Click here to Visit the RBI’s new website


1753 kb
Date : 18 Nov 2021
Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps
Table of Contents
Letter of Transmittal
Executive Summary
Section 1: Introduction
1.1 Constitution of the Working Group
1.2 Foreground
1.3 Processes Followed
1.4 Broad Approach
Section 2: Digital Lending Landscape
2.1 Meaning: Digital Lending
2.2 Digital Lending Eco-System
2.3 Global Scene
2.4 Indian Scene
2.5 Trends and Future
Section 3: Regulatory Policy Approach to Digital Lending
3.1 Extant Indian Legal Regimes
3.2 Global Regulatory Practices
3.3 The Case for Regulatory/ Supervisory Review in India
3.4 Recommendations and Suggestions on Statutory-Regulatory Approach
Section 4: Technology Standards of Digital Lending
4.1 Factors Spurting Growth of Digital Lending in India
4.2 Digital Lending Lifecycle
4.3 Regulatory Perspectives of Digital Lending Technology
4.4 Recommendations/ Suggestions
Section 5: Financial Consumer Protection
5.1 Extant Frameworks in India
5.2 Global Practices
5.3 Conduct Aspects of Digital Lending in India
5.4 Recommendations/ Suggestions
Gist of Recommendations in the Report
Gist of Suggestions/ Issues for Future Examination
Annex A - Synopsis: Inputs received from Stakeholders
Annex B - Details of Interfaces and List of Entities
Annex C - Extracts of Sample Survey Data on Digital Lending
Annex D - List of Money Lending Laws in India
Annex E - Global Practice in STCC Regulation
Annex F - Prescribed Format of Key Fact Statement/ Fact Sheet
Annex G - List of Statutes dealing with Usurious Interest Rates
Annex H - Rules to stop Debt Traps by CFPB, USA

Image 1


The Working Group expresses its gratitude to the Governor, Reserve Bank of India, Shri Shaktikanta Das for entrusting the responsibility on the Group to comprehensively study all aspects of digital lending activities to enable an appropriate policy approach.

The Group invited inputs and held virtual interactions with various stakeholders including financial institutions, government bodies, law enforcement agencies, academicians, and FinTech associations/ groups. The diverse interactions and different perspectives helped the Group in getting a holistic view of the nascent digital lending ecosystem. The Group would like to place on record its appreciation for all their valuable inputs, which have immensely helped in shaping this Report.  

The Group would like to commend the rigorous work put in by the core secretarial team of the Department of Regulation, RBI, led by Shri Chandan Kumar, General Manager and consisting of Shri Anuj Sharma, AGM; Shri Lakshmana Koyya, Shri B G Gowtham Kumar Naik, and Shri Aditya Sood, Managers.

The Group would also like to acknowledge and appreciate the contribution of the secretarial teams from Department of Supervision (Shri Susheel Raina, DGM; Shri A G Giridharan, DGM; Shri Nethaji B, DGM; Shri Varun Yadav, AGM; and Ms. Tricha Sharma, AGM) and Department of Payment and Settlement Systems (Shri Anuj Ranjan, GM and Shri Brijesh Baisakhiyar, AGM). The Group would also like to express gratitude to the Legal Department (Ms. Manisha Ranvah, ALA) and all the Regional Offices of Reserve Bank of India for the inputs provided.


API Application Programming Interface
AI Artificial Intelligence
AML/ CFT Anti-Money Laundering/ Combating the Financing of Terrorism
APR Annual Percentage Rate
ASIC Australian Securities and Investments Commission
BC Business Correspondent
BIS Bank for International Settlements
BNPL Buy Now Pay Later
BR Act Banking Regulation Act, 1949
BSL Balance Sheet Lender
CBIRC China Banking and Insurance Regulatory Commission
CDD Customer Due Diligence
CIC Credit Information Company
CICRA Credit Information Companies (Regulation) Act
CoR Certificate of Registration
DLA Digital Lending Application
EDD Enhanced Due Diligence
EMI Equated Monthly Instalment
FCA Financial Conduct Authority
FLDG First Loss Default Guarantee
FPC Fair Practices Code
FSB Financial Stability Board
IBA Indian Banks' Association
ICT Information and Communication Technology
IRDAI Insurance Regulatory and Development Authority of India
IT Act Information Technology Act, 2000
KFS Key Fact Statement
KYC Know Your Customer
LEA Law Enforcement Agency
LSP Lending Service Provider
MFI Microfinance Institution
ML Machine Learning
MI Market Intelligence
MLC Micro Lending Company
NBFC Non-Banking Financial Company
NBFC-AA Non-Banking Financial Company-Account Aggregator
NBFC-P2P Non-Banking Financial Company-Peer to Peer Lending Platform
NCRB National Crime Records Bureau
PBoC People's Bank of China
PII Personal Identifiable Information
RE Regulated Entity
RMB Ren Min Bi
RoC Registrar of Companies
SACC Small Amount Credit Contract
SEBI Securities and Exchange Board of India
SLCC State Level Coordination Committee
SME Small and Medium Enterprise
SRO Self-Regulatory Organisation
STCC Short Term Consumer Credit
UPI Unified Payments Interface
WG Working Group


Application Programming Interface: A set of rules and specifications followed by software programs to communicate with each other, forming an interface between different software programs that facilitates their interaction.

Artificial Intelligence: Information technology (IT) systems that perform functions requiring human capabilities. AI can ask questions, discover and test hypotheses, and make decisions automatically based on advanced analytics operating on extensive data sets.

Annual Percentage Rate: The annual rate that is charged for borrowing a loan and includes processing fees, penalties and all other charges that are applicable to the loan throughout its life.

Balance Sheet Lending: Financial service involving extension of monetary loans, where the lender retains the loan and associated credit risk of the loan on its own balance sheet.

Balance Sheet Lenders: Lenders who undertake balance sheet lending.

Blackbox AI: A system for automated decision making often based on machine learning (deep learning) over big data mapping the users’ features into classes predicting their behavioral traits which cannot be interpreted/ explained by even those who design it.

Buy Now Pay Later: A point of sale financial product where a borrower is allowed to purchase products on deferred payment basis and pays in a predetermined number of installments.

Caveat Emptor: The principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made.

Consumer Protection Risk: Derived from the definition of misconduct risk, consumer protection risk is the risk that the behaviour of a financial services entity, throughout the product life cycle, will cause undesired effects and impacts on customers.

Cooling-off Period: A period of time from the date of purchase of good or service from a distance (e.g., online, over phone or email order) within which the purchaser can change her/ his mind with return or cancellation of the purchase, as a part of Terms and Conditions of the purchase contract.

Cyber Security: Protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification, or destruction.

Digital Lending: A remote and automated lending process, majorly by use of seamless digital technologies in customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.

Digital Lending Apps: Mobile and web-based applications with user interface that facilitate borrowing by a financial consumer from a digital lender.

Embedded Credit: The lending services generated from the embedding of credit products into non-financial digital platforms.

FinTech (Financial Technology): A broad category of software applications and different digital technologies deployed by the intermediaries that provide automated and improved financial services competing with traditional financial services.

First Loss Default Guarantee: An arrangement whereby a third party compensates lenders if the borrower defaults.

Key Fact Statement: A comprehension tool in the pre-contract stage of credit process consisting of a standardized form listing all the fees, charges and other key credit information that a financial consumer needs to make informed decision which promotes transparency and healthy competition.

Glass Box Model: In a Glass Box model of AI, all input parameters and the algorithm used by the model to come to its conclusion are known imparting it better interpretability. Explainable AI (X-AI) allows humans to understand and trust the output better.

Lending Service Provider: Lending Service Provider is an agent of a balance sheet lender who carries out one or more of lender’s functions in customer acquisition, underwriting support, pricing support, disbursement, servicing, monitoring, collection, liquidation of specific loan or loan portfolio for compensation from the balance sheet lender. (A balance sheet lender must have continuing ability to handle the above functions and the lender, not the LSP, must be able to demonstrate that it exercises day-to-day responsibility for the same, when LSPs are engaged.)

Loan Flipping: The process of raising cash periodically through successive cash-out refinancings.

Loan Stacking: The process of taking out multiple loans/ credit limits by a borrower from various sources within a short period in order to reach a financial goal, both legitimate and illegitimate.

Machine Learning: A method of designing problem-solving rules that improve automatically through experience. ML algorithms give computers the ability to learn without specifying all the knowledge a computer would need to perform the desired task. The technology also allows computers to study and build algorithms that they can learn from and make predictions based on data and experience. ML is a subcategory of AI.

Market Place Lending: Use of online platform to connect financial consumers or businesses, who seek to borrow money, with investors/ lenders who are willing to buy or invest in such loans/ lend to such borrowers.

Open Texture Rules/ Standards: Those rules/ standards that allow practices to be judged on the basis of broad, flexible requirements and are commonly used as a consumer protection tool.

Pacing Problem: Time and capability gap between technological innovation/ advancement and the mechanism to regulate it.

Payday Loans: A short-term, low value, high-cost loan to cover immediate cash needs typically repayable on borrower’s next pay day or when income is received from any other source and granted without considering other financial obligations.

Payment Gateway: Payment Gateways are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

Payment Rails: Established networks or back-end systems involved in processing of cashless payments. (Examples: pre-paid wallets/ card rails, bank real time payment rails, bank batch/ bulk payment rails, card rails, carrier billing rail, check imaging rail, etc.)

Personal Identifiable Information: Information that when used alone or with other relevant data can identify an individual.

Problematic Repayment Situation: A problematic repayment situation is one when the consumer is not able to repay the debt within a reasonable time, and/ or the consumer is only able to repay it in an unsustainable way, e.g., by cutting back on essential living expenses or by defaulting on other loans.

Regulated Entity: Entities regulated by Reserve Bank of India.

Responsibilization: Subjecting financial service providers to a broad duty to treat consumers fairly but not specifying in detail how it is to be done.

Short Term Consumer Credit: The practice of lending to consumers, amounts of money that are small relative to other forms of credit in the market for short period, say, from a few days up to12 months, at an annual percentage rate considered high compared with other credit products available to consumers.

Step-in Risk: In the context of the report, Step-in Risk refers to the risk that a balance sheet lender assumes by providing support to the LSP beyond the contractual obligations, both from reputational and substitutability point of view.

Synthetic Identity: A synthetic identity is a combination of information that is real and fake information fabricated credentials where the implied identity is not associated with a real person.

TechFin: As opposed to FinTech where traditional financial services are delivered by use of technology, TechFin is where an entity that has been delivering technology solutions launches new way to deliver financial services. In other words, FinTech takes the original financial system and improves its technology, TechFin is to rebuild the system with technology.

Travel Rule: Information required to be collected, retained and be included in every fund transfer transaction initiated by one financial institution on behalf of a customer that should travel (be passed along) to each successive financial institution in the funds transfer chain.

Vulnerable Consumers: Those consumers who are at a disadvantage in exchange relationships where that disadvantage is attributable to characteristics that are largely not controllable by them at the time of the transaction. (Andreasen and Manning, 1990)

Executive Summary

Technological innovations have led to marked improvements in efficiency, productivity, quality, inclusion and competitiveness in extension of financial services, especially in the area of digital lending. However, there have been unintended consequences on account of greater reliance on third-party lending service providers mis-selling to the unsuspecting customers, concerns over breach of data privacy, unethical business conduct and illegitimate operations. While the current share of digital lending in overall credit pie of the financial sector is not significant for it to affect financial stability, the growth momentum has compelling stability implications. It is believed that ease of accessing digital financial services, technological innovations and cost-efficient business models will eventually lead to meteoric rise in the share of digital lending in the overall credit.

The larger issue here is protecting the customers from widespread unethical practices and ensuring orderly growth. As has been seen during the pandemic-led growth of digital lending, unbridled extension of financial services to retail individuals is susceptible to a host of conduct and governance issues. Mushrooming growth of technology companies extending and aiding financial services has made the regulatory role more challenging. In view of the ease of scalability, anonymity and velocity provided by technology, it has become imperative to address the existing and potential risks in the digital lending ecosystem without stifling innovation.

Further, on a larger canvas and on a medium to long term horizon, digital innovations along with possible entry of BigTech companies may alter the institutional role played by existing financial service providers and regulated entities. A fallout of this may get reflected in blurring of regulated and unregulated financial institutions/ activities. Such developments spurred by mere commercial considerations would pose regulatory challenges in ensuring monetary and financial stability and in protecting interests of the customers. The recommendations and suggestions are aimed at addressing issues posed by digital evolution of the financial activities/ products/ institutions while ensuring ways to reap the benefits of digital innovation at the same time.

The WG recommendations would act at three levels: regulated entities of the RBI; other regulated/ authorised entities; and unregulated entities including third-party service providers functioning in the digital financial realm. The recommendations seek to protect the integrity of the system against entities that are not regulated and not authorized to carry out lending business. The onus of subjecting third-party lending service providers to a standard protocol of business conduct would lie with the regulated entities to whom they are attached. Further, an institutional mechanism is envisaged to ensure the basic level of customer suitability, appropriateness and protection of data privacy. The report further seeks to ensure that there is orderly growth in the digital lending ecosystem without it being unduly disruptive towards the existing players in the ecosystem. The idea is that the existing players in the digital lending realm should follow recommended standards of appropriateness to address conduct/ technological issues.

The approach adopted in this Report is guided by the following three principles:

  • Technology Neutrality: Neutrality towards technological differentials or business models while encouraging competition to maximize the benefits to the financial system.

  • Principle Backed Regulation: Instead of a rule-based regime, a principle-backed approach to provide sufficient scope for innovation and adaptability in a dynamic environment.

  • Addressing Regulatory Arbitrage: Addressing the arbitrage between different sets of entities in the digital lending ecosystem to ensure level playing field and market integrity.

To achieve these principles in a holistic manner, the WG has recommended a three-pronged measure on a near to medium term. Some of the key recommendations of the Working Group are enumerated below:

a) Legal & Regulatory Recommendations

Near Term (up to one year)

  • A nodal agency should be set up which will primarily verify the technological credentials of DLAs of the balance sheet lenders and LSPs operating in the digital lending ecosystem. It will also maintain a public register of the verified apps on its website.

  • Balance sheet lending through DLAs should be restricted to entities regulated and authorized by RBI or entities registered under any other law for specifically undertaking lending business. A suitable notification in this regard should be issued by the appropriate authority.

  • An SRO should be constituted covering the participants in the digital lending ecosystem.

  • All loan servicing, repayments, etc. should be executed directly in a bank account of the balance sheet lender and disbursements should always be made into the bank account of the borrower. However, borrowers having only PPI account and no bank account can be disbursed loan if the PPI accounts are fully KYC compliant.

Medium Term (above one year)

  • Central Government may consider bringing in a legislation to prevent illegal lending activities by introducing the ‘Banning of Unregulated Lending Activities Act’.

  • RBI should develop a separate framework styled as Agency Financial Service Regulation (AFSR) for all customer-facing/ fully outsourced activities of REs including LSPs.

b) Recommendations related to Technology

Near Term

  • Compliance with the prescribed baseline technology standards should be a pre-condition to offer digital lending by the REs and by LSPs providing support to REs.

  • Each DLA should have publicly available policies regarding data storage, its usage and privacy.

  • Data should be stored in servers located in India.

  • REs should document the rationale for the algorithmic features aiding lending decisions that should ensure necessary transparency.

  • Data should be collected from the borrower/ prospective borrower with prior information on the purpose, usage and implication of such data and with explicit consent of the borrower in an auditable way.

Medium Term

  • An adaptive comprehensive regulatory framework for FinTechs and TechFins.

  • Algorithm used for underwriting should be auditable and lenders shall ensure that outputs from such algorithms are knitted in ethical AI design.

c) Recommendations related to Financial Consumer Protection

Near Term

  • Each lender should provide a key fact statement in a standardized format.

  • A look-up period of certain days should be provided for all digital loans with the option of exit by paying proportionate APR without any penalty.

  • Use of unsolicited commercial communications for digital loans should be governed by a Code of Conduct.

Medium Term

  • An anti-predatory lending policy should be framed by each lender based on the characteristics to be defined by RBI/ proposed SRO.

Besides recommending concrete action points, the WG has also made several suggestions. The suggestions would require wider consultation with stakeholders and further examination by the regulators and government agencies. A gist of recommendations and suggestions along with the implementation agency is provided at the end of the report. All entities operating in the digital lending ecosystem do not come under the regulatory purview of the Reserve Bank. For entities other than regulated entities (REs) of the Reserve Bank, concerned authorities are expected to put in place similar measures as recommended/ suggested for the REs of the Reserve Bank. This would ensure holistic compliance with the recommendations/ suggestions contained in this report.

Section 1: Introduction

1.1 Constitution of the Working Group

Recent spurt of disruptive innovations and consumerization of online lending apps (‘digital lending’), both mobile and web-based, have reshaped the way financial services are structured, provisioned and consumed. In its evolution, riding on other digital cousins such as digital payment and social media, certain actors could use it for their own ends, with unintended consequences for the nascent ecosystem. Against this backdrop, the Reserve Bank had constituted a Working Group (WG) on digital lending on January 13, 2021 to study all aspects of digital lending activities in the regulated financial sector as well as by unregulated players so that an appropriate regulatory approach can be put in place. The terms of reference and names of the members of the WG are as under:

Terms of Reference

1. Evaluate digital lending activities and assess the penetration and standards of outsourced digital lending activities in RBI regulated entities;

2. Identify risks posed by unregulated digital lending to financial stability, regulated entities and consumers;

3. Suggest regulatory changes, if any, to promote orderly growth of digital lending;

4. Recommend measures, if any, for expansion of specific regulatory or statutory perimeter and suggest the role of various regulatory and government agencies;

5. Recommend a robust Fair Practices Code for digital lending players, insourced or outsourced;

6. Suggest measures for enhanced consumer protection; and

7. Recommend measures for robust data governance, data privacy and data security standards for deployment of digital lending services.


Internal Members

1. Shri Jayant Kumar Dash, Executive Director, RBI (Chairman)

2. Shri Ajay Kumar Choudhary, Chief General Manager-in-Charge, Department of Supervision, RBI (Member)

3. Shri P. Vasudevan, Chief General Manager, Department of Payment and Settlement Systems, RBI (Member)

4. Shri Manoranjan Mishra, Chief General Manager, Department of Regulation, RBI (Member Secretary)

External Members

1. Shri Vikram Mehta, Former Associate of Monexo FinTech (Member)

2. Shri Rahul Sasi, Cyber Security Expert & Founder of CloudSEK (Member)

The Group conducted four meetings between January 19, 2021 and April 01, 2021 which were attended by all members and the secretarial team.

1.2 Foreground

In recent periods, a spate of digital micro-lending by various fringe entities and their dubious business conduct were flagged to RBI, Law Enforcement Agencies (LEAs), and reported in public domain. Such incidents were grappled by various LEAs at State level, albeit in non-uniform manner, after certain clarifications on identity of regulated entities were rendered by RBI, followed up by awareness drives. This undesirable experience was the imminent prompt for constitution of the Working Group to recommend a framework to address such issues holistically.

1.3 Processes Followed

The WG adopted a four-pronged process towards the report:

(a) Discussions with Stakeholders: Formal and informal inputs were sought from academicians, regulated entities, FinTech advocacy groups, consumer interest groups, industry bodies, FinTechs, app stores, LEAs, and central and state governments. The WG received inputs from thirty-six such stakeholders and their feedback covered various aspects - legal, regulatory, technological, code of conduct, fair practices, grievance redressal, etc. A brief synopsis of such inputs is presented at Annex A. A total of ten formal interfaces were also held with important stakeholders in the digital lending arena to elicit their views on the subject. Details of interfaces and list of entities that provided their inputs to the WG are provided at Annex B.

(b) Survey and Data Analysis: A representative survey was conducted to collect data on certain aspects of digital lending in which sample data was collected from 76 Scheduled Commercial Banks (SCBs) and 75 NBFCs, out of which 48 SCBs and 13 NBFCs stated that they are not engaged in digital lending. As per the data furnished by the remaining 28 SCBs and 62 NBFCs, digital lending constituted 75 per cent and 10 per cent of total assets of banks and NBFCs respectively as on March 31, 2020. The extracts of the survey data are appended at Annex C.

(c) Review of Extant Regulatory / Supervisory Framework and Industry Practices: A detailed review was carried out covering the extant regulatory framework, prevailing practices followed by DLAs, ancillary functions performed by various outsourcing agencies and FinTechs (e.g., sourcing, appraisal, payments, collection, etc.).

(d) Review of Global Practices and Literature: The WG also reviewed internationally published literature on the subject, the global developments, approaches adopted in other jurisdictions, and the evolving views of global standard-setting bodies and assessed their suitability for Indian system.

1.4 Broad Approach

1.4.1 The WG kept in view three broad tenets while considering the best fit approach for crafting FinTech appropriate regulation for digital lending.

(a) Technology Neutrality: Regulatory approach should be neutral towards technological differentials or business models; rather be encouraging healthy competition among all players that maximize the benefits to the financial system. Technology neutrality theory would imply that what is not legal offline, cannot be legal online. Many of the trouble spots around the fringe digital lending were considered identical to the known types of undesirable lending practices in the conventional lending landscape, albeit in a digital edition. A proportionate approach of ‘same activity, same risk, same rule’ principle for the entire lending ecosystem, digital or otherwise, required up-linking of a few recommendations to the original guidelines already issued or those in the context of broader FinTech that could be prospectively issued, rather than limiting these to narrow confines of digital lending. This should also be seen to have forward compatibility in the context of approach to regulations of broader digital financial services as and when it evolves. Harmonizing market conduct rules and oversight for all comparable credit offerings for all providers and channels would also fall under this tenet. The proportionate regulatory framework for smaller players in certain key areas such as cyber security/ IT risk should have similar regulatory frameworks to avoid the ‘weakest-link’ problem that could pose risks to the payment and settlement systems.

(b) Principle Backed Regulations: A graded approach to any regulation generally moves through minimum regulation, light precautionary regulation, and strong precautionary regulation phases. As the report covers three distinctive regulatory dimensions of digital lending, it blends all the grades of regulations. For a smooth integration, a principle-backed approach has been preferred to a rule-based regime as it affords flexibility in terms of its actual application to innovations, rather than a stifling over-prescriptive regime. While a commensurate construct for the equilibrium trinity of innovation, regulation and stability for digital lending has been attempted in the report, maintaining flexibility, adaptability and continuous learning in a rapidly evolving and dynamic environment is what should be attempted in its implementation. It is rightly argued that consumer protection regulation should follow an approach of open texture rules/ standards and responsibilization rather than being a ‘command and control’ type. However, for the present context in India, the regulatory approach should include, among others, moving beyond mere disclosure and fair practice framework to more regulatory guardrails, particularly in respect of recurring issues.

(c) Addressing Regulatory Arbitrage: A sine qua non for an effective regulatory regime is to prevent the emergence of regulatory gaps and arbitrages that might arise from appearance of new service providers, innovative products, etc., which are like those being regulated in respect of the incumbent players. A level playing field is key to ensure not only fair competition but also consumer protection. The same regulatory conditions and supervision should apply to all actors who seek to innovate and compete on FinTech: incumbent banks, FinTech start-ups and BigTech firms. These efforts should be towards better consumer protection and market integrity.

1.4.2 The WG recognizes the increasing significance of ‘digital lending’ in the financial ecosystem, particularly in the realms of financial inclusion, access and SME financing spawning a compulsive case for an ecosystem of partnership. Like any emerging business models, there are bound to be structural gaps and operating issues in digital lending ecosystem. The inevitability of its growth to match the nonpareil maturation of digital payment systems in India, warrants a shift from minimum-regulation approach in nascent stage to align to the truism that financial sector cannot be left to self-regulation. Given the maturity level of the evolving ecosystem for digital lending and potential grey areas for regulatory/ legal arbitrageurs, the WG determined that there may be a need for multiple agency approach/ frameworks required to address the issues in entirety, supported by central legislations/ notifications wherever required. Hence, the recommendations essentially capture the issues in perspective and seek to create an environment where the agency roles can be more transparent with necessary identifiers to shine light on the bad actors. In the absence of laws with specific provisions to address the issues, regulation should measure up for mitigating the risks.

1.4.3 Recognizing the tradeoff between consumer convenience, the leitmotif of digital financial services, and consumer protection, the need for a very fine balance while laying clear ground rules has also been weighed in. Responsible lending will remain a distant goal without customer awareness and watchful enforcement. However, while recommending regulations, on balance, protection of financial consumers’ interest would always weigh heavier than the interest of innovation. Although the digital lending canvas is much larger, the focal problem points in the recent digital lending (‘one-click credits’) episodes have been small value (nano/ micro) unsecured/ non-income generating loans to financial consumers. There is a lack of a comprehensive regulatory framework in consumer lending through DLAs from origination to debt collection and its administration including the business of providing credit references.

Section 2: Digital Lending Landscape

The world has been talking about Bank 4.00 since 2014 indicating arrival of 4th generation in evolution of financial services comprising FinTech, online/ mobile banking, virtual global market and questioning the sustainability of conventional banking. The book “Bank 4.00” by Brett King published in 2018 carried the sub-title “Banking Everywhere, Never at a Bank”. India has been whetting its appetite for digital transformation in financial services, slowly but steadily. Digital lending is one of the most prominent off-shoots of FinTech in India. The digital/ FinTech lending has to be seen in the overall context of the FinTech eco system per se, stylised in the following diagram.

FIG 21

It’s another matter that the trend of Bank 5.01 has already been set in motion, riding on cognitive banking, embedded banking, decentralised finance, robo-advisors, hybrid robo-advisors and bots, responsible banking.

2.1 Meaning: Digital Lending

Financial Stability Board (FSB) has defined FinTech as “technologically enabled innovation in financial services that could result in new business models, applications, processes or products with an associated material effect on financial markets and institutions and the provision of financial services”. In the absence of a universally acceptable definition of the term ‘digital lending’, FSB definition of the term ‘FinTech credit2’ as all credit activity facilitated by electronic platforms whereby borrowers are matched directly with lenders comes close. This definition has been loosely explained by FSB to include market place lending i.e., lending financed mostly from wholesale sources and non-loan obligations, such as, invoice trading. FSB has also classified ‘peer-to-peer lending’ and ‘loan-based crowdfunding’ as the main components of FinTech credit. Taking cognizance of the lack of a universally acceptable comprehensive definition of ‘FinTech credit’ or ‘digital lending’, this report has not attempted to define this term, as new models and approaches are still evolving. One generally accepted feature of digital lending is that it means ‘access of credit intermediation services majorly over digital channel or assisted by digital channel’. For the purpose of this report, the characteristics that are essential to distinguish digital lending from conventional lending are use of digital technologies, seamlessly to a significant extent, as part of lending processes involving credit assessment and loan approval, loan disbursement, loan repayment, and customer service.

2.2 Digital Lending Eco-System

In India, digital lending ecosystem is still evolving and presents a patchy picture. While banks have been increasingly adopting innovative approaches in digital processes, NBFCs have been at the forefront of partnered digital lending. From the digital lending perspectives, such lending takes two forms, viz. balance sheet lending (BSL) and market place lending (MPL), aka platform lending. The difference between BSL and MPL lies where the lending capital comes from and where the credit risks of such loans reside. Balance Sheet Lenders are in the business of lending who carry the credit risk in their balance sheet and provide capital for such assets and associated credit risk, generated organically or non-organically. Market Place Lenders (MPLs) or Market Place Aggregators (MPAs) are those who essentially perform the role of matching the needs of a lender and borrower without any intention to carry the loans in their balance sheet. While P2P lending in India is a clear example of MPL, many other players who are in the business of originating digital loans, (e.g., MPAs, FinTech platforms or the so called ‘neo banks’ or BNPL players) with the intention of transferring such digital loans to BSLs, can also be bracketed with MPLs/ MPAs. These categories of market players form part of the broader class of Lending Service Providers (LSPs).

An illustration of digital lending taxonomy in a universal context is provided in Figure 2.2 below.


Another noteworthy development in recent years has been the entry of technology service providers of various forms, in addition to the existing ones, into the financial sector creating a larger universe for the ecosystem (Fig 2.3).


For this report, the ecosystem of entities engaged in digital lending has been broadly segregated into two categories, viz. (i) Balance Sheet Lenders (BSLs) and, (ii) Lending Service Providers (LSPs). The latter category encompasses both the services being provided and the service providers. An entity can perform the roles of both BSL as well as LSP, as is usually the case of traditional lenders.

2.3 Global Scene

Post global financial crisis, financial markets around the world have undergone a significant transformation driven by technological innovation. In credit segment, P2P lending platforms have emerged as a new category of intermediaries, which are either providing direct access to credit or facilitating access to credit through online platforms. Besides, there are companies primarily engaged in technology business which have also ventured into lending either directly or in partnership with financial institutions. Such companies include ‘BigTechs’, e-commerce platforms, telecommunication service providers, etc. In digital lending space, we have global examples of Person-to-Person (P2P), Person-to-Business (P2B), Business-to-Person (B2P), Business-to-Business (B2B) lending models.

A paper3 published by BIS has estimated total global alternative credit (i.e., credit through FinTechs and BigTechs) in 2019 at USD 795 billion in which share of FinTechs and BigTechs is around USD 223 billion and USD 572 billion respectively. China, USA and UK are the largest markets for FinTech credit. BigTech has exhibited rapid growth in Asia (China, Japan, Korea and Southeast Asia), and some countries in Africa and Latin America. The largest market for both FinTech credit and BigTech credit is China, although of late, it has shown signs of contraction due to certain market and regulatory developments. While USA is the second largest market for FinTech credit, its share in BigTech credit is comparatively small. In BigTech credit, Japan is the second largest market with USD 23.5 billion lending in 2019. In UK, FinTech credit volumes are estimated at USD 11.5 billion in 2019 (up from USD 9.3 billion in 2018). The BIS paper has highlighted that FinTech credit volumes are growing decently in European Union, Australia and New Zealand while these have stagnated in USA and UK and declined in China. In many emerging market and developing countries, FinTech lenders are attaining economic significance in specific segments such as small and medium-sized enterprises.

2.4 Indian Scene

2.4.1 Digital Lending vis-à-vis Physical Lending

Based on data received from a representative sample of banks and NBFCs (representing 75 per cent and 10 per cent of total assets of banks and NBFCs respectively as on March 31, 2020), it is observed that lending through digital mode relative to physical mode is still at a nascent stage in case of banks (₹1.12 lakh crore via digital mode vis-à-vis ₹53.08 lakh crore via physical mode) whereas for NBFCs, higher proportion of lending (₹0.23 lakh crore via digital mode vis-à-vis ₹1.93 lakh crore via physical mode) is happening through digital mode.

Chart 21

In 2017, there was not much difference between banks (0.31 per cent) and NBFCs (0.55 per cent) in terms of the share of total amount of loan disbursed through digital mode whereas NBFCs were lagging in terms of total number of loans with a share of 0.68 per cent vis-à-vis 1.43 per cent for banks. Since then, NBFCs have made great strides in lending through digital mode.

