The Reserve Bank of India, on 14 February 2023, released a detailed set of Frequently Asked Questions (FAQs) clarifying the operational aspects of its digital lending guidelines issued vide Circular DOR.CRE.REC.66/21.07.001/2022-23 dated 2 September 2022. The FAQs address several ambiguities that had emerged since the guidelines took effect, providing much-needed guidance for regulated entities, lending service providers (LSPs), and digital lending applications (DLAs).
Background
The RBI issued comprehensive guidelines on digital lending in September 2022, following the recommendations of a Working Group on Digital Lending. The guidelines introduced a regulatory framework governing the activities of regulated entities (banks and NBFCs) when they extend credit through digital channels, including through third-party lending service providers and digital lending applications. Since the guidelines took effect, market participants raised concerns about interpretive ambiguities, particularly regarding the definition of "digital lending," the applicability of cooling-off periods, and the allocation of compliance responsibilities between regulated entities and their technology partners.
Key Provisions
The FAQs provide the following clarifications:
Scope of digital lending: The RBI clarified that partial digital processes are covered under the guidelines. If the essence of the lending transaction is digital — even if some stages involve physical interfaces — the transaction falls within the regulatory framework. The phrase "largely by use of seamless digital technologies" is interpreted broadly.
Cooling-off period: The FAQs confirm that borrowers must be provided a cooling-off or look-up period during which they can exit the loan without penalty. The period is determined by the regulated entity based on the nature and tenure of the loan product.
Grievance redressal allocation: Only LSPs that directly engage with borrowers are required to appoint grievance redressal personnel. However, the ultimate responsibility for complaint management and resolution rests with the regulated entity (bank or NBFC), regardless of which entity interfaces with the borrower.
Key Fact Statement (KFS): The KFS must be provided to the borrower before the loan agreement is executed and must contain the Annual Percentage Rate (APR), all fees and charges, the cooling-off period, and details of the recovery mechanism.
Data collection limitations: LSPs and DLAs can collect only need-based data from borrowers, with explicit prior consent. The data must be used solely for the purpose for which it was collected. Storing biometric data is prohibited.
First Loss Default Guarantee (FLDG): The FAQs address FLDG arrangements between regulated entities and LSPs, clarifying that such arrangements must comply with securitisation norms and cannot be used to circumvent credit risk transfer regulations.
Implications for Practitioners
These clarifications are critical for the rapidly growing fintech lending ecosystem. Compliance officers at banks and NBFCs that partner with digital lending platforms must review their arrangements against the FAQ guidance, particularly regarding the broad interpretation of "digital lending" that captures hybrid models.
For fintech companies operating as LSPs, the FAQ clarity on grievance redressal is significant: while direct borrower-facing LSPs must have dedicated complaint resolution mechanisms, all LSPs must ensure their processes are integrated with the regulated entity's overarching compliance framework.
Legal advisors to digital lending startups should note the data collection limitations and the prohibition on biometric data storage. Privacy-by-design architecture is no longer optional but a regulatory compliance requirement under the digital lending framework.
The FLDG guidance requires particular attention from NBFCs that rely on LSP partnerships with credit enhancement structures. Such arrangements must be restructured to ensure compliance with both the digital lending guidelines and RBI securitisation norms.