DLAI Code of Conduct

Digital Lending Industry Code of Conduct for Responsible Digital Lending

CODE OF CONDUCT FOR RESPONSIBLE DIGITAL LENDING

I. INTRODUCTION AND IMPLEMENTATION

In furtherance of DLAI’s commitment towards creating an industry-led self-regulatory body and aligning its values with the applicable regulatory directions, the Digital Lenders’ Association of India (“DLAI”) is introducing this 2nd edition of its code of conduct (“Code of Conduct”). The erstwhile Code of Conduct dated is henceforth discontinued and this Code of Conduct (2nd edition) is instituted in its place. The Code of Conduct will come into effect from September 23,2023.

Industry self-governance, by virtue of being developed by members of the industry themselves, can lead to more appropriate mechanism for self-regulation with higher compliance rates and higher standards of governance and client protection. Further, selfregulation encourages members to look beyond their immediate short-term goals and internalize the larger impact of their business – such as ensuring effective mechanism for customer protection, furthering financial, digital and frauds related education for customers and employees alike, and striving for the development of its members, the industry, and the ecosystem as a whole, which in turn leads to a healthier and more profitable ecosystem in the long run. With the recent rapid growth in the digital lending industry in India, there is a need for industry participants to adhere to a strong Code of Conduct to prevent the rise of unscrupulous practices that harm the digital lending ecosystem by reducing the confidence of customers, regulators, and other market participants. Safeguarding the interests of customers provides the industry with trust and legitimacy, which will ultimately benefit the digital lending industry as a whole and the members individually.

The revised Code of Conduct is centered around 8 (eight) core elements. The Code of Conduct sets out the processes and guidelines under each core element to actualize each such element into clear actionable points. This Code of Conduct must be viewed as a minimum industry standard. Consequently, this Code of Conduct is binding on every member of DLAI engaged in the business of digital lending, whether such member is regulated or not. The applicability of this Code of Conduct is set out in Section II (Applicability) below.

The Reserve Bank of India (“RBI”) issued the ‘Guidelines on Digital Lending’ dated September 02, 2022 (“Digital Lending Guidelines”)1, pursuant to which the RBI shifted away from the light touch approach it had traditionally adopted in respect of digital lending and has prescribed a robust regulatory framework for digital lending in India. The Digital Lending Guidelines identify two key participants in the digital lending ecosystem:

The onus of compliance with the Digital Lending Guidelines is directly on the REs and not on the lending service providers/digital lending applications. However, the RE is required to ensure compliance by lending service providers/ digital lending applications, which may be achieved by way of appropriate contractual arrangements between REs and lending service providers/ digital lending applications. The introduction of the Digital Lending Guidelines has necessitated the current revisions to the Code of Conduct.

Each member of DLAI is required to incorporate the Code of Conduct as a part of its fair practices code. This Code of Conduct is required to be displayed by all members at every point of customer interface – especially on the member’s website and/or the digital lending application through which lending activities may be undertaken by the member.

Any concerned person may contact DLAI for any queries, information, or clarifications regarding the implementation of the Code of Conduct at: sro@dlai.in.

II. APPLICABILITY

1. This Code of Conduct is a set of principles, processes, and guidelines that is binding on every ordinary member of DLAI which is an RE2, lending service provider3, digital lending application4, or any other entity offering digital lending5 products or service to customers or facilitating digital lending as a support service (“Member”) in respect of their digital lending activities. The associate members of DLAI are encouraged to voluntarily adopt relevant provisions of this code of conduct.

2. This Code of Conduct applies to each Member in all its dealings, interactions, communications, arrangements, and transactions in respect of any digital lending product, service or related activity provided, undertaken or facilitated by such Member to any individual, person, or business (“customer”).

3. Units and functionaries of the DLAI Self-Regulatory Organization (“DLAI SRO”) referenced in this Code of Conduct shall have the meaning ascribed to them in the table below:

Units and Functionaries Meaning
Enforcement Committee The committee established under the DLAI SRO, which shall act as the first forum for reviewing non-compliances by Members, dispute resolution inter-se Members and for addressing market threats.
SRO Committee The committee established under the DLAI SRO, which shall act as the appellate forum to the Enforcement Committee for reviewing noncompliances by Members, dispute resolution inter-se Members and for addressing market threats.

