Digital Consumer Lending: Need for prudential measures and addressing consumer protection

-Siddarth Goel (finserv@vinodkothari.com)

Introduction

“If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck”

The above phrase is the popular duck test, which applies abductive reasoning to identify an unknown subject by observing its habitual characteristics. The idea of using this duck test phraseology is to determine the role and function performed by the digital lending platforms in consumer credit.

Recently the Reserve Bank of India (RBI) constituted a working group to study how to make access to financial products and services more fair, efficient, and inclusive.[1] Lately there have been many news reports surrounding a series of unfortunate events: the charging of usurious interest rates by certain online lenders, and the misery caused by threats to, and public shaming of, some borrowers by these lenders. The RBI issued a caution statement through its press release dated December 23, 2020, against unauthorised digital lending platforms/mobile applications. The RBI reiterated that legitimate public lending activities can be undertaken by Banks, Non-Banking Financial Companies (NBFCs) registered with RBI, and other entities regulated by the State Governments under statutory provisions, such as the money lending acts of the concerned states. The circular further mandates that the digital lender disclose the banks/NBFCs to customers upfront.

There is no denying the fact that these digital lending platforms have benefits over traditional banks in the form of lower transaction costs and credit integration of the unbanked or people not having any recourse to traditional bank lending. Further, there are some self-regulatory initiatives from the digital lending industry itself.[2] However, there is a regulatory tradeoff between the lender’s interest and over-regulation to protect consumers when dealing with large digital lending service providers. A recent judgment by the Bombay High Court ruled that:

“The demand of outstanding loan amount from the person who was in default in payment of loan amount, during the course of employment as a duty, at any stretch of imagination cannot be said to be any intention to aid or to instigate or to abet the deceased to commit the suicide,”[3]

This pronouncement of the court is not under criticism here and is right in every sense given the facts of the case being dealt with. The fact remains that there needs to be a recovery process in place and fair terms to be followed by banks/NBFCs, and especially by the digital lending platforms, while dealing with customers. There is a need to achieve a middle ground on prudential regulation of these digital lending platforms and addressing consumer protection issues emanating from such online lending. The regulator’s job is not only to oversee the prudential regulation of the financial products and services being offered to consumers but also to protect the interest of customers attached to such products and services. It is argued through this paper that there is a need to put in place a better governing system for digital lending platforms to address the systemic as well as consumer protection concerns. Therefore, the onus of consumer protection is on the regulator (RBI), since the current legislative framework or guidelines do not provide adequate consumer protection, especially in digital consumer credit lending.

Global Regulatory Approaches

US

The Office of the Comptroller of the Currency (OCC) has laid out Special Purpose National Bank (SPNV) charters for fintech companies.[4] Under the charter, the OCC reviews applications, and SPNVs are held to the same rigorous standards of safety and soundness, fair access, and fair treatment of customers that apply to all national banks and federal savings associations.

An SPNV whose activities fall under federal consumer financial law, i.e. one that provides ‘financial products and services to the consumer’, is regulated by the Consumer Financial Protection Bureau (CFPB). The other factors involved in application assessment are business plans, which should articulate a clear path and timeline to profitability. The applicant should also have adequate capital and liquidity to support the projected volume. Other relevant considerations for the OCC are organizers and management with appropriate skills and experience.

The key element of a business plan is the proposed applicant’s risk management framework, i.e. the ability of the applicant to identify, measure, monitor, and control risks. The business plan should also describe the bank’s proposed internal system of controls to monitor and mitigate risk, including management information systems. There is a need to provide a risk assessment with the business plan. A realistic understanding of risk, and management’s assessment of all risks inherent in the proposed business model, needs to be shown.

The charter guides that the ongoing capital levels of the applicant should be commensurate with the risk and complexity of the proposed activity. There is a minimum leverage that an SPNV can undertake, and regulatory capital is required for measuring capital levels relative to the applicant’s assets and off-balance sheet exposures.

The scope and purpose of CFPB are very broad and cover:

“scope of coverage” set forth in subsection (a) includes specified activities (e.g., offering or providing: origination, brokerage, or servicing of consumer mortgage loans; payday loans; or private education loans) as well as a means for the CFPB to expand the coverage through specified actions (e.g., a rulemaking to designate “larger market participants”).[5]

CFPB is established through the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The primary function of CFPB is to enforce consumer protection laws and supervise regulated entities that provide consumer financial products and services.

“(5) CONSUMER FINANCIAL PRODUCT OR SERVICES The term “consumer financial product or service” means any financial product or service that is described in one or more categories under—paragraph (15) and is offered or provided for use by consumers primarily for personal, family, or household purposes; or **

“(15) Financial product or service-

(A) In general The term “financial product or service” means—(i) extending credit and servicing loans, including acquiring, purchasing, selling, brokering, or other extensions of credit (other than solely extending commercial credit to a person who originates consumer credit transactions);”

Thus CFPB is well placed as a separate institution to protect consumer interest and covers a wide range of financial products and services including extending credit, servicing, selling, brokering, and others. The regulatory environment has been put in place by the OCC to check the viability of fintech business models and there are adequate consumer protection laws.

EU

The EU’s technologically neutral regulatory and supervisory systems intend to capture not only traditional financial services but also innovative business models. The current instrument dealing with credit agreements is EU Directive 2008/48/EC on credit agreements for consumers (Consumer Credit Directive – ‘Directive’). The process of harmonising the legislative framework is under way, as the report of the Commission to the EU Parliament raised some serious concerns.[6] The Commission report identified that the Directive has been partially effective in ensuring high standards of consumer protection, despite its focus on disclosure of the annual percentage rate of charge to customers, early payment, and credit databases. The report cited the exclusion of the consumer credit market from the scope of the Directive as the primary reason for the Directive being impractical.

The report recognised the increase in, and the future of, consumer credit through digitisation. Further, the rigid prescription of formats for information disclosure is viable at pre-contractual stages where a contract is subsequently to be entered into in paper format, but offers no consumer benefit in an increasingly digital environment, especially in situations where consumers prefer a fast and smooth credit-granting process. The report highlighted the need to review certain provisions of the Directive, particularly on the scope and the credit-granting process (including the pre-contractual information and creditworthiness assessment).

China

China has one of the biggest markets for online micro-lending business. The unique partnership of banks and online lending platforms using innovative technologies has been the prime reason for the surge in the market. However, recently the People’s Bank of China (PBOC) and China Banking and Insurance Regulatory Commission (CBIRC) issued draft rules to regulate online micro-lending business. Under the draft rules, fintech platforms underwriting consumer loans online are required to have a minimum fund contribution of at least 30% in a loan originated for banks. Further, micro-lenders sourcing customer data from e-commerce have to share information with the central bank.

