Digital Data Protection Bill 2022 and challenges of app-based digital lending in India
By Prof Neelam Rani and Jatinder Handoo
The Indian Ministry of Electronics and Information Technology (MeITY) has recently released the Digital Data Protection Bill 2022 (DDPB) for public comment. Although the bill appears better than the previous version, a comparative analysis with RBI’s Digital Lending Guidelines 2022 shows some friction on a few fundamental points such as data localization, customer consent and the period of data retention. For a long time, the lack of privacy legislation and related consumer literacy has created a widely glaring void in customers’ privacy and client protection frameworks. The phenomenon has been more widespread while dealing with unregulated app-based lenders. Many borrowers have reported acute harassment by digital debt collectors and committed suicide in India. Why customers are trapped in app-based lending ecosystems, this article touches on some of the contours and suggests some practical action points beyond regulations.
Coming back to the DDPB 2022 and a quick comparison with the EU GDPR regulations shows that the Indian bill could have been sharper, especially related to chapter 3 (arts 12-21) of the GDPR. When we look at the customer’s pain points with a technology and regulatory lens, it is high time to have a responsible, data task-friendly and clearly drafted law on data protection. The law, regulation and literacy become important because the market size of digital lending in India is expected to grow exponentially in the next few years and will reach $1.3 trillion by 2030, according to Inc42’s report ‘State Of Indian Fintech Ecosystem Q3 2022.
Also read: RBI’s guidelines for digital lending: Important takeaways for consumers and the way forward
Technology is amoral
India is a huge market and digital lending is growing at an accelerated pace. On an aggregate basis, RBI regulated member companies of India’s Premier Industry association of digital lending firms – FACE has reported that its members disbursed over 1.6 Cr loans worth a total of INR 14,016 Cr in Q2 FY 22-23. We do not yet know how much digital credit is paid out by unregulated app-based lenders. Apart from money, in digital lending ecosystems, a significantly high volume of data flows unhindered from one device to another in the absence of GDPR-type dedicated data protection and privacy laws.
While technology is a major enabler and has the potential to make finance more inclusive and accessible, especially for last mile customers. But the flip side is – “technology is amoral” and therefore can also be insulting and exclusionary. Not only in India, customer data and privacy abuses have also been reported from countries with the highest prevalence of digital lending such as China, where examples of exploitation, fraud and privacy violations of female borrowers have been reported abundantly. As a regulatory response to the threat of unethical lending from fake apps, India’s Reserve Bank came up with regulatory guidelines for ‘regulated digital lenders’ in August 2022. Even then, cases of data, privacy abuse and client harassment leading to suicide have not stopped, recently it was reports of suicides from the states of Andhra Pradesh and Maharashtra in the months of September-October 2022.
Need for a strong framework for data, privacy and client protection
A Transunion report on credit inclusion published in 2022 reported that India has the highest number of creditless population – around 571 million which is around 67% of the adult population and 170 million are underserved which is around 19% of the adult population in India. On top of that, it is the young segment of consumers who are the most underserved; Millennials (31%) and Gen X (34%). It is also noteworthy that India’s over 65% of the young population connected to mobile internet has surpassed the highest downloads (more than 1 billion downloads) of financial apps in 2021, indicating that the traction of the fintech lending side is very high among youth in India.
The customers’ transaction data is an underlying asset for sound credit risk insurance. Privacy is something that many people take for granted due to a lack of literacy, and the plot therefore revolves around a client-level triangle “Framework for data, privacy and protection” (DPP Framework). The use of alternative data points, evaluated by algorithms that decide in just a few seconds who to lend and how much, with or without access to the repayment capacity of borrowers, leads to extreme situations, as has been the case with fake loan apps.
In an open API-driven lending ecosystem, several data, credit and risk intermediaries are involved in the digital lending value chain, in addition there is already a paperless, presenceless, cashless and consent-based framework (Indiastack) in place. While for techfins, neo-banks and new generation smart lenders, consumer data is fuel to run a loan factory, new varieties of package-based digital lending such as payday loans, Buy now, pay later, Instacredit, quick loans with small tickets, etc. products pushed by digilender. This rapid credit is accelerated by available consumer personal and transactional data extracted from online ecosystems, making it more convenient, faster and profitable for digital lenders to deliver credit externally in a trustless ecosystem. The package loans are particularly aimed at young customers with thin, new credit, housewives and even school or college goers who have a low credit score.
While separating the chaff from the wheat is important, there is no reason to paint all digital lenders with the same brush.
In India, lack of credible credit scores is a significant barrier to accessing credit. This is the prominent reason why most “new to credit” customers are denied formal credit services due to low or non-existent credit scores. Alternative data sources open up a number of possibilities for strengthening such consumer groups. It also serves as a significant added value for borrowers and lenders. It helps fintech companies tap into the unbanked and underbanked population.
While the convenience of accessing fintech-powered credit is impeccable, and ideally any potential customer with the capacity and intention to repay on time should have such access 24/7, there is an equally important side to privacy and consent. misuse risk, which in many cases outweighs the benefits of digital lending, especially in the absence of a Digital and Computer Literacy and Consumer Data Protection Act in India.
Also Read: RBI’s digital lending norms aim to end mis-selling, unethical mining practices
Abuse of consent and privacy has been observed in the case of app-based lenders. While many digital lenders rely heavily on technology to cut through the cost structure, many of them discount introducing softer aspects of human behavior into the operating model, thereby risking the entire value chain of the business. Finally, it is worth mentioning as once said by Bill Gates “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” In addition to technology-driven lending, it is therefore just as important to strengthen the ecosystem to keep operations efficient, so that technology can increase efficiency gains.
Finally, the proactive role of policy and regulation – The way forward
The Government of India and the RBI have been extremely proactive in making timely interventions to curb unethical and unregulated lending through fake apps in India. Steps like the draft DDPB 2022 and Digital Lending Guidelines (by RBI) are welcome steps, but much can be achieved through collaboration.
In addition to policy and regulatory interventions, there is a greater role for market players such as digital lenders, data brokers and prominent industry associations etc. to keep the digital lending space healthy, transparent and customer-friendly. The industry must collectively, in addition to RBI guidelines, invest in customers’ digital competence (data and privacy) initiatives in collaboration with actors from the third sector. Cross-sector networks must be utilized and educated.
A vertically integrated collaboration with mobile service platforms must be initiated on an ongoing basis to weed out fake apps and its variants. Strengthening expertise and seamless coordination with financial offense officers at state and district levels to support law and order machinery needs to be done frequently by industry associations and financial regulators. Industry players need to create and popularize client grievance mechanism avenues that can support initiatives taken by RBI and Government of India.
Finally, to reduce the mushrooming of unregulated app-based lenders, regulatory sandbox experiments can be conducted to allow so far unregulated actors to enter formal financial spaces, with light regulation based on differential modeling relative to the risk they add to the existing ecosystem. For greater market stability and client protection in the digital lending area, a sustainable approach based on out-of-the-box solutions such as establishing innovation offices for the facilitation of regulator-innovator interactions and interpretation of regulatory requirements for innovative digital lending models and the use of suptech technologies such as RBI’s Daksh needs to be done to plug the necessary gaps in the ecosystem to facilitate a sustainable digital lending model in India.
(Prof Neelam Rani is Associate Professor and Jatinder Handoo is Fellow at Indian Institute of Management, Shillong. Above views are personal)