2.4.2 Share of Digital Lending

Overall volume of disbursement through digital mode for the sampled entities has exhibited a growth of more than twelvefold between 2017 and 2020 (from ₹11,671 crore to ₹1,41,821 crore).


Private sector banks and NBFCs with 55 per cent and 30 per cent share respectively are the dominant entities in digital lending ecosystem. Also, share of NBFCs has increased from 6.3 per cent in 2017 to 30.3 per cent in 2020 indicating their increasing adoption of technological innovations. During the same period, public sector banks have also increased their share significantly from 0.3 per cent to 13.1 per cent. The prominent role of NBFCs in fostering digital mode of lending is reflective of the flexible regulatory regime (vis-à-vis banks) meant for NBFCs.

2.4.3 Product Profile Product mix based on loan purpose

The major products disbursed digitally by banks are personal loans followed by SME loans. A few private sector banks and foreign banks are also offering Buy Now Pay Later (BNPL) loans. Loans under ‘others’ category for banks comprise mostly of small business and trade loans, home loans and education loans.

Chart 23

Majority of loans disbursed digitally by NBFCs are personal loans followed by ‘others’ loans. In case of NBFCs, ‘others’ loans primarily include consumer finance loans. Even though the amount disbursed under BNPL loans is only 0.73 per cent (SCBs) and 2.07 per cent (NBFCs) of the total amount disbursed, the volumes are quite significant indicating a large number of small size loans for consumption. Product mix based on loan tenure

One difference between banks and NBFCs is in terms of tenure of loans disbursed through digital channels. While around 87 per cent of loans amounting to ₹0.98 lakh crore disbursed by banks have tenure of more than one year, for NBFCs only 23 per cent of the loans amounting to ₹0.05 lakh crore fall under this bucket.

Chart 24

On the contrary, loans with tenure of less than 30 days have maximum share in case of NBFCs (37.5 per cent amounting to ₹0.9 lakh crore) vis-à-vis 0.7 per cent amounting to ₹0.007 lakh crore for banks.

2.4.4 Source of DLAs among Regulated Entities

While public sector banks and foreign banks have been observed to largely depend on their own apps/ websites for disbursal of digital loans, the dependency of private sector banks on outsourced/ third-party apps is significantly higher. Credit offered through digital channels by public sector banks is mostly secured whereas for private sector banks and foreign banks, most of the digital lending portfolio is unsecured and specifically, the third-party app sourced loans in private sector banks are unsecured. In case of NBFCs, there is not much difference between disbursal through own digital channels and third party digital channels with some skew towards own channels (57 per cent).

2.4.5 Density of DLAs and illegal players As per the findings of the WG, there were approximately 1100 lending apps available for Indian Android users across 80+ application stores (from January 01, 2021 to February 28, 2021). Details are as under:

No. of App Stores in which Indian loan apps are available ~81
No. of unique Indian loan apps that have the keywords: loan, instant loan, quick loan, etc. ~1100
No. of illegal4 loan apps ~600
Table 2.1 Complaints against DLAs – Sachet, a portal established by the Reserve Bank under State Level Coordination Committee (SLCC) mechanism for registering complaints by public, has been receiving significantly increasing number of complaints against digital lending apps (around 2562 complaints from January 2020 to March 2021). Majority of the complaints pertain to lending apps promoted by entities not regulated by the Reserve Bank such as companies other than NBFCs, unincorporated bodies and individuals. Another significant chunk of complaints pertains to lending apps partnering with NBFCs especially smaller NBFCs (asset size of less than ₹1000 crore). Geographical and time-line wise distributions of these complaints are provided in following tables:

State Number of Complaints received5
Maharashtra 572
Karnataka 394
Union Territory of Delhi 352
Haryana 314
Telangana 185
Andhra Pradesh 144
Uttar Pradesh 142
West Bengal 138
Tamil Nadu 57
Gujarat 56
Table 2.2

Period Number of Complaints received
February to July 2020 85
September to November 2020 133
December 2020 919
January 2021 661
February 2021 392
March 2021 250
Table 2.3

Post issuance of the press release6 dated December 23, 2020 by the Reserve Bank cautioning public against unauthorised digital lending platforms/ mobile apps and creating awareness to register complaints against such lenders on Sachet, a significant increase in complaints was observed with December 2020 recording the maximum number of complaints at over 35 per cent of the total complaints. These are still early days, but the trends are indicating a steady decline in complaints since January 2021. Actions taken by google play store against digital lending apps reported by the enforcement authorities are given below:

Sr. No. Enforcement authority No. of reported apps by the enforcement authority Actions taken
1. Cyberabad Commissionerate, Hyderabad 115 58 were removed for policy violation
17 were found to be compliant
17 were unpublished by the developers
10 were removed from Play Store in India for failing to respond, pending submissions of documents by the developers
5 URLs were not Play App URLs, nor did they relate to any other Google product
4 were duplicate URLs
2 of the links were Play Store search page URLs that did not identify specific apps that were a part of their investigation
2 URLs did not link to any app
2. Rachakonda Commissionerate, Hyderabad 17 9 were removed for policy violation
5 were removed from Play Store in India for failing to provide NBFC certification, pending submissions of documents by the developers.
2 were found to be compliant
1 was unpublished by the developer
3. Office of Commissioner of Police, Chennai 17 9 were removed for policy violation
5 were removed from Play Store in India for failing to provide NBFC certification, pending submissions of documents by the developers
2 were found to be compliant
1 was unpublished by the developer
4. Intelligence Bureau, Ministry of Home Affairs 214 115 were removed for policy violation
63 were found to be compliant
24 were unpublished by the developer
12 were removed from Play Store in India for failing to provide NBFC certification, pending submissions of documents by the developers.
5. MeitY 27 14 were removed for policy violation
7 were unavailable
4 were found to be compliant
3 were unpublished by the developer
1 URL was broken
Table 2.4

2.5 Trends and Future

If past performance is key to predict the future, then it can be unambiguously stated that digital lending is the way to go. In not-so-distant future, lending in general and especially retail and MSME lending through physical mode may be rendered obsolete as is the case with operational banking today. It makes sense for banking transactions to take newer shape as purchases, payments and record-keeping go digital. The growth in digital lending over last five years, when other enabling factors and supporting infrastructure were still evolving, has been phenomenal and it is time for digital lending to operate in full swing, enabled by support and participation from all stakeholders. As per a Report7, India had highest FinTech adoption rate of 87 per cent as of 2020. This report values Indian FinTech market at ₹8.35 lakh crore by 2026 in comparison to ₹2.3 lakh crore in 2020 thus expanding at a compound annual growth rate of ~24.56 per cent.

Section 3: Regulatory Policy Approach to Digital Lending

From a regulatory policy outlook, the FinTech landscape can be divided into two spheres, viz. Incrementalistic FinTech and Futuristic FinTech8. The former uses new data, algorithm, software applications to perform traditional financial service provisions without significant change in the underlying functions. The latter disrupts the financial markets in manners that effectively supersede regulation. The work of the WG is generally centered around the first sphere of FinTech which is under current focus.

3.1 Extant Indian Legal Regimes

In India, lending activity, online or otherwise, is governed by following laws, in addition to various regulatory instructions issued by RBI for its regulated entities:

3.1.1 Banking Regulation (BR) Act, 1949: Business of banking as defined in Section 5(b) of the BR Act, includes providing loans inter alia by a banking company, through online mode or otherwise. All banks (public and private sector) including small finance banks, regional rural banks and co-operative banks are required to get themselves registered with the Reserve Bank for undertaking digital lending.

3.1.2 Reserve Bank of India (RBI) Act, 1934: Besides banks, NBFCs, complying with principal business criteria are required to be registered with RBI as per provisions of RBI Act. For this purpose, an NBFC is defined as a company registered under the Companies Act whose principal business is financial activity i.e. business of loans and advances, acquisition of shares/ stocks/ bonds/ debentures/ securities issued by Government or local authority or other marketable securities of a like nature, leasing, hire-purchase, insurance business, chit business. This does not include any institution whose principal business is agriculture activity, industrial activity, purchase or sale of any goods (other than securities) or providing any services and sale/ purchase/ construction of immovable property.

Further, financial activity is treated as principal business when a company’s financial assets constitute more than 50 per cent of the total assets and income from financial assets constitute more than 50 per cent of the gross income. A company fulfilling both these criteria is required to get itself registered as an NBFC with RBI. The term 'principal business' is not defined under the RBI Act. RBI has defined it to ensure that only companies predominantly engaged in financial activity are subject to its regulation and supervision. Hence, if there are companies engaged in agricultural operations, industrial activity, purchase and sale of goods, providing services or purchase, sale or construction of immovable property as their principal business and are doing some financial business in a small way, they are not required to get themselves registered with RBI.

To obviate dual regulation, certain categories of NBFCs, regulated by other regulators, have been exempted from the requirement of registration with RBI, viz. alternative investment fund companies/ merchant banking companies/ stock exchanges/ stock broking companies registered with SEBI, insurance companies registered with IRDAI, Nidhi companies/ mutual benefit companies under Companies Act, and chit companies under Chit Funds Act.

3.1.3 Companies Act, 2013: Companies, which are not meeting principal business criteria for registration as an NBFC with RBI, can also undertake lending activities subject to applicable provisions of the Companies Act, 2013 such as Section 1869 of the Companies Act, 2013 which prescribes certain restrictions on the loan amount and minimum interest rate for such loans. Besides, there are nidhi companies/ mutual benefit companies which are permitted to receive deposits from and lending to their members as per provisions of Section 406 of the Companies Act, 2013 and ‘Nidhi Rules, 2014’.

3.1.4 State Money Lenders Acts: The Constitution of India has conferred the power to legislate on matters relating to money lending and moneylenders to the States. Most of the states have their respective money lenders legislations in place (Annex D). Many of these are comprehensive legislations providing detailed and stringent provisions for regulation and supervision of the money lending business. These legislations contain provisions aimed at protecting the borrowers from malpractices of the moneylender. Some of the salient aspects of these laws are as below:

  1. Registration requirement for carrying on the business of money lending in the State

  2. Maintaining and providing statement of accounts to the debtors

  3. Powers to prescribe maximum interest rate

  4. Penalties for carrying on business without licence and for intimidating the debtors or interfering with their day-to-day activities, including the cognizability of such offences

  5. Dispute resolution mechanism

3.1.5 Chit Funds Act, 1982: Chit Fund companies are regulated under the Chit Funds Act, 1982, which is a Central Act, and is implemented by the State Governments. Those chit funds, which are registered under this Act, can legally carry on chit fund business which involves contributions by members in instalments by way of subscription to the chit and each member of the chit receives the chit amount by rotation.

3.1.6 Others: In addition to the above, there are other entities carrying out lending activities which are governed by their specific Acts (and other applicable laws) such as State Finance Corporations, Regional Rural Banks, Life Insurance Corporation of India and Credit Societies.

3.2 Global Regulatory Practices

3.2.1 A comparative study of global regulatory practices in respect of ‘FinTech platform financing’ has been undertaken by Bank for International Settlements (BIS) in its publication released in August, 202010. FinTech platform financing has been defined as a mechanism for intermediating financing over the internet using an electronic platform. However, this does not include banks (deposit-taking institutions that are members of a deposit insurance scheme), for which this activity has been separately classified as digital banking. FinTech platform financing is further bifurcated under following sub-categories:

(i) FinTech balance sheet lending: This has been defined as electronic platforms using their own balance sheet in the ordinary course of business to intermediate between borrowers and lenders.

(ii) Crowdfunding: This has been defined as matching persons/ entities needing funds with those who are willing to provide these funds for a financial return. Depending on the type of funding, it is further distinguished between loan crowdfunding and equity crowdfunding. Crowdfunding facilitates establishment of individual contracts between those seeking funds and those seeking to invest/ lend, and the platform, by itself, does not undertake risk transformation.

3.2.2 Most jurisdictions do not have any specific regulatory framework for FinTech balance sheet lending and it is governed by regulations applicable to other non-bank lending institutions as described below:

(i) Banking license: Some jurisdictions require every entity engaged in lending money and concluding loan agreements to necessarily hold a banking license e.g., Austria and Germany. These jurisdictions classify commercial lending as a regulated banking business. However, regulatory requirements are applied in a proportionate manner.

(ii) Non-bank license: For non-bank lenders, there are several frameworks which include regulation of those entities which are primarily engaged in lending business as well as those which undertake lending along with other activities. A brief about these frameworks is as below:

a) Money lenders: In Hong Kong Special Administrative Region (Hong Kong SAR), any person/ corporation providing loans is required to get a money lender’s licence. Similarly, in Japan, any non-bank lender must register itself as a money lending business operator.

b) Non-bank financial intermediaries/ lenders: In Italy, non-bank financial intermediaries are required to obtain authorization from the Bank of Italy for providing financing in any form and are subject to a prudential supervisory framework akin to banks. In the United States, non-bank lenders are required to comply with applicable state laws regulating money lending.

c) Investment funds: In the European Union, alternative investment fund managers using investment funds for lending are subject to authorization requirements under the ‘Alternative Investment Fund Managers Directive’.

(iii) No license requirement: In some jurisdictions, lending business of non-bank entities is not regulated under any specific financial law, and they are subject to requirements of applicable commercial law. Besides, there are usury laws mandating limits on interest rates e.g., lending by non-banks in Peru is not regulated but subject to an interest rate ceiling that is established by the Peruvian Central Bank.

3.2.3 In Brazil, regulations11 have been prescribed for direct credit companies (called Sociedades de Crédito Direto, SCD) which can carry out lending business exclusively through an electronic platform. In addition to balance sheet lending, SCDs are also permitted to (i) provide credit analysis to third parties; (ii) undertake collection for third parties; and (iii) act as insurance representatives and electronic money issuer in accordance with relevant regulations as applicable for these activities. SCDs are not allowed to raise funds from the public, except by issuing shares, and must operate from their own capital.

3.2.4 The China Banking and Insurance Regulatory Commission (CBIRC) and the People's Bank of China (PBoC) have jointly released interim rules12 on online micro loan business for feedback on November 2, 2020. These rules, inter alia, cover following aspects: a) requiring online micro lending company (MLC) to operate only in the province of their registration; b) approval of CBIRC for any cross-provincial business operation; c) criteria on registered capital (starting from RMB 1 billion going up to RMB 5 billion for cross-provincial operations), and controlling shareholders, d) relevant limits in terms of amount, purpose, and joint lending (minimum 30 per cent of the total loan amount to be contributed by MLCs for loans lent jointly with banks), e) measures to strengthen management, standardize equity management, fund management, and consumer rights protection, f) setting out supervisory rules and measures, etc.

3.2.5 In most jurisdictions, regulatory framework for crowd-funding platforms includes registration requirement, a minimum amount of paid-in capital, list of permitted activities, governance norms, business continuity planning, and disclosure requirements.

3.3 The Case for Regulatory/ Supervisory Review in India

In recent times, technological innovations have brought about growth in digital financial services, including digital lending, at exponential rate. While the regulator-led developments in India, such as that in payment space, come with a basic regulatory perimeter around it ab initio, market-led innovations always reveal certain initial regulatory and enforcement lags which need to be verged upon. Globally, in digital lending, an ex-post approach is preferred to an ex-ante approach for a more proportionate intervention, which supports both innovation and competition. The WG identified cases for regulatory/ supervisory interpositions in three areas of digital financial services. While the current section deals with regulations around digital financial services, the following two sections deal with technology and consumer protection issues respectively.

3.3.1 Regulatory Perimeter The assumption that because something is technologically possible, it should be allowed, is flawed and needs to be challenged: the law or regulation cannot just be wished away13. Lending activity, whether online or otherwise, by any legitimate lender is governed by the respective applicable legislation. Apart from these legitimate lenders engaged in balance sheet lending organically, there are essentially two types of entities operating in the digital lending ecosystem which require attention:

(i) Lending Service Providers (LSPs): In the context of digital lending, these are essentially technology-centric entities which act as both core and ancillary lending service providers. The services provided by LSPs include providing a marketplace for the lenders as well as the borrowers, loan sourcing, underwriting, collection services for repayments, data aggregation & analysis, rating services, etc. Within LSPs, there are two types of entities:

a) Entities regulated by the financial sector regulators such as credit information companies, NBFC-Account Aggregator (NBFC-AA), NBFC-Peer to Peer Lending Platform (NBFC-P2P) regulated by RBI; and credit rating agencies regulated by SEBI

b) Entities not specifically regulated by any financial sector regulator

Technically, LSPs are not undertaking ‘business of a financial institution’ as defined under the RBI Act and the loans, which are sourced, appraised or serviced by them, are not their assets. Generally, LSPs are acting in partnership with a bank or an NBFC and therefore, their activities are governed by the guidelines on outsourcing of financial services issued for banks/ NBFCs by RBI. However, similar guidelines on outsourced activities by other balance sheet lenders (i.e., excluding banks/ NBFCs) are not in place thus precluding LSPs partnering with them from any specific scrutiny.

(ii) Fringe lenders: These are shadow balance sheet lenders which operate without getting themselves registered for lending activities with the concerned authorities, thus creating an informal market. Considering the anonymity and velocity provided by technology, it is a challenging task to identify and monitor such fraudulent platforms/ applications on real time basis. Rent-an-NBFC model by digital lenders: A synthetic structure enabling unregulated entities to lend without complying with prudential norms is through credit risk sharing arrangements by way of a “First Loss Default Guarantee (FLDG)” extended by the LSPs. Under this, the LSP provides certain credit enhancement features such as first loss guarantee up to a pre-decided percentage of loans generated by it. From the LSP’s perspective, offering FLDG acts as a demonstration of its under-writing skills whereas from the lender’s perspective, it ensures platform’s skin in the business. For all practical purposes, credit risk is borne by the LSP without having to maintain any regulatory capital. The loan portfolio backed by FLDG is akin to off-balance sheet portfolio of the LSP wherein the nominal loans sit in the books of the lender without having to partake in any lending process. In some cases, the LSP, as a non-banking non-financial company (NBNC) may be undertaking balance sheet lending in partnership with a bank/ NBFC or on stand-alone basis, while not satisfying the principal business criteria to remain outside regulation. Besides, there are higher operational risks which arise due to increasing reliance of lenders on third-party service providers. With increasing share of digital lending in retail/ personal space, there is a potential for risk build-up because of these platforms. This may also be adding to counterparty risks posed by the platform to its lending partners. Shadow Lending: Conduct of financial service under digital anonymity and layering under regulated entities in varied forms is also a cause of concern. Many players operating in the digital lending ecosystem are not required to be registered with a financial sector regulator. This coupled with anonymity provided by internet, country of origin, involvement of different entities in the life-cycle of a loan and lack of clear demarcation between actual balance sheet lender and LSPs raise multiple strategic concerns besides those related to money laundering. Payments Banks: The objective of setting up Payments Banks (PBs) with a structured licensing process was to provide small savings accounts and payments/ remittance services to migrant labor workforce, low-income households, small businesses, and other unorganized users. The PBs are eligible for conversion into a Small Finance Bank (SFB) after five years of operations. Since they are not permitted to lend, currently they act as LSP for other NBFCs/ banks.

3.3.2 Supervisory Enforcement Concerns Supervisory enforcement in respect of the DLAs running afoul of expected conduct has been hobbled by three broad factors, viz. (i) majority of DLAs were neither regulated nor related/ linked to any regulated entity, (ii) NBFCs linked to certain DLAs were smaller ones, subject to light-touch supervision (iii) an effective deterrence would have involved multi-agency approach for which any established mechanism was absent. The challenges required agencies to police the boundaries between orthodox financial system and the world of digital lending, practically in a black box. Some of the NBFCs holding CoR can undertake both physical and digital lending, but do not even have a website. It had been reported in media that certain ill-reputed foreign investors employ methods, such as “borrowing” an NBFC licence, or using a Variable Interest Entity (VIE) structure to circumvent Indian laws for digital lending. Engagement of multiple entities in entire lending process without any audit trails also raises concerns around money laundering. There is a need to put a mechanism in place to distinguish between genuine and fraudulent operators. To monitor and report such entities on real-time basis, financial consumers need to be empowered with sufficient information and tools to do so. Globally, the regulatory/ supervisory bandwidth to deal with digital lending has been under continuous upgradation. The experiment of FCA, UK, with the Bank of England to reduce the ‘compliance burden’ through digital regulatory reporting by regulated entities may be a natural fit for supervisors of digital lending in India as well. Through ‘TechSprints” events they are exploring Distributed Ledger Technology (DLT) and Natural Language Processing (NLP) technology to set standards and procedures in regulation, compliance as also in transactional applications and maintenance of databases of REs.

3.3.3 Financial Stability Linkages Digital lending does improve financial stability from efficiency gains, disintermediation, diversification of credit market landscape and improving certain structural imbalances by directly tying up with investors with matching liquidity and risk bearing capacity. However, it has a flip side of equal proportion. Potential problems are magnified by operational weaknesses and insufficient disclosures paired with potential conflicts of interest, as well as a lack of dedicated resolution frameworks and limited regulatory oversight. An article written by Prof. William Magnuson in Bloomberg in September 2017, titled “The Next Crisis Will Start in Silicon Valley: Forget Wall Street. Worry about FinTech” had drawn attention of financial sector regulators to the new vector for potential financial instability. Financial innovation and financial liberalisation have traditionally preceded stresses in the financial system. The sudden emergence of new types of players, outside proper regulatory perimeter, providing alternate lending services amount to financial liberalisation. Currently, the share of digital lending in overall credit is too small to have any significant impact on financial stability. However, given their ease of scalability, it may assume greater significance sooner than later. It is, therefore, pertinent to address existing and potential risks while leveraging on the benefits of emerging FinTechs. Depending on the level of direct and indirect exposures of the traditional banking to online lending sector, a key financial stability risk is the potential spill over of losses originating in online lending to the broader financial system. Critical interdependence among each constituent of the digital lending ecosystem has potential for seamless transmission of risks, at times with amplifications, from unregulated entities to regulated entities. The determining factors of impact of digital lending, going forward, on financial stability, would include the following:

(i) Degree to which the traditional banking function of lending is driven through FinTech by entities which relatively lack banking experience as well as track record. During a cycle of downturn or stress, this could potentially affect stability by creating unknown system vulnerabilities.

(ii) Degree to which the FinTech behind digital lending creates interconnectedness through higher complexity and additional points of failures.

(iii) Degree to which digital lending affects concentration risk with rapid rise of alternate lending mechanism in certain market segments and level of their substitutability.

(iv) Degree to which it fragments the design and delivery of loan products across several providers and platforms, blurring the responsibility for operational risks, customer suitability, compensation, etc.

(v) Degree of over-reliance on automated credit under-writing involving opaque/ complex processes with rapid propagation of risks. AI/ ML may amplify systemic risk if more lenders adopt similar optimization algorithms to manage their risk management functions. The result may be a financial system that is increasingly procyclical when shocks materialize. The LSPs largely depend on the data generated in their normal business or gathered from other sources to expand their outreach and their foray into financial arena raises certain concerns such as new forms of concentration risk, systemic risk, market power, regulatory arbitrage, customer protection, data privacy and cyber security. There is no doubt that emergence of TechFin entities contributes towards increasing competition, furthering financial inclusion, introducing innovation, and improving overall efficiency of financial services but the downside risks call for evaluating the need for a review of current regulatory framework applicable to their business. The broader debate on regulatory arbitrage focuses on two aspects. First, banks may shift capital-intensive activities to online lending platforms leading to regulatory leakage and, second, online lending platforms may continue to gradually adopt services which are at the core of bank-based financial intermediation. The above concerns were more pronounced in the case of fringe digital lenders. However, the need for some of the regulated entities improving their behaviour on this front was also conspicuous. Hence, the report is more focused on consumer finance rather than business finance through digital lending. There may be certain other prudential regulatory concerns in digital lending models affecting the intermediaries themselves (e.g., holding structure, governance, risk management, operational resilience etc.), and financial stability risks (requiring data and information gathering and analysis, emerging regulatory intervention etc.), which have not been directly covered in this report.

3.3.4 Balancing Risks and Innovations

In a BIS paper published in February 202114, it has been argued that public policy goals such as financial stability, market integrity and consumer protection should take precedence in the objectives of financial regulation in comparison to creating a level playing field. Further, complete homogenisation of the requirements to be satisfied by different types of players does not necessarily result in more and fair competition. In some areas, such as consumer protection, anti-money laundering/ combating the financing of terrorism (AML/ CFT), and conduct of business, an activity-based approach may be needed to achieve the primary policy goals whereas in others, such as financial stability, an entity-based approach would be more appropriate. While framing the regulations for the financial sector, Reserve Bank has always been conscious of the fact that the degree of regulation of a financial entity should be commensurate with the risk the entity poses to the financial system and the scale of its operations. This approach has also been advocated in the circular on ‘Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs’ issued on October 22, 2021.

3.4 Recommendations and Suggestions on Statutory-Regulatory Approach

Besides recommending concrete action points, the WG has also made several suggestions. The suggestions would require wider consultation with stakeholders and further examination by the regulators and government agencies.

3.4.1 Calibrating Existing Regulations Being a responsible activity and use of digital channel amplifying its impact velocity, balance sheet lending through DLAs should be restricted to entities regulated and authorized by RBI or entities registered under any other law for specifically undertaking lending business, for which a suitable notification may be issued by appropriate authority15.

(Recommendation - GoI)

Regulatory bodies for other authorized lenders such as credit societies, registered money lenders, non-banking non-finance companies (NBNCs), etc. may consider stipulating appropriate guidelines consistent/ proportionate with that of RBI, to prevent/ minimize environment of regulatory arbitrage in the businesses of digital lending.

(Suggestion - GoI) Partnership between LSPs and BSLs in digital lending is a ground reality and should be encouraged with appropriate transparency in the interest of consumers.

(a) In order to avoid creation of operational grey areas in the process and for the sake of better transparency, all loan servicing, repayment, etc., should be executed directly in a bank account of the balance sheet lenders without any pass-through account/ pool account of any third party. The disbursements should always be made into the bank account of the borrower. Use of pre-paid instruments (PPIs) (cards/ wallets), in addition to bank accounts, may be permitted when full inter-operability among PPIs is implemented. However, borrowers having only PPI account and no bank account can be disbursed loan if the PPI accounts are fully KYC compliant. Any fees, etc., payable to LSPs as per agreement with lender, should be paid by the lenders, and not received by them directly from the borrower.

(Recommendation - RBI)

(b) The LSP agreement for the balance sheet lenders needs to be as per a uniform model to be brought out by the proposed SRO.

(Suggestion - RBI/ SRO)

(c) New digital lending products involving short term, unsecured/ secured credits going under the guise of deferred payments or the like, such as BNPL should be treated as part of balance sheet lending, if not in the nature of operational credit by merchants. Since these products do not meet the requirements of traditional credit facilities, a suitable notification may be issued by the Government of India in this regard.

(Suggestion - GoI) There is a need to expand the reach of established/ formal digital channels for digital lending to crowd out the fringe lenders. Other entities, such as web aggregator of loan products, considered critical to digital lending should be considered as LSPs and may need to be subjected to discipline and code of conduct by the regulated entities to which they are attached.

(Suggestion - RBI/ SRO) Broadening the coverage of credit reporting systems will enable lenders to make better credit decisions for a wider segment of consumers.

(a) Mandatory submission of information to Credit Information Companies (CICs) by a broader group of lenders will break the perpetuation of data marginalization of certain vulnerable groups. Reporting to CICs in respect of all lending carried out through DLAs should be ensured at a shorter interval compared to conventional reporting. This will ensure less dependence on alternate data for financial consumers as more and more of them would develop formal credit history for themselves. Further, it will offer wider choices/ competitive pricing for consumers. Lending done through DLAs must be reported to CICs irrespective of its nature/ tenure. In order to disincentivize lenders from delayed or non-reporting, non-adherence to timely credit reporting for a loan exposure to CICs can be a trigger for RBI to restrict certain activities at the post origination stage, like assignment/ securitization of specific loans or recovery enforcement process with regard to specific loans, etc. The onus of proof of appropriate reporting will lie with the balance sheet lender.

(Recommendation - RBI)

(b) In order to prevent loan targeting/ marketing by digital lenders based on credit reports obtained from Credit Institutions under Credit Information Companies (Regulation) Act (CICRA), appropriate regulatory changes may be made to allow only entities regulated by any financial sector regulator to act as agent on behalf of the borrower. Each access/ enquiry of credit information by any specified institution should be conveyed to the borrower through electronic channel.

(Recommendation - RBI)

3.4.2 Enhancing Statutory/ Regulatory Framework In order to have a nodal agency to ensure that only authorised and trusted DLAs are used by consumers, it is desirable that an independent body styled as Digital India Trust Agency (DIGITA) should be set up. The agency may be set up in consultation with stakeholders including regulators, industry participants, representative bodies and the government. While encouraging innovation, it should discharge the function of verifying the digital lending apps (by extension, in future, other FinTech apps through which customers interact with the regulated financial system) before such apps can be publicly distributed through app stores or through any other digital means. Eligible apps not carrying the ‘verified’ signature of DIGITA should be considered as unauthorized for the purpose of law enforcement. A public register of ‘verified’ apps should be maintained by DIGITA with essential details on its website. Any subsequent changes in such apps for potential non-compliance should be surveilled by the Agency and it should have the power to revoke the ‘verified’ status of the apps. DIGITA should also support on an ongoing basis, digital market intelligence on potentially harmful public apps interacting with the regulated financial system.

(Recommendation - GoI/ RBI) In order to devise granular/ stricter regulatory and supervisory framework, Short Term Consumer Credit (STCC) may be defined to include digital lending as is done in certain jurisdictions (Annex E) and appropriate regulations, on similar lines as that for MFIs can be framed. In view of the commonalities of concerns/ as an alternative to separate regulation, the extant / proposed regulatory framework/ codes of conduct for MFIs could be expanded to suitably include STCCs. This will make a single harmonized set of conduct rules for short term lending. Government may consider notifying the same to make it proportionately applicable to other entities (not falling under RBI’s regulatory domain) engaged in provision of similar financial services.

(Suggestion - GoI/ RBI) Under current regulatory framework, regulation on all outsourced activities has been prescribed for compliance by REs of the Reserve Bank. Going by the increasing trend of business models leveraging the use of agents and third parties including LSPs for scale, reach and cost-effectiveness, RBI may develop a separate framework styled as Agency Financial Service Regulation (AFSR) for all customer-facing, fully outsourced activities of REs including the services provided by LSPs.

(Suggestion - RBI) With evolving shape of the digital lending eco-system and agency participation in providing financial services, there needs to be certain standards and protocols to be followed by the entire partner ecosystem. Reserve Bank has recognized few Self-Regulatory Organizations (SROs) catering to different regulated segments. At secondary level, industry associations have a role to play in laying down a code of conduct incorporating best business practices, ensuring compliance of their members with regulatory guidelines and providing a mechanism for grievance redressal of customers. The WG on FinTech and Digital Banking in November 2017 had also recommended that a self-regulatory body for FinTech companies may be encouraged. It is now recommended that an SRO covering DLAs/ LSPs in the digital lending ecosystem may be set up. Reserve Bank may provide general guidance and recognize such an SRO in respect of the RBI regulated entities and their outsourced agents. GoI may also like to take similar action for digital lending business carried out by entities which are not REs of RBI. Code of conduct for Recovery Agents as part of AFSR and putting names of the erring members in a negative/ grey list for the sector by SROs after following appropriate procedure, should also form part of the code. The REs may publish a list of LSPs engaged by them on their website.

