Iwg Report On Digital Payments
16 December 2021
The RBI has published its Working Group's report on regulating the country's digital
lending ecosystem. In this update, we cover key aspects of the report such as
recommendations for regulation of various players in the digital lending space, proposed
security standards, data storage and transparency requirements and consumer
protection.
On 18 November 2021, the Working Group on Digital Lending (WG) constituted by the Reserve Bank of India (RBI)
published its report on the digital lending ecosystem, including lending through online platforms and mobile apps (Report).
The Report distinguishes digital lending from conventional lending on the basis of its use of digital technologies for lending
processes such as credit assessment, loan approval, loan disbursement, loan repayment and customer service.
The recommendations and suggestions made by the WG are aimed at balancing the benefits of digital innovation with
consumer interest. They also seek to protect the integrity of the digital lending system from unregulated or unauthorised
entities carrying out lending business and prevent the digital lending ecosystem from causing disruption to existing
players.
Key Recommendations
The Report highlights the growth seen in the digital lending sector over the last five years. While public sector banks and
foreign banks largely depend on their own apps/websites for disbursal of digital loans, the dependency of private sector
banks on outsourced digital lending apps (DLAs) is significantly higher. DLAs are mobile and web-based applications with
a user interface that facilitate borrowing by financial consumers from lenders. While DLAs are on the rise, the RBI has also
been receiving an increasing number of complaints against DLAs that are promoted by entities not regulated by the RBI. To
address these concerns, the Report suggests regulating the various players in the digital lending ecosystem.
The Report classifies the entities engaged in digital lending into two categories - balance sheet lenders (BSLs) and
lending service providers (LSPs).
(a) Balance sheet lenders
BSLs are entities in the business of lending that carry the credit risk in their balance sheet/provide capital for associated
credit risk. These entities are ordinarily RBI-regulated entities (RE) such as banks, non-banking financial companies
(NBFCs) or other entities registered for carrying out lending activities, such as moneylenders registered under State laws,
chit fund companies, State finance corporations and credit societies.
To regulate the functioning of DLAs i.e. mobile and web-based applications with a user interface facilitating the borrowing
by a financial consumer from a digital lender, the Report provides recommendations for REs. One of the key
recommendations is that balance sheet lending through DLA should be restricted to REs or entities registered under any
other law for specifically undertaking lending business, for which a suitable notification may be issued by the appropriate
authority. The Report cites the Ministry of Electronics and Information Technology as the appropriate authority for this
purpose.
While the restrictions on balance sheet lending to be carried out by REs have been envisaged with an aim to curb illegal
or exploitative digital lending practices, this could have a significant impact on established business models where
non-regulated entities or LSPs carry credit risk or have risk-sharing arrangements with their lending partners.
The Report also proposes to specifically prohibit REs from entering into arrangements involving synthetic structures with
unregulated entities such as First Loss Default Guarantee (FLDG) (i.e. an arrangement where a third party compensates
lenders if the borrower defaults). The WG also suggests that digital products involving short term credits and deferred
payments such as the Buy Now Pay Later (BNPL) models should be treated as BSL. While BNPL models are usually
implemented with partners that are REs, the WG's suggestion stems from the fact that this exposes the balance sheet of
the entity offering BNPL, where it is treated as a deferred payment. Accordingly, the implementation of this suggestion
would mean that BNPL can only be provided by REs, and not their partner LSPs.
(b) Lending service providers
LSPs are agents of BSLs who provide core and ancillary lending services such as customer acquisition, loan sourcing,
underwriting support, pricing support, providing a marketplace for lenders as well as borrowers etc.
When LSPs act in partnership with an RE, their activities are governed by the guidelines on outsourcing of financial
services issued for banks/ NBFCs by the RBI. However, similar guidelines on outsourced activities by other BSLs are not
in place, thus precluding the LSPs partnering with them from such compliance obligations. The Report therefore
recommends that balance sheet lending through DLAs should be restricted to REs that are governed by guidelines on
outsourcing issued by the RBI.
