How RegTech Can Transform India’s Financial Services Industry

SUMMARY

Before sourcing or entertaining a new client, business development teams must understand the contours of regulation

The RBI has been monitoring the digital lending space for some time and has formed a working group to recommend changes

Let’s discuss how regulatory frameworks will influence how digital lending companies evolve their technology

For nearly a decade, digital lending has been on the verge of technological disruption. However, it has not had the same level of success as other industries such as ecommerce and logistics. One of the reasons is the regulatory oversight in this industry. The RBI must ensure the financial system’s stability and the protection of consumers’ rights because both consumers and businesses are affected.

The RBI has been monitoring the digital lending space for some time and has formed a working group to recommend changes. Many of the recommendations have now been adopted by the RBI for immediate implementation. Some of them are being researched for wider application.

Let us examine how these regulations will shape the digital lending space. In this article, we will discuss how regulatory frameworks will influence how digital lending companies evolve their technology.

Compliance & Software

Compliance in digital lending business models is inextricably linked to software and technological architecture. The typical software development team, which consists of product managers, designers, QA, and software engineers, now requires one more crucial member: the Compliance Officer.

Every decision, no matter how minor or insignificant, has regulatory and compliance ramifications. For instance, logging sensitive customer information such as PAN or Date of Birth to fix a software application bug could be a problem if that log is sent outside of the country for storage or analysis.
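One way to keep PAN and date-of-birth values out of debug logs before any handler writes or ships them, shown as an added example that is not from the original article. It assumes the standard 10-character PAN layout and three common date formats; the field names, logger name and sample values are hypothetical and constructed.

```python
import io
import logging
import re

# Assumption: PAN uses the standard layout of 5 letters, 4 digits, 1 letter.
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
# Assumption: dates appear as DD/MM/YYYY, DD-MM-YYYY or YYYY-MM-DD.
DATE_RE = re.compile(r"\b(?:\d{2}[/-]\d{2}[/-]\d{4}|\d{4}-\d{2}-\d{2})\b")
# Hypothetical field names whose values are always masked, whatever their format.
SENSITIVE_KEYS = {"pan", "dob", "date_of_birth"}


def redact_value(value):
    """Mask PAN/date-shaped text; walk dicts and sequences passed as log args."""
    if isinstance(value, str):
        return DATE_RE.sub("[DATE-REDACTED]", PAN_RE.sub("[PAN-REDACTED]", value))
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact_value(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact_value(v) for v in value)
    return value


class PiiRedactionFilter(logging.Filter):
    """Scrub each record before a handler writes or ships it."""

    def filter(self, record):
        record.msg = redact_value(record.msg)
        if record.args:
            record.args = redact_value(record.args)
        return True


def demo():
    """Log constructed sample data through the filter; return the emitted lines."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(PiiRedactionFilter())  # attach to the handler that exports logs
    log = logging.getLogger("kyc_demo")
    log.handlers = [handler]
    log.setLevel(logging.DEBUG)
    log.propagate = False
    # Constructed sample values, not real customer data.
    log.debug("KYC mismatch for PAN ABCDE1234F, DOB 14/08/1990")
    log.debug("payload=%s", {"name": "Test User", "pan": "ABCDE1234F", "dob": "1990-08-14"})
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

The date pattern masks every date-shaped string in the message, not only dates of birth, which errs on the side of over-redaction.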

Every member of the software team must stay up to date on the latest regulations and wear their compliance hat during all of their daily tasks. When in doubt, they must always consult with a Compliance Officer.

Data Protection

Large-scale data leaks are frequently reported in the news. Companies must invest in safeguarding their customers’ data. The consequences of leaks can be severe, and the regulator may take disciplinary action. As organisations expand, unscrupulous fraudsters seek to exploit vulnerabilities in application software.

Vulnerability Assessment and Penetration Testing (VAPT) of all company software applications is a good way to protect against external threats. It is also recommended to use software protection layers to prevent Denial of Service (DoS) attacks. Database credentials and API keys must be rotated regularly.

External actors are not always to blame; internal teams or outsourced executives can also be responsible. Companies that outsource their telemarketing or hire direct sales agents must ensure that the data is only available when needed. Role-Based Access Control (RBAC) is a critical component that must be implemented in all company applications. Access must also be reviewed regularly.

Data Privacy

One side of the coin is the loss of sensitive data due to malicious intent. The unintentional leakage of sensitive data is another frequently overlooked aspect. 

Employees and executives, for example, might use free online tools to format or view data such as JSON, HTML, and XML. Executives in charge of operations may even upload sensitive data such as customer ID cards to convert format or right-size the images. These are vulnerabilities that can be mitigated through effective risk management. A regular internal audit of all teams/divisions by compliance and software teams can aid in the identification of these issues.

The amount of data that mobile apps collect from their users is mind-boggling. Some of the data collected by digital lending companies has been misused. The contact list of users is a prime candidate. Customer harassment by digital lending companies calling/messaging mobile contacts has been reported. While customers can deny many of the app permissions, they often grant them out of desperation to obtain a loan and ignorance of the consequences.

Users share their data with companies with the expectation that it will be used. Companies must commit to this, and it is their responsibility to follow through. Lending companies are increasingly using and reselling customer data for non-lending purposes. It is no surprise that the RBI is now attempting to correct the situation through appropriate regulation. The regulator’s most recent memo prohibits digital lending companies from collecting any sensitive data from mobile apps.

User Consent

Consent is an important aspect of Data Privacy. Customers must be informed about the data being collected, how it will be used, and given the option to deny or later request deletion of their data. 

It is unclear whether the disclosures are adequate. The disclosures could be reviewed and verified by an external auditor. The major technology companies are doing their part to protect the interests of their customers. For example, Google Play is scrutinising all of the popular apps on their platform to ensure that the Data Usage disclosure is present and adequate. Apple’s App Store has always had a strict approval process.

The legal language and length of these disclosures are the problem with informed consent. Users frequently scroll down and accept these terms and conditions. The compliance team must collaborate closely with the design and user experience teams. This will ensure that the user is informed in the simplest way possible and is not confused or unaware of how their data will be used.

Certifications

Regulators require digital lending companies to follow various Information Security & Management (ISM) standards. The RBI has an IT framework for banks and non-bank financial companies. The card industry has the Payment Card Industry Data Security Standard (PCI DSS), which all companies that process card-based payments must follow. In addition, there is the global ISO 27001 standard.

The new Data Protection Bill was recently withdrawn to be revised. If cleared quickly, it has the potential to reduce rampant misuse of customer data not only in the lending industry but across industries.

Adopting one or more of these standards, depending on their applicability, will not only be mandatory but will also help gain customer trust. The RBI and other regulators have emphasised the importance of regulated entities not only obtaining these certifications but also ensuring that all of their vendors have the necessary security measures and certifications.

Product & Business Development Lifecycle

All of the above requirements must be woven into the fabric of product and business development at digital lending companies. Before sourcing or entertaining a new client, business development teams must understand the contours of regulation. Product development teams must understand regulatory nuances. 

Every minor decision or feature added to the product or customer journey may result in a compliance violation or a security hole. For all of their daily work, software engineers must wear their compliance hats. The compliance officer must educate and raise awareness about the latest regulations that apply to the company not only with the technology teams, but also with all other departments such as customer service, operations, finance, and so on.

Conclusion

Credit and lending services have existed for centuries. What is changing is the delivery of these services via mobile phones and the distribution of sachet sizes to those in need. Technology is a great leveller, allowing the underserved and unserved to gain access to previously inaccessible services. Regulation exists in lending to protect the most vulnerable. 

Digital lending companies must accept the regulation and stop exploiting any potential loopholes. They must follow the regulations both in spirit and in letter. All of this requires a significant shift in the culture of software development and technology. The good news is that the regulator is willing to talk and can assist in the technological disruption of lending.

Note: The views and opinions expressed are solely those of the author and do not necessarily reflect the views held by Inc42, its creators or employees. Inc42 is not responsible for the accuracy of any of the information supplied by guest bloggers.