(Recommendation - GoI/ RBI/ SRO) Analogous to the Central law of “the Banning of Unregulated Deposit Scheme Act, 2019”, Central Government may consider bringing through a legislation styled as “the Banning of Unregulated Lending Activities (BULA) Act” which would cover all entities not regulated and authorized by RBI for undertaking lending business or entities not registered under any other law for specifically undertaking public lending business. The recommended legislation may also define ‘public lending’ to bring clarity.

(Recommendation - GoI) The Consumer Protection Act, 2019 covers banking, financing, insurance as services under its ambit. However, nature of a financial consumer and consumer of other goods and services differ vastly. Financial services are different in terms of these being customer-specific, intangible, concomitant in creation & delivery and a dynamic activity. To provide adequate recourse to financial consumers including that of digital lending beyond the established mechanism set up by regulators, a separate National Financial Consumer Protection Regulation under the above Act may be developed by all financial sector regulators which would enable the dispute resolution or grievance redressal bodies to deal with large number of service and financial disputes/ complaints in a more objective and decisive manner. Further, it should have specific provisions for digital contracts and delivery of financial services through digital mode.

(Suggestion - GoI)

3.4.3 Reinforcing Digital Lending Oversight To prevent loan origination by unregulated entities, REs should not be allowed to extend any arrangement involving a synthetic structure, such as, the FLDG to such entities. REs should not allow their balance sheets to be used by unregulated entities in any form to assume credit risk.

(Recommendation - RBI) The SLCC mechanism should additionally cover issues in the digital financial space and function as a forum for inter-agency co-ordination in such matters.

(a) A regular agenda in SLCC should cover reports on unauthorized apps in the market involved in digital lending/ illegal recovery and other types of activities associated with doubtful purpose/ suspected fraud. Given the national nature of digital lending, a centralized and fully digitalized data repository may be created for all issues in order to provide a country-wide view of market intelligence (MI) in real time, accessible to relevant agencies involved. Growth of any channel, product, etc. or complaints of similar nature should spur necessary regulatory/ supervisory/ enforcement attention.

(Recommendation - GoI/ State Governments/ RBI)

(b) Given the increasingly critical role played by mobile phones and mobile network operators (MNOs) in the financial system, TRAI should be inducted as a member or need-based invitee of SLCC and other security related inter-agency fora involving the financial sector.

(Recommendation - RBI)

(c) The KYC rigor for issuance of new/ replacement SIM cards, being a major vector for frauds/ illegal marketing of digital lending products, should be strengthened and the MNOs should be held accountable for any violation and shortcomings.

(Suggestion - GoI)

(d) In order to pre-empt any unscrupulous practice, such as, ‘rent-a-license’ by certain inactive NBFCs, those who have been granted CoR with provision of digital lending but who have not been carrying out such activity for a reasonably long period, their CoR conditions may be reviewed with an appropriate supervisory follow-up.

(Recommendation - RBI)

(e) RoC may consider enhancing the use of digital technology and multiple data sources for early identification of shell finance companies and finance companies with proxy directors or opaque beneficial owners on an ongoing basis. This should be followed by suitable action as per the law or reference to concerned agency for further attention. RoC may also consider making suitable arrangements for real time data sharing with RBI on the de-listing of such shell companies, companies with proxy directors or opaque beneficial owner, in order for RBI to take up further action with respect to association with such companies across banks and NBFCs.

(Suggestion - RoC) There is a need to facilitate identification of bad actors in digital lending space by enforcement agencies in a timely and less frictional manner. The payment system regulation should refine ‘travel rules’ for narration of One Time Password (OTP) and SMS/ e-mail alerts sent to users in connection with conducting payment transactions through any digital mode under PSS Act. It should, at the minimum, display certain details such as transaction amount, available balance, name of the receiver/ beneficiary (merchant or individual beneficiary, as the case may be) as returned by the receiver’s bank/ PPI Issuer and not provided by the sender.

(Recommendation - RBI)

(b) Relevant inputs from proposed Digital Intelligence Unit of Government, existing Telecom Analytics for Fraud Management and Consumer Protection (TAFCOP), and Telecom Commercial Communications Customer Preference Regulations (TCCCPR) 2018 should be made available to respective regulators, supervisors and their regulated entities and MNOs. Name of identified unscrupulous lenders should be made available to REs to enable them to do Enhanced Due Diligence (EDD) while allowing customers to use banking/ payment/ telecom channels for such activities.

(Suggestion - GoI/ RBI)

(c) The concept of a National Financial Crime Record Bureau (NFCRB), similar to or as a subset of National Crime Records Bureau (NCRB), with a data registry similar to CCTNS (Crime and Criminal Tracking Network and Systems) and accessible to REs may be considered by the Government. This will highly supplement the onboarding diligence in the digital/ FinTech based ecosystem. Leveraging the channel of FINNET of FIU-IND can also be explored.

(Suggestion - GoI)

(d) The local law enforcement/ police agencies must proactively surveil that no unauthorized call center operates in, or spoofing/ conversion of VoIP to GSM calls, etc. originate from sites under their jurisdictions.

(Suggestion - GoI/ State Governments)

(e) There is a need to strengthen non-traditional market monitoring through media/social media monitoring, web-scraping to identify the conduct issues associated with digital lending apps. Besides, all kinds of publicity material/ direct advertisement over the web of unverified digital lending apps may be continuously monitored and appropriate action taken. Appropriate detection techniques need to be used in the process.

(Recommendation - GoI/ SRO)

(f) Bank accounts regularly operated from a different/ overseas IP address, not consistent with KYC profile of the account holder, need to be monitored by banks for suspicious activities.

(Recommendation - RBI)

3.4.4. Safeguarding Financial Stability High yield-seeking alternative investments flowing into DLA segment can blur regulatory understanding of build-up of adverse incentives and potential spill-over of stress. Possibility of REs partnering with an unregulated LSP for digital lending could even lead to “step-in risks”. It is therefore suggested as under:

(a) Push marketing and unsolicited offers may exacerbate the risk of encouraging borrowing without a purpose. In order to streamline the push credits, REs peddling specific pre-approved loans/ limits to consumers based on scoring models should take a behaviouralised part of all such communicated amounts, based on average past conversion rate, as exposure for prudential regulation purpose.

(b) Appropriate periodical returns from REs may include digital lending data and (attempted) frauds in digital lending space so as to specifically capture crucial MIS.

(Suggestion - RBI) In order to match the advancements of digital lending (and FinTech aided financial services in general), there is a need for commensurate digital transformation/ technology adoption by the regulators and supervisors.

(a) The regulatory/ supervisory framework for digital lending (by extension, other FinTech products/ services) should be developed with a ‘seamless digital’ approach. It should exploit the power of RegTech and SupTech tools.

(b) There is a need to convert regulatory instructions for digital lending (all FinTech regulations by extension) to machine readable format for direct interface with the RegTech systems of the REs. The idea is to replace rules written in natural legal language with computer codes and to use artificial intelligence for regulatory purposes.

(c) There is already a market dominance of BigTech/ social media entities in nudging their users to go for specific financial products or services through front-end customer engagements. There are regulatory implications relating to concentration and competition risks that may emerge if BigTech players enter the direct digital lending market in search of profitability. In certain international jurisdictions, decentralized finance (DeFi) through blockchain technology is growing fast, which involves borrowing and lending activities using auction approaches. Embedded credits are also slowly gaining traction which need due regulatory attention. A blueprint of a forward-looking framework for identifying and managing risks arising from BigTech/ DeFi lending in a graded manner may be worked out in advance.

(Suggestion - RBI)

Section 4: Technology Standards of Digital Lending

A highly digitalized lending model is known for its scale, reliance on intangible information and much broader user participation. However, the legal status of DLAs/ LSPs, playing an intermediary role between multiple lenders and multiple borrowers, is ambiguous under Information Technology Act, 2000 (IT Act). Section 2(1)(w) of the Act defines an intermediary as below:

‘Intermediary, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;’

Even though DLAs/ LSPs may not directly fit in to the definition, the scope of the definition is wide enough to arguably qualify these entities as close to an ‘intermediary’ with activities extending to receiving / storing electronic records on behalf of REs, creating online marketplace. IT Act places certain responsibilities on intermediaries such as preservation of information16, non-disclosure of the collected information without consent or in breach of lawful contract17 etc. Besides, IT Act also vests certain powers with authorities such as penal action for contravention of provisions of the IT Act, power to issue directions for blocking of public access to any information through any computer resource, power to monitor and collect traffic data or information through any computer resource for cyber security. Uncertainty around treatment of FinTech platforms as ‘intermediary’ creates avoidable ambiguity.

4.1 Factors Spurting Growth of Digital Lending in India

The ubiquity of ICT has affected most conventional financial products in India and created newer products. Digital lending is driven by a combination of supply-side and demand-side factors. In India, unmet credit demand of younger cohorts, low financial inclusion, technological advancements and increasing internet penetration are going to be the strong drivers. However, trust in technology, data security and customer protection considerations will play a critical role in determining the extent of FinTech adoption. India accounts for the most number of DLAs in the world. India’s vision towards becoming a cash-light economy combined with the growth of public digital infrastructure and the demand for financial inclusiveness, makes it a front runner in the digital lending technology arena. The growth drivers have come both from supply as well as demand side as presented in the figures 4.1 and 4.2.

Figure 4.1

Figure 4.2

Of the above, the following could be considered as the major factors for growth of digital technology:

  • The smartphone revolution

  • Big data analytics, Artificial Intelligence (AI) and Machine Learning (ML)

  • Enabling technological developments

  • Eco-system conducive for digital lenders and FinTech companies

  • Increased digital uptake to overcome challenges posed by COVID-19

4.1.1 The Smartphone Revolution

The number of smartphones in India have increased from 100 million in 2014 to over 700 million in 2021. And this number is projected to increase in the coming years. This means that most of the Indian population now has access to the internet. This process has been hastened by the availability of low-cost smartphones and the proliferation of faster and cheaper internet connections. This gives users, especially those who need urgent small-ticket loans, the option to download lending apps and avail loans without long wait times, multiple approvals and multi-pronged verifications.

4.1.2 Big Data Analytics, Artificial Intelligence (AI) and Machine Learning (ML)

The smartphone revolution has led to large volumes of data being generated and shared. This data, though insurmountable to humans, is very valuable and here’s where technological advances such as Big Data, AI and ML help derive insights from the abundance of data and allow digital lenders to better understand the needs of their customers, perform timely underwriting and improve fraud detection.

  • Customer analysis: Big data analytics help digital lenders understand their customers’ needs and changes in their borrowing behaviour, in order to provide timely and customised lending options.

  • Underwriting: AI/ML models can be used to assess risks and make unbiased underwriting decisions. This allows for faster and more intelligent risk assessment, without human intervention.

  • Fraud Detection: AI/ML allows lenders to detect suspicious behaviour, identify repeated defaulters and flag high-risk loan requests.

4.1.3 Enabling Technological Developments

A collection of Application Program Interfaces (APIs) enables the government, businesses, start-ups and developers to harness India’s public digital infrastructure to build and deploy lending apps. The enabling factors are:

  • Aadhaar authentication and e-KYC: Digital lenders can utilize the biometric service of the Aadhaar infrastructure to authenticate users and perform e-KYC.

  • e-Sign and Digilocker: After verification, the lending app can harness the Aadhaar data to review borrowers’ banking activities, and also use scraping to gather data from their phones. Apart from providing borrowers’ creditworthiness, this avoids the collection and storage of paper documents. After selecting the loan option, the borrower can e-sign the documents remotely.

  • Unified Payments Interface (UPI): The UPI infrastructure can be used to disburse the loan amount into the borrower’s bank account. The pull function of UPI can also be used to receive loan payments.

  • User permission: Developments in obtaining users’ consent to access their data from across the digital platforms can ensure transparency and security across the digital lending lifecycle.

4.1.4 Favourable Regulatory and Policy Environment

India’s objective to increase financial inclusion and digitisation has led to the implementation of favourable policies and regulations. These flexible regulations ensure that unauthorised digital lenders are weeded out without affecting the growth of legitimate lenders.

4.1.5 Eco-system Conducive for Digital Lenders and FinTech Companies

With an untapped base of 120 million formally employed Indians without a credit card18, start-ups and venture capital firms are making a beeline for the digital lending market and in keeping with this trend, 44 per cent of FinTech funding in 202019 went to digital lending start-ups. With more funding and increased collaboration between established and new players in the digital lending market, the outlook for the sector is positive.

4.1.6 Increased Digital Uptake due to COVID-19

Lockdowns and restrictions imposed by COVID-19 in 2020 have driven consumers and businesses to take their transactions online. This has increased receptivity and confidence in digital transactions while enhancing consumers’ proclivity to avail instant loans from lending apps. Given the low overhead costs, technology-driven optimization and minimal manual intervention, compared to traditional loan processes, digital lenders can operate efficiently to cater to the aggressive economic needs of the post-COVID era.

4.2 Digital Lending Lifecycle

It begins with a user discovering the app and ends with the repayment of the loan. A generic digital lending process goes through the following stages:

  • Lending app discovery and registration

  • Loan application processing

  • User verification

  • Loan disbursement

  • Loan repayment

4.2.1 Distribution of DLAs

Users find digital loan apps primarily through:

  • Online searches on Search Engines and by browsing App Stores for related keywords.

  • Marketing material distributed by digital lenders via SMS, email, online advertisements (on websites, social media, apps) and messaging platforms (WhatsApp, Telegram), etc.

The most commonly searched keywords are: Instant Loan, Personal Loan, Aadhaar Loan, Cash Loan, Mobile Loan. The user then downloads and installs the app from an app store. They register on the lending app using their mobile number and/or e-mail address. The user gives the app the necessary permissions. Based on the permissions requested, the app can access various other apps and services on the user’s phone. In this step, it has been observed that many apps request for high-risk permissions.

4.2.2 Loan Application Processing

The user fills the application and thereby provides a host of information about himself. Based on these details, the app pulls his credit score, historical banking information, mobile recharge history, etc. from the phone. Each app uses its own proprietary algorithm to score the user based on his creditworthiness and chooses to underwrite the loan.

4.2.3 User Verification

Based on the underwriting, the app displays the loan options that the user is eligible for. The user chooses the appropriate loan option. The user then verifies his identity and e-signs the loan.

4.2.4 Loan Disbursement

The loan amount is then credited into the user’s account, many times to wallets and sometimes to bank accounts. Many of the apps are found to manage cash disbursement through deemed brokers.

4.2.5 Loan Repayment

Based on the repayment plan, the user pays back the interest and principal amount in the agreed number of instalments. In case of delay, the LSPs in the business of collection/ recovery step in.

4.3 Regulatory Perspectives of Digital Lending Technology

The regulatory perspectives in the specific context of deploying digital technology in lending services centre around: (i) black box AI, (ii) privacy and data security issues, (iii) cyber/ fraud risks, and (iv) forward compatibility.

4.3.1 Black Box AI

In the age of AI/ ML, mathematical models are bound to be living in all automation making vital decisions. Many of these models encode “human prejudices, misunderstanding, bias into a software system that increasingly manage our lives. …Right there you have something very dangerous.”20 The growth of the ‘connected’ lifestyle and reliance on mobile phones generates a treasure trove of 'alternative' data some of which is collected even before a consumer makes an application. There are unregulated web aggregators who collect data on prospective consumers, some with their consent and some without. The LSPs/DLAs often deploy algorithms that scour through hundreds of such alternate data variables, sometimes combined with traditional credit history, to model the applicant’s fitting in to the risk appetite of the FinTech lender which is often high. How these algorithms price risk, exploit or discriminate a consumer’s specific situation remain outside the oversight of regulators.

4.3.2 Privacy and Data Security FinTech platforms generally collect a lot of data from customers, including sensitive personal information and financial records. They also track information such as customers’ spending and social media patterns to generate an alternative credit score for determining their risk profile. While accepting terms and conditions of these platforms, customers are generally not conscious of the fact that they are signing away their privacy rights. This leads to concerns about protection of customers’ data from unauthorised access, explicit consent and awareness of customers about harvesting of their personal/ online behavioural data and sharing of data with third parties. The increasing share of digital lending can amplify these concerns. There is a need to clearly specify the obligations of FinTech platforms towards their customers. One of the first steps in the digital lending lifecycle is requesting access to various apps and services on the user’s phone. This has been a key concern for consumers and regulators alike. Several consumer complaints were analysed that cite instances of digital lenders or digital lending apps misusing the high-risk data collected. For example, certain lending apps are collecting users’ entire phone contacts, media, gallery, etc. and using it to harass borrowers and their contacts in case of delays in repayment. Table 4.1 shows the critical permissions requested versus the percentage of apps requesting these permissions:

Permission to read % of DLAs
Location ~30%
Camera ~30%
Contacts ~21%
Make Phone Calls ~11%
Record Audio ~11%
Table 4.1

While accessing and storing sensitive data such as location, camera, contacts, etc. comes with high-risk, some of it could be for the proper functioning of the apps. For example, e-KYC requires access to a borrower’s camera to verify their identity. Location data is required to prevent fraud and confirm the location of the borrower. As more companies go cashless and paperless, the number of apps requesting for critical permissions will continue to grow and a prophylactic ban on lending apps accessing certain permissions would adversely impact the growth and innovation in the sector. Hence, the better approach would be to regulate and formulate better standards for cyber security, privacy and fraud, instead of heavy-handed prohibitions. Numerous privacy lapses have been observed across digital lending apps. Some of the major concerns include:

  • Inadequate transparency about what information is collected, why it's collected and how it will be used.

  • No option for users to update, manage, export and delete their own data after their loan has been paid.

  • It is also concerning that some apps don’t disclose their partner banks or NBFCs.

  • Recovery agents use borrowers’ phone contacts, photos or any other sensitive data to harass borrowers and their friends and family. There are alleged reports of unbridled sharing of CIC information, except where only alternate data is used with propriety algorithm, without considering privacy issues. These situations include (i) an NBFC shares credit information with an LSP as a customer sourcing partner; (ii) an NBFC sharing credit information with an LSP under an information trading arrangement without any other business link; (iii) an NBFC sharing credit information with another NBFC, the latter not being a co-lender. While under the extant data privacy regime, it may be difficult to establish the source of information, adequate regulatory guardrails are warranted to prevent marketing of CIC data. In digital credit markets, consumer data and other information is increasingly used and shared in the lending and borrowing process. Standard minimum security practices in handling consumer data to ensure privacy set quality protocol to standardize data security. This can be done through new legislation, rules and regulations, or by utilizing existing laws and expanding their interpretation to include digital finance. In designing the regulatory framework, the regulators in a consultative manner determine: i) the way data is being used and ii) the way that data is being protected via provider policies and practices. That way, the main data risks and gaps in provider policies can be tracked and practices to stem these risks be developed. There are instances of the customer being held responsible for outcomes of data attacks when she/he has protected all sensitive information. Hence, there may be a need for standardisation of data use and response to security attacks. In cases, where data is mishandled by the service provider, they should be responsible and liable for the outcomes.

4.3.3 Cyber Security and Fraud Risks

There are certain concerns21 which are inherent to any illegal act committed using information technology and are not specific to digital lending per se such as anonymity22 in cyberspace, the issue of jurisdiction23, the question of evidence24, and non-reporting of cybercrimes to avoid bad publicity for businesses operating online. Digital lenders have to deal with defaulters, the use of stolen identities and even higher risks in the absence of loan collaterals. The constantly evolving and interconnected nature of disruptive business models in FinTech lending makes it difficult to assign liability for consumer harms. Cyber risks have heightened in recent period. Access Control

(a) Unauthorized Access: Poor access control policy allows unauthorized persons to access customers’ data. Apart from misuse, it enables threat actors to sell access to systems that hold sensitive information and financial data.

(b) Privilege Escalation: Threat actors can use initial access to low-priority systems to gain elevated access to sensitive resources to exfiltrate data or perform unauthorized actions. Infrastructure and Customer Protection

(a) Misconfigured Applications: Unsecured cloud servers, misconfigured applications, open ports and exposed API keys allow threat actors to gain access to customers’ information.

(b) Breaches/ Data Leaks: Since lending apps collect users’ PII (Personally Identifiable Information), financial data and other sensitive information, they are prime targets for threat actors. With reports showing that financial services companies are 300 times more likely than other companies to be targeted by cyberattacks25, lending apps should be prepared for potential attacks. If a threat actor gets access to a database containing this information, they can use it to hold the company to ransom or sell it on the dark web. They could also use it to carry out phishing attacks, scams and even identity theft. Apart from this, they can also use the initial access to deploy malware, ransomware or spyware. Fake Apps and Fake Domains: WG research shows that 600 out of 1100 lending apps currently available are illegal apps. And as the number of lending apps grow, this trend would spike, since a user downloading a lending app cannot identify if the app is legitimate or not. It is also likely that several copycat apps and websites will mushroom across the internet. If a consumer uses such an app or website, it could collect the user’s personally identifiable information (PII), financial data and other sensitive details, which can then be used to compromise the user’s accounts, carry out phishing attacks and identity theft. Apart from affecting the user, it also damages the reputation of the company that the fake app is impersonating. Fake Customer Care Scams: There has been a burgeoning of fake customer care scams across the internet, especially those affecting financial services and online businesses. These scams are used to collect sensitive information from users and defraud them. This can also damage the reputation of the digital lender. Synthetic Identity Frauds: Fraudsters create synthetic identities using valid but stolen Aadhaar numbers with accompanying false PII. Growing use of synthetic identity is often attributed to increasing amount of compromised PII from major data breaches over recent years as well as unintentional disclosure over social media. The complexity in its detection and its potential financial harm depends upon the method used by fraudsters to compose a fake identity. Some of the tell-tale characteristics of a synthetic identity could be multiple account applications from the same IP address or device, multiple identities with the same Aadhaar number, multiple applicants with the same address or phone number, etc. Hence, preventing synthetic fraud is difficult and hence, requires industry level partnership and close co-ordination with law enforcement to share information, identify trends and threats.

4.3.4 Forward Compatibility of Regulation BigTech Credit26

(a) Many large multi-national corporations whose primary business is technology (e-commerce, social media, payments enablers etc.) have started lending either directly or in partnership with regulated financial entities e.g., third-party application providers (TPAPs). These corporations have a captive user base whose data is readily available across multiple business lines and can be effectively utilised in the entire loan management life cycle. These firms have a large-scale customer base and leverage the trust and control generated in this non-financial business for moving into financial services. The firms typically enter the world of finance by providing their data, either raw or processed, to established financial services firms and gradually move towards providing financial services either in partnership or directly to their customers. The size of these entities poses a significant systemic and concentration risk to the economy. They have an unfair competitive advantage over regulated entities.

(b) Unlike the case of monoline FinTech firms, there are three characteristics of an integrated business model of non-financial conglomerates or BigTech firms that could raise concerns for regulators:27

(i) a complex governance structure, which could inhibit the ability of both the service providers and the regulators to correctly assess risks and mitigate them in a timely manner;

(ii) risks associated with the transformation of funds across subsidiaries and shadow banking activities;

(iii) cross-subsidisation, both in terms of cost and data sharing within an integrated business model, especially on the platform they serve clients.

Enhancing the traditional entity-based regulatory approach with activity-based regulations may be inadequate to ensure stability, level-playing-field/ competition and customer protection, in the case where a non-financial conglomerate or a BigTech firm in practice provides financial services across its associates in an integrated manner, i.e. where risk transformation, shadow-banking activities, and cross-subsidisation of cost and data could be done across financial-service subsidiaries in an integrated business model. Decentralised Finance (DeFi) Lending

An ecosystem of financial applications based on distributed ledger technology (DLT) operating without a third-party or central administration is generally known as decentralized finance (DeFi). Self-executing smart contracts form the foundation layer of DeFi. It is supposed to be an open-source, transparent and permission-less financial service environment. DeFi is reported to have the highest lending growth rate and is considered the major contributor for locking crypto assets. In India, there are a number of platforms that advertise DeFi facility.

4.4 Recommendations/ Suggestions

Regulatory policy measures associated with FinTech in general and digital lending in particular are usually classified into three groups: 28(i) direct regulation of FinTech activities; (ii) regulation focusing on new technologies for providing financial services; and (iii) developmental regulations for digital financial services. RBI is one of the select central banks in the world to have a separate and growing FinTech set-up. In view of emergence of new models in FinTech ecosystem and growing role of TechFins in the financial sector, an adaptive, outcome-focused regulatory framework with a responsive and iterative approach, needs to be conceptualized in the long term by RBI. It should provide for a segmented and data driven design rather than ‘one size fits all’ mold establishing/ consolidating regulations on minimum/ baseline technology standards, security practices in handling consumer data of FinTech Apps, including digital lending. The following are a set of recommendations and certain suggestions:

4.4.1 Institutional Mechanism The operations of so-called ‘digital banks’/ ‘neo banks’ formulation should be covered under Reserve Bank’s regulations. More of ‘Digital-only’ NBFCs can be encouraged and groundwork for opening digital-only banks initiated. This should also cover guidance on bank-FinTech partnerships. Some of such ‘over the top’ (OTT) entities posing as if they are into ‘bank’/ ’banking’ in business promotion materials must be prohibited from doing so and each of their partner bank should be required to set out operational codes for such OTT entitles. RBI Sandbox may also have a category for digital lending and allow digital lenders to innovate and experiment with flow-based lending products under its supervision.

(Suggestion - RBI) Verified apps are a way to ensure that the applications being used are in fact the authorized apps and not malicious or otherwise inappropriate. Lenders should not deploy any application, insourced, or outsourced, which has not been verified by DIGITA and does not carry signature granted by DIGITA as such (cf. para The verification will be a trust-centric verification of an app on publicly well-defined policies/ trust attributes as prescribed by appropriate authorities. DIGITA will also take care of updates and patch handling as well as publisher certificate forgery. The continued ‘verified’ status of apps must be maintained only when it is possible to distinguish effectively between the version of the application that is permitted and the altered version that could be unsafe.

(Recommendation - GoI/ RBI) Baseline digital hygiene guidelines to be issued by DIGITA in consultation with RBI would be suitably made applicable to LSPs (through REs of RBI).

(Recommendation - RBI/ DIGITA)

(a) Compliance with various basic technology standards/ requirements, including those on cyber security, stipulated by RBI will be a pre-condition to offer digital lending by the REs and for LSPs providing support to REs.

(Recommendation - RBI)

(b) DLA of each RE should have links to its own secured website where further/ detailed information about itself and about the loans, the lender, customer care particulars, link to Sachet Portal etc. can be accessed by the prospective borrowers. Alternately, this information could be made available on the app itself.

(Recommendation - RBI)

(c) Digitally signed documents supporting important transactions through DLAs of REs, such as sanction letter, terms and conditions, account statements etc. should automatically flow to registered/ verified email of the borrower upon execution of the transactions.

(Recommendation - RBI)

(d) Each DLA owner, including relevant LSPs, should name a suitably competent nodal officer to deal with FinTech related issues with customers as well as regulators, SRO, law enforcement agencies, etc. The contact details of the nodal officer would be displayed on the website of the DLA. The modalities may be finalized by the SRO in consultation with the Reserve Bank.

(Recommendation - RBI/ SRO) Even though Section 43A of the IT Act 29and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal information) Rules, 2011 (the “IT Rules”) address some concerns related to data protection, a comprehensive framework is essential to ensure protection of the individuals’ privacy and rights, to spell out the flow and usage of personal data, to create a framework for organisational and technical measures for data processing, to fix accountability of entities processing personal data, and to provide suitable remedy against unauthorised and harmful processing.

(Suggestion - GoI)

4.4.2 Technology Infrastructure and Standards Baseline technology standards for DLAs of REs should be defined. The standards for DLAs should include secure application logic and secure application code, keeping a log of every action that the users perform along with their geolocation, IP address, and device information, multi-step approval process for critical activities and monitoring of transactions passing through the App in an auditable manner.

(Recommendation - GoI/ RBI/ SRO)

(a) Standards that need to be prescribed are for ensuring security of applications running on mobile devices, proper authentication, and appropriate configuration of servers. All DLAs need to mandatorily have these reflected in the terms of service. The standard should include input validation, review of data that is being sent to external networks, clear access rules, measures to ensure adequate protection of sensitive data and protection from SQL infusions. They need to ensure web server and API security, integrity of the app as well as that the app uses appropriate data encryption technologies. REs building their DLAs on cloud infrastructure, must make sure that cloud vendors comply with commensurate regulatory standards. The apps should have specific technological safeguards to prevent frauds including sanction of loans on stolen identity.

(b) Software publishers use digital signatures to enable end-users to verify the authenticity and integrity of their products. Every FinTech app must be signed/ verified in a secure way to deliver data to the app based on data gathered by the phone sensors, and if an app is cloned and sends data to API that wasn't processed by the original algorithms, it must signal a significant risk. Apart from complying with relevant RBI guidelines on various standards on data and network security, monitoring for unauthorized access, data breaches, etc., the data need to be stored in servers located in India, as in the case of P2P and AA companies. As and when DIGITA finds any FinTech Apps with servers located outside India, it should immediately flag the same to RBI/ appropriate agency.

(Recommendation - GoI/ RBI/ SRO/ DIGITA) The REs should document the rationale for algorithmic features with necessary transparency to render it as explainable AI (X-AI).

(Recommendation - RBI)

(a) Algorithm audit should point at minimum underwriting standards as well as potential discrimination factors used in determining credit availability and pricing. It must be ensured that the data used for the training of algorithms must be extensive, accurate and diverse. The DLAs will be encouraged to use Glass-box models of AI to enhance transparency and acceptability of algorithms.

(b) Digital lenders should adopt ethical AI. Doctrine of ethical AI says that it must be developed with a focus on protecting and serving the users with endeavors to design algorithms on the principles of transparency, inclusion, responsibility, impartiality, reliability, security, and privacy. Lenders should also assume the “duty of explanation” and ensure that outputs from such algorithms are explainable, transparent, and fair by knitting ethical AI design to fabric of FinTech.

4.4.3 Data Governance

The broad principles for data privacy regulation centre around (i) notice and consent – both for collection and porting, (ii) purpose limitation, (iii) data minimization, (v) use limitation and (iv) retention limitation. The DLAs as responsible data fiduciary must honour all the principles as per the informed consent of the borrower. In the long run, it is expected that data infrastructure architecture (e.g. trusted third-party execution environment) and technology itself will have built-in safeguards to ensure such discipline. There is a global shift of data rights from data holders to customers of digital services. In the absence of an enforceable data protection law, financial consumers are still vulnerable about their personal and financial data. The Data Protection Authority, proposed in the Personal Data Protection (PDP) Bill, could serve as the regulatory body to oversee financial apps as well in future. While the extant guidelines of RBI and proposed DIGITA would partly address the symptoms of the problem, a more empowered legal and regulatory framework aimed at privacy policy of mobile apps, need to be put in place in long term to address information collected by apps from the device and use of tracking and analytic tools used in the Apps.

