Rachana RautraySenior Associate
Fintechs can enter into default loss guarantee arrangements in digital lending transactions up to 5% of the loan portfolio
On 8 June 2023, the Reserve Bank of India (RBI) issued the Guidelines on Default Loss Guarantee in Digital Lending (DLG Guidelines), setting out the conditions under which RBI regulated lending entities (RE) can enter into default loss guarantee (DLG) arrangements amongst each other, or with lending service providers (LSP).
The DLG Guidelines have been introduced after considerable engagement between RBI and the fintech industry, following RBI’s earlier decision to treat guarantee arrangements between LSPs and REs as ‘synthetic securitisation’ under the RBI’s Guidelines on Digital Lending dated 2 September 2022 (Digital Lending Guidelines). This treatment had led to apprehensions that DLG arrangements could be prohibited in the digital lending ecosystem. In a relief to the fintech industry, the RBI has, through the DLG Guidelines, exempted DLG arrangements conforming to the guidelines from being treated as synthetic securitisation.
In this regard, the DLG Guidelines require all DLGs to be capped at 5% of the loan portfolio and prescribe other requirements regarding the form and manner of the guarantee. The DLG Guidelines also recognise implicit guarantees, which may require fintechs to rethink their existing digital lending arrangements.
(To read our detailed update on the DLG Guidelines, click here.)
Non-banking financial companies outsourcing information technology services are now subject to new risk-based compliances
Pursuant to new directions issued by the RBI, non-banking financial companies (NBFC) and other REs (such as banks) outsourcing information technology (IT) services are required to comply with specific requirements such as undertaking due diligence on IT service providers, putting in place a risk management framework, reporting cyber-attacks, and monitoring and controlling outsourced activities.
On 10 April 2023, the RBI issued the Master Direction on Outsourcing of Information Technology Services (IT MD), which is meant to complement the existing master directions issued by RBI in relation to the outsourcing of financial services by such REs. Under the IT MD, in addition to the aforementioned compliances, REs are also required to implement frameworks for testing robust business continuity and disaster recovery plans, conduct regular audits of the outsourced service provider, and monitor adherence to service level agreements (SLA) and incident response mechanisms. Notably, the IT MD exempts a number of services and vendors from the scope of the directions, for example:
- acquisition of IT software or product or application on a licence or subscription basis,
- maintenance service for IT infrastructure or licensed products provided by original equipment manufacturers and vendors providing business services,
- payment system operators, business correspondent services, SMS gateways.
The IT MD is set to come into effect from 1 October 2023 – although a staggered implementation (including up to 36 months from the issuance of the IT MD) is contemplated for existing agreements, providing relief to REs from having to renegotiate live contracts in a bid to remain compliant. This development also follows a continual trend of sectoral regulators regulating the outsourcing of services such as the Securities and Exchange Board of India’s directions on cloud services in the previous quarter and the Insurance Regulatory and Development Authority of India’s directions on information security in the insurance sector.
Reserve Bank of India permits regulated lending entities to deploy Aadhaar one-time-password based e-Know Your Customer for updating details in non-face-to-face mode and access the Central Know Your Customer Registry for due diligence; prescribes compliances for Video based Customer Identification Process
In a move that will further simplify the Know Your Customer (KYC) process and reduce the need to interface with customers in person or in face-to-face mode, REs may now undertake Aadhaar one time password (OTP) based e-KYC to update customer details in a non-face-to-face mode. It has also been clarified that REs can, at the time of customer due diligence, take the explicit consent of the customer upfront to access the Central KYC Records Registry (CKYCR) for retrieving and downloading their records and information.
These changes were introduced by the RBI through an amendment to the Master Direction – Know Your Customer (KYC) Direction, 2016 (KYC MD). In addition to the above measures, REs that onboard customers in a non-face-to-face mode are now required to adhere to additional due diligence. For instance, if Video based Customer Identification Process (V-CIP) has been introduced by the RE, it must be the first option for online customer onboarding. Additionally, the RE should ensure that once customer due diligence is done, an alternative mobile number is not thereafter linked to the account for OTP or transaction updates. The RE is also required to take other measures such as verification of PAN number and positive confirmation of address. The KYC MD has also separately introduced new compliances for any REs undertaking V-CIP through a cloud-based model - such entities must ensure that they retain ownership of customer data, that all customer data are transferred to the RE’s exclusively owned or leased server, and that no customer data is retained by the cloud and/or technology service provider assisting the RE with V-CIP.
These developments are significant as they come in the backdrop of the growing adoption of non-face-to-face mode of onboarding of customers by entities in the digital lending and peer-to-peer (P2P) lending space. The RBI has introduced these measures both to simplify the way in which such onboarding may be undertaken, as well as ensure that certain due diligence standards are met.
In addition to the developments above, there has also been an increased focus on KYC, anti-money laundering measures and traceability of financial transactions. For instance, while in the previous quarter, virtual asset service providers and similar entities were included within the ambit of ‘reporting entities’ under the Prevention of Money Laundering Act, 2002, this quarter saw the inclusion of directors and secretaries of companies and other similar personnel as reporting entities as well. The upcoming quarter is also anticipated to see developments along similar lines with the Financial Action Task Force scheduled to evaluate India’s processes in November.