Fintech 2020 Comparisons

Last Updated March 02, 2020

Law and Practice

Authors



Jerome Merchant + Partners has a primary office in Mumbai, with associate offices in New Delhi and Bangalore. Its lawyers advise financial institutions and corporates on various aspects related to securitisation and the assignment of different portfolios of receivables, including housing, credit card, operational and loan portfolio receivables. The securitisation practice works closely with the M&A and disputes practices in structuring securitisation transactions. Many large portfolio assignment transactions are undertaken by way of a business transfer of the portfolio and associated assets (including employees and technology), and are advised by the firm's financing/securitisation and M&A lawyers. Given the rising levels of distressed assets in the Indian economy, Jerome Merchant's securitisation lawyers increasingly work with its disputes and insolvency teams in advising on the structure for the sale and acquisition of debt portfolios which are non-performing and are under different stages of restructuring or insolvency.

India’s expansion into one of the fastest growing fintech markets in the world continued throughout 2019. According to the Report of the National Investment Promotion and Facilitation Agency (Government of India, 2019), the key drivers behind the growth in the sector include the following:

  • widespread identity formalisation (Aadhar): 1.2 billion enrolments;
  • a high level of banking penetration through the Jan Dhan Yojana: more than a billion bank accounts;
  • high smartphone penetration: 1.2 billion mobile subscribers;
  • IndiaStack: a set of application programming interfaces (APIs) for businesses and lenders;
  • key government initiatives such as UPI and Digital India; and
  • growing middle-class expansion: it is estimated that India will add 140 million middle-income and 21 million high-income households by 2030, which will drive demand and growth in the Indian fintech space.

Other key events that have shaped the fintech industry in India over the last 12 months include the Government’s measures to allow for on-tap licences for small finance banks, bringing P2P lenders within the overall financial services regulatory framework, the regulatory sandbox of the Reserve Bank of India (RBI) and the National Common Mobility Card, which is a transport card that enables the user to pay for travel, toll duties and retail shopping, and to withdraw money.

The overall stability in the sector is evidenced by continuously increasing collaboration between banks and fintech startups in the form of supplementary offerings, partnerships, acquisitions, incubators and investment, greater adoption of digital payments on the consumer end, and the adoption of technology like artificial intelligence (AI), machine learning (ML), blockchain and robo-advisory services by banks.

The Next 12 Months

A distillation of the views of industry experts suggests that a major trend in the fintech sector in 2020 will be developing technologies, including software and APIs to build solutions to reduce distressed assets and to build services that will lead to improved credit recovery. The industry may also see the first major state-backed cryptocurrency pegged to fiat along with the extension of blockchain initiatives.

The expansion of the alternative lending ecosystem will be a key focus area in 2020, driven by technology-enabled “alternative” lenders such as P2P players, mobile lending platforms, pay later loans, crowdfunding, or invoice financing, and AI in the banking and financial services sector to improve productivity and efficiency. Accordingly, the expected outlook for this sector over the next 12 months is summarised as follows:

  • Neobanking and banking-as-a-service (BaaS) platforms are expected to experience the highest growth. With the RBI moving towards recognising various types of innovations in open banking, banks and payment service providers will look to develop customer solutions in collaboration with neobanks and BaaS platforms. Over the last few months, digital-only banking services have been commenced by Kotak Mahindra Bank, Paytm and DBS.
  • Tokenisation: companies are expected to continue adopting technologies such as biometrics, card tokenisation and Aadhaar-linked biometrics for completing and undertaking transactions in India.
  • Financing medium, small and micro enterprises (MSMEs): lending tech companies primarily targeting lending to MSMEs will pursue digital technologies and alternative credit scoring methodologies.
  • Data analytics and new-age technologies: Indian wealth management and insurtech startups are continuously utilising real-time data analytics as well as IoT devices and blockchain to introduce personalisation, security and quick approvals at different stages. Moreover, banks are already using technologies like AI/ML and blockchain to reduce errors and offer a more streamlined digital banking experience to consumers.
  • Cloud: increased investments by the banking industry in public cloud services will be a key component of growth in the fintech space in 2020.
  • Experiments to continue with RPA: the development of robust robotic process automation that integrates the unique and complementary capabilities of the robotic and human workforces is expected to receive more investments, along with robo-advisories.
  • Robo-advice: although miniscule at present, the applicability of robo-advice is gaining ground, and robo-advisories can be revolutionary in personal finance management.
  • Rise of niche fintech players: players in the fintech space will concentrate on finding solutions to bridge finance gaps in areas such as agriculture and the supply chain in the B2B segment. At the same time, fintech startups are introducing flexible loan options for the short-term needs of salaried professionals, freelancers and young students. This will encourage fintech stakeholders to invest further to bring in more innovation and evolve the sector.

In May 2019, the RBI released a vision document for ensuring a safe, secure, convenient, quick and affordable e-payment system, as it expects the number of digital transactions to increase more than four times to 8,707 crore in December 2021. The "Payment and Settlement Systems in India: Vision 2019 - 2021", with its core theme of "Empowering Exceptional (E)payment Experience", seeks to achieve "a highly digital and cash-lite society" through the goal posts of competition, cost-effectiveness, convenience and confidence (the 4Cs). In addition to the initiatives under the vision document, the proposed data privacy legislation is expected to have a significant impact on the manner in which the industry operates in 2020 and beyond.

The predominant fintech business models that are popular among Indian consumers and fintech players are as follows:

  • payment gateways;
  • digital wallets;
  • digital insurance/insurtech;
  • digital lending;
  • PoS;
  • payments and small finance banks;
  • tech companies in financial services;
  • transaction delivery;
  • neo/open banking;
  • alternative credit scoring;
  • alternative insurance underwriting;
  • wealthtech; and
  • API-based bank-as-a-service platforms.

Payment systems are governed and regulated by the Payments and Settlements Act, 2007 (PSS Act). Any person operating a "payment system" is required to register with the RBI and comply with the provisions of the PSS Act and the rules and regulations framed thereunder.

A "payment system" is defined as a system that enables payment to be effected between “a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange”, and “includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations”. Therefore, any activity that effects a settlement of a payment between a payer, on the one hand, and a payee or beneficiary on the other, constitutes a payment system and will require registration under the PSS Act.

