
Digital Lending in India - Analysis and Implications


Apr 2 13 min read

Digital Lending in India: Analysis and Implications


By Akhileshwari Anand, Aaron Kamath & Huzefa Tavawalla

Abstract
This article discusses the RBI’s Digital Lending Guidelines, released in September 2022,
and the FAQs to the Guidelines released in February 2023. The article provides a brief summary of the
Guidelines, discusses compliance and disclosure requirements for regulated entities, digital lending
apps and lending service providers, and discusses the impact on various business models and entities
such as payment aggregators, buy-now-pay-later platforms, and first-loss default guarantee
arrangements.

I. Introduction
Digital lending, via websites and apps, has changed the way customers borrow money, by combining
technological advancement with traditional banking services. This has led to seamless borrowing, faster
loan disbursal with minimum paperwork, and expanded access to credit to a larger group of people,
with digital lending growing multi-fold during the Covid-19 pandemic. For example, various non-bank
websites and apps offer instant loans, with loans being disbursed in less than 10 minutes and without any
collateral. ‘Pay-later’ platforms have also helped people shop online without having to make upfront
payments.

The Reserve Bank of India (“RBI”) chose to examine the functioning of digital lending apps and
websites due to concerns of mis-selling to unsuspecting customers, data privacy breaches, misuse of
data collected, hidden costs, unethical business conduct (including recovery agents resorting to
harassment) and illegitimate operations. The RBI Working Group was set up in January 2021 (“Working
Group”). The Working Group identified three major issues: conduct, technology and charges, based on
which the Working Group released its recommendations in November 2021 (“Recommendations”).

The RBI Implementation of the Recommendations was released in August 2022, and on September 2,
2022, the RBI released the Digital Lending Guidelines (“Guidelines”). The Guidelines have been issued
under the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, the National Housing Bank
Act, 1987, the Factoring Regulation Act, 2011 and the Credit Information Companies (Regulation) Act,
2005. Subsequent to this, the RBI published Frequently Asked Questions to the Guidelines on February
15, 2023 (“FAQs”).

This article explores the provisions of the Guidelines and their industry impact on ‘buy now pay later’ and
first-loss default guarantee models and payment aggregators.

II. Brief Overview of the Guidelines


1. Applicability
The Guidelines are applicable to digital lending services extended by banks and non-banking financial
companies (including housing finance companies) (“Regulated Entities” or “REs”). It is clarified that the
scope of digital lending would extend to lending activities that involve some physical interface with the
borrowers, such as in customer acquisition, credit assessment, loan approval, disbursement, recovery,
and associated customer service.

The Guidelines also refer to Digital Lending Apps (“DLA”) and Lending Service Providers (“LSP”). DLAs
are mobile and web-based applications with a user interface that facilitates digital lending services (for
example, the mobile banking app of a bank that enables a user to avail of a loan through their phone). A
DLA can either be operated by an LSP or by an RE directly. LSPs are intermediaries between the RE and
the borrower. LSPs are entities that act as an agent of the RE and carry out one or more of the RE’s
functions, such as customer acquisition, underwriting support, pricing support, servicing, monitoring,
recovery of specific loans or loan portfolios.

The Guidelines reiterate that any outsourcing by an RE to an LSP or a DLA does not diminish the RE’s
obligations to conform to the existing RBI guidelines on outsourcing. In addition, REs also need to
ensure that LSPs and DLAs comply with the Guidelines.

The Guidelines are applicable to fresh loans to existing customers and new customers, who are
onboarded from September 2, 2022. For existing digital loans, that is, the loans that have been
sanctioned as on September 2, 2022, REs were given time until November 30, 2022, to put in place
adequate systems and processes to ensure compliance with the Guidelines.

2. Customer Protection

The Guidelines state that the loan disbursal and repayment cannot occur through an account of any
third party, such as a pass-through account or a pool account, including accounts of LSPs and DLAs.
The disbursals and repayments shall be made directly between the RE and the borrower’s bank account,
except in the following cases:

Disbursals covered exclusively under statutory or regulatory mandate,

Money flow between REs for co-lending transactions, for both priority and non-priority sector
lending,

Disbursals for specific end use, provided the loan is disbursed directly into the bank account of
the end-beneficiary,

When physical interface may be used for recovery of delinquent loans (only where absolutely
necessary), or

Repayment of loans issued as advances against salary, wherein the corporate employer of the
borrower deducts the EMI amount from the salary payable, and repays the instalment directly to
the RE.