4. All Members of DLAI are obligated to follow this Code of Conduct. Compliance with the Code of Conduct is a necessary condition for membership. The DLAI SRO will enforce adherence by Members, to the Code of Conduct.

5. Any non-adherence with the measures set out under this Code of Conduct will trigger the governance and enforcement measures set out in clause 7 (Actions) of Part H (Governance and Enforcement) of Section IV (Code of Conduct) below.

6. All other REs, lending service providers, digital lending applications, and other entities offering digital lending products or services to customers, or which facilitate digital lending as a support service are strongly encouraged to voluntarily adopt the Code of Conduct as a measure of best practice.

7. This Code of Conduct aligns with and is in addition to all laws and regulations applicable to digital lending operations and its ancillary services, including all current regulations and directions issued by any statutory, regulatory, or Governmental body, including, without limitation, the RBI, SEBI, Central and State Governments, from time to time and by no means aims to override any applicable law or regulatory guidance. When there is any conflict or inconsistency between this Code of Conduct and any applicable law or regulation in India, such law or regulation will prevail.

This Code of Conduct is subject to review by the board of directors of DLAI (“Board”) from time to time.

III. REGULATORY FRAMEWORK FOR DIGITAL LENDING

(ADHERENCE WITH THE DIGITAL LENDING GUIDELINES)

References to paragraph numbers below are references to the relevant paragraphs of the Digital Lending Guidelines

1. The fund flow must be directly between the borrower and the RE (except for disbursals covered exclusively under statutory or regulatory mandate). The funds cannot flow through the account of a lending service provider or their digital lending application. Similarly, any fees, charges, etc. payable to the lending service provider shall be paid by the REs and no funds shall flow from the borrower to the lending service provider. (Paragraphs 3 and 4) The RBI has clarified that any payment aggregator also acting as a lending service provider or such RE’s digital lending application will need to comply with the Digital Lending Guidelines.

2. REs shall provide a key fact statement to the borrower before execution of the contract (which must be in the prescribed format) for all digital lending products. The key fact statement shall contain details of annual percentage rate (which must be disclosed upfront as an all-inclusive cost of digital loan to the borrower), recovery mechanism, details of nodal grievance redressal officer, cooling off period, penal interest or charges (if any, based on outstanding amount of the loan) levied on the borrowers. Fees or charges not mentioned in the key fact statement cannot be charged by the REs at any stage. (Paragraphs 4.2, 5.1, and 5.2)

3. The REs shall ensure that, in absence of physical documents, the digitally signed documents on the letterhead of the RE shall automatically flow to the registered and verified email/SMS of the borrower upon execution of the loan contract. (Paragraph 5.3) RE shall ensure that where physical documents are executed, the borrowers shall be delivered a copy of such documents.

4. The list of lending service providers of the REs, the digital lending applications of the REs, and their lending service providers or any other party (e.g., In-app advertising) shall be prominently published on the website of the REs along with details of activities for which they have been engaged. (Paragraph 5.4)

5. The digital lending applications of both the REs and their lending service providers shall prominently display information relating to product features, loan limit, cost, etc., at the signup/on-boarding stage and must also have links to the REs’ website where detailed information about the loan products, the lender, the lending service providers, particulars of the customer care details, link to the RBI’s Sachet Portal, privacy policy, etc., prominently provided at a single place can be easily accessed by the borrower. (Paragraphs 5.5 and 5.7)

6. The REs shall inform the borrower about the details of the lending service provider and/or any other intermediatory acting as recovery agent and authorised to approach the borrower for recovery, at the time of sanctioning the loan amount and while appointing a lending service provider as a recovery agent or change in recovery agent. (Paragraph 5.6)

