On August 10, the Reserve Bank of India (RBI) released their recommendations on digital lending. This is a significant moment, especially since the Indian government recently withdrew the data protection bill that aimed to protect consumers from the risks of digitalization and data proliferation. The bill, launched in 2019, was designed in light of concerns about data misuse by private players. A new bill is proposed as an alternative. However, while India awaits this, data regulation depends on sectoral regulations. These new recommendations on digital lending will help to regulate the multitude of digital lending apps that have exploded across India, and how they use consumer data.
Background on India’s Digital Lending Regulations
In this age of rapid digitalization, innovation opportunities grow as fast as the risks they pose to consumers, making it challenging for regulators to keep abreast of the changes. The RBI Working Group on digital lending reported that the volume of digital credit has grown twelve-fold between 2017 and 2020. CGAP’s research on risks in digital financial services (DFS) reveals that as of 2021 there are over 60 identified consumer risks, compared to only seven risks identified in 2015; and this list only continues to evolve.
India has been at the epicenter of DFS growth, but this growth has been accompanied by growing concerns about consumer risks.
India has been at the epicenter of DFS growth, driven by extensive investments by the government in digital infrastructure, India Stack – a comprehensive digital identity, payments and data management system, and investments. The digital investment market in India is projected to be worth $14.3 billion in 2025, growing at a 5-year CAGR of 22.4 percent. This growth in DFS has been accompanied by growing concerns about consumer risks, such as high failure rates in digital payments, fraud, and poor redressal, among other challenges. Digital lending has been leading the charge on both innovations and rising consumer risks and, in response, the Reserve Bank of India (RBI) constituted a working group on digital lending in 2021.
This is not the first time the RBI has needed to formulate regulations to protect consumers. The RBI’s past interventions in microfinance and digital payments have allowed them to balance their conflicting goals of inclusion, consumer protection, stability, and growth-led innovation.
Digitalization and modularization of financial services create new regulatory challenges. Three challenges that stand out in the Indian context are lower entry barriers, India’s complex legal regime, and the absence of guidelines about what consumer data apps can collect.
To allow innovation, entry barriers are low, a concern raised in the working group’s report especially as the market matures – a problem that previously has been seen and addressed by regulators in Kenya. In India, this led to the creation of lending apps, several of which were fraudulent and predatory, and were launched during the pandemic when demand was high due to consumers’ loss or drop in income, loss of jobs, and health shocks.
India’s complex and fragmented regulatory and legal regime has been written about extensively in the past, and was acknowledged as a challenge by the RBI Working Group on digital lending in their recent report. In an era of modularization, where efficiency in delivery of digital credit is driven by partnerships with banks and non-bank finance companies, call centers, collection agents, and others, not all entities are directly regulated by RBI. This adds a layer of complexity to India’s already complex legal system that governs lending.
Earlier this month, India’s government withdrew the data protection bill, which sought to empower citizens with rights related to their data. The removal of this bill now creates challenges for consumers in India, especially women and minority groups who can be targeted and don’t have control over how their data is used. Recent research in India showed that the very act of going online can violate societal expectations of women. Besides the obstacle this creates in narrowing the gender gap in India, the lack of laws and guidelines has led digital lending apps to seek disproportionate permissions, and then use consumer data to “debt shame” consumers who delay repayments. The prospect of social censure can be a powerful barrier for women in adopting DFS.
Digital environments exacerbate financial services risks that have existed for a long time.
It is worth repeating that digital environments exacerbate financial services risks that have existed for a long time. There are several ways that we see risks evolve in a digital era. Digital lenders in India communicate about prices in different ways, making it harder for consumers to compare and choose. Digital lenders requested processing fees upfront, regardless of whether or not a loan would be disbursed – a scheme profitable for lenders, but detrimental to consumers. Complaint channels in a digital environment are often non-existent or dehumanized, causing many consumers to resort to social media to air their complaints. The absence of well-designed complaint channels can be a barrier to consistent use and can contribute to a lack of trust, especially among women. Finally, credit reporting during the pandemic took a backseat due to loan moratoria, and the modularized nature of digital lending meant that fintech lenders would often not report to credit bureaus, weakening existing credit reporting mechanisms even as the digital lending space evolved.
Positives of the New Recommendations
Not all digital lending is bad. We know that timely access to affordable loans can help smooth cash flows, address emergency liquidity requirements, and offer consumers greater choice. Therefore, the RBI’s recommendations based on the working group’s report are an encouraging first step to addressing consumer risks before trust in digital lending is eroded.
The recommendations for implementation made by the RBI on August 10, include direct execution of loans, mandates to reveal the annualized percentage rate (APR), and a cooling off period that allows consumers to change their minds.
Now with these recommendations in place, regulated entities – institutions that are directly regulated by the RBI – must disburse directly to borrowers’ bank accounts, except in a narrow set of cases of co-lending transactions. This is a positive step that reduces the bargaining power of intermediaries that may be involved and clearly positions that the risk of lending lies with banks and non-banks and not the originators of loans. Therefore, the onus of consumer protection lies with the institution taking on the risk of lending.
The mandate to reveal the APR creates a standard playing field for all lenders and allows consumers to compare rates – a crucial step. Finally, the cooling off period with loans is an excellent move and sets a positive precedent for regulators in other jurisdictions. While this feature is normally associated with insurance products, the extension to loans provides consumers with choice and the ability to change their minds without facing financial losses. However, the operationalization of this recommendation will require consultation with market players, since it does impact lenders’ cash flows.
Even though these guidelines are not a perfect replacement for a comprehensive data protection bill, they do protect against misuse of consumer data gathered through digital lending apps.
While India awaits a new data protection bill and eventually a new law, individual regulators must safeguard consumers’ data privacy interests. Even though these guidelines are not a perfect replacement for a comprehensive data protection bill, they do protect against misuse of consumer data gathered through digital lending apps. They prevent disproportionate permissions from being sought by lending apps, allow access to camera, microphone, and location data as a one-time event during onboarding or checking KYC, and outline standards to be achieved in case of a security breach.
Gaps That Still Need to Be Filled
More is needed to establish a common understanding of consumer protection risks and redress mechanisms among all regulated entities and institutions involved in the delivery of loans.
While being transparent about APR is a positive first step, in a market with hundreds of lending apps and several more that launch daily, consumers must be able to compare lenders. This need presents a market opportunity: while price comparison sites exist for insurance products, it is time to have them for digital loans. Ideally, lenders would compete to provide the best terms to borrowers but we likely will need to wait some time for this advancement.
Complaint channels need to be redesigned to be consumer-friendly and regulators need to use appropriate market monitoring tools to analyze and identify early warnings. This also presents an opportunity to test and evaluate consumer complaint mechanisms that exist – an area of emerging research interest for CFI.
And finally, the RBI proposes that underwriting algorithms used by lenders should be subject to audits. The RBI noted that while this recommendation was accepted in principle, it would require further examination prior to implementation. This is an important first step to ensure that high-stakes algorithms aren’t further cementing financial exclusion. At the same time, algorithmic auditing, particularly by regulators of private sector algorithms, is a nascent field and must balance accountability with a company’s proprietary intellectual property. Global research on this topic is just beginning and partnerships with regulators would enable practical action.