Contributed By Jerome Merchant + Partners
India’s expansion into one of the fastest growing fintech markets in the world continued throughout 2019. According to the Report of the National Investment Promotion and Facilitation Agency (Government of India, 2019), the key drivers behind the growth in the sector include the following:
Other key events that have shaped the fintech industry in India over the last 12 months include the Government’s measures to allow for on-tap licences for small finance banks, bringing P2P lenders within the overall financial services regulatory framework, the regulatory sandbox of the Reserve Bank of India (RBI) and the National Common Mobility Card, which is a transport card that enables the user to pay for travel, toll duties and retail shopping, and to withdraw money.
The overall stability in the sector is evidenced by continuously increasing collaboration between banks and fintech startups in the form of supplementary offerings, partnerships, acquisitions, incubators and investment, greater adoption of digital payments on the consumer end, and the adoption of technology like artificial intelligence (AI), machine learning (ML), blockchain and robo-advisory services by banks.
The Next 12 Months
A distillation of the views of industry experts suggests that a major trend in the fintech sector in 2020 will be developing technologies, including software and APIs to build solutions to reduce distressed assets and to build services that will lead to improved credit recovery. The industry may also see the first major state-backed cryptocurrency pegged to fiat along with the extension of blockchain initiatives.
The expansion of the alternative lending ecosystem will be a key focus area in 2020, driven by technology-enabled “alternative” lenders such as P2P players, mobile lending platforms, pay later loans, crowdfunding, or invoice financing, and AI in the banking and financial services sector to improve productivity and efficiency. Accordingly, the expected outlook for this sector over the next 12 months is summarised as follows:
In May 2019, the RBI released a vision document for ensuring a safe, secure, convenient, quick and affordable e-payment system, as it expects the number of digital transactions to increase more than four times to 8,707 crore in December 2021. The "Payment and Settlement Systems in India: Vision 2019 - 2021", with its core theme of "Empowering Exceptional (E)payment Experience", seeks to achieve "a highly digital and cash-lite society" through the goal posts of competition, cost-effectiveness, convenience and confidence (the 4Cs). In addition to the initiatives under the vision document, the proposed data privacy legislation is expected to have a significant impact on the manner in which the industry operates in 2020 and beyond.
The predominant fintech business models that are popular among Indian consumers and fintech players are as follows:
Payment systems are governed and regulated by the Payments and Settlements Act, 2007 (PSS Act). Any person operating a "payment system" is required to register with the RBI and comply with the provisions of the PSS Act and the rules and regulations framed thereunder.
A "payment system" is defined as a system that enables payment to be effected between “a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange”, and “includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations”. Therefore, any activity that effects a settlement of a payment between a payer, on the one hand, and a payee or beneficiary on the other, constitutes a payment system and will require registration under the PSS Act.
Pre-Paid Instruments (PPIs) are governed by the Master Direction on Issuance and Operation of Pre-paid Payment Instruments in India dated 11 October 2017 and issued by the RBI (Prepaid Instrument Directions). PPIs can be issued through various methods, such as cards, e-wallets or digital accounts, and are primarily of three types: closed, semi-closed and open. A PPI that can be used only for the purchase of goods or services sold by the issuer and not by any other third person is a “closed prepaid instrument” and does not qualify as a payment system. Consequently, the issuer of such PPI does not need to obtain any prior authorisation from the RBI, nor does it need to comply with the PSS Act or the Prepaid Instrument Directions. However, for the purposes of issuing a semi-closed PPI, which is capable of being used for the purchase of goods and services by customers with clearly identified merchants (other than the issuer of the prepaid instrument), the issuer will be required to register as a payment system with the RBI, and to comply with the requirements of the Prepaid Instrument Directions. An open PPI is issued only by banks (approved by RBI) and can be used at any merchant for the purchase of goods and services, including financial services, remittance facilities, etc. Cash withdrawal at ATMs/Points of Sale (PoS) terminals/Business Correspondents (BCs) is also allowed through such PPIs. The Prepaid Instrument Directions stipulate certain additional requirements, as follows:
In addition to the Prepaid Instrument Directions, the RBI has specific master directions on the issuance of credit cards and debit cards by banks and non-banking financial institutions. The regulatory framework in India also allows for customers to make transfers to or from other PPI providers or banks for e-wallets and cards, in accordance with the Prepaid Payment Instruments – Operational Guidelines for Interoperability dated 16 October 2018 (Interoperability Guidelines) and issued by the RBI.
Remittances and transfers of monies may be made through the various instruments that are permitted to be used through existing money transfer systems, such as RTGS, NEFT, IMPS and UPI.
The primary compensatory models for entities that operate in the fintech space are as follows:
The regulatory framework in India does not distinguish between a legacy player and a new entrant to the fintech market in any business that is regulated by the RBI, such as payments, credit facilities, the operation of cards, or PPI instruments and P2P lending.
In August 2019, the RBI prescribed detailed guidelines and an operational framework on a regulatory sandbox to be set up in the fintech space. Late in 2019, it also announced that its first sandbox will be in the "Retail Payments" space. The RBI noted "mobile payments including feature-phone-based payment services", "offline payment solutions" and "contactless payments" as potential categories for inclusion. Experimentation and the testing of new products and services is likely to commence in the first half of 2020.
The RBI has laid down various eligibility criteria for sandbox applicants, including that:
The securites regulator – the Securities and Exchange Board of India (SEBI) – issued a circular in May 2019 laying down the framework for an innovation sandbox, wherein fintech firms and entities not regulated by SEBI will be provided an offline testing environment for their products or solutions.
