Digital Lending: Less Grey, More Work (#55)
RBI's digital lending rules focus on transparency and limiting non-RE involvement
Welcome to the 55th issue of Unit Economics. For today’s write up, I review and share thoughts on the Digital Lending regulatory framework released by the RBI this week. Dive in!
Credit is booming in India. Bank credit has been up by double digits (12-14% YoY) lately, significantly higher than the rate of growth in the years before. Strong demand for housing and consumption loans appear to be aiding retail loan disbursals. Corporate credit growth is performing similarly impressively, with increased utilization of working capital and more aggressive capital expenditure plans taking the rate of growth to a seven-year high.
The unsecured side of credit is smaller but shining as brightly. Buy Now Pay Later (BNPL) services, for instance, have been growing at 21% YoY for the past 6 months, finding stronger customer acceptance and more takers for providers.
The news of the state of the credit system must be thrilling to the Reserve Bank of India (RBI), which has a statuary responsibility to guard the system. The developments, over the last few years, however – also signal a landscape that is changing faster than usual. And the uptick in loan disbursals, especially of unsecured credit, necessitates a review of the business conduct and consumer protection practices concerning digital lending.
Quite understandably then, realizing the challenges of the innovative lending practices followed the Digital Lending Apps (DLAs), the central bank – in Jan, 2021 - set up a Working Group on Digital Lending (WGDL) to study and provide their recommendations on making the digital credit system, including lending through online platforms and mobile apps, more secure.
In Nov, 2021, the Working Group came back with an elaborate and almost incredible report filled with a long list of recommendations and suggestions. The concerns, and suggestions thereon, were primarily related to fighting unbridled engagement of third parties, mis-selling, breach of data privacy, unfair business conduct, charging of exorbitant interest rates, and unethical recovery practices. The report was published on the RBI website, with the objective of inviting comments from key stakeholders, which showed a mature dialogue-driven process of arriving at decisions on any of the recommendations.
And this week, after roughly ten months of discussion, the central bank moved toward action on some of those key recommendations. These were enclosed in a regulatory framework that mandates certain practices within the digital lending ecosystem for RBI’s Regulated Entities (REs), their Lending Service Providers (LSPs), and Digital Lending Apps (DLAs) of REs or their LSPs.
For ease of consumption, the central bank divided the regulatory framework into three areas of focus and provided guidance on whether the decision on the recommendation required immediate implementation, further examination, or was presented only for consideration of the Government of India. For this write-up, the focus is on guidelines requiring urgent notice. With that, I share the text of some key recommendations and my thoughts on them below.
Customer Protection and Conduct Requirements
“REs have to ensure that all loan servicing, repayment, etc., shall be executed directly in their bank account without any pass-through account/ pool account of any third party. The disbursements shall always be made into the bank account of the borrower. Exceptions would be considered for disbursals covered exclusively under statutory or regulatory mandate…”
Takeaway: On face value, this amounts to a system-wide change in practices of digital lending apps, which today often involve a pass-through pool account to have complete visibility and control of the money movement for loan servicing and repayments at a customer-level. Instead, now, the collections will need to be directly posted and settled to the Bank’s or NBFC’s collections / repayment account, and disbursals will need similar execution.
Further, APIs need to be in place for the lender to post any transactions to the DLAs, which will help the DLAs account for the customer’s loan servicing and repayment amounts in their lending management systems (LMS). This is required for the DLAs to show a real-time accounting of the dues and available credit balances to their customers. The regulation, however, does leave room for a bit of grey with the clause on exceptions, which should interest the digital lending legal teams for some time.
The recommendation from WGDL had earlier also noted an exception for “Borrowers having only PPI account, and no bank account, can be disbursed loan in fully KYC compliant PPIs” in Nov, 2021. However, the RBI – unfortunately – has stayed muted on similar treatment for full-KYC PPIs, and appears to maintain a strict stance for all credit-backed prepaid instruments. We have to continue to remain patient on the treatment for credit on PPIs.
“All-inclusive cost of digital loans as an Annual Percentage Rate (APR) to be disclosed upfront by REs”
Takeaway: moving toward a fair and standard framework of reasonable pricing, the RBI has mandated the REs to clearly disclose the Annual Percentage Rate (APR) upfront to their customers. The APR, WGDL recommended, should factor in all contingent costs and abide by the definition for the cost of digital Short Term Consumer Credit (STCC)/micro credit that the RBI may define. The transparency would help customers compare different loans more fairly, and help make decisions on availing or repayments with a better mental accounting of the costs.