Australia

The main legislation that governs the consumer credit industry is the National Consumer Credit Protection Act (“National Credit Act”) and the National Credit Code. The Australian Securities & Investments Commission (ASIC) is Australia’s integrated corporate, markets, financial services, and consumer credit regulator. As the consumer credit regulator, ASIC administers the National Credit Act and regulates businesses engaging in consumer credit activities, including banks, credit unions, and finance companies, along with others. ASIC has issued guidelines on obtaining licensing for credit activities, covering entities such as money lenders and financial intermediaries.[7] Credit licensing is needed for three sorts of entities, namely those that:

  • engage in credit activities as a credit provider or lessor
  • engage in credit activities other than as a credit provider or lessor (e.g. as a credit representative or broker)
  • engage in all credit activities

Applicants for credit licensing are obligated to have adequate financial resources and have to ensure compliance with other supervisory arrangements to engage in credit activities.

UK

The Financial Conduct Authority (FCA) is the regulator for consumer credit firms in the UK. The primary objectives of the FCA are to secure an appropriate degree of protection for consumers, to protect and enhance the integrity of the UK financial system, and to promote effective competition in the interest of consumers.[8] Consumer credit firms have to obtain authorisation from the FCA before carrying on consumer credit activities. The consumer credit activities include a plethora of credit functions, including entering into a credit agreement as a lender, credit broking, debt adjusting, debt collection, debt counselling, credit information companies, debt administration, providing credit references, and others. The FCA has been successful in laying down detailed rules for the price cap on high-cost short-term credit.[9] Under the total cost cap on high-cost short-term credit (HCSTC loans), including payday loans, borrowers must never have to pay more in fees and interest than 100% of what they borrowed. Further, there are rules on credit broking that prevent brokers from charging fees to customers or requesting payment details unless authorised by the FCA.[10] The fees charged to customers are to be reported quarterly, and all brokers (including online credit brokers) need to make clear that they are advertising as a credit broker and not a lender. There are no fixed capital requirements for credit firms; however, adequate financial resources need to be maintained and a business plan must be in place at all times for authorisation purposes.

Digital lending models and concerns in India

Countries across the globe have taken different approaches to regulate consumer lending and digital lending platforms. They have addressed prudential regulation concerns of these credit institutions along with consumer protection being the top priority under their respective framework and legislations. However, these lending platforms need to be looked at through the current governing regulatory framework from an Indian perspective.

Typical credit intermediation could be performed by way of a peer-to-peer (P2P) lending model, a notary model (bank-based), a guaranteed return model, a balance sheet model, and others. P2P lending platforms are heavily regulated and hence are not of primary concern herein. Online digital lending platforms engaged in consumer lending are of significance as they affect investors’ and borrowers’ interests, and a series of legal complexities arise owing to their agency lending models.[11] Therefore a careful anatomy of these models is important for investor and consumer protection in India.

Should digital lending be regulated?

Under the current system, only banks, NBFCs, and money lenders can undertake lending activities. The regulated banks and NBFCs also undertake online consumer lending either through their own websites/platforms or through third-party lending platforms. These unregulated third-party digital lending platforms count on their sophisticated credit underwriting analytics software and engage in consumer lending services. Under the simplest version of the bank-based lending model, the fintech lending platform offers loan matching services but the loan is originated in the books of a partnering bank or NBFC. Thus the platform serves as an agent that brings lenders (financial institutions) and borrowers (customers) together. Therefore the RBI has mandated that fintech platforms abide by certain roles and responsibilities of a Direct Selling Agent (DSA) under the Fair Practice Code (‘FPC’), and that partner banks/NBFCs ensure compliance with the Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Service (‘outsourcing code’).[12] In the simplest of bank-based models, the banks bear the credit risk of the borrowers and the platform earns its revenues by way of fees and service charges on the transaction. Since banks and NBFCs are prudentially regulated and have to comply with Basel capital norms, there are no real systemic concerns.

However, the situation alters materially when such a third-party lending platform adopts the balance sheet lending or guaranteed return model. In the former, the servicer platform retains part of the credit risk on its book and could also give some sort of loss support in the form of a guarantee to its originating partner NBFC or bank.[13] In the latter case, it is a pure guarantee, where the third-party lending platform contractually promises returns on funds lent through its platform. The devil lies in the detailed scrutiny of these business models. We have earlier highlighted the regulatory issues around fintech practices and app-based lending in detail in our write up titled ‘Lender’s piggybacking: NBFCs lending on Fintech platforms’ guarantees’.

From the prudential regulation perspective, in hindsight, banks and NBFCs originating through these third-party lending platforms are not aware of the overall exposure of the platforms to the banking system. Hence there is counterparty default risk of the platform itself from the perspective of originating banks and NBFCs. In a real sense, there is a kind of tri-party arrangement where funds flow from the ‘originator’ (regulated bank/NBFC) to the ‘platform’ (digital service provider) and ultimately to the ‘borrower’ (customer). The unregulated platform assumes the credit risk of the borrower, and the originating bank (or NBFC) assumes the risk of the unregulated lending platform.

Curbing unregulated lending

In the balance sheet and guaranteed return models, an undercapitalized entity takes credit risk. In the balance sheet model, the lending platform directly takes the credit risk and may or may not have to register as an NBFC with the RBI. The registration requirement as an NBFC arises if the financial assets and financial income of the platform are more than 50% of its total assets and income of such business (‘principal business criteria’; see footnote 12). In the guaranteed return model, by contrast, there is a form of synthetic lending and there is absolutely no legal requirement for the lending platform to register as an NBFC. The online lending platform in the guaranteed return model serves as a loan facilitator from origination to credit absorption. There is a regulatory arbitrage in this activity: since technically this activity is not covered under “financial activity” and the spread earned is not “financial income”, there is no requirement for these entities to register as NBFCs.[14]

Any sort of guarantee or loss support provided by the third-party lending platform to its partner bank/NBFC is a synthetic exposure. In synthetic lending, the digital lending platform takes a risk on the underlying borrower without actually taking direct credit risk. Additionally, there are financial reporting issues and a conflict of interest or misalignment of incentives, i.e. the entities do not have to abide by IND AS and can show these guarantees as contingent liabilities. On the contrary, they charge heavy interest rates from customers to earn a higher spread. Hence synthetic lending provides all the incentives for these third-party lending platforms to enter into risky lending, which leads to the generation of sub-prime assets. The originating banks and NBFCs have to abide by minimum capital requirements and other regulatory norms. Hence the sub-prime generation of consumer credit loans is supplemented by heavy returns offered to the banks. It is argued that the guaranteed returns function as a Credit Default Swap (‘CDS’) which is not regulated as a CDS. Thus the online lending platform escapes the regulatory purview and, as shown in the latter part, this leads to poor credit discipline in consumer lending, with consumer protection often put on the back burner.