Pre-Paid Instruments (PPIs) are governed by the Master Direction on Issuance and Operation of Pre-paid Payment Instruments in India dated 11 October 2017 and issued by the RBI (Prepaid Instrument Directions). PPIs can be issued through various methods, such as cards, e-wallets or digital accounts, and are primarily of three types: closed, semi-closed and open. A PPI that can be used only for the purchase of goods or services sold by the issuer and not by any other third person is a “closed prepaid instrument” and does not qualify as a payment system. Consequently, the issuer of such PPI does not need to obtain any prior authorisation from the RBI, nor does it need to comply with the PSS Act or the Prepaid Instrument Directions. However, for the purposes of issuing a semi-closed PPI, which is capable of being used for the purchase of goods and services by customers with clearly identified merchants (other than the issuer of the prepaid instrument), the issuer will be required to register as a payment system with the RBI, and to comply with the requirements of the Prepaid Instrument Directions. An open PPI is issued only by banks (approved by RBI) and can be used at any merchant for the purchase of goods and services, including financial services, remittance facilities, etc. Cash withdrawal at ATMs/Points of Sale (PoS) terminals/Business Correspondents (BCs) is also allowed through such PPIs. The Prepaid Instrument Directions stipulate certain additional requirements, as follows:

  • issuers must be a person incorporated in India;
  • minimum capitalisation and net worth;
  • fee disclosures;
  • transaction limitations;
  • compliance with the "know your customer" (KYC) requirements while issuing the PPIs; the level and nature of the KYC requirements depends on the underlying value of the semi-closed prepaid instrument;
  • the issuer must maintain an escrow account with a scheduled bank in India for the purposes of maintaining the amounts received from the beneficiary; and
  • dispute resolution mechanisms must be in place.

In addition to the Prepaid Instrument Directions, the RBI has specific master directions on the issuance of credit cards and debit cards by banks and non-banking financial institutions. The regulatory framework in India also allows for customers to make transfers to or from other PPI providers or banks for e-wallets and cards, in accordance with the Prepaid Payment Instruments – Operational Guidelines for Interoperability dated 16 October 2018 (Interoperability Guidelines) and issued by the RBI.

Remittances and transfers of monies may be made through the various instruments that are permitted to be used through existing money transfer systems, such as RTGS, NEFT, IMPS and UPI.

The primary compensatory models for entities that operate in the fintech space are as follows:

  • transaction processing fees from remittances made via NEFT, RTGS, IMPS, UPI; fees are also payable by the consumer when he or she uses a PPI or credit/debit card or POS. The government regulates such fees, and at times may direct the quantum of fees to be paid or transactions that are to be exempted from fees and thereby affect the revenue projections/models of payment operators;
  • the deployment of funds that are maintained by the payment settlement system is a source of compensation. The PSS Act sets out the manner and type of instruments where such funds can be deployed;
  • in the lending space, compensation is earned by way of interest and processing charges;
  • fees are also charged to the customer for registering with a particular payment provider and for delivering a PPI to the customer; and
  • compensation is also received by the fintech player from the allied services provided to its customers, such as the distribution of mutual funds, insurance policies and wealth management, amongst others.

All fees charged to the customer are required to be expressly and fairly disclosed to the customer in the terms of use and on the website of the applicable service provider for certain items, such as interest rates and processing charges.

The regulatory framework in India does not distinguish between a legacy player and a new entrant to the fintech market in any business that is regulated by the RBI, such as payments, credit facilities, the operation of cards, or PPI instruments and P2P lending.

In August 2019, the RBI prescribed detailed guidelines and an operational framework on a regulatory sandbox to be set up in the fintech space. Late in 2019, it also announced that its first sandbox will be in the "Retail Payments" space. The RBI noted "mobile payments including feature-phone-based payment services", "offline payment solutions" and "contactless payments" as potential categories for inclusion. Experimentation and the testing of new products and services is likely to commence in the first half of 2020.

The RBI has laid down various eligibility criteria for sandbox applicants, including that:

  • the applicant should be a company incorporated and registered in India or a bank licensed to operate in India; financial institutions constituted under a statute in India would also be eligible;
  • the applicant entity shall have a minimum net worth of INR25 lakh (approx. USD35,000) as per its latest audited balance sheet; and
  • the promoters and directors of the entity should be "fit and proper", as per the enumerated criteria.

The securites regulator – the Securities and Exchange Board of India (SEBI) – issued a circular in May 2019 laying down the framework for an innovation sandbox, wherein fintech firms and entities not regulated by SEBI will be provided an offline testing environment for their products or solutions.

The products/services or solutions should be intended for the securities or commodities market in India, with the help of the datasets available in the sandbox, and should be able to reach secure solutions that have clear benefits for consumers and the capital markets.

The data sets include data from depositories, stock exchanges and Registrars and Transfer Agents (RTAs) in a phased manner to conduct their testing, depending upon the validations. Such data shall be governed by comprehensive confidentiality and end-user agreements. The testing on the datasets shall be conducted offline, in isolation from the live market, but with configurations similar to the live market for testing the innovative solutions.

As regards payments and related activities such as the issuance of cards, PPIs and P2P lending, the RBI continues to be the sole regulator of industry participants.

Fintech participants operating in the securities and insurance space are regulated by SEBI and the Insurance Regulatory and Development Authority of India (IRDAI).

Unlike for banks and registered non-banking financial companies (NBFCs), there are no express regulations governing outsourcing by fintech players. However, as a general principle it must be assumed that the core functions of a regulated entity (ie, an entity registered with the RBI) should not be outsourced, and all functions that are outsourced must adhere to the outsourcing regulations governing banks and NBFCs.

The salient conditions that must be complied with in any outsourcing arrangement are as follows:

  • the agreement should clearly define the activities that are going to be outsourced;
  • the agreement should provide for the continuous monitoring and assessment of the service provider, such that any corrective measures may be taken immediately;
  • a clause on termination and the minimum period in which to execute such a provision should be included in the agreement;
  • a provision should be included relating to controls to ensure the confidentiality of customer data and the service provider’s ability in the case of a breach of confidential information relating to the customer;
  • the agreement should provide for the prior approval of the financial services entity for the use of subcontractors by the service provider for all or part of the outsourced activity;
  • the agreement should provide for recognition of the rights of the RBI to cause an inspection to be made of the service provider; and
  • the agreement shall also provide for the confidentiality of customers’ information to be maintained even after the termination of the agreement.

It is important to note that the Prepaid Instrument Directions require a PPI entity to comply with the following conditions in respect of its third party service provider:

  • a contract must be in place with its service provider to allow audit/inspection by the RBI;
  • all information with the service provider and PPI entity must be made available to the RBI;
  • security processes and controls being followed by service providers must be reviewed periodically; and
  • step-in rights are to be available, incorporating an obligation to disclose any security breaches to the RBI.

The RBI has been very active in taking regulatory action against players in the payment space for violations of regulatory norms. Such violations include breach of data processing compliances, mis-selling, incorrect transactions and dealings. In 2019, fines ranging from USD1 million to USD30 million were imposed on various players. Companies have also been directed to temporarily suspend their operations so as to ensure that regulatory compliances are met before business re-commences.

