capital, free reserves and securities premium account or one hundred per cent of its free reserves and securities premium account, whichever is more.
Sub-section 7: No loan shall be given under this section at a rate of interest lower than the prevailing yield of one year, three year, five year or ten year Government Security closest to the tenor of the loan.

10 Johannes Ehrentraud, Denise Garcia Ocampo, Camila Quevedo Vega (2020): “Regulating fintech financing: digital banks and fintech platforms”, FSI Insights on policy implementation, No 27

11 https://www.bcb.gov.br/content/financialstability/org_docs/Resolution%204656.pdf

12 https://www.cbirc.gov.cn/en/view/pages/ItemDetail.html?docId=943996&itemId=980

13 Zetzsche et al. 2018

14 Fernando Restoy (2021): “Fintech regulation: how to achieve a level playing field”, Occasional Paper, No 17

15 The Ministry of Electronics and Information Technology, has power under section 69A of the Information Technology Act read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009.

16 Section 67C of the IT Act: Preservation and retention of information by intermediaries. – (1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe. (2) any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.

17 Section 72A of the IT Act: Punishment for disclosure of information in breach of lawful contract.–Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

18 https://inc42.com/datalab/digital-lending-in-india-the-rise-of-consumer-lending-report-2020/

19 https://inc42.com/datalab/the-most-favoured-fintech-subsector-for-startup-investors-in-india/

20 Book “Weapons of Math Destruction” by Cathy O’Neil, 2016

21 Nigel Fletcher (2007): Challenges for regulating financial fraud in cyberspace, Journal of Financial Crime Vol. 14 No. 2, 2007 pp. 190-207

22 In cyberspace, a criminal can carry out a crime in secret against innocent third parties. By the time they realise that they have been the victim of a crime, it may be too late for the authorities to identify the criminal.

23 The international scope of cyberspace makes it hard to determine jurisdiction.

24 Ease and feasibility of collecting sufficient evidence to prosecute

25 https://markets.businessinsider.com/news/stocks/cyberattacks-impact-major-threats-to-financial-firms-not-prepared-2019-6-1028296130

26 https://clsbluesky.law.columbia.edu/2017/06/01/techfins-and-the-regulatory-challenges-of-data-driven-finance/

27 https://www.pier.or.th/wp-content/uploads/2021/06/pier_dp_154.pdf

28 https://www.bis.org/speeches/sp191017a.htm

29 Section 43A of the IT Act: Compensation for failure to protect data. – Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Explanation. – For the purposes of this section, – (i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities; (ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; (iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit

30 Example: Indonesia’s Financial Services Authority has stipulated that all registered and licensed lending platforms are only allowed to access three features on user’s smartphones, namely the camera, microphone, and location. If the platforms access data from any other source than these three features, authority will either cancel their registration or at least ask the IT Ministry to immediately block the application.

31 para 2.5. of Master Circular on ‘Loans and Advances – Statutory and Other Restrictions’ dated July 01, 2015

32 para 28 to 39 of Master Directions on Non-Banking Financial Company, 2016

33 /en/web/rbi/-/notifications/guidelines-on-managing-risks-and-code-of-conduct-in-outsourcing-of-financial-services-by-banks-3148

34 /en/web/rbi/-/notifications/directions-on-managing-risks-and-code-of-conduct-in-outsourcing-of-financial-services-by-nbfcs-11160

35 /en/web/rbi/-/notifications/recovery-agents-engaged-by-banks-4141

36 /documents/87730/30842423/BOS2006_2302017.pdf

37 applicable to registered NBFCs which (a) are authorized to accept deposits; or (b) have customer interface, with asset size of one billion rupees or above, as on date of the audited balance sheet of previous financial year.

38 /documents/87730/39016390/OSDT31012019.pdf

39 /en/web/rbi/-/press-releases/statement-on-developmental-and-regulatory-policies-51078

40 /en/web/rbi/-/press-releases/rbi-releases-charter-of-customer-rights-32667

41 /en/web/rbi/-/notifications/working-group-on-information-security-electronic-banking-technology-risk-management-and-cyber-frauds-implementation-of-recommendations-6366 and /en/web/rbi/-/notifications/cyber-security-framework-in-banks-10435

42 /en/web/rbi/-/notifications/master-direction-information-technology-framework-for-the-nbfc-sector-10999

43 FSI - Regulating fintech financing: digital banks and fintech platforms https://www.bis.org/fsi/publ/insights27_summary.pdf

44 https://www.cgap.org/blog/some-insights-over-indebtedness-india

45 The State Government may, by notification in the Official Gazette, direct that it shall not apply to any area, class of persons, or class of transactions which it may specify in its notification.

46 Sub-Committee of the Central Board of Directors of RBI to study issues and concerns in the MFI sector

47 The Reserve Bank Master Directions as applicable to banks/NBFCs have clearly laid down guidelines for grievance redressal mechanism to be adopted by its regulated entities, including for redress of grievances related to outsourced services. A circular (DOR (NBFC) (PD) CC. No.112/03.10.001/2019-20 dated June 24, 2020) was also issued to address various concerns emanating from loans sourced by banks/NBFCs over digital lending platforms which inter-alia covered steps to ensure effective grievance redressal.

