Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

Peer to Peer Lending Platforms and Regulatory Compliance

Posted by Vijayashankar Na on July 4, 2017
Posted in Cyber Law  | 2 Comments

Peer to Peer Lending (P2P lending) is a relatively recent innovation in the “FinTech” business space. It is an interesting development enabled by the development of technology platforms which can bring together people with complimentary needs instantly.

The Uber, Ola platforms are similar. BlaBla cars and other car pooling mechanisms are also similar attempts. Out of these, taxi operators have now been brought under a regulatory regime as if the technology platforms are themselves taxi operators. Even the GST has specified the manner in which these taxi operations will be taxed. States have already passed legislations in their transport laws on regulatory mechanisms for these entities. E Commerce market places including OLX or Quikr etc dealing with “Goods” on a peer to peer basis also have been operating for some time under the regulations of ITA 2000/8.

However, P2P lending is in the financial sector and may have to be dealt with differently when it comes to regulations. P2P lending is a system where persons with surplus money to invest will directly lend to persons who require to borrow. It therefore comes close to what may be called “Banking” which is a heavily regulated sector by tradition. Apart from Banking regulation act, RBI act, there could be other legislation that limit the rate of interest or manner of recovery etc. We need to therefore look at this sector differently from other technology platforms dealing with C2C transactions.

We are aware that the classic definition of “Banking” is “Accepting Deposits from public for the purpose of lending”.

According to RBI Act,(Section 5), Banking is defined as

 “banking” means the accepting, for the purpose of lending or investment, of deposits of money from the public, repayable on demand or otherwise, and withdrawal by cheque, draft, order or otherwise;)

The P2P lending IT Start Ups are proposing to set up a platform which will register “Borrowers” and “Lenders” and try to match the borrowers and lenders in to a personal loan contract. In between the service provider takes the “Commission” or “Brokerage” or “Service Charges”.

Unlike a Bank, the P2P platform does not borrow and pay interest to the depositor and also does not lend and collect interest from the borrower. It therefore remains outside the transaction and acts only as a match maker.

There is no doubt that this so called “Innovation” does overlap with the function of “Banking” and requires RBI to take a policy view.

Currently, any entity that tries to take public money is either working  as a “Bank” or “NBFC” or a “Payment Bank” under the regulations of RBI or as an entity that is regulated under the issue of securities by SEBI. Individual Money lenders are not permitted to release public advertisements and collect deposits from the public. It is however possible for individuals to borrow money from other individuals directly on one to one basis by private negotiation.

Apart from these regulations on who can take deposits from the public and how, there are regulations on the maximum interest that can be charged as well as Tax Deduction at Source. There are State level laws on “Chit Funds” that also may affect loans within a common group.

One of the main risks that RBI has to worry about is “If a large number of public are lured into investing in the P2P platform based on the brand name of the platform and if they are unable to recover their money and the platform goes bust, then will the RBI have served a public cause.

The Sharda scam and various other Chitfund scams which we have seen through out our lives indicate that when money is collected from the public at rates of interest that are higher than what is offered in the Banks, public will not be able to identify it under a “Risk-Reward” equation. They will move money from Banks and hope to earn more without understanding the difference in Risks associated with the lending. The failure of CRB Capital Markets around 1996 introduced the “Credit Rating Scheme” for Deposits of NBFCs. This accelerated a huge shake up in the then thriving NBFC industry and hurt even major players. Only a handful of them like Sundaram Finance and Shriram survived.

The risk of such scams re-surfacing in the form of P2P lending cannot be ruled out. Hence “Regulation of P2P platforms” is extremely critical for a healthy development of the Financial Services activity.

Innovation cannot be Destructive in the guise of being Disruptive:

In the last month there have been a buzz in the industry that RBI is about to come up with a guideline for P2P lending.

In particular I draw the attention of the public to the following articles:

‘RBI guidelines on P2P lending platform likely by June-July’-Economic Times

RBI proposes P2P lending regulations-Livemint.com

RBI Finalises Norms For P2P Lending Platforms; Final Guidelines To Be Out In 2-3 Weeks-inc42.com

RBI guidelines to act as a growth catalyst for P2P business-Yourstory.com

RBI guidelines to act as a growth catalyst for P2P business Investors eye RBI move

Investors to eye RBI Move to regulate P2P lending-Luthra &Luthra

In April 2016, RBI had released a consultative paper for public comments on the proposed P2P lending platforms. Afterwards like many consultative papers, this had also gone into hiding and it appears to have suddenly re-surfaced in the last week. This obviously indicates a Public Relations Exercise undertaken by some vested interests which wanted to create a favourable mood in the market before RBI comes out with its announcement.

