Hidden cracks in BNPL services: Beware of what you sign up for
Every time we sign up for an app or an online service, we seldom glance through the legal terms and conditions (T&Cs), thanks to the complex language they are written in.
What’s the worst that could happen? The service provider may use your email and name for promotional services or sell the same to a third party.
However, in the case of credit services, a lack of awareness of the legal T&Cs could possibly send you into credit distress.
A recent study by Chennai-based policy research institution Dvara Research ‘The costs of using Buy Now, Pay Later (BNPL) products’ breaks down the practices of major BNPL players in India and identifies some of the key customer protection concerns in the market.
Some consumers may be aware of the technical jargon and details laid down in T&C documents (about customer eligibility, personal data access, the identity of the financier, repayment tenure, and various penalties and charges). Some may even take the help of a legal expert to comprehend the documents.
But first-time consumers of BNPL services may not be able to comprehend what they are signing up for. In some cases, customers may find it difficult to even locate and access T&Cs; this gets exacerbated when BNPL products are embedded as a payment option that customers can use to make payments at the point of sale.
Concealed info on price and penalties
The researchers at Dvara Research reviewed the T&Cs (both publicly available and after downloading the BNPL application) of 10 popular BNPL providers in India—Ola Money Postpaid, Amazon Pay Later, Paytm Postpaid,, Unicard, , , , , and —to identify the clauses that diverged from regulations or raised consumer protection concerns.
According to the findings of Dvara’s report, the Key Facts Statement (KFS) and important terms provided by BNPL players are not always available or reliable.
While most BNPL providers provided a KFS, some did not do so. In some cases where KFS was provided, it omitted key details such as pricing, customer obligations, and penalties. This contravenes the Reserve Bank of India's (RBI) Circular on Display of Information by banks.
“Customers have to go through the long-form T&Cs to understand the product better. However, as observed with FlexMoney, the long-form document may also omit important information on charges and repayment procedure. This leaves customers without accessible information about the BNPL product they are purchasing,” says the report.
Who is the financier?
The central bank recently came down heavily on BNPL players following its circular barring non-banks from loading credit lines into pre-paid instruments (PPIs).
This means that fintechs that offer credit service (BNPL players) on prepaid instruments (wallets like Paytm, PhonePe, Google Pay, MobiKwik, Oxigen, Ola Money, and Amazon Pay) via non-banks, will not be allowed to do so. The facility will only be available to banks and NBFCs.
Now, looking at the T&Cs, a lot of BNPL players tend not to mention clearly who their financiers are, according to the report.
Amazon PayLater and Ola PostPaid clearly disclose the name(s) of the bank or NBFC that provides credit, while providers like ZestMoney and Unicard do not disclose the financier’s identity until the customer’s loan is sanctioned.
However, in a clarification issued by Unicard, the company claims to provide two T&C for PPI and loan, respectively, where the former doesn't mention the name to "avoid confusion for the customers" while the latter always puts out the same.
"Also, our website carries detailed T&C for each NBFC, which anyone can access without being a Uni customer. We have four NBFCs partners namely DMI, Lendbox, Liquiloans & Northern Arc," says Unicard spokesperson.
FlexMoney had only a general set of T&Cs and Dvara’s researcher did not receive any financier document or credit contract even after the volunteer was sanctioned the credit line. The name of the financier was mentioned at the end of the onboarding process after the credit line was sanctioned.
This contravenes the RBI’s circular on loans sourced by banks and NBFCs through digital lending platforms.
Moreover, even the financiers do not display the names of their digital lending partners on their websites.
“Barring financiers like Hero Fincorp, Quadrillion Finance, Aphelion Finance and PayU Finance, most other financing partners like HDFC Bank, Northern Arc Capital and IDFC First Bank did not display the name of their digital lending partner on their websites,” the report states.
This also makes it difficult for customers to verify if their BNPL provider has tied up with the advertised financier.
‘Buyer beware’ approach
The findings disclose that most of the players place the “burden” of ensuring the “suitability of the credit” on the buyer. Some providers like Amazon Pay Later and Unicard explicitly place the responsibility of assessing the suitability of the credit line on the customer.
“This ‘buyer beware’ approach is problematic and contravenes the Right to Suitability that customers have under the RBI Charter of Customer Rights Provisions; these can compound customer protection concerns,” the report states.
Evidence suggests that many customers who avail themselves of the BNPL services are rarely aware that they are entering into a credit contract. In India, such declarations are not direct. Instead, clauses like ‘providers reserve the right to reject credit application’ imply that BNPL products have an underlying credit contract.
This is one of the major reasons for credit distress.
Customers with no technical know-how end up opting for BNPL without fully understanding their repayment obligations (owing to comprehensive and incomprehensible T&Cs) or borrow more than they can afford.
“Offering BNPL products as a payment option or doing so without checking customers’ ability to afford the product can push customers into distress,” the experts say.
Data protection concerns
The recent controversy around Razorpay and Alt News has once again put the spotlight on data security and user consent.
In the case of BNPL, it was found that credit reporting practices are rarely disclosed to customers. While it is disclosed that platforms could access customers’ credit information for making credit assessments, none of the providers who were studied, barring PayTM PostPaid, disclosed whether they report customers’ repayments to credit bureaus.
“We also noticed that one of the volunteer’s credit score had reduced by as much as 10 points after their application to a BNPL provider was denied. The T&Cs also omitted detailed disclosures about how BNPL use can impact customers’ credit scores,” the report states.
A lot of personal information (including education information, occupation information and contact information) also goes into the BNPL data bank during the onboarding and verification processes.
However, the privacy policies that governed the use of personal data were often “broad” and “non-specific”, giving providers a wide leeway in how they could use personal data.
Unspecified charges on customers
It was noticed that players like ZestMoney and Kissht have put up an option in their general T&Cs to charge “unspecified and non-refundable processing fees” even when customers’ loans are cancelled by the provider.
Kissht mentions that these charges are applicable even if the loan is not disbursed to the customer. The non-disclosure of fees amount “can make it difficult for customers to gauge the costs of borrowing from these providers,” the report notes. This adds to the violation of the Fair Practice Codes relating to the disclosure of all processing fees and charges.
The analysis raises an important question—do you ever track the changes in T&C of the provider once the service is availed?
The customer is expected to periodically visit the provider’s website to review the changes in the T&Cs, if any, rather than be informed of the changes they tend to agree to upon sign-up. “This places undue burden on the customers for compliance.”
“Our findings suggest that BNPL providers largely align with the RBI’s customer protection framework for financiers, including the Fair Practices Code for banks and NBFCs and the Outsourcing Guidelines for banks and NBFCs. However, many practices and T&Cs deviate from these codes, vacating key customer protection safeguards,” the report states.
(The story was updated with a clarification issued by Uni on the disclosure of its NBFC partners' name in T&Cs).