Face code of conduct

CONTEXT

In today’s rapidly evolving digital landscape, the financial industry has witnessed a significant transformation, particularly in the realm of lending. With the advent of digital lending platforms, access to credit has become more convenient and inclusive for individuals and businesses across India. Millions of customers have trusted and adopted digital loans, enhancing their participation in an inclusive digital economy. The robust digital public infrastructure and policy framework by the Government of India has played instrumental role in boosting the digital lending. Regulators, policymakers and the financial lending community see enormous potential in digital/fintech lending1 to deliver financial inclusion. However, the promise and long-term sustainability of digital lending hinges on customer trust and confidence in it to meet life goals and improve their financial situation. An inclusive, suitable, transparent, responsible, and secure lending ecosystem underpins customer trust and empowerment and requires a strong foundation built on responsible finance and ethical practices by lenders. This is where a comprehensive Code for digital lenders becomes crucial. Universal customer protection principles in financial services apply equally well to digital loans. Nonetheless, the unique characteristic of digital loan journeys, risks, and interaction of technology and data requires differential and nuanced implementation of the principles. RBI Digital Lending Guidelines (DLG) and many other regulations comprehensively cover customer interests and protection in digital lending. This Code is a self-regulatory standard committed by FACE members to advance customers ’interests and safeguard against harm. It builds on and complements the regulatory norms as the bedrock in driving a robust lending ecosystem and adopting responsible lending with clear and measurable rules for all market participants. The Code reflects the rights and standards customers are entitled to as guarantees that FACE members voluntarily commit to. We drafted the Code keeping the customers in mind with fairness, good faith, and reasonability as underlying themes. For comprehensiveness, the Code incorporates regulatory instructions where relevant and necessary.

COVERAGE

The Code squarely focuses on protecting and advancing the interests and outcomes of customers of digital loans by adding, complementing, and reinforcing customer protection and conduct laws and regulations. The Code does not aim to substitute and contravene customers’ legal rights and protection under various regulations and laws. In case of contradiction or discrepancy, the laws and regulations will always prevail over the Code. The Code does not cover many other obligations companies may have under various laws/regulations, including governance, prudential, risk management, reporting, employees, technology, investors, and corporate social responsibility while recognising that they have a bearing on customer outcomes. The Code defines the customer widely as an individual(s) or entity(s) of digital lending2 , having an existing loan or planning to take a loan. The Code is mandatory for all FACE members, both regulated and non-regulated entities directly interfacing with customers in facilitating digital loans. We expect members to implement the changes to align with the Code within three months of the release date. New FACE members will have three months to implement the Code. Given the spirit behind the Code, we invite the digital lending community beyond our membership to adopt and follow the Code voluntarily. The Code is subject to review and changes by the FACE Board with feedback from members and stakeholders to align with evolving regulations, market environment, technologies and customer learnings to ensure that the Code maintains stewardship of ethical lending practices. Any changes in the Code will be notified to members with timelines of adherence to such changes.

A Code of Conduct (Code) serves as a guiding framework that outlines the principles, values, and standards that digital lenders must adhere to in their operations. It sets the expectations for responsible behaviour and promotes a culture of transparency, fairness, and integrity. In the context of the Indian market, where financial inclusion is a pressing goal, a robust Code becomes even more important to safeguard the interests of customers and maintain overall stability and trust in the lending ecosystem. Responsible finance lies at the core of a Code. It emphasises the need for digital lenders to act in the best interests of their customers, ensuring that lending practices are fair, transparent, and aligned with the customers’ financial well-being. This includes providing clear and accurate information about loan terms, interest rates, fees, and repayment obligations. Responsible finance also encompasses assessing customers’ creditworthiness and establishing appropriate safeguards to prevent over-indebtedness. The pillars of ethics, integrity, governance, and values-based behaviour form the foundation of a strong Code. These principles guide digital lenders in making ethical decisions, conducting themselves with integrity, and upholding the highest standards of corporate governance. They promote a culture of compliance, risk management, and accountability, where lenders prioritise the longterm interests of their customers and the sustainability of the lending industry as a whole. A well-defined Code also plays a vital role in fostering trust and confidence among customers and investors alike. By adhering to ethical practices and demonstrating a commitment to responsible finance, digital lenders can build strong relationships with their customers, earning their trust and loyalty. Moreover, a transparent and accountable lending industry attracts more investors and capital, fueling the growth and sustainability of the digital lending ecosystem in India. As the digital lending landscape continues to evolve, it is essential for industry participants, regulators, and stakeholders to collaborate in developing and enforcing a comprehensive Code. This code should be adaptable to changing market dynamics and incorporate emerging technologies, while also upholding the principles of responsible finance, ethics, integrity, governance, and valuesbased behaviour.

