06 Jan 2023

Guidelines-on-Digital-Lending

Guidelines-on-Digital-Lending

RBI/2022-23/111
DOR.CRE.REC.66/21.07.001/2022-23

September 02, 2022

All Commercial Banks,
Primary (Urban) Co-operative Banks, State Co-operative Banks,
District Central Co-operative Banks; and
Non-Banking Financial Companies (including Housing Finance Companies)

Madam/ Sir,

Guidelines on Digital Lending

A reference is invited to para 7 of the RBI Press Release “Recommendations of the Working Group on Digital Lending – Implementation” dated August 10, 2022. Detailed guidelines on recommendations of the Working Group accepted for immediate implementation are attached as Annex I to this circular.

2. It is reiterated that outsourcing arrangements entered by Regulated Entities (REs) with a Lending Service Provider (LSP)/ Digital Lending App (DLA) does not diminish the REs’ obligations and they shall continue to conform to the extant guidelines on outsourcing1. The REs are advised to ensure that the LSPs engaged by them and the DLAs (either of the RE or of the LSP engaged by the RE) comply with the guidelines contained in this circular.

3. It is further advised that the instructions contained in this circular shall be applicable to the ‘existing customers availing fresh loans’ and to ‘new customers getting onboarded’, from the date of this circular. However, in order to ensure a smooth transition, REs shall be given time till November 30, 2022, to put in place adequate systems and processes to ensure that ‘existing digital loans’ (sanctioned as on the date of the circular) are also in compliance with these guidelines in both letter and spirit.

4. These directions are issued under sections 21, 35A and 56 of the Banking Regulation Act, 1949, sections 45JA, 45L and 45M of the Reserve Bank of India Act, 1934, sections 30A and 32 of the National Housing Bank Act, 1987, section 6 of the Factoring Regulation Act, 2011 and section 11 of the Credit Information Companies (Regulation) Act, 2005.

Yours faithfully,

(Manoranjan Mishra)
Chief General Manager


Annex I

Guidelines on Digital Lending

1. Scope of Application: These guidelines are applicable to digital lending extended by:

1.1. All Commercial Banks,

1.2. Primary (Urban) Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks; and

1.3. Non-Banking Financial Companies (including Housing Finance Companies)

2. Definitions

2.1. Annual Percentage Rate (APR): APR is the effective annualised rate charged to the borrower of a digital loan. APR shall be based on an all-inclusive cost and margin including cost of funds, credit cost and operating cost, processing fee, verification charges, maintenance charges, etc., and exclude contingent charges like penal charges, late payment charges, etc.

2.2. Cooling off/look-up period: A cooling off/ look-up period is the time window as determined by the Board of the RE which shall be given to borrowers for exiting digital loans, in case a borrower decides not to continue with the loan.

2.3. Digital Lending: A remote and automated lending process, largely by use of seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service.

2.4. Digital Lending Apps/Platforms (DLAs): Mobile and web-based applications with user interface that facilitate digital lending services. DLAs will include apps of the Regulated Entities (REs) as well as those operated by Lending Service Providers (LSPs) engaged by REs for extending any credit facilitation services in conformity with extant outsourcing guidelines issued by the Reserve Bank.

2.5. Lending Service Provider (LSP): An agent of a Regulated Entity who carries out one or more of lender’s functions or part thereof in customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery of specific loan or loan portfolio on behalf of REs in conformity with extant outsourcing guidelines issued by the Reserve Bank.

2.6. Regulated Entities (REs): The entities to whom this circular is applicable as stated at Para 1 of these guidelines.

A. Customer Protection and Conduct requirements

3. Loan Disbursal, Servicing and Repayment - REs shall ensure that all loan servicing, repayment, etc., shall be executed by the borrower directly in the RE’s bank account without any pass-through account/ pool account of any third party. The disbursements shall always be made into the bank account of the borrower except for disbursals covered exclusively under statutory or regulatory mandate (of RBI or of any other regulator), flow of money between REs for co-lending transactions2 and disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary. REs shall ensure that in no case, disbursal is made to a third-party account, including the accounts of LSPs and their DLAs, except as provided for in these guidelines.

4. Collection of fees, charges, etc.

4.1. Payment of Fees/Charges: REs shall ensure that any fees, charges, etc., payable to LSPs are paid directly by them (REs) and are not charged by LSP to the borrower directly.

4.2. Penal Interest/ Charges: The penal interest/charges levied, if any, on the borrowers shall be based on the outstanding amount of the loan. Further, rate of such penal charges shall be disclosed upfront on an annualized basis to the borrower in the Key Fact Statement (KFS).

5. Disclosures to borrowers

5.1. Annual Percentage Rate (APR) - APR as all-inclusive cost of digital loans for the borrower shall be disclosed upfront by REs and shall also be a part of the Key Fact Statement.