“REs to provide a Key Fact Statement (KFS) to the borrower before the execution of the contract in standardized format for all digital lending product. Any fees, charge, etc., which is not mentioned in the KFS cannot be charged by the REs to the borrower at any stage during the term of the loan.”
Takeaway: on similar lines to the Most Important Terms & Conditions (MITC) that the DLAs or REs today issue, the Key Fact Statement (KFS) is expected to be a standardized summary of lending terms and conditions that – going forward - will be mandated to be shared in an abridged format to customers via E-mail/SMS (along with the sanction letter). This increases some work for the REs, LSPs, and DLAs, but the process of preparing the statement and the KFS should aide both the lenders and borrowers to gain a better understanding of how their loan operates.
Another guideline, on similar lines, states that the “REs to ensure that digitally signed documents supporting important transactions through DLAs of REs/LSPs,.. with respect to borrowers’ data, etc., shall automatically flow from the lender to the registered/ verified email/ SMS of the borrower upon execution of the loan contract/ transactions”. The focus, here, again lies on a fair standard of disclosure and appears an obvious win for customers.
Further, the RBI mandates that the REs “..ensure their DLAs or DLAs of their LSPs at onboarding/sign-up stage prominently display information relating to the product features, loan limit and cost, etc…”, which only re-enforces the RBI’s stance on transparency of loan information.
“As per extant RBI guidelines, if any complaint lodged by the borrower is not resolved by the RE within the stipulated period (currently 30 days), he/she can lodge a complaint over the Complaint Management System (CMS) portal or other prescribed modes under the Reserve Bank”
Takeaway: Part of why the RBI had to setup a Working Group on Digital Lending was the plethora of customer complaints over social channels on the lending practices from REs, LSPs, and their DLAs. This guideline, by providing a strict resolution timeline for the RE and an alternate channel for escalations, attempts to tackle the issue of poor accountability and customer support and will be welcomed by customers. The next step, to make this fruitful, should be a mandate to clearly communicate this alternative to customers along with KFS and the rest of the loan terms.
“REs to ensure that automatic increases in credit limits are prohibited unless explicit consent of borrower is taken on record of each such increase”
Takeaway: automatic adjustments in credit limits has been a common fintech practice for the Credit Risk teams to manage their portfolio risk from one cycle to the next. But the additional requirement of explicit customer consent on “each” such adjustment likely forces a few tough discussions between the Risk and Product teams going ahead. A second-order effect of this can be a lower credit approval rate on onboarding, especially for the customers that were deemed for lower initial limit, and only gradual increases basis repayment behaviour.
“REs to communicate to the borrower, at the time of sanctioning of the loan and also at the time of passing on the recovery responsibilities to an LSP or change in the LSP responsible for recovery, the details of the LSP acting as recovery agent who is authorised to approach the borrower for recovery”
Takeaway: the field for loan recovery is muddled with multiple parties involved on behalf of the lender to collect pending dues, and is often suscept to practices of misdirection by unauthorized agents – who attempt to fraudulently collect dues. The guidance, here, appears to mitigate part of that risk by mandating REs to clearly communicate details of the authorized LSPs that can approach the borrowers. This, again, would require multiple points of re-enforcement – and even over-communication - for the customers to become aware.
Technology & Data Requirements
“Any collection of data by DLAs should be need-based and with prior and explicit consent of the borrower which can be audited, if required. In any case, DLAs should desist from accessing mobile phone resources such as file and media, contact list, call logs, telephony functions, etc. A one-time access can be taken for camera, microphone, location or any other facility necessary for the purpose of on-boarding/ KYC requirements only with the explicit consent of the borrower”
Takeaway: for lending teams operating in good-faith, these requirements were taken as guidelines almost implicitly and followed as such. But the practice, unfortunately, is an exception – and not the rule. The research from Kotak Securities, also highlighted in this Reddit post, provides a glaring view of the reality. The requirement to take explicit consent, naturally, is important and must be implemented effectively.
