RBI WG Report sets the stage for regulation of digital lending

Ikigai Law
May 23, 2022


This post analyses the impact of the RBI Working Group’s Report on Digital Lending Apps. It covers key recommendations made by the Working Group relating to credit-risk sharing, data privacy and security, artificial intelligence and buy-now-pay-later products.

Regulation of digital lending in India now seems imminent. The RBI has been questioning buy-now-pay-later (BNPL) providers about their business models, credit risk sharing arrangements, data collection practices and credit-scoring algorithms. To understand what direction the RBI may take, we decided to analyse the RBI report which could form the bedrock of the future regulation.

In November 2021, the RBI released its much-awaited report (Report) on regulation of digital lending apps (DLAs). Much to the industry’s relief, it steers clear of imposing any licensing requirements on digital lenders. But if the Report’s recommendations are implemented, some digital lenders may have to change their existing business models and gear up to bear increased compliance costs. Before we dive into the Report, let’s recap. The RBI commissioned this Report in January 2021. Around this time, rogue digital lenders were making headlines. Alarmed by this, the RBI constituted a Working Group (WG) to suggest a regulatory framework for digital lending. Now, let’s unpack the Report.

Ban on FLDG

WG Recommendation: The Report recommends a prohibition on unregulated DLAs bearing credit risk, including through first-loan-default guarantees (FLDG).

Current Market Practice: Regulated Entities (REs) want unregulated DLAs (as partners) to have enough skin-in-the-game so that they can trust DLAs’ services for loan underwriting. So REs enter into FLDG arrangements with DLAs.

Impact: If unregulated DLAs cannot offer FLDG, REs will be reluctant to extend loans to borrowers referred by them. Risk-sharing arrangements like FLDG ensure that unregulated DLAs adopt rigorous standards while assisting REs with underwriting borrowers, because the DLAs will have to compensate REs for any borrower defaults. If FLDG arrangements are prohibited, unregulated DLAs will be incentivized to chase volume at the cost of quality. This could lead to lax underwriting standards for loans and ballooning of NPAs.

Alternatives: The RBI WG’s concern that, through FLDGs and other synthetic arrangements, unregulated DLAs may pose operational risk is valid. But prohibiting FLDG entirely may not be the optimal way forward (because of the concerns highlighted above). Instead, FLDG should be capped at an appropriate level and monitoring mechanisms can be put in place. Recent media reports suggest that the RBI is considering capping FLDG at 15–20% and allowing only REs to enter into FLDG arrangements with each other.

Data Privacy and Security

WG Recommendations: The Report recommends that DLAs should seek prior, informed, explicit and auditable consent of the borrower for collecting her personal data. Borrowers should be able to revoke consent and make DLAs erase their personal data. DLAs should take separate consent for different types of data they access. All security breaches should also be reported to customers.

Current Market Practice: The core value proposition offered by DLAs is their ability to use alternative data sources for underwriting borrowers. DLAs rely on a large number of data points while evaluating the credit-worthiness of a borrower. A borrower’s payments data, social media usage, contact lists, location etc. are all used to paint a picture of her education, employment, expenses and lifestyle. By leveraging these alternative data sources, DLAs can promote financial inclusion and extend loans to ‘new-to-credit’ and ‘thin-file’ borrowers.

Impact: If the recommendations are implemented, DLAs will have to send multiple notifications to seek consent for different types of data collected. If consent is required even for accessing publicly available information like social media posts, it may limit the range of alternative data available for underwriting and reduce the accuracy of credit risk assessment. From the borrowers’ perspective, being bombarded with consent-seeking notifications may lead to consent fatigue. And such information overload may prevent borrowers from developing a meaningful understanding of what is happening to their data. Further, a blanket right to data erasure can cause practical difficulties in servicing and recovery of loans if this right is exercised before the debt is repaid. Finally, reporting of all security breaches could cause unnecessary panic as many vulnerabilities are caused by minor errors or bugs which are routinely fixed by companies.

Alternatives: The WG’s concern about safeguarding borrowers’ data is legitimate. It is also backed by past experience of rogue DLAs misusing personal data to harass borrowers. However, to ensure regulatory consistency and prevent jurisdictional overlap, the Report’s recommendations should be aligned with the Personal Data Protection Bill 2019 (PDP Bill). The Joint Parliamentary Committee (JPC) examining the PDP Bill submitted its report in December 2021 but media reports indicate that the government may be drafting a fresh law. In its current form, the PDP Bill recognizes ‘credit scoring’ as a reasonable purpose for which data can be collected and processed even without the consent of the data principal. Further, the PDP Bill empowers a person to seek erasure of her personal data but only if the data is no longer necessary for the purpose for which it was collected. Finally, the PDP Bill requires reporting of security breaches only to the Data Protection Authority (DPA) and only if there is risk of harm. Once the PDP Bill or a re-drafted version of it is enacted, DPA as a specialized regulator will be best placed to address data privacy and security concerns raised by DLAs. In the interim, the proposed Self-Regulatory Organization can prescribe minimum standards for data collection, processing, sharing and storage by DLAs.