The products/services or solutions should be intended for the securities or commodities market in India, with the help of the datasets available in the sandbox, and should be able to reach secure solutions that have clear benefits for consumers and the capital markets.
The data sets include data from depositories, stock exchanges and Registrars and Transfer Agents (RTAs) in a phased manner to conduct their testing, depending upon the validations. Such data shall be governed by comprehensive confidentiality and end-user agreements. The testing on the datasets shall be conducted offline, in isolation from the live market, but with configurations similar to the live market for testing the innovative solutions.
As regards payments and related activities such as the issuance of cards, PPIs and P2P lending, the RBI continues to be the sole regulator of industry participants.
Fintech participants operating in the securities and insurance space are regulated by SEBI and the Insurance Regulatory and Development Authority of India (IRDAI).
Unlike for banks and registered non-banking financial companies (NBFCs), there are no express regulations governing outsourcing by fintech players. However, as a general principle it must be assumed that the core functions of a regulated entity (ie, an entity registered with the RBI) should not be outsourced, and all functions that are outsourced must adhere to the outsourcing regulations governing banks and NBFCs.
The salient conditions that must be complied with in any outsourcing arrangement are as follows:
It is important to note that the Prepaid Instrument Directions require a PPI entity to comply with the following conditions in respect of its third party service provider:
The RBI has been very active in taking regulatory action against players in the payment space for violations of regulatory norms. Such violations include breach of data processing compliances, mis-selling, incorrect transactions and dealings. In 2019, fines ranging from USD1 million to USD30 million were imposed on various players. Companies have also been directed to temporarily suspend their operations so as to ensure that regulatory compliances are met before business re-commences.
The treatment of data collected by fintech entities from their customers (Customer Data) will need to comply with the requirements of the Information and Technology Act, 2000 (IT Act), read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Security Practices Rules). The IT Act and the Security Practices Rules provide for certain statutory provisions in the treatment of “personal information” and “personal sensitive information”. The Security Practices Rules define “Personal Information” to mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying such person; “sensitive personal data or information of a person” is defined to mean information of a person relating to:
While Customer Data will not always qualify as “sensitive personal data or information”, it would qualify as “personal information” if, coupled with other information available to the fintech company, there is a possibility of identifying the customer concerned. Accordingly, the fintech company will be required to maintain the confidentiality of the Customer Data, and not disclose it to any third parties. The fintech company will also have to store the data using reasonable security processes, as prescribed under the IT Act and Security Practices Rules. Pursuant to Rule 11 of the Security Practices Rules, the Payment Co will be deemed to be compliant with maintaining reasonable security processes if it adopts any technology that meets IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under the IT Act.
Rules 4 and 6 of the Security Practices Rules require any body corporate that collects, receives, possesses, stores, deals or handles “personal information” to obtain prior permission from the provider of such information before such information is disclosed to any third party, unless such consent is already obtained pursuant to a contract between the body corporate and the provider of such information.
Furthermore, the Government has introduced comprehensive legislation on data privacy, and the implications of such law on the data management systems of fintech companies will have to be examined once such law comes into force.
All data relating to payment transactions of the customer will be required to be stored in India.
There is no distinction made between the applicability of privacy laws to fintech and legacy players.
Players in India’s fintech segment continue to have issues on know-your-customer (KYC) norms as well as rules for customer data access and use. Entities are still seeking further regulatory clarity on offline and electronic KYC mechanisms as against having to comply with the physical verification. Recently, the RBI has permitted video-based authentication of KYC compliances, and has taken steps to allow for more offline/online non-physical methods of KYC verification. However, the use of biometrics and Aadhaar-based data is still limited and adds to the compliance costs of fintech players. There is no distinction made between the applicability of KYC laws to fintech and legacy players.
The RBI requires both banks and payment settlement system operators to adhere to policies and processes to ensure cybersecurity. Such measures include conducting third party audits, risk profiling/transaction monitoring, centralised security control to monitor transactions on a real-time basis, disaster recovery and step-in mechanisms, and immediate customer response to any fraudulent transaction reporting. There is no material distinction made between the applicability of cybersecurity laws to fintech and legacy players.
Any social media tool that undertakes a regulated activity will be subject to the same regulations as any other fintech player. For example, the WhatsApp money remittance service is regulated like any other payment system operator, independent of its chat application.
The PPI Master Directions and applicable regulations applicable to banks and NBFCs require third party audit firms to undertake audits to ensure compliance with financial conditions related to their licence and regulatory conditions. Cybersecurity and information technology system audits are also required to be conducted by third party audit firms. All of these reports are required to be submitted to the RBI on a quarterly or annual basis.
Furthermore, fintech players are increasingly having their systems and processes audited for ISO and similar standards to increase customer and third party confidence in their business models.
It is common for entities to offer regulated and unregulated products and services. However, in most such cases, the entities through which regulated and unregulated products/services are offered will be distinct. Furthermore, where there are different regulators that monitor a service or product, such as between the RBI and SEBI, then the entities through which the services and products are offered will also be separate.
The regulators carefully consider these structures, but as long as no lines are crossed whereby a service or product that is intended to be regulated is being offered in an unregulated manner merely on account of breaking up the offering through nifty structuring, there is no regulatory push back.