(Suggestion - GoI)

In the meantime, regulatory guidance as also industry initiatives may cover the following:

(Recommendation - GoI/ RBI/ SRO)

(a) As multiple players have access to sensitive consumer/ financial data, there must be clarity on issues like, the type of data that can be held, the length of time data can be held, restrictions on the use of data, data destruction protocols etc.

(b) DLA of REs, as all of them collect personal data, must have a comprehensive and compliant privacy policy available publicly. Details of any third parties, that are allowed to collect personal information via DLA, have also to be disclosed. The users will have the facility to request more details on the information that is collected. It is desirable that privacy practices of the DLAs are disclosed on the app at every stage, i.e., before requesting user permission to use personal data, during account sign up or login page, payment page, etc.

(c) Data should be collected with prior informed and explicit consent of the borrower which can be audited, if required. User Interface should not facilitate ‘trick consent’. The borrower should be provided with an option to revoke consent granted to collect their personal data and if required, make the app delete/ forget the data. After uninstallation of the App, there should not be any trace of access permission from the phone. Consumers should be able to give or deny consent for the use of specific data, its use, disclosure to outside entities (private, public or legal), and its retention and destruction. Consumers should be able to issue separate consent for each type of data that LSPs are accessing. LSPs should also inform consumers of the LSP’s data policies, especially in regard to monetising of consumer data. Codifying consent practices and recourse should be available in the case of data misuse.

(d) DLAs of REs should be required to notify consumers about detection of any privacy breaches that may leave their data vulnerable and suggest ways for consumers to respond to those breaches. When data breaches occur, pre-defined protocol should kick-in to ensure customers are aware of the security issue and the steps being taken to contain the damage. DLAs must state data misuse liability (cf para to consumer in clear terms and conditions at the time of on-boarding. In the matter of consumer data destruction protocol, DLAs must maintain quality control standards for time and manner of user data purging.

(e) Permission to DLAs for using resources accessible through operating systems, such as, camera functions, location data (GPS), telephony functions, messaging functions, Bluetooth functions, network/ data connections should be subject to need-based/ stage-based requirements. DLAs should collect only minimum required personal data from the borrower after indicating purported usage of each data/ access permission obtained. However, the regulatory focus should be more on use of data, rather than collection of data30.

(f) If functionalities of any government/ regulated utilities like the Aadhaar infrastructure, e-KYC, UPI etc. are used to conduct CDD, no biometric data should be stored/ collected in the systems associated with the DLA of REs. Data Privacy and security measures at the end of SMS gateways/ SMS service providers should be ensured by REs/ DLAs before onboarding them. Instances of SMS gateways monetizing customers’ data should be suitably dealt with by the appropriate agency.

(Suggestion - GoI)

Section 5: Financial Consumer Protection

From a financial consumer’s point of view, it does not matter who or how lending service is provided, but the expectations of fair/ equal treatment at the pre-contractual, contractual and post-contractual stages are universal. Digital lending generates many of the similar financial consumer risks as in the conventional lending models and a few more. Innovative technologies and delivery/ interface channels, along with new lending class/ vocabulary create unique and newer risks for consumers as the focus is more on convenience/ ease of access rather than protection. The millennial generation perhaps finds it easier to ‘set up’ an account with a DLA from an unregulated FinTech provider/ shadow lender than to use a tool or channel provided by traditional banks/ NBFCs. The cross-cutting consumer protection themes in digital lending centre around access to loan products and services by digitally deprived/ data-marginalised consumers; dissemination of information and counselling to consumers; design and suitability of products and services offered; and adequacy of grievance redress infrastructure.

5.1 Extant Frameworks in India

The precondition for digital financial consumer protection is a sound institutional arrangement which is varied across the world. Among various models used globally, with specific reference to digital lending, RBI follows an integrated model with an internal twin peaks approach i.e., separation of prudential regulation/ supervision from that of business conduct. However, the business conduct regulation/ supervision cuts across all the areas of consumer protection rather than only issues pertaining to digital transactions (although separate Ombudsman was created for digital banking grievances). Reserve Bank has historically, pre-empted and duly recognized various consumer protection issues emanating from the business of banking and issued various guidelines to REs under the relevant provisions of Banking Regulation Act, 1949 /Reserve Bank of India Act, 1934. The RBI’s approach to digital financial services has followed a graded path starting with voluntary compliance measures followed by regulatory instructions/ deterrents and then enforcement measures. A brief on the extant guidelines to address the potential consumer protection issues in the banking/ NBFC sector is provided hereunder.

5.1.1 Fair Practices Code: A Fair Practices Code (FPC) has been prescribed for both banks31 and NBFCs32. These entities have the freedom of drafting their own fair practices code, enhancing the scope of the guidelines but cannot curtail the spirit of the prescribed guidelines. The FPC, inter-alia, provides for –

  • general guidelines for loan application processing, transparency in interest rates/ fees/ penalty, other terms and conditions, non-discriminatory practices, post disbursement supervision etc. The banks should also inform the ‘all-in-cost’ of credit to enable the customers to compare the rates with other sources of finance

  • furnishing a copy of loan agreement (with all enclosures) to the borrower

  • prevention of undue harassment in the matter of recovery of loans by persistently bothering the borrower at odd hours, use of muscle power etc.

  • a board approved grievance redressal mechanism, such that all disputes are heard and disposed of at least at the next higher level

Further, NBFCs have been mandated to ensure that all communication to the borrower should be in vernacular language or a language as understood by the borrower. The loan sanction letter should contain the annualized rate of interest and penal interest charges should be highlighted in bold.

5.1.2 Managing Risks and Code of Conduct in Outsourcing of Financial Services: Financial institutions are increasingly using outsourcing as a means of both reducing cost and accessing specialist expertise, not available internally and/ or to achieve strategic goals. Reserve Bank has hence, laid down comprehensive guidelines/ directions for both banks33 and NBFCs34, which broadly follow the principle that the outsourcing of any activity does not diminish their obligations and those of their Board and senior management, making them responsible for actions of their service providers (direct selling agents, recovery agents etc.). A Board approved outsourcing policy needs to be put in place, which incorporates, inter-alia, due diligence criteria for selection/ renewal, delegation of authority depending on risks and materiality, and systems to monitor and review the operations and policies periodically. Some indicatory provisions of the code to address the consumer protection risks are as under:

  • Regulated entities have to ensure customer data privacy and security in the hands of service providers, including any security breaches.

  • To ensure, fair treatment of borrowers, the regulated entity and their agents shall not resort to intimidation or harassment of any kind, either verbal or physical, against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude the privacy of the debtors' family members, referees and friends, making threatening and anonymous calls or making false and misleading representations.

  • All service providers need to adhere to a Code of Conduct (as approved by Board/ prescribed by IBA). It is essential that the recovery agents adhere to extant instructions on Fair Practices Code.

  • It is the onus of the regulated entities to ensure these service providers are properly trained to handle with care and sensitivity, their responsibilities particularly aspects like soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer etc.

5.1.3 Code of Recovery: Comprehensive guidelines on recovery agents has been prescribed for banks35 (in case of NBFCs, general guidelines are prescribed in the FPC to prevent undue harassment to customer), which provide for due diligence of agents, (advance) information to the borrower about recovery agencies, adherence to FPC, outsourcing guidelines and code of conduct by recovery agents, no further assignment of cases to agency until disposal of any complaint lodged against it, and mandatory training of recovery agents, etc.

5.1.4 Ombudsman Scheme: Customer complaints and grievances are integral to any business, regardless of comprehensiveness of business conduct guidelines. To give voice to the consumers and identify the consumer grievances on an on-going basis, Ombudsman Scheme was hence, operationalized in 1995 to establish a system of expeditious and inexpensive resolution of ‘bank’ customer complains. The Banking Ombudsman Scheme has evolved over the last two decades36 and a dedicated Ombudsman Scheme had also been instituted for NBFCs37 in 2018 and for digital transactions38 in 2019. An integrated Ombudsman Scheme39 has been rolled out to further enhance the simplicity, effectiveness, and responsiveness of the Ombudsman framework adopting a ‘One Nation One Ombudsman’ approach.

5.1.5 Key Fact Statement (KFS): As per the provisions, banks should provide a clear, concise, one-page key fact statement/ fact sheet, as per prescribed format (Annex F) to all borrowers as in case of any change in any terms and conditions. The same may also be included as a summary box to be displayed in the credit agreement. A standardized loan agreement in a language of customer’s choice, has also been mandated for the borrowers of NBFC-MFIs.

5.1.6 Charter of Customer Rights: Additionally, a Charter of Customer Rights was released by Reserve Bank in 201440 which enshrines broad, overarching principles for protection of customers of all scheduled commercial banks, regional rural banks, and urban co-operative banks. It enunciates the ‘five’ basic rights of bank customers, viz. (i) Right to Fair Treatment, (ii) Right to Transparency, Fair and Honest Dealing, (iii) Right to Suitability, (iv) Right to Privacy, and (v) Right to Grievance Redress and Compensation. The banks are expected to prepare their own Board approved policy incorporating the five basic rights of the Charter which, among other things, would contain monitoring and oversight mechanism for ensuring adherence.

5.1.7 Risks associated with Information Technology: Appropriate guidelines have been prescribed for both banks41 and NBFCs42 suggesting measures to be undertaken to ensure stability and security of their IT systems and prevent incidences of cyber breaches which may have implications on consumer protection.

5.1.8 Consumer Protection Act, 2019: The new Act, as is applicable to banking and financing services, provides for enforcement of six consumer rights and has brought e-commerce and electronic service providers within its ambit and is hence applicable to digital lenders and their agents; the Act inter-alia has specific provisions prohibiting false and misleading advertisements, and unfair trade practices.

It is pertinent to note that all the aforementioned guidelines on consumer protection are applicable to all regulated entities and/ or their agents engaged in digital lending. In line with the rapid increase in digital lending, and the associated consumer protection risks, RBI vide its circular titled ‘Loans Sourced by Banks and NBFCs over Digital Lending Platforms: Adherence to Fair Practices Code and Outsourcing Guidelines’ dated June 24, 2020, had reiterated the responsibilities of all regulated entities vis-à-vis the extant guidelines and emphasized their adherence in letter and spirit.

5.2 Global Practices

There is no specific globally recognised regulatory framework for digital lending platforms43. It is interesting to note that many jurisdictions have additional requirements for providers of payday loans apart from general requirements for any credit providing institutions. The products offered by most of the digital lending platforms are short tenure loans which are similar to payday loans.

5.2.1 Australia

A cap on costs exists for all credit contracts (excluding those offered by an authorised deposit taking institution). The cap varies based on the term of a contract and the amount of credit. It is presumed that the customer is unsuitable if he/ she is in default under another Small Amount Credit Contract (SACC) or has had more than two SACCs in the last 90 days.

Any payday lender must display a warning statement at their premises, online or over the phone. Additionally, it has to provide contact details for free debt help and alternatives from financial counsellors, Australia’s social security agency and ASIC’s MoneySmart (financial education) website.

5.2.2 United Kingdom

Payday lenders are required to carry a risk warning which needs to be made prominent and that redirects consumers to the website of the authority in charge of debt advice in the country, the Money Advice service. According to Advertising Standards Authority of UK, misrepresenting the product in advertisements by suggesting that these loans are a viable means of addressing ongoing financial concerns, explicitly encouraging non-essential spending or themes or styles that are likely to appeal to children have to be avoided.

Financial Conduct Authority has introduced caps on interest rate, other fees and default fees with an overall cap on total amount of additional charges that can be collected. There is a limit to two rollovers for payday lending. Additionally, they are required to publish details of all their payday products sold online on at least one FCA-authorised price comparison website and must provide link to that website from their own. There is a cooling off period of fourteen days before which a consumer can withdraw.

Another distinction for UK is its Consumer Rights Act 2015 inasmuch as it was innovative in seeking to create a distinct regime for digital contracts, closely modelled on the rules for sale of goods (later adopted by EU as well). This is a good example of the law seeking to maintain traditional consumer core values whilst adapting them to the digital context.

5.2.3 Ireland

The Consumer Protection Code for Licensed Moneylenders (Central Bank of Ireland, 2009) also requires that moneylenders must ensure any warnings required by the Code are prominent i.e., they must be in a box, in bold type and of a font size that is larger than the normal font size used throughout the document or advertisement. They are also required to prominently indicate the high-cost nature of the loan on all loan documentation where the APR is 23% or higher.

5.2.4 South Africa

A pre- agreement quotation has to be provided to the borrower valid for five days. The cost of credit, which includes initiation cost, monthly service fee, credit life insurance and interest rates, is regulated and capped in a staggered manner.

5.3 Conduct Aspects of Digital Lending in India

In the context of equitable distribution of benefits from AI, insofar as financial inclusion is concerned, ethical and responsible use of digital technology often comes up for discussion. There has been a general feedback on lack of such responsibility from the DLAs. This phenomenon is illustrated by the following diagram:

Fig 5.1

Some of the contemporary conduct aspects of DLAs have a close resemblance to the issues in microfinance sector in 2010. Some microfinance institutions (MFIs) at that time pursued aggressive business strategy and margin growth without considering the vulnerabilities of the borrowers or its potential macro-economic impact. Some of the high yield seeking investments in the digital lending space appear to have adopted a similar approach. The difference this time is that it is amplified by digital technology and hence the potential impact might be much wider. The business conduct aspects especially those pertaining to protection of the vulnerable sections have been analysed and identified under the following broad concerns.

(a) Pre-contract stage – (i) product design and distribution; (ii) over indebtedness

(b) Contract Stage – (i) transparency; (ii) responsible pricing

(c) Post Contract Stage – (i) fair and respectful treatment; (ii) effective recourse

5.3.1 Product Design, Access and Distribution Consumer protection risk must be assessed throughout the life cycle of the product starting from product development. Without access to user feedback, many providers do not fully understand consumer needs. Because target consumers are inexperienced with financial services, they might not fully understand their own needs either. Lack of knowledge both on the consumer and provider sides, creates a disconnect between user needs and the financial products that they use. Consumers, then, fail to manage their finances effectively and do not use the tools that would most benefit their individual circumstances. In the absence of easy-to-understand information, borrowers tend to choose the most easily available product, without fully comprehending the consequences. Impacts get amplified manifold in digital medium because of its instant, remote, and automated nature. While inadequate information imposes a disproportionate burden of repayment on the vulnerable consumers, excessive and generic disclosures by the financial service provider render consumers less inclined to review such generic disclosures. As product appropriateness is a critical matter, it should not be left only to the principle of ‘caveat emptor’, DLAs need to adopt suitability requirements to ensure its appropriateness to the consumer’s needs and circumstances. This can be achieved through a KYC process involving sufficient and verifiable information for customer segmentation. This can be then used by human and technical resources to ensure that the service/ product being offered to a prospective consumer is appropriate for her/ his needs, expectations and risk profile. Even from lenders’ perspective, assessment is often based on algorithms which are not foolproof to identify the most suitable product in view of the possibility of faulty assumptions in the machine learning process. Hence, the loan product interface should include several means of actively engaging with the borrowers. Further, the labelling of input controls in vernacular languages should be helpful, particularly for rural customers where the awareness about the products and associated data points are often low. Aggressive advertising by DLAs, coupled with instant disbursements, can also lure some customers to borrow recklessly for consumption/ life-style needs. Unsolicited invitations for digital loans, can lead to over-indebtedness and non-repayment. Augmenting the loan application form to ask a couple of simple numeracy questions will help identify some high-risk clients at low cost. Asking the customer a simple verifiable question such as how much she/ he can repay every week given her/ his stated current monthly income and expenses is easily done. If she/ he gets it wrong, she/ he could be offered a smaller loan and monitored more carefully. This further implicitly places more responsibility on the customer to borrow responsibly44. Increasing dependence of lenders on third-party platforms may also lead to situations wherein the customers get locked out of the system in case of any unilateral restriction on access imposed by the platforms and may face difficulty in having direct access to lender. In recent times there has been the development of several new products like, 'Buy Now Pay Later (BNPL)' which is a form of point of sale credit – buyers/ purchasers are typically given a 15-30 day interest-free repayment period. Such transactions are not reported to the credit bureaus, as they do not fall under the definition of ‘credit’. It is often labelled as a product for enhanced customer engagement and seamless user-experience, a potential replacement for credit cards, but not a credit product. However, if the user fails to make the payment in the interest-free period, he may be a charged penalty, fees and the outstanding amount may be converted into EMI. Though BNPL models are being deployed in partnership with banks /NBFCs, many FinTechs are also taking the exposure on their balance sheet and treating them as deferred payments.

5.3.2 Over Indebtedness/ Predatory Lending The consumer over-indebtedness is a consequence of both the demand and supply side variables. Over indebtedness starts before a default actually happens. Reckless lending in the digital realm has been perpetrated in equal measures by lax pre-agreement borrower assessment policies of lenders, including but not limited to their failure in establishing/ assessing consumer credit worthiness, and current state of indebtedness. Information about loans extended by money lenders or companies other than NBFCs is not submitted to credit information companies. This may lead to under-reporting of outstanding loans of the borrowers resulting in their over-indebtedness. The concept of responsible lending expects lenders not to act solely in self-interest but also bake in prevention of borrower’s detriment through the life cycle of the relationship, ensuring both an affordable (for borrower) and sustainable (for lender) credit. Notwithstanding the regulatory efforts, and disciplined lending, an ignorant borrower or urgent need for credit by a borrower, not matching the repayment abilities often pushes her/ him to over-indebtedness. Certain lenders may have also been indulging in reckless lending practices guided by sheer profit motives, riding on excessive interest rates to compensate for the delinquencies. There is also a tendency to increase the business rapidly by lending to sub-prime borrowers beyond their repayment capacity and the increased risk gets priced in terms of higher spread charged to all borrowers, resulting in exorbitant interest rates. Hence, suitable remedial measures need to be provided for the customer to service his debt and live his life with dignity. The focus needs to shift from a sales-oriented culture to an engagement-based culture. Customers should feel confident in dealing with the lenders, rather than perceiving them as predatory. Organizations need to invest in educating customers about good financial behaviour and the pros and cons of various financial products as per their life-stages. Equally important but often underemphasized facet of product appropriateness is the responsible borrowing culture. The onus is equally on the borrowers to provide accurate and complete information to the lender to enable them to make an informed lending decision rather than providing misleading information or hiding any relevant information. The borrower should put in efforts to verify the credentials of the lenders and pay heed to the terms and conditions of the loan. The borrower should also make an assessment of their income and repayment capacity considering their expenses and should carefully consider if availing credit is the only option left to meet the immediate needs/ wants This becomes more critical in case of loans availed for consumption/ life-style needs. Last but not the least, the borrower is obliged to make timely repayments. He should realize that any laxity on this front is not in his self-interest and may impact his credit history adversely thus making it difficult to avail credit on favourable terms in future. What could be lacking currently regulatorily are explicit guidelines in the Fair Practices Code to restrict reckless lending, and predatory practices like debt entrapment (ensuring that borrowers will be unable to repay loans and ultimately forcing them to default), debt treadmill (finding methods that will produce a constant stream of fee payments from the borrower to the lender) and debt criminalization (making borrowers fear arrest if they fail to repay their loans).

5.3.3. Transparency Without transparency on the part of credit providers, consumers miss relevant information that they use to make financial decisions. Compounding this, consumers often have limited resources and knowledge about financial terminology which prohibit them from understanding often complex financial products and services. As a result, consumers, are unable to understand or gain correct, clear, and/ or comprehensive information about credit products. Consumers, then, make poor or suboptimal choices. Total cost of a loan and other key aspects are not always communicated to the prospective borrower. In view of low financial literacy/ numeracy and complexities involved in the financial products, there are inherent information asymmetries in the financial sector, with suppliers having more information than customers resulting in disadvantage to the customers. Therefore, full disclosures about the loan product and its features become a key factor to bridge this gap. At the same time, these disclosures should not lead to information overload which can undermine the usefulness of the information provided. Fair and simple disclosures enable the customers to compare different loan products across various service providers thus empowering them to make an informed decision. An improved understanding by the borrower would also enhance competition which may lower interest rates and raise the quality of services offered by the digital platforms. Another concern is regarding customers’ poor understanding of what data is being used for what purpose by the DLAs and with whom the data is being shared. Even if they understand, they cannot easily access and control how DLAs use their data. Algorithms used by DLAs can reproduce and perpetuate certain outcomes which are systematically prejudiced due to erroneous assumptions in the machine learning process thus discriminating against certain sections of customers. Lack of standardized loan agreements giving rise to lengthy documentation is often a barrier for accessing small ticket loans from conventional lenders, which is relatively lower in the digital space. The extant guidelines emphasize transparency in loan agreements through upfront disclosure of rates/ fees/ penalty etc. A standardized key fact statement/ loan card has also been prescribed for banks/ NBFC-MFI. Standardization of a loan fact sheet, along with the most important terms and conditions across the credit industry (and specifically digital lending) needs to be ensured to facilitate transparency and also enable comparability (against various lenders) for the typical borrower. Every communication also needs to be in the vernacular language, or a language as understood by the borrower.

5.3.4 High Pricing/ Usurious Lending With a customer base largely comprised of small borrowers having limited financial knowledge, it is of paramount importance for DLAs to be transparent about the total cost including interest and other charges borne by the customers. DLAs carry out credit assessment by using alternative data and mostly cater to those borrowers, who do not have a well-documented credit history and are not served by the traditional financial institutions. Therefore, their assessment models are based on high loss rates which, in turn, are compensated by levying high interest rate and other charges on all borrowers. Further, there is a tendency to mask the excessive interest rates by disclosing only weekly or monthly rates depending on the repayment schedule. It has also been observed that the entire costs associated with first loss default guarantee or any other such mechanism offered by the platforms to their lending partners are passed on to the borrowers resulting in higher interest rates. Though it is difficult to have the same benchmark for the level of interest rates for all borrowers across all segments, rates of interest beyond a certain level are indeed excessive and can neither be sustainable nor justifiable Statutory caps on interest rates, also known as usury laws, have always been highly debated. It is contended that such caps reduce exorbitant interest rates and unfair treatment for the most vulnerable customers, who would otherwise be reduced to eternal debt servitude. However, interest rate caps are argued to exclude high risk borrowers from obtaining credit or developing a credit history, as lending to them becomes unprofitable. The Usurious Loans Act, 1918 (as is applicable to unorganized sector, including money lenders45) gives power to courts to examine and re-open transactions if there is reason to believe that the interest rate is excessive, or transaction was substantially unfair. The Act was primarily enacted in the pre-independence era to offer protection to agrarian borrowers who often were charged excessively high interest rates. Section 21A of The Banking Regulation Act, 1949, however, limits the application of the Usurious Loan Act to banking companies. A list of existing provisions governing usurious interest rates under various statutory acts is given in Annex G. The REs are instead governed by extant regulations and guidelines, which inter-alia include provisions on transparency in pricing and responsible lending. In the spirit of customer protection, especially the most vulnerable, the Malegam Committee46 in its report examined the issue of pricing of credit and noted that affordability for borrowers should go hand-in-hand with sustainability for the MFI. Keeping in view the vulnerability of MFI borrowers, it opined that some form of interest rate control is essential – an interest rate cap would lead to exclusion; hence, a margin cap was recommended as it is also fairer to the MFI (it will not be exposed to the volatility risk associated with cost of funds). The extant FPC for NBFCs, touches upon the complaints above excessive interest charged by NBFCs, and states that though interest rates are not regulated, rates of interest beyond a certain level may be seen to be excessive and can neither be sustainable nor be conforming to prudent financial practice. Reserve Bank, as per its extant guidelines, does not generally regulate the rate of interest in a prescriptive manner. Regulators need to tread with caution in quantitatively defining a ‘usurious’ rate as a one-size-fits-all approach would be detrimental to the ecosystem. The core rationale for deregulating rate of interest lies as much in wide variation in cost of funds, business models, and margins, etc. as in promoting an open market for credit. Further, a rate cap or margin is likely to result in crowding of interest rates at the upper threshold, which will be disadvantageous to the general borrower. It would be prudent to instead, examine the extant regulations on excessive interest rates and transparency in pricing, and adapt them to the realm of digital lending. Specifically, in digital lending, it has been observed that -

  • The existence of layer(s) between the borrower and the balance sheet lender leads to non-transparent and unethical loan pricing. The regulated entities are at times not aware of the additional charges/ fees being levied by their third parties.

  • As has been explained in Section, credit risk sharing mechanisms have also emerged in the form of first loss default guarantee. Internal cost compensation arrangement between the balance sheet lender and the LSP has a bearing on the interest rates being charged to the customers.

  • Costs associated with FLDG or any other such mechanism are passed on by the platforms to the borrowers resulting in higher interest rates.

5.3.5 Fair and Respectful Treatment Fair treatment of customers generally includes ethical conduct, reasonable selling practices, and treatment of customer’s information. Even though the principles of fair treatment are adequately known, it is a difficult task to hard-code these in regulations. Nonetheless, the basic principle remains that the customer should be treated fairly and respectfully at all times. This assumes more significance in digital lending where the target customers are usually small borrowers having limited access to/ awareness about grievance redressal mechanism. This, in turn, may either leave them no option but to accept unruly behaviour or lead them to take extreme steps. There is a need to explicitly establish lenders’ responsibility for the behaviour of their digital partners specially in collection practices by way of severe sanctions for any infractions. Another concern, specifically in digital lending, pertains to security of borrowers’ information as well their privacy. These concerns get exacerbated in digital lending because of usage of technology which creates greater data footprint besides providing anonymity. There is a need to establish a framework which ensures confidentiality and security while promoting creation of a well-managed information sharing process to build the credit history. DLAs rely extensively on alternative data to assess creditworthiness of borrowers. Data-points pertaining to personal details and social behaviour are fed into algorithm-based underwriting models which rely on AI and ML. Over a period, the outcomes of these models may inadvertently discriminate against certain section of borrowers thus depriving them access to credit. No Uniform Code of Conduct for Recovery Agents: Having no collections team on the field, some digital lenders reportedly misuse signed agreements to access mobile phone data and contacts of the borrower to adopt strong-arm inducements to repay. Threat of real or make-believe police complaints/ legal notices against borrowers have also been used for recovery. Few digital lenders are understood to have invested in a hybrid collections infrastructure to use softer modes of follow-up. Coercive, intrusive methods of recovery, which cause undue harassment to the customer and lead to violation of customer data privacy, are a major cause of the consumer complaints in digital lending. It is noted that separate guidelines have been set out for recovery agents employed by banks which is more comprehensive than the directions issued for NBFCs (currently a part of FPC). The distinction may need to be reviewed to ensure similar standards are employed for agents employed by banks and NBFCs. Besides, on-field collection teams and optimum-sized call centres would also make the lender understand the challenges faced by the customers in repaying. Due Diligence of Third-Party Service Providers: The extant guidelines provide for a board approved policy to be framed for selecting any service providers by a regulated entity. The Working Group’s representative survey has, however, revealed that there are instances of regulated entities partnering with multiple apps for loan disbursement (an RE was found to be partnering with 36 apps, while many others had partnered with 15-20 apps). The number and choice of LSPs a bank/ NBFC partners with is a commercial decision. However, the regulated entities should be in a position to conduct meaningful and thorough due diligence for all their partners, while also ensuring their adherence to the outsourcing and FPC guidelines on an on-going basis.

5.3.6 Grievance Redress and Effective Recourse Financial consumers have an inherent right to an accessible, affordable, fair, and timely grievance redressal mechanism, and the same principle governs a digital credit consumer. The tech-enablers (smart phones, internet, AI/ ML, etc.) of digital lending facilitate an instantaneous, faceless, hassle-free consumer credit journey but paradoxically, have not translated into an improved, simplified experience vis-à-vis grievance resolution. The hallmark of any effective complaint resolution mechanism is succinctly captured in the ability of a consumer to answer – how, when, and where? However, a typical digital borrower in India seems to be unable to either establish, identify or navigate the resolution process. The DLAs aggressively market, nudge, and even hand-hold consumers to avail loans digitally but are lacking in their efforts to provide grievance redressal which is not only a violation of extant guidelines47 and consumer rights, but also endangers the adoption, acceptability and trustworthiness of digital lending amongst the masses in the long run. The presence of multiple third parties has led to dilution of responsibility, which translates into unavailability/ ineffectiveness of single point of contact for the customer. Many DLAs do not (prominently) display the name and appropriate contact details of the grievance redressal officer. The lack of a face-to-face interface in the digital lending models, especially for complaint resolution, affects the accessibility of the redressal mechanisms for most consumers. The presence of unregulated entities in the space further aggravates the problem. The REs need to ensure adherence to the extant RBI guidelines for grievance redressal mechanism in letter and spirit, including for redress of grievances from outsourced services. Further, considering the uniqueness of the digital channels for credit delivery, it is imperative to leverage technology and explore newer, inclusive, and more responsive mechanisms for grievance redressal. There are two avenues for effective grievance redress and dispute settlement concerning financial consumer - the first is internal at the institution level and the second is redress obtained from an external independent body. There is a need, particularly in the space of consumer lending, for having an affordable and efficient grievance/ dispute resolution mechanism with effective enforcement powers. Ombudsman Scheme: The Ombudsman Scheme extended to NBFCs in 2018 is applicable to (a) those authorized to accept deposits, or (b) have customer interface with asset size of one billion rupees or above. The high threshold of asset size essentially exempts smaller NBFCs, which originate majority of the small-ticket digital loans, and hence, the deterrence effect is absent in majority of the digital lenders partnering with (smaller) NBFCs.

5.4 Recommendations/ Suggestions

5.4.1 Loan Product Design and Distribution Most digital lending apps rely on bulk SMS marketing campaigns and some deploy contextual in-app/ web-search strategies to tap their prospective customers at their most vulnerable state. Loan products must be advertised without making misleading claims and without misleading the consumer. Each DLA must have “opt-in” and “opt-out” options, the latter being the default option, for sending consumers/customers marketing messages. The DLAs must adopt responsible advertising and marketing standards in line with the Code of Conduct to be put in place by the proposed SRO.

(Recommendation - GoI/ RBI/ SRO) Minimizing cases of repayment stress/ distress

(a) In order to discourage perpetuation of ‘payday loans’, fixed sum/ non-installment unsecured STCCs with very short contractual maturity should be put under regulatory restrictions.

(Suggestion - RBI)

(b) The DLAs catering to low credit-penetrated markets, should design more sachetised/ simplified products with appropriate mobile interface designs in a manner that can be easily understood by the target consumers. Sachetised/ Simplified products would help consumers make well informed borrowing decisions.

(Recommendation - SRO/ REs)

(c) DLAs should provide mandatory user education at user/ customer on-boarding/ sign-up stage itself about the product features and about computation of loan limit & cost. Borrowers must know the costs and conditions associated with the product before they accept to borrow and assume obligation to pay.