From the prudential regulation perspective, restricting banks/NBFCs from undertaking any sort of guaranteed return or loss support protection can curb the underlying emergence of systemic risk from counterparty default. A legal stipulation could require NBFCs/banks lending through a third-party unregulated platform to lend strictly independently, i.e. without sharing the credit risk. Counterintuitively, the unregulated online lending platforms have to seek registration as an NBFC if they want to have direct exposure to the underlying borrower, subject to fulfillment of the ‘principal business criteria’.[15] Such a governing framework will reduce the incentives for banks and NBFCs to exploit excessive risk-taking through this regulatory arbitrage opportunity.

Ensuring Fairness and Consumer Protection

There are serious concerns of fair dealing and consumer protection aspects that have arisen lately from digital online lending platforms. The loans outsourced by Banks and NBFCs over digital lending platforms have to adhere to the FPC and Outsourcing code.

Fairness in a loan transaction calls for transparent disclosure to the borrower of all information about fees/charges payable for processing the loan application, disbursed, pre-payment options and charges, the penalty for delayed repayments, and such other information at the time of disbursal of the loan. Such information should also be displayed on the website of the banks for all categories of loan products. It may be mentioned that levying such charges subsequently without disclosing the same to the borrower is an unfair practice.[16]

Such a legal requirement gives rise to the age-old, and most debated, question of consumer law: is mere disclosure to the borrower of the loan terms in an agreement, even though the customer did not understand the underlying obligations, a fair contract? It is argued that, let alone the disclosures of obligations in digital lending transactions, customers are not even aware of their remedies. Under the current RBI regulatory framework, they have the remedy of approaching the grievance redressal authorities of the originating bank/NBFC or the banking ombudsman. However, things become even more peculiar in cases where loans are being sourced or processed through third-party digital platforms. The customers in the majority of cases are unaware of the fact that the ultimate originator of the loan is a bank/NBFC. The only remedy for such a customer is to seek refuge under the Consumer Protection Act 2019 by proving that the loan agreement is an ‘unfair contract’.

“2(46) “unfair contract” means a contract between a manufacturer or trader or service provider on one hand, and a consumer on the other, having such terms which cause significant change in the rights of such consumer, including the following, namely:— (i) requiring manifestly excessive security deposits to be given by a consumer for the performance of contractual obligations; or (ii) imposing any penalty on the consumer, for the breach of contract thereof which is wholly disproportionate to the loss occurred due to such breach to the other party to the contract; or (iii) refusing to accept early repayment of debts on payment of applicable penalty; or (iv) entitling a party to the contract to terminate such contract unilaterally, without reasonable cause; or (v) permitting or has the effect of permitting one party to assign the contract to the detriment of the other party who is a consumer, without his consent; or (vi) imposing on the consumer any unreasonable charge, obligation or condition which puts such consumer to disadvantage;

It is pertinent to note that neither is the scope of consumer financial agreements regulated in India, nor are the third-party digital lending platforms required to obtain authorisation from the RBI. There are instances of high interest rates and exorbitant fees charged by online consumer lending platforms which are unfair and detrimental to customers’ interests. The current legislative framework provides that NBFCs shall furnish a copy of the loan agreement as understood by the borrower, along with a copy of each of the enclosures quoted in the loan agreement, to all borrowers at the time of sanction/disbursement of loans.[17] However, like the persisting problem in the EU 2008/48/EC directive, even the FPC is not well placed to govern digital lending agreements and disclosures. Taking a cue from the problems recognised by the EU parliamentary committee report, there is no consumer benefit in an increasingly digital environment, especially in situations where there are fast and smooth credit-granting processes. The pre-contractual information on the disclosure of the annualised interest rate and capping of the total cost to a customer in consumer credit loans is central to consumer protection.

The UK legislation has been proactive in addressing the underlying unfair contractual concerns, by fixing maximum daily interest rates and maximum default fees, with an overall cost cap of 100%, that could be charged in short-term high-interest-rate loan agreements. It is argued that in this laissez-faire world, financial services business models which are based on imposing an unreasonable charge or obligations that could put consumers at a disadvantage should anyway be curbed. Therefore legal certainty in this regard would save vulnerable customers from having to seek the consumer court’s remedy in case of usurious and unfair lending.

The master circular on loans and advances provides for disclosure of the details of recovery agency firms/companies to the borrower by the originating bank/NBFC.[18] Further, there is a requirement for such a recovery agent to disclose to the borrower the antecedents of the bank/NBFC they are recovering for. However, this condition is barely followed or adhered to, and vulnerable consumers are exposed to all sorts of threats and forceful tactics. As one could appreciate, in the jurisdictions of the US, UK, and Australia discussed above, consumer lending and ancillary services are under the purview of the concerned regulators. From the customer protection perspective, at least some sort of authorization or registration requirement with the RBI, to keep a checks-and-balances system in place, is important for consumer protection. The loan recovery business is sensitive; hence there is a need for a proper guiding framework and/or registration requirement for the agents acting as recovery agents on behalf of banks/NBFCs. The mere registration requirement, and revocation of the same in case of unprofessional activities, will serve as a stick to check their consumer dealing practices.

The financial services intermediaries (other than banks/NBFCs) providing services like credit broking, debt adjusting, debt collection, debt counselling, credit information, debt administration, and credit referencing ought to be licensed by the regulator. Banks/NBFCs dealing with licensed market intermediaries would go much farther in the successful implementation of the FPC and in addressing consumer protection concerns arising from the current system.

Conclusion

From the perspective of sound financial markets and fair consumer practices, it is always prudent to allow only those entities in credit lending businesses that are best placed to bear the credit risk and losses emanating from them. Thus, there is a dearth of a comprehensive legislative framework in consumer lending, from origination to debt collection and its administration, including the business of providing credit references through digital lending platforms. There may not be a material foreseeable requirement for regulating digital lending platforms completely. However, there is a need to curb synthetic lending by third-party digital lending platforms, since a risk-taking entity without adequate capitalization will tend to get into generating risky assets with high returns. The off-balance sheet guarantee commitments of these entities force them to be aggressive towards their customers to sustain their businesses. This write-up has explored various regulatory approaches, with jurisdictions like the US, UK, and Australia being good comparables in addressing consumer protection concerns emanating from online digital lending platforms. Henceforth, a well-framed consumer protection system, especially in financial products and services, would go much farther in the development and integration of credit through digital lending platforms in the economy.

