RBI Digital Lending Guidelines — An Overview

Rushi Mehta
3 min read, Aug 11, 2022


(Article written on a personal-interpretation basis. Comments welcome.)

Background

The Covid-led situation created a huge surge in demand for credit across all classes in India. Taking advantage of this, cyber criminals from neighbouring countries started launching instant loan apps on app stores and via SMS links. These were illegal lending apps.

These apps relied on two Android permissions:

  1. Contacts
  2. Storage

Once granted during installation, both the contact list and the contents of storage were uploaded to the criminals' servers, which were hosted on non-responsive cloud infrastructure.

The worst part of these apps was the harsh recovery practice. If a borrower failed to repay the loan, the operators sent morphed (doctored) images and harassing messages to all of the borrower's contacts.

This situation led to multiple suicides across the country, and RBI formed a working group to tackle the menace.

RBI has now come up with guidelines on Digital Lending Apps (DLAs), effective immediately. Following are some important points to be implemented by Regulated Entities (REs):

https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=54187

These are divided in three parts:

  1. Customer Protection
  2. Technology and Data Requirement
  3. Regulatory Framework

Role of LSPs (Loan Service Providers)

An agent of a Regulated Entity who carries out, for a fee from the RE, one or more of the lender's functions: customer acquisition, underwriting support, pricing support, disbursement, servicing, monitoring, collection, and recovery of a specific loan or loan portfolio.

LSPs are mostly fintech companies that provide services such as penny-drop account verification, OCR, face recognition, finance management, recovery, etc.

(3.4.1.2) REs to ensure that any fees, etc. payable to LSPs are paid directly by them (REs) and are not charged by the LSP to the borrower directly.

(3.4.1.2) : REs have to ensure that all loan servicing, repayment, etc., shall be executed directly in their bank account without any pass-through account/ pool account of any third party.

Regulated entities cannot use a Payment Aggregator's bulk payout / settlement / disbursement service, as these run through pool or pass-through accounts.

How to validate?

Check the bank statement of the borrower: the disbursement and repayment entries should directly show the creditor's (RE's) name, not the name of the payment aggregator / payment gateway (PA/PG).

(4.4.1.3) : As per extant RBI guidelines, if any complaint lodged by the borrower is not resolved by the RE within the stipulated period (currently 30 days), he/she can lodge a complaint over the Complaint Management System (CMS) portal or other prescribed modes under the Reserve Bank- Integrated Ombudsman Scheme (RB-IOS).

The RBI Sachet portal (https://sachet.rbi.org.in) can be used to escalate the issue if a complaint is not resolved within 30 days.

(3.4.2.2) REs shall publish the list of LSPs (and DLAs, if any) engaged by them along with the details of the activities for which they have been engaged, on their website.

Many regulated entities do not have their own website, and there is no clarity on which apps are using their name. RBI has directed all REs to publish the names of the apps they have authorised on their website. REs also need to ensure the cyber security of such apps.

(4.4.1.3) Compliance with various technology standards/ requirements on cybersecurity stipulated by RBI or other agencies, or as may be specified from time to time, to be a pre- condition to offer digital lending by the REs and LSPs.

RBI's cyber security framework may be applicable to all apps and REs. Hence thorough application security and infrastructure security testing needs to be conducted before an app is offered.

(4.4.3.1) In any case, DLAs should desist from accessing mobile phone resources such as file and media, contact list, call logs, telephony functions, etc.

Android and iOS apps should refrain from requesting permission for the contact list, call logs or telephony. Since these were the permissions misused for harassment, this rule removes the channel through which the borrower's contacts were abused.
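A practical way for an RE to check an app it is about to authorise against 4.4.3.1 is to audit the permissions declared in its AndroidManifest.xml. The script below is an added example written for this article, not code from RBI or from any lending app; the mapping from the guideline's categories (file and media, contact list, call logs, telephony) to concrete Android permission names is my own assumption, and the manifest it scans is a constructed sample modelled on the contacts-plus-storage pattern described in the background above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping of the guideline's "mobile phone resources" to Android
# permission strings. The guideline names categories, not permissions, so
# extend this table if your threat model covers more (e.g. SMS).
FORBIDDEN_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.WRITE_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.WRITE_CALL_LOG": "call logs",
    "android.permission.PROCESS_OUTGOING_CALLS": "call logs",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.ANSWER_PHONE_CALLS": "telephony",
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.READ_PHONE_NUMBERS": "telephony",
    "android.permission.READ_EXTERNAL_STORAGE": "file and media",
    "android.permission.WRITE_EXTERNAL_STORAGE": "file and media",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "file and media",
    "android.permission.READ_MEDIA_IMAGES": "file and media",
    "android.permission.READ_MEDIA_VIDEO": "file and media",
    "android.permission.READ_MEDIA_AUDIO": "file and media",
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every permission name declared in a decoded AndroidManifest.xml.

    Both <uses-permission> and <uses-permission-sdk-23> are collected, since
    the latter is a common way to tuck a sensitive permission out of sight.
    """
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def audit_manifest(manifest_xml: str) -> dict[str, str]:
    """Map each forbidden permission the app declares to the guideline category it breaches."""
    return {
        perm: FORBIDDEN_PERMISSIONS[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in FORBIDDEN_PERMISSIONS
    }


def is_compliant(manifest_xml: str) -> bool:
    """True only when the manifest declares none of the forbidden permissions."""
    return not audit_manifest(manifest_xml)


# Constructed sample manifest (not a real app): the contacts + storage pattern
# from the illegal loan apps, plus call log and phone-state access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.instantloan">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE" />
    <application android:label="Instant Loan" />
</manifest>
"""

if __name__ == "__main__":
    findings = audit_manifest(SAMPLE_MANIFEST)
    for perm, category in findings.items():
        print(f"VIOLATION: {perm} grants access to {category}")
    print("compliant" if is_compliant(SAMPLE_MANIFEST) else "NOT compliant with 4.4.3.1")
```

The manifest inside a packaged APK is in binary XML, so decode it first (for example with `aapt dump permissions app.apk`, `apkanalyzer manifest print app.apk`, or apktool) and feed the resulting text to `audit_manifest`. A manifest audit is necessary but not sufficient: an app can also reach contacts through a third-party SDK or a content-provider query at runtime, so pair this with dynamic testing as part of the application security review the guidelines call for.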

(4.4.2.2) REs to ensure that all data is stored in servers located within India while ensuring compliance with statutory obligations/ regulatory instructions.

RBI has mandated that data be stored only on servers located in India, so that no sensitive data leaves Indian cyberspace.

(3.4.1.4) REs to ensure that any lending done through DLAs is reported to CICs irrespective of its nature/ tenor.

Credit Information Companies (CICs) need to be informed of all lending done through lending apps. This can be verified with credit bureaus such as Experian, CIBIL, etc.

These guidelines apply only to Regulated Entities. However, guidelines on loan apps that are not regulated are still pending from RBI's end. For example, the press release notes:

5. Recommendations, though accepted in-principle, which require further examination are listed as Annex-II.

6. Recommendations which require wider engagement with the Government of India and other stakeholders in view of the technical complexities, setting up of institutional mechanism and legislative interventions are listed in Annex-III.

Digital lending through various channels is a complex issue in terms of regulation as well as effective implementation of regulation.


Written by Rushi Mehta

Cyber Security & Fintech Risk Enthusiast, Trekker, Meditator and Contributor!