From a regulatory perspective, robo-advisers do not need any specific or different business model. The use of robo-advisers in the banking, securities, wealth or insurance areas is adopted into the tools of the relevant business and deployed accordingly. The use of robo-advisers does not increase or decrease an entity's levels of registration or regulatory compliance.
In India, legacy players havebeen very quick to adapt and use robo-advisers in their businesses over the last few years. Private sector banks use robo-adviser-based solutions in developing tools for customer satisfaction, new products and services and improvements.
Needless to say, the most major deployment of robo-advisers has occurred in the wealth management, advisory and insurance space, in developing custom-made trading and wealth solutions.
The “best execution of customer trades” is directly related to the level of investment that the fintech player makes in developing bespoke solutions for its customers. For high net worth premium clients, banks and fintech firms provide very tailormade robo-advisory services and are therefore able to enhance the levels of best execution – ie, optimal returns and minimal cost of investment.
However, for a majority of fintech firms that target relatively less premium segments of the market, robo-advisory services tend to address the broad requirements of a particular customer class by making decisions based on the mean, and therefore provide less than optimal results for customers.
The overall framework governing the extending of loans and the entities providing loans is regulated by the RBI. For example, financial institutions such as banks and non-banking financial companies are carefully regulated by the RBI and have specific frameworks governing the manner of set up as well as functioning.
With regard to lending to individuals, in October 2017 the RBI notified the Master Direction – Non-Banking Financial Company – Peer to Peer Lending Platforms (Reserve Bank) Direction, 2017 (NBFC P2P Directions), and notified that Peer to Peer lending service providers (NBFC P2P) need to be registered as a NBFC vide following the eligibility criteria stated in the NBFC P2P Directions, which state that such NBFC-P2P platforms may only act as an intermediary platform that connects lenders and borrowers.
The NBFC P2P Directions further make it compulsory for any NBFC P2P to undertake credit assessment and risk profiling of the borrowers, and to disclose the same to the prospective lenders. In addition to the mandate required to be followed vide the NBFC P2P Directions, NBFC P2P platforms also provide ad-hoc services such as providing the loan documentation used by lenders and borrowers in relation to the loan.
A “participant” is defined under the NBFC P2P Directions as “a person who has entered into an arrangement with an NBFC-P2P to lend on it or to avail of loan facilitation services provided by it.” The usage of the word “person” by the NBFC P2P Directions grants a wide interpretation to the nature of entities who are eligible to use NBFC P2P platforms for the purposes of borrowing and lending. The NBFC P2P Directions provide for prudential norms that must be followed while allowing “participants” to transact on such NBFC P2P platforms.
With regard to borrowing, the NBFC P2P Directions have set hard limits on the amounts that may be borrowed by any single “participant”. Also, any and all loans as availed through the NBFC P2P platform are only unsecured loans – ie, a lender may not mandate any borrower to provide any security or hypothecate any asset in lieu of advancing any funds. Furthermore, any and all loans availed through these NBFC P2P platforms shall be subject to a maximum maturity period of 36 months.
However, platforms that assist only banks, NBFCs and other regulated financial institutions to identify borrowers are not to be treated as P2P platforms. In cases where retail lenders other than banks or NBFCs or AIFIs use the platform for lending, the platform will have to register separately as an NBFC-P2P.
Underwriting is a credit-rating system that enables a credit institution to assess the creditworthiness and capacity of a borrower to repay his loan and advances, and to discharge his other obligations in respect of credit facility availed or to be availed by him. The process of underwriting facilitates the lending institutions' access to the credit profile of the borrower, enabling the lenders to have better information about the borrower, which enables the lender to undergo a more reliable and streamlined lending exercise.
In India, Credit Information Companies (CICs) provide underwriting services to the credit institutions, enabling the credit institution to undertake an informed credit decision. The regulatory framework governing the process of the collection of a borrower’s data by the credit institutions is set out under the Credit Information Companies (Regulation) Act, 2005, read with Credit Information Companies (Regulation) Regulations, 2006 (CICRA).
Under the NBFC P2P Directions, in order to underwrite the lenders’ risk, it is mandatory for the NBFC-P2P platforms to undertake credit assessment and risk profiling of the borrowers, and to disclose the same to the prospective lenders on their platform. There is no restriction and/or obligation on the lenders to undertake their own additional underwriting processes different from the one undertaken by the NBFC-P2P platform.
Under the NBFC P2P Directions, P2P lenders are under no obligations to disclose the sources of funds that are utilised by them to grant loans on the NBFC P2P platforms. Furthermore, such lenders on the NBFC P2P platforms are not required to provide any certification regarding their wealth, unless they are seeking to offer funds greater than INR1,000,000 across all NBFC P2P platforms. It is abundantly clarified that vide Regulation 6 of NBFC P2P Directions, no NBFC P2P shall be allowed to accept deposits of any kind, nor to loan out of its own funds.
Since the NBFC P2P Directions came into effect, the Digital Lender’s Association of India (DLAI) has recommended that the low thresholds therein should be revised in order to ensure greater participation among high net worth individuals, family offices, etc. The RBI has now increased the previous limit of INR1,000,000 for lenders to INR5,000,000. Any lender seeking to offer more than INR1,000,000 for lending across multiple NBFC P2P platforms shall be required to provide a net worth certificate from a Chartered Accountant.
Other financial institutions that provide loans to individuals (either online or offline) (such as banks or non-banking financial companies) deploy funds/loans to individuals, subject to maintaining the statutorily prescribed credit ratios and adequacy norms. The source of funds is either in the form of equity or debt availed from financial institutions, which is then utilised to conduct their lending activities.
