RBI Issues Official Guidelines For Digital Lending, Effective Immediately

The Reserve Bank of India (RBI) on September 2, 2022 issued official guidelines to all lenders, including banks in a move to protect the borrowers from unscrupulous lending practices.

According to the new guidelines issued by the RBI, the regulated entities cannot store borrowers’ data, apart from some basic information. A lender can only store information, such as the name, address, contact details of the customers, among others, which are needed to process and disburse the loan, and its repayment. Also, digital lending apps cannot store the borrower’s biometric information.

That said, these new guidelines will be applicable only to existing customers taking fresh loans, and to new customers getting onboarded from September 2, 2022, the date when this circular has been released.

“In order to ensure a smooth transition, regulated entities shall be given time till November 30, 2022, to put in place adequate systems and processes to ensure that ‘existing digital loans’ (sanctioned as on the date of the circular) are also in compliance with these guidelines in both letter and spirit,” the RBI circular said.

The guidelines issued by the RBI cover the following regulated entities: all commercial banks, urban co-operative banks, state co-operative banks, district central co-operative banks; and non-banking financial companies (NBFCs), including housing finance companies (HFCs).

Here are the ways in which the new guidelines issued by the RBI aims to protect borrowers:

• The digital lending apps are barred from accessing mobile phone resources, such as file and media, contact list, call logs, telephony functions, etc. A one-time access can be taken for camera, microphone, location, or any other facility necessary for the purpose of on-boarding/ know your customer (KYC) requirements, and only with the explicit consent of the borrower.

• The borrower shall be provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data, and if required, make the app delete/ forget the data.

• The purpose of obtaining borrowers’ consent needs to be disclosed at each stage of the interface with the borrowers.

• Explicit consent of the borrower shall be taken before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirement.

• The registered entities shall provide a key fact statement (KFS) to the borrower before the execution of the contract, and in a standardised format for all digital lending products.

• The KFS shall, apart from other necessary information, contain the details of the annual percentage rate (APR), the recovery mechanism, and the details of the grievance redressal officer designated specifically to deal with digital lending/fintech related matter, as well as the cooling-off/look-up period.

• The registered entities cannot levy any fees, charges, etc., which are not mentioned in the KFS to the borrower at any stage during the term of the loan.

• The information shall be sent to the borrowers on their verified email or through SMS on the successful execution of the loan contract or transaction. The information must be sent on the letterhead of the regulated entity (bank), and must contain a KFS, a summary of the loan product, sanction letter, terms and conditions, account statements, privacy policies of the lending service providers(LSPs) or the digital lending apps (DLAs) with respect to borrowers data, etc.
• During the sign-up or the on-boarding stage, information linked to product features, loan limit, and cost etc., must be informed to the borrowers.

• The banks and NBFCs must mention on their websites the digital lending apps used by them.

• Details of nodal grievance redressal officer must be displayed on the websites of banks, NBFCs, LSPs, DLAs, and also on the KFS.

• Registered entities shall capture the economic profile of the borrowers, covering their age, occupation, income, etc., before extending any loan over their own DLAs and/or through LSPs engaged by them, with a view to assessing the borrower’s creditworthiness in an auditable way.

• Registered entities also need to ensure that there is no automatic increase in credit limit unless explicit consent of the borrower is taken on record for each such increase.

• A borrower shall be given an explicit option to exit digital loan by paying the principal and the proportionate APR without any penalty during this period. The cooling off period shall be determined by the board of the registered entity. The period so determined shall not be less than three days for loans having tenor of seven days or more, and one day for loans having tenor of less than seven days. For borrowers continuing with the loan even after the look-up period, pre-payment shall continue to be allowed in accordance with the extant RBI guidelines.

• Registered entities must conduct enhanced due diligence before entering into a partnership with an LSP for digital lending, taking into account its technical abilities, data privacy policies, and storage systems, fairness in conduct with borrowers, and the ability to comply with regulations and statutes.

• Registered entities shall carry out periodic review of the conduct of the LSPs engaged by them.

• Registered entities shall impart necessary guidance to LSPs acting as recovery agents to discharge their duties responsibly while ensuring that they comply with the extant instructions in this regard.

• According to the provisions of the Credit Information Companies’ (CIC) Regulation Act, 2005, issued by RBI from time to time, registered entities shall ensure that any lending done through their DLAs and/or DLAs of LSPs is reported to CICs irrespective of their nature or tenor.

• Registered entities shall ensure that all loan servicing, repayment, etc., are executed by the borrower directly in the registered entity’s bank account without any pass-through account/ pool account of any third party.

• The disbursements shall always be made into the bank account of the borrower except for disbursals covered exclusively under statutory or regulatory mandate (of RBI or of any other regulator), flow of money between registered entities for co-lending transactionsand disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary. Registered entities shall ensure that in no case, a disbursal is made to a third-party account, including the accounts of LSPs and their DLAs, except as provided for in these guidelines.