The Report also raises concerns on the difficulty in overseeing the various entities involved in the lending process for
weeding out fraudulent operators and addressing money laundering concerns. It recommends that:
- RBI should develop a separate framework styled as Agency Financial Service Regulation for all customer-facing/fully
outsourced activities of REs (e.g. contact centres, customer document management systems, etc. which may include LSP
functions).
- All transactions such as loan servicing, repayment, etc. should be executed directly in a bank account of the BSL without
using any pass-through account/pool account of a third party. This measure seeks to increase transparency and avoid
operational grey areas between LSPs and partnering BSLs. Further, the disbursements would always have to be made
into the bank account of the borrower. This recommendation may affect models currently used in the market.
- Use of pre-paid instruments (PPI) (cards/ wallets), in addition to bank accounts, may be permitted when full
inter-operability among PPIs is implemented. However, loans can be disbursed to borrowers who have only a PPI account
(but do not have a bank account) if such PPI accounts are fully KYC compliant. Further, any fees payable to LSPs as per
the agreement with the lender, should be paid by the lenders and not received by the LSPs directly from the borrower.
The Report also recommends tightening the rules governing payment transaction information. Additionally, entities
considered critical to digital lending such as web aggregator of loan products should be considered as LSPs and be
subjected to a code of conduct by the REs.
- The LSP agreement for BSL needs to be as per a uniform model to be brought out by a Self-Regulatory Organisation
(SRO), which should consist of LSPs and DLAs as members.
- Digitally signed documents supporting important transactions through DLAs of REs, such as sanction letter, terms and
conditions, account statements etc., should automatically flow to registered/verified email of the borrower upon execution
of the transactions.
Given the broad definition of LSPs, the Report shows a keen intent to ensure that the control of DLA lies in the hands of
the RE and that LSPs do not have a free rein on the processes of the DLA outside of the RE's supervision. If the
proposed Agency Financial Service Regulation mentioned above comes into play, it is likely to have a notable impact on
the relationship between LSPs and REs.
The Report recommends creation of an independent nodal agency, DIGITA, to ensure that only authorised and trusted DLAs are
used by consumers. The primary function of DIGITA will be to verify DLAs through which customers interact with the
financial system. Verification by DIGITA will take place prior to such apps becoming publicly available. DIGITA will verify
the technological credentials of DLAs including BSLs and LSPs. On successful verification, a 'verified' signature of the
DIGITA will be provided. DLAs not carrying this signature will be considered as unauthorised for the purpose of law
enforcement. DIGITA will also maintain a public register of verified apps.
The Report further suggests that DIGITA should monitor compliance and have the power to revoke the 'verified' status if
non-compliance is found and support (on an ongoing basis) digital market intelligence on potentially harmful public apps
interacting with the regulated financial system. The parameters of the verification process will depend on well-defined
policies/trust attributes as prescribed by appropriate authorities.
At present, it is unclear how DIGITA would carry out the DLA verification process as this check would require both
technical and legal expertise including extensive coordination with app stores distributing the DLAs.
The Report also recognises that the Data Protection Authority, proposed under the Personal Data Protection Bill, 2019,
could serve as the regulatory body to oversee financial apps in future. It recognises that DIGITA will only be able to partly
address the problem and long-term solutions will come from a more empowered legal and regulatory framework aimed at
better privacy protection.
The Report recommends that operation of neo banks or digital-only banks be brought under the ambit of RBI regulations.
Therefore, entities having FLDG and other synthetic business models will have to potentially procure an authorisation
from the RBI to continue their business.