 

[1] Reserve Bank of India – Press Releases (rbi.org.in), dated January 13, 2020

[2] Digital lending Association of India, Code of Conduct available at https://www.dlai.in/dlai-code-of-conduct/

[3] Rohit Nalawade Vs. State of Maharashtra High Court of Bombay Criminal Application (APL) NO. 1052 OF 2018 < https://images.assettype.com/barandbench/2021-01/cf03e52e-fedd-4a34-baf6-25dbb55dbf29/Rohit_Nalawade_v__State_of_Maharashtra___Anr.pdf>

[4] https://www.occ.gov/topics/supervision-and-examination/responsible-innovation/comments/pub-special-purpose-nat-bank-charters-fintech.pdf

[5]  12 USC 5514(a); Pay day loans are the short term, high interest bearing loans that are generally due on the consumer’s next payday after the loan is taken.

[6] EU, ‘Report from the Commission to the European Parliament and the Council: on the implementation of Directive 2008/48/EC on credit agreement for consumers’, dated November, 05, 2020, available at < https://ec.europa.eu/transparency/regdoc/rep/1/2020/EN/COM-2020-963-F1-EN-MAIN-PART-1.PDF>

[7] https://asic.gov.au/for-finance-professionals/credit-licensees/applying-for-and-managing-your-credit-licence/faqs-getting-a-credit-licence/

[8] FCA guide to consumer credit firms, available at < https://www.fca.org.uk/publication/finalised-guidance/consumer-credit-being-regulated-guide.pdf>

[9] FCA, ‘Detailed rules for price cap on high-cost short-term credit’, available at < https://www.fca.org.uk/publication/policy/ps14-16.pdf>

[10] FCA, Credit Broking and fees, available at < https://www.fca.org.uk/publication/policy/ps14-18.pdf>

[11] Bank of International Settlements ‘FinTech Credit : Market structure, business models and financial stability implications’, 22 May 2017, FSB Report

[12] See our write up on ‘ Extension of FPC on lending through digital platforms’ , available at < http://vinodkothari.com/2020/06/extension-of-fpc-on-lending-through-digital-platforms/>

[13] Where the unregulated platform assumes the complete credit risk of the borrower there is no interlinkage with the partner bank and NBFC. The only issue that arises is from the registration requirement as NBFC which we have discussed in the next section. Also see our write up titled ‘Question of Definition: What Exactly is an NBFC’ available at http://vinodkothari.com/nbfcs/definition-of-nbfcs-concept-of-principality-of-business/

[14] The qualifying criteria to register as an NBFC has been discussed in our write up titled ‘Question of Definition: What Exactly is an NBFC’ available at http://vinodkothari.com/nbfcs/definition-of-nbfcs-concept-of-principality-of-business/

[15] see our write up titled ‘Question of Definition: What Exactly is an NBFC’ available at http://vinodkothari.com/nbfcs/definition-of-nbfcs-concept-of-principality-of-business/

[16] Para 2.5.2, RBI Guidelines on Fair Practices Code for Lender

[17] Para 29 of the guidelines on Fair Practices Code, Master Direction on systemically/non-systemically important NBFCs.

[18] Para 2.6, Master Circular on ‘Loans and Advances – Statutory and Other Restrictions’ dated July 01, 2015;

 


 

Recent Trends in Crypto-Industry: India & Abroad

-Megha Mittal

(mittal@vinodkothari.com)

“Opportunity amidst tragedy” would likely be the most suitable phrase to summarise the journey of cryptos during the global pandemic: with disruption taking a toll on people and economies, and physical proximity massively restricted, cryptos have outshone traditional assets by virtue of their inherent features of easy liquidity, access and digitalisation.

Further, as countries around the globe attempt to stimulate their economies by opening floodgates of liquid funds, the ‘digital natives’ have ventured, and are expected to increasingly venture, into adventuresome investments (think, cryptos). And while such adventurous investing may be short-lived, the results may in fact have a long-lasting impact; it is this expected impact that has set the ‘bull’ stage for cryptos in times to come.

In this brief note, we cover the recent highlights and developments in the crypto-industry, also discussing developments in the relatively new concepts of stablecoins and crypto-lending.

Extension of FPC on lending through digital platforms

A new requirement or reiteration by the RBI?

– Anita Baid (finserv@vinodkothari.com)

Ever since its evolution, the basic need for fintech entities has been the use of electronic platforms for entering into financial transactions. The financial sector has already witnessed a shift from transactions involving a huge amount of paperwork to paperless transactions[1]. With the digitalization of transactions, the need for service providers has also seen a rise. There is a need for various kinds of service providers at different stages, including sourcing, customer identification, disbursal of loan, servicing and maintenance of customer data. Usually the services are provided by a single platform entity, enabling the entire transaction to be executed digitally on the platform or application, without requiring any physical interaction between the parties to the transaction.

The digital application/platform based lending model in India works as a partnership between a tech platform entity and an NBFC. The technology platform entity or fintech entity manages the working of the application or website through the use of advanced technology to undertake credit appraisals, while the financial entity, such as a bank or NBFC, assumes the credit risk on its balance sheet by lending to the customers who use the digital platform[2].

In recent times many digital platforms have emerged in the financial sector that are engaged by banks and NBFCs to provide loans to their customers. Most of these platforms are not registered as P2P lending platforms since they assist only banks, NBFCs and other regulated AIFIs to identify borrowers[3]. Accordingly, electronic platforms serving as Direct Service Agents (DSA)/ Business Correspondents for banks and/or NBFCs fall outside the purview of the NBFC-P2P Directions. Banks and NBFCs have the following options to lend-

  1. By direct physical interface or
  2. Through their own digital platforms or
  3. Through a digital lending platform under an outsourcing arrangement.

Although the digitalization of the credit intermediation process is beneficial for both borrowers and lenders, concerns were raised due to non-transparency of transactions and violation of extant guidelines on outsourcing of financial services and the Fair Practices Code[4]. The RBI has also been receiving several complaints against the lending platforms, which primarily relate to exorbitant interest rates, non-transparent methods to calculate interest, harsh recovery measures, unauthorised use of personal data and bad behavior. The existing outsourcing guidelines issued by RBI for banks and NBFCs clearly state that the outsourcing of any activity by an NBFC does not diminish its obligations, and those of its Board and senior management, who have the ultimate responsibility for the outsourced activity. Considering the same, the RBI has again emphasized the need to comply with the regulatory instructions on outsourcing, FPC and IT services[5].

We have discussed the instructions laid down by RBI and the implications herein below-

Disclosure of platform as agent

The RBI requires banks and NBFCs to disclose the names of digital lending platforms engaged as agents on their respective websites. This is to ensure that the customers are aware that the lender may approach them through these lending platforms or the customer may approach the lender through them.