Additionally, every RE should have and should ensure that their LSPs have a nodal grievance officer for
addressing any issues with respect to digital lending, fintech and DLAs. If a complaint lodged by the
borrower against an RE or LSP engaged by the RE is not resolved by the RE within 30 days, the
borrower can lodge a complaint on the Complaint Management System portal under the RBI-
Integrated Ombudsman Scheme (“RB-IOS”), or for entities currently not covered under RB-IOS, as per
the grievance redressal mechanism prescribed by the RBI.

3. Disclosures

The Guidelines mandate that the RE must provide a Key Fact Statement (“KFS”) in a standard format.
The KFS is required for all digital lending products, and must include the all-inclusive cost of the digital
loan shown as an annual percentage rate, recovery mechanism, and details of the grievance redressal
officer designated to deal with digital lending and fintech-related matters. Any charge or fee not
mentioned in the KFS cannot be charged to the borrower.

The KFS shall also include the right of a borrower to have a cool-off/lookup period, during which the
borrower can exit the digital loan by paying back the principal and proportionate annual percentage
rate (that may include a one-time processing fee) without any penalty. REs are required to ensure that
digitally signed documents on the letterhead of the RE, such as the KFS, the sanction letter, etc., shall be
sent automatically to borrowers on their registered and verified email or phone numbers as SMSs, upon
execution of the loan contract or transaction.

REs are required to ensure that any charges payable to the LSPs are paid by the RE to the LSP, and not
charged by the LSP to the borrower. Further, any penal interest or charges levied on borrowers by the
RE should be based on the loan’s outstanding amount, and the rate of such penal charges should be
disclosed upfront in the Key Fact Statement.

REs must publish the list of LSPs and DLAs engaged by them, and the details of their activities, on the
RE’s website. DLAs of REs and LSPs shall prominently display product and loan-related information at
the on-boarding stage, to ensure borrower awareness. REs shall provide the borrower with the details of
the LSP acting as its recovery agent, at the time of loan sanction and while passing on the recovery
responsibilities to an LSP or changing of an LSP. If the borrower fails to repay the loan and a recovery
agent has been assigned to the borrower, the RE must communicate the recovery agent’s contact
information to the borrower before the recovery agent contacts the borrower. REs must ensure that
DLAs of the REs and LSPs have links (in a prominent, single place on their websites) to the REs’ website
where detailed information about the loan products, the lender, the LSP, particulars of customer care,
etc., can be accessed by the borrowers.

The reasoning behind introducing such disclosure-related compliances is: (1) to ensure customers are
informed about all charges applicable to them, and (2) for customers to be able to identify recovery
agents of the RE, and ensure recovery agents may be held accountable for unethical practices. The
concern with digital lending platforms was primarily the hidden charges in loans offered, with news
reports stating that certain platforms charged 35-40% as platform fees, service charges and processing
fees. The concern appears to continue post the Guidelines as well, as the Ministry of Electronics and
Information Technology has blocked over 94 loan apps.

4. Data Protection

Data collection by LSPs should be need-based, with the explicit consent of the borrower at every stage.
Explicit consent is required from the user for sharing their information with third parties. Most
personal information collected by LSPs and DLAs should not be stored, except some basic minimal data
such as name, address, and contact details of the customer that may be required to carry out the LSP
and DLA operations. Further, phone data of the borrower, such as files, media, contact list, call logs, etc.
must not be accessed. However, one-time access for the camera, microphone, location or any other
facility necessary for on-boarding and/or KYC requirements is permitted, only with the explicit consent
of the borrower. Further, no biometric data can be stored or collected in the systems of the DLA and
LSP of REs.

The RE also has the responsibility to ensure that all the DLAs and LSPs that they engage have a
comprehensive privacy policy, including details of third parties that may be allowed to collect personal
information through the DLAs, the type of data that can be stored, length of storage, limitation of use of
data, etc., and that the privacy policy is prominently disclosed by the DLAs and LSPs of the RE on their
website or apps. All the data collected must be localized, i.e., it should be stored in servers located within
India. Lastly, REs have the responsibility to ensure the privacy and security of the customer’s personal
information.

The RBI historically has included data protection and localization related provisions in its regulations,
and this trend continues in the Guidelines. The restriction on data collected and the localization
requirement under the Guidelines are due to:

Excessive data and permissions collected from borrowers by DLAs/LSPs, including by legitimate
Indian fintechs offering digital lending. For example, several apps require users to provide
permissions to access location, camera and contacts to use the app, although such permissions are
not relevant to the services offered by the apps.