7. REs shall ensure that they and their lending service providers have a nodal grievance redressal officer to deal with fintech/digital lending-related and digital lending application-related complaints raised by the borrowers. The REs’ and their lending service providers’ websites and their digital lending applications and the key fact statement shall prominently display the contact details of the nodal grievance redressal officer. The REs’ and their lending service providers’ websites and their digital lending applications shall provide the facility to lodge complaints. The responsibility of grievance redressal shall remain with the REs and if the complaint is not resolved within 30 days, the borrower can lodge a complaint over the Complaint Management System portal under the RBI Ombudsman Scheme. (Paragraph 6)

8. REs shall capture the economic profile of the borrowers before extending any loan to assess the borrower’s creditworthiness. REs shall also ensure that the credit limit of the borrower is not increased without explicit consent taken on record. (Paragraph 7)

9. The borrower shall be given an explicit option to exit the digital loan by paying the principal and proportionate annual percentage rate without any additional penalty during the coolingoff/looking-up period. The Board of the RE shall determine the duration of the cooling-off period which must be at least three days for loans having a duration of seven days and a maximum of one day for loans having a duration less than seven days. Pre-payment shall be allowed to borrowers continuing after the cooling-off period as per RBI’s extant guidelines. (Paragraph 8)

10. REs shall conduct enhanced due diligence with respect to technical abilities, data privacy policies and storage systems, fairness in conduct with borrowers, and ability to comply with regulations and statutes, before entering into partnership with a lending service provider for digital lending. REs shall carry out periodic review of the conduct of their lending service providers and impart necessary guidance to the lending service providers acting as recovery agents to discharge their duties responsibly and in compliance with extant instructions. (Paragraph 9)

11. REs shall ensure that any collection of data by the REs’ or their lending service providers’ digital lending applications is need-based and on explicit prior consent of the borrower having an audit trail. REs shall ensure that the digital lending applications desist from accessing mobile phone resources like file and media, contact list, call logs, telephony functions, etc. A one-time access for camera, microphone, location, etc., necessary for on-boarding/KYC requirements may be taken with the explicit consent of the borrower. (Paragraph 10.1)

12. The borrower shall be provided with an option to give or deny consent for the use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data, and make the application delete/forget the data. (Paragraph 10.2)

13. The purpose of obtaining borrowers’ consent needs to be disclosed at each stage of interface with the borrowers. (Paragraph 10.3) 14. Explicit consent of the borrower shall be taken before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirements. (Paragraph 10.4)

15. REs are also required to ensure that (a) the lending service providers they engage with do not store the personal information of borrowers except some basic minimal data (viz., name, address, contact details of the customer, etc.) that may be required to carry out their operations; (b) clear policy guidelines regarding the storage of customer data including the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, data destruction protocol, standards for handling security breach, etc., are put in place; (c) the data sets that are collected by a lending service provider or a digital lending application is disclosed prominently on its website and application at all times; and (d) each lending service provider that it partners with has a comprehensive privacy policy in place that is in compliance with applicable laws, rules, and regulations. (Paragraph 11)

16. REs must ensure that all data is stored only on servers located in India. Further, REs must also ensure that no biometric data of any customer is stored by any lending service provider or any digital lending application. (Paragraph 11)

17. REs shall ensure that their digital lending applications and lending service providers engaged by them have a comprehensive privacy policy (including details of third parties allowed to collect personal information through the digital lending applications) compliant with applicable laws, associated regulations, and RBI guidelines. For access and collection of personal information of borrowers, digital lending applications of REs/ lending service providers should make the comprehensive privacy policy available publicly. (Paragraph 12)

18. REs shall ensure that they and their lending service providers comply with various technology standards/requirements on cybersecurity stipulated by RBI and other agencies, or as may be specified from time to time, for undertaking digital lending. (Paragraph 13)

19. REs shall ensure that any lending done through their digital lending application and/or digital lending applications of their lending service providers is reported to credit information companies irrespective of its nature/ tenor. REs shall ensure that lending service providers associated with such deferred payment credit products shall abide by the extant outsourcing guidelines issued by the RBI. (Paragraph 14)

20. REs must ensure adherence with the extant regulatory guidelines while entering into loss sharing arrangements in case of default.6 (Paragraph 15)

IV. CODE OF CONDUCT

THE CODE OF CONDUCT IS CENTERED AROUND 8 (EIGHT) CORE ELEMENTS:

A. Transparency and Disclosures

1. Every Member must ensure to display the Code of Conduct as part of their fair practices code (similar to Banks and NBFCs) at the point of customer interface in English– including on the Member’s website (if any) and the digital lending application through which the lending activities are undertaken by the Member. In addition to English, each Member must ensure that the Code of Conduct is made available in a language understandable by its target customer group, given their geographical and regional location.

