Digital lending goes up; RBI cracks down

India’s vibrant digital lending sector has grown at an unprecedented rate, increasing from USD9 billion in 2009 to USD110 billion a decade later. Participants in the industry include banks and financial institutions regulated by the Reserve Bank of India (RBI), as well as a large number of loan service providers (LSPs), technology vendors, and businesses offering digital lending apps (DLAs) outside the RBI’s regulatory ambit.

The lack of regulatory scrutiny has ensured that this growth has attracted controversy, especially over privacy, with allegations of multiple security incidents, misuse of data and unethical recovery practices plaguing unregulated players. Given the inadequate and antiquated general data protection law, the RBI issued Guidelines on Digital Lending (guidelines) on 2 September 2022 that, among other aspects, create a comprehensive framework to protect consumers’ data within the industry. The guidelines bring unregulated digital lending players within the RBI’s ambit by requiring that regulated players, such as banks and non-banking financial institutions, ensure that unregulated players with which they partner, such as LSPs and companies offering DLAs, comply with them.

The guidelines’ data protection requirements are detailed and significantly alter how businesses implement and maintain their data protection practices under the existing data protection regime. As India awaits a new and comprehensive data protection law, these guidelines may be a precursor of what is to come. Existing data protection derives from the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (rules). Under the rules, consent is the only requirement for collecting certain sensitive categories of personal data; the collection of non-sensitive categories of personal data is not subject to any specific ground of processing. Thresholds for consent are undemanding: consent must be given in writing or through electronic communication and must be capable of withdrawal.

The guidelines go further: explicit consent is necessary for the collection of any type of data; the collection of data must be needs-based, and businesses must demonstrate through audit trails that consent has been given. Consumers have the right to withhold consent, revoke consent already granted and restrict the retention of their data. Businesses must obtain consumers’ explicit consent prior to the disclosure of their data to any third party.

There have been historic instances of digital lending players misusing consumers’ mobile phone contacts for loan recovery purposes, leading to high-profile criminal investigations. The guidelines seek to curb misuse and prohibit DLAs and LSPs from accessing consumers’ files and media on their phones, in their contact lists, and from telephony functions. DLAs and LSPs are prohibited from collecting the biometric data of users unless necessary to comply with statutory obligations. In a significant departure from the rules, the guidelines bar DLAs and LSPs from storing the personal data they collect, with the exception of minimal data such as names, addresses, and contact details required for their operations.

The rules require organisations to publish privacy policies setting out the types of data being collected, the purpose of collection, disclosure details and security practices in place. The guidelines go further and require disclosure of procedures for the storage of customer data, retention periods, data destruction practices, standards for handling security breaches and details of third-party recipients of data. Digital lending players are required to disclose the purpose for which data is collected at every stage of a consumer’s journey, prompting businesses to re-examine and restructure user journeys on apps and websites to ensure compliance.

In line with the RBI’s stance on localisation of payment data, the guidelines require all data connected with this sector be held in India. This condition, coupled with the obligations of regulated entities to ensure their partners and vendors comply with the guidelines’ detailed requirements, has prompted both regulated and unregulated players to rethink contracts, user onboarding journeys, data collection practices, and loan recovery processes as they marry the requirements of the rules with the guidelines. While most industry segments await a comprehensive data protection law, the RBI has already kick-started a serious reckoning with wild west data protection.

Mathew Chacko is the managing partner, Aadya Misra is a senior associate and Shristi Kumar is an associate at Spice Route Legal.