The syndication of loans is a common feature of online lending. The same can also be structured as a co-lending, whereby the particular fintech lender co-lends with a larger financial institution to enable it to service the client’s requirements. Therefore, the fintech lender has the ability to leverage the financial recourses of the larger financial institution through a co-lending model.
In India, payment and settlement systems are regulated by the PSS Act, read with the Payment and Settlement System Regulations, 2008 (PSS Regulations). Under Section 4 of the PSS Act, no person other than the RBI can commence or operate a payment system in India unless explicitly authorised by the RBI. The RBI has authorised payment system operators of pre-paid payment instruments, card payment systems, cross-border in-bound and out-bound money transfers, Automated Teller Machine (ATM) networks, payment settlement systems and centralised money clearing systems.
The RBI introduced technology-based solutions for the improvement of the payment and settlement system infrastructure, including the National Electronic Funds Transfer (NEFT) System, which facilitates one-to-one funds transfer requirements of individuals/corporates, and the Real Time Gross Settlement (RTGS) System, which funds transfer systems where the transfer of money takes place from one bank to another in "real time" and on a "gross" basis. However, each system has its limitations in terms of amounts that may be transferred and the speed at which transference occurs.
In order to make money transfer smoother and more seamless, the National Payments Corporation of India has developed the UPI, which is a real-time payment system for facilitating inter-bank transactions. It is worth noting that all these payment rails – NEFT, RTGS and UPI – have been developed and authorised by central governmental corporations.
However, certain companies have obtained licences to operate as payment rails under the PSS Regulations, such as One97 Communications Limited and PhonePe Private Limited.
The market practice to date has been to implement UPI or provide separate access to a payment gateway within the application as a payment method of choice in order to avoid the requirement to obtain a licence as a “payment settlement system” under the PSS Regulations read with the PSS Act. Therefore, this model enables a fintech platform to provide a platform whereby the funds are routed through authorised payment gateways and thereby not trigger the requirement to obtain a registration from the RBI.
As India is an exchange-controlled economy, any inflow or outflow of foreign exchange is regulated under the prevalent foreign exchange regulations prescribed by the RBI.
For example, with respect to individuals, the RBI has issued a "Master Direction on Liberalised Remittance Scheme" (LR Scheme) governing the framework for the remittance of funds abroad by the resident individuals for the transactions facilitated through a current account or capital account. The LR Scheme limits the amount allowed to be remitted per financial year by a resident individual to USD250,000. The cap amount includes within its scope all the remittances for current account transactions, such as private visit, gift/donation, going abroad on employment, emigration, maintenance of close relatives abroad, business trip, medical treatment abroad and studies abroad, in addition to capital account transactions as described below. Funds can be remitted abroad by an individual under the LR Scheme for only the permitted capital account transactions specifically.
PPIs for cross-border payments are only allowed to be used for foreign-denominated transactions that meet the criteria as mandated under the Prepaid Instrument Directions. Therefore, KYC-compliant reloadable semi-closed and open system PPIs, issued by Authorised Dealer Category-I banks, are permitted to be used in cross-border outward transactions for permissible current account transactions under FEMA viz. purchase of goods and services. This facility shall be enabled only on the explicit request of a PPI holder. Furthermore, the Prepaid Instrument Directions have clarified that such PPIs shall only be used for current account transactions as permitted by the RBI, and shall not be used for any capital account transaction as permitted under the LR Scheme.
Any entity used for the pooling of funds is essentially regulated by SEBI. Therefore, investment vehicles such as mutual funds, venture capital funds, alternate investment funds, infrastructure investment trusts, real estate investment trusts, collective investment schemes, etc, are all regulated and require appropriate registrations to be obtained. In the process of obtaining registrations, the sponsor/manager of such investment vehicles is also vetted and regulated.
For example, an Alternative Investment Fund (AIF) is a privately pooled investment vehicle that collects funds from investors (Indian or foreign) for investing in accordance with the defined investment policy, for the benefit of its investors. An AIF can be established in the form of a trust, a company, a limited liability partnership or a body corporate, and is regulated by the Securities and Exchange Board of India (Alternative Investment Funds) Regulations, 2012 (AIF Regulations). As per these AIF Regulations, any change in sponsor or investment manager requires prior approval from SEBI.
Having said this, sub-advisers or other third party advisory entities engaged by investment vehicles are not required to obtain any registration from SEBI (subject to the activities performed by such entities).
SEBI is an investor-friendly regulator, so regulations are drafted in a manner so as to ensure the alignment of the interests of the sponsors and managers of the funds along with the unit holders (investors).
The private placement memorandums for each fund/investment vehicle require appropriate disclosures and risk analysis, so as the investor is informed and cognisant of the investment risk. In addition, certain regulations prescribe the sponsors/investment managers of the investment vehicle to have sufficient “skin in the game”. For example, with AIFs, sponsors and managers are required to provide a minimum contribution of 2.5% or INR50,000,000, whichever is lower. This has been termed as “continuing interest” – as capital is drawn down or positions are unwound, the capital required to be maintained will change vis-à-vis the situation.
Regulations also prescribe statutory information that has to be provided by the sponsors/investment managers to the investors. Further, SEBI stipulates that the sponsor/investment manager is to ensure that the interest of the contributors/investors is of paramount importance and hence appropriate conflict of interest policies are be adopted by such entities.