2. Members must offer products and services that are not misleading, deceptive, or unclear. Members must ensure that their marketing and advertising material 7 and outreach to customers is not false, misleading, or deceptive.

3. Members must provide relevant information in a key fact statement in a standardized format and in a language that their customers would reasonably understand. 8

4. Members must ensure that detailed terms and conditions of the financial product and services offered, loan limits and cost, etc. are made available to the customer at the onboarding/ customer engagement stage.

5. Members must ensure that digitally and/or physically signed copies of the key fact statement, summary of loan product, sanction letter, loan agreement, and terms and conditions, applicable to the credit products being availed by a borrower are automatically provided to the borrowers on their registered and verified email address or over SMS, on or before disbursement of the loan, in a language which is reasonably understood by the borrower.

6. All RE Members must prominently publish, on their website, a list of their digital lending applications, their active lending service providers (LSP), and the latest version of digital lending applications of their lending service providers, their authorised recovery agents and any other party (for example, in-app advertisers), along with the details of the activities for which each entity has been engaged and whether each entity is a member of DLAI. Every Member must ensure that their names and contact details of active LSPs with customer interface appear on the website of each of the REs they are engaged with.

7. It must be clearly disclosed to the customers that they are taking a loan and that this will have consequences in terms of credit bureau reporting and potential legal action in case of an event of default.

8. The customer must understand that they have an obligation to repay the loan and the exact consequences of non-payment or delayed payment.

9. The customer must understand who the exact loan provider on record is (The RE) and who will be collecting repayments in connection with the loan. In the event the Member is not the lender on record, the customer should understand the role and responsibility of the Member in the process and transaction relating to the provision of financial products and services.

10. Members must ensure that an annual percentage rate is clearly mentioned in the key fact statement which lists all costs and fees applicable to the financial product or service offered, including all upfront fees, processing fees, interest costs, insurance costs, registration fees, provisions, re-arrangement fees, late fees, pre-payment fees or penalties and any other costs charged to the customer.

11. The illustration of all costs, including any contingent or default costs and expenses, must be explicit and clear and provided in a manner that can be understood by the customer.

12. Members must provide illustrative examples of the costs to the customer, including any contingent or default costs, in INR format specific to the financial service or product offered, so that the customer understands all such costs. Members may provide such illustrative examples to the customers in a separate annexure or document set, shared along with the documents in clause 5 above.

13. Members must provide a repayment schedule with detailed repayment information and due dates in a clear manner9. The Member must provide timely information about loan payments due and outstanding loan amounts in a format that the customer clearly understands.

14. Members must inform the borrowers of such look-up period offered to customers in accordance with clause 5 (Look up period) of Part B (Responsible Lending) of this Section IV to repay the digital loan on their websites/ digital lending applications at the time of execution of the loan contract/transactions.

15. RE Members must publish detailed information regarding their financial products – namely about the loan products, the lender, the lending service provider, particulars of customer care, link to the RBI’s Sachet portal, privacy policies, etc. Non-RE Members must provide a link on their website/ digital lending application to direct customers to the webpage of the concerned REs they are engaged with.

16. Members must promptly supply DLAI (SRO) with all other information that may be required by the DLAI (SRO) to ensure compliance with applicable laws, adherence to the Code of Conduct, and higher standards of governance amongst the Members.

B. Responsible Lending

1. Members must follow the principle of ‘suitability of product’. The onus is always on the Member to make fair income and affordability assessments of customers and ensure that financial products and services, including the loan and all charges and fees, are not in excess of a customer’s capacity to pay.

