Gauging the Regulatory Winds: What does the next chapter of the Lending Sector hold?

BACKGROUND

India’s credit sector has seen phenomenal growth in the last few years supported by a rapid adoption of technology and a shift in the mindset towards borrowing money to meet financial needs. Fintechs have played a key role in driving this growth by bridging the gap between customers and financial institutions. While this surge fosters healthy competition and benefits consumers overall, it also leads to challenges due to the wide range of practices employed by different players in the market.

The growth of the industry can be attributed to digitisation, changes in the economic profile and innovation. Apart from these factors, the regulatory environment has also contributed to (and in some cases been a major force behind) shifts in growth patterns. 

This article attempts to evaluate the regulator’s direction with respect to the lending sector by closely examining the recent changes in the regulatory framework and the recent regulatory actions taken by the Reserve Bank of India (“RBI”).

DEVELOPMENTS IN THE REGULATORY FRAMEWORK 

Below is a quick summary of the major regulatory updates introduced by the RBI for lending institutions:

1. The RBI issued revisions to the Master Direction – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 (“P2P Directions”) vide notification dated August 16, 2024.[1] Given the prevailing practices in the industry and the RBI’s continuing crackdown, clarifications on the P2P Directions were a given. The clarifications impose restrictions on various practices in the industry such as promoting peer-to-peer lending models as investment products, collection-linked fees for the platform, providing credit enhancements, back-end transfers of loans from one lender to another (to enable instant withdrawals), etc., all of which were violative of the spirit and intent of the guidelines.

2. The RBI, in its notification dated April 29, 2024[2], highlighted various practices adopted by regulated entities (“REs”) while charging interest. These practices fell short of upholding the principles of fairness and transparency necessitated under various guidelines. Accordingly, REs were advised to review and update their policies and practices.

3. Vide its notification on Investment in Alternative Investment Funds (“AIFs”) dated December 19, 2023[3] read with notification dated March 27, 2024[4], the RBI advised REs to refrain from investing in debt or hybrid instruments of or lending to AIFs that have downstream investments in any of the debtors of such RE. This guidance seems to demotivate any structures or transactions that may potentially lead to the evergreening of loans.

4. On April 15, 2024[5], the RBI issued a notification on Key Fact Statement (“KFS”) for Loans and Advances to notify the format for a standard KFS. Post this notification, REs are required to disclose the loan terms by way of a KFS for bank loans, digital loans, retail loans and microfinance loans. This guidance on KFS harmonises the format of KFS for REs and enables comparability of different loan offers.

5. The RBI issued a detailed guidance note on managing and mitigating operational risk on April 30, 2024[6]. It applies to all REs and provides principle-based guidance on managing operational risks. Operational risk can result from various issues such as cyber-attacks, changes in technology, IT failures, geopolitical conflicts, business disruptions, internal or external frauds, execution or delivery errors and third-party dependencies. To tackle this inherent risk, REs ought to adopt an operational risk management (“ORM”) framework with three lines of defence, namely:

  • First line: This includes business and finance functions and shall be primarily responsible for identifying and managing risks inherent to products, services, processes, etc.
  • Second line: This includes an independent organisational ORM function such as the compliance function. The responsibility of this function will be to assess operational risks and controls and follow a maker-checker approach with the first line.
  • Third line: This shall be the audit function for verification of the implementation of ORM processes.

6. Vide its notification dated January 31, 2024[7], the RBI promoted automation and use of technological solutions for compliance monitoring. As per this notification, REs are required to provide for effective communication and collaboration among all stakeholders (by bringing business, compliance and IT teams, senior management, etc. on one platform), have processes to identify, assess, monitor and manage compliance requirements, and escalate issues of non-compliance, if any. REs also have to record approval of regulators for deviations or delay in compliance submission and provide a unified dashboard to senior management on the compliance position of the RE.