INCLUSIVITY

1. Do not discriminate3 against customers based on personal identities or attributes like religion, caste, gender, colour, beliefs, marital status, sexual preference, age, physical abilities, or other characteristics.
2. Treat the customer with professional integrity, dignity, empathy, and respect as per accepted socio-cultural and civil norms. Never resort to physical/verbal/ mental harassment, threats, or intimidation - either directly by own teams or appointed/outsourced agencies.
3. Use data or credit models, including AI/ML models, in a way that does not lead to unfair discrimination or bias against specific identities. Periodically6 assess and update the credit underwriting algorithm for their use of comprehensive, objective, and diverse datasets and outcomes to identify and address prejudices.
4. Document and audit7 the underwriting model logic for reliability and attribution to outcomes and potential unfair discrimination in determining creditworthiness, risk profile and pricing.
5. Take proactive measures8 to solicit the participation of specific excluded groups for reasons such as lack of digital awareness, education, disability, age, gender, steady income, tailored to their specific challenges while avoiding missell or pushing unsuitable products which are not in tandem with customer’s awareness and needs.

APPROPRIATENESS

6. Capture sufficient and need-based information on a customer (with their informed prior consent and privacy/safety safeguards9) and verify the accuracy of information to know their identity (name, dob/age, KYC IDs), contactibility (email, phone number, location), credit need and repayment capacity (occupation, income, cashflows, existing credit obligations, past credit behaviours and alternate data points such as purchase/transaction history) in an auditable way.
7. Ask customers to give accurate information, including KYC, contact details, income, and liabilities, and promptly update their details for any change, including material changes in their financial circumstances.
8. In line with regulatory instructions10, leverage comprehensive, multiple, and diverse objective data points11 necessary for evaluating customers’ creditworthiness continuously, with explicit and informed customer consent, complying with data protection/retention practices.
9. Verify the accuracy of information of the customer to assess eligibility and take the onus to offer suitable credit considering target customers’12 needs, financial circumstances, cashflow cycles, preferences, existing debt/repayment obligations, borrowing requirements13, repayment capacity14 and risk profile.
10. Use the customers’ latest information (with customer consent) from the credit bureaus for existing debt/repayment obligations and repayment behaviour, to avoid over-indebtedness.
11. Caution and educate the customer to borrow carefully, considering the ability and affordability to repay throughout the loan duration after clearly explaining all terms and conditions of the loan product.
12. Develop secure and customer-friendly interfaces on DLAs/websites to avoid the risk of mistaken transactions and unauthorised use.
13. Take reasonable and appropriate steps to ensure customers do not use credit for harmful or illegal activities in line with anti-money laundering and counterterrorist financing (AML/CFT) laws, such as terrorism, narcotics, substance abuse, gambling, and firearms.
14. Give prior and timely notice to customers for changes in credit-line limit with the option to opt-out but an increase in credit limit should only be with the explicit recorded consent of the customer15.
15. Provide customer convenient options to pre-close the contract, including during the cooling-off period or early repayments anytime as per regulatory directions with necessary information about charges, terms and conditions and related consequences16.
16. Provide customer options to restructure the loan and repayment terms, in line with regulatory directions.
17. Formulate an interest rate framework that factors the industry benchmarking and affordability and suitability for the customers along with the cost of funds, risk, operational cost, and commercial viability.
18. Formulate the charges (processing fee, disciplinary/penal charges17, contingency fee) to strike a reasonable balance between commercial viability and not unduly increasing the customer’s indebtedness and financial burden considering the outstanding loan and their peculiar circumstances and characteristics like economic vulnerability, disability, income etc.
19. Apply changes in the pricing prospectively and with a reasonable notice period of at least 15 working days with an option to opt-out if the customer chooses.
20. Take customer feedback to understand if the loan served the intended purpose.
21. Assess customers leverage on a sample basis across various dimensions/ cohorts/products to understand markers of over-leveraging or stress.
22. Ensure that the loan transactions to and from the customer follow the DLG18.
23. Ensure that apps, websites, and other digital channels used to provide or support loans or services meet the most appropriate technology and cybersecurity standards, including customer-facing digital interfaces meeting the appropriate standards for accessibility and usability.
24. Adopt safeguards19 for online security in a customer-friendly manner while accessing account over DLA/website and providing disclosure documents, account statements, notices, and other prescribed information, digitally.
25. Assess emerging cybersecurity risks, including those arising from new products, partnerships, and channels. Implement new security measures as needed.
26. Ensure privacy of customer data in partnership agreements with thirdparty agencies.

TRANSPARENCY

27. Formulate disclosures keeping the intended customer in mind. The disclosure should be simple, legible, and unambiguous, covering all key terms and conditions. It should avoid any falsehood/deception. Disclosures should be communicated at appropriate times20 in manner and language easily understandable to customers for customers make informed decisions.

28. Provide practical and most important information through FAQs or other user-friendly ways to customers to explain products, benefits, risks and costs of digital loans and how to safeguard account and personal information and mitigate against cyber frauds, illegal lending apps, etc.

