Between Lenders’ Access to Phone Data and Digital Privacy, RBI Must Strike the Right Balance

In 2022, the Reserve Bank of India (RBI), India’s financial sector regulator, notified the guidelines on digital lending, which bars digital lenders’ mobile applications from accessing borrowers’ ‘mobile phone resources like file and media, contact list, call logs, telephony functions, etc’, and allows a one-time access to ‘camera, microphone, location or any other facility’ for onboarding borrowers, with their explicit consent.

This decision was caused by predatory lending practices, like threatening to leak debtors’ morphed images and calling their phone contacts (also known as debt shaming), that became common over the last few years. Similar instances in other developing countries prompted Google to bar personal loan apps from accessing users’ sensitive data in 2023. 

However, by completely prohibiting access to certain mobile phone datasets and severely limiting access to others, the RBI overregulated for a few reasons.

The issue

Firstly, in India, access to credit is skewed towards individuals with rich credit history and high income. Less than 13% of Indians aged over 15 years borrow from formal sources. This credit gap led to the emergence of digital lenders who rely on alternate data to service users with little to no credit history. With 900 million mobile-based internet users, mobile phone data of Indian users is valuable. 

Patterns of social networks derived from phones indicate users’ financial health, and predict loan defaults. Contacts capture the extent of customers’ social network based on the total number of unique numbers in the users’ contact list, and their economic strength. Similarly, call logs signal the breadth and strength of individuals’ social connections based on the frequency of missed calls and the duration of incoming and outgoing calls.

A study shows that a credit underwriting model that factors in call logs, contacts and other mobile data (a) outperforms traditional models, which rely on credit scores and financial information, and (b) facilitates loans to underserved users.

By fully prohibiting access to call logs and contact data, the RBI guidelines hinder digital lenders’ credit assessment process and limit financial inclusion. 

Second, post-disbursal monitoring of personal loans – also encouraged by the RBI governor – is critical because delinquency levels are high in low-value loans, and vintage delinquency, which reflects the percentage of loans that have become delinquent within 12 months of origination, is relatively high at 8.2%. 

To assess borrowers’ repayment capability, lenders can currently access their bank statements after disbursal through an RBI-authorised framework. Similarly, mobile phone data can act as early warning signals based on which lenders can segment borrowers by default risk, and take swift loan recovery actions. For instance, SMSes indicating non-payment of other EMI payments or a sudden pause in salary credits after loan disbursal can act as early warning signals indicating the borrower’s ability to repay.

Crucially, loan default risk is one of the barriers for financial inclusion. By denying access to mobile phone data for collection, the restrictions disincentivise digital lenders from servicing underserved users.

Third, instead of restricting misuse of data or barring unethical practices agnostic of the data source, the RBI guidelines solely curb access to mobile phone data. As a result, this rule-based approach has led to clever workarounds – lenders are now parsing bank statements to track borrowers’ locations based on real-time payment transactions for loan recovery. The approach also misses a critical point that mobile phone data is not the only source of data for unethical lending practices. Invasive collection practices can occur regardless of the data source.

A better strategy

Globally, India has the highest future credit demand amongst new-to-credit customers. Without access to formal credit, borrowers endure unchecked arbitrary operations of moneylenders. Digital lending improves financial inclusion and borrowers’ financial well-being and big data, including mobile phone data, is critical for digital lending. 

Policies must balance customer privacy concerns and access to credit. Digital lenders, therefore, should be allowed to access mobile phone data for loan appraisal, disbursal and collection with the below checks:

1. Lenders should limit access to necessary mobile phone data (with users’ consent) and avoid taking overarching permissions. Since users are willing to grant access for legitimate requirements, lenders should disclose the purposes in the user interface to facilitate informed consent. For instance, access should be limited to financial SMSes and not extend to personal SMSes through necessary technology configurations; only selected photos chosen by the user should be accessed instead of the entire gallery. Lenders should avoid taking invasive permissions like access to redirect calls or edit call logs on a user’s mobile device.
2. Perpetual and daily access of mobile phone data are intrusive and can cause discomfort to users. Similar to limits on access to bank statements, frequency of access to mobile phone data should be subject to a monthly cap and the period of access should be coterminous with loan tenure.
   
3. The RBI released a circular barring lenders from intruding the privacy of debtors’ social connections. This should be enforced. The RBI must collaborate with the self-regulatory organisations for fintechs and lenders, and the Data Protection Board (once instituted) to promote responsible data and credit recovery practices, while curbing and punishing data misuse and coercive conduct. 

For this, India can also look to Kenya, a fellow lower-middle income country, which addressed the issue of widespread borrower harassment. While digital lenders retained access to mobile phone data required for loan servicing and collection, specific credit collection practices like unauthorisedly contacting borrowers’ contacts (phone contacts or otherwise) were barred and penalised.

Digital lenders were also required to comply with data protection laws. Collaboration between Kenya’s data protection authority and the digital finance industry association led to a 75% drop in harassment cases in 2024.

Priyanka is a technology lawyer based in Bangalore. She thanks Radhika Maheshwari and Gautham Sunjay for their inputs.

The Wire is now on WhatsApp. Follow our channel for sharp analysis and opinions on the latest developments.