Privacy Laws

The treatment of data collected by fintech entities from their customers (Customer Data) will need to comply with the requirements of the Information and Technology Act, 2000 (IT Act), read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Security Practices Rules). The IT Act and the Security Practices Rules provide for certain statutory provisions in the treatment of “personal information” and “personal sensitive information”. The Security Practices Rules define “Personal Information” to mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying such person; “sensitive personal data or information of a person” is defined to mean information of a person relating to:

  • password;
  • financial information such as bank account or credit card or debit card, or other payment instrument details;
  • physical, physiological and mental health condition;
  • sexual orientation;
  • medical records and history;
  • biometric information;
  • any detail relating to the above clauses as provided to a body corporate for providing service; and
  • any of the information received under the above clauses by a body corporate for processing, that is stored or processed under lawful contract or otherwise.

While Customer Data will not always qualify as “sensitive personal data or information”, it would qualify as “personal information” if, coupled with other information available to the fintech company, there is a possibility of identifying the customer concerned. Accordingly, the fintech company will be required to maintain the confidentiality of the Customer Data, and not disclose it to any third parties. The fintech company will also have to store the data using reasonable security processes, as prescribed under the IT Act and Security Practices Rules. Pursuant to Rule 11 of the Security Practices Rules, the Payment Co will be deemed to be compliant with maintaining reasonable security processes if it adopts any technology that meets IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under the IT Act.

Rules 4 and 6 of the Security Practices Rules require any body corporate that collects, receives, possesses, stores, deals or handles “personal information” to obtain prior permission from the provider of such information before such information is disclosed to any third party, unless such consent is already obtained pursuant to a contract between the body corporate and the provider of such information.

Furthermore, the Government has introduced comprehensive legislation on data privacy, and the implications of such law on the data management systems of fintech companies will have to be examined once such law comes into force.

All data relating to payment transactions of the customer will be required to be stored in India.

There is no distinction made between the applicability of privacy laws to fintech and legacy players.

KYC

Players in India’s fintech segment continue to have issues on know-your-customer (KYC) norms as well as rules for customer data access and use. Entities are still seeking further regulatory clarity on offline and electronic KYC mechanisms as against having to comply with the physical verification. Recently, the RBI has permitted video-based authentication of KYC compliances, and has taken steps to allow for more offline/online non-physical methods of KYC verification. However, the use of biometrics and Aadhaar-based data is still limited and adds to the compliance costs of fintech players. There is no distinction made between the applicability of KYC laws to fintech and legacy players.

Cybersecurity

The RBI requires both banks and payment settlement system operators to adhere to policies and processes to ensure cybersecurity. Such measures include conducting third party audits, risk profiling/transaction monitoring, centralised security control to monitor transactions on a real-time basis, disaster recovery and step-in mechanisms, and immediate customer response to any fraudulent transaction reporting. There is no material distinction made between the applicability of cybersecurity laws to fintech and legacy players.

Any social media tool that undertakes a regulated activity will be subject to the same regulations as any other fintech player. For example, the WhatsApp money remittance service is regulated like any other payment system operator, independent of its chat application.

The PPI Master Directions and applicable regulations applicable to banks and NBFCs require third party audit firms to undertake audits to ensure compliance with financial conditions related to their licence and regulatory conditions. Cybersecurity and information technology system audits are also required to be conducted by third party audit firms. All of these reports are required to be submitted to the RBI on a quarterly or annual basis.

Furthermore, fintech players are increasingly having their systems and processes audited for ISO and similar standards to increase customer and third party confidence in their business models.

It is common for entities to offer regulated and unregulated products and services. However, in most such cases, the entities through which regulated and unregulated products/services are offered will be distinct. Furthermore, where there are different regulators that monitor a service or product, such as between the RBI and SEBI, then the entities through which the services and products are offered will also be separate.

The regulators carefully consider these structures, but as long as no lines are crossed whereby a service or product that is intended to be regulated is being offered in an unregulated manner merely on account of breaking up the offering through nifty structuring, there is no regulatory push back.

From a regulatory perspective, robo-advisers do not need any specific or different business model. The use of robo-advisers in the banking, securities, wealth or insurance areas is adopted into the tools of the relevant business and deployed accordingly. The use of robo-advisers does not increase or decrease an entity's levels of registration or regulatory compliance.

In India, legacy players havebeen very quick to adapt and use robo-advisers in their businesses over the last few years. Private sector banks use robo-adviser-based solutions in developing tools for customer satisfaction, new products and services and improvements.

Needless to say, the most major deployment of robo-advisers has occurred in the wealth management, advisory and insurance space, in developing custom-made trading and wealth solutions.

The “best execution of customer trades” is directly related to the level of investment that the fintech player makes in developing bespoke solutions for its customers. For high net worth premium clients, banks and fintech firms provide very tailormade robo-advisory services and are therefore able to enhance the levels of best execution – ie, optimal returns and minimal cost of investment.

However, for a majority of fintech firms that target relatively less premium segments of the market, robo-advisory services tend to address the broad requirements of a particular customer class by making decisions based on the mean, and therefore provide less than optimal results for customers.

The overall framework governing the extending of loans and the entities providing loans is regulated by the RBI. For example, financial institutions such as banks and non-banking financial companies are carefully regulated by the RBI and have specific frameworks governing the manner of set up as well as functioning.

With regard to lending to individuals, in October 2017 the RBI notified the Master Direction – Non-Banking Financial Company – Peer to Peer Lending Platforms (Reserve Bank) Direction, 2017 (NBFC P2P Directions), and notified that Peer to Peer lending service providers (NBFC P2P) need to be registered as a NBFC vide following the eligibility criteria stated in the NBFC P2P Directions, which state that such NBFC-P2P platforms may only act as an intermediary platform that connects lenders and borrowers.

The NBFC P2P Directions further make it compulsory for any NBFC P2P to undertake credit assessment and risk profiling of the borrowers, and to disclose the same to the prospective lenders. In addition to the mandate required to be followed vide the NBFC P2P Directions, NBFC P2P platforms also provide ad-hoc services such as providing the loan documentation used by lenders and borrowers in relation to the loan.

A “participant” is defined under the NBFC P2P Directions as “a person who has entered into an arrangement with an NBFC-P2P to lend on it or to avail of loan facilitation services provided by it.” The usage of the word “person” by the NBFC P2P Directions grants a wide interpretation to the nature of entities who are eligible to use NBFC P2P platforms for the purposes of borrowing and lending. The NBFC P2P Directions provide for prudential norms that must be followed while allowing “participants” to transact on such NBFC P2P platforms.

With regard to borrowing, the NBFC P2P Directions have set hard limits on the amounts that may be borrowed by any single “participant”. Also, any and all loans as availed through the NBFC P2P platform are only unsecured loans – ie, a lender may not mandate any borrower to provide any security or hypothecate any asset in lieu of advancing any funds. Furthermore, any and all loans availed through these NBFC P2P platforms shall be subject to a maximum maturity period of 36 months.

However, platforms that assist only banks, NBFCs and other regulated financial institutions to identify borrowers are not to be treated as P2P platforms. In cases where retail lenders other than banks or NBFCs or AIFIs use the platform for lending, the platform will have to register separately as an NBFC-P2P.