29. Communicate in English and in languages available on DLAs, but if the customer requires, provide explanations in the language they understand and feel comfortable in.

30. Explain key technical/legal terms in plain English or local languages whenever required by the customer.

31. Encourage customers to read the key terms and conditions21 and harness customer-friendly financial education tools to build customers’ understanding and confidence in making informed decisions and choices for credit.

32. Provide up-to-date information about the company and pre-sale information about products/services, as under, on DLA/website ■ Trading and registered name and contact details ■ Digital lending partnerships with specific functions, including partnerships with regulated entities, loan service providers, recovery agencies, and links to their websites, if available. ■ Product disclosure documents (features, eligibility, amount, tenure, repayment schedule, KFS) ■ Pricing including interest rate, processing fee, APR, penal charges on late payments 22and other contingent fees, including how these fees will be computed and the cap (min and max) amount of these fees with clear examples ■ Most important and standard terms and conditions ■ Sample loan agreement ■ Complaints redressal process including TAT, escalation mechanism to RBI, as applicable. ■ Modes of repayments, including conditions for pre-closures/part-payments, if applicable ■ Privacy policy23 with explanation on what, why and how of data collected, used, processed, stored, shared with third parties and protected

33. Inform the customers about loan terms and conditions in line with RBI DLG and Fair Practices Code24 to cover all critical points as per Annex. Make this information readily available in a user-friendly manner to customers in their loan documents, DLA app login, and website. Material information for customers including loan schedules, pricing, penalties, and customer grievance redressal, the impact of default or delayed payment, the recovery process should be available explicitly and prominently for customers’ easy reference.

34. Allow the customers access to their loan account details for the whole contract period through secure log-in to DLA/website, including the account details, statement, repayment schedule, amounts due, segregated by interests, principal, penalties, receipts for payments, closure, notices etc. Assist a customer who is facing any difficulty accessing loan account details over DLA/website login.

35. Inform the customer about the rejection of the loan application, along with reasons, professionally and maintain an open attitude towards customers whose digital loan applications have not been considered positively.

36. Notify the customer at least 15 working days before any changes in the loan contract to the customer’s detriment or disadvantage, such as introducing new fees or increasing existing fees, with the option to close the contract without any financial penalty.

37. If a change in the terms and conditions is not to the customer’s disadvantage, it can be made immediately, but the customer should be notified within 30 days.

38. Send timely reminders (before the due date) to customers for upcoming payment obligations, clearly highlighting the due date, auto-debit of instalment if applicable, the amount due, means of payment, and consequences/penal changes of defaulting on payment obligations.

39. Submit accurate and timely data of the customers to the credit bureaus.

PRIVACY

40. Inform the customer about company’s privacy policy with respect to customer data.
41. Collect proportionate and reasonable information that is necessary for the clearly-stated purpose within a well-defined consent framework defined in the privacy policy as under ■ registry of data collected from customers, when and how25 and for what purpose ■ whether the data is mandatory or optional and the implication of not sharing optional data in accessing the products/services ■ what and how data will be sourced from26, shared with and used by third parties, including details of the third parties ■ how data will be stored and secured, including inscription, the retention period of data ■ potential of harm and risks ■ cybersecurity processes to protect data and funds ■ customer rights and options to revoke and change consent, including the editing/updating and destruction of data ■ process in case of data breach, including intimation to the customer, measures to address the breach and mitigate the effects of the breach
42. Use the customer’s personal data for only purposes that have been notified.
43. Capture, use, transmit, share, retain, store, and destroy customer data in line with prevailing regulations and laws.
44. Ensure customers have meaningful choice and control over their data— including through informed consent based on clear, simple, comprehensive, and appropriate privacy disclosures in relevant languages.
45. Provide customers modular choice when giving consent. For example, selecting optional data points they want to share, or say third parties with whom data can be shared etc.
46. Give clear options to customers to give/withdraw consent on the use of their data and operationalise customer consent in a timely manner with auditable trails for the same. The process for withdrawal of consent should be as intuitive as the process for giving consent.
47. Put appropriate technical and operational safeguards and periodically upgrade them against cyber frauds, identity theft, and misuse of KYC and other personal information, including process to deal with data theft, breach, or compromise.
48. Support the customers who are victims of identity theft in getting all information necessary to clarify the case without undue delay and according to clear procedures. Do not burden them with any costs associated with the fraudulent digital loan.
49. Educate customers about security safeguards to protect them against unauthorised use of personal/financial data that may lead to fraud including reporting suspicious transactions.

