RBI’s New Digital Lending Guidelines and the Decline of BNPL: Navigating Compliance in India’s Fintech Lending Shift

June 6, 2025

Introduction

Buy Now Pay Later (BNPL) services in India are rapidly growing in popularity because they facilitate quick, interest-free purchases with little to no documentation, thereby transforming consumer credit. These fintech services appeal to younger, digitally connected consumers by providing a credit line that enables them to fulfill their desires without burdening them with high interest rates. However, the rise in availability of credit options has also resulted in systemic concerns regarding consumer protection, predatory lending, and regulatory loopholes.

With the intent of increasing scrutiny in the sector, the Reserve Bank of India (RBI) established the Digital Lending Guidelines (DLG) in 2022 with the aim of improving data privacy, responsibility, and transparency in digital lending practices. The guidelines seek to cover the entire value chain of digital lenders, including BNPL services provided through third-party vendors, by calling upon regulated entities (REs), such as banks and Non-Banking Financial Companies (NBFCs), to supervise and control lending actions facilitated through Lending Service Providers (LSPs).

Understanding the BNPL Framework

BNPL models function by allowing consumers to split their payments into manageable instalments, often without interest, while making purchases online or at point-of-sale. These platforms typically partner with NBFCs or banks that underwrite the loan, while the BNPL provider handles the customer interface and servicing.

However, in many instances, BNPL providers were operating in a regulatory grey zone, where they either issued short-term credit without proper underwriting or used prepaid instruments to disguise loan disbursements, raising concerns under the Payment and Settlement Systems Act, 2007 and the RBI’s Fair Practices Code.

RBI Guidelines on Digital Lending and their Impact on BNPL

The Guidelines on Digital Lending by the RBI are part of the regulator’s broader digitalization efforts to systematize the legal structure of lending, mitigate risk, and protect consumers. These guidelines apply to all REs like NBFCs and banks, but the most tangible impact has been felt by BNPL models that work with third-party fintechs and partnering LSPs.

As mentioned previously, one of the key restrictions under the guidelines is that disbursals and repayments have to take place between the borrower’s account and the bank account of the RE. Any movement through third-party wallets or non-bank fintech accounts is prohibited. This single regulation greatly hinders the BNPL business model because, traditionally, payment facilitators, PFS, or wallets were used for one-click checkouts.

REs have been directed by the RBI to ensure that all loan agreements are executed between the RE and the borrower, with all the necessary disclosures and documents made readily available to the borrower. This effectively removes the ability of LSPs to obscure the true lender or to conceal loose, informal strings of credit behind disguised loans.

For BNPL models, this is highly concerning with regard to the enforceability of contracts, especially in cases where KYC, due diligence, or formal documentation is not undertaken prior to offering a digital credit line.

Aside from that, the guidelines focus heavily on data privacy and customer complaint redressal, as well as on transparency around fees and charges, something many BNPL operators have traditionally been quite careless about.

The manner in which BNPL loans were previously dispensed is no longer tenable under the RBI’s compliance framework. These loans had no clear repayment schedules, were laden with hidden penalties, and came with other disclosures that were poorly defined.

Impact on BNPL Players

The policies have greatly changed the playing field for BNPL players, especially for those without direct NBFC licenses who were operating under stealthy surrogate frameworks. The rule that REs alone may grant loans and receive repayments irrevocably cuts BNPL providers’ business models off from triggering credit through wallets or payment instruments.

In addition, the loss of pass-through loan accounts leaves fintechs with no option of holding or managing credit funds, a practice which blurred the boundaries between technology platforms and lenders. This is in line with the RBI’s policy of making REs bear the full burden of regulatory compliance, consumer grievance mechanisms, and risk management activities.

Moreover, the BNPL sector was previously outside the realm of truth-in-lending, with no verifiable APR disclosures made while marketing its services. The aggressively promoted “zero-cost EMI” offers were equally devoid of any reality.

Data Protection and Compliance Challenges under the DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP) has further raised the bar for compliance in digital lending ecosystems. BNPL platforms, by design, rely heavily on real-time data analytics and behavioral profiling to extend micro-credit. This includes access to transaction data, browsing history, social media behavior, and device metadata, most of which constitutes personal data under the DPDP framework.

The DPDP Act introduces stringent obligations on data fiduciaries with respect to purpose limitation, data minimization, notice requirements, and consent mechanisms. BNPL platforms, many of which function as data fiduciaries, must now re-evaluate their data collection practices, particularly in relation to non-essential data used for credit scoring or risk profiling. Failure to demonstrate lawful processing under the Act could invite significant penalties, in addition to reputational harm.

Additionally, the use of dark patterns or consent fatigue mechanisms to obtain user approval for data collection may not satisfy the ‘free, informed, specific, and unambiguous’ standard of consent required under the Act. For example, obtaining blanket consent through bundled terms and conditions or checkboxes would no longer be defensible.

Further, with the introduction of cross-border data transfer restrictions and the obligation to appoint data protection officers in certain cases, many BNPL firms, especially those with foreign investment or data-processing dependencies outside India, must revisit their organisational and operational structures.

Legal Enforceability and Risk Allocation

The enforceability of all BNPL transactions depends upon the existence of a valid contract with legally compliant disclosures and documentation. Prior to the issuance of the guidelines, a number of BNPL operators utilized one-click or platform-level “accept” buttons to capture borrower consent through in-app prompts. However, this may not meet the evidentiary requirements mandated by the Indian Contract Act, 1872, especially in situations where the borrower disputes the existence of a debt or challenges the onerous terms stipulated in fraudulent agreements.

In addition, some of these BNPL products offered micro-credit without properly evaluating whether the proposed borrowers were able to repay, thereby raising potential issues of predatory lending and exploitative recovery practices. This not only raises concerns relating to unconscionability and lack of procedural fairness but also invites litigation and regulatory scrutiny for fintechs and their partner NBFCs.

These are precisely the issues that the RBI sought to address with its call for mandatory loan agreements and uniform loan documentation, as well as for direct contractual relationships between the REs and the borrowers. From now on, as a matter of policy, fintechs need to clearly delineate within their smart contracts robust recoverable defenses, liabilities, and obligations; otherwise, both recoverability and liability are likely to come under scrutiny in court.

AMLEGALS Remarks

The RBI’s Digital Lending Guidelines are a defining moment for regulating fintech innovations such as BNPL in India. These guidelines impose greater responsibility on REs by requiring greater accountability and clarity, and they level the digital credit playing field, thus fostering responsible practices in the issuance of digital credit.

BNPL segments, although initially disrupted, can now construct robust, compliant frameworks that will help rebuild consumer and regulatory confidence. In a broader context, the combined focus on technological advancement and clear regulations will shape the future of digital lending in India. In this transforming environment, attention to legal compliance, data management, and risk compliance will be obligatory rather than discretionary.

 

– Team AMLEGALS


For any queries or feedback, feel free to reach out to laksha.bhavnani@amlegals.com or hiteashi.desai@amlegals.com