(Recommendation - GoI/ RBI/ SRO)

(d) A cooling off/ look-up period of certain days (globally, it varies between 3 to 14 days) should be given to customers for exiting digitally obtained loans by paying proportionate APR without any penalty, regardless of source of funding for such exit i.e., own source or refinance.

(Recommendation - GoI/ RBI) All disclosures about the proposed credit facility should be available to the borrower upfront in an easily understandable manner to facilitate comparison. In this regard, the following are recommended:

(Recommendation - GoI/ RBI/ SRO)

(a) Each lender should provide a key fact statement (KFS) in standardized format for all digital lending products. Besides, the lender should also send SMS/ email with a summary of product information and ensure that the customers understand the lending terms and conditions. Contracting process and delivery of information should include digitally signed sanction letters to be emailed and abridged KFS to be sent by SMS/ e-mail. The format of KFS, for it to be effective, should be developed after obtaining feedback from consumers on their expectations from such statements. Brokered loans, DLA/ lead generator’s commission (e.g., yield spread premium) should be disclosed to the borrower) if the borrower bears the cost directly or indirectly.

(b) A standardized and simplified loan agreement format may be prepared by the proposed SRO for financial consumers of digital lending covering terms and conditions. The loan agreement should be in a language understood by the borrower, say, in vernacular language. Needless to add, such agreement should be in consonance with the applicable laws, regulations and FPC.

(c) Responding to consumers with the reasons for decline of a credit application made through DLAs should be mandatory.

(d) Lack of mutual information creates a wedge between user needs and the products that they use. All digital lenders may be required to gather feedback/ rating of their service in the formats to be designed by the proposed SRO.

5.4.2 Preventing Over-indebtedness (Anti-predatory Lending) Underwriting standards should be demonstrably adopted by all lenders using the services of DLAs. Some of the typical protections against payday loans, based on the model of Consumer Financial Protection Bureau (CFPB) of USA, are enumerated in Annex H. While complying with the CDD norms, lenders should ensure to capture the economic profile of borrowers. The digital lenders distributing products such as one-click loans, will be duty-bound to assess the consumer’s creditworthiness in an auditable way.

(Recommendation - GoI/ RBI) All DLAs should refrain from employing predatory lending practices that push the borrowers to unsustainable levels of personal debt. Guiding principles in this regard may be developed by RBI/ proposed SRO. These recommendations/ suggestions cover aspects beyond digital lending in view of the commonality of concerns.

(a) For the purpose of STCC, while it may be difficult to prescribe a quantitative definition of over indebtedness, a uniform and principle-based approach to determining indebtedness/ debt serviceability of individuals/ households should be worked out. Such an approach should factor in the structural/ long term liability profile of the borrower rather than his short-term liability profile.

(Suggestion - GoI/ RBI)

(b) Anti-Predatory Lending Policy has to be formulated and publicly displayed by each lender. All STCC customers need to be mandatorily (akin to statutory warnings) taken to a financial education website page designed in vernacular languages to acquaint the prospective borrowers of the risk and consequences of high-cost loans and alternatives available, if any. The intention should be to enable the vulnerable sections to have better access to fair, non-exploitative, loan facilities. The scope of the Financial Literacy Centres (FLCs), Centre for Financial Literacy (CFLs) and even Electronic Banking Awareness and Training Programmes (E-baat), may be expanded to include digital lending and DLAs.

(Recommendation - GoI/ RBI)

(c) Restriction on loan flipping (a type of restructuring/ refinancing) may be considered where high-cost loans are subjected to refinances (say, more than twice in 18 months), without demonstrating any benefit to the borrower, such as, whether the borrower receives cash, a lower interest rate or a lower monthly payment as a result of the refinance. The restructuring/ refinance (loan flipping/ churning) for STCCs should be in accordance with the regulatory guidelines to be framed for such purpose. Automatic increases in credit limits should be prohibited except under express consent taken on record for such increases, subject to satisfying general customer protection measures.

(Recommendation - GoI/ RBI)

5.4.3 Responsible Pricing (anti-usurious lending) The regulatory approach should include, among others, moving beyond mere disclosure and fair practice framework to more regulatory guardrails, particularly in respect of recurring issues.

(a) RBI may establish standard definitions for the cost of digital STCC/ micro credit as Annual Percent Rate (APR). All contingent costs should be appropriately factored in the APR. This would enable disclosure of costs in a clear and understandable way. The disclosure should include monetary and non-monetary impact of early, partial, late or non-repayment of the loan (contingent costs). Such information can be shared electronically, in a timely and cost-effective manner. Better understanding of costs by financial consumers of STCC can improve repayment performance.

(Recommendation - GoI/ RBI)

(b) There should be specific lending norms tailored for STCC lenders, such as affordability rules, the number of concurrent short-term loans or multiple loans that a consumer can hold at a point in time or over a given period. For lenders other than REs, GoI may like to take action. The STCCs generally carry comparatively higher cost. While the WG does not recommend any hard cap on the APR, the SRO shall keep a tab on such market-mechanism, which can be considered as high cost STCCs48.

(Recommendation - GoI/ RBI/ SRO)) Certain operational practices loaded against the financial consumers should be directly addressed.

(Suggestion - GoI/ RBI)

(a) Interest amount must be charged in arrears and never charged/ debited in advance. Any other fee should not be included as outstanding principal for compounding purpose. All fees should be included in calculation of APR and should be reasonable, and intended to cover costs closely related to the reason for fee, e.g., administrative cost or notional loss from early payment etc. Lenders are supposed to earn income from lending activities. Some digital lenders are charging interest for the whole month even though the disbursal does not take place in the beginning of the month. The interest calculation should be on actual days basis. Similarly, the benefit of interest reduction on the principal on account of pre-payments should be given from the actual date without linking it to next EMI cycle. Fee-harvesting49 features of digital lending may have to be restrained and any fee that has not been disclosed to the borrower at the time of sanction and/ or not factored in while disclosing the APR should not be chargeable. Any change in fee, if applicable, has to be informed to the consumer sufficiently in advance.

(b) Penal rate of interest should not be levied for prepayment of STCCs in full or part except a nominal administrative fee, if at all. For non-STCCs, if there is a pre-payment penalty clause, the APR will have to be demonstrably lower than what the APR would have been without a pre-payment penalty clause. The pre-payment penalty has to be suitably factored in while computing the APR. The proposed key facts statement (KFS)/ fact-sheet applicable also to all STCC/ micro borrowers would give customers a simple summary of the important terms and conditions (tenor/ fees/ interest rate/ reset dates) of the financial contract. Use of any techniques by digital lenders, where they use hidden fee structures or “teaser” rates, should invite appropriate regulatory/ supervisory action.

(Recommendation - GoI/ RBI)

5.4.4 Fair and Respectful Treatment of Borrowers There is a need to develop responsible borrowing culture in the digital lending landscape as much as responsible lending. This exercise of developing a positive financial behavior and attitude has to be taken up both by the industry as well as by regulators/ government. Such awareness/ education drives should emphasize legally permissible method of borrowing; building a credit score; improving appreciation for different features of credit and lower cost alternatives i.e., methods for shopping around for informed choices by providing digital comparison tools; addressing borrower’s behavior biases through debt advice/ counselling solutions for consumers in financial distress, etc. The behavior of consumers in understating their existing indebtedness at the time of seeking a loan should be a factor for consideration during future grievance or consumer protection/ recourse processes. Increased awareness of financial consumers about their data trails and credit histories - including their credit reports will, in turn, incentivize better repayment performance.

(Recommendation – GoI/ RBI) Fair treatment of borrowers in financial difficulty refers to the lender’s obligation to detect, as early as possible, consumers going into repayment difficulties; engage with those consumers at an early stage to identify the causes for those difficulties and provide necessary information; help the borrower to address temporary financial difficulties and return to normal situation. Customer harassment needs to be suitably defined by the SRO in consultation with RBI. Disclosure of the type of debt that can be collected by LSP on behalf of an RE, the person who can collect such debt and the manner in which such debt can be collected, should be specified in the loan agreement with the borrower.

(Recommendation - RBI/ SRO) As partnership with consumer facing LSPs is a dominant model in digital lending, there are specific aspects which are emphasized as under:

(Recommendation (a) to (d) - GoI/ RBI/ SRO)

(a) REs must conduct enhanced due diligence before entering into partnership with an LSP. The due diligence must be proportionate to the risks posed by the activity. RBI should incorporate appropriate provisions in the proposed Agency Financial Services Regulations.

(b) The REs should be required to put in place detailed fair collection policies and procedures on their website, as prescribed under extant regulations. In view of increasing significance and reach of DLAs and consequent concerns over unethical recovery practices, there is a need to standardize the code of conduct for recovery to be framed by the proposed SRO in consultation with RBI. In the event, a debt collector needs to contact any third party about a borrower’s debt, such arrangements need to be explicitly factored in the loan agreement, specifically the type/ description of third parties. REs should ensure that LSPs are prohibited from employing abusive debt-collection practices including the use of false statements, practices akin to or constituting harassment, or giving of false or unauthorized credit information to third parties.

(c) As per extant regulations, REs are required to display the names of entities they have deployed for recovery operations on their website with adequate details. It may be mandated that the lender communicates to the borrower, at the time of sanction of the loan, the details of any LSP who can approach the customer for recovery. Similarly, at the time of passing on the recovery responsibilities to an LSP, similar prior communication to the borrower should be followed.

(d) The recovery agents, both off-site and onsite, should be required to undergo adequate training and accreditation to discharge their responsibilities with care and sensitivity. The institutional mechanism for accreditation can be worked out by the broader industry in consultation with RBI.

(e) The lenders should carry out periodic review of the conduct of the LSPs engaged in recovery and scan for their name in any ‘negative’ list or report its name to ‘negative’ list if there is significant breach of any code. In order to check the activities of dubious LSPs, an easier mechanism should be made available to lodge complaints about harsh treatment by such entities. The ‘negative list’ of LSPs to be maintained by the SRO should be meticulously followed for compliance.

(Recommendation - SRO/ DIGITA) Formally disputed repayments should be indicated in the credit report along with the disputed amount vis-à-vis default or repaid amount. Certain types of updates/ inquiries with CIC about credit history of the borrower by any entity should be intimated to the borrower by SMS/ email to avoid any misreporting or unsolicited enquiries. Reasonable free access to the borrower for own data should also be considered by CICs.

(Recommendation- RBI)

Gist of Recommendations in the Report

Total Recommendations - 26

Sr. No. Para No. Gist of the Action Point Implementing Authority/ Agency
1 Restricting balance sheet lending through DLAs to REs or entities registered under any other law for specifically undertaking lending business GoI
2 Direct execution of loan servicing, repayment etc. in a bank account of the balance sheet lenders and disbursements into the bank account of the borrower RBI
Borrowers having only PPI account can be disbursed loan in fully KYC compliant PPIs RBI
Any fees etc. payable to LSPs to be paid by the lenders, and not received by them directly from the borrower RBI
3 Reporting of lending done by REs through DLAs to CICs RBI
Non-adherence of timely credit reporting of a loan exposure by REs to CICs should act as a trigger for RBI to not allow certain activities in post origination stage, such as, assignment/ securitization or recovery enforcement process RBI
Allowing only entities regulated by any financial sector regulator as agent on behalf of the borrower for CIC reporting/ information collection. RBI
Intimation of each access/ enquiry of credit information by any specified institution to the borrower RBI
4 Setting up of an independent body styled as Digital India Trust Agency (DIGITA) GoI/ RBI
Eligible apps not carrying the ‘Verified’ signature of DIGITA to be considered as unauthorized GoI/ RBI
5 Setting up an SRO covering DLAs and LSPs in the digital lending ecosystem GoI/ RBI
Publishing the list of LSPs engaged by REs on their website GoI/ RBI
6 Legislation styled as “the Banning of Unregulated Lending Activities (BULA) Act” GoI
7 Prohibiting REs from entering into arrangements involving synthetic structures, such as, FLDG with unregulated entities RBI
8 Regular agenda in SLCC covering reports on unauthorized apps in the market involved in digital lending/ illegal recovery and other types of activities associated with doubtful purpose/ suspected fraud GoI/ State Governments/ RBI
Induction of TRAI as member/ need based invitee to SLCC RBI
Withdrawal of the digital channel provisions from the CoR of NBFCs not undertaking digital lending for a reasonably long period RBI
9 Refining ‘travel rules’ of narration of payment transactions through any digital mode under PSS Act RBI
Strengthening non-traditional market monitoring GoI/ SRO
Monitoring promotion of unverified digital lending apps for appropriate action GoI
Monitoring by banks of accounts regularly operated from a different/ overseas IP address not consistent with KYC profile of the account holder RBI
10 Lenders should deploy only apps verified by DIGITA GoI/ RBI
11 Applicability of Baseline digital hygiene guidelines to LSPs DIGITA/ RBI
Compliance with various basic technology standards/ requirements on cybersecurity should be a pre-condition to offer digital lending by the REs and LSPs providing support to REs RBI
Each DLA should have links to its own secured website to display various information required by the prospective borrowers RBI
Digitally signed documents supporting important transactions through DLAs should automatically flow to registered/ verified email of the borrower RBI
Each DLA owner, including relevant LSPs, should have a suitably competent nodal officer to deal with FinTech related issues RBI/ SRO
12 Baseline technology standards for DLAs of REs. Auditable logs should be kept for every action that user performs on the app GoI/ RBI/ SRO
DLAs should mandatorily reflect the basic standards in the terms of service GoI/ RBI/ SRO
Every FinTech app must be signed/ verified in a secured manner GoI/ RBI/ SRO
13 Data should be stored in servers located in India GoI/ RBI/ SRO/ DIGITA
14 Algorithm used for underwriting should be auditable RBI
Adoption of ethical AI by digital lenders RBI
15 Clear policy guidelines regarding the storage of data GoI/ RBI/ SRO
DLA should make its comprehensive and compliant privacy policy available in public domain GoI/ RBI/ SRO
Policy on customer consent GoI/ RBI/ SRO
Standards for handling security breach GoI/ RBI/ SRO
No biometric data related to customer due diligence should be stored in the systems associated with the DLA GoI/ RBI/ SRO
16 Code of conduct on the use of unsolicited commercial communications for digital loans GoI/ RBI/ SRO
17 Designing of more sachetised/ simplified products by the DLAs catering to low credit-penetrated markets SRO/ REs
Education to users at on-boarding/sign-up stage about the product features GoI/ RBI/ SRO
A cooling off/ look-up period of certain days for all digitally obtained loans GoI/ RBI
18 Key fact statement (KFS) in standardized format for all digital lending products GoI/ RBI/ SRO
SMS/email to borrowers with summary of product information and lending terms GoI/ RBI/ SRO
Disclosure of Brokered loans/ DLA/ lead generator’s commission (e.g., yield spread premium) to the borrower GoI/ RBI/ SRO
A standardized and simplified loan agreement format for financial consumers of digital lending, by the proposed SRO GoI/ RBI/ SRO
Mandatory response to consumer with clear reasons for decline of credit application GoI/ RBI/ SRO
Feedback/ rating of the services of all digital lenders in the formats to be decided by the proposed SRO GoI/ RBI/ SRO
19 Lenders to capture the economic profile of borrower and assess the consumer’s creditworthiness in an auditable way GoI/ RBI
20 Formulation and display of Anti-Predatory Lending Policy by each lender GoI/ RBI
All STCC customers to be mandatorily taken to a financial education website page specially to be designed by SRO SRO
Expanding the scope of the Financial Literacy Centres, Centre for Financial Literacy and even Electronic Banking Awareness and Training Programmes (E-baat), to include digital lending and DLAs RBI
Imposing restriction on flipping where high-cost loans are subjected to refinances GoI/ RBI
Prohibition on automatic increases in credit limits except with customer’s explicit consent GoI/ RBI,
21 Standard definitions for the cost of digital STCC/ micro credit as Annual Percent Rate (APR) GoI/ RBI
Specific lending norms tailored for STCC providers, such as affordability rules GoI/ RBI/ SRO
SRO to keep a tab on such market-mechanism, which can be considered as high-cost STCC GoI/ RBI/ SRO
22 Requirement to provide a key fact statement (KFS) to all STCC/ micro borrowers GoI/ RBI
Appropriate regulatory action for practices such as hidden fee structures GoI/ RBI
23 Specific programme to develop responsible borrowing culture GoI/ RBI
24 Defining customer harassment by the SRO in consultation with RBI RBI/ SRO
25 Enhanced due diligence by the BSLs before entering into partnership with an LSP GoI/ RBI/ SRO
Standardized code of conduct for recovery to be framed by the proposed SRO in consultation with RBI. GoI/ RBI/ SRO
Communication from the lender to the borrower about the details of LSPs who have sourced the loan and prior communication about the LSP entrusted with recovery GoI/ RBI/ SRO
Training and accreditation for the recovery agents GoI/ RBI/ SRO
Periodic review of the conduct of the LSPs engaged in recovery SRO/ DIGITA
Maintenance of the negative list’ of LSPs by an appropriate body SRO/ DIGITA
26 Indication of the formally disputed repayments in the credit report along with the disputed amount vis-à-vis default or repaid amount. RBI
Intimation of certain types of updates/ enquiries sought with CIC to the borrower by SMS/ email RBI
Reasonable free access to the borrower for own data from CICs RBI

Gist of Suggestions/ Issues for Future Examination

Total Suggestions - 17

Sr. No. Para No. Gist of the Action Point Implementing Authority/ Agency
1 Stipulation of appropriate guidelines consistent/ proportionate with that of RBI guidelines by regulatory bodies for other authorized lenders Other regulatory bodies
2 Uniform LSP agreement for the balance sheet lenders RBI/ SRO
Treating new digital lending products such as BNPL etc. as part of lending, if not in the nature of operational credit by merchants GoI
3 Web aggregator of loan products to be subjected to discipline and code of conduct RBI/ SRO
4 Defining and regulating Short Term Consumer Credit (STCC) RBI/ GoI
Expansion of the extant/ proposed regulatory framework/ codes for MFIs to suitably include STCCs RBI/ GoI
5 Development of a separate framework styled as Agency Financial Service Regulation for all customer-facing/ fully outsourced distribution activities of REs including that by the LSPs RBI
6 Development of a separate National Financial Consumer Protection Regulation GoI
7 Strengthening KYC rigor for issuance of new/ replacement SIM cards and holding MNOs accountable for any shortcomings GoI
Superior use of digital technology and multiple data sources by RoC for early identification of shell finance companies and finance companies with proxy directors or opaque beneficial owner on an ongoing basis RoC
Suitable action on such companies as per the law or reference to concerned agency RoC
Real time data sharing by RoC with RBI on the de-listing of such shell companies, companies with proxy directors or opaque beneficial owner, for RBI to take up further action with respect to exposures of such companies across banks and NBFCs RoC
8 Making relevant inputs from proposed Digital Intelligence Unit of Government, existing Telecom Analytics for Fraud Management and Consumer Protection, Telecom Commercial Communications Customer Preference Regulations 2018 available to respective supervisors of digital lending segment of FinTech GoI/ RBI
A concept of Setting up of a National Financial Crime Record Bureau, similar to National Crime Records Bureau, with a data registry similar to crime and criminal tracking network and systems and accessible to REs GoI
Exploring leveraging of the channel of FINNET of FIU-IND GoI
Proactive surveillance by the local law enforcement/ police agencies GoI/ State Governments
9 Treatment of behaviouralised part of pre-approved credit facilities as exposure for prudential purpose RBI
Appropriate periodical returns from REs on digital data/attempted (frauds) RBI
10 Development of a regulatory/ supervisory framework for digital lending with a ‘seamless digital’ approach RBI
Conversion of regulatory instructions for digital lending to machine readable formats RBI
A blueprint of a forward-looking framework for identifying and managing risks arising from BigTech/ DeFi RBI
11 Regulations for the operations of so-called ‘digital banks’/ ‘neo banks’ formulation RBI
Encouragement for ‘digital only’ NBFCs and initiation of digital only banks RBI
12 Create a comprehensive framework for organisational and technical measures for data processing, to fix accountability of entities processing personal data, and to provide suitable remedy against unauthorised and harmful processing GoI
13 The Data Protection Authority, proposed in the Personal Data Protection Bill, could serve as the regulatory body GoI
14 Data Privacy and security at the end of SMS gateways/ SMS service providers by the REs/ DLAs before onboarding them. Monetizing of data by SMS gateways should be suitably dealt with by the appropriate agency GoI
15 Restriction on fixed sum/ non-installment unsecured STCCs with very short contractual maturity RBI
16 Uniform and principle-based approach for determining indebtedness/ debt serviceability of individuals/ household GoI/ RBI
17 Interest amount must be charged in arrears and never charged/ debited in advance GoI/ RBI
Any other fee should not be included as outstanding principal for compounding purpose GoI/ RBI
Any fee included in calculation of APR will have to be reasonable and meant to cover costs closely related to the reason for the fee GoI/ RBI
The interest calculation should be on actual days basis GoI/ RBI
The benefit of interest reduction on the principal on account of pre-payments should be given from the actual date without linking it to next EMI cycle GoI/ RBI
Any fee that has not been disclosed to the borrower at the time of sanction or not factored in while disclosing the APR should not be chargeable GoI/ RBI
Any change in fee, if applicable, has to be informed to the consumer sufficiently in advance GoI/ RBI
No prepayment penal rate of interest should be levied for STCCs for full or proportionate closure except a nominal administrative fee, if at all GoI/ RBI
For non-STCCs, if there must be a pre-payment penalty clause, the APR will have to be demonstrably lower than that without a pre-payment penalty clause GoI/ RBI

Annex A - Synopsis: Inputs received from Stakeholders

Legal Aspects
Sr. No. Feedback from Stakeholders
1. There is a need for data protection law, especially considering alternative credit appraisal models and customer confidentiality.
2. Proposed amendments in the IT Act –

• Addition of “applications & social media platforms” to the definition of intermediaries

• Section 79 provides exemption of liability and changes the same to limited liability for intermediaries under certain instances. An intermediary shall not be liable for any third-party information or data made available by it or hosted by it, if it is not having actual knowledge, i.e. only through a court order or on being notified by the appropriate government or its agency and not otherwise. This section needs to be amended to recognize the request made by the financial institution and the intermediaries to be made responsible for directly or indirectly allowing, promoting or abetting instances of wrongful conduct by persons.
3. • Recognition of loan records in digital platforms by extending the provisions of Banker Book’s Evidence Act.

• Moneylenders to adhere to their respective territorial jurisdictions.
4. Digital loan platforms fall within the definition of 'intermediaries' as per IT Act, 2000 and should therefore be made to follow all the rules applicable to the intermediaries, including those which require them to display the name, contact details and address of the nodal officers and cooperate with law enforcement.
5. Indian Personal Data Protection Law to cover all issues related to general data security and consent for data processing
6. Allow centralised stamping/ franking of loan documents
7. Risk of Perjury - The NBFC/bank that refinances the Digital Lending App (DLA) must be required to provide a certificate of good governance on the part of DLA at the risk of perjury. Similarly, both Google and Apple must insist on a set of declarations of ethical business practice from the DLA, again, at the risk of perjury. Regardless of enforcement, insistence of such declarations and self-certification will, in and of themselves, act as a deterrent.

Regulatory Aspects
Sr. No. Feedback from Stakeholders
1. Lending Apps to be registered as NBFC-Digital Money Lenders


• Restrict foreign ownership

• Minimum paid up capital and NOF to be prescribed

• Only Indian directors (resident in India)

• Maintain a lien marked FD

Processes and Products

• Only personal unsecured loans to be offered

• Maximum loan size to be INR 5 lacs

• Loan tenor of 3 – 36 months

• Mandate to be members of CIC with regular credit reporting

• Daily reporting to CICs regarding loan inquiry

• Full KYC process (as approved by RBI) to be followed, irrespective of ticket size


• Registration can be carried out by PWC, KPMG, EY etc. based on guidelines issued by RBI

• Fees to be charged (INR 1-2 lacs) to ensure only serious players apply.

• CoR to be issued for 3 years post which audit will be conducted by the same firms.

• Respective App-store to verify CoR
2. • Clarity on the applicability of outsourcing guidelines to bank/ NBFC-FinTech partnerships.

• RBI should set out an indicative list of activities, along with a negative list that may be provided by such digital platforms. Further, credit sanction should remain exclusively with the bank and NBFC.

• A licensing framework for digital-only banks with prudential requirements and licensing pre-conditions like commercial banks

• Creating an easy to access database of authorized banks and NBFCs (on lines of FCA, UK) either on the RBI website or through a separate portal to customers to confirm if an entity has been licensed/ registered by RBI.
3. • Licensing for non-regulated digital lenders or internet based financial and non-financial companies, with light touch regulation and prescription of entry point norms such as minimum capital and reporting requirements

• Prescribe organization governance standards for digital lenders

• Clear reporting framework and improve coverage of reporting to credit bureaus
4. a) Based on a comparative study of regulation of Fintech in various countries, the regulatory focus is on:

• Requirement to ensure communications with customers were accurate and did not omit important information during advertising and promotion

• AML requirements were a priority for regulators. due diligence, especially as related to eligibility criteria of borrowers and creditworthiness/ affordability were obligations commonly imposed upon firms.

• Regulatory requirements related to operations, management, systems and controls.

• Rules related to complaint handling processes, segregation of client assets and governance ranked highest.

b) Digital lenders should have a clear established process for loan approvals, as well as for amending, renewing, and refinancing existing loans and for demonstrating what type of data is used in the process of granting a loan and how data quality is assured.

c) White listing of digital lenders
5. Comparative Study (Brazil) (FSI Report)

Digital lenders known as Sociedode de Credito Directo (SCD) are not allowed to raise funds from the public except by issuing shares. However, they can sell or assign their roles to other FIs. SCDs are subject to risk-weighted capital requirements comparable with those applied to smallest tier of credit institutions in Brazil. In terms of governance, an SCD needs to inter-alia, be established as a corporation and include Sociedode de Credito Directo in its legal name, have senior staff that is deemed to be fit and proper, pursue an integrated risk management approach, and conduct its lending business by selecting borrowers according to consistent verifiable and transparent criteria that are relevant for assessing their credit risk.
6. Credit Reporting to Bureaus

• Credit Bureaus should enhance their infrastructure to update near-real time information on weekly basis.

• sharing of negative information on non-payment of very small loans may again push the first-time borrowers towards informal or unorganized channels of lending. In this context, regulators must come out with guidelines on what all positive and negative information should be shared and how the information should be used as a component of credit assessment.

Responsible Underwriting

• Transparency and responsible sourcing of customer has been a critical area where lenders and regulator need to focus. In this regard, there may be a requirement to prescribe minimum tenure, maximum interest rate, the maximum number of lenders from which a borrower can borrow etc.
7. • Lighter e-KYC regulations for low ticket size

• Lending platforms to disclose their partnerships, underwriting partner’s details, etc.

• Cap maximum loan amount at Rs.5 lac per lending app per borrower and Limit maximum exposure to Rs.2.5 lac for a single NBFC to a borrower in case of co-lending (like P2P platforms).

• Common eKYC norms across Banks and Digital Lending Platforms.
8. Bring newer products like BNPL within the definition of credit
9. Requirement of digital Aadhar based identification & authentication (only allowed for banks currently).
10. • Outsourcing guidelines should provide for full disclosure of loss sharing arrangements, if any, between the RE and digital partners

• Controlling access to NACH and Payment Gateways for only regulated lenders
11. Eliminate regulatory frameworks that enable rent-a-bank or rent-a-NBFC model and emphasize the RBI’s supervisory expectations for the FinTech or digital lenders that are involved in these types of lending arrangements by -

i. following prudent credit underwriting practices and standards,

ii. ensuring that the loan complies with applicable laws, including consumer protection laws and fair lending laws,

iii. considering the borrower's privacy eliminating coercive collection practices and

iv. complying with RBI guidelines on managing the risks of third-party or outsourced relationships.

The best mechanism to insist on proper regulatory licensing for these lenders will be to follow the test for True Lender criteria given below:

a) Lender named to borrower

b) Participation in risk

c) Underwriting of the loan

d) Responsibilities of customer onboarding and KYC

e) Servicing – encompassing from payments to collections and routine customer support

If the FinTech performs the above (a) through (e), they should obtain a Certificate of Registration as an NBFC. Alternatively, if the Fintech:

i. Performs only (a) or any other actions other than (a), they should obtain a Certificate of Registration as an NBFC

ii. Performs only (b) or any other actions other than (b), they should obtain a Certificate of Registration as an NBFC

iii. Performs only (c) they should obtain a Certificate of Registration as an NBFC or as a P2P lender and if they perform (c) with any of (a) and/ or (b), they should obtain a Certificate of Registration as an NBFC, but if they perform (c) with either (d) and/ or (e), they should at least have a P2P license.

iv. Performs only (d) the lender that is outsourcing the service should follow the outsourcing guidelines published by the RBI for all NBFCs and Banks. However, if they perform (d) with any of (a) and/ or (b), they should obtain a Certificate of Registration as an NBFC, but if they perform (d) with either (c) and/ or (e), they should at least have a P2P license.

Performs only (e) the lender that is outsourcing the service should follow the outsourcing guidelines published by the RBI for all NBFCs and Banks. However, if they perform (e) with any of (a) and/ or (b), they should obtain a Certificate of Registration as an NBFC, but if they perform (e) with either (c) and / or (d), they should at least have a P2P license.
12. Mandate quarterly returns from REs reporting their digital partners and their exposure
13. • Curb payday-loans through regulation

• Multi-layered offshore entities doing digital lending to be brought under appropriate laws and regulation

• Non-regulated entities should be categorized as special regulated entities similar to third party app providers (TPAP) guidelines in payment industry.

• Bureau access to be restricted to non-REs, thereby ensuring customer data protection
14. RBI to publish list of the digital lending apps of financial institutions including special RE apps on its portal as part of awareness among the public
15. It should be mandatory for every NBFC to intimate mobile application of disbursement and collection of loans to the bank
16. On-boarding of the lending app (B2B on-boarding – need to have checklist and compliance requirements which is applicable only one time). All app-stores should allow such lending apps only after verifying the checklist such as copy of RBI authorisation/ NBFC authorization.

Clearing houses (such as UPI, debit cards) should issue guidelines to acquiring bank to only allow on-boarding them as “valid or verified merchants” after the verification of checklist as mentioned above. This can be applicable only for lending apps, institutions.
17. RBI should evaluate a “Digital NBFC” licensing which would require adherence to compliances, standardization of processes, etc., similar to NBFCs, with a couple of changes to provide room for promoting growth and innovation of digital lending
18. Businesses/ lenders which are offering products such as buy-now-pay-later, salary advances, or invoice purchases must be brought within the ambit of NBFC regulations, by including the said activities as lending activities.
19. The regulator should consider allowing non-balance sheet lending to allow for experimentation, development of segments/ entities. In the case of non-balance sheet lending for digital lenders, the onus would also be on the balance sheet provider. This could be complemented with controls around:

i. Ticket size (say upto Rs 5 Lakh of loan amount)

ii. Life-stage of company (say allowed for first 3 years of existence post which lender needs to move to co-lending model)

iii. AUM Cap (non-balance sheet lending allowed till AUM reaches say Rs 100 or Rs 200 Crore post which lender needs to move to co-lending model.

iv. There could be added requirements around financial inclusiveness

These permits should be provided only for companies which obtain a “Digital NBFC” license from RBI.
20. Co-lending model should be allowed for all regulated lenders (licensed digital lenders included) for personal loans also.
21. • RBI has proposed Rs 20 crore capital requirement for NBFC license. Lowering of threshold (existing 2 crore capital requirement could suffice) in the initial life stage and increase it to Rs 20 crore after 3-4 years or on reaching a certain AUM may be considered.

