In news – The Reserve Bank of India (RBI) has recently issued guidelines to all lenders, including banks, to protect the data of borrowers using digital lending apps from being misused.
Key guidelines-
- These new regulations are based on recommendations from a working group set up in January 2021 on ‘Digital lending including lending through online platforms and mobile apps’ (WGDL).
- RBI has categorised digital lenders into three groups:
  - Entities which are regulated by the RBI and are allowed to carry out lending business.
  - Entities that are authorized to carry out lending as per other statutory or regulatory provisions but are not regulated by the RBI.
  - Entities lending outside the purview of any statutory or regulatory provisions.
- As per the guidelines, the regulated entities cannot store borrowers’ data except for some basic minimal information.
- The guidelines say that a lender can store information such as the customer's name, address, contact details, etc., that is required to process and disburse the loan and for its repayment.
- Biometric information of the borrower cannot be stored by digital lending apps.
- The guidelines issued are applicable to existing customers availing fresh loans and to new customers getting onboarded from September 2, 2022.
- However, in order to ensure a smooth transition, Regulated Entities shall be given time till November 30, 2022, to put in place adequate systems and processes to ensure that ‘existing digital loans’ (sanctioned as on the date of the circular) are also in compliance with these guidelines in both letter and spirit.
- The guidelines issued by the RBI cover the following regulated entities:
  - All Commercial Banks.
  - Primary (Urban) Co-operative Banks.
  - State Co-operative Banks.
  - District Central Co-operative Banks.
  - Non-Banking Financial Companies (including Housing Finance Companies).
- The guidelines explicitly state that digital lending apps cannot access mobile phone resources such as file and media, contact lists, call logs, telephone functions, etc.
- One-time access can be taken for camera, microphone, location or any other facility necessary for the purpose of onboarding/KYC requirements only, with the explicit consent of the borrower.
- The borrowers must be informed about the storage of customer data including the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, data destruction protocol, standards for handling security breach, etc.
- At the time of disbursing loans using digital apps, a Key Fact Statement (KFS) must be provided to the borrower before the execution of the contract, in a standardized format for all digital lending products.
- The borrower must be informed about the all-inclusive cost of digital loans, and this cost should also be a part of the Key Fact Statement.
- All loan disbursals and repayments are to be executed between the bank accounts of the borrower and the entity. This eliminates the presence of a nodal pass-through or pool account of the Lending Service Providers (LSPs).
- LSPs operate in collaboration with Non-Banking Financial Companies (NBFCs) who disburse credit to customers using the former’s platform.