The misuse of borrower data by several DLAs/LSPs. News reports state that over 300 digital
lending apps were used by cybercriminals in India to access user data and to harass borrowers.

5. Reporting and Due Diligence

REs shall ensure that any lending through DLAs and/or LSPs of the REs is reported to Credit
Information Companies (“CIC”), irrespective of the nature of the loan or its tenor. Digital lending
products offered by REs or their LSPs over merchant platforms, involving short-term, unsecured or
secured credits, or deferred payments, need to be reported to CICs by the REs as well.

REs are required to conduct enhanced due diligence before partnering with an LSP for digital lending.
This diligence should include the LSP’s technical abilities, data privacy policies, storage systems,
fairness in conduct with borrowers and ability to comply with regulations and statutes. REs are also
required to undertake periodic reviews of the conduct of LSPs, and guide LSPs on how to act
responsibly if they are acting as recovery agents.

These due diligence provisions come in the light of several lending apps operating with harsh and
predatory lending and recovery practices. By imposing the obligation on REs to vet the LSP before
partnering with them, the instances of such lenders operating in the digital lending industry may
become significantly lower.

III. Industry Concerns


The Guidelines and the FAQs appear to plug the gaps identified in relation to the regulation of digital
lending. However, in terms of practical implementation, the Guidelines require further details or
clarifications. The industry-related concerns can be categorized as follows:

1. First Loss Default Guarantee

First Loss Default Guarantee (“FLDG”) is an arrangement between a fintech and an RE, wherein the RE
issues the loan to the borrower, and the fintech promises to compensate the RE to a certain extent if the
borrower defaults in repayment. FLDG is provided at a certain pre-decided rate. Until the Guidelines,
REs such as banks and NBFCs would lend through fintechs and rely on the fintech’s underwriting for the
FLDG.

The FLDG cover motivated REs to offer more loans, which has previously put banks in a tight spot at
the time of recovery, with over 10% of loans not being repaid on time in 2020. It appears that the
Guidelines would require REs accepting such FLDGs to adhere to the provisions of the RBI Master
Direction on Securitisation Of Standard Assets, specifically on synthetic securitization. The provision
appears to prohibit any transfer of risk by an RE to a third party in relation to lending.

This issue has not been clarified in the FAQs. The industry, including LSPs, continues to await RBI
clarifications on whether FLDGs can be offered to REs or not. The industry is exploring alternative
models such as revenue sharing based on repayment proficiency of loan portfolios, and revenue sharing
of interest income between the fintech and the RE.

2. Payment Aggregators

Payment aggregators (“PAs”), as per the RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, are “entities that
facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion
of their payment obligations without the need for merchants to create a separate payment integration system of their
own.” PAs facilitate merchants to connect with acquirers. In the process, they receive payments from
customers, pool and transfer the payments to the merchants after a particular time period.

The issue faced by PAs in relation to the Guidelines is that some PAs have also been performing the
functions of LSPs. For instance, the PAs were facilitating loans and pooling funds for disbursal and
acceptance, including facilitating equated monthly installments (“EMI”) on e-commerce and digital
platforms. The Guidelines have now restricted PAs (as PAs are not REs) from pooling money from
borrowers and lenders. Thus, funds cannot pass through the accounts of PAs. This has been confirmed
by the FAQs, which state that PAs performing the role of an LSP must comply with the Guidelines, and
no express exception has been provided for PAs to handle funds in the digital lending process.

For example, in a “pay-later” option offered while making a payment on an e-commerce website, if the
PA were handling funds directly, the transaction would have included a pass-through of funds through
the PA account at the time of loan disbursal and repayment by the borrower-purchaser. The model so
far was that some e-commerce platforms had an arrangement with REs for capital; when a customer
opted for the pay later option, a digital loan could be availed immediately through banks or NBFCs, and
loans would be disbursed through the PA’s pooling account. Post the Guidelines and FAQs, money
cannot pass through the PA’s account.

Certain PAs may also offer both: (1) PA services to merchants, and (2) digital lending services to
merchants (through partner banks or NBFCs). In this model, the partner bank or NBFC may directly
disburse loans to the merchants. The PA collects money from the merchant’s customers. The money
collected is then apportioned by the PA between: (1) the merchant’s account with the PA (for settlement
of money collected from customers), and (2) the merchant’s loan account with the bank or NBFC, as
repayment of the merchant’s loan. In this model, the issue that arises is that the PA may handle funds
directly in loan repayment. Post the introduction of the Guidelines and the FAQs, the PA cannot handle
the funds directly in the loan repayment.