5.2. Key Fact Statement

5.2.1. REs shall provide a Key Fact Statement (KFS) to the borrower before the execution of the contract in a standardized format for all digital lending products. The format of KFS is provided in Annex-II.

5.2.2. The KFS shall, apart from other necessary information, contain the details of APR, the recovery mechanism, details of grievance redressal officer designated specifically to deal with digital lending/ FinTech related matter and the cooling-off/ look-up period.

5.2.3. Any fees, charges, etc., which are not mentioned in the KFS cannot be charged by the REs to the borrower at any stage during the term of the loan.

5.3. Digitally signed documents – REs shall ensure that digitally signed documents3 (on the letter head of the RE) viz., KFS, summary of loan product, sanction letter, terms and conditions, account statements, privacy policies of the LSPs/DLAs with respect to borrowers data, etc. shall automatically flow to the borrowers on their registered and verified email/ SMS upon execution of the loan contract/ transactions.

5.4. List of LSPs – REs shall prominently publish the list of their DLAs, LSPs engaged by them and DLAs of such LSPs with the details of the activities for which they have been engaged, on their website.

5.5. Product information – REs shall ensure that their DLAs or DLAs of their LSPs at on-boarding/sign-up stage, prominently display information relating to the product features, loan limit and cost, etc., so as to make the borrowers aware of these aspects.

5.6. Details of recovery agent – REs shall communicate to the borrower, at the time of sanctioning of the loan and also at the time of passing on the recovery responsibilities to an LSP or change in the LSP responsible for recovery, the details of the LSP acting as recovery agent who is authorised to approach the borrower for recovery.

5.7. Link to website - REs shall ensure that DLAs of REs and LSPs have links to REs’ website where further/ detailed information about the loan products, the lender, the LSP, particulars of customer care, link to Sachet Portal, privacy policies, etc. can be accessed by the borrowers. It shall be ensured that all such details are available at a prominent single place on the website for ease of accessibility.

6. Grievance Redressal

6.1. Nodal grievance redressal officer - REs shall ensure that they and the LSPs engaged by them shall have a suitable nodal grievance redressal officer to deal with FinTech/ digital lending related complaints/ issues raised by the borrowers. Such grievance redressal officer shall also deal with complaints against their respective DLAs. Contact details of grievance redressal officers shall be prominently displayed on the websites of the RE, its LSPs and on DLAs and also in the KFS provided to the borrower. Further, the facility of lodging complaint shall also be made available on the DLA and on the website as stated above. It is reiterated that responsibility of grievance redressal shall continue to remain with the RE.

6.2. If any complaint lodged by the borrower against RE or the LSP engaged by the RE is not resolved by the RE within the stipulated period (currently 30 days), he/she can lodge a complaint over the Complaint Management System (CMS)4 portal under the Reserve Bank-Integrated Ombudsman Scheme (RB-IOS)5. For entities currently not covered under RB-IOS, complaint may be lodged as per the grievance redressal mechanism prescribed by the Reserve Bank.

7. Assessing the borrower’s creditworthiness

7.1. REs shall capture the economic profile of the borrowers covering (age, occupation, income, etc.), before extending any loan over their own DLAs and/or through LSPs engaged by them, with a view to assessing the borrower’s creditworthiness in an auditable way.

7.2. REs shall ensure that there is no automatic increase in credit limit unless explicit consent of borrower is taken on record for each such increase.

8. Cooling off/look-up period – A borrower shall be given an explicit option to exit digital loan by paying the principal and the proportionate APR without any penalty during this period. The cooling off period shall be determined by the Board of the RE. The period so determined shall not be less than three days for loans having tenor of seven days or more and one day for loans having tenor of less than seven days. For borrowers continuing with the loan even after look-up period, pre-payment shall continue to be allowed as per extant RBI guidelines6.

9. Due diligence and other requirements with respect to LSPs

9.1. REs must conduct enhanced due diligence before entering into a partnership with a LSP for digital lending, taking into account its technical abilities, data privacy policies and storage systems, fairness in conduct with borrowers and ability to comply with regulations and statutes.

9.2. REs shall carry out periodic review of the conduct of the LSPs engaged by them.

9.3. REs shall impart necessary guidance to LSPs acting as recovery agents to discharge their duties responsibly and ensure that they comply with the extant instructions7 in this regard.

B. Technology and Data Requirement

10. Collection, usage and sharing of data with third parties

10.1. REs shall ensure that any collection of data by their DLAs and DLAs of their LSPs is need-based and with prior and explicit consent of the borrower having audit trail. In any case, REs shall also ensure that DLAs desist from accessing mobile phone resources like file and media, contact list, call logs, telephony functions, etc. A one-time access can be taken for camera, microphone, location or any other facility necessary for the purpose of on-boarding/ KYC requirements only, with the explicit consent of the borrower.

