In its November 2020 publication FinTech: The Force of Creative Disruption, the Reserve Bank of India (RBI), the Indian central bank and a key financial sector regulator, recognised fintech as contributing to the Indian financial sector through cost optimisation, better customer service and financial inclusion. The National Investment Promotion and Facilitation Agency attributes to India one of the highest fintech adoption rates, globally. This distinction is illustrated, in part, by data presented by the National Payments Corporation of India (NPCI), which illustrates that the transaction volume of digital payments on the Unified Payments Interface (UPI) network increased by approximately 58% between February 2020 and October 2020, crossing 2 billion transactions in October 2020.
The spurt in digital transactions was likely fuelled by COVID-19 and corresponding lockdowns and has been facilitated by institutional and economic factors such as a strong policy shift towards digitisation and increasing banking and smartphone penetration. The digital payments market in India is estimated to reach the USD1 trillion mark by 2023.
The Past 12 Months
Key developments that have contributed to significant growth of the fintech sector over the past 12 months.
Regulations mandating Zero Merchant Discount Rate (MDR)
In 2019, the Payment and Settlement Systems Act, 2007 (“PSS Act”) was amended to boost to indigenous payment instruments by prohibiting banks and payment system providers from imposing any charges (or MDR) on transactions using certain electronic modes of payment, including viz., UPI, UPI QR codes and debit cards issued on the Rupay network.
Lowering customer onboarding cost
Changes in law (particularly around the permissibility of Aadhaar-based "know-your-customer" (KYC) checks for onboarding customers) had significantly increased the costs of operation for non-bank fintech players. In early 2020, the RBI permitted fintech players to utilise certain modes of digital and video KYC to on-board customers, leading to the emergence of more cost-effective customer acquisition strategies. Video-based customer verification methods have since been adopted by several bank and non-bank fintech players.
Managing concentration of digital transactions with select market players
A key, emerging priority for the RBI and NPCI is the management of systemic and operational risk associated with the concentration of digital payments transactions in the hands of a few operators. Towards this objective, the NPCI issued a circular dated 5 November 2020, requiring payment service providers and third-party application providers for UPI transactions (TPAP) to ensure that the total volume of UPI transactions processed through a TPAP does not exceed 30% of the overall volume of transactions processed on the UPI network during the preceding three months, on a rolling basis (“UPI Volume Cap Circular”).
Existing TPAPs have been granted a two-year timeline, starting January 2021, to comply with these limits in a phased manner. While the implementation of this regulatory move is yet to be assessed, there have been some concerns in the industry that such limitations may hamper the seamless user experience provided by the UPI. A possible consequence of the circular may be entry of new smaller players as TPAPs, which will enhance customer choice while undertaking UPI transactions.
In order to exert some competitive pressure on the NPCI in connection with managing and operating retail payment systems and to incentivise innovation in the retail payments space, the RBI released a framework on 18 August 2020, for the authorisation of a new pan-India umbrella entity or entities (“New Umbrella Entity”) focusing on retail payment systems, such as:
Focus on enhancing interoperability of payment instruments and systems
The RBI has been building on its broad 2018 guidelines for interoperability across prepaid payments instruments (PPIs) and bank accounts with concerted regulatory measures. On 22 October 2020, the RBI issued a notification prohibiting authorised payment system operators from issuing new non-interoperable/proprietary QR codes with a view to streamlining the QR code infrastructure in the digital payments space. Payment system operators are now only permitted to issue interoperable QR codes.
Aligned with the inter-operable agenda, the New Umbrella Entity framework prescribes that the RBI expects such New Umbrella Entity and its offerings to interact and be interoperable with the payments systems operated and managed by the NPCI, as far as possible.
Relaxations in additional factor of authentication for card and UPI transactions
In December 2020, the RBI increased the respective per-transaction limits for contactless card transactions at point of sale terminals and recurring transactions undertaking using cards or UPI to INR5,000 from INR2,000, without requiring an additional factor of authentication (typically a one time password/personal identification number generated at the time of the transaction).
Policy/budgetary impetus from the government
The evolving market and regulatory landscape has also received a boost in the recent budget passed by the Government of India in Parliament on 1 February 2021 (“2021 Union Budget”). The 2021 Union Budget:
Focusing on cybersecurity for financial transactions
On 18 February 2021, the RBI notified the Master Directions on Digital Payment Security Controls (“DPS Directions”), a step in the direction of strengthening cybersecurity obligations of regulated entities and other key players in the digital payments ecosystem. These directions require regulated entities to set up a robust governance structure for digital payment systems in India and implement common minimum standards of security controls for channels like internet banking, mobile-based payment applications, card payments, etc.
The DPS Directions have been made directly applicable to the following regulated entities, which have been given six months to ensure technical readiness:
However, the effect of the DPS Directions may likely also extend to other entities operating in the payments ecosystem, through contractual arrangement entered into with directly regulated entities.