The AIF Regulations do not impose any obligations on the sponsors and/or managers of funds mandating the investigation of unlawful behaviour. However, there is a general premise that the sponsors/investment managers are to act in the best interest of the fund/investors.
SEBI, however, has been armed via the same AIF Regulations to inspect documentation and call for information from the funds if it receives any information or complaint, or even to take suo moto action if it has reason to believe that there is any unlawful or suspicious behaviour happening at the fund level. The limited obligation on the fund and its sponsor and/or manager is to assist and co-operate with SEBI in any investigation being conducted in this regard.
The principal marketplaces and trading platforms for financial products in India are recognised stock exchanges that deal with trading in capital market instruments, and electronic trading platforms that govern trading in financial products not covered by a stock exchange.
Stock exchanges are governed by the Ministry of Finance, SEBI and the RBI. The Ministry of Finance regulates through the Department of Economic Affairs – Capital Markets Division, which is responsible for formulating policies regarding the orderly growth and development of the securities markets (ie, share, debt and derivatives), and for protecting the interest of the investors. In particular, it is responsible for:
The principal statutes governing stock exchanges are the Depositories Act, 1996, the Securities Contracts (Regulation) Act, 1956 and the Securities and Exchange Board of India Act, 1992.
SEBI is the regulatory authority established under the SEBI Act 1992, and is the principal regulator for stock exchanges in India. SEBI’s primary functions include protecting investor interests, and promoting and regulating the Indian securities markets. All financial intermediaries permitted by their respective regulators to participate in the Indian securities markets are governed by SEBI regulations, whether domestic or foreign.
The RBI is governed by the Reserve Bank of India Act, 1934, and is responsible for implementing monetary and credit policies, issuing currency notes, and being banker to the government, regulator of the banking system, manager of foreign exchange, and regulator of payment and settlement systems, while continuously working towards the development of Indian financial markets. The RBI regulates financial markets and systems through different legislation. It regulates the foreign exchange markets through the Foreign Exchange Management Act, 1999. In the role of a securities market participant, exchanges are also required to set out and implement rules and regulations to govern the securities market. These rules and regulations extend to member registration, securities listings, transaction monitoring, members' compliance with SEBI/RBI regulations, and investor protection. Each exchange has a set of regulations specifically applicable to each of its trading segments.
Trading segments in Indian stock exchanges include equities, bonds, derivatives, commodities, exchange traded funds, securitised receipts, units of mutual funds, investment funds and investment trusts. Commodities trading that occurs on specific commodity exchanges is also governed by SEBI.
Trading in forex and currency assets, interest rate swaps and other banking-related derivatives is typically governed by the RBI and undertaken with at least one counterparty being a regulated dealer in foreign exchange or banks.
The RBI has issued regulations governing electronic trading platforms (ETP), which define an ETP as any electronic system, other than a recognised stock exchange, on which transactions in securities, money market instruments, foreign exchange instruments, derivatives or other instruments of a like nature are traded. The regulations specifically deal with platforms that allow for algorothmic trading, and such ETPs are required to put a framework in place for the testing and on-boarding of algo systems, to ensure that such facilities are offered in a transparent and non-discriminatory manner, and to ensure that their systems and controls are adequate and effective for monitoring and managing risks arising from algo systems. ETPs are required to do the following in their operation:
ETPs that are operated by banks for bilateral transactions with their clients and do not allow access to the markets are not required to comply with ETP regulations.
Please see 7.1 Permissible Trading Platforms.
By way of a circular dated 6 April 2018, the RBI has mandated that entities regulated by the RBI shall not deal in Virtual Currencies (VCs) or provide services for facilitating any person or entity dealing with or settling VCs. Such services include maintaining accounts, registering, trading, settling, clearing, giving loans against virtual tokens, accepting them as collateral, opening accounts of exchanges dealing with them and the transfer/receipt of money in accounts relating to the purchase/sale of VCs. The RBI circular has, therefore, effectively shut down the cryptocurrency exchange and trading business in India, given that regulated entities are not permitted to deal with such VCs. VCs are viewed by the RBI as a potential currency, and hence it has refused to classify it as a permitted instrument for dealing in India. The order of the RBI has been challenged before the Supreme Court of India, but it is unlikely to be struck down given that the regulation of VCs is a policy matter of the RBI.
The listing of and trading in different types of securities is governed by the rules and regulations of SEBI and the relevant stock exchanges. SEBI has different regulations governing public and private placements of securities. There are also specific regulations governing the listing of equities, which can typically initially be offered to the public and cannot be privately placed at the time of its initial offer. Other securities, such as bonds, units of mutual funds, investment trusts and securitised receipts, can typically be offered on a public and private basis.
Indian securities regulations are recognised to be reasonably sophisticated and follow the highest level of disclosures consistent with global markets in South East Asia. The regulations also require firms that are publicly listing their securities to follow the norms related to a minimum offer size, minimum contributions from promoters, lock-in requirements, minimum public float, track record over the preceding three years, stricter corporate governance rules and continuous disclosure requirements.
Order handling rules apply for all securities traded on regulated stock exchanges. Trades are required to be made only through registered brokers, and each member is required to maintain a depository account and place a minimum level of margin with its brokers. Trades are ordinarily settled in cash on a T+2 basis. Order handling rules in the ETP environment are not as sophisticated as the stock exchange. However, here too the trade can be undertaken only between registered users such as banks with a counterparty who has a genuine interest in the underlying instrument.