Underwriting is a credit-rating system that enables a credit institution to assess the creditworthiness and capacity of a borrower to repay his loan and advances, and to discharge his other obligations in respect of credit facility availed or to be availed by him. The process of underwriting facilitates the lending institutions' access to the credit profile of the borrower, enabling the lenders to have better information about the borrower, which enables the lender to undergo a more reliable and streamlined lending exercise.

In India, Credit Information Companies (CICs) provide underwriting services to the credit institutions, enabling the credit institution to undertake an informed credit decision. The regulatory framework governing the process of the collection of a borrower’s data by the credit institutions is set out under the Credit Information Companies (Regulation) Act, 2005, read with Credit Information Companies (Regulation) Regulations, 2006 (CICRA).

Under the NBFC P2P Directions, in order to underwrite the lenders’ risk, it is mandatory for the NBFC-P2P platforms to undertake credit assessment and risk profiling of the borrowers, and to disclose the same to the prospective lenders on their platform. There is no restriction and/or obligation on the lenders to undertake their own additional underwriting processes different from the one undertaken by the NBFC-P2P platform.

Under the NBFC P2P Directions, P2P lenders are under no obligations to disclose the sources of funds that are utilised by them to grant loans on the NBFC P2P platforms. Furthermore, such lenders on the NBFC P2P platforms are not required to provide any certification regarding their wealth, unless they are seeking to offer funds greater than INR1,000,000 across all NBFC P2P platforms. It is abundantly clarified that vide Regulation 6 of NBFC P2P Directions, no NBFC P2P shall be allowed to accept deposits of any kind, nor to loan out of its own funds.

Since the NBFC P2P Directions came into effect, the Digital Lender’s Association of India (DLAI) has recommended that the low thresholds therein should be revised in order to ensure greater participation among high net worth individuals, family offices, etc. The RBI has now increased the previous limit of INR1,000,000 for lenders to INR5,000,000. Any lender seeking to offer more than INR1,000,000 for lending across multiple NBFC P2P platforms shall be required to provide a net worth certificate from a Chartered Accountant.

Other financial institutions that provide loans to individuals (either online or offline) (such as banks or non-banking financial companies) deploy funds/loans to individuals, subject to maintaining the statutorily prescribed credit ratios and adequacy norms. The source of funds is either in the form of equity or debt availed from financial institutions, which is then utilised to conduct their lending activities.

The syndication of loans is a common feature of online lending. The same can also be structured as a co-lending, whereby the particular fintech lender co-lends with a larger financial institution to enable it to service the client’s requirements. Therefore, the fintech lender has the ability to leverage the financial recourses of the larger financial institution through a co-lending model.

In India, payment and settlement systems are regulated by the PSS Act, read with the Payment and Settlement System Regulations, 2008 (PSS Regulations). Under Section 4 of the PSS Act, no person other than the RBI can commence or operate a payment system in India unless explicitly authorised by the RBI. The RBI has authorised payment system operators of pre-paid payment instruments, card payment systems, cross-border in-bound and out-bound money transfers, Automated Teller Machine (ATM) networks, payment settlement systems and centralised money clearing systems.

The RBI introduced technology-based solutions for the improvement of the payment and settlement system infrastructure, including the National Electronic Funds Transfer (NEFT) System, which facilitates one-to-one funds transfer requirements of individuals/corporates, and the Real Time Gross Settlement (RTGS) System, which funds transfer systems where the transfer of money takes place from one bank to another in "real time" and on a "gross" basis. However, each system has its limitations in terms of amounts that may be transferred and the speed at which transference occurs.

In order to make money transfer smoother and more seamless, the National Payments Corporation of India has developed the UPI, which is a real-time payment system for facilitating inter-bank transactions. It is worth noting that all these payment rails – NEFT, RTGS and UPI – have been developed and authorised by central governmental corporations.

However, certain companies have obtained licences to operate as payment rails under the PSS Regulations, such as One97 Communications Limited and PhonePe Private Limited.

The market practice to date has been to implement UPI or provide separate access to a payment gateway within the application as a payment method of choice in order to avoid the requirement to obtain a licence as a “payment settlement system” under the PSS Regulations read with the PSS Act. Therefore, this model enables a fintech platform to provide a platform whereby the funds are routed through authorised payment gateways and thereby not trigger the requirement to obtain a registration from the RBI.

As India is an exchange-controlled economy, any inflow or outflow of foreign exchange is regulated under the prevalent foreign exchange regulations prescribed by the RBI.

For example, with respect to individuals, the RBI has issued a "Master Direction on Liberalised Remittance Scheme" (LR Scheme) governing the framework for the remittance of funds abroad by the resident individuals for the transactions facilitated through a current account or capital account. The LR Scheme limits the amount allowed to be remitted per financial year by a resident individual to USD250,000. The cap amount includes within its scope all the remittances for current account transactions, such as private visit, gift/donation, going abroad on employment, emigration, maintenance of close relatives abroad, business trip, medical treatment abroad and studies abroad, in addition to capital account transactions as described below. Funds can be remitted abroad by an individual under the LR Scheme for only the permitted capital account transactions specifically.

PPIs for cross-border payments are only allowed to be used for foreign-denominated transactions that meet the criteria as mandated under the Prepaid Instrument Directions. Therefore, KYC-compliant reloadable semi-closed and open system PPIs, issued by Authorised Dealer Category-I banks, are permitted to be used in cross-border outward transactions for permissible current account transactions under FEMA viz. purchase of goods and services. This facility shall be enabled only on the explicit request of a PPI holder. Furthermore, the Prepaid Instrument Directions have clarified that such PPIs shall only be used for current account transactions as permitted by the RBI, and shall not be used for any capital account transaction as permitted under the LR Scheme.

Any entity used for the pooling of funds is essentially regulated by SEBI. Therefore, investment vehicles such as mutual funds, venture capital funds, alternate investment funds, infrastructure investment trusts, real estate investment trusts, collective investment schemes, etc, are all regulated and require appropriate registrations to be obtained. In the process of obtaining registrations, the sponsor/manager of such investment vehicles is also vetted and regulated.

For example, an Alternative Investment Fund (AIF) is a privately pooled investment vehicle that collects funds from investors (Indian or foreign) for investing in accordance with the defined investment policy, for the benefit of its investors. An AIF can be established in the form of a trust, a company, a limited liability partnership or a body corporate, and is regulated by the Securities and Exchange Board of India (Alternative Investment Funds) Regulations, 2012 (AIF Regulations). As per these AIF Regulations, any change in sponsor or investment manager requires prior approval from SEBI.

Having said this, sub-advisers or other third party advisory entities engaged by investment vehicles are not required to obtain any registration from SEBI (subject to the activities performed by such entities).

SEBI is an investor-friendly regulator, so regulations are drafted in a manner so as to ensure the alignment of the interests of the sponsors and managers of the funds along with the unit holders (investors).