The Next 12 Months
Data protection and privacy
Personal Data Protection Bill 2019
A draft Personal Data Protection Bill 2019 (“PDP Bill”) is expected to be tabled in the India Parliament this year. Once it comes into force, the PDP Bill will bring Indian data protection and privacy closer to global standards. The PDP Bill will regulate the access, use, processing and storage of personal data of individuals. It also envisages concepts and institutions such as:
The introduction of the PDP Bill will require businesses operating in India to re-think their data policies, infrastructure and practices, as far as data privacy is concerned, to match the shift to heavier regulations.
Draft Data Centre Policy 2020
Recognising the growth witnessed by the Indian economy across e-commerce, information technology and fintech, the Ministry of Electronics and Information Technology (Government of India) had, in November 2020, opened up a draft Data Centre Policy for public comments. The policy recognises the interaction between data localisation provisions of the PDP Bill and the need for enhanced data centre infrastructure.
Cryptocurrency and blockchain
While currently cryptocurrency is not prohibited in India, the RBI and the Government of India have each indicated that "private cryptocurrencies" do not constitute valid legal tender in India. The Indian government is proposing to completely ban the use, possession, trading or otherwise dealing in cryptocurrencies in India, which is currently pending approval of the Parliament of India. Market sentiment seems to indicate that the prohibition on cryptocurrencies may become law within the year.
Move towards regulation of digital lending
In India, digital lending is primarily undertaken by regulated entities such as banks and non-banking financial companies (NBFCs). However, the digital lending landscape involves other entities and platforms (which may or may not be regulated) that provide value-added services such as data analytics, underwriting processes, credit modelling and distribution of credit products.
Recently, in January 2021, the RBI constituted a working group to review digital lending activities by regulated as well as unregulated entities with the objective of formulating a regulatory framework for digital lending. The working group’s recommendations are expected to be submitted to the RBI around April 2021, following which, it is likely that the digital lending sector will see greater regulation.
The various fintech business models or verticals that are currently predominant in India are, broadly:
Products pertaining to other significant aspects of fintech such as insurtech, regtech and wealthtech are also starting to emerge in the market.
Key product offerings across each of the predominant verticals are:
PPIs are stored-value instruments that facilitate the purchase of goods and services (including financial services). They may be issued as pre-paid cards or virtual wallets and may be issued by banks, authorised non-banking entities and/or under a co-branding arrangement between licensed and non-licensed entities. PPIs may be issued under one of three categories:
In December 2019, the RBI also introduced a new sub-category of semi-closed PPIs, ie, semi-closed PPIs with minimum KYC which may be recharged only using a bank account or a credit card and may be used only for purchase of goods and services from select merchants and not for funds transfer.
The UPI is a payments platform managed and operated by the NPCI, which enables real-time, instantaneous, mobile-based bank-to-bank payments. It leverages India’s fast-growing mobile technologies and telecommunications infrastructure to offer easily accessible, low-cost and universal remittance facilities to users. UPI-enabled payments have constituted a significant percentage of the consumer-to-merchant and peer-to-peer (P2P) digital payment transactions, crossing the 2 billion mark in October 2020 and precipitating regulatory developments such as the UPI Volume Cap Circular (see 1.1 Evolution of the Fintech Market).
In India, banks and NBFCs alike have moved to digital platforms for credit products, particularly to cater to relatively underbanked sectors such as micro, small and medium enterprises (MSME) and retail clients. Digital lending platforms typically provide an end-to-end digital customer experience, from on-boarding and initial credit verification and checks to disbursement.
P2P lending platforms
Online P2P lending platforms are governed by the RBI and offer loan facilitation services between lenders registered on the platform and prospective borrowers, ie, they constitute a regulated online marketplace for P2P lending. To offer such services, eligible entities are required to obtain registration with the RBI as a NBFC–P2P lending platform.
These entities facilitate online sale and purchase transactions primarily on e-commerce platforms, without requiring e-commerce merchants to create a separate payment integration system. Payment aggregators receive payments from customers, and pool and transfer them to the merchants after a period of time.
are entities that provide technology infrastructure to route/ facilitate processing of online payment transactions, without handling any funds.
In view of significant growth in digital payments facilitated by payment aggregators and payment gateways, in March 2020, the RBI issued a full-fledged regulatory framework (the “PA/PG Guidelines”) requiring payment aggregators to be licensed by the RBI, while prescribing recommendatory technical standards for payment gateways. The PA/PG Guidelines illustrate a paradigm shift in regulatory regimes governing such payment intermediaries, which were earlier subject to only light-touch regulation.
The regulatory framework governing key verticals (see 2.1 Predominant Business Models) and industry participants is fragmented and spread across several legislations and regulations. There are no state-specific variations in terms of the regulatory framework.
The Payment and Settlement Systems Act, 2007 (PSS Act)
It is the principal legislation governing payments regulation in India. The PSS Act prohibits the commencement and operation of a ‘payment system without prior authorisation of the RBI. A "payment system" is defined as “a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service of all of them, but does not include a stock exchange”, ie, includes card network operations, PPIs, UPI payments, and other digital payment services.