PROMOTION

50. Advertisements of products and services should comply with Fair Advertising Standards by Advertising Standard Council of India.27
51. Advertise responsibly, building knowledge of customers and avoiding false promises. Take precaution that promotional material is not misleading or deceptive by omitting or hiding material information including risks28 or presenting it in an vague or untimely manner.
52. Disclose fees or late charges clearly and upfront for ‘pay later’ products in the language and manner understandable to customer and not give the impression that such products are invariably ‘suitable’ and ‘no-cost’, and ‘riskfree’ to customers.
53. Do not ■ exploit customers’ lack of knowledge or experience to suggest that incurring liabilities through digital loans may solve persistent financial problems or excessive debt ■ sell credit as a solution to deal with financial stress ■ push customers to unsustainable spending behaviour harming their financial health. ■ exploit customers’ data patterns to drive irresponsible borrowing and debt traps.
54. Desist messages that may violate the reputation of other companies operating in the market.
55. Take explicit opt-in from customers to receive promotional material and provide an option for an easy opt-out.
56. Avoid aggressive solicitation, particularly where in-person marketing channels are used.
57. Take separate and specific customer consent to pass the customer’s details (name, email, phone and address) to any company, including group companies, for marketing and advertising purposes.
58. May inform customers about another company’s services or products, but no information about the customer should be passed to the other company or within group companies without customer consent.

RECOVERIES

59. Institute a standard operating procedure for customers approaching for support financial hardship, including new mutually acceptable payment arrangements based on objectively analysing customers’ financial circumstances, repayment capacity30 and past behaviour.
60. Guide customers to connect with free and independent debt counselling services, where appropriate.
61. Train employees to empathically deal with such customers.
62. Repeatedly31 notify about consequences of overdue repayment, including penal charges, legal proceedings, reporting to the credit bureau and involvement of recovery agency/agents.
63. Strive for an amicable resolution and propose measures and methods of payment that will allow the repayment of outstanding liabilities in the least inconvenient manner for the customer.
64. Inform the customer if the company assigns a recovery agency for the collection.
65. Institute a clear SOP on recoveries for employees, and third-party recovery agents, covering sequential steps for recovery, a point of contact to which customers can reach out for discussion, ethical standards, and escalation matrix.
66. Always maintain decorum and civility in customer communication, regardless of channel mode. Do not abuse, threaten or harass customers. Recovery agents must avoid heavy-arm recovery tactics such as harassment over social media, in physical spaces, reaching out to customers’ contacts, threatening the abuse of sensitive private information among others.
67. Ensure that recovery agents (in-house or outsourced) do not resort to intimidation or harassment of any kind, either verbal or physical, against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude upon the privacy of the debtors’ family members, referees and friends, sending inappropriate messages either on mobile or through social media, making threatening and/ or anonymous calls, persistently calling the customer and/or calling the customer before 8:00 a.m. and after 7:00 p.m. for recovery of overdue loans, making false and misleading representations, etc32.
68. Supervise the activities of recovery agents/employees and their adherence to debt collection practices as per RBI’s Fair Practices Code, Directions on Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs and Notification on Outsourcing of Financial Services - Responsibilities of regulated entities employing Recovery Agents and take appropriate action for violations.
69. Investigate reported cases of infringement of customers’ rights because of debt collection activities and have a policy in place to spell out action taken in the event of such complaints being found to be true.
70. Do not share personal information with recovery agents; ensure payment is deposited directly to a lender’s bank account.
71. Use optimum technology solutions like dialers and automated digital nudges.

REDRESSAL

72. Institute a user-friendly, timely, clear and robust redressal mechanism with clear policy, dedicated function/resources, pathways to file complaints (DLA, toll free numbers WhatsApp numbers, email ids, social media handles) escalation mechanisms, responsibilities, expected turnaround time, and reporting.
73. Prominently display redressal mechanism (channels, escalation, and TAT for various categories of complaints) on DLA, websites, physical locations if any and any communication shared with the customer.
74. Ensure that customer understands the redressal mechanism and encourage them to contact the company directly for any complaints, service requests and questions and dealing with financial difficulties33.
75. Provide transparent and convenient access to the customer to resolve their queries, service requests and complaints. Ideally, there should be an accessible and transparent In-App redressal mechanism as the first port of call for customers.
76. Educate customers about their right and responsibility to use legitimate grievance redressal channels to raise issues related to but not limited to ■ Disclosure related to loan availed ■ Update and correction in their data and records, including contact details ■ Transaction failures ■ Misbehaviour during recoveries ■ Misuse and violation of data consent, rights or privacy ■ Request account statements ■ Help in understanding terms and conditions. ■ Understanding the reason for the rejection of their loan or a reduction in their credit limit. ■ Procedure for recoveries
77. Acknowledge all customer requests for queries, service requests and complaints within three working days along with expected TAT and address them in a reasonable time frame, not crossing 30 working days.
78. In cases where complaint resolution lies with another third-party (for example, related to product/service purchase online), guide the customers to the appropriate channels and support them in obtaining redress
79. If the customer is unsatisfied with resolutions within 30 days of complaints, direct the customer to other regulatory avenues of recourse, such as the Ombudsman.