However, there are arrangements wherein the platform is not appointed as an agent as such. This is quite common in the case of e-commerce websites that give the borrower an option at the time of check out to avail funding from the listed banks or NBFCs. This may actually not be regarded as outsourcing per se, since once the customer selects the option to avail finance through a particular financial entity, they are redirected to the website or application of the respective lender. The e-commerce platform is not involved in the entire process of the financial transaction between the borrower and the lender. In our view, such an arrangement may not be required to be disclosed as an agent of the lender.

Disclosure of lender’s name

Just like the lender is required to disclose the name of the agent, the agent should also disclose the name of the actual lender. RBI has directed the digital lending platforms engaged as agents to disclose upfront to the customer, the name of the bank or NBFC on whose behalf they are interacting with them.

Several fintech platforms are involved in balance sheet lending. Here, the lending happens from the balance sheet of the lender; however, the fintech entity is the one assuming the risk associated with the transaction. The lender’s money is used to lend to customers, which shows up as an asset on the balance sheet of the lending entity. However, the borrower may not be aware of who the actual lender is and sees the platform as the interface for providing the facility.

Considering the risk of incomplete disclosure of facts, the RBI mandates the disclosure of the lender’s name to the borrower. In this regard, the loan agreement or the GTC must clearly specify the name of the actual lender and, in case of multiple lenders, the name of each along with the loan proportion must be specified.

Issuance of sanction letter

Another requirement prescribed by the RBI is that immediately after sanction but before execution of the loan agreement, a sanction letter should be issued to the borrower on the letter head of the bank/ NBFC concerned.

Issuing a sanction letter to the borrower on the letterhead of the NBFC may seem illogical since the lending happens on the online platform. The sanction letter may be shared either through email or vide an in-app notification or otherwise. Such sanction letter shall be issued on the platform itself immediately after sanction but before execution of the loan agreement.

Further, the FPC requires lender NBFCs to display annualised interest rates in all their communications with the borrowers. However, most of the NBFCs show monthly interest rates in the name of their ‘marketing strategy’. This practice, though it has not been highlighted by the RBI, must be taken seriously.

Sharing of loan agreement

The FPC laid down by RBI requires that a copy of the loan agreement along with a copy each of all enclosures quoted in the loan agreement must be furnished to all borrowers at the time of sanction/ disbursement of loans. However, in case of lending done over electronic platforms there is no physical loan agreement that is executed.

Given that e-agreements are generally held as valid and enforceable in the courts, there is no such insistence on execution of physical agreements. The electronic execution versions are more feasible in terms of cost and time involved. In fact in most of the cases, the loan agreements are mere General Terms and Conditions (GTC) in the form of click wrap agreements.

Usually, the terms and conditions of the loan or the GTC are displayed on the platform, wherein the acceptance of the borrower is recorded. In such a circumstance, necessary arrangements should be made for the borrower to peruse the loan agreement at any time. The loan agreement may also be in the form of a mail containing detailed terms and conditions, along with an option for the borrower to accept the same.

The requirement from compliance perspective is to ensure that the borrower has access to the executed loan agreement and all the terms and conditions pertaining to the loan are captured therein.

Monitoring by the lender

Effective oversight and monitoring should be ensured over the digital lending platforms engaged by the banks/ NBFCs. As RBI does not regulate the platform entities, the only way to regulate the transaction is through the lenders behind these platforms.

The outsourcing guidelines require the retention of ultimate control of the outsourced activity with the lender. Further, the platform should not impede or interfere with the ability of the NBFC to effectively oversee and manage its activities nor shall it impede the RBI in carrying out its supervisory functions and objectives. These should be captured in the servicing agreement as well as be implemented practically.

Grievance Redressal Mechanism (GRM)

Much of the new-age lending is enabled by automated lending platforms of fintech companies. The fintech company is the sourcing partner, and the NBFC is the funding partner. However, the grievance of the customer may range from issue with the usage of platform to the non-disclosure of the terms of loan.

A challenge that may arise is to segregate the grievance on the basis of who is responsible for the same: the platform or the lender. There must be a proper mechanism to ensure such segregation, and adequate efforts shall be made towards creation of awareness about the grievance redressal mechanism.

[1] Read our detailed write up here- http://vinodkothari.com/2020/03/moving-to-contactless-lending/

[2] Read our detailed write up here- http://vinodkothari.com/2020/03/fintech-regulatory-responses-to-finnovation/

[3] RBI’s FAQs on P2P lending platform- https://www.rbi.org.in/Scripts/FAQView.aspx?Id=124

[4] Read our detailed write up here- http://vinodkothari.com/2019/09/the-cult-of-easy-borrowing/

[5] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11920&Mode=0

The Rise of Stablecoins amidst Instability

-Megha Mittal

(mittal@vinodkothari.com)

The past few years have witnessed an array of technological developments and innovations, especially in Fintech; and while the world focused on Bitcoins and other cryptos, a new entrant ‘Stablecoin’ slowly crept its way into the limelight. With the primary motive of shielding its users from the high volatility associated with cryptos, and promises of boosting cross-border payments and remittance, ‘Stablecoins’ emerged in 2018, and now have become the focal point of discussion of several international bodies including the Financial Standards Board (FSB), G20, Financial Action Task Force (FATF) and International Organization of Securities Commission (IOSCO).

Additionally, the widespread notion that the desperate need of cross-border payments and remittances during the ongoing COVID-crisis may prove to be a defining moment for stablecoins, has drawn all the more attention towards the need of establishing regulations and legal framework pertaining to Stablecoins.

In this article, we look at what Stablecoins (Global Stable Coins) are, their modality, their current status of acceptance by the international bodies, and how the ongoing COVID crisis may act as a catalyst for their rise.


Fintech Framework: Regulatory responses to financial innovation

Timothy Lopes, Executive, Vinod Kothari Consultants

finserv@vinodkothari.com

The world of financial services is continually witnessing a growth spree evidenced by new and innovative ways of providing financial services with the use of enabling technology. Financial services coupled with technology, more commonly referred to as ‘Fintech’, is the modern day trend for provision of financial services as opposed to the traditional methods prevalent in the industry.

Rapid advances in technology coupled with financial innovation with respect to delivery of financial services and inclusion gives rise to all forms of fintech enabled services such as digital banking, digital app-based lending, crowd funding, e-money or other electronic payment services, robo advice and crypto assets.

In India too, we are witnessing rapid increase in digital app-based lending, prepaid payment instruments and digital payments. The trend shows that even a cash driven economy like India is moving to digitisation wherein cash is merely used as a way to store value as an economic asset rather than to make payments.

“Cash is King, but Digital is Divine.”

– Reserve Bank of India[1]

The Financial Stability Institute (‘FSI’), one of the bodies of the Bank for International Settlements, issued a report titled “Policy responses to fintech: a cross country overview”[2] wherein different regulatory responses and policy changes to fintech were analysed after conducting a survey of 31 jurisdictions, which, however, did not include India.

