Data privacy, security of the customer’s personal information shall be RE’s responsibility
The RBI has issued directions that in order to ensure a smooth transition, Regulated Entities (REs) be given time until November 30, 2022, to put in place adequate systems and processes to ensure that existing digital loans are also in compliance with these guidelines. It is also advised that the instructions will be immediately applicable to existing customers availing new loans and new customers getting onboarded.
The RBI has reiterated in a communication to all commercial banks, primary (urban) co-operative banks, state co-operative banks, district central co-operative banks, and non-banking financial companies (including housing finance companies) that outsourcing arrangements entered into by REs with a lending service provider (LSP)/ digital lending app (DLA) do not diminish the REs’ obligations and they must continue to conform to the existing outsourcing guidelines. REs are advised to ensure that the LSPs they engage and the DLA (either of the RE or of the LSP engaged by the RE) follow the guidelines.
REs must ensure that any fees and charges payable to LSPs are paid directly by them (REs) and are not charged directly to the borrower by the LSP. Annual percentage rate (APR) will be based on an all-inclusive cost and margin, which includes the cost of funds, credit cost and operating cost, processing fee, verification charges, maintenance charges, and so on, and excludes contingent charges such as penal charges, and late payment charges.
REs must ensure that all loan servicing and repayment will be executed by the borrower directly in the RE’s bank account without any pass-through account/ pool account of any third party. The disbursements should always be made into the bank account of the borrower except for disbursals covered exclusively under statutory or regulatory mandate (of RBI or of any other regulator), flow of money between REs for co-lending transactions and disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary. REs must ensure that in no case, disbursal is made to a third-party account, including the accounts of LSPs and their DLAs, except as provided for in these guidelines.
REs shall ensure that LSPs/DLAs engaged by them do not store personal information of borrowers except some basic minimal data (name, address, contact details of the customer etc.) that may be required to carry out their operations. Responsibility regarding data privacy and security of the customer’s personal information will be that of the RE.