COMPLIANCES APPLICABLE IN RELATION TO LENDING

A. Compliances under the Guidelines on Digital Lending dated 2 September 2022

1.1 The Digital Lending Guidelines prescribe the compliance requirements on REs (i.e. all banks and NBFCs) in relation to their DLAs and the DLAs of their LSPs, which include the following:

(a) An RE / lender is required to ensure that their DLAs and DLAs of their LSPs also display detailed information about the loan products which may include particulars such as eligibility criteria, features, documents required, steps on how to apply for the loan products and indicative list of fees and charges, interest and gradation of risk in relation to determination of the interest percentage.

(b) RE / lender must ensure that their DLA or the DLA of the LSP includes particulars of customer care and grievance redressal, links to the privacy policy and terms and conditions as well as any other customer facing policy. A link also needs to be provided to the website of the RE / lender where such policies can be viewed at a prominent single place for ease of accessibility.

(c) RE / lender must prominently publish the list of their DLAs, LSPs engaged by them and DLAs of such LSPs along with the work performed by such LSPs on their website and DLA.

(d) RE / lender shall ensure that their DLAs or DLAs of their LSPs at on-boarding stage itself prominently display information relating to the loan product including features, loan limit and cost, etc., so as to make the customers aware of these aspects.

(e) A facility of lodging complaint shall also be made available on the DLAs used by an RE / lender.

(f) RE / lender shall provide a ‘Key Fact Statement’ (“KFS”) to the customers before the execution of the contract in a standardized format for all digital lending products.

(g) RE / lender should publicly make available their own or their LSPs' privacy policies on their DLA.

1.2 Digital Lending Guidelines also impose certain additional obligations and restrictions in relation to digital lending. Some of the key restrictions and compliance requirements are set out below:

(a) Restrictions on usage of third-party accounts: A restriction is placed on disbursals or repayments, or loan servicing being routed through or pooled in the accounts of any third parties. RE / lenders are required to ensure that all repayments are made by the customers directly into their bank accounts and similarly all disbursals are made into the bank accounts of the customers. The only exceptions to the above considered are: (i) disbursals covered exclusively under statutory or regulatory mandate (of RBI or of any other regulator); (ii) flow of money between REs for co-lending transactions; (iii) disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary; and (iv) where a physical interface is used for recovery of delinquent loans.

(b) Obligations before and during loan execution: A KFS in a standardised format, detailing aspects like the annual percentage rate (“APR”), recovery mechanisms, grievance redressal contacts, and the cooling-off period available to the customer must be provided. Loan documents, such as KFS, loan summaries, sanction letters, and terms and conditions, must be digitally signed and automatically sent to customers upon loan agreement execution.

(c) Data Collection: RE / lender must ensure that data collection through their DLAs or DLAs of LSPs is need-based and carried out with the explicit consent of the customers. Audit trails must be maintained in relation to collection of data from customers. Customers must be provided with the options to restrict data usage, revoke consent, and request data deletion. Customer information shall only be shared with third parties on obtaining explicit consent for the same from customers.

(d) Access to phone resources: Phone data of the customer, such as files, media, contact list, call logs, etc. must not be accessed by the DLA or LSP. However, one-time access for the camera, microphone, location or any other facility necessary for on-boarding and / or KYC requirements is permitted, only with the explicit consent of the customer. A restriction is prescribed on storage or collection of biometric data by the DLA and LSP of RE / lender.

(e) Storage of customer data: All customer data must be stored on servers located in India, with stringent protocols to prevent unauthorised access.

(f) Grievance redressal and regulatory compliance: Additionally, RE / lender and LSPs must establish robust grievance redressal mechanisms, including designated officers for handling digital lending-related complaints. If complaints are unresolved within 30 days, the customer can escalate them to the RBI Complaint Management System (“CMS”).

(g) Assessment of creditworthiness of borrowers: RE / lender must ensure that creditworthiness assessments are auditable, and that there are no automatic credit limit increases without explicit customer consent.

B. Fair Practice Code related compliances

2.1 The Scale Based Regulations require NBFCs having a customer interface to ensure compliance with the requirements set out in relation to the ‘fair practice code’ and to have a board approved policy based on the guidelines set out in the Scale Based Regulations. Similarly, requirements to comply with the ‘fair practices code’ are also imposed on banks engaged in lending through various circulars issued by the RBI such as Guidelines on Fair Practices Code for Lenders dated 5 May 2003 and subsequent circulars such as Fair Practices Code for Lenders – Charging of Interest dated 29 April 2024.

2.2 All banks and NBFCs are further directed to ensure that they have a robust board approved policy for complying with the requirements specified in relation to the fair practices code as applicable.

2.3 The key requirements under the fair practices code are detailed below:

(a) All loan application forms need to include information about the fees/charges, if any, payable for processing, pre-payment options, interest rates, penal charges and any other matter which affects the interest of the customer.

(b) All lenders shall give an acknowledgement for receipt of the loan applications. The timeframe within which loan applications will be processed would be indicated in the acknowledgement of such applications.

