INTRODUCTION
When we think of borrowing money to fulfill our needs, we imagine the lengthy and monotonous process involved. Traditional lending methods were not only time-consuming but also insufficiently efficient for contemporary requirements. However, with the advent of digital lending methods, the process has been completely revolutionized. Anyone in urgent need of capital can now access funds not only through banks but also via money lending apps that claim to offer instant, collateral-free loans. This development has made the lending process more efficient and better aligned with the current economic needs of the nation.
With the rapid expansion of digital lending in India, the need for a regulatory authority to curb misuse, fraud, and unethical practices has become increasingly important. The Reserve Bank of India (“RBI”) plays a crucial role in this regard by monitoring the operations of digital lending platforms and ensuring the protection of consumers against unfair practices.
RBI’S DIGITAL LENDING GUIDELINES
On August 10, 2022, the RBI introduced Lending Guidelines to establish a structured regulatory framework for fintech companies and digital lending applications (“DLAs”). These guidelines were formulated based on recommendations from the Working Group on Digital Lending, including Lending through Online Platforms and Mobile Apps (“WGDL”). The aim of these regulations is to tackle issues like the involvement of unregulated third parties, misleading lending practices, breach of data privacy, exploitative business operations, exorbitant interest rates, and unethical methods of loan recovery.
The framework establishes guidelines for entities regulated by the RBI Regulatory Authorities (“RAs”), their associated Lending Service Providers (“LSPs”), and the Digital Lending Apps (“DLAs”) operated by both RAs and LSPs. To implement these regulations, the RBI has immediately adopted several recommendations made by the WGDL, while others are still under consideration for future enforcement. Due to the technical complexities involved, certain aspects require wider consultation with Government bodies and industry stakeholders before they can be fully implemented.
A. Customer Protection and Conduct Requirements
i. Loan Disbursal, Servicing, and Repayment
Borrowers must repay loans directly to the lender’s bank account—no third-party accounts allowed. Loan amounts should be transferred straight to the borrower’s account, unless specific regulations or co-lending arrangements apply. Loan payments should never be routed through LSPs or their DLAs unless explicitly permitted by guidelines.
ii. Fees, Charges, and Interest
Any fees payable to LSPs are the responsibility of the lender, not the borrower. If penal interest is charged, it must be calculated on the remaining loan balance and clearly disclosed in the Key Fact Statement (“KFS”) on an annualized basis.
iii. Borrower Disclosures
1. Annual Percentage Rate (APR)
Lenders must clearly disclose the total cost of digital loans, including the APR, in the KFS before loan approval.
2. Key Fact Statement (KFS)
Borrowers must receive a standardized KFS detailing APR, repayment terms, recovery process, and grievance redressal before loan approval. No hidden charges—only fees listed in the KFS can be applied. Borrowers must receive all loan documents (KFS, loan terms, sanction letters, account statements, privacy policies) via registered email or SMS.
3. Transparency About Loan Service Providers
Lenders must publicly list their DLAs and LSPs, including their roles. DLAs should prominently display product details, loan limits, and costs during onboarding so borrowers know what they’re signing up for. Borrowers must be informed about recovery agents when the loan is sanctioned and if there’s a change in recovery responsibility. DLAs and LSPs must provide easily accessible information on loan products, lender details, customer support, and grievance redressal.
4. Resolving Complaints
Lenders and their LSPs must appoint grievance redressal officers to handle complaints related to digital lending. Contact details of these officers must be available on websites and included in the KFS. If a complaint isn’t resolved within 30 days, borrowers can escalate it to the RBI’s Complaint Management System (“CMS”) or other designated authorities.
5. Assessing Borrower Eligibility
Lenders must evaluate a borrower’s financial status (age, occupation, income) before approving loans. Credit limits cannot be increased automatically—borrowers must explicitly agree to any changes.
6. Cooling-Off Period
Borrowers have the right to exit a digital loan within a cooling-off period by repaying only the principal and the applicable APR, without penalties. The minimum cooling-off period is three days for loans longer than seven days and one day for shorter loans. Prepayment of loans must always be allowed as per RBI guidelines.
7. Due Diligence for Loan Service Providers (LSPs)
Lenders must thoroughly assess LSPs before partnering with them to ensure they meet technical, privacy, and regulatory standards. Regular reviews of LSPs’ conduct are mandatory. Recovery agents must follow ethical and legal standards set by RBI.
B. Technology and Data Protection Guidelines
1. Collecting and Using Borrower Data
DLAs and LSPs must collect only necessary borrower data, and only with explicit borrower consent. Access to contacts, call logs, and media files is strictly prohibited. Apps can request one-time access to the camera, microphone, or location only for KYC verification. Borrowers must be able to control data sharing, revoke consent, and request data deletion. Data sharing with third parties requires borrower consent, except for legal or regulatory reasons.
2. Data Storage Rules
LSPs and DLAs cannot store borrower data except for basic details like name, address, and contact information. Lenders must establish clear policies for data storage, security, and handling breaches, and make these policies publicly available. Biometric data cannot be stored unless legally permitted. All borrower data must be stored on servers located in India.
3. Privacy and Security Standards
DLAs and LSPs must have publicly accessible privacy policies that comply with regulations. If any third party collects borrower data, it must be clearly disclosed in the privacy policy. Lenders and LSPs must follow RBI’s cybersecurity and technology standards for digital lending.
C. Regulatory Compliance
Reporting to Credit Information Companies (“CICs”)
All digital lending transactions must be reported to CICs, regardless of loan tenure or type. Digital lending products, including short-term and deferred payment loans, must be reported. LSPs handling deferred payment credit products must follow RBI’s outsourcing guidelines.
AMLEGALS REMARKS
Since the introduction of digital lending services by lending apps and websites, the entire arena of lending services has seen a herculean change. The process of lending capital, which was earlier considered lengthy and filled with excessive formalities and paperwork, has now turned into a simpler and more efficient procedure.
Financial regulatory bodies, like the RBI, have an immense role to play in this new age of financial digitization. By introducing the new guidelines, the RBI has taken a crucial step in ensuring the protection of consumers from misuse and fraud, as well as in maintaining the usability of digital financial platforms.
– Team AMLEGALS assisted by Mr. Ashish Singh (Intern)