RBI expands NBFC audit ambit to cover their service providers
The Reserve Bank of India is intensifying scrutiny of NBFCs' partnerships with fintech loan service providers (LSPs). RBI officials are directly engaging with LSPs, focusing on KYC compliance, data handling, and customer communication transparency...
As part of this enhanced inspection process, Reserve Bank of India officials are now engaging directly with LSPs, particularly those operating customer-facing apps or platforms that manage loan applications. These inspections focus on critical areas such as compliance with know your customer (KYC) norms, handling of customer data, and practices around customer communication.
"Previously, any queries related to audits or inspections were routed through the regulated entities," said a senior official at an LSP that has a tie-up with a major NBFC in Mumbai. "But this time, some of us at LSPs were called on-site during the annual inspection. The team wanted to understand how these partnerships function, especially the tech stack used for customer onboarding and KYC. They were interested in transparency and how we communicate with customers."

An email sent to the RBI seeking comment remained unanswered.
LSPs are platforms or applications that connect borrowers with lenders, operating on behalf of regulated entities like NBFCs. Their services typically include customer acquisition, underwriting and pricing support, loan monitoring, and recovery, among other functions.
According to the guidelines, LSPs are prohibited from handling any funds between borrowers and lenders. They are only allowed to collect customer data when necessary and must obtain clear, informed consent from borrowers at every stage of the process.
Another person aware of the matter noted the RBI is concerned about over-reliance on a small group of LSPs. The regulator is evaluating concentration risks during its annual audits, especially where the same vendors are used across multiple banks and NBFCs.
"The RBI is wary that excessive dependence on a few LSPs could create systemic risks. If one LSP faces a cyber incident or service disruption, it could have ripple effects across the financial system," the source explained.
Cybersecurity risks are a particular focus, as the regulator is concerned about potential breaches and data leaks from third-party systems.