48 For example, FCA, UK defines APR of 100% and above as High-Cost Short Term Credit (HCSTC)

49 Activities which are intended to generate the fee-based income for the lender especially on small loans.

50 except the territories which, immediately before the 1st November, 1956, were comprised in Part B States. The State Government may, by notification in the Official Gazette, direct that it shall not apply to any area, class of persons, or class of transactions which it may specify in its notification

51 Section 3: Where, in any suit to which this Act applies, whether heard ex parte or otherwise, the Court has reason to believe, —(a) that the interest is excessive; and (b) that the transaction was, as between the parties thereto, substantially unfair, the Court may exercise all or any of the following powers, namely, may, —(i) re-open the transaction, take an account between the parties, and relieve the debtor of all liability in respect of any excessive interest; (ii) notwithstanding any agreement, purporting to close previous dealings and to create a new obligation, re-open any account already taken between them and relieve the debtor of all liability in respect of any excessive interest, and if anything has been paid or allowed in account in respect of such liability, order the creditor to repay any sum which it considers to be repayable in respect thereof; (iii) set aside either wholly or in part or revise or alter any security given or agreement made in respect of any loan, and if the creditor has parted with the security, order him to indemnify the debtor in such manner and to such extent as it may deem just: Provided that, in the exercise of these powers, the Court shall not—(i) re-open any agreement purporting to close previous dealings and to create a new obligation which has been entered into by the parties or any persons from whom they claim at a date more than twelve years from the date of the transaction; (ii) do anything which affects any decree of a Court.

Section 3(2) In this section “excessive” means in excess of that which the Court deems to be reasonable having regard to the risk incurred as it appeared, or must be taken to have appeared, to the creditor at the date of the loan. (b) In considering whether interest is excessive under this section, the Court shall take into account any amounts charged or paid, whether in money or in kind, for expenses, inquiries, fines, bonuses, premia, renewals or any other charges, and if compound interest is charged, the periods at which it is calculated, and the total advantage which may reasonably be taken to have been expected from the transaction. (c) In considering the question of risk, the Court shall take into account the presence or absence of security and the value thereof, the financial condition of the debtor and the result of any previous transactions of the debtor, by way of loan, so far as the same were known, or must be taken to have been known, to the creditor. (d) In considering whether a transaction was substantially unfair, the Court shall take into account all circumstances materially affecting the relations of the parties at the time of the loan or tending to show that the transaction was unfair, including the necessities or supposed necessities of the debtor at the time of the loan so far as the same were known, or must be taken to have been known, to the creditor. Explanation. —Interest may of itself be sufficient evidence that the transaction was substantially unfair.

52 (1) Notwithstanding anything contained in the Kerala Money-Lenders Act, 1958 (35 of 1958), -

(a) whoever contravenes the provisions of section 3 shall, on conviction, be punished with imprisonment for a term which may extend to three years and also with fine which may extend to fifty thousand rupees;

(b) whoever harasses any debtor mentally or physically or abets such harassment for recovery of any loan, shall, on conviction, be punished with imprisonment for a term which may extend to one year and also with fine which may extend to ten thousand rupees.

(2) Where the person who has advanced the loan or any other person as directed by him, harasses the debtor mentally or physically and consequently and immediately thereafter the debtor commits suicide, the person who advanced the loan, shall, on conviction, be punished with imprisonment for a term which may extend to five years and also with fine which may extend to fifty thousand rupees.

53 Section 35: Notwithstanding anything contained in any law for the time being in force, the Court shall, in any suit to which this Act applies, between the money-lender and the debtor, whether heard ex-parte or otherwise, —(a) re-open any transaction, or any account already taken between the parties; (b) take an account between the parties; (c) reduce the amount charged to the debtor in respect of any excessive interest; (d) if on taking accounts it is found that the money-lender has received more than what is due to him, pass a decree in favour of the debtor in respect of such amount

54 Notwithstanding anything contained in any law for the time being in force, or in any agreement (1) "no borrower other than a borrower of commercial loan" shall be liable to pay after the commencement of this Act (a) any sum in respect of principal and interest which together with any amount already paid or included in any decree in respect of a loan exceeds twice the principal of the original loan, (b) on account of interest outstanding on the date up to which such liability is computed, a sum greater than the principal outstanding on such date, (c) any interest other than simple interest at a rate per annum not exceeding in the case of—(i) unsecured loans—twelve and a half per centum. (ii) secured loans—ten per centum; where such loan was advanced or such amount was paid or such decree was passed or such interest accrued before or after the commencement of this Act; (2) "no borrower other than a borrower of commercial loan" shall after the commencement of this Act, be deemed to have been liable to pay before the date of such commencement in respect of interest paid before such date or included in a decree passed before such date, interest rates per annum exceeding those specified in sub-clause (c) of clause (1); (3) a lender shall be entitled to institute a suit at any time after the commencement of this Act in respect of a transaction to which either or both of the preceding clauses applies or apply
