Digital Lending Policy

1. PREAMBLE

Ramchandra Leasing and Finance Limited (“the Company”), a Non-Banking Financial Company – Investment and Credit Company (NBFC-ICC), ND-NSI, is committed to conducting all digital lending activities in strict compliance with the Reserve Bank of India (Digital Lending) Directions, 2025, issued vide circular DOR.STR.REC.19/21.07.001/2025-26 dated May 8, 2025.

This Policy establishes a comprehensive governance, operational, technological, data-handling and customer- protection framework that shall govern all digital lending activities undertaken:

1. Directly by the Company (self-owned DLAs, web portals, IT systems), and

2. Through Lending Service Providers (LSPs) and their Digital Lending Apps (DLAs) engaged by the Company.

The Company upholds the principles of transparency, fair conduct, responsible lending, data minimisation, secure processing, informed consent, and customer protection.

2. PURPOSE AND SCOPE

The purpose of this Policy is to establish a comprehensive governance and compliance framework for all digital lending activities of the Company. It applies to the entire digital lending lifecycle, including digital customer onboarding, KYC verification, digital loan application processing, credit assessment and approval, loan disbursal and repayment, loan servicing, monitoring and collections, grievance redressal, data collection, usage, storage, retention and processing, engagement and oversight of Lending Service Providers (LSPs) and Digital Lending Apps (DLAs), regulatory reporting to the Reserve Bank of India (RBI), and the management of Default Loss Guarantee (DLG) arrangements wherever applicable.

This Policy extends to all digital systems, platforms and technological infrastructure owned, hosted, licensed, rented or accessed by the Company, and governs every workflow, process, outsourced activity and data flow connected with digital lending operations. It is binding upon all employees, officers and directors of the Company, as well as all LSPs, DLAs, outsourced agencies, third-party service providers and their authorised representatives who perform or support any function related to digital lending. All such individuals and entities are required to adhere strictly and continuously to the provisions of this Policy.

3. Unless stated otherwise, definitions shall be as per the Reserve Bank of India (Digital Lending) Directions, 2025, including:

TELEFAX. 0265 - 3268100

CIN. L65910GJ1993PLC018912

Email. rlandfl@gmail.com

Web. www.ramchandrafinance.in

Regd. Office. 201, Rudra Plaza Complex, Dandia Bazar Main Road, Dandia Bazar, Vadodara - 390 001

Branch. Ashok Stores, Khot Chawi, L.T. Road, Opp. Goyal Shopping Centre. Borivali (W), Mumbai - 400092.

1. RE – Regulated Entity (the Company)

2. LSP – Lending Service Provider

3. DLA – Digital Lending App

4. DLG – Default Loss Guarantee

5. KFS – Key Fact Statement

6. APR – Annual Percentage Rate

7. Cooling-off Period – As mandated under Para 10 of the RBI Directions

4. GOVERNANCE FRAMEWORK AND RBI-COMPLIANT STRUCTURE

The Company adopts a governance structure ensuring that digital lending operations remain fully compliant with RBI’s Digital Lending Guidelines. All digital processes shall at all times remain under the direct control, supervision and monitoring of the Company, and no outsourcing arrangement, technology integration or third-party involvement shall dilute or transfer any regulatory responsibility of the Company.

Senior management shall ensure that all digital platforms and interfaces accurately reflect the Company’s approved interest rates, disclosures, terms, KFS, loan agreements, sanction letters, and customer-conduct standards.

The Compliance Officer together with the Risk Management function shall conduct periodic reviews of digital processes, information-security systems, partner integrations, and data-handling practices to ensure continuous regulatory adherence.

The Board shall shall be kept consistently informed through periodic reports covering the performance of digital lending channels, technology and cybersecurity risks, customer grievances, digital fraud patterns, and key compliance indicators.

5. DIGITAL ONBOARDING, KYC AND CUSTOMER AUTHENTICATION

The Company shall implement RBI-compliant digital onboarding mechanisms to ensure that customer identity verification is carried out strictly in accordance with the applicable KYC Master Directions.

