The Reserve Bank of India (RBI) has issued guidelines to all lenders, including banks, to avoid misuse of data of borrowers using digital lending apps. As per the guidelines issued by reserve Bank of IndiaRegulated entities may not store borrowers’ data except for some basic minimum information. As per the guidelines, a lender can store information such as name, address, contact details of the customer, etc., which are required for processing and disbursing the loan and its repayment. The borrower’s biometric information cannot be stored by digital lending apps.

The guidelines issued by RBI cover the following regulated entities – all commercial banks, primary (urban) co-operative banks, state co-operative banks, district central co-operative banks; and non-banking financial companies (including housing finance companies)

RBI guidelines on digital lending aim to protect borrowers:

• The guidelines clearly state that digital lending apps cannot access mobile phone resources such as files and media, contact lists, call logs, telephone functions, etc. One-time access to camera, microphone, location or any other feature can be obtained. Purpose of onboarding/ KYC Requirements only with the explicit consent of the borrower.
• Borrowers should be informed about the storage of customer data including the type of data to be stored, the time up to which the data can be stored, restrictions on data access, data destruction protocols, security breaches to be dealt with standard etc. The information should be made available on their website and apps at all times.
• A Key Facts Statement (KFS) to the borrower prior to the execution of the contract in a standardized format for all digital loan products, at the time of disbursement of loans using the digital app.
• The borrower should be informed about the all-inclusive cost of digital loans and key facts should also be a part of the statement.
• Penal interest/charges, if any, to be levied on the borrowers will be based on the outstanding amount of the loan. Further, the rate of such penal charge shall be disclosed on an annual basis to the borrower in the key fact statement.
• Any fee charges etc. payable to the lending service providers should be paid by the regulated entities and the borrowers should not be charged for the same.
• The key fact statement should contain details of annual percentage rate, recovery mechanism, details of Grievance Redressal Officer specially designated to deal with matters related to digital loans/fintech and cooling-off/look-up period. The cooling-off/look-up period is the time given to the borrower to exit the digital loan, in case a borrower decides not to continue with the loan.
• Any fee which is not mentioned in the main fact statement is not recovered from the borrowers at any stage during the loan tenure.
• Intimation will be sent to the borrowers on their verified email/SMS on successful execution of loan agreement/transaction. The information should be sent on regulated entity (bank) letterhead and should include key facts statement, summary of loan product, sanction letter, terms and conditions, account statement, LSP/DLA’s privacy policies with respect to borrowers. data, etc.
• At the time of sign-up/onboarding stage, information regarding product features, credit limit and cost, etc., must be given to the borrowers.
• Banks and NBFCs should publish their digital lending apps and the list of loan service providers engaged by them on their websites.
• The details of the Nodal Grievance Redressal Officer should also be displayed on the websites of banks, NBFCs, loan service providers, digital lending apps and key fact details.
• Digital lending apps and websites should allow the borrower to lodge his complaint.
• If the complaint lodged by the borrower is not resolved within 30 days, he can lodge a complaint on the Grievance Management System (CMS) portal under the Reserve Bank-Integrated Ombudsman Scheme (RB-IOS). For entities not currently covered under RB-IOS, complaints can be lodged as per the grievance redressal mechanism prescribed by the Reserve Bank.
• Capturing the economic profile of the borrowers covering (age, occupation, income, etc.) before extending any loan to banks, NBFCs through their own digital lending apps and/or loan service providers engaged by them so that the assessment can be made. creditworthiness of the borrower in an auditable manner.
• There shall be no automatic increase in the credit limit unless the explicit consent of the borrower for each such increase is taken on record.
• During the cooling-off/look-up period, the borrower will be given a clear option to exit the digital loan by paying the principal and proportionate APR without any penalty during this period. The cooling-off period will be determined by the Board of the Bank, NBFC. The period so stipulated shall not be less than three days for loans of seven days or more and not less than one day for loans of ten days less than seven days. For borrowers who continue with the loan beyond the look-up period, prepayment will continue to be allowed as per extant RBI guidelines.
• The borrower has to consent or refuse the use of specific data, restrict disclosure to third parties, data retention, revoke previously given consent to collect personal data and, if necessary, allow the App to delete/delete the data. The option to forget will be provided.
• The explicit consent of the borrower shall be obtained before sharing personal information with any third party, except in cases where such sharing is required by statutory or regulatory requirements.
• Unless permitted under extant statutory guidelines, no biometric data is stored/collected in the systems linked to the Digital Loan App of Regulated Entities/their loan service providers.
• Banks and NBFCs shall ensure that any lending made through their digital lending app and/or digital lending app of the lending service providers is reported to credit information companies (such as CIBIL) irrespective of the nature/duration thereof.
• Credit information companies need to be informed about any expansion of structured digital loan products by banks, NBFCs and/or credit service providers employed by them, including short-term, unsecured/secured credit or deferred payments.
• Regulated Entities shall ensure that all loan servicing, repayment etc., are executed by the borrower directly into the bank account of Regulated Entities without any third party pass-through account/pool account. The disbursements shall always be made to the borrower’s bank account, except for disbursements specifically covered under statutory or regulatory orders (of RBI or any other regulator), flow of funds between regulated entities for co-lending transactions and specific final Disbursement for utilization, provided the loan is disbursed directly into the bank account of the end-beneficiary. Regulated Entities shall ensure that the disbursements are not made to any third party account, including the accounts of lending service providers and their digital lending apps, in any case, except as provided in these guidelines.