Looks very similar to the behind the scene machinations seen in the Bitcoin regulation push. Like in the Bitcoin push, here also there seems to the Finance Ministry which is involved in the policy making. According to one of the sources, the comment “The guidelines should be out soon. The norms will be out before July-end.” was attributed to a Finance Ministry official and not RBI.

Finance ministry also seems to have given a micro instruction that  it proposes “to register these institutions as Non-Banking Financial Companies (NBFC)” completely taking over the decision making from RBI to itself.

As per the proposed guidelines which is no longer a secret and already fixed for RBI to sign on the dotted line, the regulatory framework would majorly encompass the following regulations:

  • Permitted Activity: The platform could be registered only as an intermediary and will be prohibited from giving any assured return either directly or indirectly. It will be allowed to opine on the suitability of a lender and creditworthiness of a borrower and will prohibit the platforms being used for any cross-border transaction.
  • Prudential Requirements: Prudential requirements will include a minimum capital of INR 2 Cr, with a prescribed leverage ratio and prudential limits on maximum contribution by a lender to a borrower/segment of activity.
  • Governance Requirements: This includes a set criterion for promoters, directors, and the CEO, with preference to a financial sector background. Also, the guidelines may also require the P2P lender to have a brick and mortar place of business in India.
  • Business Continuity Plan (BCP): The platforms need to put in place adequate risk management systems for smooth operations. A BCP and backup for the data needs to be put in place since the platform also acts as a custodian of the agreements/cheques etc.
  • Customer Interface: Confidentiality of customer data and data security would be the responsibility of the platform. P2P lending platforms may be prohibited from promising or suggesting a promise of extraordinary returns. Also, the current regulations applicable to other NBFCs will be made applicable to the P2P platforms in regard to recovery practice.
  • Reporting Requirements: Platforms will need to submit regular reports on their financial position, loans arranged each quarter, complaints etc. to the Reserve Bank. The bank may come out with a detailed reporting requirement.

The indications are therefore clear that some influential entity has ensured that the Finance Ministry will take the decision and push it down the throat of RBI as in the case of the Bitcoin regulation.

In the light of this development we saw a news report today in Times of India stating that a new venture “billionloans.com” has raised $1 million funding from Reliance owned Reliance Capital Trust

Fine. We now know why there is so much interest in the guidelines being issued to regulate P2P lending. Now we can wait for the actual guidelines to come out.

While I donot cast any aspersions on the new venture referred to above, when I made a cursory glance at the website, it was clear that the project is in a shoddy state of compliance and if this is an indication of the “Due Diligence” that Reliance Capital has done, it reflects poorly on their expertise.

At the same time, unless there is a major change, it appears that Mr Bala’s reputation will be at stake in this venture. I would take this opportunity to alert him that associating with a finance activity with low level of compliance culture is a huge risk. There is no need to remind us of what is the problem Sahara Chairman is having. In the past even General Manek Shah and Sachin Tendulkar had difficult times due their association with some companies.

My first impression on billionloans.com website was that they have simply lifted the terms and conditions from a US company. It is otherwise funny to see that dispute resolution is by a binding arbitration under the laws of US by the US based Arbitration Council.

The first para of the dispute clause states

“This Agreement is governed by the laws of the State of California, USA, without regard to its choice of law or conflict of law provisions. If any dispute arises between you and billionloans, including, without limitation, any dispute arising from or relating to the Website or the Program, you agree that all such disputes will be determined exclusively by final and binding arbitration, in accordance with the then existing commercial rules of the American Arbitration Association in San Francisco.

The arbitration shall be heard and adjudicated by one arbitrator to be selected by you and billionloans…”

“Any award will be final, binding and conclusive upon the parties, subject only to judicial review provided by California statute, and a judgment rendered on the arbitration award can be entered in any court having jurisdiction thereof…

Notwithstanding the foregoing, either you or billionloans may seek any injunctive relief in a state or federal court in San Francisco, California, as may be necessary to preserve rights pending the completion of arbitration and billionloans may seek any injunctive relief in a state or federal court in San Francisco, California, or another court of competent jurisdiction, at any time against any violations of Section 2 (Proprietary Rights) or Section 3 (Acceptable Use) of this Agreement.”

The Company should know that India has an Arbitration Act and if they want to sell their services in India they need to abide by the Indian regulations.