10.2. The borrower shall be provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data and if required, make the app delete/ forget the data.

10.3. The purpose of obtaining borrowers’ consent needs to be disclosed at each stage of interface with the borrowers.

10.4. Explicit consent of the borrower shall be taken before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirement.

11. Storage of data

11.1. REs shall ensure that LSPs/DLAs engaged by them do not store personal information of borrowers except some basic minimal data (viz., name, address, contact details of the customer, etc.) that may be required to carry out their operations. Responsibility regarding data privacy and security of the customer’s personal information will be that of the RE.

11.2. REs shall ensure that clear policy guidelines regarding the storage of customer data including the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, data destruction protocol, standards for handling security breach, etc., are put in place and also disclosed by DLAs of the REs and of the LSP engaged by the RE prominently on their website and the apps at all times.

11.3. REs shall ensure that no biometric data is stored/ collected in the systems associated with the DLA of REs/ their LSPs, unless allowed under extant statutory guidelines.

11.4. REs shall ensure that all data is stored only in servers located within India, while ensuring compliance with statutory obligations/ regulatory instructions.

12. Comprehensive privacy policy

12.1. REs shall ensure that their DLAs and LSPs engaged by them have a comprehensive privacy policy compliant with applicable laws, associated regulations and RBI guidelines. For access and collection of personal information of borrowers, DLAs of REs/LSPs should make the comprehensive privacy policy available publicly.

12.2. Details of third parties (where applicable) allowed to collect personal information through the DLA shall also be disclosed in the privacy policy.

13. Technology standards – REs shall ensure that they and the LSPs engaged by them comply with various technology standards/ requirements on cybersecurity stipulated by RBI and other agencies, or as may be specified from time to time, for undertaking digital lending.

C. Regulatory Framework

14. Reporting to Credit Information Companies (CICs)

14.1. As per the provisions of the Credit Information Companies (CIC) (Regulation) Act, 2005; CIC Rules, 2006; CIC Regulations, 2006 and related guidelines issued by RBI from time to time, REs shall ensure that any lending done through their DLAs and/or DLAs of LSPs is reported to CICs irrespective of its nature/ tenor.

14.2. Extension of structured digital lending products by REs and/or LSPs engaged by REs over a merchant platform involving short term, unsecured/ secured credits or deferred payments, need to be reported to CICs by the REs. REs shall ensure that LSPs, if any, associated with such deferred payment credit products shall abide by the extant outsourcing guidelines issued by the Reserve Bank and be guided by these guidelines.

15. Loss sharing arrangement in case of default:

As regards the industry practice of offering financial products involving contractual agreements such as First Loss Default Guarantee (FLDG) in which a third party guarantees to compensate up to a certain percentage of default in a loan portfolio of the RE, it is advised that REs shall adhere to the provisions of the Master Direction – Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 dated September 24, 2021, especially, synthetic securitisation8 contained in Para (6)(c).


1 Para 2.6 of the Master Circular on “Loans and Advances – Statutory and Other restrictions” dated July 01, 2015; Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks issued vide Circular dated November 03, 2006 as amended from time to time; Para 120 and 120 A of “Master Direction - Non-Banking Financial Company - Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016” dated September 01, 2016, as amended from time to time; Para 106 and 106A of the ‘Master Direction - Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016’ both dated September 01, 2016, as amended from time to time; ‘Guidelines for Managing Risk in Outsourcing of Financial Services by Co-operative Banks’, dated June 28, 2021Circular on ‘Outsourcing of Financial Services - Responsibilities of regulated entities employing Recovery Agents’ dated August 12, 2022, and other related instructions issued by the Reserve Bank from time to time.

2 Co-lending arrangements shall be governed by the extant instructions as laid down in the Circular on Co-lending by Banks and NBFCs to Priority Sector dated November 05, 2020, and other related instructions.

3 Digitally signed means a document signed using digital signature.

4 https://cms.rbi.org.in/

5 Issued vide Notification CEPD. PRD. No.S873/13.01.001/2021-22 dated November 12, 2021

6 In terms of Circular DBR.Dir.BC.No.08/13.03.00/2019-20 for banks and DNBR (PD) CC.No.101/03.10.001/2019-20 for NBFCs on “Levy of Foreclosure Charges /Pre-payment Penalty on Floating Rate Term Loans”, both dated August 02, 2019.

7 Circular DOR.ORG.REC.65/21.04.158/2022-23 on ‘Outsourcing of Financial Services - Responsibilities of regulated entities employing Recovery Agents’ dated August 12, 2022, and other relevant instructions as issued from time to time.

8 “synthetic securitisation” means a structure where credit risk of an underlying pool of exposures is transferred, in whole or in part, through the use of credit derivatives or credit guarantees that serve to hedge the credit risk of the portfolio which remains on the balance sheet of the lender.