By Prof Neelam Rani & Jatinder Handoo
The Indian Ministry of Electronics and Information Technology (MeITY) has recently released the Digital Data Protection Bill 2022 (DDPB) for public comment. Although the bill appears better than the previous version, a comparative analysis with RBI’s guidelines on Digital Lending 2022 shows some friction on a few basic points such as data localisation, customer consent and period of data retention. For a long time, the paucity of data privacy law and related literacy among consumers has created a widely conspicuous void in customers’ data privacy and client protection framework. The phenomenon has been more prevalent in dealings with unregulated app-based lenders. Many borrowers in India have reported acute harassment from digital debt collectors and have committed suicide. This article touches upon some of the contours of why customers get trapped in the app-based lending ecosystem and suggests some practical action points beyond regulations.
Coming back to the DDPB 2022, a quick comparison with the EU’s GDPR shows that the Indian bill could have been sharper, especially in relation to Chapter 3 (Art 12-21) of GDPR. Looking at customers’ pain points through a technology and regulatory lens, it is high time to have an accountable, data-principal-friendly, lucidly drafted data protection law. Law, regulation and literacy become important because the market size of digital lending in India is expected to grow exponentially in the next few years and become $1.3 trillion by 2030, as per Inc42’s report ‘State Of Indian Fintech Ecosystem Q3 2022’.
Technology is Amoral
India is a huge market and digital lending is growing at an accelerated pace. On an aggregate basis, FACE, India’s premier industry association of digital lending firms, has reported that its RBI-regulated member companies disbursed over 1.6 Cr loans with a total value of INR 14,016 Cr in Q2 FY 22-23. We are yet to know the quantum of digital credit being disbursed by unregulated app-based lenders. Apart from money, a significantly high volume of unfettered data flows from one entity to another in the digital lending ecosystem in the absence of GDPR-type dedicated data protection and privacy laws.
Technology is a great enabler and has the potential to make finance more inclusive and accessible, especially to last-mile customers. However, the flip side is that ‘technology is amoral’ and thus can be abusive and exclusionary as well. Not just in India, customer data and privacy abuses have also been reported from countries with the highest penetration of digital lending, like China, where examples of exploitation, fraud, and privacy violation of female borrowers have been amply reported. As a regulatory response to the menace of unethical lending by fake apps, the Reserve Bank of India came up with regulatory guidelines for ‘regulated digital lenders’ in August 2022. Even then, cases of data and privacy abuse and client harassment leading to suicides have not stopped; recently there were reports of suicides from the states of Andhra Pradesh and Maharashtra in the months of September-October 2022.
Need For a Strong Data, Privacy and Client Protection Framework
A report by Transunion on credit inclusion published in 2022 reported that India has the highest credit-unserved population, around 571 million, which is around 67% of the adult population, while 170 million, around 19% of the adult population of India, are underserved. On top of that, it is the young segment of consumers who are the most underserved: Millennials (31%) and Gen X (34%). It is also noteworthy that the over 65% of India’s young population that is connected to mobile internet recorded the highest downloads (more than 1 billion downloads) of financial apps in 2021, which indicates that traction on the fintech lending side is very high among youth in India.
Customers’ transaction data is an underlying asset for prudent underwriting of credit risk. Privacy is something that many, due to lack of literacy, take for granted; thus, the plot revolves around a triangle of client-level ‘Data, Privacy and Protection framework’ (DPP Framework). Using alternate data points evaluated by algorithms that decide in just a few seconds whom to lend to and how much, with or without assessing the repayment capacity of borrowers, leads to extreme situations, as has been the case with fake lending apps.
In an open API-driven lending ecosystem, multiple data, credit, and risk intermediaries are involved in the digital lending value chain; additionally, there is already a paperless, presence-less, cashless, and consent-based framework (Indiastack) in place. For techfins, neo banks and new-generation smart lenders, consumer data is fuel to run a loan-mill, and new variants of packet-based digital lending like payday loans, Buy Now Pay Later, Instacredit, small-ticket quick loans etc. are common products pushed by digilenders. This fast credit is expedited by accessible personal and transactional data of consumers harvested from the online ecosystem, which makes it more convenient, swift, and profitable for digital lenders to deliver credit remotely in a trustless ecosystem. The packet loans are particularly targeted at thin-file, new-to-credit young customers, housewives and even school or college goers who have low credit scores.
While the separation of chaff from grain is important, there is no reason to paint all digital lenders with the same brush.
In India, the lack of a credible credit score is a considerable impediment to achieving access to credit. This is the prominent reason why most ‘new to credit’ customers are deprived of formal credit services: their credit score is low or non-existent. Alternative data sources unlock a gamut of opportunities to empower such consumer groups. They also serve as a significant value addition for borrowers and lenders, and help fintech firms tap into the unbanked and underbanked population.
While the convenience of having access to fintech-driven credit is impeccable, and ideally any potential customer with the capacity and intent to repay on time should have such access round the clock, there is an equally important and concerning side in terms of data privacy and consent misuse risk, which in many cases outweighs the benefits of digital lending, particularly in the absence of digital and data literacy and a consumer data protection law in India.
The misuse of consent and data privacy has been observed in the case of app-based lenders. Many digital lenders rely heavily upon technology to cut through their cost structure, and many of them discount introducing softer aspects of human behaviour into the operational model, thus risking the entire value chain of the business. In the end, it is worth mentioning what Bill Gates once said: “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” Thus, besides technology-driven lending, it is equally important to strengthen the ecosystem to keep operations efficient, so that technology can magnify efficiency gains.
Finally, the Proactive Role of Policy and Regulation – The Way Forward
The Government of India and RBI have been extremely proactive in making timely interventions to curb unethical and unregulated lending through fake apps in India. Steps like the draft of DDPB 2022, and Digital Lending Guidelines (by RBI) are welcome steps, yet a lot could be achieved through cooperation.
In addition to policy and regulatory interventions, there is a greater role for market players like digital lenders, data intermediaries and prominent industry associations etc. in keeping the digital lending space healthy, transparent and customer friendly. The industry collectively, in addition to following RBI guidelines, must invest in customers’ digital literacy (data and privacy) initiatives in partnership with third sector players. Cross-sectoral networks must be leveraged and educated.
Vertically integrated cooperation with mobile services platforms must be initiated on an ongoing basis to weed out fake apps and their variants. Industry associations and the financial regulator must frequently strengthen subject matter knowledge and coordinate seamlessly with officers of the Economic Offences Wing at State and district levels to support the law and order machinery. Industry players must create and popularise avenues for a client grievance redressal mechanism, which would buttress initiatives taken by RBI and the Government of India.
Lastly, to reduce the mushrooming of unregulated app-based lenders, regulatory sandbox experiments may be undertaken to allow thus far unregulated players to enter the formal financial space, with light regulation based on differential modelling in proportion to the risk they add to the existing ecosystem. For greater market stability and client protection in the digital lending space, a sustainable approach is needed, based on out-of-the-box solutions like establishing innovation offices to facilitate regulator–innovator interactions and the interpretation of regulatory requirements for innovative digital lending models, and on the use of suptech technologies like RBI’s Daksh, to plug the necessary gaps in the ecosystem and facilitate a sustainable model of digital lending in India.
(Prof Neelam Rani is an Associate Professor and Jatinder Handoo is a scholar at the Indian Institute of Management, Shillong. Views expressed above are personal)