ADHERENCE FRAMEWORK

COMPANIES

1. Inform and create awareness amongst customers, employees, management, and partners about the commitment to the Code and make it publicly available on the website/DLA.
2. Ensure that all policies, processes, tech-stacks and systems align to norms of the Code and vet any changes for adherence to standards in a timely manner.
3. Take responsibility that all the partners/third-party service providers of various kinds involved with technology, operations, and recoveries are equally aligned to follow the Code relation to any products or services covered by this Code
4. Regularly review and audit the functions for adherence to Code and share the report with Senior management and Board
5. Educate and train all employees on the Code for understanding and commitment to inculcate the culture of adherence to the Code.
6. Train agents and employees interfacing with the customer about product features, regulatory responsibilities, fair treatment of customers, recourse procedures, explaining disclosure documents on request, and acting with sensitivity and respect if the customer is in a vulnerable position and financial hardship.
7. Leverage CGRM to understand lapses and take corrective actions.
8. Carefully choose a recovery agency with comprehensive due-diligence on all relevant aspects.
9. Maintain rigorous oversight on the recovery process for mishandling customer information, misbehaviour with customers or their references, abusive and intrusive communication, social shaming, harassment etc.
10. Conduct due diligence on recovery agencies and their agents on set parameters and provide training on soft skills, communication, dealing with aggrieved/agitated customers,
11. Encourage whistleblowing within the company for violation of the Code with a policy for safeguarding the interests of the whistle-blower, redressal committees etc
12. Display adherence to the Code in public and private communications to customers and other stakeholders as a trust mark to showcase that the company is committed to adhering to the Code.

FACE

1. As per FACE Article of Association (AoA), a member must abide by the Code. Please refer to Annex 2 for relevant sections from AoA on SRO.
2. FACE may ask for self-certification and undertaking from a member on adherence with the Code, as necessary for membership renewal.
3. Each Member will designate a Code Compliance Officer with FACE to take responsibility for Code, including dissemination and awareness within the company, clarification, compliance and response to questions related to nonadherence to Code.
4. An SRO Committee within FACE will examine the evidence34 of nonadherence to the Code by Members and act as per the process laid out by the Board. This will be guided by regulatory directions, instructions and suggestions.