The second para of the clause does mention Indian laws by stating

“This Agreement shall be construed and interpreted in accordance with the laws of India and the courts and tribunals in Bangalore shall alone have the jurisdiction thereof. . If any dispute arises between you and billionloans, including, without limitation, any dispute arising from or relating to the Website or the Program, you agree that all such disputes will be determined exclusively by final and binding arbitration, in accordance with the laws of India and the courts and tribunals in Bangalore shall alone have the jurisdiction thereof.”

In the light of the first para, I donot know what is the force of the second para and whether it will stand. What it could mean is that after the arbitration by the US arbitration tribunal, if there is an appeal it can be taken up in the Bangalore Court and we all know that it will be thrown out in the first sitting itself.

I want RBI to be aware that this is the attitude of the P2P Platforms that they may register and permit raising money from the Indian public. If tomorrow a scam surfaces, RBI cannot say they were not forewarned.

As regards the risk of loss for the lenders, the platform engages the services of “Field Partners” who will be the local agents who will have direct contact with the borrower or the lender. They will be like the branch managers of the finance companies who will be there today and vanish tomorrow and not liable for the repayments. They will be mules who will take the blame while the Platform owners may say they are not liable.  These mules will be helpless and take the blame if the investor loses his money. The “Field Partner” may also be the local muscle man who is using your money for funding his lending activity and will be untouchable if there is a dispute.

The repayment terms include the following wordings

“If, for any reason, the Field Partner(s) are unable to collect Loan repayments directly from the Borrowers or if billionloans, for any reason, is unable to collect Loan repayments directly from the Field Partner(s), repayment of your Loan could be at risk of partial or total delay or non-repayment and a loss of some or all of your principal could occur.

You hereby acknowledge and agree that billionloans is obligated to repay only such Loan principal to the extent actually received by billionloans from a Field Partner with respect to a Borrower. None of billionloans, its Field Partner(s) or any Borrower will have any obligation to pay interest on the Loan or other fees or amounts (other that as expressly set forth above) to you or any other Lender in connection with any Loan you make. billionloans and Field Partners charge fees and interest on loans posted on the Website to Borrowers, for example, cover their operational expenses……If for any reason less than 100% of your Loan is repaid, you agree that billionloans and its Field Partners shall have no liability therefor, and you hereby release and forever hold harmless billionloans and its Field Partners for any loss you may incur. You should consult with your accountant and/or tax advisors to determine the appropriate tax treatment of such a loss..”

This essentially protects the platform and its agents and places the entire credit risk on the lenders who have no control on the recovery process and have to blindly trust the “Field Agents” that the P2P platform engages.

The aggregate liability that the P2P platform owner is accepting is indicated here

“Notwithstanding anything contained in these terms of use, billionloans’s aggregate liablilty to the Lenders, Field Partners and/or Borrowers for any damages shall not exceed the amount of total introducers fees received by billionloans from the user and end user..”

What this means is that in the unlikely event of a liability arising, Billionloans will payback the 2% or 3% commission that it has collected on the transaction. (P.S: There is an exception however in case of Date Protection related loss).

Another issue which most of the P2P service providers need to check now is the impact of GST on the transaction. Both the lender and the borrower needs to pay GST since they avail service from the platform and the Field agents. The net return of the lender gets adjusted for the tax effect which will be 18% either way on the service charges. Since both parties are likely to be unregistered but the intermediary is registered, there could be “Reverse Charge” for the platform owner and he may have to jack up the fees to cover this loss ultimately recovering it from the service users.

While billionloans collects sensitive personal information, there is no recognition that the Company is either liable under Section 43A or under 79 indicating how unprepared they are in running a business of this nature.

I am not sure if other P2P lenders who are also in the market as are as bad as billionloans.com in designing their terms but it is unlikely that they will be much better.

It is such entities that the RBI is now required to register and for the sake of being considered progressive, have to cannibalize Bank’s deposits and simultaneously endanger the community’s interests.

Bank interests are likely to remain low and come down further in the coming months and at that time if the P2P lenders enter the market with funds from Venture capitals to advertise, it would not be difficult for them to divert not only Bank deposits into their coffers but also poach into the profitable consumer loan portfolio of Banks.

Unless the P2P platform is owned, managed along with liability ownership, by a licensed banking institution that maintains Capital as per the Basel II/III norms, the P2P lending is a high risk venture from the point of view of the public interest.

I suppose RBI will be strong enough to resist the pressure from the Finance Ministry and uphold what is correct from the principal of prudent lending.

I wish RBI as well as the Finance Ministry under Mr Arun Jaitely responds to this post with its views. In the meantime, members of the public who happen to view this may kindly share this with other prudent Bankers and send in their comments.

