The Reserve Bank of India’s decision to allow fintech companies to access credit information through credit bureaus is a positive move, but ownership and control issues remain unresolved, writes Kaushal Mathpal
According to the latest Reserve Bank of India (RBI) Digital Lending Report dated November 18, 2021, digital lending grew 12 times between 2017 and 2020. This meteoric rise is attributed to fintech players who have technologically enabled to the struggling non-bank financial company (NBFC) to reach the forefront of the digital revolution.
For fintech, there may be a different suite of products to acquire customers such as wallets, Unified Payments Interface (UPI), facilitate bill/card payments, etc. However, with UPI gaining traction and transaction fees/fees (more specifically referred to as Merchant Discount Rates, or MDRs) collapsing amid growing competition, loans are the only chance to generate real revenue for these businesses.
Lending in India is heavily regulated by the RBI and requires creating the right balance between risk exposure and the creditworthiness of the potential borrower. New era fintech companies may have access to various customer data points based on their behavior on their platforms, however, it is still a long way from having the full picture to make a lending decision. This is where credit information companies (CICs) come in. These are the independent third-party agencies that collect loan, credit card, and other financial information from their members.
CICs collect this data from members and assign a risk-based rating that reflects their potential creditworthiness. The credit score helps these financial institutions conceptualize new product offerings to target these customers based on their risk profile. Thus, banks and financial institutions act both as providers of information needed to determine credit ratings and as primary users of their future loan portfolios.
Until the end of 2021, only banks and NBFCs were “specified users” under the Credit Information Companies (Regulation), 2005 (CIC Act), and therefore could access customer credit information. As such, CIC membership was exclusive to banks and NBFCs only. The CIC Act empowered the RBI to specify the criteria for any other institution as a “specified user”. In January 2022, in a positive move for the fintech space, the RBI released the Criteria for Specified User under the Credit Reporting Firms (Amendment) Regulations 2021, paving the way for fintech businesses to access credit information through credit bureaus.
Before delving deeper into the RBI criteria, it is necessary to understand why this development has taken place.
CHOOSING THE MIDDLE WAY
Back when fintech was gaining momentum, before 2019, it offered a great value proposition to speed up the credit approval process through this technology intervention by reducing turnaround time from days to hours only. In order to reach a credit granting decision, fintech companies had to have access to credit information available from credit bureaus.
However, as mentioned above, under the CIC Act, only banks or NBFCs could have access to this data. In order to facilitate fintech companies, a middle ground, or loophole, was identified and fintech companies were granted access to credit information via lender credentials. At the operational level, a Lender Credentials Subuser ID has been created to provide access to fintech partners to retrieve consumer details.
This is similar to having a G-suite ID at the institutional level and creating different email IDs for employees under the Institutional ID. Only in this case, instead of lenders’ employees having access to the CIC portal to retrieve credit data, these subuser IDs were assigned to fintech companies to retrieve customer credit scores to facilitate lending.
It is important to note that fintech companies facilitated loans for several lenders and the same file was processed simultaneously with different lenders. This led to the following major issues:
- Customer information extracted from that lender’s CIC credentials, even to whom the loan application was never sent for processing;
- Excessive extraction of credit information without proper consent; and
- Storage/disclosure/use of this confidential data by fintech companies for purposes of analysis and cross-selling/up-selling of new products.
In addition, credit information was retrieved for collection purposes by fintech companies, as most of its partnerships with NBFCs and banks were modeled on the first loss default guarantee agreement which ensured that companies financial technology had skin in the game. Moreover, since a client file was processed with several lenders at the same time, his credit score was often consulted several times. These repeated credit inquiries were interpreted as a customer’s eagerness to obtain a loan, causing the customer’s credit scores to plummet and leading to a large number of complaints and disputes with the credit bureaus.
CIC and the lenders were well aware of these issues, but ignored them for obvious business reasons. For lenders, especially NBFCs, fintech companies were cash cows that were inflating their assets under management, backed by the generous first-loss default collateral provisions. On the other hand, CICs had plausible deniability because technically the reports were only picked up by the lenders, and they had legal agreements in place that put the responsibilities on the head of the lender.
In September 2019, the RBI, in its letter to financial institutions and CICs, took note of these issues and opposed the industry-wide practices, reminding them of the principles of privacy and privacy. customer privacy set out in Chapter VI of the Credit Reporting Companies Act. (Regulation) Act 2005.
This has created temporary stumbling blocks for fintech companies. However, they were quick to innovate and move to the direct-to-consumer (D2C) model (i.e., acting as an agent for individuals) for accessing credit information. CICs also quickly pivoted to the D2C model and proposed certain restrictions and/or due diligence mechanisms for fintech companies, such as obtaining new customer consent every six months, information security and tighter internal controls, audit coverage and oversight.
In the meantime, major fintech and industry bodies were continually pushing for easier access to credit information. The government could not have avoided this push any longer and finally amended the CIC regulations in November 2021. This widened the scope of the specified user to entities working on behalf of the credit institution, provided that they meet the criteria set by the RBI.
FINTECH DEPENDENCE ON FDI
The RBI published criteria for these entities on January 5, 2022, with the general criteria for “specified user” as below:
- Entity incorporated in India;
- Net worth of INR 20 million (USD 263,000);
- Entity owned and controlled by a resident Indian citizen;
- CISA certification (Certified Information Systems Auditor); and
- Diversification of ownership.
This development by the RBI is a welcome step as it seeks to establish minimum net worth for fintech entities with robust security and technology standards. This is a positive step intended to ensure that the principles of client confidentiality and privacy are applied at the implementation level.
However, on the other hand, the ownership and control criteria applied to resident Indian companies and citizens does not bode well for the current industry scenario. India’s fintech market has been a hotbed of FDI and has attracted up to $1.9 billion in investments through December 2021, despite the pandemic. Additionally, a third of the country’s unicorns come from the fintech space. The government has also authorized up to 100% FDI in fintech.
It is important to note that fintech is a capital-intensive space and FDI is a major source of funding for these entities. Raising funds from foreign investors leads to the dilution of the shares of founders and promoters (who are mostly Indian), thus diluting ownership and control to parties outside the country.
The RBI also requires these entities to have a diversified ownership structure. This mainly requires a dilution of social capital between several entities or individuals. Considering that foreign venture capital funds are a main source of funding for these fintech entities, it will not meet this criterion. This is in fact contrary to the “ownership and control” criteria mentioned above, as it implies that the regulator expects these entities to diversify only among resident entities/individuals, which does not seem to go into the sense of FDI regulations allowing 100% financing under the automatic route.
The strength, volumes and economies of scale that the Indian fintech market is currently generating, as well as its future potential, are not unknown to the regulator. The RBI is realizing its potential and has set up a new department that is working on developing new regulations and policies for the fintech sector.
The stricter standards may stem from RBI’s concerns about the privacy and confidentiality of customer credit data, and its unsolicited use by foreign and domestic entities. There have been crackdowns on various fintech companies, such as Cashbean and Kudos, for their connection to China and for operating an illegal lending app in India. Similarly, recent news of celebrities Sunny Leone and Rajkumar Rao whose PAN cards were illegally used to obtain loans has raised serious concerns about the privacy of customer data.
Despite the RBI’s conservative approach to specified user, the new criteria are still a positive development given the regulator’s efforts to harmonize traditional and fintech banking standards. But with current regulations, more fintech companies will be left behind and will continue to rely on the D2C model to access credit information, which presents its own challenges. It is hoped that the criteria will be a temporary measure and will eventually align with broader regulatory oversight planned for the fintech industry.
Kaushal Mathpal is Senior Legal Counsel at Bharatpe.