ANNEXURES

RELEVANT CLAUSES FROM DLG

Sl no Guidelines A Loan disbursal, servicing and repayment 1 Loan disbursement is always made into the bank account of the borrower in all cases expect Loan disbursals for REs for co-lending transactions and disbursals for specific end use, provided the loan is disbursed directly into the bank account of the endbeneficiary 2 All Repayments and other servicings is executed by the borrower directly in the RE’s bank account without any pass-through account/ pool account of any third party 3 In no case, disbursal is made to a third-party account, including the accounts of LSPs and their DLAs. B Collection of fees, charges, etc. 4 Any fees, charges, etc., payable to LSPs are paid directly by REs and are not charged by LSP to the borrower directly. 5 The penal interest/charges levied, if any, on the borrowers is based on the outstanding amount of the loan. 6 Rate of such penal charges is disclosed upfront on an annualized basis to the borrower in the Key Fact Statement (KFS). C Disclosures to borrowers 7 The borrower gets a KFS from RE before the execution of the contract in a standardized format (Annex II of DLG) for all digital lending products 8 The KFS to borrower contains the details of APR, the recovery mechanism, details of the grievance redressal officer designated specifically to deal with the digital lending matter and the cooling-off/ look-up period. APR as an all-inclusive cost of digital loans for the borrower is disclosed upfront by REs and also is a part of the KFS 9 Any fees, charges, etc., which are not mentioned in the KFS is not charged by the REs to the borrower at any stage during the term of the loan 10 Digitally signed documents: KFS, summary of loan product, sanction letter, terms and conditions, account statements, privacy policies of the LSPs/DLAs with respect to borrowers data, etc.(on the letter head of the RE) automatically flows to the borrowers on their registered and verified email/ SMS upon execution of the loan contract/ transactions. 11 The list of DLAs (of RE or of LSPs) and list of LSPs with the details of the activities for which LSPs have been engaged, are prominently published on the website of the REs. 12 Product information: DLAs belonging to REs or LSP at the on-boarding/sign-up stage, prominently display information relating to the product features, loan limit and cost, etc., so as to make the borrowers aware of these aspects Sl no Guidelines 13 Details of recovery agent: Borrower gets a communication from RE about the LSP acting as recovery agent who is authorised to approach the borrower for recovery, at the time of sanctioning of the loan and also at the time of passing on the recovery responsibilities to an LSP or change in the LSP. 14 Link to website: DLAs belonging to RE or LSPs have links to REs’ website where further/ detailed information about the loan products, the lender, the LSP, particulars of customer care, link to Sachet Portal, privacy policies, etc. can be accessed by the borrowers. Also confirms that all such details are available at a prominent single place on the website for ease of accessibility. D Grievance Redressal 15 REs and LSPs have a suitable nodal grievance redressal officer to deal with digital lending related complaints/ issues raised by the borrowers. 16 Contact details of grievance redressal officers is prominently displayed on the websites of the RE, its LSPs, on DLAs and also in the KFS provided to the borrower. 17 Facility of lodging complaint is available on the DLA and on the website of REs and LSPs. E Assessing the borrower’s creditworthines 18 REs and LSPs capture the economic profile of the borrowers covering (age, occupation, income, etc.), before extending any loan over DLAs, with a view to assessing the borrower’s creditworthiness in an auditable way. 19 There is no automatic increase in credit limit unless explicit consent of borrower is taken on record for each such increase. 20 Cooling off/look-up period is explicitly offered to the borrower to exit the digital loan by paying the principal and the proportionate APR without any penalty during this period. 21 The Board of the RE determines the cooling-off period, offered to the customer. 22 Cooling off/look-up period offered is not less than three days for loans having tenor of seven days or more and one day for loans having tenor of less than seven days. F Due diligence and other requirements with respect to LSPs 23 REs to conduct due diligence before entering into a partnership with a LSP for digital lending, taking into account its technical abilities, data privacy policies and storage systems, fairness in conduct with borrowers and ability to comply with regulations and statutes 24 REs to carry out periodic review of the conduct of the LSPs engaged by them. 25 REs to impart necessary guidance to LSPs acting as recovery agents to discharge their duties responsibly and comply with Circular DOR.ORG.REC.65/21.04.158/2022-23 G Collection, usage and sharing of data with third parties 26 Any collection of data by DLAs (belonging to RE or LSP) is need-based and with prior and explicit consent of the borrower having audit trail. 27 DLAs (belonging to RE or LSP) desist from accessing mobile phone resources like file and media, contact list, call logs, telephony functions,etc Sl no Guidelines 28 DLAs (belonging to RE or LSP)s only take one-time access for camera, microphone, location or any other facility necessary for the purpose of on-boarding/ KYC requirements only, with the explicit consent of the borrower. 29 The borrower is provided with an option to give/ deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data and if required, make the app delete/ forget the data 30 The purpose of obtaining borrowers’ consent is disclosed at each stage of interface with the borrowers. 31 Explicit consent of the borrower is taken before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirement H Storage of data 32 LSPs/DLAs engaged by RE do not store personal information of borrowers except some basic minimal data (viz., name, address, contact details of the customer, etc.) that may be required to carry out their operations. 33 Clear policy guidelines by RE regarding the storage of customer data including the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, data destruction protocol, standards for handling security breach, etc., are put in place and displayed prominently on DLAs/Website of REs and LSPs at all times 34 No biometric data is stored/ collected in the systems associated with the DLA of REs/ their LSPs, unless allowed under extant statutory guidelines 35 All data is stored only in servers located within India, while ensuring compliance with statutory obligations/ regulatory instructions. I Comprehensive privacy policy 36 DLAs and LSPs engaged by RE have a comprehensive privacy policy compliant with applicable laws, associated regulations and RBI guidelines. 37 For access and collection of personal information of borrowers, DLAs of REs/LSPs comprehensive privacy policy is available publicly 38 Details of third parties (where applicable) allowed to collect personal information through the DLA is disclosed in the privacy policy. 39 REs and LSPs engaged by REs comply with various technology standards/ requirements on cybersecurity stipulated by RBI and other agencies, or as may be specified from time to time, for undertaking digital lending. J Reporting to Credit Information Companies (CICs) 40 Any lending done through RE's DLAs and/or DLAs of LSPs is reported to CICs irrespective of its nature/ tenor including extension of structured digital lending products over a merchant platform

