RBI’s Shield for Borrowers against Digital Lending

[By Rajeev Dadhich]

The author is a student at the Institute of Law, Nirma University.

The digital lending route has acquired prominence, which has raised the Reserve Bank of India’s (“RBI”) concerns over the unbridled engagement of third parties, mis-selling, breach of data privacy, unfair business conduct, charging of exorbitant interest rates, and unethical recovery practices. To address these concerns, on November 18, 2021, RBI released the Report of the ‘Working Group on digital lending including lending through online platforms and mobile apps’ (“the Report”), which targets the enhancement of customer protection and making the digital lending ecosystem safe and sound while encouraging innovation.

Moving a step forward, on August 10, 2022, RBI issued a Press Release ‘Recommendations of the Working group on Digital Lending’ (“the Press Release”), which targets implementing the recommendations the Working Group gave.

Against this backdrop, this article sets out the scope of the Press Release and analyzes the recommendations. Further, this article provides a detailed discussion of key factors of the Press Release like the cooling-off period, data privacy, reporting mechanism, and framework on FLDG. Lastly, the article provides concluding remarks and suggestions.

Scope of the guideline issued

The guideline comprises three Annexures which broadly illustrate three types of entities included in the digital lending process:

  • Annexure I: Entities regulated by the RBI and permitted to carry out lending business;
  • Annexure II: Entities authorized to carry out lending as per other statutory/regulatory provisions but not regulated by RBI; and
  • Annexure III: Entities lending outside the purview of any statutory/regulatory provisions.

First, the recommendations envisaged under Annexure I are implemented with immediate effect. This guideline will regulate not only Regulated Entities (“REs”) but also the Lending Service Providers (“LSPs”)/ Digital Lending Apps (“DLAs”) engaged by REs to extend various permissible credit facilitation services. The entities included in the ambit of REs have been defined under Regulation 3 of KYC Direction, 2016.

Second, with respect to the recommendations under Annexure II, the respective regulator/ controlling authority still requires some deliberations before implementing them. The non-regulated entities are defined in question 4 of the FAQ published by RBI as stock exchanges and housing finance companies.

Third, with respect to Annexure III, the Working Group has suggested specific legislative and institutional interventions for consideration by the Central Government.

Recommendations implemented with immediate effect

Operational Conduct and Customer Protection

  • The disbursement of the loan, repayment of the loan, etc. shall take place directly between REs and borrowers, and there shall be no intervention of any third party, viz. LSPs, in transferring the loan or repayment amount.
  • LSPs will operate as an agent of RE and will carry out functions like customer acquisition, underwriting support, pricing support, etc. RE shall monitor the activities of LSPs and be accountable for the same. Further, REs shall be liable to pay any fees applicable to LSPs, and no fees can be directly charged on borrowers by LSPs.
  • Annual Percentage Rate (“APR”): The APR is required to be disclosed to the borrowers. The APR means all-inclusive cost and margin including the cost of funds, processing fee, maintenance charges, etc., except contingent charges like penal charges, late payment charges, etc.
  • The borrowers should be provided with a cooling-off/ look-up period, which means an exit opportunity without the levy of any penalty for a certain period by just paying the principal and APR amount.
  • A Grievance Redressal Officer (“GRO”) should be appointed who will be dealing with borrowers’ complaints regarding FinTech and digital lending. The details of the GRO shall be published on the website of the RE, its LSPs, and on DLAs. The responsibility of engaging GRO lies on REs.
  • Key Facts Statement (“KFS”) is required to be disclosed. KFS includes a recovery mechanism, cooling-off/ look-up period, details of grievance redressal, and APR. Further, the consent of the borrower is required to increase the credit limits.

Data Protection of the borrowers

  • DLAs should obtain absolute consent from the borrowers before collecting any data with an option to accept or deny the consent and a right to be forgotten.
  • LSPs are prohibited from storing any personal data of borrowers except the primary data viz name, address, contact details of the customer, etc. REs will be held accountable for data privacy and security of the customer’s personal data.

Regulatory framework

  • REs extending credit through new digital products such as ‘Buy Now Pay Later’ (“BNPL”) need to report to CIC and adhere to outsourcing guidelines issued by individual Banks.


This guideline is just the first installment in a three-series process. Till further instructions, the present Press Release will be the operative guideline for REs, LSPs, and DLAs.

  • Cooling-off/look-up period

As stated above, the Press Release provides the borrower with the option of a cooling-off/ look-up period. However, it does not specify the timeframe allowed to borrowers under this period, and the same has been left to the deliberation of the board approval policy. It is noted that a cooling-off period is a right of the borrowers to save them from paying the entire interest for the facility period, and the same should be reasonable. An inference can be drawn from the Master Direction – Reserve Bank of India (Transfer of Loan Exposures) Directions, 2021, which state that a cooling period shall not be less than 12 months from the date of such transfer. Therefore, a similar timeframe should be allowed for the borrowers in the present digital lending regime.

  • Data Privacy

The Report highlights an exponential increase in complaints regarding the operations of DLAs. The Report explained DLAs as mobile and web-based applications with an interface that facilitates borrowing by a financial consumer from a digital lender. Subsequently, on December 23, 2020, RBI, through a Press Release, cautioned borrowers regarding illegal players, excessive interest rates, hidden charges, breach of data privacy, and regressive recovery process by DLAs.

Moreover, DLAs, being largely mobile applications, pose a potential threat to data stored on mobiles, viz. sensitive personal data, etc. For instance, the recent data breach of CashMama leaked the personal information of thousands of people, including names, dates of birth, addresses, etc. Hence, DLAs had access to a pool of data of the borrowers, and borrowers were mandated to furnish the consent required by the apps for their smooth functioning, which was even irrevocable. Also, because of the underlying principle of Caveat Emptor, borrowers were left helpless in data breach cases.

Therefore, to protect the interest of the borrowers, the present guideline created a mandate on DLAs to only store data for immediate use with the prior consent of borrowers. Further, borrowers are provided with rights such as revocable consent, the option to furnish consent or to simply deny it, and the right to be forgotten. As a final stroke, RBI also held REs accountable for monitoring DLAs’ activities and liable in case of a data breach.

  • CIC Reporting

The Press Release mandated that REs report all new digital lending products extended over merchant platforms to CICs, including BNPL products. BNPL is defined in the Report as a credit facility to the buyers where they buy products and pay after an agreed period in interest-free installments. BNPL is rapidly covering a large market cap in online payment mode because of its attractive features like instant credit, secure transactions, interest-free repayment, etc. The RBI is concerned with the transparency between BNPL products and the reporting authority because the BNPL players were not reporting loans advanced to the regulating authority, which gave a blurred picture of the creditworthiness of the borrowers to the respective financial institutions.

Therefore, the Press Release addressed this concern by mandating BNPL products to be reported to CICs. Because the scope of the Press Release is limited to REs, non-regulated entities do not have a mandatory disclosure requirement.

  • Framework of First Loss Default Guarantee (“FLDG”)

FLDG is an arrangement or indemnity provided by the LSPs to the lenders under which, when the borrower defaults, the credit risk is borne by the LSPs. The issue with FLDG is that LSPs bear the credit risk without maintaining any regulatory capital or complying with prudential norms. Also, ultimately LSPs used to pass on these credit risks to borrowers in the form of high platform fees, higher interest rates, etc. As of now, RBI in Annexure II of the Press Release has kept the fate of FLDG under examination of the Central Bank. However, till the advent of any formal guideline by the RBI, REs should adhere to Master Direction – SSA Directions, 2021.

  • Appointment of GRO

The Press Release mandates the appointment of a GRO. However, the guideline does not explicitly restrict LSPs from engaging a GRO individually. Now, in an instance where both the LSP and the RE have appointed GROs individually, and a borrower raises a complaint with both GROs separately, which GRO will have jurisdiction/ power to address and resolve the complaint? The Press Release is silent on this point. However, the basic interpretation of Annexure I of the Press Release highlights that the responsibility of enabling the GRO lies on REs. Hence, the decision passed by the GRO engaged by the RE holds binding value over the decision of any other GRO.

Conclusion and the way ahead

The present guideline is just an initial yet important step in regulating the digital lending framework. The RBI will soon release a formal guideline on Regulated Entities and its LSPs and DLAs.

The RBI still has to clear the fog around certain emerging issues like:

  1. The ambiguity around the definition of borrower still continues, as the intention of the Press Release seems to only include ‘individuals’ in the definition of borrowers. However, the Press Release does not explicitly exclude ‘entities’ from the ambit of borrowers.
  2. The RBI needs to define the scope and powers of GRO and whether a GRO can perform the judicial function.
  3. Lastly, SSA direction on FLDG is a temporary guiding framework that still needs some clarification as to how it will be implemented on FLDG.

In a nutshell, these guidelines will certainly bring transparency among the stakeholders and will increase borrowers’ trust in digital lending. These guidelines have balanced the stakes of fintech firms and borrowers.