Please see 4 Online Lenders regarding P2P lending platforms.
Unregulated P2P trading platforms do exist in areas such as the raising of capital in private transactions. However, in order not to trigger public offer conditions, such platforms merely serve as a connector between participants, and the actual transaction or trade is purely bilateral.
Given the regulatory environment regarding VCs, the P2P trading platform for cryptocurrencies is extremely muted in India.
Indian stock exchanges have adapted SEBI’s regulations on smart order routing (SOR), which enables best execution in electronic trading, with the trading engine picking up the venue that offers the best price at any given moment.
The SEBI circular on SOR requires brokers to consider the following factors: price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. Salient conditions of the SOR system are set out below:
Order flow rules are well established in regulated trading platforms. In the securities market, payments are made at the time of placing the order for the securities, and such securities are to be credited to the client account immediately on settlement and brokers are not allowed to benefit from any arbitrage on either the monies or the securities.
In April 2008, SEBI introduced algorithmic trading by allowing Direct Market Access (DMA) facilities to institutional clients. In short, DMA allows brokers to provide their infrastructure to clients, and gives clients access to the exchange trading system without any intervention from their brokers. Initially, it was provided only to institutional clients and not retail traders.
Nevertheless, the facility brought down costs for the institutional investor and facilitated better execution by cutting down the time spent in routing the order to the broker and issuing the necessary instructions.
The National Stock Exchange (NSE) started offering an additional 54 co-location server "racks" on lease to broking firms in an effort to improve the speed in trading.
Broker commissions had started shrinking as a result of an increasing number of institutional clients warming up to the Direct Market Access concept. To keep up with the times, brokers started offering automated software to clients.
The new entrants to this space are discount brokers who are essentially brokers who provide facilities at very low brokerage charges. They are able to do this by providing only minimal facilities, unlike full-service brokers who usually provide support as well as training programmes for their clients.
SEBI stipulates conditions to be followed by traders and brokers to keep the algo trading industry safe and risk-controlled. SEBI emphaises effective risk management for algorithmic trading. In order for any algorithm to be approved by the markets, exchanges require a firm to undergo a series of stringent tests if it intends to trade through algo trading. These tests include the number of orders that would be placed per second, the maximum order value of any order placed, and the maximum traded quantity during a particular trading day.
A brief summary of SEBI’s regulations on algorithmic trading is set out below:
The RBI has set out the following conditions for those ETPs that use algorithmic trading systems:
Please see 7.1 Permissible Trading Platforms.
When acting in a principal capacity, market makers in the securities market are required to register as market makers with SEBI to participate in the relevant market. Similarly, platforms that allow for regulated trading outside the stock exchanges, such as ETPs, are required to register with the RBI in order to operate such platforms.
Please see 7.7 Issues Relating to Best Execution of Customer Trades.
From a regulatory perspective, there is no distinction between funds and dealers in the algo trading space.
Please see 7.8 Rules of Payment for Order Flow.
Financial research as a subject is extremely wide and covers a vast area. While there are no specific regulations governing financial research platforms, SEBI has mandated that research analysts (ie, individuals or body corporates that conduct research on the securities market and allow for the publication of such reports) shall be required to obtain a specific Research Analyst licence and are governed by the SEBI (Research Analyst) Regulations, 2014 (RA Regulations). According to these RA Regulations, any person or entity that is in the business of preparing reports, making buy/sell recommendations, providing target prices, etc, in relation to listed securities or to-be-listed securities is required to obtain registration from SEBI.
In relation to research analysts, the RA Regulations strictly govern the nature of information that can be published, and the manner in which it is required to be published. Due to this, SEBI mandates specifically the quality of the information that is published, due to its price-sensitive nature. Speculative information should not form a part of any report published by entities that are governed by the RA Regulations.
There are limited safeguards in place that restrict incorrect information from being advertised, through the Advertising Code of Conduct, Cable TV Act provisions and the Information Technology Act, 2000. This legislation includes provisions that are read as guiding principles and not negative covenants on the subject. The Government has attempted to curb fake news of late, but there has been concrete legislation passed to this effect.
SEBI has prescribed strict limitations on trading for individuals and entities engaged in the business of research analysis, as under the RA Regulations. These safeguards include monitoring, recording and seeking approval wherever necessary. In addition, the code of conduct for RAs expressly prohibits insider trading and related activities. SEBI is extremely vigilant in this regard, as demonstrated in a recent ruling by the SEBI tribunal, where certain individuals were charged with insider trading by virtue of the fact they were connected on social media and presumed to have shared price-sensitive information on that basis.
In the realm of unregulated entities, there are minimal to no safe-guards against the perils of pump and dump schemes and the spreading of inside information. SEBI does have regulations in place to control the flow of insider information from “connected persons”, but this is limited to the field of listed securities. There are no further regulations and/or safeguards for the general public against the spread of such price-sensitive information.
While it is pertinent to note that SEBI-regulated entities and matters incidental to the listed securities market are covered by SEBI mandates, non-regulated entities do not have a legal obligation and/or duty in this regard. The mechanisms present relate to ensuring that no mis-information or misuse of information is generated by such entities. There is no obligation on any entity to take action or report incidents in this regard to the relevant authorities. However, SEBI is empowered to take suo moto action in this regard if it believes that any of the regulations are being breached by market participants.
