FinTech 2019 Comparisons

Last Updated June 06, 2019

Contributed By J Sagar Associates

Law and Practice


J Sagar Associates has a reputed FinTech practice and their clients in this sector include banks, non-banking financial companies (NBFCs), payment system providers, card network-providers, early-stage start-ups and several other FinTech players leveraging disruptive technology and business models. The firm’s practice leverages the experience and in-depth technical expertise of attorneys across practice areas and offers clients access to time-tested strategies and holistic advice. JSA’s attorneys are well positioned to assist clients navigate through the complex legal, regulatory and compliance landscape within which FinTech businesses and their technologies operate.

Driven by the government’s financial inclusion efforts and policy initiatives, increased smartphone penetration and an innovation-focused start-up landscape, FinTech has grown exponentially in India. 2018 witnessed consistent growth in the digital payments vertical. The notable developments during the last twelve months are summarised below.

  • E-wallet transformation – faced with stiff competition from other players in the payments industry, e-wallet providers began incorporating more day-to-day customer-centric use cases into their systems. These features include automated bill or premium payments, simplified e-commerce transactions, etc. Many e-wallet players also transitioned to hybrid models to offer customers multiple products as one seamless integrated offering. These include a payment gateway, an e-commerce marketplace and an e-wallet.
  • Collaboration with banks – in 2018, traditional banks also increased their collaboration with FinTech companies to supplement their offerings by leveraging the latter’s technological expertise. To this end, several banks have partnered with start-ups in areas such as customer acquisition, process automation, credit profiling, etc.
  • Alternative lending – there was significant growth in the alternative lending space in 2018. Powered by artificial intelligence (AI) and data analytics tools, alternative lending companies have acquired a sizeable chunk of the retail, and micro and small enterprises (MSE) loan market, and have targeted borrowers who are data-rich but collateral-poor.
  • Growth of UPI – the unified payment interface (UPI) platform (discussed below) also grew exponentially over the last year. A recent report by the National Payments Corporation of India (NPCI) states that the number of monthly transactions over the UPI platform passed 500 million in November 2018. For context, card transactions saw a growth of 22% in volume and 18% in value in November 2018 against November 2017. During the same period, mobile wallets grew 86% in volume and 72% in value, and UPI grew 400% and 753% respectively. Notably, UPI 2.0 was introduced in August 2018 and provides an overdraft facility that is expected to introduce thousands of end users to a new form of credit.
  • FinTech deals – the overall expansion of the FinTech industry is also reflected in the number and volume of deals in the country. Together with China, India dominated the Asian deal market, with four massive deals in the FinTech space in H1 of 2018. India’s total FinTech venture capital (VC) deal volume rose to an all-time high of 31 deals in Q2 of 2018. Annual returns on FinTech investments in India are the highest worldwide at 29%, compared to Asia's average of 25% and the global standard of 20%.

Looking Ahead

There are several important issues/developments that are likely to impact the growth of this sector in the coming year, including the following.

  • Establishment of Payments Regulatory Board (PRB) – as discussed further below, the government of India has received recommendations for the establishment of a Payments Regulatory Board to govern payment systems. This proposal is part of the government’s broader plans to amend the Payment and Settlement Systems Act (PSSA) and update Indian payment system regulations.
  • Regulations to govern intermediaries and payment gateways – in February 2019 the Reserve Bank of India (RBI) indicated forthcoming regulations to govern the activities of payment intermediaries such as payment gateways and aggregators. The goal of such regulations would be to create transparency and accountability in the operations of such entities, particularly in respect of grievance redressal for failed transactions, security of consumer data, and charges and transaction discount rates (TDRs) imposed by these entities on merchants and customers.
  • Regulatory sandbox – in September 2018, the RBI announced plans to set up a regulatory sandbox for FinTech and a data science lab. The RBI is expected to collaborate with the Institute for Development and Research in Banking Technology (IDRBT) for this mandate. The scope of such regulatory sandbox is still unclear and it remains to be seen whether unlicensed FinTech companies would be eligible to participate.
  • Localisation measures under proposed data protection law – the Indian government proposes to enact legislation to overhaul the existing data protection regime in India. In July 2018, a committee of experts constituted by the government released a first draft of the Personal Data Protection Bill, 2018 (PDP Bill). The PDP Bill (as presently drafted) requires each data controller to ensure that (i) at least one ‘serving copy’ of all personal information processed by it is stored on a server or data centre located in India and (ii) any ‘critical personal data’ collected by it is stored and processed only on servers in India. The PDP Bill does not define the term ‘critical personal data’, but instead leaves it to the government of India to do so. If the PDP Bill is enacted in its present form and the government notifies ‘critical personal data’ to include an individual’s bank account information and/or financial data then FinTech entities would be prohibited from storing or transferring any financial data pertaining to their customers outside India.

Digital payments in India are presently dominated by prepaid payment instruments (PPIs) and debit cards (by volume), and the real-time gross settlement (RTGS) system and National Electronic Funds Transfer (NEFT) system (by value).

PPIs

PPIs, most commonly mobile wallets, are instruments that facilitate the purchase of goods and services against value stored on such instruments. India has one of the fastest-growing markets in terms of mobile wallet adoption. Mobile wallet transactions rose from INR24 billion in 2013 to INR955 billion in 2017 and surpassed the INR1 trillion mark in early 2018. Companies such as PayTM and MobiKwik offer semi-closed PPIs that allow customers to use stored value to purchase goods and services from an array of registered merchants. Through these e-wallets, a customer can make utility bill payments, pay tolls and restaurant bills, buy groceries (online and offline), book flight or train tickets, buy gold and invest in securities.

RTGS and NEFT

The RTGS and NEFT systems allow for fund transfers between bank accounts. The RTGS system enables continuous real-time settlement and is meant primarily for large-value transactions. The minimum transaction value for RTGS is INR200,000, making it a predominantly business-to-business (B2B) facility. The NEFT, on the other hand, is a net-settlement payment system that facilitates retail and peer-to-peer (P2P) interbank transfers. RTGS and NEFT are operated by the RBI and can only be used by licensed banks.

IMPS

Immediate Payment Service (IMPS) is an instant payment interbank electronic fund transfer system that is operated and maintained by the NPCI. Unlike RTGS and NEFT, the IMPS service is available 24/7 throughout the year, including on bank holidays. Currently, there are 53 commercial banks, 101 rural/district/urban and co-operative banks, and 24 PPI providers who have signed up for the IMPS service.

UPI

Although not yet as popular as mobile wallets, another payment system that is fast becoming the preferred option for retail payments is UPI, an instant real-time payment system developed by the NPCI that facilitates interbank transactions. The interface is regulated by the RBI and allows immediate money transfer through mobile devices 24/7/365, and enables P2P and peer-to-merchant (P2M) transactions, as well as push and pull transactions. Owing to the interoperability offered by the platform, several start-up ventures and established FinTech and BigTech companies have created payment products based on UPI. Google launched the Tez App (now GPay) in 2017, which is currently one of the most popular applications on the UPI platform. Facebook’s WhatsApp and Amazon have recently released UPI payment applications for a limited number of users.

All players in the digital payments space are governed by the Payment and Settlement Systems Act, 2007 (PSSA), which governs and regulates all modes of payment systems in India, and authorises the RBI to regulate payment system participants. Any person or entity that intends to operate a payment system in India is required to obtain an authorisation under the PSSA and thereafter comply with its provisions.

While the PSSA sets out general compliances that apply to all payment systems, individual business models are regulated by specific regulations issued by the RBI from time to time. These regulations may set out, among other things, the following aspects of a business model:

  • eligibility criteria for applicants, including capital requirements;
  • standards and protocols to be implemented by the system-provider;
  • know your customer (KYC) and anti-money laundering (AML) compliances to be adhered to by the system-provider;
  • transaction limits and fraud-prevention compliances applicable to the payment system;
  • fund management obligations, such as float and escrow requirements, credits/debits permitted, etc;
  • reporting obligations to be adhered to by the payment system-provider and its participants; and
  • dispute resolution mechanisms to be provided to participants.

For instance, PPIs and mobile wallets are governed by the RBI’s Master Direction on Issuance and Operation of Prepaid Payment Instruments (PPI Master Directions), which divide PPIs into three categories: (i) closed loop, (ii) semi-closed loop and (iii) open loop, and prescribe the compliances applicable to entities issuing each of these categories of PPIs in India. The PPI Master Directions, for example, require all non-bank semi-closed loop PPI providers to maintain an amount equal to the outstanding balance of all PPIs issued in an escrow account with any scheduled Indian bank. The RBI has prescribed the permitted credits/debits that may be made from that escrow account and requires the system provider to submit quarterly and annual audit reports certifying that it has been maintaining adequate balance in that escrow account.

Similarly, card network-providers are governed by specific regulations issued by the RBI from time to time regarding debit/credit card operations. These entities are also subject to specific terms and conditions that may be imposed under the licence granted by the RBI under the PSSA. For instance, the RBI has issued several circulars to banks and authorised card network-providers mandating the implementation of two-factor authentication (2FA) for all domestic card-not-present transactions. In 2016, the RBI exempted low-value transactions (less than INR2,000) from this 2FA requirement. The original directive and the subsequent exemption were issued by the RBI under the PSSA.

Regulations applicable to the FinTech industry do not vary significantly from those applicable to legacy players in India, primarily because these entities are regulated by a common regulator: the RBI. Although there have been proposals for the establishment of an independent authority to regulate the payments industry, these proposals have faced stiff resistance from the RBI.

In most cases, the compliances and obligations applicable to traditional financial institutions are more onerous than those applicable to their newer counterparts. Traditional banks and non-banking financial institutions are subject to more demanding capitalisation requirements, reporting requirements, consumer grievance redressal obligations and other operational restrictions. A FinTech company could, for instance, outsource parts of its operations with relative ease. A similar outsourcing arrangement in a bank would be subject to numerous restrictions and requirements, including requirements to include specific clauses and provisions in outsourcing agreements. Banks and non-banking finance companies are also required to have several committees and policies in place. Such requirements do not always apply to ordinary FinTech companies.

India does not yet have a regulatory sandbox for payments. In response to a recommendation submitted by an inter-regulatory working group in 2018, the RBI is said to be working on a regulatory sandbox for FinTech and digital banking. When launched, this sandbox will likely be maintained by the Institute for Development and Research in Banking Technology in collaboration with the RBI.

At present, the RBI is the sole regulator with jurisdiction over participants in the digital payments vertical. Notably, an inter-ministerial panel set up by the government of India to update the PSSA had recommended setting up an independent payment regulatory board (PRB) to regulate the payments sector. The RBI was not in favour of this proposal and submitted a dissenting note that recommended that the PRB remains within the purview of the RBI. It remains to be seen whether the recommendations of the panel will prevail and, if so, the manner in which the jurisdictions of the RBI and PRB are demarcated.

Where an outsourcing FinTech entity is not a bank or a licensed NBFC, Indian regulations currently do not impose any mandatory obligations on such entity’s outsourcing partner. However, the RBI ordinarily prohibits licensed entities from outsourcing regulated functions as part of its licence conditions, meaning that only non-core functions may be outsourced.

The outsourcing of IT service functions by banks is regulated by the RBI’s Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (RBI IT Guidelines). As per Chapter 4 of the RBI IT Guidelines, service-providers/vendors are required to retain the ability to clearly isolate and identify a bank’s information, documents, records and assets to protect confidentiality. If a service-provider/vendor acts as an outsourcing agent for multiple banks, strong safeguards should be put in place so that there is no commingling of information, documents, records and assets.

The RBI IT Guidelines contain detailed guidance on the contents of IT outsourcing contracts proposed to be entered by Indian banks. Such a contract is required to be in writing and should consider any specific risks or concerns identified during the risk evaluation or due diligence process. The RBI IT Guidelines prescribe certain minimum requirements for such contractual arrangements, including the following.

  • Performance standard – key performance metrics should be defined for each outsourced activity. This may be included in a ‘service level agreement’ or similar document.
  • Access rights – the bank should retain the ability to access all books, records and information relevant to the outsourced activity, which are available with the service-provider/vendor.
  • Audit and inspection – the bank should retain the right to conduct periodic audits on the service-provider/vendor, in relation to the services provided to the bank. Similarly, the contract should explicitly permit the RBI to access the bank’s documents and records that are stored or processed by the service-provider, including any data provided in electronic form. The service-provider/vendor should explicitly recognise the right of the RBI to cause an inspection to be conducted on the service-provider/vendor as well as its books and accounts, by one or more of its officers or other persons.
  • Subcontracting – the contract should contain covenants limiting subcontracting by the service-provider/vendor. Prior approval/consent of the bank should be prescribed for the use of subcontractors by the service-provider/vendor.

Notably, the PPI Master Directions impose the following compliances and requirements on PPI providers in respect of their outsourcing operations:

  • the PPI provider’s contract with its service provider must, amongst others, provide for rights of audit/inspection by the RBI;
  • the RBI must have access to all information resources (online/in person) that are consumed by the PPI provider and such resources must be made accessible to RBI officials when sought;
  • the PPI provider must adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and localisation of data;
  • the PPI provider must review security processes and controls being followed by service-providers regularly; and
  • the PPI provider’s contract with its service-provider must impose an obligation on the service-provider to disclose any security breaches that occur in the service-provider’s ICT infrastructure or process.

In March 2018, the RBI imposed a monetary penalty of INR50 million on Airtel Payments Bank for violating the RBI’s operational guidelines for payment banks and KYC directions. Airtel Payments Bank had allegedly opened bank accounts for customers without their clear and specific consent.

In November 2018, the RBI imposed a penalty of INR10 million on FINO Payments Bank for opening new bank accounts despite specific directions from the RBI to refrain from doing so. Earlier in 2018, FINO Payments Bank had been banned from onboarding new customers until it had put appropriate systems and processes in place to adhere to the RBI’s operational guidelines, particularly the limits placed on customer deposits. Similar directions were also issued to PayTM Payments Bank, in response to lapses in the company’s regulatory compliance and adherence to the RBI’s operational guidelines.

Privacy Laws

At present, Indian data privacy laws consist of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules). As per the Privacy Rules, an entity (the Data Collector) that collects or processes sensitive personal data or information (SPDI), which includes bank account information and payment instrument details, pertaining to an individual (Data Subject) is required to:

  • provide a privacy policy;
  • provide a mandatory notice/disclosure to the Data Subject before collecting information;
  • appoint and provide details of a grievance officer;
  • allow Data Subjects to access and update information;
  • ensure that data collected is not retained for longer than necessary under applicable law;
  • obtain the prior consent of the Data Subject while collecting SPDI;
  • implement reasonable security measures and standards to protect this information; and
  • ensure compliance with the requirements for the transfer of SPDI.

Notably, obligations, compliances and regulations prescribed under the IT Act and Privacy Rules apply uniformly to new FinTech entrants and legacy players. That said, it may be noted that Indian banks also owe a fiduciary obligation towards their customers, which includes a duty to maintain confidentiality. Consequently, in the event of any unauthorised disclosure of an individual’s confidential financial information, a bank may incur liability for breach of its fiduciary duties, over and above its statutory liability for breach of the IT Act and Privacy Rules.

Reference may also be made to the draft PDP Bill that was prepared by a committee of experts and submitted to the government of India in July 2018. Further details regarding the features of the PDP Bill have been provided below.

Anti-money Laundering Laws

The Prevention of Money Laundering Act, 2002 (PMLA) provides the core legal framework for the prevention of money laundering in India. The PMLA and the rules framed thereunder impose an obligation on banking companies, financial institutions (which include payment system providers) and intermediaries (collectively, Reporting Entities or REs) to verify the identity of customers, maintain records pertaining to transactions and report certain suspicious transactions to the government of India.

As per the PMLA, an RE is required to report the following categories of transactions to the Financial Intelligence Unit–India (FIU-IND) in such form and manner as may be prescribed from time to time.

  • Cash transaction reports – an RE is required to report all cash transactions undertaken on the payment system that have a value of more than INR1 million (or its equivalent in foreign currency). An RE is also required to report any series of integrally connected cash transactions undertaken on the payment system that are individually valued below INR1 million (or its equivalent in foreign currency) where the series has taken place within a month and the monthly aggregate exceeds INR1 million (or its equivalent in foreign currency).
  • Suspicious transaction reports – an RE is required to report any transaction or attempted transaction undertaken on the payment system that:
      1. gives rise to a reasonable ground of suspicion that it may involve proceeds of an offence specified under the PMLA, regardless of the value involved;
      2. appears to be made in circumstances of unusual or unjustified complexity;
      3. appears to have no economic rationale or bona fide purpose; or
      4. gives rise to a reasonable ground of suspicion that it may involve financing of activities relating to terrorism.
  • Cross-border wire-transfer reports – an RE is required to report all cross-border wire-transfers of more than INR5 million (or its equivalent in foreign currency) where the origin or destination of funds is in India.
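Of the three categories above, the cash transaction and cross-border wire-transfer reports are driven by objective thresholds and can be screened for automatically, whereas the suspicious transaction criteria are judgment-based. The following Python script is an added illustration of that screening, not code from this chapter or from any RE. It takes the thresholds (INR1 million and INR5 million) from the text, assumes that "integrally connected" cash transactions means cash transactions by the same customer within one calendar month (an assumption; the page does not define the term), and runs over constructed sample transactions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Thresholds stated in the PMLA reporting rules summarised above (in INR).
CTR_THRESHOLD_INR = 1_000_000
CROSS_BORDER_WIRE_THRESHOLD_INR = 5_000_000


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    amount_inr: int
    booked_on: date
    kind: str                   # "cash" or "wire"
    origin_country: str = "IN"  # ISO country code of the funds' origin
    dest_country: str = "IN"    # ISO country code of the funds' destination


def cash_transaction_reports(txns):
    """Return the sorted ids of cash transactions that belong in a CTR.

    A single cash transaction above the threshold is reportable on its own.
    Smaller cash transactions are grouped by customer and calendar month
    (assumption: this is what 'integrally connected' means); when the
    group's aggregate exceeds the threshold, every transaction in the group
    is reported.
    """
    reportable = set()
    monthly_groups = defaultdict(list)
    for t in txns:
        if t.kind != "cash":
            continue
        if t.amount_inr > CTR_THRESHOLD_INR:
            reportable.add(t.txn_id)
        else:
            key = (t.customer_id, t.booked_on.year, t.booked_on.month)
            monthly_groups[key].append(t)
    for group in monthly_groups.values():
        if sum(t.amount_inr for t in group) > CTR_THRESHOLD_INR:
            reportable.update(t.txn_id for t in group)
    return sorted(reportable)


def cross_border_wire_reports(txns):
    """Return the sorted ids of wires above the threshold with exactly one Indian leg."""
    out = []
    for t in txns:
        if t.kind != "wire" or t.amount_inr <= CROSS_BORDER_WIRE_THRESHOLD_INR:
            continue
        touches_india = "IN" in (t.origin_country, t.dest_country)
        if touches_india and t.origin_country != t.dest_country:
            out.append(t.txn_id)
    return sorted(out)


# Constructed sample data for the example; these are not real transactions.
SAMPLE_TXNS = [
    Txn("T1", "C1", 1_500_000, date(2019, 3, 4), "cash"),            # single CTR
    Txn("T2", "C2", 400_000, date(2019, 3, 5), "cash"),              # aggregate 1.2M
    Txn("T3", "C2", 400_000, date(2019, 3, 12), "cash"),             #   in March
    Txn("T4", "C2", 400_000, date(2019, 3, 27), "cash"),             #   -> all three
    Txn("T5", "C2", 400_000, date(2019, 4, 2), "cash"),              # April: alone
    Txn("T6", "C3", 6_000_000, date(2019, 3, 8), "wire", "IN", "US"),  # reportable
    Txn("T7", "C3", 6_000_000, date(2019, 3, 9), "wire", "US", "GB"),  # no Indian leg
    Txn("T8", "C3", 4_000_000, date(2019, 3, 10), "wire", "IN", "US"), # under threshold
]

if __name__ == "__main__":
    print("CTR:", cash_transaction_reports(SAMPLE_TXNS))
    print("Cross-border wire:", cross_border_wire_reports(SAMPLE_TXNS))
```

The text says "more than" INR1 million for single transactions and "below" INR1 million for the aggregated series, so a transaction of exactly INR1 million falls into the aggregation pool rather than being reported alone; a production rule set would want that boundary confirmed with compliance counsel rather than inferred.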

Cybersecurity Laws

The RBI has issued various regulations and directions to entities regarding the cybersecurity measures to be implemented by banks, non-banking financial institutions and other payment service providers. In July 2016, the RBI issued a notification on Cyber Security Framework in Banks that requires banks to, among other things:

  • formulate and implement a board-approved cybersecurity policy, which must be distinct and separate from the bank’s broader IT and information security policy;
  • test for vulnerabilities at reasonable intervals;
  • set up and operationalise a Security Operations Centre (SOC) to monitor and manage cyber risks in real time;
  • implement a cybersecurity and resilience framework, the minimum baseline for which is set out in Annex 1 of the RBI guidelines;
  • formulate and implement a Cyber Crisis Management Plan (CCMP) that covers detection, response, recovery and containment; and
  • report cybersecurity incidents to the RBI in a prescribed format.

Notably, the PPI Master Directions place similar, albeit less onerous, compliance requirements on mobile wallet-providers. Among other things, an entity operating a mobile wallet must:

  • conduct an annual cybersecurity audit on its systems through an empanelled auditor;
  • implement application life cycle security, which includes conducting source code audits by a professionally competent service-provider;
  • constitute a SOC for centralised and co-ordinated monitoring and management of security incidents;
  • implement anti-phishing measures;
  • implement risk-based transaction monitoring;
  • implement disaster recovery measures to recover rapidly from cyber-attacks or other incidents and safely resume critical operations; and
  • report cybersecurity incidents immediately to the RBI.

The use of social media and similar tools by FinTech companies is not currently regulated under Indian law.

Besides regulators such as the RBI, the activities of participants in the payments industry are reviewed by audit firms appointed by such entities.

Financial Audit

The PPI Master Directions require every licensed PPI provider to submit a certificate signed by its auditors (in a prescribed form) on a quarterly basis certifying that the entity has been maintaining adequate balance in its escrow account to cover the outstanding value of all PPIs issued by it. System-providers must also submit an annual certificate (in a prescribed form) confirming such compliance.

Information Systems Audit

In addition, the PPI Master Directions require non-bank PPI providers to submit a Systems Audit Report, including the results of a cybersecurity audit, on an annual basis to the RBI. The scope of such audit must include:

  • review and testing of security controls;
  • review and testing of technology deployed to ensure that the authorised payment system is being operated in a safe, secure, sound and efficient manner;
  • evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing systems and applications, documentation, etc;
  • evaluation of information security governance and processes;
  • measuring compliance as per security best practices; and
  • commenting on the deviations, if any, in the processes followed from the process flow submitted to the RBI while seeking authorisation.

Participants in the payments industry offer regulated products in conjunction with unregulated products and services. The usual practice is for such services to be offered through different legal entities. SPVs are set up to operate regulated services and are capitalised only to the extent necessary under law. The SPV’s parent or affiliate entity operates unregulated verticals and it is usually this entity that receives a substantial portion of any incoming foreign investment. This is also the entity that incurs expenses in relation to marketing, R&D and corporate partnerships.

For example, PayTM group, one of India’s largest payment system and PPI providers, consists of the following entities, among others:

  • One97 Communications Limited, the parent company for the PayTM group;
  • PayTM E-commerce Private Limited, which operates the PayTM Mall platform, an e-commerce marketplace; and
  • Paytm Payments Bank Limited, which operates the PayTM Payments Bank that subsumed PayTM’s mobile wallet business in 2017.

The asset class does not require different business models.

In India, legacy players have implemented a spectrum of solutions introduced by robo-advisers, which are used:

  • for the purpose of offering simple financial planning models that are offered on an intermediary’s website;
  • to allow investors to choose (based on their risk appetite) from a list of investment funds, securities and portfolios that are considered as low, medium or high risk;
  • to determine the probability of a customer achieving his or her investment goal, which is done with the help of customers providing personalised investor information such as age, financial condition, risk tolerance, income, educational level and investing experience; and
  • to generate a general or a specific list of securities or portfolios that an intermediary could recommend or that an investor could choose to meet his or her investment goal.

Best execution of customer trades would require an adviser to carry out a transaction that is most beneficial with the lowest cost to a customer.

Robo-advisers do not guarantee best execution of customer trades because typically most of the robo-advisers have been designed to provide investment goal-based algorithmic advice to customers. Therefore, the advice is programmed to meet the needs of customers with similar self-selected goals based on customer responses given in their questionnaires. However, these questionnaires provided to the customers can neither be modified nor can the responses be qualified by customers. Accordingly, when the scope of the advice is limited to the investment goals of customers, robo-advisers do not guarantee best execution of customer trades.

Additionally, robo-advisers are not designed to verify the complete financial circumstance of customers and other investments made by customers. Without performing a complete due diligence on the customer’s financial circumstance, robo-advisers have no way of knowing if their advice would guarantee best execution of customer trades.

Online lending in India is mostly conducted on peer-to-peer lending platforms (P2P Platforms), which are regulated by the RBI under the Master Directions – Non-Banking Financial Company – Peer to Peer Lending Platforms (Reserve Bank) Directions, 2017 (P2P Master Directions).

A P2P Platform can be established by a company incorporated in India. Such company is also required to be registered with the RBI as a non-banking financial institution in accordance with the terms of the P2P Master Directions (NBFC-P2P). Under the P2P Master Directions, an NBFC-P2P acts as an intermediary providing an online platform that connects prospective borrowers with prospective lenders and facilitates easier and quicker grant of loans by providing services such as due diligence, credit assessment and risk-profiling of prospective borrowers, and assisting in the finalisation of loan agreements and other relevant documents, to be entered between the lenders and borrowers on a P2P Platform.

Any person in India – including an individual, a body of individuals, a Hindu undivided family, a firm, a society, or any incorporated or unincorporated artificial body – can be a participant (either a lender or a borrower) on a P2P Platform, provided that such person fulfils the applicable eligibility criteria prescribed under a board-approved policy of the relevant NBFC-P2P. All NBFC-P2Ps are mandated by the RBI to have a board-approved policy setting out, inter alia, the eligibility criteria for participants on the P2P Platform of such NBFC-P2P. An NBFC-P2P is not permitted to lend on P2P Platforms.

The other salient features of the framework for the operation of P2P Platforms in India, as laid down by the P2P Master Directions, are set out below:

  • only unsecured loans can be granted;
  • an eligible lender is permitted to provide loans to several borrowers simultaneously across various P2P Platforms, provided that the aggregate amount of loans provided by such lender to all borrowers combined, across all P2P Platforms, does not exceed INR1 million and the aggregate amount of loans provided by such lender to a single borrower, across all P2P Platforms, does not exceed INR50,000;
  • similarly, a borrower is permitted simultaneously to borrow funds from several lenders across various P2P Platforms, provided that the aggregate amount of funds borrowed from all lenders across all P2P Platforms combined does not exceed INR1 million;
  • the loans granted on P2P Platforms have a maximum maturity period of 36 months; and
  • subject to the second and third points above, the P2P Master Directions do not specify any limits on the amounts that may be borrowed in a single transaction by a borrower on a P2P Platform.
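The exposure limits in the list above apply across all P2P Platforms, so checking a proposed loan means aggregating the lender's and the borrower's outstanding loans across platforms before comparing against the caps. The Python function below is an added example of such a pre-lending check; it is not code from the chapter or from any NBFC-P2P. The caps (INR1 million, INR50,000, 36 months, unsecured only) come from the text; the cross-platform ledger it consults is constructed sample data, and the assumption that a platform can obtain such a cross-platform view is mine (the page does not describe how exposure is shared between platforms).

```python
from dataclasses import dataclass

# Limits from the P2P Master Directions as summarised above.
LENDER_AGGREGATE_CAP_INR = 1_000_000
LENDER_PER_BORROWER_CAP_INR = 50_000
BORROWER_AGGREGATE_CAP_INR = 1_000_000
MAX_TENURE_MONTHS = 36


@dataclass(frozen=True)
class Loan:
    lender_id: str
    borrower_id: str
    amount_inr: int
    tenure_months: int
    platform: str        # which P2P Platform the loan was made on
    secured: bool = False


def check_proposed_loan(proposed, outstanding):
    """Return the list of limit codes a proposed loan would breach (empty = permitted).

    `outstanding` is the set of existing loans across all P2P Platforms
    (assumption: the platform can obtain this cross-platform view). Amounts
    are compared as 'does not exceed', so hitting a cap exactly is allowed.
    """
    breaches = []
    if proposed.secured:
        breaches.append("secured")
    if proposed.tenure_months > MAX_TENURE_MONTHS:
        breaches.append("tenure")

    lender_total = proposed.amount_inr + sum(
        l.amount_inr for l in outstanding if l.lender_id == proposed.lender_id)
    if lender_total > LENDER_AGGREGATE_CAP_INR:
        breaches.append("lender_aggregate")

    to_this_borrower = proposed.amount_inr + sum(
        l.amount_inr for l in outstanding
        if l.lender_id == proposed.lender_id and l.borrower_id == proposed.borrower_id)
    if to_this_borrower > LENDER_PER_BORROWER_CAP_INR:
        breaches.append("lender_per_borrower")

    borrower_total = proposed.amount_inr + sum(
        l.amount_inr for l in outstanding if l.borrower_id == proposed.borrower_id)
    if borrower_total > BORROWER_AGGREGATE_CAP_INR:
        breaches.append("borrower_aggregate")
    return breaches


# Constructed sample ledger (not real loans). Lender L1 has INR980,000 out
# across two platforms; borrower B1 owes INR961,000 to twenty lenders.
OUTSTANDING = (
    [Loan("L1", "B1", 30_000, 12, "alpha")]
    + [Loan("L1", f"B{i}", 50_000, 24, "beta") for i in range(2, 21)]
    + [Loan(f"L{i}", "B1", 49_000, 24, "gamma") for i in range(2, 21)]
)

if __name__ == "__main__":
    for loan in (
        Loan("L1", "B99", 20_000, 12, "alpha"),               # permitted
        Loan("L1", "B99", 25_000, 12, "alpha"),               # lender cap breached
        Loan("L1", "B1", 25_000, 12, "alpha"),                # two caps breached
        Loan("L99", "B1", 40_000, 12, "alpha"),               # borrower cap breached
        Loan("L5", "B50", 10_000, 48, "alpha", secured=True), # secured, too long
    ):
        print(loan.lender_id, "->", loan.borrower_id, check_proposed_loan(loan, OUTSTANDING))
```

Returning breach codes rather than a bare boolean lets the platform show the participant which limit blocked the loan and log the decision for the RBI reporting obligations mentioned earlier in the chapter.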

The P2P Master Directions do not provide a different regulatory framework on the basis of classification of borrowers.

In addition to the above, it should be noted that Indian banks and non-banking financial institutions (NBFCs) also use their own online platforms to carry out activities associated with their lending process, and/or use online services/platforms established by independent service-providers to facilitate the lending process. In the latter case, activities such as identification of borrowers, collection and preliminary processing of loan applications, and recovery of principal and/or interest are outsourced to such independent service-providers in accordance with the applicable regulations prescribed by the RBI in relation to outsourcing of activities by banks and NBFCs. Such activities make the lending process simple, quick and time-efficient. However, it should be noted that in such cases, banks and financial institutions do not lend online directly to their customers.

The lending activity of banks and NBFCs, irrespective of the mode of lending (ie, whether online or not), is governed by their respective credit policies and applicable regulations prescribed by the RBI such as the Master Circular on Loans and Advances – Statutory and Other Restrictions issued by the RBI in relation to banks and the Master Direction – Non-Banking Financial Company – Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Direction, 2016, and the Master Direction – Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016 issued by the RBI in relation to non-banking financial companies.

With a view to underwriting the risk that may be borne by lenders on a P2P Platform (P2P Lenders), NBFC-P2Ps, under the P2P Master Directions, have an obligation to conduct due diligence and undertake credit assessment and risk-profiling of prospective borrowers on a P2P Platform. Such details, including the result of the credit assessment and risk profiling and the credit scores of prospective borrowers, are required to be disclosed by the NBFC-P2P to lenders on the P2P Platform, thereby reducing the risk to a lender in entering into a lending transaction on a P2P Platform. An NBFC-P2P is not permitted to arrange any credit enhancement or provide any form of credit guarantee.

In relation to lenders on P2P Platforms, the P2P Master Directions do not restrict such lenders from using their own underwriting processes, nor do they indicate the underwriting activities that may be undertaken by such lenders. However, as the RBI governs the regulatory framework for P2P Platforms in India, it is a possibility that the RBI may issue suitable guidelines regulating the underwriting processes that may be undertaken independently by the P2P Lenders.

Under the P2P Master Directions, there is no restriction on the sources of funds that may be utilised by the P2P Lenders to grant loans and P2P Lenders are also not required to identify or disclose the sources of funds that they are utilising for granting loans on a P2P Platform. P2P Lenders may, accordingly, lend by utilising their own funds, proceeds of deposits accepted by them in accordance with regulations governing acceptance of deposits, capital raised from other sources or through a combination of any of the aforementioned sources. In relation to fund-raising by way of securitisation, there is no information available in the public domain that suggests that such source of funds is being used by P2P Lenders to grant loans on P2P Platforms.

In this regard, it is to be noted that as per Section 45S of the Reserve Bank of India Act, 1934 (RBI Act), individuals, Hindu undivided families, partnership firms and other unincorporated associations of individuals are prohibited from accepting ‘deposits’ if their business includes any activities of a ‘financial institution’ as set out in the RBI Act, which includes making loans or advances for financing any activity other than the activity in which such person is involved. An NBFC-P2P is not permitted to raise deposits.

The P2P Master Directions are silent on syndication of loans disbursed through P2P Platforms.

Independent organisations such as the Digital Lenders’ Association of India have sought clarifications from the RBI on the scope of syndication of loans disbursed through P2P Platforms. However, no clarifications in this respect have been received from the RBI.

There is no requirement for payment processors to use existing payment rails; they are free to create and implement new payment rails subject to regulatory considerations in place in relation to payment systems. Payment platforms and payment systems in India are governed by the provisions of the PSSA. The RBI is the authority that acts as a regulator of such payment systems under the PSSA.

A ‘payment system’ is defined under the PSSA to mean a system that enables payment to be effected between a payer and a beneficiary – involving clearing, payment or settlement service, or all of them – and includes systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.

All systems (except stock exchanges and clearing corporations set up under stock exchanges) carrying out clearing, settlement or payment operations, or all of them, are regarded as payment systems. All entities operating such systems are known as system providers. Also, all entities operating money-transfer systems, card-payment systems or similar systems fall within the definition of a system-provider.

Under the PSSA, no person other than the RBI can operate or commence a payment system, unless authorised by the RBI. Any person desirous of commencing or operating a payment system needs to apply for authorisation under the PSSA.

Fund administrators are regulated. Domestic funds (investment funds set up in India) are regulated as mutual funds under the SEBI (Mutual Funds) Regulations, 1996 (MF Regulations); alternative investment funds (AIFs) under the SEBI (AIF) Regulations, 2012 (AIF Regulations); REITs under the SEBI (REIT) Regulations, 2014 (REIT Regulations); infrastructure investment trusts (INVITs) under the SEBI (INVIT) Regulations, 2014 (INVIT Regulations); and collective investment schemes (CIS) under the SEBI (CIS) Regulations, 1999 (CIS Regulations). Offshore funds (investment funds set up outside India that invest in Indian securities or domestic funds) are regulated under the SEBI (Foreign Portfolio Investors) Regulations, 2014 (FPI Regulations) and the SEBI (Foreign Venture Capital Investor) Regulations, 2000 (FVCI Regulations). The RBI also regulates offshore funds through the exchange control regulations, viz the Foreign Exchange Management (Transfer or Issue of Security by a Person Resident outside India) Regulations, 2000 (FEMA 20).

The Securities and Exchange Board of India (SEBI), through all the aforementioned regulations, provides for a manner in which such funds may be registered and regulated, including prescribing eligibility criteria for their administrators, providing restrictions on their activities and prescribing investor-related protections. Such regulations are dependent on the nature of a fund. For instance, an AIF is a privately pooled investment vehicle that collects funds from sophisticated investors, whether Indian or foreign, for investing in accordance with a defined investment policy. The AIF Regulations require funds to register and set out the respective registration processes. The key requirements that apply to an AIF’s investment team of managers and operators include a minimum professional experience of five years in advising or managing pools of capital, or portfolio or investment management, meeting the ‘fit and proper person’ criterion, capital adequacy requirements and infrastructure requirements.

Further, under the AIF Regulations, funds are registered as separate categories depending on their activities:

  • Category I funds receive incentives from the government, SEBI or other regulating agencies, including social venture funds, infrastructure funds, venture capital funds and SME funds;
  • Category II funds are allowed to invest anywhere in any combination, but cannot take debts, except for day-to-day operation purposes (they include private equity funds and debt funds); and
  • Category III funds make short-term investments and then sell, like hedge funds.

Most SEBI regulations governing funds impose obligations on fund administrators to keep investors apprised of a fund’s activities by providing regular statutory updates. The nature of the disclosures may vary between types of funds, but the intention is to protect investors. For instance, the AIF Regulations prescribe certain conditions for sponsors or managers of a fund to ensure protection for investors in such funds. In order to ensure that the interest of the manager/sponsor is aligned with the interests of the investors, the AIF Regulations require the sponsor/manager to have a certain continuing interest in the AIF, which cannot be through the waiver of management fees. For Category I and II AIFs, such interest must not be less than 2.5% of the corpus or INR50 million, whichever is lower, and for Category III AIFs, the interest must not be less than 5% of the corpus or INR100 million, whichever is lower.

Further, AIF Regulations require AIFs to include certain information in their placement memorandum and file such memorandum with SEBI. AIF Regulations also require that if there is a change in control of the manager or sponsor of the AIF or the AIF itself, prior approval of SEBI must be obtained. The incoming manager of an AIF must also satisfy the adequacy requirements set out in the AIF Regulations.

While, under the fund-related regulations, there is no affirmative duty on fund administrators to look for suspicious or unlawful behaviour, SEBI has the right to inspect the functioning of a fund, either of its own accord or upon receipt of information or a complaint. For instance, as per the AIF Regulations, a duty is cast upon every officer to assist SEBI and provide it with relevant information pertaining to the conduct of the affairs of the AIF.

There are two types of trading platforms permissible in India: recognised stock exchanges and electronic trading platforms.

Recognised stock exchanges are recognised by the central government and are governed by the provisions of the Securities Contracts (Regulation) Act, 1956 (Securities Act), which permits only those exchanges that have been recognised by the central government to function in any notified state or area. It prescribes the requirements that a company must comply with before its shares can be listed on any recognised stock exchange in the country.

SEBI is the regulatory body that acts as the principal regulator of stock exchanges in India. SEBI’s primary functions include protecting investor interests, and promoting and regulating the Indian securities markets. All financial intermediaries, whether domestic or foreign, that are permitted by their respective regulators to participate in the Indian securities markets are governed by SEBI regulations. The RBI also regulates aspects affecting trading, in its capacity as manager of foreign exchange and regulator of payment and settlement systems.

The Bombay Stock Exchange (BSE) and National Stock Exchange (NSE) are the leading stock exchanges in India. The RBI released the Electronic Trading Platform (Reserve Bank) Directions, 2018 to regulate entities operating electronic trading platforms (ETPs), an ETP being any electronic system, other than a recognised stock exchange, on which transactions in eligible instruments (ie, securities, money market instruments, foreign exchange instruments, derivatives or other instruments of like nature, as may be notified by the RBI from time to time) are contracted. ETPs need to be authorised by the RBI. However, ETPs operated by banks for their customers (acting as users) on a bilateral basis are exempt from registration with the RBI. Details of ETPs are provided in 8.1 Creation and Usage Regulations. The ETP framework was promulgated primarily with the objective of regulating electronic trading platforms for financial instruments regulated by the RBI, eg, OTC derivatives. ETPs encourage transparency in pricing, processing efficiency, improved risk controls and better market surveillance, and are aimed at curbing market abuse and unfair trading practices.

The following broad asset classes exist in India: equity, debt, commodities, real estate and cash. All asset classes (other than real estate) are ultimately regulated and monitored by the Ministry of Finance, SEBI and the RBI. Real estate, comprising real property as an asset class, is regulated by the Real Estate Regulatory Authorities (RERA) established in each state under the Real Estate (Regulation and Development) Act, 2016.

The rules and regulations applicable to such asset classes extend to member registration, securities listing, transaction monitoring, compliance by members with SEBI/RBI regulations, investor protection, etc. The NSE has a set of rules and regulations specifically applicable to each of its trading segments. The NSE as an entity regulated by SEBI undergoes regular inspections by it to ensure compliance.

In 2015, the regulatory body for commodities trading, the Forward Markets Commission (FMC), merged with SEBI. Commodity trading on these exchanges requires standardised agreements, as prescribed, so that trades can be executed without visual inspection of the goods.

REITs are regulated by SEBI and, like mutual funds, pool money from investors, which is then invested in commercial properties to generate income.

Currently, foreign exchange trading takes place in the interbank segment, with participant banks holding authorised dealer (AD) licences granted by the RBI under the Foreign Exchange Management Act, 1999, trading on certain existing trading platforms, and with settlement by the Clearing Corporation of India (CCIL) through a process of multilateral netting. Retail customers buy or sell foreign exchange through AD banks. The RBI has proposed a framework for foreign exchange trading platforms for retail investors, with the objective of developing a foreign exchange platform (along the lines of the FX-Clear interbank USD/INR spot trading platform of the CCIL) for retail participants and encouraging transparent and fair pricing in the retail foreign exchange market. However, this framework has not come into effect yet.

As early as 2013, the RBI began cautioning Indians about the risks and potential misuses of crypto-currency. A lack of understanding about how crypto-currency works has given rise to fraudulent and predatory schemes in India. Moreover, the recent global outlook on crypto-currency, in relation to its price volatility and its use in criminal and illegal activities, including global ransomware attacks, has added urgency to the need for a government policy on crypto-currency. By way of a circular issued on 6 April 2018 (RBI Crypto Circular), the RBI has asked its own regulated entities (such as banks) to stop providing services to individuals or business entities dealing in, or providing services that facilitate any person or entity in dealing with or settling, crypto-currencies or virtual currencies (including bitcoins). Services that have been prohibited include maintaining accounts, registering, trading, settling, clearing, giving loans against virtual tokens, accepting them as collateral, opening accounts of exchanges dealing with them and the transfer or receipt of money in accounts relating to the purchase or sale of virtual currencies.

A central concern for the bitcoin community in India, however, is how the government will define crypto-currency. Although referred to in terms of currency, given its slow transaction times and volatile value, bitcoin operates more like an asset. A decision to classify it as a currency instead of an asset would necessitate a large regulatory apparatus and legislative measures, constituting a serious discouragement for bitcoin usage in India. Crypto-currencies are not legal tender in India. While crypto-currency exchanges are not prohibited from operating, the RBI Crypto Circular restricts the use of banking channels and credit cards in connection with purchasing and selling crypto-currencies, which has made it very difficult for such crypto-currency exchanges to operate. An association representing internet firms has challenged the RBI Crypto Circular before the Supreme Court of India, and the challenge is pending a decision by the court.

The primary listing obligations are provided by SEBI in the form of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015. However, the stock exchanges prescribe additional listing requirements that are detailed below.

An NSE listing requires the fulfilment of certain prerequisites for the listing of equity shares, such as a minimum paid-up capital and adherence to any conditions provided under the SEBI Act 1992, the Securities Act, the Companies Act 2013 and any other notification or circulars passed by the relevant regulators, along with at least a three-year track record of the applicant, promoter or partner. Further, there must have been no disciplinary action by other stock exchanges and regulatory authorities in the past three years. An NSE listing also requires a track record of the investor grievance redressal mechanism, the distribution of shareholding, details of any litigation and details of the director(s) of the company in the past three years.

After the RBI ban on servicing crypto exchanges came into effect for banks, some crypto-currency exchanges in India have moved to P2P transactions to trade crypto-currencies. Currently, the regulatory environment is still emerging and the regulators may soon come up with relevant regulations. However, the P2P variant could only be an interim solution and would not define the future of crypto trading and investment in India.

The legality of P2P trading platforms is still ambiguous under the RBI Crypto Circular, which barred not just companies but also individuals who are involved in the purchase and sale of crypto using RBI-regulated entities, such as banks, or credit cards. Even direct transfers among peers, in which the exchange would typically act as an escrow, may be subject to challenge by the RBI on the basis of the RBI Crypto Circular. Most crypto companies have already implemented AML and KYC guidelines, and are willing to work with the authorities to have the necessary regulations in place.

In 2008, SEBI allowed the first instance of algorithmic trading, a direct market access (DMA) facility that allows institutional clients to place buy or sell orders without manual intervention by brokers. DMA enabled clients to access the exchange trading system through brokers’ infrastructure, but without manual intervention. By 2010, the NSE had started offering additional co-location server racks on lease to broking firms to improve speed in algorithmic trading, and such automated trading became more accessible to investors.

SEBI issued circulars dated 30 March 2012 and 21 May 2013 that laid down broad guidelines on algorithmic trading and risk control measures to be implemented by stock exchanges and stockbrokers to address the risk emanating from algorithmic trading, including a system of disincentives for a high daily order-to-trade ratio (OTR).

Such risk controls include a price and quantity check to ensure that the price and quantity quoted do not violate the price bands and maximum permissible quantity per order defined by the exchange for the security. SEBI has also introduced certain measures by way of circulars issued from time to time to ensure a level playing field between algorithmic/co-located trading and manual trading.

The RBI has also released directions to regulate electronic trading platforms, the Electronic Trading Platforms (Reserve Bank) Directions, 2018 (ETP Directions) (for any security other than those transacted on recognised stock exchanges). As per the ETP Directions, an ETP operator that provides algorithmic trading is required to put in place a framework for testing and onboarding algo systems, ensure that such facilities are offered in a transparent and non-discriminatory manner, and ensure that their systems and controls are adequate and effective for monitoring and managing risks arising from algo systems. The ETP Directions provide additional obligations in relation to registration and operations of ETPs.

In relation to different classes of assets, the regulations detailed in 7.2 Regulation of Different Asset Classes will be applicable.

All such participants are considered exchange-like platforms.

As per the ETP Directions, all such ETP operators require an authorisation from the RBI before they can operate in India. The ETP Directions prescribe certain eligibility criteria, which include:

  • the entity is incorporated in India;
  • the entity seeking authorisation as an ETP operator or its key managerial personnel is required to have at least three years' experience of operating trading infrastructure in financial markets;
  • the entity is required to maintain a minimum net worth of INR50 million; and
  • the entity is required to obtain and maintain robust technology infrastructure with a high degree of reliability, availability, scalability and security in respect of its systems, data and network, appropriate to support its operations and manage the associated risks, and ensure capability to disseminate trade information on a real-time basis or near real-time basis.

The RBI has the right to call for additional information or seek any clarification before granting its authorisation under the ETP Directions. Further, if the ETP operator violates any terms of the ETP Direction or any applicable laws, the RBI has the right to cancel the authorisation.

SEBI has approved the provision of a smart order routing (SOR) facility enabling brokers' trading engines to systematically choose the execution destination based on factors viz price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. The NSE and BSE have provided requirements for a best execution policy by their members in accordance with the prescriptions of SEBI. The issues discussed in 3.3 Issues Relating to Best Execution of Customer Trades are applicable to SOR as well.

No such specific distinction has been made under the SEBI guidelines on algorithmic trading.

There are no rules prohibiting payment for order flow.

There is no requirement for any registration of financial research platforms or their participants under Indian law.

While such platforms may not be specifically regulated, they may be categorised as an intermediary under the IT Act. Indian law recognises that in many cases, an entity operating a computer system or platform has little or no control over the purposes for which it is used or the content that is transmitted thereon by third parties. Accordingly, Indian law provides a conditional safe harbour or exemption (Intermediary Exemption) to an entity that operates a website, application or computer system that hosts/provides access to user-generated content.

For this purpose, the IT Act classifies any person "who on behalf of another person, receives, stores, or transmits an electronic record or provides any service with respect to that record" as an Intermediary (Intermediary) and provides such entities protection from the applicability of certain laws and penalties. Because of this broad definition, search engines, online payment sites, online marketplaces, social media platforms and many other internet-based entities qualify as Intermediaries.

Section 79 of the IT Act provides that an Intermediary is not liable for any third-party information, data or communication link made available or hosted by it, if it fulfils certain conditions that have been set out in the IT Act and the Information Technology (Intermediary Guidelines) Rules, 2011 (Intermediary Rules).

On 24 December 2018, the Ministry of Electronics and Information Technology (MeitY) proposed certain key changes to the Intermediary Rules. One of the proposed changes is the addition of a new obligation to require all Intermediaries to deploy artificial intelligence-enabled tools to identify proactively and remove unlawful content from their platforms. While the amendments have not come into force and MeitY is currently assessing public comments in relation to proposed changes, if it is passed by the legislature, Intermediaries will have to monitor their platform proactively for unlawful content.

As per the Intermediary Rules, there is no affirmative duty to curate user-generated content. However, upon receiving actual knowledge of any unlawful content being transmitted or uploaded on the platform/system, the entity must expeditiously remove or disable access to such content. Pursuant to a ruling of the Supreme Court of India, this curative action is required to be taken within 36 hours of the entity receiving (i) a court order or (ii) a notification/order from a government agency requiring it to take down or disable access to such content. Upon removing or disabling obscene content, the entity must preserve the documents and information pertaining to such content for a period of at least 90 days, to enable investigations.

Another condition that an Intermediary is required to fulfil, in order for it to be eligible for an Intermediary Exemption, is to regulate the use of its platform by having in place appropriate rules and regulations, policies and agreements for its users. These rules and regulations should inform users that they are prohibited from uploading, sharing and hosting potentially unlawful content.

As mentioned above, except for curative action and an obligation to make their users aware of prohibitions on uploading unlawful content, there is no other affirmative duty applicable to Intermediaries to act as gatekeepers. They do have to provide their users a simple grievance redressal mechanism, whereby a complaint may be made and resolved. Having said that, Intermediaries typically put in place a monitoring mechanism to ensure removal of unlawful content.

In India, InsurTech companies are registered with the Insurance Regulatory and Development Authority of India (IRDAI) as an insurance company or an insurance web aggregator company. Further, underwriting processes are generally governed by an insurance company’s underwriting policy. Therefore, if an InsurTech company is registered as an insurance web aggregator, it cannot undertake the activity of underwriting.

Before an InsurTech company registered as an insurance company adopts its underwriting policy, it must ensure that the underwriting policy has been drafted in accordance with the guidelines provided by the IRDAI. Further, an InsurTech company must file the underwriting policy with the IRDAI after it has been approved by the InsurTech company’s board.

As per the IRDAI guidelines, InsurTech companies (registered as insurance companies) must ensure that the following details are provided in the underwriting policy for their insurance products:

  • the underwriting philosophy of the insurance company;
  • the cushions that will be built into the rates to cover acquisition costs, promotional expenses, management expenses, catastrophe reserve, profit margin and the credit that will be taken for investment income in the design of rates, terms and conditions of cover, and how they will be modified based on the actual operating ratios of the insurer;
  • the list of products that will fall into retail or commercial product classifications;
  • the role and extent of involvement of the appointed actuary in the review of statistics to determine rates, and terms and conditions of cover in respect of all products;
  • information on the internal audit machinery that will be put in place for ensuring quality in underwriting and compliance with the corporate underwriting policy; and
  • the procedure for reporting to the board on the performance of the management in underwriting the business, including the forms and frequency of such reports.

Additionally, InsurTech companies must also ensure the following:

  • the product design, rating, terms and conditions of cover, and underwriting activity at all times must be consistent with the company’s board-approved underwriting policy;
  • the policy remains relevant and updated at all times;
  • the delegation of underwriting authority to different levels of management or specific persons is properly documented and followed;
  • the insurance company has a well-staffed internal audit department to function efficiently; and
  • IT systems are in place with the capability for rating support, a statistical database for analysis of experience, reviewing underwriting of risks, providing support for inspections and for internal audit.

In addition, every InsurTech company must constitute a ‘technical audit department’ to ensure that the underwriting is performed in compliance with the guidelines. The audit must be conducted every six months and the report prepared by the technical audit department must be placed before the InsurTech company’s board of directors.

In India, the main regulations for the insurance business are the Insurance Act, 1938; the Life Insurance Corporation Act, 1956; the General Insurance Business (Nationalisation) Act, 1982; the Marine Insurance Act, 1963; and the Motor Vehicles Act, 1988. However, the Insurance Act, 1938 is the definitive piece of legislation in insurance that covers life and general insurance.

Accordingly, in terms of regulation in India a broad differentiation has been made, and insurance is divided into life insurance and general insurance. Life insurance is an insurance contract in which the life risk of an individual is covered, with a guarantee to provide compensation of a specified sum on the death of the insured or after a specified period of time. General insurance, also called non-life insurance or property and casualty insurance, is a contract that covers any risk apart from the risk to life. Such insurance is meant to safeguard a person and his or her property – such as a home, car and other valuables – from fire, theft, flood, storm, accident and so on. The types of general insurance covered are:

  • fire insurance;
  • marine insurance;
  • health insurance;
  • motor insurance; and
  • home insurance.

The IRDAI governs all insurance companies and insurance web aggregator companies in India. Insurance companies are given the liberty to decide their own policy terms and conditions, but such terms and conditions must be approved by the IRDAI. Further, the Insurance Act, 1938 provides policyholders a right to override any contrary policy terms in favour of Indian law and jurisdiction.

However, under the Insurance Act, 1938, certain regulatory distinctions have been made between life insurance and general insurance. The Insurance Act, 1938 has made distinctions in terms of the following.

  • Deposits – every insurer must deposit with the RBI a certain amount in cash or approved securities estimated at the market value of the securities on the day of deposit. The required amount of deposit for general and life insurance companies is different.
  • Investments – every insurer is required to invest funds of the policyholders in the manner as set out in the Insurance Act, 1938. However, the funds of the policyholders cannot be invested outside India. The Insurance Act, 1938 has provided for thresholds of investment and the method of investment, which are different for general insurance companies and life insurance companies.
  • Solvency – all insurance companies must ensure that their assets exceed the value of their liabilities by a certain margin, called the required solvency margin. The required solvency margin prescribed is different for life insurance and general insurance businesses.

RegTech, a subset of FinTech, was created to handle regulatory challenges in the financial sector through technology. In order to manage regulatory compliances and filings, monitor policies and streamline processes, many financial companies have turned to RegTech companies to provide regulatory technology. In India, the banking and financial sectors have started relying on RegTech companies to provide technology to cope with day-to-day compliances.

The providers of RegTech are regulated based on the sector to which they provide their services. For instance, when a financial institution outsources the handling of its compliance work to a RegTech company, such financial institution will be regulated by the RBI, SEBI or IRDAI (Regulators). Accordingly, if the outsourcing entity is regulated by the RBI, providers of RegTech will be regulated under the RBI’s Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks, the RBI’s Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs and/or the RBI’s Master Direction on Information Technology Framework for the NBFC Sector. If the outsourcing entity is regulated by SEBI, then providers of RegTech will be regulated under the SEBI Guidelines on Outsourcing of Activities by Intermediaries and the SEBI Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations; and if the outsourcing entity is an insurance company, then providers of RegTech will be regulated under the Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017 (collectively, Outsourcing Guidelines).

Financial service firms are free to enter into an agreement as per industry customs. However, they will also have to ensure compliance with the requirements of the applicable Outsourcing Guidelines. The Outsourcing Guidelines provided by the Regulators have laid down certain key provisions that must be included in the agreements entered into with the service-provider and these Outsourcing Guidelines, amongst other conditions, impose terms that assure performance and accuracy.

As per the Outsourcing Guidelines, financial service firms that seek services of a RegTech company to outsource their financial services must include the following provisions in the agreement entered with the service-provider:

  • define the activities being outsourced, including appropriate service and performance standards;
  • provide for continuous monitoring and assessment of the service-provider by the financial services firm so that any necessary corrective measure can be taken immediately;
  • include a termination clause and the minimum period required to exercise it, where deemed necessary;
  • incorporate controls to ensure customer data confidentiality and the service-provider's liability in the case of a security breach or leakage of confidential customer-related information;
  • provide contingency plans to ensure business continuity;
  • provide for prior approval/consent by the financial services firm of the use of subcontractors by the service-provider for all or part of an outsourced activity;
  • give the financial services firm the right to audit the service-provider, whether through internal or external auditors or through agents appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made on the service-provider in connection with the services performed for the firm;
  • specify the responsibilities of the third party with respect to IT security and contingency plans, insurance cover, business continuity and disaster recovery plans, force majeure clauses, etc; and
  • provide for preservation of documents and data by the third party.

There are no explicit regulations that require RegTech providers to act as 'gatekeepers'. However, regulators require that agreements executed between the financial institutions and the service-providers specifically recognise the right of the regulator (and its authorised representatives) to:

  • examine the books, records, information, systems and the internal control environment of the outsourcing service provider to the extent that they relate to the service being performed for the financial institutions;
  • access any internal audit reports or external audit findings of the outsourcing service-provider that concern the service being provided to the financial institutions; and
  • access the documents, records of transactions and other information provided to, stored or processed by an outsourcing service-provider in relation to a foreign financial institution’s activities and operations in India, within a reasonable time (Audit Rights).

In circumstances where the financial institution outsources its activities to service providers outside India, the terms of the outsourcing agreement must comply with respective local laws and regulations, provided that such arrangement should not impede supervision, access and oversight by the Regulator.

Accordingly, while it may not be expected of the RegTech companies to act as 'gatekeepers', they will be expected to provide assistance to the regulators in the event that they exercise their Audit Rights.

The legacy players in the banking, financial services and insurance sector in India are in the process of adopting blockchain technology (BCT) in their financial services in the following ways:

  • use of BCT in cross-border remittances between banks;
  • to store data, in order to have a single source of customer medical, KYC, claims and other useful records for insurers;
  • to facilitate cross-company data sharing for the specific purposes of reducing fraud and money laundering in the insurance sector;
  • to authenticate, verify and store electronic records for banks;
  • to support supply chain finance; ie, the technology lets suppliers obtain loans against invoices approved by the manufacturer without any paperwork; and
  • to provide onboarding solutions for banks, NBFCs and other financial institutions.

At present, there are no regulatory guidelines in place for the adoption of blockchain in banks and financial institutions. However, the RBI is implementing several initiatives to bring into place regulations that can be adopted by banks and financial institutions to implement BCT.

In September 2017, IDRBT, RBI’s research arm that focuses on banking technology, released a White Paper on ‘Applications to Blockchain to banking and financial sectors in India’, which provided a road map for adopting BCT in the banking and finance sectors. Some of the recommendations that were made by IDRBT to use BCT in the banking and financial sectors included the following:

  • setting up a private blockchain for banks’ internal purposes;
  • providing secure and distributed databases of client information shared between banks;
  • enabling real-time settlement of cross-border payments;
  • automating the underwriting process by storing financial data on the blockchain; and
  • developing real-time tools for anti-money laundering enforcement and automating the creation of letters of credit in trade finance.

Further, in order to gain the experience of the implementation of BCT, IDRBT also conducted a 'proof of concept' on the applicability of BCT to a trade finance application that saw participation from banks, solution providers and the National Payments Corporation of India (an organisation for retail payments in India). The report gave comfort and confidence to the IDRBT to implement BCT in the financial sector.

In November 2017, a working group was set up by the RBI to look into and report on the granular aspects of FinTech and its implications, so that it can review its regulatory framework and respond accordingly as per the changing FinTech scenario. The report identified BCT as one of the technologies that could be implemented in the financial sector. Further, the RBI studied the advantages and disadvantages of the same and observed that BCT was beneficial in terms of transparency and security. However, the two main concerns as reported were lack of co-ordination and the scalability of technology. The report also suggested that many banks have successfully implemented use of BCT in their operations, specifically in the areas of trade finance and cross-border remittances.

Recently, IDRBT also released a blueprint for blockchain platforms in India, which made recommendations on the adoption of BCT in various business and organisational functions, along with procedures and guidelines to ensure interoperability among different entities. Some of the key recommendations made by IDRBT include the following:

  • implement a codified set of rules for smooth operation and collaboration;
  • set up a governance structure to oversee the implementation of blockchain-based platforms; and
  • create an industry-specific business value framework to analyse the suitability of business applications for migration to blockchain-based systems.

India is yet to introduce regulations pertaining to blockchain assets. Accordingly, there have been no classifications of blockchain assets implemented by the regulators in India.

See 7.3 Impact of the Emergence of Crypto-currency Exchanges.

The regulators in India have not defined ‘virtual currencies’ or ‘blockchain assets’ in India.

However, the government has clarified that virtual currencies are not considered as a valid legal tender in India.

Through a notification dated 6 April 2018, the RBI has prohibited all entities (that are regulated by the RBI) from dealing in virtual currencies (which includes bitcoins) or providing services for facilitating any persons or entity in dealing with or settling virtual currencies. Further, for those entities that were already providing services for facilitating virtual currency transactions, the RBI had given three months from the date of the notification to exit such relationships.

Further, the Finance Minister of India in the budget speech for 2018 reiterated that the government does not consider crypto-currencies as legal tender or coin and would take all measures to eliminate the use of crypto assets in financing illegitimate activities or as part of a payment system.

At present in India, the personal data of individuals is governed under the IT Act and Privacy Rules. Under the Privacy Rules, Data Subjects have a right to withdraw their consent and correct any personal data held by the data controller. The Indian government is also reviewing the draft PDP Bill, which has been drafted in line with the terms of the General Data Protection Regulation. As per the PDP Bill, the Data Subject would have the following rights:

  • the right to confirmation and access;
  • the right to correction;
  • the right to be forgotten; and
  • the right to data portability.

The current rights of a Data Subject under the Privacy Rules and the proposed rights of a Data Subject under the PDP Bill would pose an issue in implementing BCT. The proposed PDP Bill gives a Data Subject the right to be forgotten, and under the current Privacy Rules a Data Subject has the right to correct any personal data held by the data controller. However, any data on a blockchain network is immutable. This means that blockchain technology, in its present form, would not be able to erase or correct personal data on the network when an individual exercises his or her right to be forgotten or to correct personal data. Therefore, these rights are in direct conflict with the fundamentals of BCT. A solution that could mitigate this conflict would be to ensure that the data uploaded on the blockchain network is not personal data. However, this would be difficult considering the inclusive nature of the definition of ‘personal data’. Personal data under the Privacy Rules means “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person” and under the PDP Bill, personal data means “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.” Therefore, considering the definition of personal data, it would be difficult to segregate personal data from other data being uploaded on the blockchain network. However, it must be noted that the PDP Bill will not apply to anonymised data. Therefore, if a blockchain network contains personal data that is anonymised, the PDP Bill does not provide for its Data Subject to exercise his or her right to be forgotten over such data.

To mitigate the issue that may arise from personal data on the blockchain network, a popular recommendation made by several entities is to introduce the concept of an editable blockchain, which acts as an exception function to the blockchain to overcome issues arising from regulatory requirements. Any changes to the blockchain would be made by certain authorised administrators governed by agreed rules. These administrators can therefore only make changes to the blockchain if the change is permitted under the rules, and changes will be implemented in the manner set out in the rules. However, while this exception allows data on the blockchain to be modified, it must be noted that any change to the data or a transaction changes the original hash, which reflects that a block has been edited and makes such changes detectable. Even though this recommendation goes against the fundamental principle of blockchain immutability, it would aid in overcoming issues such as the regulatory requirement to implement a Data Subject's right to be forgotten and to update his or her personal data, or even to correct errors.
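The detectability described above, as an added example that is not from the page or from any of the bodies it cites: a toy hash chain in which a raw edit breaks verification, while a rule-bound administrator edit re-links the chain but still changes the block's hash relative to an earlier snapshot, so the audit log has to carry the original hash. The administrator set, the editable fields and the sample records are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
GENESIS = "0" * 64

def block_hash(index: int, prev_hash: str, data: dict) -> str:
    # Hash of a block's contents: any change to the data or the back-link changes it.
    payload = json.dumps({"i": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

@dataclass
class Block:
    index: int
    prev_hash: str
    data: dict
    hash: str

def build_chain(records: list) -> list:
    chain, prev = [], GENESIS
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append(Block(i, prev, dict(data), h))  # copy so callers keep their records
        prev = h
    return chain

def verify_chain(chain: list) -> list:
    """Indices whose stored hash or back-link no longer matches; [] means intact."""
    bad, prev = [], GENESIS
    for b in chain:
        if b.prev_hash != prev or block_hash(b.index, b.prev_hash, b.data) != b.hash:
            bad.append(b.index)
        prev = b.hash
    return bad

def changed_since(snapshot: list, chain: list) -> list:
    # Compare current hashes with a previously published snapshot of hashes.
    return [b.index for b, old in zip(chain, snapshot) if b.hash != old]

# Agreed rules (constructed): named administrators may only erase or correct these fields.
ADMINS = {"admin-a", "admin-b"}
EDITABLE_FIELDS = {"name", "address"}

def administered_edit(chain, index, field, new_value, admin, audit_log) -> str:
    """Apply a rule-bound edit, re-link every later block and log the original hash."""
    if admin not in ADMINS: raise PermissionError(f"{admin} is not an authorised administrator")
    if field not in EDITABLE_FIELDS: raise ValueError(f"field {field!r} may not be edited")
    old_hash = chain[index].hash
    chain[index].data[field] = new_value
    prev = chain[index].prev_hash
    for b in chain[index:]:          # later blocks chain off the edited one, so they change too
        b.prev_hash = prev
        b.hash = block_hash(b.index, b.prev_hash, b.data)
        prev = b.hash
    audit_log.append({"index": index, "field": field, "by": admin, "old": old_hash, "new": chain[index].hash})
    return old_hash
```

Comparing the chain against a hash snapshot published before the edit is what makes an administered erasure detectable even though verify_chain() passes afterwards.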

Regulations on open banking have yet to be implemented in India. However, the government through its initiatives has expressed its support and willingness to develop open banking in India. One of the initiatives taken by the government is the implementation of open banking in UPI by the NPCI.

UPI is an initiative by the NPCI, set up with the support of the RBI and the Indian Banks Association, that allows account-holders across banks to send and receive money from their smartphones using just their Aadhaar unique identity number, mobile phone number or virtual payment address, without entering bank account details. It also enables a customer to pay directly from a bank account to different merchants by providing a unique identity to every bank account. All transactions carried out on the UPI rails use open banking protocols. Subsequently, several private players have also introduced UPI-based applications that work on open banking protocols.

As already discussed, open banking protocol has only been used in UPI and, accordingly, below are the measures set out by the NPCI to ensure security of customer data on the UPI rails.

For the purpose of coping with data privacy and data security concerns, the NPCI has classified data into two types, namely (i) customer data and (ii) customer payment sensitive data. The NPCI has provided guidelines on storing such data.

Customer data would include information such as a customer’s name, mobile number, residential address, email ID, gender, location details (entered by the customer), device details such as App ID, International Mobile Equipment Identity (IMEI) number, transaction-related details, UPI ID, Receiver Registration Number (RRN), transaction ID, time-stamp, beneficiary UPI ID and beneficiary account number. The above-mentioned customer data must be encrypted and stored in the third-party app-provider’s system.

Customer payment sensitive data would include customer account details and customer payment authentication data. Such customer sensitive data must only be stored in the payment service-provider systems. However, data such as an account number can be shown to the customer on the application in a masked format. Further, the NPCI has stated that the last digits of a customer’s debit card number, expiry date, UPI pin and one-time password must not be stored by the third-party app-provider.

J Sagar Associates

fintech@jsalaw.com www.jsalaw.com