7. The RBI also issued a framework for recognising self-regulatory organisations (“SROs”) for fintechs (on May 30, 2024)[8] and REs (March 21, 2024)[9]. SROs are typically not-for-profit organisations with representation from various relevant stakeholders. These SROs aim to establish order and enforce compliance in unregulated/quasi-regulated sectors by acting as watchdogs and safeguarding consumer interests. The primary focus is to ensure better compliance, foster innovation and detect early warning signs. SROs are required to implement a standard code of conduct for their members to follow, educate the public about grievance redressal mechanisms, keep the RBI informed about the latest industry developments, etc. Additionally, Fintech Association for Consumer Empowerment (FACE) has been recognised as the first SRO for the fintech sector.

8. Through its notification on regulatory measures towards consumer credit and bank credit to NBFCs dated November 16, 2023[10], the RBI increased the risk weights on unsecured consumer lending (both direct and indirect) and credit card receivables. This resulted in an increase in the capital requirements for the REs engaged in these product segments. Of course, the consumption-based lending industry took a hit after this notification resulting in a year-on-year growth of around 18% – an approximate 2-3% reduction since last year.[11]

9. Having recognised that there may be instances where credit information was incorrectly submitted by REs or incorrectly maintained by a credit information company (“CIC”), the RBI introduced a strict grievance redressal framework vide its notification dated October 26, 2023[12]. This framework is applicable to all REs and CICs. Now, a customer’s request for rectification in the credit information must be disposed of within 30 days. Further, the RBI, vide another notification dated August 8, 2024[13], reduced the reporting timelines for REs from monthly to fortnightly, in order to ensure an accurate and updated credit status of the customer is reflected. Regarding lapses in credit reporting owing to cancellations of licenses, the RBI vide its notification dated October 10, 2024[14], instructed REs to continue reporting the repayments by their customers until the loan lifecycle is completed or the credit institution is wound up, whichever is earlier. REs would be considered credit institutions under the Credit Information Companies (Regulation) Act, 2005 even after cancellation of their license. CICs are also required to tag such REs as ‘license cancelled entities’ in the credit reports.

10. With an intent to harmonise the regulatory framework for various players in the lending industry, the RBI has issued the following guidelines:

  • Master Direction – Reserve Bank of India (Filing of Supervisory Returns) Directions – 2024 dated February 27, 2024[15]; and
  • Review of the regulatory framework for HFCs and harmonisation of regulations applicable to HFCs and NBFCs dated August 12, 2024[16].

INITIATIVES BY THE REGULATOR

  1. The RBI launched the Platform for Regulatory Application, VAlidation and AutHorisation (PRAVAAH) portal to facilitate entities to seek authorisation, licenses or regulatory approvals, etc.[17]
  2. A fintech repository to capture essential information about fintech entities, their activities, technology uses, etc. was launched.[18]
  3. The RBI also launched a repository for REs on their adoption of emerging technologies (like AI, ML, Cloud Computing, DLT, Quantum, etc.) called EmTech Repository.[19]
  4. The RBI also announced the launch of a technology platform that enables frictionless credit named Unified Lending Interface (“ULI”).[20] This platform will facilitate a seamless and consent-based flow of digital information, including land records of various states, from multiple data service providers to REs. The ULI architecture will have common and standardised APIs, designed for a ‘plug and play’ approach to ensure digital access to information from diverse sources.

REGULATORY ACTIONS

The RBI imposed penalties and passed orders for cancelling licenses or imposing an embargo on particular business lines of REs owing to the following reasons:

  1. Pricing of loans: Adoption of usurious interest rates in the retail lending space, especially for unsecured personal loans and microfinance loans.
  2. Guidelines on Know Your Customer (“KYC”) norms: Failure to undertake risk categorization of customers, failure to carry out periodic updation of KYC, allotting more than one unique customer identification code to the customer, etc.
  3. Guidelines on gold loans: Sanctioning gold loans in excess of the prescribed limits on loan-to-value ratio, deviations in assaying and certifying the purity of the gold, disbursal and collection of loans in cash, non-adherence to auction process, and lack of transparency in charges being levied to customer accounts.
  4. Liquidity management guidelines: Failure to maintain liquidity coverage ratio as per the prescribed limits, failure to carry out stress testing, etc. 
  5. Information technology and cyber security: Breaches in cyber security reporting requirements, absence of a robust IT infrastructure and IT risk management framework, etc. 
  6. Governance: Failure to constitute required committees, failure to ensure the independence of the board, failure to ring-fence financial business with the non-financial business of the group, etc. 
  7. Consumer protection: Failure to rectify the credit information data within the prescribed timelines, usage of dark patterns, providing access to customer data to the service providers, etc.
  8. Fraud prevention: Failure to use robust software that enables effective identification and reporting of suspicious or fraudulent transactions, failure to report frauds, etc. 
  9. Fair practice guidelines: Failure to transparently disclose the applicable charges and approach for interest rate gradation, failure to disclose terms and conditions in vernacular language, charging fees that were not adequately disclosed to the customer, failure to disclose details of co-lending products, charging interest on loans from dates prior to the dates of disbursal, etc.
  10. Outsourcing guidelines: Outsourcing the decision-making to third parties with respect to KYC norms, outsourcing of core management functions such as credit appraisal and loan sanctioning, etc.
  11. Evergreening of loans: Practices such as offering back-to-back renewals of loans, transfer of loans between two financial institutions to avoid recording of NPAs, etc.
  12. Hurdle rate structures: Service fee structures where the RE earns a fixed fee from its service provider and the service provider earns the interest charged on the borrower in excess of the fixed fee (commonly known as the hurdle rate structure).
  13. Other guidelines: Failure to carry out due diligence and credit evaluation of the customer, delayed regulatory reporting, irregular or misrepresented regulatory reporting, failure to obtain prior approval of the RBI for change in management, failure to maintain the required minimum net owned funds, etc.

FORMAL AND INFORMAL COMMUNICATIONS

  1. The RBI held a meeting with CICs and advised them to improve data quality, ensure timely redressal of customer complaints, strengthen the internal ombudsman framework, streamline the process for handling data correction requests, strengthen cybersecurity and data privacy through a robust information security governance framework, and address concerns arising out of usage of data for consulting, analytics, etc.
  2. The RBI held a meeting with internal ombudsmen of REs to evaluate practices that can enhance grievance redressal mechanisms.
  3. The RBI held a meeting with private and public sector banks where it raised concerns on outlier growth in personal loans, adherence to co-lending guidelines, exposure to the NBFC sector, liquidity risk management, information technology and cyber security preparedness, operational resilience, digital frauds and strengthening of the internal rating framework. The Governor also encouraged the banks to actively participate in RBI’s FinTech initiatives and give a further push to the digital banking units (DBUs).

WHERE IS THE LENDING INDUSTRY HEADED?

The Indian lending industry, despite the ever-changing regulatory landscape, is on a high-growth trajectory. One can expect:

  • Retail loans to continue being a large chunk of the lending portfolio. Within this segment, unsecured personal loans (i.e., consumption-based loans) are expected to see a slow-down, and other products may see an uptick in growth;
  • Personal loans to be substituted by gold loans to some extent; and
  • The industry to create more avenues for business loans, MSME loans, project loans, etc. 

Reflecting on the recent regulatory updates, initiatives and actions, several key themes have emerged as the focus area for the regulator, and these are likely to remain central moving forward: (i) prudent and sustainable business practices, (ii) adherence to the intent of the regulations, (iii) cybersecurity, data protection and evolved technology, and (iv) shifting focus from consumption-based lending to income and business-support lending.

Given these trends and the regulator’s increasing scrutiny, REs must reassess their current lending products and practices to ensure alignment with the spirit of the law and regulatory expectations. In light of recent regulatory actions, REs would benefit from conducting a comprehensive review of their internal compliance frameworks and processes to avoid potential pitfalls.


[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12721&Mode=0

[2] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12678&Mode=0

[3] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12572&Mode=0

[4] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12639&Mode=0

[5] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12663&Mode=0

[6] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12679&Mode=0

[7] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12603&Mode=0

[8] https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=58000

[9] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=57534

[10] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12567&Mode=0

[11] https://rbi.org.in/Scripts/Data_Sectoral_Deployment.aspx

[12] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12553&Mode=0

[13] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12718&Mode=0

[14] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12739&Mode=0

[15] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12613

[16] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12719&Mode=0

[17] https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=57990

[18] Ibid

[19] Ibid

[20] https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=58449