RELEVANT CLAUSES FROM FPC

Sl no Guidelines A Applications for loans and their processing 1 All communications to the borrower shall be in the vernacular language or a language as understood by the borrower. 2 Loan application forms shall include necessary information which affects the interest of the borrower, so that a meaningful comparison with the terms and conditions offered by other NBFCs can be made and informed decision can be taken by the borrower. 3 The loan application form shall indicate the documents required to be submitted with the application form. 4 Applicable NBFCs shall devise a system of giving acknowledgement for receipt of all loan applications. Preferably, the time frame within which loan applications will be disposed of shall also be indicated in the acknowledgement. B Loan appraisal and terms/ conditions 5 Applicable NBFCs shall convey in writing to the borrower in the vernacular language as understood by the borrower by means of sanction letter or otherwise, the amount of loan sanctioned along with the terms and conditions including annualised rate of interest and method of application thereof and keep the acceptance of these terms and conditions by the borrower on its record. 6 NBFCs shall mention the penal interest charged for late repayment in bold in the loan agreement. 7 Applicable NBFCs shall furnish a copy of the loan agreement as understood by the borrower along with a copy each of all enclosures quoted in the loan agreement to all the borrowers at the time of sanction / disbursement of loans. C Disbursement of loans including changes in terms and conditions 8 Applicable NBFCs shall give notice to the borrower in the vernacular language or a language as understood by the borrower of any change in the terms and conditions including disbursement schedule, interest rates, service charges, prepayment charges etc. 9 Applicable NBFCs shall also ensure that changes in interest rates and charges are effected only prospectively. A suitable condition in this regard must be incorporated in the loan agreement. 10 Decision to recall/ accelerate payment or performance under the agreement shall be in consonance with the loan agreement Sl no Guidelines D General 11 Applicable NBFCs shall refrain from interference in the affairs of the borrower except for the purposes provided in the terms and conditions of the loan agreement (unless information, not earlier disclosed by the borrower, has been noticed). 12 In case of receipt of request from the borrower for transfer of borrowal account, the consent or otherwise i.e., objection of the applicable NBFC, if any, shall be conveyed within 21 days from the date of receipt of request. Such transfer shall be as per transparent contractual terms in consonance with law. 13 In the matter of recovery of loans, an applicable NBFC shall not resort to undue harassment viz., persistently bothering the borrowers at odd hours, use muscle power for recovery of loans etc. As complaints from customers also include rude behaviour from the staff of the companies, applicable NBFC shall ensure that the staff are adequately trained to deal with the customers in an appropriate manner. 14 Applicable NBFCs shall not charge foreclosure charges/ pre-payment penalties on any floating rate term loan sanctioned for purposes other than business to individual borrowers, with or without co-obligant(s). E Grievance Redressal Officer 15 At the operational level, all applicable NBFCs shall display the following information prominently, for the benefit of their customers, at their branches / places where business is transacted: (1) The name and contact details (Telephone / Mobile nos. as also email address) of the Grievance Redressal Officer who can be approached by the public for resolution of complaints against the Company. (2) If the complaint/ dispute is not redressed within a period of one month, the customer may appeal to the Officer-in-Charge of the Regional Office of Department of Supervision of RBI (with complete contact details), under whose jurisdiction the registered office of the applicable NBFC falls. F Ombudsman for NBFCs 16 Reserve Bank – Integrated Ombudsman Scheme, 2021: NBFCs covered under the Reserve Bank – Integrated Ombudsman Scheme, 2021 shall appoint Principal Nodal Officer in accordance with directions provided under the said Scheme. 17 Appointment of Internal Ombudsman: NBFCs fulfilling the criteria laid down under the circular on ‘Appointment of Internal Ombudsman by Non-Banking Financial Companies’ dated November 15, 2021 shall appoint the Internal Ombudsman and adhere to the corresponding guidelines. G Language and mode of communicating Fair Practice Code 18 Fair Practices Code (which shall preferably be in the vernacular language or a language as understood by the borrower) based on the directions outlined hereinabove shall be put in place by all applicable NBFCs having customer interface with the approval of their Boards. Sl no Guidelines 19 Applicable NBFCs will have the freedom of drafting the Fair Practices Code, enhancing the scope of the directions but in no way sacrificing the spirit underlying the above directions 20 The same shall be put up on their website, if any, for the information of various stakeholders. H Regulation of excessive interest charged by applicable NBFC 21 The rate of interest and the approach for gradations of risk and rationale for charging different rate of interest to different categories of borrowers shall be disclosed to the borrower or customer in the application form and communicated explicitly in the sanction letter. 22 The rates of interest and the approach for gradation of risks shall also be made available on the website of the companies or published in the relevant newspapers. The information published in the website or otherwise published shall be updated whenever there is a change in the rates of interest. 23 The rate of interest must be annualised rate so that the borrower is aware of the exact rates that would be charged to the account

DISCLOSURE TO CUSTOMERS

■ Details of the lender (name, registration type with RBI, website, email, phone, address) ■ Details of the lending platform (name, website, email, phone, address) and their obligations ■ Loan account details (name of customer/co-borrowers, account number, customer ID, the amount sanctioned, the amount disbursed, date of disbursement, tenure, repayment frequency, number of instalments, cooling-off period, instalment amount, instalment due dates) ■ Loan details (disbursed amount, outstanding, date of disbursement, last payment date, tenure, instalment amount, due date) ■ KFS, as per RBI DLG ■ Periodic account statements showing repayment schedule, transactions and fees; ■ Payment options and conditions for loan repayments, including early/ delayed part/full repayment and closure ■ Procedures and responsibility for unauthorised or mistaken transactions and system outages ■ Grievance redressal mechanism including access details to available channels, procedure, expected turnaround time, escalation and right to escalate the matter to the regulator ■ Consequences of delayed/non-prepayment on the customers, including penal fees, the interest rate for delayed payment (if different from the normal schedule), the recovery process, and reporting to credit bureaus ■ Process for customers dealing with financial difficulties. ■ Recovery procedure in case of default, including list of recovery agencies who may be assigned. ■ Withdrawal rights35, if applicable ■ An illustration regarding classification and/or reporting the customer’s loan account as a stressed loan account in the loan document. ■ Warnings if any. For example, the impact on credit bureau records due to delayed/missed/non-payment, the adverse effect of taking loans beyond the repayment capacity and affordability ■ Lenders and lending platforms’ access and obligations to customer data ■ Customer right and options to give and withdraw consent and update/ change data ■ Applicability, notification period for changes in terms/conditions of the loan agreement ■ Right and responsibility of customers ■ Rights and responsibility of the lender ■ Other general terms and conditions in clear and straightforward language for the customer.