Digital onboarding may be facilitated through Aadhaar-based authentication, CKYC, video-based KYC, digital document upload or any other mode permitted by law; however, all decisions relating to KYC verification, authentication, acceptance or rejection shall be taken solely by the Company. , Lending Service Providers (LSPs) and Digital Lending Apps (DLAs) may support the customer in uploading or transmitting documents, or may provide the front-end user interface, but they shall not perform or influence the outcome of the KYC verification process, nor shall they engage in any activity that constitutes KYC approval or rejection.

The Company shall ensure that no customer is onboarded digitally without full completion of the mandated KYC requirements. All digital KYC artefacts, including video recordings, photographs, documents and audit trails, shall be stored securely in compliance with RBI’s data-storage and security requirements. Access to such artefacts shall be strictly controlled and monitored. One-time access to device features such as the camera, microphone or location shall be taken only with the borrower’s explicit, informed consent and strictly for the limited purpose of facilitating KYC or onboarding.

6. DIGITAL LOAN APPLICATION, ASSESSMENT AND APPROVAL

All digital platforms, including those operated through LSPs and DLAs shall present borrowers with complete, accurate, and easily understandable disclosures covering eligibility criteria, required documentation, interest rates, fees and charges, repayment structures, penal charges the applicable cooling-off period, and the grievance redressal mechanism. Borrowers shall be given full opportunity to review all loan terms and conditions in detail prior to accepting the loan. These disclosures shall be prominently displayed on the digital interface before any loan execution or acceptance.

All credit assessment and underwriting decisions shall be undertaken solely by the Company. LSPs and DLAs are strictly prohibited from carrying out, influencing or participating in underwriting, credit scoring, approval, sanction or rejection of loan applications. . While the Company may deploy automated tools, algorithms or rule-based engines to assist in the credit assessment process, such tools shall operate entirely under the Company’s control, and their logic, parameters and outputs shall be documented, periodically reviewed and subjected to audit.

Approval, rejection, and communication of the credit decision shall be executed by the Company through its official systems, and borrowers shall receive a clear digital intimation of the outcome, along with any required disclosures. No LSP or DLA shall independently communicate a credit decision to a borrower or imply that they have authority to approve or reject a loan.

7. KEY FACT STATEMENT, DIGITAL AGREEMENTS AND BORROWER CONSENT

The Company shall provide every borrower with a Key Fact Statement (KFS) clearly disclosing the complete, transparent and itemised cost of the loan, including Annual Percentage Rate (APR), interest charges, processing fees, taxes, third-party charges, penal charges and the total cost of credit. The KFS shall require explicit borrower acknowledgment and shall be automatically delivered to the borrower through secure digital channels.

Loan agreements shall be executed digitally in a legally valid and enforceable manner and digitally signed copies of the sanction letter, loan agreement, terms and conditions and privacy policies shall be sent immediately to the borrower’s registered contact details. Borrower consent shall be obtained through secure, timestamped digital mechanisms and shall be free, informed and purpose-specific. No clause shall be hidden, pre-selected, ambiguous or obfuscated.

Consent shall be obtained distinctly for data access, use, storage, sharing and collection. DLAs and LSPs shall not seek or obtain blanket consent or permissions beyond what is strictly necessary for onboarding and loan processing.

8. COOLING PERIOD

The Company shall provide every borrower with a Board-approved cooling-off period in accordance with RBI’s Digital Lending Directions. The cooling-off period shall not be less than one day and shall allow the borrower to exit the loan without penalty. If a borrower chooses to withdraw during this period, they shall be required to repay only the principal amount and the proportionate APR corresponding to the period for which the loan was actually availed. No penalty, additional interest or extra charge shall be levied. The Company may retain only a reasonable processing fee, provided that such fee was clearly disclosed in the Key Fact Statement (KFS).

9. DISBURSEMENT AND REPAYMENT ARCHITECTURE

The Company shall ensure that all loan disbursements are made only into the borrower’s bank account in full compliance with RBI’s Digital Lending Directions. Disbursement into third-party, proxy, intermediary, merchant or pooled accounts is strictly prohibited.