• RBI should mandate adoption of Account aggregator framework by all banks, deposit taking NBFCs and nudge other regulators (IRDAI, SEBI) to do the same for insurance, mutual funds and equity broking industry.
22. • Since the video-based Customer Identification Process (V-CIP) currently restricts application timings to office hours and delays underwriting process, it is recommended to consider the following arrangement:

Successful OTP based e-KYC + Automated Video KYC (to be verified on post facto basis by the Bank) followed where verification can happen on post facto basis a digitized process, like customer reading out OTP or a dynamic code flashed on screen on a real time basis.

Burden of payment should be with the user (who is using the CKYC and thereby, reducing their process cost) and not the uploader lender (who is adding to the database and making the system richer in terms of data/customers). This would encourage the database becoming richer, stronger faster.
23. • Distributors (e.g., digital aggregators) should be provided access to consumer data through credit bureaus, the Account Aggregator framework, GST, banking data etc. There should be valid and reasonable entry barriers for the platforms who can access this data, like ISO certification, audits, minimum capital requirement etc.

Responsible distributors (as ascertained by respective REs) should be allowed to perform non-underwriting tasks like KYC, income and document validation, etc. besides acquisition of customers.
24. RBI should clearly lay down the reporting framework and improve the coverage of reporting to credit bureaus by digital lenders.
25. RBI must create a regulation for digital group lending/liability with privacy protections.
26. A separate product category in the consumer credit information file should be created to report Buy Now Pay Later Loans.
27. (i) There is a need to put in place a strong monitoring and evaluation lens on the existing regulated entities.

(ii) Better enforcement of extant regulations/ laws through better supervision so that RBI can work with law enforcement to have illegal and non-compliant operators prosecuted under relevant law, and cancel the license of regulated entities flouting extant regulations/ laws

(iii) Enforcement of applicable regulations on upstream entities, such as payment gateways and aggregators, will help block the entry of unauthorized lenders into the ecosystem.

(iv) Enlisting Google & Apple should also facilitate compliance with the law. Greater monitoring, careful curation and regular due diligence of entities uploading their lending apps on the App stores will ensure better enforcement outcomes.
28. Inclusion of eNACH and UPI-Collect as financial instruments would provide recourse to digital lenders in case of default (similar to a cheque dishonor).
29. To prevent misuse of customer data and deter privacy violations, following steps may be taken:

• Institutions (utility, EPFO etc.) can provide APIs for verification of address and employment.

• A mechanism to get the latest mobile number of the borrower from TRAI in case the borrower changes SIM cards.

Ready access to certain non-intrusive customer data (as is available from Credit Bureaus) without consent to help credit appraisal.
30. • Regulate all entities which marketing loans through a lightly regulated Loan Service Provider (LSP) license are. There should be no loopholes. NBFC that book loans will continue to be an NBFC. LSP can work with an NBFC under the existing Outsourcing of Financial Services guidelines of the RBI. In addition, LSP can exist under a BC (Business Correspondent) relationship with existing banks and NBFC
31. Due to lack of restrictions/regulation of digital lending, pseudo regulators like Google Play App Store and Facebook are stepping-in. Example – Google Play prohibits apps which offer loans of tenure less than 90 days. This may not be suitable for Indian ecosystem as there are examples of successful ventures like MannDeshi Bank (offering daily and weekly loans to woman vegetable sellers) which would in violation of Google Play’s guidelines.
32. The BNPL model is currently gaining traction especially in e-commerce - loans are being offered at 0% interest rate. The platforms claim that since there is no interest being charged, they are not required to book the loan on a NBFC or to report it to a credit bureau. Hence, no regulations are applicable to them. The platforms do take creative steps once a loan turns NPA, including post-facto creation of a loan on the books of NBFC. RBI must clearly re-define what constitutes credit so as to classify BNPL as a loan and hence bring it under regulatory coverage.
33. RBI has mandated that UPI credit can only be provided through a bank’s overdraft system, but banks have not provided FinTech enterprises access to this facility as banks are hesitant to utilize overdraft accounts with UPI as such transactions would be voluminous and in real-time. Hence, FinTech enterprises create virtual pool accounts for releasing credit over UPI. As a result, the credit disbursement is neither regulated neither reported.

Hence, UPI credit can be tied to a PPI with a mandatory linkage to a NBFC’s line of credit or bank overdraft account. This will necessitate amendment in the extant NPCI guidelines.
34. i) RBI must enforce stricter KYC norms for payment gateways to onboard merchants.

ii) RBI must create a clear process for payment gateways to follow in case a fraud is detected. Including sharing of data with FinTech partners. They must have the responsibility of being a party to any legal case that the wronged party/ FinTech may file.
35. Currently several entities which are not under regulatory purview are taking regulatory arbitrage which leads to non-compliances with fair practices code and evolution of alternate form of money lenders.

Hence, RBI should provide baseline framework for regulating such entities. The framework should inter-alia include:

• Registration requirement with RBI

• Credit assessment and repayment norms

• Cap on loan amount

• Overall exposure of entity

• Cap on Interest rate

• Fair practices code and Grievance redressal mechanism
36. A sector-specific data protection regulatory framework for digital financial services should be considered.
37. Since illegitimate entities enter the space by registering themselves under the Companies Act or the Moneylenders Act promulgated by the state governments, such loopholes should be plugged by standardising digital lending norms across legislative spectrums.
38. Cap the maximum FLDG on lines of Capital Adequacy Ratio (~15-20%) so that unregulated players do not pose systemic risks. Hence bank/ NBFCs will also actively participate in the credit assessment without relying on the underwriting of digital lenders. This approach will also encourage digital lenders to expand only within the guidelines and framework of RBI regulations and will be compelled to apply for CoR from RBI.
39. Regulator needs to completely curb the operations of any digital lender operating without partnering with any NBFC/ bank.

a. Play store can ask for CoR number of the digital lender to be validated by an API approval from the regulator

b. In case, digital lender does not have a CoR, then the CoR of at least one NBFC along with the agreement to be submitted on the play store.
40. Strict adherence to outsourcing guidelines and FPC to be ensured by the RE
41. On the lines of web aggregators for insurance (regulated by IRDAI), web aggregators for banking products should be brought under the regulatory purview of RBI. Various activities of banking product aggregators need to be supervised by the RBI, specially activities around the ‘free’ bureau reports, collection and usage of customer data.
42. Publish the list of NBFC’s and the brand names and apps associated with them, which will serve as a whitelist of all the regulated apps in public domain. Further, if an NBFC is providing their certificate to a third-party company, corresponding brand name should also be listed. The activity of publishing can be done by RBI or the SRO.
43. The per loan cost of checks that are required as per regulation are (for smaller tickets) a much larger percentage of the credit amount. KYC, credit bureau, marketing, underwriters’ labour can be a substantial share of disbursed principal especially in case of low approval-rates. This would be best assessed by (market average) absolute fees while pure percentage restrictions on processing fees are not a reasonable approach.
44. Create a clear definition of what players are included in the (regulated) lending ecosystem. Unregulated players should be categorised separately, and a supervisory framework should be designed and implemented to regularly monitor and audit/ certify their activities.
45. In order to enforce the extant regulatory framework, some market participants may support/ supplement the regulator as under:

a. Google/ Apple to verify NBFC licenses of companies that offer FinTech apps on their online “stores”

b. Payment gateway providers to control proper incorporation and documentation of all its partners

c. Credit bureaus and collection agencies to only cooperate with accredited FinTech players
46. Clarity should be provided on e-KYC procedures to be undertaken by fin-tech lending companies as offline and online procedures are not clearly delineated
47. Lenders should be allowed to restructure distressed loans or find other solutions in cases of hardship
48. Guidelines may be framed prescribing the borrower data which the lenders are permitted to collect for the following use:

a. Assessing application for unsecured credit, secured credit (mortgages) and insurance products etc.

b. Reviewing of existing credit facilities

c. Developing of credit scoring system

d. Acceptance of guarantees

e. Application for services (for example, when a person applies for a mobile phone service contract in the United States, the telecommunications company may conduct a credit check of the applicant)

f. Verifying personal credentials

g. Payment history in respect of continuing credit services with retailers

h. An investigation into fraud, corruption, or theft
49. Lenders should leverage existing Account Aggregator infrastructure. The usage of Consent Managers (i.e. account aggregators) should be mandated for lenders for better consumer control over their data. This will also help in regulating the collection of data by lenders to take credit decisions.
50. DPD guidelines should be looked at (not 180 but 45 days) since many loans are also with a shorter tenure.
51. • Payment Gateways should not work with unregulated entities who are disbursing loans but should only partner with regulated entities like Banks and NBFC who are licensed to lend.

• Bureaus should not work directly with unregulated entities.

• Bureau reporting guidelines required for digital loans

• FinTech's should not get direct access to Bureau, Payment Gateway, Esign, E-NACH, E-KYC, PAN Verification.

• Aadhar Verification should only be via regulated entities (Bank/ NBFC)
52. A standardised framework and approach on use of CKYC will provide a level playing field for banks/ NBFCs and FinTech’s to source customers.
53 Guidelines may be framed on digital execution of the loan agreement/documents based on OTP based Aadhaar signatures.
54. Specific cap/ criteria on maximum unsecured exposure (MUE) at a customer level should be introduced to control overall indebtedness. This needs to be ensured by all lending institutions across conventional/ digital lending mechanism.
55. Digital lending should be allowed only for regulated entities and their agents, and the regulator takes different approach in treating these digital players as per their type. Only the following entities should be allowed -

1. Commercial Banks – Scheduled and Non-Scheduled

2. Cooperative Banks and Regional Rural Banks

3. Non-Banking Financial Companies including Housing Finance Companies

4. Digital lending platforms as agent of Banks and NBFCs under outsourcing arrangement

5. P2P lending platforms

6. LSP and Open Credit Enablement Network (OCEN) participants

7. Other regulated entities such as Nidhis, Registered Cooperative Societies etc.

A brief of recommendations for different players

NBFCs/ banks - Digital lending or co-lending by these regulated entities is currently governed exhaustively under the extant regulations - Guidelines on Fair Practices Code for Lender, Guidelines on Recovery Agents engaged by banks, Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks, Master Circular on Customer Service in Banks, Master Direction on Information Technology Framework etc. Strict adherence to these guidelines shall be ensured.

Agents of NBFC/ banks – Agents of regulated entities function under the existing regulatory framework and under the terms of valid legal agreements with their partner banks and NBFCs who on-board such agents after duly conducting stringent due diligence on the agents and hence can be exempt from additional licensing requirements.

NBFC-P2P – The current RBI guidelines clearly define the scope of activities that can be undertaken, and also have safeguards for transparency, disclosure, and consumer protection.

Unlicensed Digital Lenders – These unlicensed lenders need to be tackled on priority by all stakeholders in the digital ecosystem including app store operators and search engines to prevent their distribution and usage to ensure consumer protection.
56. The regulator should outsource some of its functions of regulating Digital Lending Apps (DLA) to a regulated entity (NBFCs, for example), as its sub-agent, for greater effectiveness and hold them responsible. If the regulator wishes to do the job itself, it can insist that the license application includes a full recitation of the regulatory conditions for approval by the applicant to ensure that they are cognizant of the requirements and are willing to commit to comply with them.
57. Need to bring in interest rate regulations without adversely impacting the economics of digital lenders and broader objective of financial inclusion. Target segment of digital lenders, viz. mid prime and New to Credit customers have high delinquency and cost of acquiring and serving these customers are also high. Regulators may consider introducing interest rates caps in a phased manner broadly in line with the effective interest rates of credit cards. Further, to enable economics for digital lenders, regulator may consider providing access to low-cost liability lines including through securitization lines.
58. • Digital Credit Cards/ line of credits should be allowed to operate without license to further improve financial inclusion.

• Allow 5% P2P lending in the overall basket to manage cost of borrowing and access to capital

Technological Aspects
Sr. No. Feedback from Stakeholders
1. Minimum technology standards may be prescribed to weed out non-serious players and push the sector towards maturity.
2. • The tools for enforcing market conduct will need to be re-designed to address the new risks. High-tech tools to be developed to enforce market conduct and provide a convenient mechanism for consumer grievance redressal.

• RBI has prescribed detailed guidelines to banks/NBFCs on cyber security and the same is subjected to on-site inspection. Similar regulation for DLEs may be considered to prevent perpetration of frauds.

Creation of IT infrastructure for digital lending akin to infrastructure created for digital payments.
3. • Baseline technology/ security requirements expected from consumer facing service provider operating the digital lending platform may be specified.

• Avoid conflict of interest, and data security/privacy for customers in case a DLE is servicing multiple NBFC/ banks.
4. • We may need to work closely with Google Play Store/ Apple App Store to review the financial apps, having non-essential permissions which compromises the personal data of consumers for identification of bad actors in the system.

• A Government/ Non-Governmental agency may provide rating to the financial apps registered in the app stores.

• Mechanism to monitors malicious activity at touch points such as payment gateways, bank account may be devised.

• Digital Lenders should ensure that information is protected against disclosure to unauthorised users (data confidentiality), improper modification (data integrity) and inaccessibility when needed (data availability).

• Suggestion may be made to Ministry of Electronics and Information Technology (MeITY) for standardisation in registration of the financial app in Google Play Store/Apple App store or other app stores.
5. • Confusing menus and user interfaces – A prescription on necessary details and the clutter free standard interface would help the borrowers in taking well thought out decisions.

• Discriminatory Algorithms - Algorithm based lending practices have been found to result in unintended discrimination based on race, ethnicity, religion, national origin, gender, marital status, age, sexual orientation, and other protected classes. In this regard, these algorithms should be subjected to pretesting, testing and retesting. SROs may dictate the ideal algorithms with rationale for relying on specific information or factors at the time of making credit decisions. As the algorithms being used by white label apps are not subjected to testing, the whole industry may have same side blinds or unintended discrimination.
6. • Elaborate security processes and protocols needs to be instituted against potential cyber intrusion and attacks by making it an integral part of software development life cycle.

• Data security practices should include data encryption, masking, data audit program, clear definition of data breach with reporting, and a data governance structure headed by a Data Privacy Officer.

• IT infrastructure monitoring also needs to be put in place for holistic security.

• ISO 27001 (ISMS: Information Security Management Framework), and ISO 22301 (BCMS: Business Continuity Management Framework) have been recommended for covering all IT security aspects comprehensively.
7. Classification of consumer data into essential (necessary for completing loan journey) and peripheral. The borrower should have the ability to complete loan journey without sharing peripheral data.
8. When drafting regulations and putting in place a regulatory framework to supervises the use of technology/ cloud adoption by such digital lending companies), regulators should take a “principles-based approach”. Principles-based regulation means moving away from reliance on prescriptive rules and relying more on high-level, broadly stated rules, objectives or principles to set the standards by which entities must conduct business.
9. RBI should audit the books and use heavy duty ML to figure out potential suspicion.
10. In collaboration with CICs, digital lenders can leverage AI/ ML to determine creditworthiness of first time/ new to credit lenders
11. Mandate CERT-In compliance for all platforms to ensure adherence to IT Act, which can be verified by the partnering RE
12. No customer data to be share with special REs, therefore mobile apps cannot become a data aggregator by using their partnership with a reputed RE
13. Access to confidential personal information of customers such as his contacts, location, gallery, files etc. should be prevented.
14. While the personal data privacy laws will help to provide a legal framework for information protection (customer data from their phone including personal data, pictures etc), RBI needs to take strong steps to discourage access to such data through online lending applications.
15. Certification of digital lending apps by Govt appointed agency (like ISI) could validate that the apps are genuine thus giving the customer an additional trust on the app that is collecting various information from the customer. Such measure will also prevent issues like the recent Chinese app incidents
16. As multiple domestic/ foreign apps are currently sourcing/disbursing loans, data residency and privacy guidelines as prescribed by RBI are not being enforced, as these become applicable only once the data reaches a regulated entity. Hence, licensing of such platforms/ apps as Loan Service Providers shall bridge this regulatory gap.

Further, CISA audit may be mandated for all (including foreign apps) even if done remotely. CERT-In may be roped in to create a new cybersecurity audit certification for FinTech apps that are being operated remotely from other jurisdictions.
17. Direct google play store to not impose contradictory US-centric guidelines in India.
18. IDRBT and/or similar entities can test lending apps and vet the terms-and-conditions offered by the lending apps. This can be voluntary or mandated by regulator for entities that they regulate. A process similar to IB-CART (used in cyber security and about vulnerabilities in various banks’ online applications) may be extended for encouraging best practices in lending apps. The process may include:

• Collecting information from various players (we may limit to regulated entities, since non-regulated may not cooperate) and share with the forum.

• Keeping track of unregulated players apps and report to the appropriate authority. This requires crawling of play-stores/social media.

• Pass on information to CERT-IN for law enforcement, blocking, removal of apps from play-store, etc
19. Improve self-regulate/ auto-regulate to increase trust and simplify compliance – enable lending process automation through formal contracts using audited contracts running on a distributed ledger (or similar). A digital lending platform based on distributed ledger technology where the regulator node controls the transactions can be thought of as a long- term solution
20. Since illegitimate entities enter the space by registering themselves under the Companies Act or the Moneylenders Act promulgated by the state governments, such loopholes should be plugged by standardising digital lending norms across legislative spectrums and due diligence to be carried out by the platforms before on boarding the apps on their App Store. RBI can consider adopting monitoring such apps and take-down procedures in collaboration with the app stores.
21. A graded privacy policy could be an option where compliance requirements vary based on pre-defined categorisation of entities. For instance, privacy requirement for a credit app would be different from that of a payment application. Such a granularity would help regulated entities acquire the right set of consent artefacts for well-defined purpose.
22. Data Protection – Two risks need to be addressed, viz. data protection (from unauthorized access), and data privacy (use and management). An external agency can be set up like NPCI for consumer data protection throughout its life cycle and can be benchmarked to global data protection frameworks. Certain suggestions are -

(a) Access to only 5 additional contacts with explicit consent

(b) No access to media gallery

(c) Data deletion within 1 month from close of loan

(d) Penalty matrix for breaches – to be audited by external agency

(e) Obligation on the lender to ensure consumer fully understands the term and conditions of the loan

(f) Mandatory and full disclosure to the client on data being collected and how it is being used.
23. In order to strengthen the onboarding process of lending apps on App stores, RBI should frame required guidelines and include relevant clauses

- Requirement of a CoR should be stipulated during onboarding process.

- The platforms should be instructed to regularly monitor the lending apps to ensure that guidelines are being adhered to. Any breach should result in termination and reporting to the RBI.
24. Data security obligations, data retention periods should cover all participants during the term necessary for actual product or service. Clarity may be provided on the requirements of data localization rules.
25. Strict Adherence to Cyber Security Guidelines - RBI has provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds and notifications on Cyber Security Framework for banks. Regulated entities including banks and NBFCs should ensure strict adherence to such guidelines and should proactively promote an understanding of the bank’s cyber security framework amongst their outsourced service providers and other relevant stakeholders to ensure appropriate action to support their synchronized implementation.
26. To check and control app-based fraud, the transaction activity has to be monitored and both ends of the transaction need to be supervised, to check aggressive lending and reckless or multiple borrowing. NBFC/bank analytics have to be upgraded to flag abnormal/suspicious activity. NBFC must invest in technology and other capabilities needed to tackle these challenges.
27. India’s proposed Personal Data Protection Bill is fairly exhaustive but till the bill is implemented there may be a need to impose interim measures

• Apps should be allowed to obtain any personal information from customers only with their express permission. There should be adequate safeguards against unauthorized access of data (including contact list, photos, call records, non-transaction messages), periodic information security audits, and clear mapping of use cases including cross sell or upsell against data collected from customers.

• Develop framework for model risk management to mitigate any potential impact of advanced data and artificial intelligence based financial models on financial stability, similar to the impending regulation in mature geographies like USA.

There need to be explicit guidelines on customer data access to third party services and platforms. Only digital platforms with documented partnerships with registered NBFCs/ banks should be allowed to access any personal customer data used for underwriting or storage.
28. Artificial Intelligence (AI) and more specifically deep learning are one of the most recent innovations in data analytics to be leveraged by the financial sector. Adoption of deep learning in finance is likely to threaten financial stability in the long-run due to herding (various actors making similar decisions based on standard models), network connectedness and regulatory gaps (as innovation will outpace updates to regulatory regimes).

Recommendations to Manage Micro-Prudential Risk –

1. Internal Mapping – mapping of institution-wide dependencies on internal data and software may help reveal concentrated dependencies within each financial institution.

2. Model Hygiene - Regulators should update the existing framework for model risk management within the financial sector to better capture deep learning models and need to focus more on how the model arrives at its prediction.

3. Firm Buffers - Authorities might consider add-on or minimum buffers -building in some margin of error - if banks were to determine risk weights or capital based upon deep learning algorithms

4. Regulatory Diversity - Regulations meant to address explainability, fairness, and robustness concerns -even if written to be technologically neutral-may lead to uniformity. Regulators might address this trade-off when crafting regulation by proposing multiple ways to internalize regulations while remaining compliant with guidance.

Recommendations to Manage Macro-Prudential Risk –

1. External Mapping - of each firm’s external dependencies on data and software providers. Once aggregated and viewed from the network level, such external mappings could provide a better -though likely still incomplete-picture of systemic dependencies and complex interconnections of the system

2. Material External Dependencies - Material or system wide dependencies on third party AI-as-a-Service providers, such as Google, OpenAI, and others, may call for requirements that such external models comply with updated financial system model risk management regulation.

3. Horizontal Reviews: A framework of horizontal reviews could be helpful to assess the extent to which there may develop uniform decision making across the network. Horizontal reviews related to deep learning models could reveal herding amongst market participants or network interconnectedness to material external dependencies.

4. Network Buffers - There could be a requirement that financial institutions continue running back-up traditional data analytics models in case the models fail or act in unexpected ways

5. Developing World - The systemic risk and financial fragility challenges of deep learning adoption in finance are likely to be more acute in developing countries, and hence international community should pay closer attention working to assist developing countries in preventing potential problems early; Possible macro-prudential policy interventions also may be guided within the purview of the IMF & the World Bank

6. Ex-post Interventions: policymakers may wish to consider how best to plan in advance for potential ex-post, crisis management intervention.

7. Call to Action - The dedication and ingenuity of academia, public officials, and the private sector will be needed to best understand the magnitude and scope of potential challenges

Business Conduct/ FPC/ Customer Grievance aspects
Sr. No. Feedback from Stakeholders
1. • Digital lenders to have board approved policy to address consumer grievances and complaints.

• Contact details of consumer grievance redressal officer to be prominently displayed and communicated to borrowers

• Fair practice code for recovery
2. • The guidelines set out for recovery agents employed by banks are far more comprehensive than the directions issued for NBFCs. Such a distinction is approach may be revisited to provide similar standards for agents employed by banks and NBFCs.

• Active and clear disclosure of partner banks and grievance redressal mechanism.

• Banks to have a Code of Conduct to set out standards and practices for neo-bank partners.

• Explicitly and prominently state the regulatory status of the FinTech or it partner NBFC/ bank in the user interface as was mandated by June 2020 circular.

• Under the existing FPC framework, most obligations relating to disclosure of terms and conditions and transparency is rightly placed on the regulated entities. However, as digital platforms are acting as the first point of contact for customers, RBI should set out the most important terms and conditions that banks and NBFCs should require such service providers to disclose upfront to customers.
3. • A separate Fair Practices Code for DLE to be put in place by RBI.

• Additional disclosure requirements for DLEs specific to digital delivery and remote KYC process. Benchmarks and standards to be set on transparency and disclosure.

• RBI may promote responsible lending practices to monitor levels of over-indebtedness. Examine product designs to support responsible lending and reduce incentives for irresponsible borrowings.

• The primary method of collection among others includes pulling money from a mobile money wallet or a bank account. Customers often consent willingly or unknowingly as the lenders simply include it in the lengthy and difficult to read terms and conditions of contract and design it as an opt out rather than opt in option. Recent unhealthy collection practices of threatening the borrowers to share the default among with contacts in the mobile data points to lack of implementation of fair collection practices. There is a need to protect the consumer from such unhealthy practices in digital lending.
4. • Consumer awareness may be done through initiatives of Department of Communication such as ‘RBI Kehta Hai’

• Mechanism to obtain periodical report from CEPD and Ombudsman office regarding such complaints.
5. • It is hard to read agreements on mobile screens. The agreements should be sent to borrowers before loan sanction and disbursement.

• Presently, unlike MFI, there is no guideline on the type and format in which critical conditions of loan need to be displayed. Prescribing a disclosure format on processing charges, interest rates, tenure, penal charges etc. would lead to much desired transparency and comparability among loans across different platforms.

• The agreement should be made available in languages other than English.

• Adopting responsible advertising and marketing standards

• Borrowers should be given adequate notice so that the recovery process becomes smoother.

• Transparency in terms of tie-up between lenders and Technology Partners, the business model

• Regulation of Interest Rates and Charges - Principally, it is a well-accepted practice that only market forces should decide the pricing of loans. However, as digital lenders are catering mostly financially frail customers who are not being catered through traditional organized channels, it is vital that the pricing is sustainable and based on repayment capability of borrowers. Like traditional models, there should be a graded approach on pricing depending upon the relative credit scoring of customers.

• Revenue Sharing between lenders and Technology Platforms - Presently, there is no consensus on sustainable model of revenue sharing between the lending lenders and the technology partners. Such gaps create opportunities for the technology partners to indulge in coercive recovery practices.

• Detailed policies on collection and recovery procedures - Regulator should come out with specific guidelines on digital lenders’ collection practices such as calls, communication, no pressure to re-borrow, threats and no surprise fees.

• Digital credit providers may also provide proactive information (alerts of upcoming payments, missed payments, late fees etc.) that may better assist borrowers, including identification of financial counsellors located in the customer’s geographic area and other resources for customers suffering from financial strain.

• Lenders should be held accountable for the appointment of credible technology partners with strict agreements on collection and use of data, putting in place the requisite internal systems to check data mishandling and policy for collection of limited data and its retention on internal servers.
6. App/NBFC should provide loan sanction letter, loan agreement copy, repayment schedule statement through email and post in customers local language.
7. Cap on the limit of maximum interest rate to be charged and also guidelines for collection of loan amounts.
8. All intermediary platforms which onboard digital lending apps to verify the app narration (short and long narration).
9. Currently, some non-regulated REs access credit bureau data on behalf of the customer through their platform by taking one-time customer consent but continue to ping the credit bureaus and store customer data. This practice needs to be curtailed.
10. Appoint Nodal Officer for grievance redressal
11. Upfront disclosure of all-in, annualized cost of a loan with illustrative examples of loan repayment cost
12. Explicit barring of certain collection practices like calling borrower’s contacts.
13. Create a SRO
14. Consumer should be made aware that in case of co-lending by multiple NBFCs, multiple accounts will be reported to CIC for one loan.
15. Grievance redressal mechanism along with an escalation matrix.
16. Special REs should be governed via FPC and under Complaints & Ombudsman Framework.
17. • As the entire process of appraisal, disclosure and acceptance of MITC, and loan agreement is digital, digital lending entities should maintain an audit trail in case any dispute arises in the future.

• To maintain a balance between the interest of the borrowers and NBFCs, following changes may be carried out in the FPC-

o FPC could stipulate that cognizance of complaints from defaulting borrowers would not be taken unless there was evidence of coercive and threatening language or acts of physical coercion.

o Further, NBFCs and banks may be advised that all collection calls should be recorded as an audit trail so that these can be used to verify the veracity of complaints of misbehaviour.
18. Rate of interest, processing fees, other charges, loan tenure, loan amount approved, identity of lender and grievance contact information etc. should be clearly stipulated in the loan offer made to the customer via digital lending platforms. Since digital contracts can be hard to absorb on small screens, these mandatory key terms must require explicit display and consent of borrowers.
19. There should be a clear fair practices code for digital lenders. Both the digital lender as well as the balance sheet provider/co-lending partner (which is usually a large bank or NBFC) should ensure adherence to such codes.

a. Transparency around data capture and use of data:

The data being captured and use cases should be clearly communicated to the customer in simple language. These would also be eventually part of the new data protection guidelines.

b. Transparent communication of Pricing/cost of loan:

i. Annualized, reducing balance interest rate must be clearly displayed to consumer. Some platforms could be using monthly interest rates or flat interest rates. These practices need to stop.

ii. Total cost of borrowing displayed in the form of total annualized interest.

c. Reason for decline always to be communicated:

It should be made mandatory to explain the reason of rejection to consumers. For ease of standardization, the regulator, in consultation with industry, could pre-define 5/10/15 categories of rejections. This should be applicable for all lending (digital or non-digital).

d. Selling allied products along with the loan:

It should be made mandatory to take the payment for allied/x-sell products separately from the consumers. This would ensure that consumers are completely aware of the products and want to take it and ready to pay for these instead of these getting debited from their final disbursal loan amounts.

e. Grievance Redressal Mechanism:

Similar to Banking and NBFC ecosystem, there should be defined timelines, escalation mechanism for any grievances. This information should be visible to the consumers on the platform.

f. Drive Consumer Awareness around borrowing, maintaining Credit health:

Given the lack of financial, credit awareness amongst larger population, a concerted effort to increase consumer awareness around borrowing and credit health would go a long way in building a healthier lending ecosystem.
20. To make new digital players survivable, there should not be any cap on pricing as of now and for regulator to watch the space carefully and intervene later if needed.
21. Certification of FPC by industry bodies like IBA, DLAI, FIDC or CERT-In at periodic intervals. The App stores can check for such certification before listing.
22. Based on learnings from the Code of Conduct as prescribed by Digital Lenders Association of Kenya, and Digital Lenders Association of India, a FPC for Digital Lending Associates (engaged by banks/ NBFCs) has been proposed. The 7 principles shall be –

Principle 1: Obligation to adhere to applicable law & regulations apart from industry norms

DLAs shall apply good market practices, industry customers and other commonly used industry guidelines, as long as they do not conflict with applicable laws and regulations

Principle 2: Responsible lending and affordability assessment

DLAs shall always uphold their responsibility to make fair income and affordability assessments of customer and to ensure that financial product and services, including the loan and all charges and fees, are not in excess of a customer’s capacity to pay.