In this write up we try to analyse the various approaches taken by regulators of several jurisdictions to respond to the innovative world of fintech along with analysing the corresponding steps taken in the Indian fintech space.

The Conceptual Framework

Let us first take a look at the conceptual framework of the fintech environment. The various terminologies or taxonomies used in the fintech space are often used interchangeably across jurisdictions. The report by FSI gives a comprehensive overview of the conceptual framework through a fintech tree model, which characterises the fintech environment in three categories as shown in the figure.

Source: FSI report on Policy responses to fintech: a cross-country overview

Let us now discuss each of the fintech activities in detail along with the regulatory responses in India and across the globe.

Digital Banking –

This refers to normal banking activities delivered through electronic means which is the distinguishing factor from traditional banking activities. With the use of advanced technology, several new entities are being set up as digital banks that deliver deposit taking as well as lending activities through mobile based apps or other electronic modes, thereby eliminating the need for physically approaching a bank branch or even opening a bank branch at all. The idea is to deliver banking services ‘on the go’ with a user friendly interface.

Regulatory responses to digital banking –

The FSI survey reveals that most jurisdictions apply the existing banking laws and regulations to digital banking as well. Applicants with a fintech business model must go through the same licensing process as those applicants with a traditional banking business model.

Only a handful of jurisdictions, namely Hong Kong SAR and Singapore, have put in place specific licensing regimes for digital banks. In the euro area, specific guidance is issued on how credit institution authorisation requirements would apply to applicants with new fintech business models.

Regulatory framework for digital banking in India –

In India, the majority of digital banking services are offered by traditional banks themselves, mainly governed by the Payment and Settlement Systems Act, 2007[1], with RBI being the regulatory body overseeing its implementation. The services include opening savings accounts online, even through apps; facilitating instant transfer of funds through the use of innovative products such as the Unified Payments Interface (UPI), which is governed by the National Payments Corporation of India (NPCI); and facilitating the use of virtual cards, prepaid payment instruments (PPI), etc. These services may be provided not only by traditional banks, but also by non-bank entities.

Fintech balance sheet lending

This typically refers to lending from the balance sheet of the fintech entity, with the risk being assumed on that balance sheet. Investors’ money in the fintech entity is used to lend to customers, which shows up as an asset on the balance sheet of the lending entity. This is the idea of balance sheet lending. This idea, when facilitated with technological innovation, leads to fintech balance sheet lending.

Regulatory responses to fintech balance sheet lending –

As per the FSI survey, most jurisdictions do not have regulations that are specific to fintech balance sheet lending. In a few jurisdictions, the business of making loans requires a banking licence (eg Austria and Germany). In others, specific licensing regimes exist for non-banks that are in the business of granting loans without taking deposits. Only one of the surveyed jurisdictions has introduced a dedicated licensing regime for fintech balance sheet lending.

Regulatory regime in India –

The new age digital app based lending is rapidly advancing in India. With the regulatory framework for Non-Banking Financial Companies (NBFCs), the fintech balance sheet lending model is possible in India. However, this requires a net owned fund of Rs. 2 crores and registration with RBI as an NBFC- Investment and Credit Company.

The digital app based lending model in India works as a partnership between a tech platform entity and an NBFC, wherein the tech platform entity (or fintech entity) manages the working of the app through the use of advanced technology to undertake credit appraisals, while the NBFC assumes the credit risk on its balance sheet by lending to the customers who use the app. We have covered this model in detail in a related write up[2].

Loan & Equity Crowd funding

Crowd funding refers to a platform that connects investors and entrepreneurs (equity crowd funding) and borrowers and lenders (loan crowd funding) through an internet based platform. Under equity crowd funding, the platform connects investors with companies looking to raise capital for their venture, whereas under loan crowd funding, the platform connects a borrower with a lender to match their requirements. The borrower and lender have a direct contract among them, with the platform merely facilitating the transaction.

Regulatory responses to crowd funding –

According to the FSI survey, many surveyed jurisdictions introduced fintech-specific regulations that apply to both loan and equity crowd funding considering the similar risks involved, shown in the table below. Around a third of surveyed jurisdictions have fintech-specific regulations exclusively for equity crowd funding. Only a few jurisdictions have a dedicated licensing regime exclusively for loan crowd funding. Often, crowd funding platforms need to be licensed or registered before they can perform crowd funding activities, and satisfy certain conditions.

Table showing regulatory regimes in various jurisdictions

Fintech-specific regulations for crowd funding

Equity Crowd Funding: Argentina, Australia, Austria, Brazil, China, Colombia, Italy, Japan, Turkey, United States

Equity and Loan Crowd Funding: Belgium, Canada, Chile, European Union, France, Mexico, Netherlands, Peru, Philippines, Singapore, Spain, Sweden, UAE, UK

Loan Crowd Funding: Australia, Brazil, China, Italy

Source: FSI Survey

Regulatory regime in India

  1. In case of equity crowd funding –

In 2014, securities market regulator SEBI issued a consultation paper on crowd funding in India[3], which mainly focused on equity crowd funding. However, there was no regulatory framework subsequently issued by SEBI which would govern equity crowd funding in India. At present crowd funding platforms in India have registered themselves as Alternative Investment Funds (AIFs) with SEBI to carry out fund raising activities.

  2. In case of loan crowd funding –

The regulatory framework for loan crowd funding, however, is already in place. The RBI has issued the Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017[4] which govern loan crowd funding platforms. Peer to Peer Lending and loan crowd funding are terms used interchangeably. These platforms are required to maintain a net owned fund of not less than 20 million and get themselves registered with RBI to carry out P2P lending activities.

As per the Directions, the Platform cannot raise deposits or lend on its own or even provide any guarantee or credit enhancement among other restrictions. The idea is that the platform only acts as a facilitator without taking up the risk on its own balance sheet.

Robo-Advice

Robo-advice is an algorithm based system that uses technology to offer advice to investors based on certain inputs, with minimal to no human intervention needed. It is one of the most popular fintech services in the investment advisory space.

Regulatory responses to robo-advice –

According to the FSI survey, in principle, robo- and traditional advisers receive the same regulatory treatment. Consequently, the majority of surveyed jurisdictions do not have fintech-specific regulations for providers of robo-advice. Around a third of surveyed jurisdictions have published guidance and set supervisory expectations on issues that are unique to robo-advice as compared to traditional financial advice. In the absence of robo-specific regulations, several authorities provide somewhat more general information on existing regulatory requirements.

Regulatory regime in India –

In India, there is no specific regulatory framework for those providing robo-advice. All investment advisers are governed by SEBI under the Investment Advisers Regulations, 2013[5]. Under the regulations every investment adviser would have to get themselves registered with SEBI after fulfilling the eligibility conditions. The SEBI regulations would also apply to those offering robo-advice to investors, as there is no specific restriction on using automated tools by investment advisers.