The private placement memorandums for each fund/investment vehicle require appropriate disclosures and risk analysis, so as the investor is informed and cognisant of the investment risk. In addition, certain regulations prescribe the sponsors/investment managers of the investment vehicle to have sufficient “skin in the game”. For example, with AIFs, sponsors and managers are required to provide a minimum contribution of 2.5% or INR50,000,000, whichever is lower. This has been termed as “continuing interest” – as capital is drawn down or positions are unwound, the capital required to be maintained will change vis-à-vis the situation.

Regulations also prescribe statutory information that has to be provided by the sponsors/investment managers to the investors. Further, SEBI stipulates that the sponsor/investment manager is to ensure that the interest of the contributors/investors is of paramount importance and hence appropriate conflict of interest policies are be adopted by such entities.

The AIF Regulations do not impose any obligations on the sponsors and/or managers of funds mandating the investigation of unlawful behaviour. However, there is a general premise that the sponsors/investment managers are to act in the best interest of the fund/investors.

SEBI, however, has been armed via the same AIF Regulations to inspect documentation and call for information from the funds if it receives any information or complaint, or even to take suo moto action if it has reason to believe that there is any unlawful or suspicious behaviour happening at the fund level. The limited obligation on the fund and its sponsor and/or manager is to assist and co-operate with SEBI in any investigation being conducted in this regard.

The principal marketplaces and trading platforms for financial products in India are recognised stock exchanges that deal with trading in capital market instruments, and electronic trading platforms that govern trading in financial products not covered by a stock exchange.

Stock exchanges are governed by the Ministry of Finance, SEBI and the RBI. The Ministry of Finance regulates through the Department of Economic Affairs – Capital Markets Division, which is responsible for formulating policies regarding the orderly growth and development of the securities markets (ie, share, debt and derivatives), and for protecting the interest of the investors. In particular, it is responsible for:

  • institutional reforms in the securities markets;
  • building regulatory and market institutions;
  • strengthening investor protection mechanisms; and
  • providing efficient legislative framework for the securities markets.

The principal statutes governing stock exchanges are the Depositories Act, 1996, the Securities Contracts (Regulation) Act, 1956 and the Securities and Exchange Board of India Act, 1992.

SEBI is the regulatory authority established under the SEBI Act 1992, and is the principal regulator for stock exchanges in India. SEBI’s primary functions include protecting investor interests, and promoting and regulating the Indian securities markets. All financial intermediaries permitted by their respective regulators to participate in the Indian securities markets are governed by SEBI regulations, whether domestic or foreign.

The RBI is governed by the Reserve Bank of India Act, 1934, and is responsible for implementing monetary and credit policies, issuing currency notes, and being banker to the government, regulator of the banking system, manager of foreign exchange, and regulator of payment and settlement systems, while continuously working towards the development of Indian financial markets. The RBI regulates financial markets and systems through different legislation. It regulates the foreign exchange markets through the Foreign Exchange Management Act, 1999. In the role of a securities market participant, exchanges are also required to set out and implement rules and regulations to govern the securities market. These rules and regulations extend to member registration, securities listings, transaction monitoring, members' compliance with SEBI/RBI regulations, and investor protection. Each exchange has a set of regulations specifically applicable to each of its trading segments.

Trading segments in Indian stock exchanges include equities, bonds, derivatives, commodities, exchange traded funds, securitised receipts, units of mutual funds, investment funds and investment trusts. Commodities trading that occurs on specific commodity exchanges is also governed by SEBI.

Trading in forex and currency assets, interest rate swaps and other banking-related derivatives is typically governed by the RBI and undertaken with at least one counterparty being a regulated dealer in foreign exchange or banks.

The RBI has issued regulations governing electronic trading platforms (ETP), which define an ETP as any electronic system, other than a recognised stock exchange, on which transactions in securities, money market instruments, foreign exchange instruments, derivatives or other instruments of a like nature are traded. The regulations specifically deal with platforms that allow for algorothmic trading, and such ETPs are required to put a framework in place for the testing and on-boarding of algo systems, to ensure that such facilities are offered in a transparent and non-discriminatory manner, and to ensure that their systems and controls are adequate and effective for monitoring and managing risks arising from algo systems. ETPs are required to do the following in their operation:

  • have objective, fair and transparent membership criteria;
  • undertake due diligence at the time of on-boarding all members, and maintain all relevant information about each member;
  • identify its members uniquely using Legal Entity Identifier and/or Permanent Account Number;
  • have well-documented rules and regulations regarding, but not limited to, the on-boarding, suspension and cessation of membership, the roles and responsibilities of members and operators, the liability framework for ETPs and users in case of breaches of rules and regulations, restrictions or other requirements that may apply when using the ETP, processing and execution of orders, and risk management and control;
  • make available pre-trade information such as bid/offer prices, related quantities, depth of trading interest, or such other information, to its members in a fair and non-discriminatory basis consistent with the rules governing transactions;
  • make available post-trade information such as the price, volume and time of transactions or such other information, to its members, in a fair and non-discriminatory basis consistent with the rules governing transactions; and
  • ensure that all documents, rules or regulations referred to above above are freely available to the members.

ETPs that are operated by banks for bilateral transactions with their clients and do not allow access to the markets are not required to comply with ETP regulations.

Please see 7.1 Permissible Trading Platforms.

By way of a circular dated 6 April 2018, the RBI has mandated that entities regulated by the RBI shall not deal in Virtual Currencies (VCs) or provide services for facilitating any person or entity dealing with or settling VCs. Such services include maintaining accounts, registering, trading, settling, clearing, giving loans against virtual tokens, accepting them as collateral, opening accounts of exchanges dealing with them and the transfer/receipt of money in accounts relating to the purchase/sale of VCs. The RBI circular has, therefore, effectively shut down the cryptocurrency exchange and trading business in India, given that regulated entities are not permitted to deal with such VCs. VCs are viewed by the RBI as a potential currency, and hence it has refused to classify it as a permitted instrument for dealing in India. The order of the RBI has been challenged before the Supreme Court of India, but it is unlikely to be struck down given that the regulation of VCs is a policy matter of the RBI.

The listing of and trading in different types of securities is governed by the rules and regulations of SEBI and the relevant stock exchanges. SEBI has different regulations governing public and private placements of securities. There are also specific regulations governing the listing of equities, which can typically initially be offered to the public and cannot be privately placed at the time of its initial offer. Other securities, such as bonds, units of mutual funds, investment trusts and securitised receipts, can typically be offered on a public and private basis.

Indian securities regulations are recognised to be reasonably sophisticated and follow the highest level of disclosures consistent with global markets in South East Asia. The regulations also require firms that are publicly listing their securities to follow the norms related to a minimum offer size, minimum contributions from promoters, lock-in requirements, minimum public float, track record over the preceding three years, stricter corporate governance rules and continuous disclosure requirements.