The WG has proposed strict regulation for short-term consumer credit (STCC). STCC has been defined under the Report
as the practice of lending to consumers, amounts of money that are small relative to other forms of credit in the market for
a short period (up to 12 months), at an annual percentage rate (APR) considered high compared with other credit
products available to consumers. The Report recommends that STCC be defined to include digital lending and brought
under the regulation governing short term lending. It proposes to bring a standard definition for the cost of STCC in terms of
an APR and bring pay-day loans and unsecured STCCs under regulatory scrutiny. It further proposes that no penal
interest be levied for the pre-payment of any STCC. The Report also seeks to place limits on STCC lenders in terms of
the number of concurrent or multiple loans offered to customers. The SRO is proposed to be tasked with the responsibility
of keeping a tab on high cost STCCs in the market. This would bring in a granular regulatory and supervisory framework
for STCCs.
The Report identifies specific regulatory issues relating to digital lending technology. In this regard, it has highlighted:
(a) tracking of information of users by DLAs (such as social media patterns and spending habits) through requests for
access to various apps and services on the user's device. The Report acknowledges that such access would be required
for certain limited purposes such as location and camera details for KYC; and
(b) sharing of Credit Information Companies (CIC) information by NBFCs to LSPs without any privacy violations and lack
of adequate regulatory guardrails required to prevent unwarranted marketing of CIC data.
The Report therefore recommends mandating standard minimum-security practices in handling consumer data. The
Report calls for DIGITA, in consultation with the RBI, to issue guidelines for baseline digital hygiene to be implemented by
LSPs and compliance with RBI stipulated cybersecurity and technology standards as a pre-condition to offer digital
lending services. The Report also recommends defining baseline technology standards applicable for DLAs of REs such
as measures for ensuring security of applications running on mobile devices, proper authentication, and appropriate
configuration of servers.
- The standards for DLAs to include secure application logic and secure application code, keeping a log of every action
that the users perform along with their geolocation, IP address and device information, multi-step approval process for
critical activities and monitoring of transactions passing through the app in an auditable manner.
- All DLAs would need to mandatorily have their standards reflected in the terms of service. REs building their DLAs on
cloud infrastructure would need to make sure that cloud vendors comply with commensurate regulatory standards.
- DLAs of each RE should have links to their own secured website where further/ detailed information about itself and
about the loans, the lender, customer care particulars, etc. can be accessed by the prospective borrowers.
- Each DLA owner, including relevant LSPs, should name a nodal officer to deal with customers as well as regulators, law
enforcement agencies, etc. The contact details of the nodal officer would be displayed on the website of the DLA.
The Report separately notes the impact of big technology companies in the fields of e-commerce, social media and
payments carrying out digital lending directly or in partnership with REs. It highlights that they have an unfair competitive
advantage over REs, on account of readily available data across multiple non-finance business lines, which can be used
to leverage entry into financial services. It notes that the size of these entities poses a significant systemic and
concentration risk to the economy. However, the Report does not make any specific recommendation or suggestion in this
context.
The Report mandates that data needs to be stored in servers in India, and that the DIGITA should immediately flag to RBI
or the appropriate agency, any fintech apps with servers located outside India. While this obligation is likely to be directly
applicable only to DLAs, the same may be contractually passed to other LSPs by RE.
The WG has described DLAs as data fiduciaries and has suggested adherence to privacy principles of purpose limitation,
data minimisation, use limitation and retention limitation. It has recommended that the DLAs (i) should be clear on the type
of data held, length of data held, and its data destruction protocols; (ii) put in place a comprehensive privacy policy
covering the collection, use and sharing of data with third parties; (iii) collect data with prior informed and explicit consent
of the user that can be audited; and (iv) obtain permissions and access data from the users, subject to need based
requirements. No biometric data should be stored by DLAs of REs if any functionalities like Aadhaar, e-KYC and UPI are
used to conduct customer due diligence. The Report is not clear on how the above requirements will be supervised and
implemented by the different agencies (RBI, GoI, DIGITA and SRO) and which entity will be overseeing the same.