Digital payment services & e-money

Digital payment services refer to technology enabled electronic payments through different modes. For instance, debit cards, credit cards, internet banking, UPI, mobile wallets, etc. E-money on the other hand would mostly refer to prepaid instruments that facilitate payments electronically or through prepaid cards.

Regulatory responses to digital payment services & e-money –

As per the FSI survey, most surveyed jurisdictions have fintech-specific regulations for digital payment services. Some jurisdictions aim at facilitating the access of non-banks to the payments market. Some jurisdictions have put in place regulatory initiatives to strengthen requirements for non-banks.

Further, most surveyed jurisdictions have a dedicated regulatory framework for e-money services. Non-bank e-money providers are typically restricted from engaging in financial intermediation or other banking activities.

Regulatory regime in India –

The Payment and Settlement Systems Act, 2007 (PSS) of India governs the digital payments and e-money space in India. While several Master Directions are issued by the RBI governing prepaid payment instruments and other payment services, ultimately they draw power from the PSS Act alone. These directions govern both bank and non-bank players in the fintech space.

UPI, being a fast mode of virtual payment, is however governed by the NPCI, which is a body of the RBI.

Other policy measures in India – The regulatory sandbox idea

Both RBI and SEBI have come out with a Regulatory Sandbox (RS) regime[6], wherein fintech companies can test their innovative products under a monitored and controlled environment while obtaining certain regulatory relaxations as the regulator may deem fit.  As per RBI, the objective of the RS is to foster responsible innovation in financial services, promote efficiency and bring benefit to consumers. The focus of the RS will be to encourage innovations intended for use in the Indian market in areas where:

  1. there is absence of governing regulations;
  2. there is a need to temporarily ease regulations for enabling the proposed innovation;
  3. the proposed innovation shows promise of easing/effecting delivery of financial services in a significant way.

RBI has already begun with the first cohort[7] of the RS, the theme of which is –

  • Mobile payments including feature phone based payment services;
  • Offline payment solutions; and
  • Contactless payments.

SEBI, however, has only recently issued the proposal of a regulatory sandbox on 17th February, 2020.

Conclusion

Technology has been advancing at a rapid pace, coupled with innovation in the financial services space. This rapid growth however should not be overlooked by regulators across the globe. Thus, there is a need for policy changes and regulatory intervention to simultaneously govern as well as promote fintech activities, as innovation will not wait for regulation.

While most regulators around the globe have different approaches to governing the fintech space, the regulatory environment should be such that there is sufficient understanding of fintech business models to enable regulation to fit into such models, while also curbing any unethical activities or risks that may arise out of the fintech business.

[1] https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/86706.pdf

[2] http://vinodkothari.com/2019/09/sharing-of-credit-information-to-fintech-companies-implications-of-rbi-bar/

[3] https://www.sebi.gov.in/sebi_data/attachdocs/1403005615257.pdf

[4] https://rbidocs.rbi.org.in/rdocs/notification/PDFs/MDP2PB9A1F7F3BDAC463EAF1EEE48A43F2F6C.PDF

[5] https://www.sebi.gov.in/legal/regulations/jan-2013/sebi-investment-advisers-regulations-2013-last-amended-on-december-08-2016-_34619.html

[6] https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=938

https://www.sebi.gov.in/media/press-releases/feb-2020/sebi-board-meeting_46013.html

[7] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=48550

[1] Assessment of the progress of digitisation from cash to electronic – https://www.rbi.org.in/Scripts/PublicationsView.aspx?id=19417

[2] https://www.bis.org/fsi/publ/insights23.pdf

Sharing of Credit Information to Fintech Companies: Implications of RBI Bar

-Financial Services Division | Vinod Kothari Consultants Pvt. Ltd.

(finserv@vinodkothari.com)

The RBI recently wrote a letter, dated 16th September, 2019, to banks and NBFCs, censuring them over what seems to have been a prevailing practice – sharing of credit information sourced by NBFCs from Credit Information Companies (CICs), to fintech companies. The RBI reiterated that such sharing of information was not permissible, citing several provisions of the law, and expected the banks/NBFCs to affirm steps taken to ensure compliance within 15 days of the RBI’s letter.

This write-up intends to discuss the provisions of the Credit Information Companies (Regulation) Act, 2005 [CICRA], and related provisions, and the confidentiality of credit information of persons, and the implications of the RBI’s letter referred to above.

Fintech companies’ model

Much of the new-age lending is enabled by automated lending platforms of fintech companies. The typical model works with a partnership between a fintech company and an NBFC. The fintech company is the sourcing partner, and the NBFC is the funding partner. A borrower goes to the platform of the fintech company which provides a user-friendly application process, consisting of some basic steps such as providing the aadhaar card or PAN card details, and a photograph. Now, having got the individual’s basic details, the fintech company may either source the credit score of the individual from one of the CICs, or may use its own algorithm. If the fintech company wants to access the data stored with the CICs, it will have to rely on one of its partner NBFCs, since CIC access is currently allowed to financial sector entities only, who have to mandatorily register themselves as members of all four CICs.

It is here that the RBI sees an issue. If the NBFC allows the credit information sourced from the CIC to be transferred to a fintech company, there is an apparent question as to whether such sharing of information is permissible under the law or not.

We discuss below the provisions of the law relating to use of credit information.

Confidentiality of credit information

By virtue of the very relation between the customer and a banker, a banker gets access to the financial information of its customers. Very often, an individual may not even want to share his financial data even with close family members, but the banker any way has access to the same, all the time. If the banker was to share the financial details of a customer, it would be a clear intrusion into the individual’s privacy, and that too, arising out of a fiduciary relationship.

Therefore, the principle, which has since been reiterated by courts in numerous cases, was developed by UK courts in an old ruling in Tournier v National Provincial and Union Bank of England [1924] 1 KB 461. Halsbury’s Laws of England, Vol 1, 2nd edition, says: “It is an implied term of the contract between a banker and his customer that the banker will not divulge to third persons, without the consent of the customer, express or implied, either the state of the customer’s account, or any of his transactions with the bank or any information relating to the customer acquired through the keeping of his account, unless the banker is compelled to do so by order of a Court, or the circumstances give rise to a public duty of disclosure or the protection of the banker’s own interests requires it.”

The above law is followed in India as well.

In Shankarlal Agarwalla v. State Bank of India and Anr. AIR 1987 Cal 29[1], it was held that compulsion to disclose must be confined to the regular exercise by the proper officer to actual legal power to compel disclosure.

In case any information is disclosed without a legal compulsion to disclose, the same is wrongful on the part of the lender.