Order handling rules apply for all securities traded on regulated stock exchanges. Trades are required to be made only through registered brokers, and each member is required to maintain a depository account and place a minimum level of margin with its brokers. Trades are ordinarily settled in cash on a T+2 basis. Order handling rules in the ETP environment are not as sophisticated as the stock exchange. However, here too the trade can be undertaken only between registered users such as banks with a counterparty who has a genuine interest in the underlying instrument.

Please see 4 Online Lenders regarding P2P lending platforms.

Unregulated P2P trading platforms do exist in areas such as the raising of capital in private transactions. However, in order not to trigger public offer conditions, such platforms merely serve as a connector between participants, and the actual transaction or trade is purely bilateral.

Given the regulatory environment regarding VCs, the P2P trading platform for cryptocurrencies is extremely muted in India.

Indian stock exchanges have adapted SEBI’s regulations on smart order routing (SOR), which enables best execution in electronic trading, with the trading engine picking up the venue that offers the best price at any given moment.

The SEBI circular on SOR requires brokers to consider the following factors: price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. Salient conditions of the SOR system are set out below:

  • stock brokers are to submit a third party system audit of their SOR system and software;
  • stock brokers shall provide the following to the respective stock exchanges:
    1. an undertaking to the respective stock exchanges that SOR shall route orders in a neutral manner; and
    2. the features of the SOR to stock exchange;
  • stock exchanges shall ensure that brokers adhere to the best execution policy while using SOR;
  • an SOR facility shall be provided to all classes of investors;
  • stock brokers shall maintain logs of all activities to facilitate an audit trail. Brokers shall maintain records of orders, trades and data points for the basis of decision;
  • a system audit of the SOR systems and software shall be periodically carried out by the brokers as may be specified by the exchange, and a certificate in this regard shall be submitted to the exchange;
  • stock exchanges shall ensure that SOR is not used to place orders at venues other than the recognised stock exchanges;
  • the stock broker shall carry out appropriate validation of all risk parameters before the orders are placed in the SOR system;
  • stock exchanges shall provide unique identification numbers for orders placed through the SOR system, and maintain data on SOR orders and trades;
  • stock exchanges shall have necessary surveillance mechanisms in place to monitor trading done through SOR;
  • stock brokers shall ensure that an alternative mode of trading system is available in case of the failure of the SOR facility; and
  • the broker server routing orders placed through the SOR system to the exchange trading system shall be located in India.

Order flow rules are well established in regulated trading platforms. In the securities market, payments are made at the time of placing the order for the securities, and such securities are to be credited to the client account immediately on settlement and brokers are not allowed to benefit from any arbitrage on either the monies or the securities.

In April 2008, SEBI introduced algorithmic trading by allowing Direct Market Access (DMA) facilities to institutional clients. In short, DMA allows brokers to provide their infrastructure to clients, and gives clients access to the exchange trading system without any intervention from their brokers. Initially, it was provided only to institutional clients and not retail traders.

Nevertheless, the facility brought down costs for the institutional investor and facilitated better execution by cutting down the time spent in routing the order to the broker and issuing the necessary instructions.

The National Stock Exchange (NSE) started offering an additional 54 co-location server "racks" on lease to broking firms in an effort to improve the speed in trading.

Broker commissions had started shrinking as a result of an increasing number of institutional clients warming up to the Direct Market Access concept. To keep up with the times, brokers started offering automated software to clients.

The new entrants to this space are discount brokers who are essentially brokers who provide facilities at very low brokerage charges. They are able to do this by providing only minimal facilities, unlike full-service brokers who usually provide support as well as training programmes for their clients.

SEBI stipulates conditions to be followed by traders and brokers to keep the algo trading industry safe and risk-controlled. SEBI emphaises effective risk management for algorithmic trading. In order for any algorithm to be approved by the markets, exchanges require a firm to undergo a series of stringent tests if it intends to trade through algo trading. These tests include the number of orders that would be placed per second, the maximum order value of any order placed, and the maximum traded quantity during a particular trading day.

A brief summary of SEBI’s regulations on algorithmic trading is set out below:

  • exchanges should change the pricing structure of their co-location renting to make it accessible to small and medium-sized members, as the current practice of renting the entire server rack to one entity leads to a high cost;
  • in order to provide greater transparency when it comes to reporting the latency for co-location and proximity hosting, it has been suggested that the exchanges should provide the minimum and maximum as well as mean latencies, along with the latencies at the 50th and 99th percentiles;
  • SEBI has suggested providing a tick-by-tick data feed free to the members of the exchanges;
  • SEBI has instructed that all algorithmic orders reaching their platform should be tagged with the unique identifier assigned when the specific algorithm was submitted for approval; and
  • SEBI has imposed price and quantity checks to ensure that the price and quantity quoted do not violate the price bands and maximum permissible quantity per order defined by the exchange for the security.

The RBI has set out the following conditions for those ETPs that use algorithmic trading systems:

  • ETPs are to put a framework in place for the testing and on-boarding of algo systems;
  • ETPs are to ensure that such facilities are offered in a transparent and non-discriminatory manner;
  • ETPs are to ensure that their systems and controls are adequate and effective for monitoring and managing risks arising from algo systems; and
  • ETPs are to put appropriate controls in place to reduce the likelihood of erroneous transactions such as off-market quotes or trades, fat finger errors, and unintended or uncontrolled trading activity by members.

Please see 7.1 Permissible Trading Platforms.

When acting in a principal capacity, market makers in the securities market are required to register as market makers with SEBI to participate in the relevant market. Similarly, platforms that allow for regulated trading outside the stock exchanges, such as ETPs, are required to register with the RBI in order to operate such platforms.

Please see 7.7 Issues Relating to Best Execution of Customer Trades.

From a regulatory perspective, there is no distinction between funds and dealers in the algo trading space.

Please see 7.8 Rules of Payment for Order Flow.

Financial research as a subject is extremely wide and covers a vast area. While there are no specific regulations governing financial research platforms, SEBI has mandated that research analysts (ie, individuals or body corporates that conduct research on the securities market and allow for the publication of such reports) shall be required to obtain a specific Research Analyst licence and are governed by the SEBI (Research Analyst) Regulations, 2014 (RA Regulations). According to these RA Regulations, any person or entity that is in the business of preparing reports, making buy/sell recommendations, providing target prices, etc, in relation to listed securities or to-be-listed securities is required to obtain registration from SEBI.

In relation to research analysts, the RA Regulations strictly govern the nature of information that can be published, and the manner in which it is required to be published. Due to this, SEBI mandates specifically the quality of the information that is published, due to its price-sensitive nature. Speculative information should not form a part of any report published by entities that are governed by the RA Regulations.

There are limited safeguards in place that restrict incorrect information from being advertised, through the Advertising Code of Conduct, Cable TV Act provisions and the Information Technology Act, 2000. This legislation includes provisions that are read as guiding principles and not negative covenants on the subject. The Government has attempted to curb fake news of late, but there has been concrete legislation passed to this effect.

SEBI has prescribed strict limitations on trading for individuals and entities engaged in the business of research analysis, as under the RA Regulations. These safeguards include monitoring, recording and seeking approval wherever necessary. In addition, the code of conduct for RAs expressly prohibits insider trading and related activities. SEBI is extremely vigilant in this regard, as demonstrated in a recent ruling by the SEBI tribunal, where certain individuals were charged with insider trading by virtue of the fact they were connected on social media and presumed to have shared price-sensitive information on that basis.

In the realm of unregulated entities, there are minimal to no safe-guards against the perils of pump and dump schemes and the spreading of inside information. SEBI does have regulations in place to control the flow of insider information from “connected persons”, but this is limited to the field of listed securities. There are no further regulations and/or safeguards for the general public against the spread of such price-sensitive information.

While it is pertinent to note that SEBI-regulated entities and matters incidental to the listed securities market are covered by SEBI mandates, non-regulated entities do not have a legal obligation and/or duty in this regard. The mechanisms present relate to ensuring that no mis-information or misuse of information is generated by such entities. There is no obligation on any entity to take action or report incidents in this regard to the relevant authorities. However, SEBI is empowered to take suo moto action in this regard if it believes that any of the regulations are being breached by market participants.

Any person who is engaged in the insurance business in India is required to register as an insurer or an appropriate intermediary with the IRDA. Only an entity registered as an “insurer” or “insurance company” is permitted to underwrite a policy. Whether an insurer uses technology and acts as an insurtech business or not, all insurers are required to adhere to the conditions set out by the IRDA on the underwriting of policies.

Irrespective of the use of technology, the insurer will need to consider the following when it writes its underwriting policy:

  • disclosures on costs, including marketing expenses, employee expenses, contingency reserves, margins and income levels;
  • rates, terms and conditions of cover;
  • the list of products and services being offered to different classes of customers;
  • the procedure to ascertain losses and coverage, and its impact on rates and premium;
  • audit and reporting mechanisms to review the underwriting of a policy and adhering to the insurer’s guidelines on underwriting; and
  • robust technology systems for risk monitoring, compliance, customer grievances and developing better business practices.

The IRDAI is the principal regulatory body governing the entire insurance business in India, and administers the principal statutes that have been enacted in respect of the insurance business: the Insurance Act, 1938, the Life Insurance Corporation Act, 1956, the General Insurance Business (Nationalisation) Act, 1982, the Marine Insurance Act, 1963, the Motor Vehicles Act, 1988 and the Indian Contract Act, 1872. The insurance business in India is divided into the two broad categories of life and general insurance. The types of general insurance offered in India are as follows:

  • fire insurance;
  • marine insurance;
  • health insurance;
  • motor insurance; and
  • home insurance.

Each type of insurer is governed by the IRDAI and is subject to the principal legislation set out above. Conditions governing disclosures, good faith information to customers on premium, exclusions and terms of the policy are consistent across insurers. Distinctions between the treatment of classes of insurers occur in the quantum of funds that general and life insurers are required to maintain, investment restrictions, and rural and priority sector obligations.

Regulation technology (regtech) essentially involves the deployment of technology in the field of financial regulation in order to streamline compliance workflows and processes. The financial industry in India comprises three primary sectors: (i) securities markets; (ii) insurance; and (iii) banking and finance. Their respective regulators are SEBI, the IRDAI and the RBI. The regulators have recognised the need of the hour and have legislated on the regulation on the development of financial technologies for products and/or services as offered via entities under auspices of each named regulator.

Since such technology is often developed by a third party, financial intermediaries from each of the aforementioned sectors engage such third parties for outsourcing such tasks which the developed technology is meant to facilitate. In light of such outsourcing, all three sectors have legislated outsourcing regulations to ensure that the regulated entity remains liable for all outsourced material. This approach by the regulators of not clamping down directly on the third parties has ensured the steady growth of the sector while ensuring compliance with the law.

In addition, the regulators have also been discussing the implementation of a regulatory sandbox in order to test new financial technology innovations prior to their exposure to the masses. The RBI has been a first mover in this case, with its “Enabling Framework for Regulatory Sandbox” report dated 13 August 2019 laying down the eligibility criteria and relaxations boundary condition, among other items, for an innovative financial product to be tested prior to full release. SEBI and the IRDAI have been contemplating the release of a similar sandbox for their own sectors, but there have been no official circulars on the matter.

The sectoral regulators (the IRDAI, the RBI and SEBI) have their own outsourcing guidelines in relation to outsourcing activity in each financial field, respectively. The outsourcing guidelines mandate having a contract with the technology providers, which is entered into between the respective financial service provider and the technology provider based on the norms in the market. However, the manner in which the outsourcing guidelines are drafted in relation to each sector is such that they expressly lay out which activities may be outsourced and the manner in which they are to be outsourced, and all the regulations abundantly clarify that the financial service provider shall remain liable in the event of any breach caused by the technology provider in relation to the outsourced activity.

In light of the above, financial service providers seek to control the performance of technology providers through including certain customary clauses within their contracts, which outline reporting requirements in relation to the outsourced activities, providing the right to financial service providers to inspect various facets of the technology providers business, safeguards to ensure that technology providers are not further outsourcing the activities, and ensuring that all technology providers have robust information technology in place, among other items.

In addition, the RBI has mandated through a directive that, in relation to payment system operators, all data generated in that regard must remain and be stored in India itself. Therefore, for all activities outsourced in this regard it is clarified that, even if they can be outsourced to offshore entities, the data concerning these payment system operators should be preserved in India in such a manner as to ensure that it is readily accessible if it is requested to be furnished to the RBI.

The outsourcing guidelines in force with respect to each financial sector do not specifically mandate that any financial service provider or technology provider must actively report any suspicious or unlawful behaviour of any manner or form. However, by virtue of the existence of these outsourcing guidelines, certain obligations are extended to the technology provider from the financial service provider. For instance, in the outsourcing guidelines as mandated by the RBI, the RBI has the ability to call for data and to conduct audits of the technology provider in the same manner as for the financial entity which it directly regulates.

Therefore, in law there are no obligations on technology providers to report any instances of non-compliance themselves; under the appropriate outsourcing guidelines, each of the technology providers are required to co-operate with the respective regulator in the event of an investigation conducted or data requested in relation to the activities that are outsourced.

In India, large corporates have been exploring blockchain technology with enthusiasm, as demonstrated by the "Bankchain" alliance (with 35 members, including institutions such as the State Bank of India, HDFC Bank, and the National Payments Corporation of India) and the Enterprise Ethereum Alliance, a global coalition of more than 500 firms globally which includes Accenture, Cisco, Deloitte, Intel, Microsoft and Thomson Reuters as members. Indian banks have also been testing the adoption of xCurrent 4.0, which is a decentralised, cross-border remittance system based on Ripple architecture to ensure faster and more trustworthy transactions than the present SWIFT system.

Financial institutions are looking to implement blockchain solutions for executing tasks such as e-KYC, trade finance, loan syndication, verification of guarantees, etc.