(c) All documents as required for considering the loan application shall be specified in the loan application itself. If additional details / documents are required, the lenders should intimate the customers immediately.

(d) For all categories of loans and irrespective of any threshold limits, the lenders are expected to process the application without delay. In case the application is rejected, the lender will convey in writing to the applicant the reasons for rejection within one month.

(e) Lenders must not discriminate on grounds of sex, caste and religion in the matter of lending.

(f) The relevant lender would convey to the customer the credit limit along with the terms and conditions thereof through the KFS and obtain the customer's confirmation that they have understood and accepted the terms and conditions in the KFS. Banks must also ensure that all terms and conditions are communicated through authorised officials of the banks as well.

(g) Under the Scale Based Regulations, all communications with the customer should be in the vernacular language of the customer. The Scale Based Regulations further require all NBFCs to ensure that the loan agreements, KFS, sanction letter and other customer facing documents are provided in the vernacular language of the customer. All enclosures and annexures relevant to the loan agreements shall also be shared with the customer to ensure they have full visibility over the terms of loan. For banks, the KFS must be provided in the vernacular language of the customer. Other requirements such as ensuring all documents relevant to the loan are shared with the customer also apply to banks.

(h) Sanction letters shall include timeline and place of return of original movable / immovable property documents.

(i) The RBI notification on ‘Reset of Floating Interest Rate on Equated Monthly Instalments (EMI) based Personal Loans’ dated 18 August 2023 mandates that all applicable charges for switching loans from floating to fixed rate, if applicable, and any other service charges / administrative costs incidental to the exercise of the above options need to be transparently disclosed in the sanction letter by the lenders.

(j) All lenders should also clearly communicate to the customers about the possible impact of change in benchmark interest rate on the loan leading to changes in the equated monthly instalments (“EMI”) and / or tenor or both.

(k) The rate of interest and the approach for gradations of risk and rationale for charging different rate of interest to different categories of borrowers are to be disclosed explicitly in the sanction letter in addition to the KFS.

(l) The sanction letter shall include details in relation to the amount of loan sanctioned along with the terms and conditions including annualised rate of interest and method of application of such interest.

(m) In the RBI Notification on ‘Responsible Lending Conduct – Release of Movable / Immovable Property Documents on Repayment/ Settlement of Personal Loans’ dated 13 September 2023, all lenders are required to ensure that they release all the original movable / immovable property documents and remove charges registered with any registry within a period of 30 days after full repayment/ settlement of the loan account. In case of delay for reasons attributable to the lender, they shall compensate the customer at a rate of ₹5,000/- for each day of delay.

(n) The acceptance of the terms and conditions mentioned in the sanction letter by the customer needs to be kept on record by NBFCs.

(o) Lenders should give notice of any change in the terms and conditions including interest rates, service charges etc. Lenders should also ensure that changes in interest rates and charges are made only prospectively and suitable language to this effect should be incorporated in the loan agreement.

(p) The Fair Practices Code for Lenders – Charging of Interest circular dated 29 April 2024 requires all lenders to ensure that charging of interest on a loan should be from the date of actual disbursement of the funds to the customer and should not be reckoned from the date of sanction of the loan or date of execution of the loan agreement. Further, interest must only be charged on the outstanding amounts and only for the period for which the loan is outstanding. In the event the customer makes payment of any amounts in advance, the interest should be calculated on the remaining outstanding amount and not the entire loan amount.

(q) The circular on ‘Fair Lending Practice - Penal Charges in Loan Accounts’ dated 18 August 2023, requires all lenders to ensure that any penalty, if charged, for non-compliance of material terms and conditions of loan contract by the customer shall be treated as ‘penal charges’ and shall not be levied in the form of ‘penal interest’ that is added to the rate of interest charged on the advances. Further, there must not be any capitalisation of penal charges i.e., no further interest computed on such charges.

(r) All lenders must have a board approved policy on penal charges or any similar charges on loans and such charges must be disclosed to the customers in the KFS and loan agreement as elaborated in sub-paragraph (a) above.

(s) Lenders must ensure that they do not interfere in the affairs of the customers once the loans have been issued or in any manner harass the customers for repayment of claims.

(t) In the matter of recovery of loans, the lenders should not resort to undue harassment viz. persistently bothering the customers at odd hours, use of muscle power for recovery of loans, etc.

(u) Lenders should ensure that their DLAs display a board approved policy for ensuring compliance with the ‘fair practice code’ as set out in the Scale Based Regulations.

(v) All lenders shall share / make accessible to the customers, a statement at the end of each quarter which shall at the minimum, contain details of the principal amount and interest recovered till date, EMI amount, number of EMIs left and annualized rate of interest / APR for the entire tenor of the loan.

(w) Any decision to recall / accelerate payment or performance under the agreement shall be in consonance with the terms specified in the loan agreement.

(x) In the case of receipt of a request for transfer of a customer's account, either from the customer directly or from other banks / FIs which propose to take over the loan, banks are required to convey their consent or objection, if any, within 21 days from the date of receipt of request.