2. Members must ensure that an economic profile of each borrower (covering age, occupation, income, etc., or any other borrower data collected which has a direct and tangible link with the economic profiling of the borrower) is captured, to enable credit decision-making by the REs, before extending any loan to any borrower to assess the borrower’s creditworthiness. Members must ensure that the credit decision-making rationale is auditable and the data collected is subject to the conditions contained in Part D (Data Security and Privacy) of this Section IV below.

3. Members cannot increase the credit limit of its borrowers automatically. An explicit consent of the borrower must be taken on record for each such increase in the credit limits.

4. Members will not design pricing models that could ever be considered “predatory” or “usurious”, including but not limited to:

5. Look up period:

6. Members must clearly mention an annual percentage rate in its key fact statement which includes and lists all costs and fees arising from the financial product or service offered, including cost of funds, credit cost and operating cost, processing fee, verification charges, maintenance charges, etc., and excludes contingent charges like penal charges, late payment charges, etc. charged to the customer11.

7. Members must provide clear information related to the amount and mechanism of imposing fines in the event of a delay. Such information should be disclosed upfront to the customer in the key fact statement. A Member cannot impose on the customers any fines, charges, costs, etc. which are not disclosed in the key fact statement.

8. Members must ensure that the late payment penalties levied are reasonable and transparent, non-compounding, and must be levied only on the remaining outstanding value of the loan, in accordance with the policies of the Member framed in this regard.

9. Members must have a system and process of verification and assessment of the financial condition of the customer to assess the eligibility and suitability for the loan or other financial product offered.

10. Members must have a system to ensure the accuracy of the data and information provided by a customer.

C. Fair Interactions

1. Members shall either perform the recovery function in-house or engage a recovery agent12.

2. Members must ensure that borrowers are not unfairly discriminated against on grounds such as religion, caste, gender, marital status, sexual orientation, etc.

3. Members must ensure that there is no undue harassment or intimidation (physical or verbal) of customers, including practices such as calling (or threatening to call) any family member of the customer or any person associated with the customer sending inappropriate messages either on mobile or through social media, making threatening and/ or anonymous calls, etc. The Members must ensure that there is no coercion in the recovery process.

4. Members must ensure that their staff, agents, and representatives are adequately trained to deal with the customers with care and sensitivity, particularly in aspects such as soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer and that their staff, agents and representatives are not rude or humiliating in their dealings with the customer. Members must ensure compliance with the extant RBI guidelines.

5. Members must ensure that their staff, agents, and representatives use respectful language, maintain decorum, and show respect to social and cultural sensitivities. Further, their staff,agents, and representatives must not contact borrowers at odd hours or at inappropriate times such as bereavement, illness, or social occasions such as marriages and births.

6. Members must ensure that their staff, agents, and representatives contact their borrowers only during normal hours (between 8:00 a.m. and 7:00 p.m.) and avoid persistently calling the borrower for recovery of overdue loans.

7. Non-RE Members must ensure that the recovery agent contacts the customer for recovery only after the associated RE has at the time of sanctioning the loan and at the time of allocating the recovery responsibilities and in any case, before the recovery agent contacts the borrower for recovery, shared the name and details of such Member/ the recovery agent with the customers through email/SMS.

D. Data Security and Privacy

1. Members must have a board-approved comprehensive data privacy policy compliant with applicable laws, associated regulations, and RBI guidelines disseminated publicly on its website / digital lending application and further, at every stage where consent of the borrower is taken to access the data of the customer. Such privacy policy must inter alia clearly outline the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, data destruction protocol, standards for handling security breaches, and the details of third parties (if any) who are allowed to collect personal information of the customers through the digital lending application of such Member.

2. Members must follow a consent-based architecture for data capture with informed consent provided by the customer following a detailed explanation of the data being captured and used (including sharing of such data with third parties). The Member shall preserve such digital records of customer consent(s) as proof of informed consent.

3. Members are required to practice good faith in the collection, storage, use, and sharing of personal data of customers in respect of their digital lending activities.

Without limiting the generality of the above, Members shall not:

4. Members may access, store, and utilize the personal information of the borrower in respect of their digital lending activities, provided that: