Reserve Bank of India‘s move to allow fintech companies to access credit information via credit bureaus is a positive move, but ownership and control issues remain unresolved, writes Kaushal Mathpal


s per the Reserve Bank of India’s (RBI) latest digital lending report dated 18 November 2021, digital lending has grown 12-fold between 2017 and 2020. This meteoric rise is attributed to fintech players that have technologically enabled the struggling non-banking financial company (NBFC) sector to reach the forefront of the digital revolution.

For fintech, there may be a different suite of products for acquiring customers such as wallets, Unified Payments Interface (UPI), facilitating bill/card payments, etc. However, with UPI gaining momentum and transaction fees/charges (more specifically referred to as merchant discount rates, or MDR) plummeting amid growing competition, lending is the only chance of making some real revenue for such companies.

Lending in India is strongly regulated by the RBI and requires creating a fine balance between risk exposure and the creditworthiness of the potential borrower. New age fintech companies may have access to various customer data points based on their behaviour over their platforms, however, it’s still far from the entire picture to make a lending decision. That’s where credit information companies (CICs) come into play. These are the third-party independent agencies that collect data pertaining to loans, credit cards and other financial information from their members.

The CICs collect this data from members and assign risk-based scoring that is reflective of their potential creditworthiness. The credit score helps these financial institutions conceptualise new product offerings to target these customers on the basis of their risk profile. Thus banks and financial institutions act both as a supplier of necessary information to determine the credit score and primary users for their future lending portfolios.

Until the end of 2021, only banks and NBFCs were the “specified users” under the Credit Information Companies (Regulation), 2005 (CIC Act), and hence were able to access the customer’s credit information. As such, the membership of CICs was exclusive to banks and NBFCs only. The CIC Act empowered the RBI to specify the criteria for any other institutions as “specified user”. In January 2022, in a positive move for the fintech space, the RBI released the criteria for the specified user in terms of the Credit Information Companies (Amendment) Regulations, 2021, paving the way for fintech companies to access credit information through credit bureaus.

Before delving deeper into the RBI’s criteria, some perspective is needed as to why this development has taken place.


Back when fintech was gaining momentum, pre-2019, it offered a great value proposition for expediting the credit approval process through this technological intervention by bringing down the turnaround time from days to mere hours. In order to arrive at a decision on granting credit, fintech companies needed access to credit information available with credit bureaus.

However, as mentioned above, under the CIC Act, only banks or NBFCs could have access to this data. In order to facilitate fintech companies, a middle ground, or loophole, was identified and fintech companies were given access to credit information through the lender’s credentials. At an operational level, a sub-user ID of lender’s credentials was created to give access to fintech partners to fetch consumer details.

This is similar to having a G-suite ID at an institutional level, and creating different e-mail IDs for employees under the institutional ID. Only in this case, instead of employees of lenders gaining access to the CIC portal for fetching credit data, these sub-user IDs were allocated to fintech companies for fetching customer credit scores for facilitation of loans.

It is important to note that fintech companies were facilitating loans for multiple lenders and the same file was processed with different lenders simultaneously. This led to the following major issues:

  • Customer’s information being fetched from such lender’s CIC credentials, even to whom the loan application was never sent for processing;
  • Excessive fetching of credit information without proper consent; and
  • Storing/disclosure/usage of such confidential data by fintech companies for their analytical purposes and cross-selling/up-selling of new products.

In addition, credit information was being fetched for recovery purposes by fintech companies as most of its partnerships with NBFCs and banks were modelled over the first loss default guarantee arrangement that ensured that fintech companies had skin in the game. Further, since a customer file was processed with multiple lenders at the same, many times his or her credit score was also accessed multiple times. Such repeated credit enquiries were interpreted as a customer’s eagerness for a loan, causing the customer’s credit scores to nosedive and leading to a large number of complaints and disputes with credit bureaus.

CICs and lenders were well aware of these issues but ignored them for obvious business reasons. For lenders, especially NBFCs, fintech companies were cash cows that inflated their assets under management, supported by the generous first loss default guarantee arrangements. On the other hand, the CICs had plausible deniability as technically the reports were being fetched by lenders only, and they had legal agreements in place putting the liabilities on the lender’s head.


In September 2019, the RBI vide its letter addressed to financial institutions and CICs, took note of these issues and objected to the industry-wide practices, reminding them of the principles of customer confidentiality and privacy laid down under chapter VI of the Credit Information Companies (Regulation) Act, 2005.

This created some temporary stumbling blocks for fintech companies. However, they were quick to innovate and move to the direct-to-consumer (D2C) model (i.e., acting as an agent for individuals) for accessing credit information. The CICs also quickly realised the pivot towards the D2C model and came up with certain restrictions and/or due diligence mechanisms for fintech companies, such as obtaining fresh consent from customer every six months, stricter information security and internal controls, audit coverage and monitoring.

In the meantime, big fintech and industry bodies were continually lobbying for easier access to credit information. The government couldn’t have avoided this push for much longer and ultimately amended the CIC Regulation in November 2021. This expanded the scope of the specified user to entities working for the benefit of the credit institution, provided they satisfied the criteria laid down by the RBI.


The RBI released criteria for such entities on 5 January 2022, with the broad criteria for “specified user” as below:

  • Entity incorporated in India;
  • Net worth of INR20 million (USD263,000);
  • Entity to be owned and controlled by resident Indian citizen;
  • CISA (Certified Information Systems Auditor) certification; and
  • Diversification of ownership.

This development by the RBI is a welcome step as it seeks to put in place a minimum net worth for fintech entities with robust security and technological standards. This is a positive step intended to ensure that customer confidentiality and privacy principles are taken to the implementation level.

However, on the downside, the ownership and control criteria being with resident Indian companies and citizens does not bode well for the current industry scenario. The Indian fintech market has been a hotbed for FDI and has attracted investment up to USD1.9 billion until December 2021, despite the pandemic. Further, one-third of the nation’s unicorns are from the fintech space. The government has also allowed FDI of up to 100% in fintech.

It is important to note that fintech is a capital-intensive space and FDI is a major source of funding for such entities. The fundraising among foreign investors leads to the dilution of founders’ and promoters’ shares (who are mostly Indian), thus effectively diluting the ownership and control to parties outside the country.

The RBI also requires such entities to have a diversified ownership structure. This principally requires dilution of share capital among several entities or individuals. Considering that foreign venture capital funds are a main source of funding for these fintech entities, it will fail to adhere to this criterion. This in fact is contrary to the above-mentioned “ownership and control” criteria, as it implies that the regulator expects such entities to diversify only among the resident entities/individual, which doesn’t seem to go in line with FDI regulations allowing 100% funding under the automatic route.

The strength, volumes and economies of scale that the Indian fintech market is currently driving, and its future potential, is not unknown to the regulator. The RBI realises its potential and has set up a new department that works on laying out new regulations and policies for the fintech sector.

The stricter norms may have stemmed from RBI’s concerns about confidentiality and privacy of customer credit data, and its unsolicited use by foreign and domestic entities. There have been crackdowns on various fintech companies, such as Cashbean and Kudos, for their linkage with China and for running an illegal lending app in India. Similarly, the recent news of celebrities Sunny Leone and Rajkumar Rao, whose PAN cards were illegally used to obtain loans, caused grave concerns about the confidentiality of customer data.

Despite the RBI’s conservative approach on the specified user, the new criteria are still a positive development given the regulator’s efforts to bring harmony between traditional banking and fintech norms. But with the current regulations, a larger chunk of the fintech companies will be left out and will continue to rely on the D2C model for accessing credit information, which has its own set of challenges. It is hoped that the criteria will be a temporary measure, and will eventually fall in line with larger regulatory oversight being planned for the fintech industry.

Kaushal Mathpal is a senior corporate counsel at Bharatpe. subscripton ad blue 2022