Credit Information Companies and sharing of information

When an RBI Working Group set up in 1999 under the chairmanship of N. H. Siddiqui recommended the formation of CICs in India, the question of confidentiality of credit information was discussed. It was noted by the Working Group that all over the world, there are regulatory controls on sharing of information by credit bureaus:

The Credit Information Bureaus, all over the world, function under a well defined regulatory framework. Where the Bureaus have been set up as part of the Central Bank, the regulatory framework for collection of information, access to that information, privacy of the data, etc., is provided by the Central Bank. Where Bureaus have been set up in the private sector, existence of separate laws ensure protection to the privacy and access to the data collected by the Bureau. In the U.S.A. where Credit Information Bureaus have been set up in the private sector, collection and sharing of information is governed by the provisions of the Fair Credit Reporting Act, 1971 (as amended by the Consumer Credit Reporting Reform Act of 1996). The Fair Credit Reporting Act is enforced by the Federal Trade Commission, a Federal Agency of the U.S. Govt. In the U.K., Credit Bureaus are licensed by the Office of the Fair Trading under the Consumer Credit Act of 1974. The Bureaus are also registered with the Office of the Data Protection Registrar, appointed under the Data Protection Act, 1984 (replaced by the Data Protection Commissioner under the new Act of 1998). In Australia, neither the Reserve Bank of Australia nor the Australian Prudential Regulation Authority (APRA) plays a role in promoting, developing, licensing or supporting Credit Bureaus. APRA holds annual meetings with the major Bureaus in Australia. The sharing of information relating to customers is regulated in Australia by the Privacy Act. This Act is administered by the Privacy Commissioner, who is vested with the responsibility of framing guidelines for protection of privacy principles and to ensure that Bureaus in Australia conform to these guidelines. In New Zealand, a situation similar to that of Australia exists. In Sri Lanka, the Bureau was formed by an Act of Parliament at the initiative of the Central Bank. 
A Deputy Governor of the Central Bank is the Chairman of the Bureau in Sri Lanka and the Bank is also represented on the Board of the Bureau by a senior officer. In Hong Kong, the Hong Kong Monetary Authority (HKMA), though not being directly involved in the setting up of a credit referencing agency has issued directions to all the authorised institutions recommending their full participation in the sharing and using of credit information through credit referencing agencies within the limits laid down by the Code of Practice on Consumer Credit Data formulated by the Privacy Commissioner. HKMA also monitors the effectiveness of the credit referencing services in Hong Kong, in terms of the amount of credit information disclosed to such agencies, and the level of participating in sharing credit information by authorised institutions.[2]

The inherent safeguards in the CIC Law

CICRA provides the privacy principles which shall guide the CICs, credit institutions and Specified Users in their operations in relation to collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information. In this regard, the purpose of obtaining information, guidelines for access to credit information of customers, restriction on use of information, procedures and principles for networking of CICs, credit institutions and specified users, etc. must be clearly defined.

Further, no person other than an authorised person is allowed to have access to credit information under CICRA. Persons authorised to access credit information are CICs, credit institutions registered with the CICs and other persons as may be specified by the RBI through regulations.

The Credit Information Companies Regulations provide that other persons who may be allowed to access credit information are insurance companies, IRDAI, cellular service providers, rating agencies and brokers registered with SEBI, SEBI itself and trading members registered with Commodity Exchange.

Clearly, fintech companies or technology service providers are not authorised to access credit information. Access of information by such companies is a clear violation of CICRA.

Secrecy of customer information: duty of the lender

Paget on the Law of Banking observed that among the duties of the banker towards the customer may be reckoned the duty of secrecy. Such duty is a legal one arising out of the contract, not merely a moral one. Breach of it therefore gives a claim for nominal damages, or for substantial damages if injury has resulted from the breach.

Further, in the case of Kattabomman Transport Corporation Ltd. v. State Bank of India, the Calcutta High Court held that the banker was under a duty to maintain confidentiality. An appeal[3] was filed against this ruling, the outcome of which was that the information may be disclosed by the banks only when there is a higher duty than the private duty.

Providing access to fintech companies is undoubtedly a matter of private duty for NBFCs and is thus a breach of duty on the part of the lender.

The case of Fintech Companies and NBFC partnership:

The letter of the RBI under discussion, dated 17th September, 2019, has been seen as a challenge to the working of the fintech companies. However, to understand how this affects the working of fintech companies, we need to consider several situations.

Before coming to the same, it must be noted that the RBI’s 17th September circular is not writing a new law. The law on sharing of credit information has always been there, and the inherent protection is very much a part of the CICRA itself. The RBI circular is, at best, a regulatory cognition of an existing issue, and is a note of caution to NBFCs, which, in their enthusiasm to generate business, must not disregard the provisions of the law.

The situations may be as follows:

  • Fintech company using its own algorithm: In this case, the fintech company is relying upon its own proprietary algorithm. It is not relying on any credit bureau information. Therefore, there is no question of any credit information being shared. In fact, even if the fintech shares the score developed by it, without relying on CIC data, with other entities, it is proprietary information, which may be shared.
  • NBFC sharing credit information with Fintech company, which is a sourcing partner for the NBFC: If the NBFC is sharing information with a fintech company, with the intent of using the information for its own lending, can it be argued that there is a breach of the provisions of the CICRA? It may be noted that regulation 9 of the CIC Regulations requires CICs to protect credit information from unauthorised access. As already discussed, access by such fintech companies is unauthorised.
  • NBFC sharing credit information with Fintech company, which is not partnering with the NBFC: In case the fintech company is not partnering with the NBFC and the NBFC is still sharing credit information, there seems to be no reason for such sharing other than information trading. Several NBFCs have, in many instances, been reported to have engaged in information trading for additional income.
  • NBFC sharing credit information with another NBFC/bank, which is a co-lender: The NBFC may authorise its co-lender to obtain credit information from CICs and the same shall not be an unauthorised access of information, since the co-lender is also a credit institution and is registered with CICs.
  • Bank sharing credit information with another NBFC which is a sourcing partner and not a co-lender: If the sourcing partner is a member of CICs, it may access the credit information directly from the CICs. If the sourcing partner is not a member of CICs, sharing of credit information is a violation of customer privacy, and thus, shall not be allowed.

Conclusion

The credit bureau reports are actually being exchanged in the system without much respect to the privacy of the individual’s data. With the explosion of information over the net, it may even be difficult to establish where the information is coming from. Privacy and confidentiality of information are at stake. At the same time, the very claim-to-existence of fintech entities is their ability to process a credit application in no time. Whether there is an effective way to protect the sharing of information stored with CICs is a significant question, and the RBI’s attention to this is timely and significant.

 

[1] https://indiankanoon.org/doc/1300997/

[2] https://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=76

[3] https://indiankanoon.org/doc/908914/