Artificial Intelligence

WG Recommendation: The Report recommends that any AI/ML systems used for credit risk assessment should be transparent, explainable, non-discriminatory and auditable.

Current Market Practice: As the volume of data for digital lending is too large for any human to handle, DLAs use proprietary AI/ML systems to process the data and assign a credit rating to the borrower. Indian fintech executives believe that the quality of credit underwriting algorithms will become a key differentiator in the industry. These technologies are still in their early days and they are not infallible. But the low NPAs achieved by fintech players like BharatPe and Cred give us reasons to be hopeful.

Impact: If the WG’s recommendations are implemented in the form of prescriptive regulation, it could put the brakes on development of emerging technologies like AI/ML for digital lending. Ensuring transparency, accountability and fairness of AI/ML systems are important goals but they may not be technically feasible yet. DLAs also invest heavily in developing proprietary AI/ML systems and they could lose their competitive edge if transparency obligations require disclosure of the raw code of these systems.

Alternatives: MEITY and NITI Aayog have been working on regulation of AI over the past few years. The JPC examining the PDP Bill has also recommended disclosing the fairness of algorithms and methods of data processing to users. Considering the existing body of work developed by different wings of the government on this issue, a coordinated approach is required. If AI/ML systems are not properly designed, they can perpetuate social inequalities and exclude creditworthy borrowers on arbitrary grounds. But, as the AI/ML technology is still emerging, it may be best to adopt a principle-based approach which grants adequate flexibility to DLAs about the specific features and design of their AI/ML systems. The regulations must not mandate disclosure of trade secrets like raw code. Instead, DLAs can be required to disclose relevant parameters based on which they assess a person’s creditworthiness to check for discriminatory parameters like gender, caste, religion, race etc.


Buy-Now-Pay-Later (BNPL)

WG Recommendation: The Report recommends that short-term unsecured loans like BNPL products should be regulated as balance sheet lending.

Current Market Practice: BNPL comes in many avatars. Some BNPL providers help merchants accept deferred payments from their customers and they do not facilitate any loans from REs. They basically help customers open a khata with onboarded merchants. Then there are BNPL players which help customers avail loans from REs, which customers can use to pay merchants. These loans are sometimes not recorded as balance sheet lending because there is no interest payable on these loans.

Impact: Fintech players which merely enable merchants to offer operational credit without facilitating any loan from an RE will not fall within the ambit of this recommendation. But funds loaned by an RE to facilitate BNPL purchases will have to be recorded as balance sheet lending even if there is zero interest charged.

Alternatives: BNPL products which involve sourcing a loan from REs should be regulated as balance-sheet lending. These point-of-sale loans must be reported to credit bureaus to prevent over-indebtedness and KYC of borrowers must be conducted. But at the same time, regulation of zero-interest BNPL loans should be light-touch as they do not pose the same risks as interest-bearing loans. BNPL players generate most of their revenue through commissions received from merchants and not through late charges paid by customers. So, they are incentivized to ensure timely repayment and it does not serve their interests to keep customers stuck in revolving debt. Some BNPL products also offer greater visibility about the end-use of the funds as they can only be spent to buy goods and services from onboarded merchants. Therefore, not all BNPL loans require the same kind of heavy-handed regulation as traditional interest-carrying loans.

Keep the baby, throw the bathwater

DLAs and REs both bring unique advantages to the lending ecosystem. REs have earned consumer trust. And DLAs bring in the tech stack and knack for distribution. They offer proprietary credit evaluation algorithms, which help REs underwrite borrowers more accurately, reduce NPAs and build their loan-book. DLAs have also set up large distribution channels. DLAs like Paytm, MobiKwik and Razorpay have helped REs disburse loans worth several hundred crores.

The Report lists technological neutrality, principle-based regulation and addressing regulatory arbitrage as its guiding principles. These principles set the right tone and if they are implemented while keeping sight of commercial realities, we could have a goldilocks moment in digital lending regulation. This will allow DLAs to aid post-pandemic economic recovery by bridging the existing credit gap, reducing NPAs and creating bespoke credit products, while keeping rogue players and predatory lending in check.

This post has been authored by the fintech team at Ikigai Law.