C. Requirements in relation to outsourcing of services to third parties

3.1 The term “Outsourcing” is defined under the Scale Based Regulations, as well as the Bank Outsourcing Guidelines to mean the use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the bank / NBFC itself, now or in the future. Examples of outsourcing services under the Scale Based Regulations include loan origination, credit card, document processing, marketing and research, supervision of loans, data processing etc. and the Bank Outsourcing Guidelines also include back office related activities as part of the services that may be outsourced. Some of the key obligations under the Scale Based Regulations and Bank Outsourcing Guidelines are detailed below:

(a) Board approved policy: All NBFCs and banks are required to have a board approved outsourcing policy which shall set out the criteria for selection of activities and service providers to whom such activities will be outsourced, as well as the extent of delegation of authority considering risks and materiality of the outsourced activity. The policy shall also prescribe systems for monitoring the outsourced activities. Core functions such as internal audit, compliance function and decision-making functions like determining compliance with Know-Your-Customer norms for opening deposit accounts, providing sanction for loans (including retail loans) and management of investment portfolio shall not be outsourced.

(b) Consideration of risks associated with outsourcing: NBFCs and banks outsourcing any services shall take into account risks such as strategic, reputational, legal, compliance, systemic, counterparty and operational risks when outsourcing any of its activities and shall also consider risks associated with exiting the outsourcing arrangement.

(c) Due Diligence of service provider: All NBFCs and banks must conduct a due diligence of the service provider which should take into consideration qualitative and quantitative, financial, operational and reputational factors before outsourcing any services to such service provider. They also rely upon market feedback and independent reviews of the service provider at the time of conducting the due diligence exercise. The Scale Based Regulations and Bank Outsourcing Guidelines prescribe factors to be considered while conducting due diligence of the Service Provider.

(d) Outsourcing Agreement: All NBFCs and banks must ensure that the agreement with the outsourced service provider is clearly drafted and defines the scope of outsourced activities and performance standards. In addition, NBFCs and banks must also ensure certain rights in their agreements with outsourced service providers as detailed in paragraph 5.5 of Annex XIII of the Scale Based Regulations and paragraph 5.5 of the Bank Outsourcing Guidelines. For example, REs should ensure that Buyer Apps ensure that all data collected by them for providing any services in relation to the credit products are stored in India with specific rights provided to the RE and the RBI to audit the services provided by the Buyer Apps.

3.2 IT Outsourcing

As REs have been extensively leveraging Information Technology (IT) and IT enabled Services (ITeS) to support their business models, products and services offered to their customers, the various risks associated with outsourcing such services to third party service providers need to be addressed. The IT Outsourcing Master Directions provides the guidelines to be followed by regulated entities for ‘Outsourcing of IT Services’. The term ‘Outsourcing of IT Services’ is defined in an inclusive manner and also includes the following activities:

(a) Information technology infrastructure management, maintenance and support (hardware, software or firmware);

(b) Network and security solutions, maintenance (hardware, software or firmware);

(c) Application development, maintenance and testing; application service provider including ATM switch application service providers;

(d) Services and operations related to data centres;

(e) Cloud computing services;

(f) Managed security services; and

(g) Management of information technology infrastructure and technology services associated with payment system ecosystem.

3.3 Exclusions to IT Outsourcing

Reference is made to Appendix – III of the IT Outsourcing Master Directions, which prescribes a list of services which do not fall within the ambit of ‘Outsourcing of IT Services’ and entities which are not deemed to be third party service providers.

3.4 Board approved IT outsourcing policy

The IT Outsourcing Master Directions require all REs to have a board approved outsourcing policy for IT outsourcing which shall set out the criteria for selection of activities and service providers to whom such activities will be outsourced, parameters for defining material outsourcing, delegation of authority depending on risk and materiality, disaster recovery and business continuity plans, systems to monitor and review the operations of these activities and termination processes and exit strategies. Where services of a cloud service provider are availed by the RE, the IT outsourcing policy should also cover all processes related to cloud computing services such as generation of data, data collected by cloud, erasure / deletion of data from the cloud servers and from the regulated entity’s systems. Further, the policy should also explicitly list out activities which can be moved to the cloud, address various stakeholder interests and safety, and include compliance with appropriate regulatory requirements associated with data classification and continuous monitoring of the cloud service providers.

3.5 Due Diligence of the service provider

In addition to the due diligence requirements set out in 3.1(c) above as applicable in case of outsourcing under the Scale Based Regulations and Bank Outsourcing Guidelines, REs must also consider aspects such as details of the technology, infrastructure stability, security and internal control, data backup arrangements, capability to segregate data of the regulated entity, information/ cyber security risk assessment etc., when conducting due diligence of IT service providers.

3.6 IT Outsourcing Agreement

The IT Outsourcing Master Directions also prescribe certain provisions to be specifically included in the outsourcing agreement with their service providers. REs who are outsourcing any IT service to a third party service provider should ensure that the requirements mentioned in paragraph 16 of the IT Outsourcing Master Directions are included in the agreements with such service providers.

3.7 Arrangements with cloud service providers

Appendix-I of the IT Outsourcing Master Directions also prescribes additional obligations in relation to availing the services of cloud service providers.