However, the usage of the word “desist” to accessing mobile phone resources introduces some ambiguity to the guidance, and appears to only discourage – but not mandate – the access of such permissions for the DLAs. My understanding is that DLAs would continue to take explicit permission for these, and portray each such collection as “need-based”. This is not necessarily bad, since the information – if used with the right intention - can help DLAs make better underwriting decisions on customers and improve their portfolio health.
“The borrower should be provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect his personal data and if required, make the app delete/ forget the data.”
Takeaway: this can appear onerous to the lenders, since most of such functionalities are hardly prioritized for development despite hundreds of support tickets on them. My take is that given the guideline does not mandate the capability to be provided on the app, these will likely be built as SOPs for the customer support team and initially resolved manually by tech teams on a case-by-case basis as per customer requests.
“Clear policy guidelines regarding the storage of customer data including the type of data that can be held, the length of time data can be held, restrictions on the use of data, data destruction protocol, standards for handling security breach, etc., shall also be disclosed by DLAs prominently on their website and app at all times”
Takeaway: the guideline, here, is again aggressive on the lender to be transparent concerning any data collected from the borrower, and requires new processes to be built for disclosure of details of such customer data. In practice, I believe the disclosures will likely be kept within certain sections on the policy documents and will hardly be displayed more “prominently” than that. If you were playing safe, maybe a few FAQs hyperlinked to the disclosures can be added in-app and on websites to meet the criteria.
“REs to ensure that DLAs of REs/LSPs should have links to REs’ website where further/ detailed information about the loan products, the lender, the LSP, particulars of customer care, link to Sachet Portal, privacy policies, etc. can be accessed by the borrowers”
Takeaway: over the last few years, the RBI had raised concerns with the banks on the lack of visibility of the REs in the digital lending processes where customers interacted directly with LSPs or DLAs. This guideline hopes to register the backlinks to all parties involved in loan servicing by providing customers visibility of the REs involved and should help reduce some of the hue and cry from customers.
Regulatory Framework
“REs to ensure that any lending done through DLAs is reported to CICs irrespective of its nature/tenor”
Takeaways: the lack of standard reporting standards has introduced a big gap in the actual state of customers’ credit profiles, and that visible in bureau reports. The problem has swelled to such an extent that there is hardly consistency in the names and number of credit accounts across the four bureaus for a credit-active customer. The guideline is much needed and, going ahead, should at least force the REs to be more diligent in forcing reporting of any such loans to CICs.
“Extension of new digital lending products by REs over a merchant platform involving short term, unsecured/ secured credits or deferred payments need to be reported to credit bureaus by the REs”
Takeaway: this brings the new-age unsecured credit, including Buy now pay later, into the ambit of credit required to be reported to credit bureaus. Some, who infamously have avoided doing so, should be spending their weekends on resolving this. The guideline, however, remains silent on the loan classification of such credit, which has been a puzzle for the lenders themselves. Further, it would have helped to mandate REs to disclose their reporting practice to the customer before sanctioning the loan, along with precautions on how their behaviour on enquiry and repayment may impact bureau scores. Regardless, this is a good start to bringing some of the practices back on track.
Final few thoughts
Although cumbersome, the guidelines provide lenders clarity in multiple areas where guesswork was common. Further, the verbiage and the decisions highlight a risk-averse and customer-centric approach to the credit system from the RBI – which helps lenders understand the central bank’s position, and should aide them in making more appropriate decisions when faced with ambiguity.
The actions in the regulatory framework largely concerned fair disclosures and communication of loan terms, data storage, bureau reporting, and limiting involvement of the non-REs in the processes of loan origination, money movement, and collection of data and repayments. This provides ample points of discussion and areas of work for the REs, LSPs, and DLAs for the next couple of quarters. Meanwhile, it also offers the central bank and other statutory bodies time to come back with more detailed policy guidelines on each of these processes for better standardization.
Particularly, the industry will await more clarity on exclusion terms for loan servicing and collections, on the involvement of PPIs as the source of funds, on the definition of APRs, and on practices involving data storage, loan recovery via third-parties, and loan classification for bureau reporting.
The regulatory framework kickstarts what should be a defining period for digital lending, and the RBI is definitely in the mood to keep everyone busy :)
If you have any views or feedback to share on the topic, feel free to add a response below or to share your thoughts with me over Linkedin. In case you feel your friends or family would be interested in reading about payments, feel free to share the blog with them as well. See you in a couple of weeks!