SEBI recently set up the Committee of Financial and Regulatory Technologies (CFRT) in order to explore the implantation and adaptation of blockchain technology in the securities market. It was recognised that the stock exchanges presently suffer from issues of interoperability, trust and transparency.

The insurance industry is also seeking to leverage the flow of data as facilitated by the implementation of blockchain technology in order to provide tailored insurance for their customers without having to replicate data collection each time. Such activity is possible on a blockchain vis-à-vis central ledgers, due to the fact that data on a blockchain is largely considered tamper-proof unless a single entity gains more than 50% computing power on the blockchain, which on a reasonably large blockchain is technologically impossible to achieve.

The regulators in India are not averse to the implementation of blockchain for the improvement of data redundancies, the reduction of data duplication and the general ease of access of data. However, the challenge in this regard lies in divorcing blockchain assets from the implementation of blockchain. Due to the fact that any successful blockchain requires “gas” (blockchain assets) to function, the actual implementation of this technology at the regulatory level has been minimum, due to the Government’s stance on blockchain assets.

Various regulators, especially SEBI and the RBI, have mobilised their specialised committees and groups to explore the advantages and disadvantages of blockchain solutions within their respective sectors. As stated above, the RBI has facilitated the creation of a regulatory sandbox in order to facilitate the testing of new financial products prior to mass adoption. There are no explicit restrictions with regards to blockchain technologies being a part of this sandbox; the only restriction in this regard is that cryptocurrency and/or virtual currency will not be permitted under this regulatory sandbox.

The financial technology research wing of the RBI – the Institute for Development and Research in Banking Technology (IDRBT) – has published its findings on the implementation of blockchain in the financial sector, pointing out that the core issue of blockchain in the retail banking space is scalability.

There are no specific regulations classifying the treatment of blockchain assets. However, in April 2018 the RBI explicitly stated that no individual shall deal or attempt to deal in any virtual currencies using any banking channel or any instrument that is governed by the RBI.

Due to this blanket restriction by the RBI on trading in virtual currencies, India has not classified blockchain assets as utility assets, storage of value or security, as has been attempted by various other jurisdictions, such as Switzerland, Estonia, Malta, the USA, etc.

Given the nascent stage of blockchain solutions and the framework in the country, there is no regulatory framework governing blockchain assets. The only restriction is with regard to the prohibition in dealing with virtual currencies (see 12.3 Classification of Blockchain Assets).

Having said this, the issues relating to blockchain assets and the framework will include the manner in which the information is stored (especially data localisation requirements), the sharing of financial/sensitive information and confidentiality obligations under the privacy laws, providing governmental entities access to private networks, and the form and enforcement of contracts.

Please see previous sections.

As set out above, all pooling or investment vehicles are regulated in the manner in which they are set up and function. Due to the lack of clarity on the regulatory framework governing blockchain assets and the prohibition on dealing with virtual currencies, tokens or blockchain assets have not been active investment opportunities for funds.

At the time of writing, Indian regulators have not specifically defined VCs separately from blockchain assets. However, as set out above, the RBI circular passed in April 2018 prohibits dealing with "virtual currencies".

Essentially, India does not recognise any form of cryptocurrency or VC as legal tender, and the regulatory authorities have cracked down on individuals/entities trading or attempting to trade in any VCs, including conducting raids and seizing the technology assets of such individuals.

The existing legislation with respect to data privacy is contained within the IT Act and the Security Practices Rules. The latter is only concerned with sensitive personal data or information such as passwords, financial information, biometric information, medical records, etc, while the former deals with general data protection and the treatment of data stored electronically. While there is no explicit data protection law like the GDPR in India, certain standards of data protection may be read into the law. In its present state, there are no limits or discernible impact on blockchain vis-à-vis privacy regulation in India.

However, the legislature in India is seeking to implement the Personal Data Protection Bill (Data Bill) sooner rather than later. While still being discussed with industry participants and among the wings of government, the present draft of the Data Bill suggests that it is materially in line with the European GDPR. If the Data Bill is passed in this shape, then it is likely that the Indian individual shall be afforded the following rights:

  • the right to confirmation and access;
  • the right to correction and erasure;
  • the right to data portability; and
  • the right to be forgotten.

A blockchain is by its very nature transparent and immutable. Since the Data Bill in its present state makes exceptions for anonymised data, it may be argued that, since the data on a blockchain in not immediately identifiable (without a combination of private keys), the data may be considered to be anonymised and thus  may be exempt from the ambit of the Data Bill.

However, if it is determined that the data is sufficiently identifiable, then the rights listed above would have to be provided to individuals transacting on the blockchain. These are to be reconciled with the premise upon which the blockchain and/or distributed ledger technology functions.

Although open banking in India is still nascent, regulatory and actual operational steps are being taken by the RBI and the Government to build open banking in India through the implementation of the UPI, which is an instant real-time payment system that allows users to perform inter-bank money transfers and pay merchants from one’s bank account through various mobile applications, including Google Pay. The other step taken by the Government and the RBI relates to the concept of an account aggregator, which registers with the RBI and is licensed to collect, aggregate and store data of an individual from diverse financial institutions, and to share such data with other financial service providers. However, the account aggregation business in India has not kicked off in any significant manner.

In addition to the principles discussed in 2.9 Implications of Additional Regulation, the Government has set out certain conditions in respect of the treatment of data collected and used through the UPI. Firstly, customer consent is required to opt for the UPI and thereafter allow for the data to be used by the various participants in the UPI. The data collected – such as the customer’s name, mobile number, residential address, email ID, gender, location details, device details, transaction-related details, UPI ID, transaction ID, beneficiary UPI ID and beneficiary account number – is required to be anonmyised and stored in an encrypted manner.

The details that will be stored and collected by the account aggregator must also adhere to the strict principles of privacy and be shared in an encrypted form and only to the extent of the consent provided by the customer.

Jerome Merchant & Partners

83 Free Press House
Nariman Point
Mumbai 400021
India

+91 226 287 2435

vishnu.jerome@jmp.law www.jmp.law
Author Business Card

Law and Practice in India

Authors



Jerome Merchant + Partners has a primary office in Mumbai, with associate offices in New Delhi and Bangalore. Its lawyers advise financial institutions and corporates on various aspects related to securitisation and the assignment of different portfolios of receivables, including housing, credit card, operational and loan portfolio receivables. The securitisation practice works closely with the M&A and disputes practices in structuring securitisation transactions. Many large portfolio assignment transactions are undertaken by way of a business transfer of the portfolio and associated assets (including employees and technology), and are advised by the firm's financing/securitisation and M&A lawyers. Given the rising levels of distressed assets in the Indian economy, Jerome Merchant's securitisation lawyers increasingly work with its disputes and insolvency teams in advising on the structure for the sale and acquisition of debt portfolios which are non-performing and are under different stages of restructuring or insolvency.