Similarly, all repayments shall be credited directly into the Company’s bank account, and no LSP, DLA or third- party shall collect or route repayments on behalf of the Company. The Company shall also ensure that NACH, UPI mandates or payment instruments comply with NPCI guidelines and do not enable unauthorised debits, remote device control or indirect access to the borrower’s bank account.

All settlement flows shall remain transparent, system-recorded and readily available for audit, regulatory review and internal monitoring.

10. COLLECTIONS & RECOVERY AGENT DISCLOSURE

In accordance with RBI’s Digital Lending Directions, the Company shall ensure that borrowers are informed in advance whenever a recovery agent is appointed or replaced. No recovery agent shall initiate contact with a borrower unless prior intimation has been provided by the Company through an authorised communication channel.

All recovery agents engaged through DLAs or LSPs shall comply strictly with the RBI Recovery Agent Guidelines, the Company’s Collection Policy and all applicable conduct standards. Harassment, intimidation, coercive practices, unauthorised data usage or any form of misconduct shall be strictly prohibited, and any violation shall result in immediate corrective action, including blacklisting of the agency or individual.

11. LSP / DLA ENGAGEMENT & DUE DILIGENCE

The Company shall conduct mandatory due diligence on every Lending Service Provider (LSP) in accordance with RBI’s Digital Lending Directions. This assessment shall cover the LSP’s technical capability, data- protection and security systems, business conduct history, recovery practices and financial stability. No LSP shall be onboarded unless it meets the Company’s standards of operational integrity and regulatory compliance.

Outsourcing to an LSP shall not dilute or transfer any regulatory responsibility of the Company. All digital lending functions performed through LSPs shall remain under the Company’s full control and oversight. No DLA or LSP shall use the Company’s name, branding or license without written authorisation.

The Company shall carry out periodic reviews—at least annually—of each LSP’s compliance, cybersecurity posture, grievance-handling quality and data-access practices. Any gaps shall be addressed through corrective action.

For LSPs operating with multiple lenders, the Company shall ensure that borrowers are provided an unbiased view of available loan options. Such LSPs must disclose unmatched lenders, avoid dark patterns and apply consistent, transparent borrower-matching rules.

12. DATA COLLECTION, USAGE, STORAGE & PRIVACY

The Company shall collect only need-based data required for onboarding, KYC, underwriting, servicing or regulatory purposes, and only on the basis of the borrower’s explicit, informed and purpose-specific consent recorded through a verifiable audit trail. Borrowers shall always have the option to deny or restrict non- essential data permissions.

All data shall be stored strictly on servers located in India, and no biometric data shall be retained. If any data is processed outside India, it shall be deleted within twenty-four hours. The Company shall maintain defined data-retention periods, implement approved destruction protocols and maintain documented breach- handling procedures.

The Company shall publish a clear Privacy Policy describing the data it collects, the purposes of use, sharing with third parties, retention practices, borrower rights and the security measures adopted to protect personal information. This Privacy Policy shall be accessible on all digital platforms of the Company and its LSPs.

13. PROHIBITION ON PREDATORY PRACTICES, FORCED ACCESS AND MISCONDUCT

The Company shall ensure that digital lending is free from predatory, coercive or manipulative behaviour. DLAs or LSPs acting on behalf of the Company shall not access contact lists, photo galleries, location data or other sensitive information without explicit, purpose-specific consent, and shall never threaten borrowers or misuse data.

Collection efforts through digital channels shall adhere strictly to the Company’s Collection Policy and RBI guidelines on recovery conduct. No digital communication shall harass, intimidate or mislead borrowers. Any breach by an LSP or DLA shall be treated as a breach by the Company itself.

14. TECHNOLOGY STANDARDS & CYBERSECURITY

In accordance with Para 15 of the RBI Digital Lending Directions, the Company shall ensure that all technology systems used in digital lending comply with the RBI Cybersecurity Framework, applicable digital payment security norms and the information-security standards prescribed under the IT Act, 2000. The same standards shall be adhered to by all LSPs and DLAs engaged by the Company. Robust safeguards, monitoring mechanisms and periodic reviews shall be maintained to ensure the security, integrity and resilience of all digital lending platforms.