The Report also recommends that information on lending carried out through DLAs should be mandatorily shared with
CIC at regular intervals. This measure seeks to reduce reliance on alternate data (i.e. data collected on prospective
customers from connected apps or devices, with or without consent) for lending. The onus of proof for such reporting
would lie on the BSL and non-adherence of timely credit reporting of a loan exposure by REs to CICs should act as a
trigger for RBI to not allow certain activities in post origination stage, such as assignment/securitisation or recovery
enforcement process. Further, it suggests that only REs may act as the agent of borrowers in seeking credit reports from
credit institutions under CIC. If implemented, this could impact business models of LSPs that provide credit risk profiling
services to REs, as they would no longer be able to fetch information on behalf of the borrower.
The WG has identified that there is a lack of regulatory oversight or understanding of how algorithms are used by DLAs to
build risk profiles of users. The WG has cautioned against the possibility of potential bias and discrimination in assessing
credit availability and pricing where entities are left entirely unregulated. The Report recommends that REs should
document the rationale for the algorithmic features deployed by them to make the algorithmic decision-making process
transparent for consumers. This is underscored by the requirement on part of the lenders to ensure that input parameters
are known and outputs from the algorithms are explainable to ensure better interpretability. Further, it has recommended
that the algorithms used by lenders for underwriting must be auditable. While the Report does not have a requirement to
disclose elements like the source code, in the absence of clarity on what the audit would entail and the confidentiality
accorded to the information shared, there may be reluctance on part of REs and LSPs to reveal their proprietary
algorithms that constitute trade secrets or other intellectual property.
8. Consumer Protection
To safeguard the interests of DLA consumers, the Report makes specific recommendations and suggestions emphasizing
transparency, financial inclusion and user education. In this spirit, it requires a key fact statement, including a summary of
the terms and conditions of the contract, to be furnished in a standardised format by all lenders along with an SMS
summary of product information. The SRO may also formulate a standardised loan agreement covering digital lending
terms. The Report recommends that DLAs adopt responsible advertising and marketing standards as prescribed in the
code of conduct to be formulated by the SRO in respect of unsolicited commercial communications. Importantly, the
Report recommends that a cooling off/ look-in period, ideally between 3 to 14 days, be granted to customers for exiting
the loan upon payment of proportional APR but without any penalty.
To cover financial services, digital contracts and the delivery of financial services through digital modes, the Report
suggests the creation of a separate National Financial Consumer Protection Regulation under the Consumer Protection
Act, 2019. It recommends that REs put in place fair collection policies that prohibit abusive debt collection and
harassment, and identify recovery personnel on their websites. All lenders are required to formulate and display
anti-predatory lending policies based on certain characteristics that the RBI or SRO are required to identify in the future.
The Report with its slew of recommendations and suggestions proposes a stringent crackdown on DLAs engaging in
malpractices. Being constituted primarily of RBI representatives, the WG reflects a better understanding of the institutional
views of the digital lending ecosystem and the Report is a welcome effort to balance consumer interests with innovation.
However, with restrictions on permissible activities, extensive reporting obligations etc., the Report proposes onerous
obligations on unregulated LSPs by bringing them within the RBI's regulatory fold and impacting some of the existing DLA
business models in the market. That said, the WG's recommendations do not suggest streamlining or restricting LSPs to
such an extent that it confines them to specific business models or activities.
Comments on the Report have been sought from stakeholders and members of the public by 31 December 2021 via
email. The WG may make further recommendations based on consultations and comments received from the relevant
stakeholders. While the Report is not binding, given the composition of the WG (consisting of one Executive Director and
Chief General Managers of the RBI), it is possible that the RBI may soon issue guidelines covering some of the points
discussed in the Report. Stakeholders such as banks, NBFCs and fintech and other companies carrying out some form of
digital lending including through specific models such as FLDG, BNPL or sharing credit risk may need to study the Report
closely to understand how this will impact their business models.
If you require any further information about the material contained in this newsletter, please get in touch with your Trilegal relationship partner or send an email to
[email protected]. The contents of this newsletter are intended for informational purposes only and are not in the nature of a legal opinion. Readers are encouraged to
seek legal counsel prior to acting upon any of the information provided herein.