Nov 22, 2024

Article: India safeguarding borrower data in digital lending

Indian consumers have realised the potential of digital lending for enhancing purchasing power in the past decade. While digital lending is a stimulant fostering retail growth for Indian traders, regulation was ultimately deemed necessary to preserve the stability of the financial ecosystem and protect borrowers’ interests.

With a view to addressing concerns pertaining to unbridled engagement of third parties, mis-selling, breach of data privacy, unfair business conduct, charging of exorbitant interest rates and unethical recovery practices, the Reserve Bank of India (RBI) constituted a Working Group on digital lending in January 2021, reviewing the framework for lending through online platforms and apps.

The Working Group adopted the approach of striking a balance between boosting innovation in financial services and ensuring orderly development of the growing market.

The recommendations on regulation of the digital lending ecosystem were proposed by the Working Group in November 2021. Following extensive consultations with industry stakeholders, the RBI laid out its implementation plan and strategy in August 2022. The RBI subsequently issued the framework to regulate digital lending in India in the form of the Guidelines on Digital Lending in September 2022.

The RBI’s objective behind regulation of the space was the need to mitigate concerns associated with unregulated digital lending identified by the Working Group, and to prevent the erosion of public confidence within the digital lending ecosystem.

What is digital lending?

Digital lending, as the name suggests, is a remote and automated lending process, which is undertaken largely by the use of seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery and associated customer service.

In the ecosystem, loans and digital lending services are facilitated through mobile and web-based applications that provide the user interface, which are referred to as “digital lending apps or platforms” (lending apps).

In this context, the RBI clarified that if some physical interface with customers exists for the lending activity, it should not impact the characterisation, and would continue to be construed as digital lending.

Ecosystem participants

Through the above-mentioned guidelines, the RBI regulates activities of commercial banks and non-banking financial companies (NBFCs) – both of which are regulated by the RBI (regulated entities) – as well as unregulated fintech entities that engage with regulated entities.

• Regulated entities offer loans and credit facilities to borrowers.

• Unregulated fintech entities recognised as lending service providers (LSPs) participate in the ecosystem as agents of lenders and undertake one or more of the lender’s functions, which may include customer acquisition, underwriting support, pricing support, servicing, monitoring and recovery. As LSPs are considered outsourced service providers for regulated entities, their engagement by regulated entities is subject to compliance with the applicable outsourcing guidelines of the RBI.

• The borrowers avail loans or credit that is offered by regulated entities through digital means on the lending apps.

• Through the guidelines, the RBI intends to safeguard the interests of borrowers in respect of loans offered by regulated entities through the lending apps.

In the digital lending ecosystem, the lending apps can be operated by regulated entities or LSPs.

While the guidelines prescribe conditions for regulated entities and LSPs, the regulatory mandate is on regulated entities to ensure that LSPs comply with the guidelines. Typically, such compliance is ensured through contractual arrangements where suitable obligations are imposed by regulated entities.

Guideline themes

The guidelines protect borrowers through a host of requirements on regulated entities such as due diligence and supervision of LSPs, transparency in fees, and disclosures required to be made in respect of the credit facility. Further, the guidelines are centred on data security and safeguard borrower data and information.

Focus on borrower data

The guidelines accord a high level of protection to the data of borrowers. Regulated entities and LSPs need to ensure this data is handled in accordance with the borrower’s instructions within the parameters of the digital lending framework.

The RBI expressly states that regulated entities are responsible for data privacy and security of the customer’s personal information. Key conditions of the guidelines dealing with handling borrower data are:

• Consent. The guidelines clarify that lending apps are mandated to collect borrower data on a need-only basis, based on the prior explicit consent of the concerned borrower. Borrowers must have the option to give or deny consent for the use of specific data, as well as the right to restrict disclosure to third parties, decide the period of retention of data, revoke consent, or direct the deletion of the data. The purpose of obtaining consent needs to be disclosed by the lending app at each stage of interface. To demonstrate compliance, an audit trail is required to be maintained for verifying consent.

Broadly speaking, these requirements are consistent with the consent-based regime for processing of personal data envisaged under the data protection laws applicable to India, including the recently promulgated Digital Personal Data Protection Act, 2023.

• Data minimisation. LSPs and lending apps are allowed to store only basic minimal data such as name, address and contact details that may be required to carry out operations. They cannot store borrowers’ personal information.

• Data sharing. In cases where third parties collect personal data of borrowers through the lending apps, the details of such third parties must be disclosed to borrowers. Such sharing of personal data with any third party must be based on the prior explicit consent of the borrower.

• Access to mobile phone features. The guidelines also impose certain restrictions on lending apps accessing mobile phone resources like file and media, contact list, call logs and telephony functions. The lending apps will need to be configured in a manner where facilities like camera, microphone and location are only accessed once for on-boarding and KYC requirements, which is undertaken based on a borrower’s explicit consent.

• Data-related policies. Regulated entities are required to put in place policies that govern the usage, storage and destruction of data, and the handling of security breaches. These policies need to be disclosed on the lending apps.

The data-related conditions flowing from the guidelines are likely to be a contentious point in contractual arrangements between regulated entities and LSPs.

It is a common industry practice in India for fintech businesses to engage with regulated entities to facilitate the opening of credit channels for their existing customers. Commercially, the arrangement involves a referral of customers by the fintech, an LSP, to the regulated entity, resulting in an individual customer of the fintech becoming a customer of the regulated entity.

In such scenarios, the restrictions on holding and storing the data of customers by the fintech – which will be construed as an LSP – could become a huge blocker that requires the fintech to look for innovative solutions.

There may be scenarios where the fintech houses both LSP business for credit offerings as well as payments business (for instance, payment aggregator or issuer of prepaid payment instruments).

Such a fintech would store and have access to lending as well as payments data. If customers were to make a request for deletion of data based on rights recognised under the guidelines, it may leave the fintech entity in a dilemma, when data of the individual is stored in a common data repository.

To address such situations, it may be critical for such fintech businesses to ensure that lending data is segregated from and not co-mingled with payments data, despite a regulatory mandate of this nature.

In light of this, it seems clear that regulated entities and LSPs may not be able to claim rights over their use of borrower data. The borrower has the autonomy to determine the manner in which regulated entities and LSPs can use their data, through their consent, with LSPs subject to further regulatory restrictions.

Future outlook

India has seen significant growth in digital lending in the past few years. It is projected that loans originated through digital lending will account for 5% of all retail loans by 2028.

With the guidelines, the RBI lays down the framework to bring financial stability and ensure that borrower interests are safeguarded, in furtherance of the mandate to operate India’s credit system to its advantage.

Regulated entities are facing actions for non-adherence with the regulatory guidelines applicable to credit and lending. Considering the peculiar nature of some of the conditionalities, the digital lending space will be interesting to watch as the RBI aggressively intensifies scrutiny of structures and arrangements to monitor compliance.

 


DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.