15. REPORTING OF DIGITAL LENDING APPS TO RBI (CIMS PORTAL)

In accordance with Para 17 of the RBI Digital Lending Directions, the Company shall report to the RBI all Digital Lending Apps (DLAs) operated by the Company as well as those operated through its LSPs. Such reporting shall include the DLA name, application links, ownership details, grievance redressal officer particulars and all other required information. The Company shall also promptly report any addition, modification or removal of a DLA.

The Chief Compliance Officer shall certify the accuracy and completeness of all DLA-related submissions, including compliance of the DLA with RBI’s Digital Lending Directions, adherence to data-storage requirements, accuracy of website disclosures and conformity with privacy, consent and data-handling norms.

16. REPORTING TO CREDIT INFORMATION COMPANIES

In accordance with Para 16 of the RBI Digital Lending Directions, the Company shall report all loans sourced through its DLAs and LSPs to the Credit Information Companies, irrespective of the loan tenor or structure. This requirement applies equally to merchant-based BNPL products and other short-tenor or structured digital credit offerings. All such reporting shall be timely, accurate and compliant with applicable CIC guidelines.

17. DEFAULT LOSS GUARANTEE (DLG)

The Company shall ensure full compliance with RBI’s rules on Default Loss Guarantee (DLG). Any DLG arrangement shall be entered into only with a company, the DLG cover shall not exceed five percent of a fixed, non-dynamic DLG set, and the arrangement shall not be treated as a substitute for the Company’s own credit risk assessment. A statutory auditor’s certificate confirming compliance shall be obtained before executing any DLG agreement.

DLG may be invoked only for loans overdue by up to 120 days. LSPs offering DLG shall make the mandatory monthly public disclosures on DLG-backed portfolios in accordance with RBI requirements.

18. WEBSITE DISCLOSURE REQUIREMENTS

As mandated under Para 8(iv), the Company shall display on its website a list of all digital lending products, a list of all DLAs (both own and of LSPs), and a list of all LSPs along with a description of their activities. The website shall also provide the details of the Nodal Grievance Redressal Officer, links to the RBI CMS Portal and the Sachet Portal, the Company’s Privacy Policy, Terms and Conditions, Penal Charges Policy, and information on the Cooling-off Period. All LSPs and DLAs associated with the Company shall link back to the Company’s website to ensure transparency and accessibility of information.

19. MIS, MONITORING, FRAUD CONTROL AND REPORTING

The Company shall maintain robust MIS frameworks enabling real-time tracking of:

• digital applications,
• approval rates
• disbursements,
• repayments
• delinquency flows
• data access logs
• ustomer grievances
• customer grievances
• fraud patterns

Digital fraud prevention systems shall include device-based risk scoring, anomaly detection, velocity checks, identity-fraud controls and continuous monitoring.

The Company shall submit regulatory returns, supervisory reports and special statements as required by the RBI in connection with digital lending.

20. GRIEVANCE REDRESSAL AND CUSTOMER SUPPORT

The Company shall provide borrowers with seamless digital grievance channels accessible through the website, email, telephone and the DLA. Complaints shall be resolved in a transparent, time-bound and fair manner, consistent with the Grievance Redressal Mechanism and the RBI Integrated Ombudsman Scheme.

A Nodal Grievance Redressal Officer shall be appointed, whose details will be displayed on the website, included in the DLA, and in the Key Fact Statement (KFS). All complaints shall be resolved within 30 days.

Borrowers shall be informed at every digital touchpoint of their right to escalate unresolved matters to the RBI Ombudsman. The Company shall ensure regular review of digital grievance data to identify systemic issues and adopt corrective measures.

If a complaint is unresolved or rejected, the borrower may approach the RBI Integrated Ombudsman Scheme (RB-IOS) via the RBI CMS Portal or the RBI CRPC address.

21. REVIEW, AMENDMENTS AND ONGOING COMPLIANCE

This Policy shall be reviewed annually or sooner in response to changes in RBI digital-lending guidelines, cybersecurity notifications, technology developments or operational updates. Any revision shall require approval of the Board of Directors and shall be communicated across all operational and digital channels.