I have sent an e-mail to billionloans.com in the morning itself seeking their comments and if they provide any rejoinder, I will be happy to publish it here.

I suppose that some corrective action will be taken by billionloans though there is a major change required in their business model if this business has to come anywhere near acceptance in India.

The ball is however in the Court of RBI and I look forward to a good decision from them. It would not be sufficient if they simply publish a guideline and expect the technology companies to comply. What can be guaranteed is that the technology companies will completely ignore the regulation and do what they want and RBI will keep the responsibility for allowing such businesses to loot public money.

Naavi.org will be closely watching the identity of the particular officer who will eventually pass the regulation and mark him for responsibility if things sour some time in the future.

Naavi

On June 8, 2017, RBI issued an important document containing guidelines for Information Technology Framework for NBFC sector. The Master Direction sets detailed guidelines for managing the IT infrastructure by  NBFCs in order to enhance the safety, security and efficiency of IT operations. The guidelines are on the lines of the Gopala Krishna Working Group (GGWG) recommendations for Banks and cover

  1. IT Governance
  2. IT Policy
  3. Information and Cyber Security
  4. IT Operations
  5. IS Audit
  6. Business Continuity Planning and
  7. IT Services Outsourcing.

Subsequently in 2016, a Cyber Security Framework for Banks was also mandated.

While the directions proceed on expected general principles of Good IT Governance, it is interesting to note that the Information Security has been defined to include “Authenticity” as one of the basic tenets apart from the well known CIA principle (Confidentiality, Integrity and Availability). The Total Information Assurance model which the undersigned recommends is on the similar thought process and infact extends it to the fifth tenet which is “Non Repudiation”. “Non Repudiation” is an extension of “Authenticity” and hence we can equate the new RBI quartet of CIAA as not different from Naavi’s adoption of CIAA and Non Repudiation.

The IS policy is recommended to be built on

  1. Identification and Classification of Information Assets. NBFCs shall maintain detailed inventory of Information Asset with distinct and clear identification of the asset.
  2. Segregation of functions: There should be segregation of the duties of the Security Officer/Group (both physical security as well as cyber security) dealing exclusively with information systems security and the Information Technology division which actually implements the computer systems. The information security function should be adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there should be a clear segregation of responsibilities relating to system administration, database administration and transaction processing.
  3. Role based Access Control Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented.
  4. Personnel Security A few authorized application owners/users may have intimate knowledge of financial institution processes and they pose potential threat to systems and data. NBFC should have a process of appropriate check and balance in this regard. Personnel with privileged access like system administrator, cyber security personnel, etc should be subject to rigorous background check and screening.
  5. Physical Security The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. NBFCs need to create a secured environment for physical security of IS Assets such as secure location of critical data, restricted access to sensitive areas like data center etc.
  6. Maker-checker is one of the important principles of authorization in the information systems of financial entities. For each transaction, there must be at least two individuals necessary for its completion as this will reduce the risk of error and will ensure reliability of information.
  7. Incident Management The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
  8. Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
  9. Public Key Infrastructure (PKI) NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation.

It is interesting to note that RBI stops at making a suggestion that NBFCs may increase the usage of PKI and does not go for a mandate though any prudent NBFC would like its operations to be fully compliant with the law of the land though the regulatory authority has given them a certain cushion.

A separate mention has been made of a “Cyber Security Policy” though experts would consider both Information Security and Cyber Security as inter dependent.

As indicated in the Cyber Security Framework (CSF) for Banks, the directions require that “The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among the stakeholders including employees may also form a part of this assessment.”

Similarly, a “Cyber Crisis Management Plan” has also been suggested which includes DEtection< Response, Recovery and Containment principles. As in the CSF, it has been stated that NBFCs are “Expected” to  be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.

A specific mention has also been made of the necessity to take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

Additionally, a Cyber Incident Reporting mechanism has also been suggested on the format similar to that meant for the Banks and the reporting has to be done within 24 hours. (Format)

On the mobile, “End to End Encryption” has been mandated to maintain information security. A warning has also been sounded on the risks of using Social Media for marketing and the possibility of malware distribution through this channel.

For smaller NBFCs with an asset size of less than Rs 500 crores, it has been suggested that the appropriate Information Technology policy is put in place by September 30, 2018.

In summary one can observe that RBI like its earlier guidelines, is washing its hands off by sending out a circular. It has been observed that RBI does not normally care to follow up on implementation of any of its Information Security related circulars at least as we have seen in the Banking sector. Hopefully they will be more pro active in implementation since NBFCs are not as powerful as Banks and cannot arm twist the RBI.

Naavi