Principle 3: Cooperation with Intermediaries

DLAs shall engage with their Intermediaries in a manner that the principle contained in this Code are duly adhered to even by the Intermediaries in their areas contributing to the overall digital lending activities of the DLAs

Principle 4: Transparency of Product, Pricing and Services

DLAs shall, during each activity related to the initiation, conclusion and performance of a digital loan agreement, provide comprehensive information on the rights and obligations of the customers, so as to enable them to make a conscious and unhampered decision regarding incurring and fulfilling the obligation.

Principle 5: Data Usage and Sharing

DLAs shall practice good faith and standards of due professional care in the collection, storage, use and sharing of personal data of customers.

Principle 6: Customer Management

DLAs shall adopt internal procedures in accordance with applicable laws, regulations and the principles of this Code regarding the consideration of customer complaints.

Principle 7: Fair treatment in Debt Servicing and Collection

DLAs and their debt collection providers shall be guided by their best knowledge and professionalism in the market, to ensure that debt collection activities are conducted in a fair and professional manner.
23. RBI must have sole authority to determine fair practice guidelines for lending apps in India.
24. Reduce asymmetry for borrowers – e.g.

a. enable platforms for syndicated loans for MSME/ micro-finance,

b. enable multiple loans from different financers against same collateral,

c. reducing costs for leads and legal/net-worth-vetting etc.: e.g. when loan is refused by one financer- minimize cost to borrow from another financer,

d. automatically develop credit history starting with micro-finance and beyond
25. Digital lending platforms should disclose in transparent manner terms and conditions of lending. Such lending platforms should ensure that identity theft of borrowers is avoided by incorporating proper authentication mechanism. Such platform should also ensure data privacy of the customers. IT security aspects of such digital platforms should be strengthened to meet the challenges emanating from innovative measures adopted by cyber fraudsters.
26. Existing redressal mechanisms like Banking Ombudsman (BO) could be strengthened by training and equipping the BOs with matters of privacy, data protection and other such dynamic issues. Running data analytics on the Complaint Management System (CMS) and using social media analytics to identify trends and taking suo moto action would help strengthen end user confidence.
27. All the stakeholders in the ecosystem need to uniformly follow the rules related to data privacy and must have clearly defined processes for collecting, processing, storing, and deleting the customer's data.
28. Institutions must provide a clear communication to the customer on how the data would be used. Tutorials/programs to provide these details to the customer should be encouraged. The customer should clearly know the risks associated with sharing of data and the remedial measures available through the institution.
29. The data being collected by DSAs (on behalf of lenders) should be limited in scope, used only for specific purposes for which the consent was taken, and any misuse thereof should be curtailed
30. Smaller NBFCs are the major originators of STPL and this step will deter regulated NBFCs that are either complicit or negligent of their digital channel partners. Further, the wait time of 30 days should be reduced to 15 days. Technology and automated processes could be deployed to look after the increased case load.
31. (a) Communicate the rate (including any fees) in the form of APR

(b) Capping interest rates especially for low ticket size, low tenure loans. Example – 75% for up to 3-month loans and 60% for above 3-month loans

(c) Proposed external agency to monitor the marketing of products

(d) NPCI-like external agency to approve the marketing, sales and development of such innovative products and supervise the execution.
32. As a part of the regulatory and supervisory framework, the following may be prescribed –

• Capping charges and interest rates

• Incorporation in India

• Tight relationship between NBFC/lenders and tech providers
33. Business Correspondent regulations may be reviewed and need to apply similar guidelines and responsibilities/ liability/ obligations to the agents of the NBFCs/ lenders
34. Following details should be displayed in mobile applications including Instant Loan Apps:

a) Name of NBFC with Registration & license number

b) details of MD/ Owner of app or NBFC

c) interest rate and other charges

d) model loan agreement

e) grievance redressal mechanism

f) Bank guidelines governed by them
35. Special REs to disclose upfront to the customer, the name of the primary bank/ NBFC
36. Regular RE to be held accountable for any malpractice from special REs. All customer correspondence to be cobranded communication to ensure full transparency to the customer
37. Setup a SRO for Lending App promoters.

The powers of the SRO can be stipulated by RBI and may have the following powers:

a) Identify fake/ unauthorised lending apps or websites by using the whitelist created.

b) Identify companies found indulging in malpractices/ harassment for recovery.

c) Report them to RBI
38. Applying yearly interest “APR” calculations to fees of much shorter duration is misleading.
39. Regulator to launch periodic consumer awareness programmes with respect to customers’ rights and duties in the field of unsecured credit
40. Create an industry wide grievance redress mechanism to be followed in the event of a customer complaint
41. Key loan terms (i.e. cost and time) to be clearly communicated upfront and to be shown fully calculated for the chosen loan amount.

Clear communication as to what final amount is to be paid out to the borrower in case certain amounts are to be deducted from the actual loan amount for whatever reason.
42. Limitations on penalty accruals
43. Requirement to disclose to credit consumers any third parties that may be involved by the lender in the loaning process.
44. • Rules and regulations should strongly support lawful and efficient collections

• All collection activity should be moved under the supervision of one dedicated regulator (RBI)

• All collection activity must strictly comply with criminal law

• Using the court and enforcement system should only be used as a last resort

• Awareness should be created amongst borrowers regarding negative consequences of delay and default of loans. Regulator to launch periodic consumer awareness programmes with respect to their data principal rights.

• Small delinquent claims are best dealt with (internal or external) pre-litigation collection.

Following measures may be taken:

1. All lenders and collection companies are to be properly incorporated and to have directors/senior executives pass a reasonable “fit and proper” criteria

2. Create a register of “approved” collection agencies or FinTechs that are mainly focussed on collections

3. Prescription that all collection staff are to a) have a clean criminal record b) have no negative credit bureau entry c) pass trainings and a test of basic knowledge of collection rules and ethical behaviour and practices

4. Regular internal and external audit procedures to ensure compliance with collection guidelines

5. Analogously to lending create a standardised collection complaints process

6. Phone calls, letters/ electronic communication and physical visits should be allowed to remind a debtor of his payment obligation and the possible legal consequence if he/ she fails to do so - but within a given timeframe (e.g. 6am to 10pm during workdays, 10am to 6pm during weekends and holidays)

7. All collection conversations are to be taped and stored for at least 3 months
45 For customer protection: Consent from the customer should be taken for the below mentioned points before taking underwriting data

- Loan application

- Loan scheme

- Access to phone data
46. Periodic Audit and Rating of the processes adapted by digital lending platforms to ensure hygiene and control can be a very important measure to address customer protection issues/ gaps.
47. Guidelines on customer education for the digital lending apps, for e.g., visibility of lending Partner’s name prominently on the confirmation page/ App/ Loan TnC (first page) of these digital lending apps
48. Applications on digital lending app/platform should be simple, easy to navigate and easy to download. Application should specify terms and conditions in simple language and bold fonts. Most Important Terms & conditions (MITC) should be prominently displayed and requested for acknowledgement. Loan statements should be simple and easy to understand for the customers.
49. • Lending should be linked to the credit bureau score of the borrowers or the lenders own assessment that should be clearly spelt out.

• Annual interest rate should be transparently quoted in the loan document.

• Repayment schedule should be mentioned in the loan document.

• Lending should be clearly related to a specific objective and to the monthly earning of the borrowers. Surplus available with the borrower, after meeting the regular requirements, must be assessed and only to that extent loan should be extended.

• Under Micro-finance regulations, indebtedness limit is given. Likewise, for personal loans, particularly those extended to certain segments of society such as farmers, labourers could be defined. Loan amount and repayment capacity should be correlated so that we can avoid the instances of over-indebtedness.

• Put in place an effective grievance redressal mechanism.

• Finally, the ‘Principals’ of these lenders should be responsible for their lenders and be liable for any wrong-doing by these outsourced entities.
50. 1. The regulator must err more on the side of consumer protection than worry about stifling innovation.

2. NBFCs that lend directly to borrowers through their own apps can take the lead and set an example for other Digital Lending Apps (DLA) to follow. This is one way of crowding in good business practices.

3. NBFCs lend their names and funds to DLAs and also enjoy the fruits of lending activity. Hence, it is the onus of regulated entities to ensure due diligence and ensure smooth and orderly conduct of lending and collection business.

4. The DLA are not from the financial sector but they have cracked the acquisition channel. They need to be educated about lending. Regulated entities need to devote time and resources to train and orient the DLA on the extant regulations, while also disassociating themselves from those that display errant behavior with customers.

5. All DLA that deal with money must display the bank/ NBFC certificate which also ensures moral responsibility of the regulated entities to the borrower.

6. ‘Mystery shopping’ should be employed to ensure that good practices and code of conduct are adhered to.

7. Other measures -

• Terms and conditions of the loan should be available in the borrower’s language. The language and the visual cues used have to be simple, easy to understand and the borrower’s consent taken that they have fully understood the terms and conditions.

• The annual percentage rate (APR) that is charged on the loan should be displayed in Font 12 on the telephone screen.

• Statutory warnings – similar to those displayed on cigarette packs – on the dangers of excessive borrowing should be part of the loan documentation and displayed in bold letters and bright colors.

• The regulator has to mandate clear interest rate ceilings and minimum repayment cycles with severe penalties, including revocation of license, for violations.

• It is imperative that the regulator comes up with a strong and capable customer grievance redressal mechanism. The consumer should have knowledge of the entire procedure of registering complaints along with the contact number to do so.

• Commercial entities will be fearful of the reputation risk, once reprimanded and fined publicly by the regulator. The regulator should not fight shy of resorting to that tactic to ensure consumer protection.

Play Store (Google, Apple etc.) – For financial products, including credit, that are sold through apps listed on their platforms, they can insist of fulfilment of conditions prior to featuring them on their platforms. Declarations of clear ownership of DLA with contact address, telephone numbers and proofs of address of promoters or owners of the app must be insisted. The NBFC parent that refinances the DLA must be required to provide a certificate of good governance on the part of DLA at the risk perjury. Similarly, both Google and Apple must insist on a set of declarations of ethical business practice from the DLA, again, at the risk of perjury. Regardless of enforcement, insistence of such declarations and self-certification will, in and of themselves, act as a deterrent.
51. • Mandate to reveal the true cost of lending at the time of origination of loans to the borrowers, including break up of interest rates and fees.

• Periodic audits to ensure compliance to extant outsourcing guidelines.

• Prevent misuse of customer data by recovery agents through restricted data access, formal training and robust grievance redressal mechanism

• Mandate integration of educational messages in digital product design to report unfair collection practices. Monitor the same through Ombudsman/Independent Committee

• Guidelines to ensure misleading information is not used in marketing

Other Aspects
Sr. No. Feedback from Stakeholders
1. Prohibition on usage of misleading terms like ‘bank’ and ‘banking’ by platforms either as a part of their names or URL. Marketing material being used should not be misleading.
2. Any contravention of the minimum requirements by such platforms must be immediately reported by banks and NBFCs to RBI.
3. Consumer Education

• Lead to be taken by industry bodies like DLAI

• NGOs in the financial space can be engaged
4. Regulatory Sandbox - Leverage regulatory sandbox for digital banks to assess the viability, risks, scalability, and adequacy of extant regulatory and supervisory framework.
5. Regulatory Sandbox - Encourage more participation to promote innovation in technology
6. Financial Literacy – Use of targeted interventions and technological innovations.
7. • Continuous interactions with law enforcement agencies such as police may give valuable insight to the problem and necessary market intelligence.

• Institutional mechanism may be put in place to pass on loan application not sanctioned by one institution for consideration by another based on their own risk appetite. This shall help in expanding the institutional credit reach to more consumers.
8. One NBFC should use only one application and only such app should be available in Google/ Apple App Store and it should not be kept in standalone files, which can be forwarded and downloaded.
9. Many foreigners are coming on business visa and starting business in India. RBI can monitor such foreigners coming on business visa and doing illegal business. A coordination and information sharing mechanism between the Ministry of Corporate Affairs, Intelligence Bureau, RBI and the State Police can be established.
10. RBI should develop a platform. This platform is where the customer can give all data and the concerned FinTech company can only get this data with proper anonymizing and develop their underwriting model. This way, the FinTech company will not have direct knowledge of who these customers are.
11. It should be mandatory to have the physical address in app store, which is verifiable. they should have board member whose details should be online, and they should be made accountable.
12. Define clear roles in the lending ecosystems for different players
13. • Mandatory checking of credit score with a CIC for assessment

• Reporting of all loans (including in co-lending model) even short tenure by leveraging APIs to prevent loan stacking

• Loan repayment and delinquency to be reported on a weekly basis

• Details of loan tenure, interest, borrower’s income and employment type should also be reported to help analyse state of digital lending

• Instances of credit enquiry by one entity, disbursal by another, and collection by a third one should be avoided as it makes it difficult to trace the loan.
14. Details of loan tenure, interest, borrower’s income and employment type should also be reported to help analyse state of digital lending. Reporting should be mandated under Credit Information Companies (Regulation) Act, 2005.
15. In coordination with FIU, a close watch should be maintained on receipts and payments and financial transactions of such Foreign nationals.
16. RBI should conduct bi-monthly coordination meetings with all the stakeholders, region-wise regarding financial frauds and measures to prevent them. RBI should also conduct meetings with DGP, State CID/EOW heads, Police Commissioners on this.
17. RBI should provide wide publicity about emerging financial frauds and Cyber Crime frauds in print/visual/audio mode in national and regional language. RBI should communicate any circular or guidelines issued in the interest of public to the law enforcing agencies in concerned State and to major Police Commissionerates.
18. RBI should appoint Nodal Officers to coordinate with all agencies including law enforcement agencies.
19. RBI should forward complaints, if any, received in respect of financial frauds to the law enforcing agencies of concerned state to all the Commissionerates to take pre-empt measures.
20. Industry bodies may maintain a central registry of recognized lending apps/agents
21. The personal insolvency rules under IBC need to be notified to help lenders file for personal bankruptcy proceedings against retail borrowers. There would be a process for the designated Court to appoint a receiver to take possession of the assets of the debtor and distribute them among the creditors. Inputs from legal Department can be taken and a Model Code may be proposed. This would be a deterrent for wilful defaulters.
22. Retail borrowing for personal and home loans should be kept out of the purview of restructuring guidelines.
23. Demand-side measures like financial literacy should complement the supply-side enforcement of applicable Law. Create awareness on the available options for lending through digital channels and support in the creation of information about the ecosystem
24. RBI should encourage competition and innovation such that alternate products that offer the consumers the same benefit at improved access, lesser cost, or lesser risk are available in the financial marketplace.
25. Correct consumer issues in Credit Cards:

(i) Payment Mandates at the time of issuance: Almost all the personal loans require customers to give bank mandates to pay future EMIs. Similar mandates should be necessitated for credit card payments to ensure customers do not miss payments and incur high costs.

(ii) Fees should not go into revolver calculation and not have interest cost: Fees should not get clubbed with spend balances for revolve calculation and should never bear interest. It could have a reasonable simple separate late payment charge on fee which is easier to understand.

(iii) Correct complexities regarding Cash advance: Cash advances must not carry interest balance from day zero and actually be treated like a spend balance. To discourage too much cash advances, a reasonable cash transaction fee however must be continued
26. Encourage informal sector to get semi-regulated on such formal platforms to provide loans for high-risk proposals.
27. Expand ability of formal sector to increase FI in lending, without significant increase in risk.
28. There is a need to have close coordination with the law enforcement agencies to understand the big picture and to ensure such instances are detected early.
29. a) Bureaus are engaging in monopolistic practices because of lack of competition and are charging obnoxious rates for passing certain information like total loans and overdue loans etc. which is passed on by NBFCs/ digital lenders only to them

b) Bureaus to be nudged/ mandated by the regulator to charge only a nominal cost for certain non-proprietary information like total outstanding and overdue loans.

c) The same will be supremely useful for digital lenders who are paying a fixed cost per file irrespective of the ticket size of the loan and is eventually getting passed onto consumers in form of high processing fee.
30. Suggestions to strengthen the ecosystem for a robust and secure digital delivery system -

a) Increase the coverage & limits on UPI based mandate for EMI payments. The present limit is Rs. 2,000/- and the Banks covered in this are limited.

b) Restart Aadhaar based E-KYC for NBFCs

c) Direct debit mandate set up with banks may be allowed for a seamless process

d) Certain procedural improvements on mandate setup and presentations of EMIs etc. are in the works at NPCI:

i) Aadhaar based mandate set up through NPCI needs to be improved for a frictionless process for customers. The response time from NPCI for such mandate set up are presently T+2 days depending on bank to bank. This needs to be improved and should be uniform across banks. Ideally the same should be real time.

ii) Response time on presentations done for mandates set up is between 1-2 days depending on Bank to Bank. A quicker response time will help in curtailing risk for lenders and thereby expand market with greater confidence

e) Increased access to Customer Information with their due consent will allow lenders to fine tune their credit decision models and have better response time for approval of loans:

f) Banking information of the customers in seamless digital mode across all bank accounts maintained by the customer through a centralized agency.

g) Telecom and utility bills of consumers for verifications (for limited purpose of address validations).

h) Investment holding of customers in demat/ mutual funds/insurance.

i) GST and MCA records for business entities.
31. Effective supervision should be preferred over creation of new regulation. The recent reports highlighted two types of bad actors: unregulated lenders (that were engaged in illegal lending), and regulated entities that acted in violation of the Applicable Law. Hence, coordination with law enforcement for the former and stricter implementation of Outsourcing Guidelines for the latter are needed. Further, Google/Apple which operate play stores and payment gateways can be roped in for better monitoring and control. Creation of new regulation for DSAs will not help mitigate the current risks.
32. Demand-side campaigns like financial literacy should complement supply-side enforcement of applicable/ extant laws
33. Promote competition and innovation in the ecosystem to organically reduce small ticket personal loans (STPL). Other financial products like Buy Now Pay Later, earned wage access (a factoring for wages) etc. can be substitutes to STPL, especially for the working-class demographic (18-30 years), and help avoid the perils of STPL. Having a proliferation of options to avail of these substitutes will organically wean customers away from the STPLs and reduce the scope of potential harm.
34. Creation of a digital lending standing group with adequate industry representation for taking a long-term view on the innovations in the space.
35. Creation of Early Warning Systems

Special cells within the regulator or such similar mechanisms in coordination with the stakeholders (like FinTech industry, banks, police, civic bodies) that can identify similar risks in advance.
36. The collection agencies/ agents hired by the digital lenders should be mandated to clear Debt Recovery Agent examination/ training (based on the guidelines from the IIBF), which is currently applicable to collection agencies of Banks and NBFC’s. This training should be imparted by an IIBF approved institute only. All the digital lenders should adhere to the collection guidelines issued by the RBI.
37. In order to improve the quality of underwriting, lender may be provided access to the below information sources:

a. Telecommunication providers

b. Smartphones and their operating systems

c. Credit Bureaus

d. Social Networks

e. MFIs

f. Insurance companies

g. ARCs/ collection agency data
38. Continued support of Digilocker as repository of document across all institutions
39. Digital lenders can be used as a medium to provide credit bureau education to customers in simple and easy terminology which can enhance customers understanding on maintaining a good credit history.
40. Responsible Digital Lenders can set up a SRO that can evolve a code of good conduct and ethical lending and collection practices for digital lenders.
41. • There is a strong need to set up an SRO under the supervision of RBI with representation from key industry players. Wide range of compliance related matters including stability of the tech process and underwriting models, customer privacy and data protection, usurious lending practices, and unlawful collection practices could be brought under the ambit of the SRO. A well-coordinated task force is required under the SRO that operates in tandem with eco-system that facilitates these apps like Google/ iOS Playstore, telecom operators and local law enforcement agencies to regulate and prevent unlawful operations of rogue entities.

• Credit bureau reports of customers should be accessible only to regulated entities like banks/ NBFCs.

Annex B - Details of Interfaces and List of Entities

Details of interfaces

1. Commissioner of Police, Cyberabad Commissionerate, Hyderabad

2. Chief Technology Officer, State Bank of India

3. Chief Technology Officer, ICICI Bank Limited

4. Deputy Commissioner of Police, Cyber Cell, Mumbai

5. Shri Naveen Kukreja, Founder & CEO,

6. Shri Achal Mittal, CEO, NDX P2P Private Limited

7. Shri Dilip Asbe, MD & CEO, National Payments Corporation of India

8. Shri Aman Jain, MD & Business Head, Google India

9. Digital Lenders Association of India

10. FinTech Association for Consumer Empowerment

List of various entities/ individuals that provided their inputs to the Working Group

1. Smt Koduri Nikhila, Regional Director, Hyderabad Regional Office, Reserve Bank of India

2. Dr. Snehal Herwadkar, Director, DEPR, Reserve Bank of India

3. Shri Sathyan David, Retired Chief General Manager, Reserve Bank of India

4. Shri G N Rath, Retired General Manager, Reserve Bank of India

5. Indian Cyber Crime Coordination Centre, Ministry of Home Affairs

6. Chief Secretary, Government of Telangana

7. Commissioner of Police, Cyberabad Commissionerate, Hyderabad

8. Vidhi Centre for Legal Policy

9. Digital Lenders Association of India

10. FinTech Association for Consumer Empowerment

11. Shri Ashish Kohli, CEO, Kreditech Financial Services Private Limited

12. Shri Dilip Asbe, MD & CEO, National Payment Corporation of India

13. Prof. D. Janakiram, Director, Institute for Development and Research in Banking Technology

14. Shri V.V. Balaji, Head, Chief Technology Officer, ICICI Bank Limited

15. Shri Nandkumar Saravade, CEO, Reserve Bank Information Technology Private Limited

16. Chief Technology Officer, State Bank of India

17. Shri Achal Mittal, Co-founder & CEO, CEO, NDX P2P Private Limited

18. Shri Hardeep Singh, Legal and Policy, CRED

19. Transunion CIBIL

20. Shri Rajeev Jain, MD, Bajaj Finserv

21. DMI Finance Private Limited

22. Kudos Finance and Investments Private Limited

23. Abhijit Bose, Chief Credit Officer, DCB Bank Limited

24. Shri Pulak Ghosh, Professor, IIM-Bangalore

25. Dr. Anantha Nageswaran, Part-Time Member, PM’s Economic Advisory Council

26. Amazon Web Services

27. Shri Srinivas Yanamandra, Chief Compliance Officer, New Development Bank

28. Shri Ramgopal Subramani, Chief Operating Officer, Perfios Software Solutions Private Limited

29. Shri Naveen Kukreja, CEO, Paisa Bazaar

30. Shri Gaurav Chopra, Payments Council of India

31. Premji Invest


33. Indicus Centre for Financial Inclusion

34. Indian Lenders Association

Annex C - Extracts of Sample Survey Data on Digital Lending

Information collected from 76 scheduled commercial banks (48 submitted nil information) and 75 NBFCs (13 submitted nil information)

I. Scheduled Commercial Banks (Individual data for 28 banks)

Total amount disbursed through digital channels (Rs. in crore) Total number of loans disbursed through digital channels
FY 2017 FY 2018 FY 2019 FY 2020 As on Dec 31, 2020 FY 2017 FY 2018 FY 2019 FY 2020 As on Dec 31, 2020
288 3 120 134 29 1373 32 359 774 238
- 1175 7713 16453 17789 - 55603 299226 694265 758421
- - 1594 2972 1621 - - 5998 13504 105150
- - - - 3 - - - - 861
32 683 2638 2111 1549 606 4108 16410 19568 10585
193 211 694 1739 5351 29008 40230 91799 249317 685948
- - - - 19 - - - 23 2287
- - 77 153 111 - 3 8846 19119 14846
- - - - 11 - - - - 10376
66 230 602 1,332 1,619 4387 20940 36726 90914 145295
10074 22184 29428 38624 38,206 941537 1476016 2159075 2722959 2582300
- - - 569 1241 - - - 721228 1309069
- - - - 15 - - - - 94
81 491 669 926 475 3260 22901 33691 50705 17829
- - 1835 2846 1,720 - - 39635 57317 35896
- 442 1559 1,522 1,025 - 15486 41513 33728 20911
- - - 128 696 - - - 1117 5360
84 474 851 953 835 4929 30934 69024 82993 75748
- - 1035 4880 12151 - - 8438 31763 2250060
- - 410 524 610 - - 410 524 610
- - - - 2 - - - - 191
- 5 33 94 110 - 390 1832 4436 5118
- - - - 1,065 - - - - 18421
15 123 398 495 481 99 2689 8887 11715 11645
- 12 4137 10054 16467 - 2482 327346 787775 1152497
- - - - 1 - - - - 170
96 314 5488 12283 9108 3984 11412 192959 487972 164402
- - - - 48 - - - - 5521

II. NBFCS (Individual data for 62 NBFCs)

Total amount disbursed through digital channels (Rs. in crore) Total number of loans disbursed through digital channels
FY 2017 FY 2018 FY 2019 FY 2020 as on Dec 31, 2020 FY 2017 FY 2018 FY 2019 FY 2020 As on Dec 31, 2020
1 19 25 28 1000 23 729 1021 4434 121087
3 26 180 331 97 563 6893 86135 520447 210088
- - - - 5 - - - - 9400
- - - - 152 - - - - 1810
- 4 5 8 34 - 2494 3446 4842 117754
16 18 15 18 7 8472 8271 5089 7736 3052
- - - - 63 - - - - 72638
2 3 5 13 3 156 209 223 8699 4620
- - 52 12 64 - - 99720 25469 125189
21 113 2905 4852 2337 10552 63038 1940802 3425019 -
NA 285 509 849 303 - 126857 184655 221427 72052
- - 28 53 3 - - 711 1377 57
- - 121 594 348 - - 56632 1106085 3574496
- 1 9 16 26 - 983 7631 8721 17335
- 230 1627 3730 2227 - 100954 986666 3200943 2094517
12 189 751 1302 485 2398 33949 432837 682370 168832
- - - - 1 - - - - 6147
9 16 35 53 38 558 1876 3820 4834 2868
- - - 111 53 - - - 101278 61708
62 715 1463 1969 1902 28613 297209 540810 650901 568405
- 1 620 4354 4374 - 161 229407 2544056 2357285
18 16 13 4 531 291 563 413 129 17756
- - 2 46 48 - 38 284 4670 4992
- - - - 31 - - - - 11059
- 8 55 133 37 - 3541 14677 26279 15523
- 1 3 7 3 33 70 175 439 66
- - - - - - 1 62 89 37
2 1 1 2 1 108 137 308 442 140
- 5 22 17 6 - 5615 29455 22330 8367
68 517 992 593 282 9505 164733 580594 98725 124254
- 179 348 813 492 11 12479 172018 498974 420160
  4 126 733 755 - 58177 1228078 6186769 5902781
- - - - 1 - - - - 6098
- - - 9 5 - - - 17732 9784
- - - 24 320 - - - 150814 763323
- - - 40 75 - - - 18144 20876
- - - 935 989 - - - 2000245 2266004
355 801 1680 2365 560 7530 13391 28936 52835 8589
- - - 1 - - - - 2830 -
- - - 116 3 - - - 6505 177
- - - 6 35 - - - 4801 20222
- - - 0 2 - - - - 223
8 29 23 36 494 28717 88516 43006 46484 125134
72 77 74 143 24 633 605 767 1825 297
27 151 173 498 493 161 2288 12194 124971 1236317
- - 9 9401 742 - - 36189 19012913 970389
51 36 39 22 116 30 19612 18963 22720 409645
- - 4 187 257 - - 34934 641909 656355
- - - 643 981 - - - 1091558 2149805
- - - 6 20 - - - 55001 164852
- - 24 125 117 - - 2833 40358 30675
2 20 285 1329 992 518 8149 201164 1100056 964278
- - - 3 9 - - - 51 391
- - - 2 9 - - - 478 2300
- 52 1125 6162 871 - 173775 2623942 10562631 1178446
12 17 8 36 167 2716 3237 1528 12408 127009
- - - 21 224 - - - 280076 393460
- 9 21 28 1 - 7172 12532 30017 1838
- - - 25 56 - - - 41920 67835
- - - - 36 - - - - 91917
- - 5 131 214 - - 12589 283764 439832
- - - 95 14 - - - 437625 91416

III. Product mix based on loan purpose (as on December 31, 2020)

Purpose of the loan Scheduled Commercial Banks NBFCs
Amount disbursed
(in Rs. crore)
Number of loans Amount disbursed
(in Rs. crore)
Number of loans
Personal loans 57086 3493449 12200 16077212
Vehicle Loans 4487 235695 111 57064
Gold loans 401 37380 23 2086
SME loans 18528 310492 1737 218555
Buy Now Pay Later 822 3600646 487 3628970
Others 31033 2011975 8980 10489660

IV. Tenure wise distribution of loans and amount disbursed (in Rs. crore) through digital channels (as on December 31, 2020)

Tenure Scheduled Commercial Banks NBFCs
Upto 30 days 758 8827
31-60 days 321 683
61-90 days 6167 1718
91 days to one year 7075 6920
More than one year 98036 5390

Annex D - List of Money Lending Laws in India

S. No. State Legislation
1 Himachal Pradesh HP Money Lenders Act 1976
2 Punjab The Punjab Registration of Money-Lenders Act, 1938
3 Haryana Adopted Punjab Legislation vide Haryana Adaptation of Laws Order, 1968
4 Rajasthan Rajasthan Money Lenders Act, 1963
5 Uttar Pradesh Uttar Pradesh Regulation of Money Lending Act, 1976
6 Uttarakhand Same as Uttar Pradesh
7 Gujarat Gujarat Money Lenders Act 2011
8 Kerala Kerala Money Lenders Act, 1958
9 Tamil Nadu Tamil Nadu Money Lenders Act, 1957
10 Maharashtra Maharashtra Money lender's Act
11 Andhra Pradesh Andhra Pradesh (Telangana Area) Money Lenders Act, 1349
12 Telangana Andhra Pradesh (Telangana Area) Money Lenders Act, 1349
13 West Bengal Bengal Money-Lenders Act, 1940
14 Odisha Orissa Money Lenders Act, 1939
15 Bihar Bihar Money Lenders Act, 1974
16 Karnataka Karnataka Money Lenders Act, 1961
17 Madhya Pradesh Madhya Pradesh Money Lenders Act
18 Chhattisgarh Same as M.P.
19 Assam The Assam Money Lenders Act, 1934
20 Tripura Tripura Moneylenders Act, 2009
21 Nagaland Nagaland Money Lenders Act, 2005
22 Mizoram The Mizoram Money Lenders' Act, 2010

Annex E - Global Practice in STCC Regulation

Short-term high-cost consumer credit: the description adopted by FinCoNet and examples from selected jurisdictions

Short-term high-cost credit has been described by FinCoNet (FinCoNet, 2017) as the practice of lending to consumers:

  • amounts of money that are small relative to other forms of credit in the market,

  • for short periods of time (most commonly for durations of under 12 months),

  • at a rate that is considered to be high compared with other credit products available to consumers in their jurisdiction.

Short-term high-cost credit products are referred to in different ways and display different features among responding jurisdictions: short-term high-cost credit, high-cost short-term credit, payday loans, home-collected credit, small amount credit contracts (SACCs), short- term small-dollar credit (STSDC) or moneylending agreements. Their duration can vary from a few days and up to the following payday (payday loans), to a few months and up to a year repayable through instalments. Some jurisdictions consider also overdraft facilities and credit card debt as being short-term high-cost credit.

Some jurisdictions have adopted a codified definition of specific categories of short-term high-cost consumer credit provided by specialised lenders in their markets. The definitions are based on elements such as the duration of the credit agreement, the amount borrowed, or the applicable interest rate. The examples of Australia, Canada, Denmark, Ireland, the Netherlands, South Africa, the United Kingdom and the United States presented below provide an indication of the variation of what is considered short-term high-cost credit among the jurisdictions covered by this report.


In Australia, specific measures were implemented in 2013 to regulate the short-term consumer credit market (Australian Government, 2009). The National Consumer Credit Protection Act of 2009 prohibits loans for up to AUS 2000 with a term of 15 days or less (which are defined “short-term credit”), and authorises Small Amount Credit Contracts (SACC). A SACC is defined as a contract that:

  • is not a continuing credit contract and is unsecured;

  • is not provided by an authorised deposit-taking institution (ADI);

  • has a credit limit of AUS 2000 or less; and

  • has a term between 16 days and one year.

The Act also establishes Medium Amount Credit Contracts (MACC), being loans with credit limits between AUS 2001 and AUS 5000, which are not offered by an ADI or a continuing credit contract and have a term of between 16 days and 2 years.


In Canada, there is no general definition of high-cost shorter-term credit. However, federal legislation provides a definition of “payday loan”, a specific type of short-term high-cost credit. Regulation of certain payday loans is at the Provincial (State) level for Provinces designated by the Governor in Council. To be designated, a province must enact legislative measures that “protect recipients of payday loans and that provide for limits on the total cost of borrowing under the agreements.” For Provinces that have not been designated, payday loans are governed by the generally applicable criminal rate of interest provisions of the federal Criminal Code.


In Denmark the Consumer Credit Act of 2013 (Danish Competition and Consumer Authority, 2013) defines short-term credit as a credit agreement concluded between a consumer and a creditor who is not a bank, without collateral, without condition of purchase of product or service, and whose term is maximum 3 months.


The Irish Consumer Credit Act (Government of Ireland, 1995) opts for the definition “moneylending”, and defines a moneylending agreement as a credit agreement into which a moneylender enters, or offers to enter, with a consumer in which one or more of the following apply:

• the agreement was concluded away from the business premises of the moneylender or the business premises of the supplier of goods or services under the agreement;

• any negotiations for, or in relation to the credit were conducted at a place other than the business premises of the moneylender or the business premises of the supplier of goods or services under the agreement;

• repayments under the agreement will, or may, be paid by the consumer to the moneylender or his representative at any place other than the business premises of the moneylender or the business premises of the supplier of goods or services under the agreement; or

• where the total cost of credit to the consumer under the agreement is in excess of an APR of 23 per cent., or such other rate as may be prescribed by the Minister for Finance.

The Netherlands

In the Netherlands, short-term consumer credit is defined by the Dutch Authority for the Financial Markets as a consumer credit agreement which has to be paid back within 3 months, involving costs that exceed the statutory cost cap of 14% APR.

South Africa

The National Credit Act (Republic of South Africa, 2005) defines short term credit transactions as credit transactions:

• in respect of a deferred amount at inception of the agreement not exceeding ZAR 8000; and

• in terms of which the whole amount is repayable within a period not exceeding 6 months.

United Kingdom

The Financial Conduct Authority defines high-cost short-term credit in its Handbook of rules and guidance as a regulated credit agreement:

• which is a borrower-lender agreement or a P2P agreement;

• in relation to which the APR is equal to or exceeds 100%;

• either:

1. in relation to which a financial promotion indicates (by express words or otherwise) that the credit is to be provided for any period up to a maximum of 12 months or otherwise indicated (by express words or otherwise) that the credit is to be provided for a short term; or

2. under which the credit is due to be repaid or substantially repaid within a maximum of 12 months of the date on which the credit is advanced

• which is not secured by a mortgage, charge or pledge; and

• which is not:

3. a credit agreement in relation to which the lender is a community finance organisation; or

4. a home credit loan agreement, a bill of sale loan agreement or a borrower-lender agreement enabling a borrower to overdraw on a current account or arising where the holder of a current account overdraws on the account without a pre-arranged overdraft or exceeds a pre-arranged overdraft limit.

The above definition is largely limited to payday loans. In addition, the FCA regulates other forms of high-cost short-term credit, including home-collected credit.

United States

In the United States, the Financial Consumer Protection Bureau is currently considering the introduction of stricter rules on short-term credit at the Federal level. A definition that is valid at the Federal level can be found in the CFPB Rule applying to short-term credit issued in October 2017 (CFPB, 2017). These are defined as short-term loans that have terms of 45 days or less, including typical 14-day and 30-day payday loans, as well as short-term vehicle title loans that are usually made for 30-day terms. The rule excludes or exempts several types of consumer credit, including: (1) loans extended solely to finance the purchase of a car or other consumer good in which the good secures the loan; (2) home mortgages and other loans secured by real property or a dwelling if recorded or perfected; (3) credit cards; (4) student loans; (5) non-recourse pawn loans; (6) overdraft services and lines of credit; (7) wage advance programs; (8) no-cost advances; (9) alternative loans (similar to loans made under the Payday Alternative Loan program administered by the National Credit Union Administration); and (10) accommodation loans.

Source: SHORT-TERM CONSUMER CREDIT - Provision, regulatory coverage and policy responses. Joint report by the G20 OECD Task Force on Financial Consumer Protection, FinCoNet and the OECD International Network on Financial Education, 2019

Annex G - List of Statutes dealing with Usurious Interest Rates

Act Purpose Applicability and extent Section
a. The Usurious Loans Act, 1918: To give additional powers to Courts to deal in certain cases with usurious loans of money or in kind It extends to whole of India50 Section 3 empowers Courts in any suit to determine whether the interest charged is excessive. The explanation of the Section 3(2) provides the guidelines to determine what is excessive and what factors to be considered by the Court to determine whether excessive or not.51
b. The Tamil Nadu Prohibition of Charging Exorbitant Interest Act, 2003 An Act to prohibit the charging of exorbitant interest by any person It extends to the whole of the State of Tamil Nadu Section 3: No person shall charge exorbitant interest on any loan advanced by him.

Section 4: Notwithstanding anything contained in the Money-lenders Act, whoever contravenes the provisions of section 3 or molests or abets the molestation of any debtor for recovery of any loan shall be punishable with imprisonment for a term which may extend to three years and also with fine which may extend to thirty thousand rupees.

Further, Tamil Nadu Money-Lenders Act, 1957 excludes advance made by a bank or a Co-operative society from the definition of Loan Section 2(6).

Section 2(8) excludes Bank and Cooperative societies from the definition of Money Lenders.
c. Kerala Prohibition of Charging Exorbitant Interest Act, 2012 An Act to prohibit lending of money for exorbitant interest and to provide for stringent punishment for charging exorbitant interest in the money lending business in the State of Kerala It extends to the whole of the State of Kerala Section 3: No person shall charge exorbitant interest on any loan advanced by him.

Section 9 provides penalty for contravention of provisions of section 3 with imprisonment and fine52

The Act Also states that the words and expression not defined in the Act but defined in the Kerala Money-Lenders Act, 1958 shall have the same meaning.

Section 2(5) of the Kerala Money Lenders Act excludes advance made by a bank or a Co-operative society from the definition of Loan

Section 2(7) excludes Bank and Cooperative societies from the definition of Money Lenders
d. The Maharashtra Money-Lending (Regulation) Act, 2014 To regulate the transactions of money-lending in the State of Maharashtra It extends to the whole of the State of Maharashtra.

It excludes Banks, NBFCs from the definition of Money lenders (Section 2(14)
Section 31 empowers the State to fix the maximum rates of interest to be charged by a money-lender in respect of secured loan and unsecured loan

Section 35 empowers Court to reopen the transaction and reduce the amount charged in case excess interest is charged53
e. The Rajasthan Money-Lenders Act, 1963 To make better provision for the regulation and control of transactions of money-lending in the State of Rajasthan It extends to State of Rajasthan.

It excludes from the definition of Loan in Section 2(9) the loans given or taken by Banks/ Cooperative Societies.

Section 2(10) excludes Banking Companies as defined under Section 5 of the BR Act, from the definition of Money lenders
Section 29 puts limitation on rates of interest. 29(1) The State Government may, from time to time, by notification in the Official Gazette, fix the maximum rates of simple interest for any class of business of money-lending in respect of secured and unsecured loan. (2) No money-lender shall charge or receive from a debtor interest at a rate exceeding the maximum rate fixed by the State Government under sub section (1)

Section 33 provides for Reopening of transactions or accounts already taken — Notwithstanding anything contained in any law for the time being in force, the court shall, in any suit to which this Act applies, whether heard ex party or otherwise. (a) re-open any transaction or any account already taken between; the parties; (b) taken account between the parties; (c) reduce the amount charged to the debtor in respect of any excessive interest;
f. The Uttar Pradesh Regulation of Money-Lending Act, 1976 For the regulation of money-lending transactions and for the registration of money-lenders, and for matters connected therewith, or incidental thereto Not applicable to loan or advance by or any deposit with any bank or a co-operative society

Extends to whole of UP
Section 12 empowers The State Government, after considering the rate of interest normally charged by a scheduled bank for commercial loans, to notify the maximum rates of interest that may be charged by money-lenders
g. The Punjab Registration of Money-lender's Act, 1938 To register money-lenders and to regulate their business Extends to whole of Punjab Section 2(8) excludes a loan advanced by a bank, a co-operative Society from definition of loans

Section 6 provides that a moneylender's license may be cancelled by the Collector, if it has been found by a Court that he has charged higher rates of interest than those prescribed under Section 5 of the Punjab Relief of Indebtedness Act in more than one suit.
h. Assam Money Lenders Act, 1934 For more effectual control of money-lending in Assam Extends to Assam Section 2(3) excludes a loan advanced by a bank, a co-operative Society from definition of loans.

Section 4 provides for prohibition of compound interest

Section 9 bars to recovery of interest exceeding the principal.
i. Bengal Money-Lenders Act, 1940 To make further and better provision for the control of money-lenders and for the regulation and control of money-lending in the State of West Bengal. Extends to State of West Bengal but it shall not apply to the Reserve Bank of India constituted by the Reserve Bank of India Act, 1934(Section 1(2)) Section 2(12) excludes a loan advanced by a bank, a co-operative Society from definition of loans.

Section 30 provides for limitations as to amount and rate of interest recoverable.54

By section 45A it has repealed the Usurious Loans Act, 1918 in respect of money lending transactions falling within the purview of the Bengal Moneylenders Act.
j. The Nagaland Money Lenders Act, 2005 To regulate and control the business of money lending in the State of Nagaland Extends to whole of India Section 2(9) excludes a loan advanced by a bank/ Company from definition of loans.

Section 2(10) excludes banks or company from the definition of money lenders

Section 20 provides penalty for molestation of debtor
k. The Orissa Money-lenders' Act, 1939 To regulate money-lending transactions and to grant relief to debtors in the State of Orissa. Extends to State of Orrisa Section 2(4) excludes Bank or Co-operative Society from the definition of money lenders

Section 7C provides that no money-lender shall recover towards the interest in respect of any loan advanced by him, an amount in excess of the amount of the principal

Section 7 D provides that any loan in respect of which the money-lender has realised from the debtor an amount equal to, or more than twice the amount of the principal, shall stand discharged and the amount, if any, so realised in excess of twice the amount of loan shall be refunded by the money-lender to the debtor.

Section 9 provides that no Court shall pass a decree for interest at rates exceeding 9 per centum in the case of a secured loan and 12 per centum simple per annum in the case of unsecured loan.

Section 11 provides for power of Courts to re-open certain transactions and appropriate excess interest towards loans
l. Bihar Money-Lenders Act, 1974 To consolidate and amend the law relating to regulation of money lending transactions and to grant relief to debtors in the State of Bihar. Extends to state of Bihar Section 2(j) excludes a loan advanced by a banks, cooperative societies and companies from definition of loans.

Section 13 provides power of Court to re-open certain transaction and relieve the debtor of all liability in respect of any simple interest in excess of twelve per centum per annum in the case of secured loan and fifteen per centum per annum in the case of an unsecured loan;
m. Gujarat Money lenders Act 2011 To regulate transactions of money lending in Gujarat   Section 2(9) excludes a loan advanced by a banks, cooperative societies and companies from definition of loans.

Section 28 provides that no Court shall pass a decree for interest greater than principal

Section 30 provides power of Court to re-open certain transaction and reduce the amount charged in case of excessive interest
n. Goa Money Lenders and Accredited Loan Providers Act, 2013 For protecting the interests of borrowers, for regulating the transactions of money lending and for securing more transparency in such transactions in the State of Goa Extends to Goa Section 2(j) excludes a loan advanced by banks, cooperative societies and NBFCs from definition of loans including a loan advanced by any institution, --

(a) established by or under an Act of Parliament or the Legislature of State, which grants any loan or advance in pursuance of the provisions of that Act; or

(b) notified in this behalf by the Government, in consultation with the Reserve Bank of India

Section 18 provides for limitation on rates of interest charged by money lenders and accredited loan providers. (1) The Government may from time to time by notification in the Official Gazette, specify the maximum rates of interest for any local area chargeable by money lenders and accredited loan providers and separate rates of interests may be specified in respect of secured and unsecured loans.

(2) If any money lender or accredited loan provider charges or receives from a borrower interest at a rate exceeding the maximum rate fixed by the Government under sub-section (1), he shall be liable for penalty as specified in section 24.

(3) The maximum rate of interest notified by the Government under sub-section (1), shall be calculated by taking into account the interest rate trends, cost of transactions, cost of the capital, the risk premium and the administrative expenses associated with such loans.

Section 19 provides that no money lender or accredited loan provider shall recover towards the interest in respect of any loans advanced by him, an amount in excess of the principal amount

Section 22 provides penalty for molestation
o. The M.P. Moneylenders Act, 1934 To regulate the transactions of money lending in Madhya Pradesh Extends to Madhya Pradesh

The Act is not applicable to such other financing institution in the public sector which is :-(i) established by or under the Central or State Law for the time being in force; and

(ii) controlled or managed by the Central Government or the State Government, as the State Government may, by notification, specify.
Section 2(vii) excludes a loan advanced by a bank, cooperative societies or a company from definition of loans
p. Andhra Pradesh (Telangana Area) Money Lenders Act, 1349 F To regulate the transactions of money lending and to make better provisions for its control Extends to Telangana area of the State of Andhra Pradesh Section 2(iv) excludes a loan advanced by a bank, cooperative societies or a company from definition of loans

Section 11 gives power of Court to limit interest due in certain cases. It states that no Court shall be competent to pass a decree for a sum exceeding the principal on account of any outstanding interest in respect of a loan advanced to cultivator or labourer before the commencement of this Act.

Section 10 provides for Computation of interest. - (1) The Government may fix the maximum rate of interest for any local area of class of business of money lending in respect of secured loans and unsecured loans

Section 11

(2) provides that In an inquiry under sub section (1) into the loan advanced to a cultivator or a labourer, the outstanding interest shall be computed in the following manner inter alia, in the account of interest upto the date on which this Act comes into force, simple interest on the balance of principal shall be calculated at the rate agreed between the parties, provided that it does not exceed nine per cent per annum in the case of secured loan and twelve per cent per annum in the case of unsecured loan, and, from the date on which this Act comes into force upto 18th Khurdad 1355 F, the rate of interest shall not exceed nine per cent per annum and twelve per cent per annum respectively. From 18th Khurdad 1355 F., the rate of interest shall not exceed six per cent per annum and nine per cent per annum respectively;

Section10 (1B) provides that whoever, being a money lender, demands or charges or receives from a debtor interest at a rate exceeding the maximum rate fixed by the Government under sub section (1), shall be punished with imprisonment for a term which may extend to six months, or with fine which may extend to one thousand rupees, or with both.
q. The Andhra Pradesh Money Lenders Act, 2000 To provide for the regulation and control of the business of money-lending in the State of Andhra Pradesh It extends to whole of the State of Andhra Pradesh

Section 35 provides that the provisions of this Act, shall be in addition to and not, save as otherwise expressly provided in this Act, in derogation of any other law for the time being in force in the State relating to the relief of indebtedness including indebtedness amongst Agriculturists, members of weaker section and members of Scheduled Castes and Scheduled Tribes.
Section 2(8) excludes a loan advanced by a bank, cooperative societies from definition of loans

Section 7 provides that No money-lender shall charge interest on any loan at a rate exceeding by more than two per cent the rate charged by commercial banks on similar loans granted by them. The total interest payable on a loan shall not exceed the quantum of the principal.

Section 15 provides that Money-lender advancing smaller amount or receiving higher interest than that specified in the accounts to be punishable

Section 25 - Penalty for collection of interest in excess of the rate prescribed under Section 7

Annex H - Rules to stop Debt Traps by CFPB, USA

1. Full-payment test: Lenders are required to determine whether the borrower can afford the loan payments and still meet basic living expenses and major financial obligations. For payday and auto title loans that are due in one lump sum, full payment means being able to afford to pay the total loan amount, plus fees and finance charges within two weeks or a month. For longer-term loans with a balloon payment, full payment means being able to afford the payments in the month with the highest total payments on the loan. The rule also caps the number of loans that can be made in quick succession at three.

2. Principal-payoff option for certain short-term loans: Consumers may take out a short-term loan of up to $500 without the full-payment test if it is structured to allow the borrower to get out of debt more gradually. Under this option, consumers may take out one loan that meets the restrictions and pay it off in full. For those needing more time to repay, lenders may offer up to two extensions, but only if the borrower pays off at least one-third of the original principal each time. To prevent debt traps, these loans cannot be offered to borrowers with recent or outstanding short-term or balloon-payment loans. Further, lenders cannot make more than three such loans in quick succession, and they cannot make loans under this option if the consumer has already had more than six short-term loans or been in debt on short-term loans for more than 90 days over a rolling 12-month period. The principal-payoff option is not available for loans for which the lender takes an auto title as collateral.

3. Less risky loan options: Loans that pose less risk to consumers do not require the full-payment test or the principal-payoff option. This includes loans made by a lender who makes 2,500 or fewer covered short-term or balloon-payment loans per year and derives no more than 10 percent of its revenue from such loans. These are usually small personal loans made by community banks or credit unions to existing customers or members. In addition, the rule does not cover loans that generally meet the parameters of “payday alternative loans” authorized by the National Credit Union Administration. These are low-cost loans which cannot have a balloon payment with strict limitations on the number of loans that can be made over six months. The rule also excludes from coverage certain no-cost advances and advances of earned wages made under wage-advance programs offered by employers or their business partners.

4. Debit attempt cutoff: The rule also includes a debit attempt cutoff that applies to short-term loans, balloon-payment loans, and longer-term loans with an annual percentage rate over 36 percent that includes authorization for the lender to access the borrower’s checking or prepaid account. After two straight unsuccessful attempts, the lender cannot debit the account again unless the lender gets a new authorization from the borrower. The lender must give consumers written notice before making a debit attempt at an irregular interval or amount. These protections will give consumers a chance to dispute any unauthorized or erroneous debit attempts, and to arrange to cover unanticipated payments that are due. This should mean fewer consumers being debited for payments they did not authorize or anticipate or charged multiplying fees for returned payments and insufficient funds.

October 2017



1) Cornelli, G, J Frost, L Gambacorta, R Rau, R Wardrop and T Ziegler (2020): ‘FinTech and BigTech credit: a new database’, BIS Working Papers, No 887, September.

2) ‘Digitally Delivered Credit: Consumer Protection Issues and Policy Responses to New Models of Digital Lending’, Policy Guidance Note and Results from Regulators Survey, November 2017, Alliance for Financial Inclusion

3) Fernando Restoy (February 2021): ‘FinTech regulation: how to achieve a level playing field’, Occasional Paper, No 17, Bank for International Settlements

4) ‘FinTech credit: Market structure, business models and financial stability implications’- Report prepared by a Working Group established by the Committee on the Global Financial System (CGFS) and the Financial Stability Board (FSB), May 22, 2017

5) Johannes Ehrentraud, Denise Garcia Ocampo, Camila Quevedo Vega (August 2020): ‘Regulating FinTech financing: digital banks and fintech platforms’, FSI Insights on policy implementation, No 27. Bank for International Settlements

6) John Owens (July 2018), ‘Responsible Digital Credit: What does responsible digital credit look like?’, Center for Financial Inclusion

7) Nigel Fletcher (2007): ‘Challenges for regulating financial fraud in cyberspace’, Journal of Financial Crime Vol. 14 No. 2, 2007 pp. 190-207

8) Oya Pinar Ardic, Joyce A. Ibrahim, Nataliya Mylenko (January 2011), ‘Consumer Protection Laws and Regulations in Deposit and Loan Services’, Policy Research Working Paper, 5536, World Bank

9) Report of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Chairman: G. Gopalakrishna), January 2011, Reserve Bank of India

10) Report of the Technical Group Set up to Review Legislations on Money Lending (Chairman: S.C. Gupta), July 2007, Reserve Bank of India

11) Speech by Anand Sinha, Former Deputy Governor, Reserve Bank of India ‘Strengthening Governance in Microfinance Institutions (MFIs) - Some Random Thoughts’, April 27, 2012

12) Speech by Agustín Carstens, General Manager, Bank for International Settlements, ‘BigTech in finance and new challenges for public policy’, December 4, 2018

13) Speech by Fernando Restoy, Chairman, Financial Stability Institute, Bank for International Settlements ‘Regulating FinTech: what is going on, and where are the challenges?’, October 16, 2019

14) Speech by M. Rajeshwar Rao, Deputy Governor, Reserve Bank of India ‘NBFC Regulation- Looking ahead’, November 6, 2020

15) Speech by R Gandhi, Former Deputy Governor, Reserve Bank of India, ‘Regulating financial innovation - P2P lending platforms design challenges’, May 17, 2016.

16) Speech by Shaktikanta Das, Governor, Reserve Bank of India, ‘Opportunities and Challenges of FinTech’, March 25, 2019

17) Speech by Shaktikanta Das, Governor, Reserve Bank of India, ‘Financial Sector in the New Decade’, March 25, 2021

18) ‘India FinTech Report 2021’ Report by The Digital Fifth

1 Banking 5.00 by Bernardo Nicolletti, 2021

2 ‘FinTech credit: Market structure, business models and financial stability implications’- Report prepared by a Working Group established by the Committee on the Global Financial System (CGFS) and the Financial Stability Board (FSB), May 22, 2017

3 Cornelli, G, J Frost, L Gambacorta, R Rau, R Wardrop and T Ziegler (2020): ‘Fintech and BigTech credit: a new database’, BIS Working Papers, no 887, September.

4 Methodology adopted by Shri Rahul Sasi, member of this Group

5 during January 01, 2020 to March 31, 2021



8 Humans Judged by Machines, Frank Pasquade, 2021

9 Selected provisions of Section 186 of the Companies Act on ‘Loan and investment by company’ - Sub-section 2: No company shall directly or indirectly (a) give any loan to any person or other body corporate; (b) give any guarantee or provide security in connection with a loan to any other body corporate or person; and (c) acquire by way of subscription, purchase or otherwise, the securities of any other body corporate, exceeding sixty per cent of its paid-up share capital, free reserves and securities premium account or one hundred per cent of its free reserves and securities premium account, whichever is more.
Sub-section 7: No loan shall be given under this section at a rate of interest lower than the prevailing yield of one year, three year, five year or ten year Government Security closest to the tenor of the loan.

10 Johannes Ehrentraud, Denise Garcia Ocampo, Camila Quevedo Vega (2020): “Regulating fintech financing: digital banks and fintech platforms”, FSI Insights on policy implementation, No 27



13 Zetzsche et al. 2018

14 Fernando Restoy (2021): “Fintech regulation: how to achieve a level playing field”, Occasional Paper, No 17

15 The Ministry of Electronics and Information Technology, has power under section 69A of the Information Technology Act read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009.

16 Section 67C of the IT Act: Preservation and retention of information by intermediaries. – (1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe. (2) any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.

17 Section 72A of the IT Act: Punishment for disclosure of information in breach of lawful contract.–Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.



20 Book “Weapons of Math Destruction” by Cathy O’Neil, 2016

21 Nigel Fletcher (2007): Challenges for regulating financial fraud in cyberspace, Journal of Financial Crime Vol. 14 No. 2, 2007 pp. 190-207

22 In cyberspace, a criminal can carry out a crime in secret against innocent third parties. By the time, they realise that they have been victim of a crime; it may be too late for the authorities to identify the criminal.

23 The international scope of cyberspace makes it hard to determine jurisdiction.

24 Ease and feasibility of collecting sufficient evidence to prosecute





29 Section 43A of the IT Act: Compensation for failure to protect data. –Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Explanation.–For the purposes of this section,– (i) ―body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities; (ii) ―reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; (iii) ―sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit

30 Example: Indonesia’s Financial Services Authority has stipulated that all registered and licensed lending platforms are only allowed to access three features on user’s smartphones, namely the camera, microphone, and location. If the platforms access data from any other source than these three features, authority will either cancel their registration or at least ask the IT Ministry to immediately block the application.

31 para 2.5. of Master Circular on ‘Loans and Advances – Statutory and Other Restrictions’ dated July 01, 2015

32 para 28 to 39 of Master Directions on Non-Banking Financial Company, 2016





37 applicable to registered NBFCs which (a) are authorized to accept deposits; or (b) have customer interface, with asset size of one billion rupees or above, as on date of the audited balance sheet of previous financial year.




41 and


43 FSI - Regulating fintech financing: digital banks and fintech platforms


45 The State Government may, by notification in the Official Gazette, direct that it shall not apply to any area, class of persons, or class of transactions which it may specify in its notification.

46 Sub-Committee of the Central Board of Directors of RBI to study issues and concerns in the MFI sector

47 The Reserve Bank Master Directions as applicable to banks/NBFCs have clearly laid down guidelines for grievance redressal mechanism to be adopted by its regulated entities, including for redress of grievances related to outsourced services. A circular (DOR (NBFC) (PD) CC. No.112/03.10.001/2019-20 dated June 24, 2020) was also issued to address various concerns emanating from loans sourced by banks/NBFCs over digital lending platforms which inter-alia covered steps to ensure effective grievance redressal.

48 For example, FCA, UK defines APR of 100% and above as High-Cost Short Term Credit (HCSTC)

49 Activities which are intended to generate the fee-based income for the lender especially on small loans.

50 except the territories which, immediately before the 1st November, 1956, were comprised in Part B States. The State Government may, by notification in the Official Gazette, direct that it shall not apply to any area, class of persons, or class of transactions which it may specify in its notification

51 Section 3 : The Courts, in any suit to which this Act applies, whether heard ex parte or otherwise, the Court has reason to believe, —(a) that the interest is excessive; and (b) that the transaction was, as between the parties thereto, substantially unfair, the Court may exercise all or any of the following powers, namely, may, —(i) re-open the transaction, take an account between the parties, and relieve the debtor of all liability in respect of any excessive interest; 3(ii) notwithstanding any agreement, purporting to close previous dealings and to create a new obligation, re-open any account already taken between them and relieve the debtor of all liability in respect of any excessive interest, and if anything has been paid or allowed in account in respect of such liability, order the creditor to repay any sum which it considers to be repayable in respect thereof; (iii) set aside either wholly or in part or revise or alter any security given or agreement made in respect of any loan, and if the creditor has parted with the security, order him to indemnify the debtor in such manner and to such extent as it may deem just: Provided that, in the exercise of these powers, the Court shall not—(i) re-open any agreement purporting to close previous dealings and to create a new obligation which has been entered into by the parties or any persons from whom they claim at a date more than 1 [twelve] years from the date of the transaction; (ii) do anything which affects any decree of a Court.

Section 3(2) In this section “excessive” means in excess of that which the Court deems to be reasonable having regard to the risk incurred as it appeared, or must be taken to have appeared, to the creditor at the date of the loan. (b) In considering whether interest is excessive under this section, the Court shall take into account any amounts charged or paid, whether in money or in kind, for expenses, inquiries, fines, bonuses, premia, renewals or any other charges, and if compound interest is charged, the periods at which it is calculated, and the total advantage which may reasonably be taken to have been expected from the transaction. (c) In considering the question of risk, the Court shall take into account the presence or absence of security and the value thereof, the financial condition of the debtor and the result of any previous transactions of the debtor, by way of loan, so far as the same were known, or must be taken to have been known, to the creditor. (d) In considering whether a transaction was substantially unfair, the Court shall take into account all circumstances materially affecting the relations of the parties at the time of the loan or tending to show that the transaction was unfair, including the necessities or supposed necessities of the debtor at the time of the loan so far as the same were known, or must be taken to have been known, to the creditor. Explanation. —Interest may of itself be sufficient evidence that the transaction was substantially unfair.

52 (1) Notwithstanding anything contained in the Kerala Money-Lenders Act, 1958 (35 of 1958), -

(a) whoever contravenes the provisions of section 3 shall, on conviction, be punished with imprisonment for a term which may extend to three years and also with fine which may extend to fifty thousand rupees;

(b) whoever harasses any debtor mentally or physically or abets such harassment for recovery of any loan, shall, on conviction, be punished with imprisonment for a term which may extend to one year and also with fine which may extend to ten thousand rupees.

(2) Where the person who has advanced the loan or any other person as directed by him, harasses the debtor mentally or physically and consequently and immediately thereafter the debtor commits suicide, the person who advanced the loan, shall, on conviction, be punished with imprisonment for a term which may extend to five years and also with fine which may extend to fifty thousand rupees.

53 Section 35: Notwithstanding anything contained in any law for the time being in force, the Court shall, in any suit to which this Act applies, between the money-lender and the debtor, whether heard ex-parte or otherwise, —(a) re-open any transaction, or any account already taken between the parties; (b) take an account between the parties; (c) reduce the amount charged to the debtor in respect of any excessive interest; (d) if on taking accounts it is found that the money-lender has received more than what is due to him, pass a decree in favour of the debtor in respect of such amount

54 Notwithstanding anything contained in any law for the time being in force, or in any agreement (1) 'no borrower other than a borrower or commercial loan' shall be liable to pay after the commencement of this Act (a) any sum in respect of principal and interest which together with any amount already paid or included in any decree in respect of a loan exceeds twice the principal of the original loan, (b) on account of interest outstanding on the date up to which such liability is computed, a sum greater than the principal outstanding on such date, (c) any interest other than simple interest at a rate per annum not exceeding in the case of—(i) unsecured loans—twelve and a half per centum. (ii) secured loans—ten per centum; where such loan was advanced or such amount was paid or such decree was passed or such interest accrued before or after the commencement of this Act; (2) 'no borrower other than an borrower of commercial loan' shall after the commencement of this Act, be deemed to have been liable to pay before the date of such commencement in respect of interest paid before such date or included in a decree passed before such date, interest rates per annum exceeding those specified in sub-clause (c) of clause (1); (3) a lender shall be entitled to institute a suit at any time after the commencement of this Act in respect of a transaction to which either or both of the preceding clauses applies or apply