RBI Digital Lending Guidelines: Safeguards Borrower Data Security

The Reserve Bank of India (“RBI”) released its guidelines on Digital Lending on September 02, 2022 (“Guidelines”) for immediate implementation from that date.[1] The Guidelines apply to existing customers availing fresh loans as well as to any new customers onboarded from the date of the circular. A transition period, till November 30, 2022, has been provided to regulated entities (“REs”) to institute adequate systems and processes so that existing digital loans (sanctioned as on the date of the circular) are also brought into compliance with the Guidelines.

Digital lending, as defined under the Guidelines, is a remote and automated lending process, administered largely through seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service. Digital lending involves not only traditional banks but also FinTech entities such as Lending Service Providers (“LSPs”) and Digital Lending Apps/Platforms (“DLAs”). These FinTech entities have introduced innovative methods of designing the delivery and servicing of credit products, thereby gaining prominence in India.

An LSP acts as an agent of an RE and carries out one or more of the lender’s functions, or part thereof, in customer acquisition, underwriting support, pricing support, servicing, monitoring, and recovery of a specific loan or loan portfolio on behalf of the RE. DLAs are mobile and web-based applications with a user interface that facilitates digital lending services. These include apps of the REs as well as those operated by LSPs engaged by the REs for extending any credit facilitation services. The onus of ensuring that LSPs and DLAs comply with the Guidelines is on the REs.

Since FinTech platforms collect massive amounts of data from customers, including sensitive personal information and financial records, the RBI raised concerns regarding breaches of customer data privacy by such entities. A Working Group constituted by the RBI inter alia discussed these data privacy concerns in its report dated November 18, 2021 (“Report”).[2] It noted that FinTech platforms track information such as customers’ spending and social media patterns to generate an alternative credit score for determining their risk profile. While accepting the terms and conditions/terms of service of these platforms, customers are generally not conscious of the fact that they are signing away their privacy rights. The Report highlighted that certain lending apps collect users’ entire phone contacts, media, gallery, etc. and use this data to harass borrowers and their contacts in case of delays in repayment.

The Working Group observed that although there is still uncertainty on whether FinTech platforms can be considered intermediaries, the definition of ‘intermediary’ under the Information Technology Act, 2000 is in fact wide enough to bring LSPs and DLAs within its purview. Against this backdrop, and in view of the current lacunae in Indian data privacy laws, the Guidelines have introduced the following measures to mitigate the data privacy concerns:

  1. Collection of Data

Under the Guidelines, the REs need to ensure the following:

(a) Any collection of data by their DLAs and by the DLAs of their LSPs is ‘need-based’ and is made with the prior and explicit consent of the borrower, with an audit trail.
(b) DLAs desist from accessing mobile phone resources such as files and media, the contact list, call logs, telephone functions, etc.
(c) Access to the camera, microphone, location or any other facility necessary for on-boarding/KYC requirements is obtained on a one-time basis only, with the explicit consent of the borrower.
(d) The borrower is provided with an option to give or deny consent for the use of specific data, to restrict disclosure to third parties, to restrict data retention, to revoke consent already granted to collect personal data and, if required, to make the app delete/forget the data. The purpose of obtaining a borrower’s consent needs to be disclosed at each stage.

  2. Sharing Data with Third Parties

Explicit consent of the borrower is required before any personal information is shared with any third party, except where such sharing is required under a statutory or regulatory requirement.

  3. Storage of Data

Under the Guidelines, the REs need to ensure the following:

(a) The LSPs/DLAs engaged by them do not store personal information of borrowers, except for some basic minimal data (viz., name, address, contact details of the customer, etc.) that may be required to carry out their operations.
(b) Clear policy guidelines regarding the storage of customer data, including the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, the data destruction protocol, standards for handling a security breach, etc., are put in place and are also disclosed prominently, at all times, on the websites and apps of the DLAs of the REs and of the LSPs engaged by the REs.
(c) No biometric data is stored/collected in the systems associated with the DLAs of the REs/their LSPs, unless allowed under extant statutory guidelines.
(d) All data is stored only on servers located within India, while ensuring compliance with statutory obligations/regulatory instructions.

  4. Privacy Policy

Another compliance requirement for the REs is to ensure that the DLAs and LSPs engaged by them have a comprehensive privacy policy compliant with applicable laws, associated regulations and RBI guidelines. For the access and collection of borrowers’ personal information, the DLAs of the REs/LSPs should make this comprehensive privacy policy publicly available. Details of third parties (where applicable) allowed to collect personal information through the DLA shall also be disclosed in the privacy policy.

It is pertinent to note that the REs remain responsible for the data privacy and security of the customer’s personal information, and must ensure that the LSPs and DLAs comply with the above mandates. The REs also need to ensure that they and the LSPs engaged by them comply with the various technology standards/requirements on cybersecurity stipulated by the RBI and other agencies, or as may be specified from time to time, for undertaking digital lending.

The RBI has taken a borrower-centric approach in the Guidelines, with the aim of balancing innovation and the use of technology against data privacy. With the Data Protection Bill, 2021 having recently been withdrawn by the government, the Guidelines are a necessary step towards closing the gap in the law with respect to the collection, handling and storage of borrower data by credit institutions.