Further, lending platforms have been struggling to comply with the Guidelines to route loan
repayments directly to the RE’s account. As the model is dependent on customers, i.e. it requires linkage
of the customer’s bank accounts with the RE’s account, this has been difficult for fintechs and REs to
implement.

Against the backdrop of the Guidelines, the Payments Council of India (“PCI”) has made a
representation to the RBI to exempt PAs from the norm of the Guidelines that restricts fund flow of
loan disbursals and repayments through pass-through accounts. PCI’s reasoning was that PAs are
regulated by the RBI, and the movement of funds is also through a regulated escrow account of PAs;
hence, PAs should have the right to disburse loans and collect loan repayments through their regulated
accounts. The PCI had also stated that the new Guidelines would hamper the operations of REs and
increase their operational costs. However, the FAQs have clarified that while PAs offering only PA
services would remain outside the ambit of the Guidelines, any PA performing the role of an LSP is
required to comply with the Guidelines. No exemption, as sought by the PCI, is provided to PAs.

The significance of the restriction of pass-through of funds through the accounts of PAs is that several
fintechs are now restricted from offering services that involve pass-through of funds through their pool
accounts. Although the Guidelines are for lending activities, they appear to place a restriction on licensed
PAs from participating in the process. Though PAs are RBI-authorised companies, this pass-through
account restriction is not exempt for PAs under the RBI Guidelines on Regulation of Payment Aggregators
and Payment Gateways, 2021.

3. ‘Buy Now Pay Later’ Apps

Prior to the Guidelines, the RBI circular on Prepaid Payment Instruments (“PPIs”) and credit lines (June
2022) banned the loading of non-bank PPIs such as prepaid cards and wallets from credit lines. Credit
lines are pre-approved borrowing amounts provided by banks or NBFCs (as lenders), that allow
individuals and businesses to access credit anytime without further approval within the pre-approved
borrowing limit. Basis the RBI’s Master Direction on PPIs, PPIs such as e-wallets may only be loaded and
reloaded using cash, debits to a bank account, and credit and debit cards, thus confirming that PPIs may
not be loaded through credit lines.

This credit lines restriction affected several ‘Buy Now Pay Later’ (“BNPL”) platform providers, as the
BNPL platforms offered credit to their users through non-bank issued PPIs, that used pre-approved
credit-lines to load the PPIs. Prior to the restriction, loans were offered in real time or within minutes of
the borrower’s request, as the credit-lines were pre-approved and the borrower did not require further
approval at the time of availing the BNPL service.

The RBI restriction on credit lines led BNPL companies to move to a model of fresh sanction of a loan
for every lending transaction undertaken by the borrower on the platform. The new model requires the
loan to be approved, disbursed and subsequently loaded into the PPI at each instance. This has led to a
change in the operations of several such BNPL platforms.

The Guidelines further required changes by BNPL platforms to ensure there was no pass-through of
loan disbursal or repayment through the BNPL platform account or any other intermediary account.
The double whammy of the credit lines circular and the Guidelines has rendered the operations of
BNPL companies in their erstwhile form virtually impossible. This has led to several such fintech
companies having to undertake drastic pivots, and in certain cases, shut down.

IV. Conclusion
Despite the Guidelines being comprehensive in relation to customer and data protection, there remain
industry-level concerns that require clarification for effective implementation. The clarification on the
role of PAs has brought much-awaited clarity, and the RBI’s stance is that pass-through of funds for
digital lending through PAs and BNPL platforms is not permitted. Limited exemptions for corporate
employers and physical recovery of loans have been provided, as explained above.

Industry players expect RBI to issue further clarifications on the Guidelines, especially for the
exemptions on offering FLDGs. Such a clarification would help the industry devise the right model to
operate effectively and within the confines of the law. The pertinent factor for devising models relating
to FLDGs is how REs may be motivated to lend digitally through LSPs/DLAs, if REs are not permitted
to enter into FLDG arrangements with fintechs. Apart from industry bodies, the new Department of
Fintech could liaise with fintechs and represent them before other relevant RBI departments to achieve
a quick resolution on the FLDG issue.

Akhileshwari Anand, Aaron Kamath & Huzefa Tavawalla - Fintech Law & Regulatory Practice Group, Nishith
Desai Associates