Any person who is engaged in the insurance business in India is required to register as an insurer or an appropriate intermediary with the IRDA. Only an entity registered as an “insurer” or “insurance company” is permitted to underwrite a policy. Whether an insurer uses technology and acts as an insurtech business or not, all insurers are required to adhere to the conditions set out by the IRDA on the underwriting of policies.
Irrespective of the use of technology, the insurer will need to consider the following when it writes its underwriting policy:
The IRDAI is the principal regulatory body governing the entire insurance business in India, and administers the principal statutes that have been enacted in respect of the insurance business: the Insurance Act, 1938, the Life Insurance Corporation Act, 1956, the General Insurance Business (Nationalisation) Act, 1982, the Marine Insurance Act, 1963, the Motor Vehicles Act, 1988 and the Indian Contract Act, 1872. The insurance business in India is divided into the two broad categories of life and general insurance. The types of general insurance offered in India are as follows:
Each type of insurer is governed by the IRDAI and is subject to the principal legislation set out above. Conditions governing disclosures, good faith information to customers on premium, exclusions and terms of the policy are consistent across insurers. Distinctions between the treatment of classes of insurers occur in the quantum of funds that general and life insurers are required to maintain, investment restrictions, and rural and priority sector obligations.
Regulation technology (regtech) essentially involves the deployment of technology in the field of financial regulation in order to streamline compliance workflows and processes. The financial industry in India comprises three primary sectors: (i) securities markets; (ii) insurance; and (iii) banking and finance. Their respective regulators are SEBI, the IRDAI and the RBI. The regulators have recognised the need of the hour and have legislated on the regulation on the development of financial technologies for products and/or services as offered via entities under auspices of each named regulator.
Since such technology is often developed by a third party, financial intermediaries from each of the aforementioned sectors engage such third parties for outsourcing such tasks which the developed technology is meant to facilitate. In light of such outsourcing, all three sectors have legislated outsourcing regulations to ensure that the regulated entity remains liable for all outsourced material. This approach by the regulators of not clamping down directly on the third parties has ensured the steady growth of the sector while ensuring compliance with the law.
In addition, the regulators have also been discussing the implementation of a regulatory sandbox in order to test new financial technology innovations prior to their exposure to the masses. The RBI has been a first mover in this case, with its “Enabling Framework for Regulatory Sandbox” report dated 13 August 2019 laying down the eligibility criteria and relaxations boundary condition, among other items, for an innovative financial product to be tested prior to full release. SEBI and the IRDAI have been contemplating the release of a similar sandbox for their own sectors, but there have been no official circulars on the matter.
The sectoral regulators (the IRDAI, the RBI and SEBI) have their own outsourcing guidelines in relation to outsourcing activity in each financial field, respectively. The outsourcing guidelines mandate having a contract with the technology providers, which is entered into between the respective financial service provider and the technology provider based on the norms in the market. However, the manner in which the outsourcing guidelines are drafted in relation to each sector is such that they expressly lay out which activities may be outsourced and the manner in which they are to be outsourced, and all the regulations abundantly clarify that the financial service provider shall remain liable in the event of any breach caused by the technology provider in relation to the outsourced activity.
In light of the above, financial service providers seek to control the performance of technology providers through including certain customary clauses within their contracts, which outline reporting requirements in relation to the outsourced activities, providing the right to financial service providers to inspect various facets of the technology providers business, safeguards to ensure that technology providers are not further outsourcing the activities, and ensuring that all technology providers have robust information technology in place, among other items.
In addition, the RBI has mandated through a directive that, in relation to payment system operators, all data generated in that regard must remain and be stored in India itself. Therefore, for all activities outsourced in this regard it is clarified that, even if they can be outsourced to offshore entities, the data concerning these payment system operators should be preserved in India in such a manner as to ensure that it is readily accessible if it is requested to be furnished to the RBI.
The outsourcing guidelines in force with respect to each financial sector do not specifically mandate that any financial service provider or technology provider must actively report any suspicious or unlawful behaviour of any manner or form. However, by virtue of the existence of these outsourcing guidelines, certain obligations are extended to the technology provider from the financial service provider. For instance, in the outsourcing guidelines as mandated by the RBI, the RBI has the ability to call for data and to conduct audits of the technology provider in the same manner as for the financial entity which it directly regulates.
Therefore, in law there are no obligations on technology providers to report any instances of non-compliance themselves; under the appropriate outsourcing guidelines, each of the technology providers are required to co-operate with the respective regulator in the event of an investigation conducted or data requested in relation to the activities that are outsourced.
In India, large corporates have been exploring blockchain technology with enthusiasm, as demonstrated by the "Bankchain" alliance (with 35 members, including institutions such as the State Bank of India, HDFC Bank, and the National Payments Corporation of India) and the Enterprise Ethereum Alliance, a global coalition of more than 500 firms globally which includes Accenture, Cisco, Deloitte, Intel, Microsoft and Thomson Reuters as members. Indian banks have also been testing the adoption of xCurrent 4.0, which is a decentralised, cross-border remittance system based on Ripple architecture to ensure faster and more trustworthy transactions than the present SWIFT system.
Financial institutions are looking to implement blockchain solutions for executing tasks such as e-KYC, trade finance, loan syndication, verification of guarantees, etc.
SEBI recently set up the Committee of Financial and Regulatory Technologies (CFRT) in order to explore the implantation and adaptation of blockchain technology in the securities market. It was recognised that the stock exchanges presently suffer from issues of interoperability, trust and transparency.