RELEVANT SECTIONS FROM FACE AOA

1. Members will ensure adherence to regulatory and industry standards for digital lending and the Code of Conduct (Code). Board of Members’ will adopt the Code and ensure adherence to these standards and Code along with the regulatory norms prescribed, from time to time, by the Government / Reserve Bank of India / any other regulatory authority.
2. Members will cooperate with SRO functions by sharing information and other necessary documents, as required.
3. The Board shall have the power to expel, initiate and propose the termination of Membership on the occurrence of any of the following event(s): a. Member/Partner who has acted in a manner injurious or inimical to the aims, objectives, interests or the reputation of the Company and/ or the digital lending industry b. Member/Partner disregards the Memorandum of the Company c. There is proven record of mala-fide non-compliance by Members with the Code and regulatory requirements of RBI/other regulatory agencies as established by the Company d. If a Member/Partner is adjudged by any court of law to be a criminal offender e. Member/Partner is dissolved and adjudicated insolvent
4. The Company will function as the Self-Regulatory Organization (SRO) for its Members to promote responsible lending, good governance and customer protection to best serve the interests of digital lending customers. Notwithstanding anything contained in these Articles, the self-regulatory functions of the Company shall be governed by the SRO directions issued by the RBI for digital lending in future.
5. As an SRO, the Company shall frame a Code of Conduct (Code), through a process of discussion with key stakeholders. This Code will be enforced by the SRO. This Code shall be binding on all the Members and will be enforced by the SRO. This CoC may be amended from time to time with the approval of the Board
6. The Company shall constitute an Enforcement Committee (EC) to enforce and exercise oversight amongst Members for adherence to Code and regulatory norms prescribed by the RBI/Government/any other regulatory authority, as under: a. The Board shall have the power to constitute EC and to define their composition, term, powers, functioning and other rules etc. b. A staff of the Company will be designated as a Secretary of the EC and shall participate in the meetings of the EC but will not have any voting rights. c. The “Fit and Proper” criteria will apply to all members of the EC. d. An EC member associated with a concerned Member in any capacity will recuse from any discussion and decision related to the concerned Member and abstain from voting
7. EC will have the following functions a. EC will exercise oversight and enforce Members’ adherence to regulatory norms prescribed by RBI/ Government / any other regulatory authority and the CoC. b. EC actions will be guided by standard Enforcement Guidelines approved by the Board. c. EC may refer cases to Board as deemed necessary. d. The EC will function under the overall supervision of the Board
8. A Member may appeal against the decision of the EC in writing to the Board. The Board decision will be final and binding on the Member

RELEVANT REGULATORY REFERENCES

■ Guidelines on Digital Lending ■ Guidelines on Default Loss Guarantee (DLG) in Digital Lending ■ Loans Sourced by Banks and NBFCs over Digital Lending Platforms: Adherence to Fair Practices Code and Outsourcing Guidelines ■ Master Direction - Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 201636 ■ Master Direction - Non-Banking Financial Company - Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 201637 ■ Outsourcing of Financial Services - Responsibilities of regulated entities employing Recovery Agents ■ Credit Information Companies Regulations, 2006 ■ Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs ■ RBI Draft Circular on Fair Lending Practice - Penal Charges in Loan Accounts ■ Master Direction on Know Your Customer (KYC) ■ Master Direction on Outsourcing of Information Technology Services ■ Data Format for Furnishing of Credit Information to Credit Information Companies and other Regulatory Measures ■ Membership of Credit Information Companies (CICs)

ABOUT FACE

Fintech Association for Customer Empowerment (FACE) is a non-profit industry association representing the fintech/digital lending industry. FACE convenes companies directly involved in fintech lending and other stakeholders to collectively advance fair and responsible digital lending practices through self-regulation and customer protection. The FACE Code aims to reassure and give confidence to the customer to take credit from FACE member companies as they commit to meeting the standards set out in this Code, and the FACE will support and monitor members’ performance in doing so. For any discussion/questions, reach us at [email protected].

Fintech Association for Consumer Empowerment 5 th Floor, Paville House Off Veer Savarkar Marg Prabhadevi Mumbai 400025 [email protected] www.faceofindia.org