The insurance industry is also seeking to leverage the flow of data as facilitated by the implementation of blockchain technology in order to provide tailored insurance for their customers without having to replicate data collection each time. Such activity is possible on a blockchain vis-à-vis central ledgers, due to the fact that data on a blockchain is largely considered tamper-proof unless a single entity gains more than 50% computing power on the blockchain, which on a reasonably large blockchain is technologically impossible to achieve.
The regulators in India are not averse to the implementation of blockchain for the improvement of data redundancies, the reduction of data duplication and the general ease of access of data. However, the challenge in this regard lies in divorcing blockchain assets from the implementation of blockchain. Due to the fact that any successful blockchain requires “gas” (blockchain assets) to function, the actual implementation of this technology at the regulatory level has been minimum, due to the Government’s stance on blockchain assets.
Various regulators, especially SEBI and the RBI, have mobilised their specialised committees and groups to explore the advantages and disadvantages of blockchain solutions within their respective sectors. As stated above, the RBI has facilitated the creation of a regulatory sandbox in order to facilitate the testing of new financial products prior to mass adoption. There are no explicit restrictions with regards to blockchain technologies being a part of this sandbox; the only restriction in this regard is that cryptocurrency and/or virtual currency will not be permitted under this regulatory sandbox.
The financial technology research wing of the RBI – the Institute for Development and Research in Banking Technology (IDRBT) – has published its findings on the implementation of blockchain in the financial sector, pointing out that the core issue of blockchain in the retail banking space is scalability.
There are no specific regulations classifying the treatment of blockchain assets. However, in April 2018 the RBI explicitly stated that no individual shall deal or attempt to deal in any virtual currencies using any banking channel or any instrument that is governed by the RBI.
Due to this blanket restriction by the RBI on trading in virtual currencies, India has not classified blockchain assets as utility assets, storage of value or security, as has been attempted by various other jurisdictions, such as Switzerland, Estonia, Malta, the USA, etc.
Given the nascent stage of blockchain solutions and the framework in the country, there is no regulatory framework governing blockchain assets. The only restriction is with regard to the prohibition in dealing with virtual currencies (see 12.3 Classification of Blockchain Assets).
Having said this, the issues relating to blockchain assets and the framework will include the manner in which the information is stored (especially data localisation requirements), the sharing of financial/sensitive information and confidentiality obligations under the privacy laws, providing governmental entities access to private networks, and the form and enforcement of contracts.
Please see previous sections.
As set out above, all pooling or investment vehicles are regulated in the manner in which they are set up and function. Due to the lack of clarity on the regulatory framework governing blockchain assets and the prohibition on dealing with virtual currencies, tokens or blockchain assets have not been active investment opportunities for funds.
At the time of writing, Indian regulators have not specifically defined VCs separately from blockchain assets. However, as set out above, the RBI circular passed in April 2018 prohibits dealing with "virtual currencies".
Essentially, India does not recognise any form of cryptocurrency or VC as legal tender, and the regulatory authorities have cracked down on individuals/entities trading or attempting to trade in any VCs, including conducting raids and seizing the technology assets of such individuals.
The existing legislation with respect to data privacy is contained within the IT Act and the Security Practices Rules. The latter is only concerned with sensitive personal data or information such as passwords, financial information, biometric information, medical records, etc, while the former deals with general data protection and the treatment of data stored electronically. While there is no explicit data protection law like the GDPR in India, certain standards of data protection may be read into the law. In its present state, there are no limits or discernible impact on blockchain vis-à-vis privacy regulation in India.
However, the legislature in India is seeking to implement the Personal Data Protection Bill (Data Bill) sooner rather than later. While still being discussed with industry participants and among the wings of government, the present draft of the Data Bill suggests that it is materially in line with the European GDPR. If the Data Bill is passed in this shape, then it is likely that the Indian individual shall be afforded the following rights:
A blockchain is by its very nature transparent and immutable. Since the Data Bill in its present state makes exceptions for anonymised data, it may be argued that, since the data on a blockchain in not immediately identifiable (without a combination of private keys), the data may be considered to be anonymised and thus may be exempt from the ambit of the Data Bill.
However, if it is determined that the data is sufficiently identifiable, then the rights listed above would have to be provided to individuals transacting on the blockchain. These are to be reconciled with the premise upon which the blockchain and/or distributed ledger technology functions.
Although open banking in India is still nascent, regulatory and actual operational steps are being taken by the RBI and the Government to build open banking in India through the implementation of the UPI, which is an instant real-time payment system that allows users to perform inter-bank money transfers and pay merchants from one’s bank account through various mobile applications, including Google Pay. The other step taken by the Government and the RBI relates to the concept of an account aggregator, which registers with the RBI and is licensed to collect, aggregate and store data of an individual from diverse financial institutions, and to share such data with other financial service providers. However, the account aggregation business in India has not kicked off in any significant manner.
In addition to the principles discussed in 2.9 Implications of Additional Regulation, the Government has set out certain conditions in respect of the treatment of data collected and used through the UPI. Firstly, customer consent is required to opt for the UPI and thereafter allow for the data to be used by the various participants in the UPI. The data collected – such as the customer’s name, mobile number, residential address, email ID, gender, location details, device details, transaction-related details, UPI ID, transaction ID, beneficiary UPI ID and beneficiary account number – is required to be anonmyised and stored in an encrypted manner.
The details that will be stored and collected by the account aggregator must also adhere to the strict principles of privacy and be shared in an encrypted form and only to the extent of the consent provided by the customer.