The Prevention of Money Laundering Act, 2002 (PMLA)
This is the primary anti-money laundering regulations governing entities offering financial products, and is supplemented by the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (“PML Rules”). The PMLA read with the PML Rules prescribe detailed procedures for financial sector entities to undertake "Know Your Customer" and "Anti-money Laundering" verifications and reporting of suspicious transactions.
RBI Master Directions/Circulars
The RBI being the principal financial regulator, periodically issues "master directions" and circulars governing and regulating specific offerings in the fintech space. For instance, the RBI Master Directions on PPIs (dated 1 October 2017, and last updated on 17 November 2020) govern issuance of PPIs, eligibility criteria for PPI issuers, transaction limits, settlement cycles, etc. Similarly, the RBI has issued subject-specific master directions regulating:
The RBI Master Directions on KYC (dated 25 February 2016 and last updated on December 18, 2020) draw from the PMLA and the PML Rules and further prescribe that all entities regulated by the RBI must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.
UPI payments in India are governed by periodic procedural guidelines issued by the NPCI. These circulars govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions etc.
Data Protection Framework
Currently, the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Current Data Privacy Framework”) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as dated and insufficient – and the enactment of the PDP Bill will completely overhaul the existing data protection framework.
Separately, the RBI has also issued a circular in April 2018 (“Data Localization Circular”) that requires all payments data to be stored on servers located in India. While such data can be taken outside of India for processing, it must return to India within 24 hours. While the RBI’s Data Localization Circular only focuses on “payments data”, the PDP Bill contemplates a wider localisation requirement that extends beyond just payments data.
Compensation models across key product offerings typically take the following form.
For certain transactions, with the intention of promoting indigenous payment instruments, the Government of India has mandated zero MDR (see 1.1 Evolution of the Fintech Market) – which may have the effect of impacting the cost competitiveness and revenue flows of foreign fintech players vis-à-vis Indian players.
The overarching regulatory requirement surrounding disclosures in connection with these compensation models mandate that:
On a holistic overview, the regulatory framework (see 2.2 Regulatory Regime) is agnostic to new fintech players and legacy players (such as banks).
A key area of difference, however, emerges in the ability of banks to undertake Aadhaar-based e-KYC checks to undertake customer on-boarding – and the corresponding prohibition incumbent on non-bank players (such as NBFCs), raising cost of compliance for non-bank players. This disparity has been addressed, to some extent, by regulatory moves such as the permissibility of digital and video KYC (see 1.1 Evolution of the Fintech Market), that has emerged in response to concerns presented by industry participants.
Framework and Eligibility
The RBI issued an "Enabling Framework for Regulatory Sandbox" in August 2019. The regulatory sandbox framework enables eligible FinTech companies to test their products in the regulatory sandbox, provided that such product is compliant with the ongoing theme of the sandbox cohort.
Entities that satisfy the following eligibility criteria may approach the RBI for testing their products in a sandbox:
Cohort-based model and stages of sandboxing
The RBI framework envisages product testing by a few select entities in a single regulatory sandbox cohort (ie, end-to-end sandbox process, typically lasting up to six months each), where products broadly fall within a shared theme. While certain regulatory requirements may be relaxed for the duration of the sandbox, the RBI has mandated that applicants will have to comply with data protection laws and KYC requirements. Separately, applicants will also continue to be liable to customers for financial products tested in the sandbox.
The framework outlines the five stages of the sandbox process for a single cohort:
The RBI recently opened up “Cross-border Payments” as the theme for its second cohort, in December 2020 (see 1.1. Evolution of the Fintech Market).
IRDAI and SEBI
Similar to the regulatory sandboxes implemented by the RBI for fintech products, the Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have proposed similar regulatory sandboxes products in the insurtech space, and for market-linked financial products offered by SEBI-regulated entities, respectively.
The regulatory regime governing the fintech space across most key verticals is primarily driven and implemented by the RBI, with support on specific, specialized aspects from the NPCI, the Unique Identification Authority of India (UIDAI), IRDAI and the SEBI (see 2.2 Regulatory Regime), as set out below.
The primary regulator for fintech in India is the central bank itself. The RBI has, over the past few years, demonstrated a clear shift from a light-touch approach to fintech regulation to a full-regulation model. The RBI is responsive to market changes and technological advances, and there have been near-contemporaneous updates in the regulations to account for such developments.
The NPCI is an umbrella, quasi-regulatory organisation for operating retail payments and settlement systems in India. It is a joint initiative of the RBI and the Indian Banks’ Association under the PSS Act, and was established with a view to create an innovative and robust payment & settlement infrastructure in India.
The UIDAI is a statutory body responsible for administering the Aadhaar programme – the largest identity project in India and one of the largest globally. The UIDAI has been central to framing the rules governing use of Aadhaar by fintech players as a means for customer on-boarding and verification.
The IRDAI is the primary regulatory in the insurance sector in India and supplements the regulatory framework of the RBI applicable to fintech players, to the extent of insurtech elements.
The SEBI is the key financial markets regulator in India charged with the function of regulating the securities market and protecting investor interest. Aspects of fintech pertaining to robo-advisors, algorithmic trading and financial research platforms, albeit nascent in India, fall within the ambit of the SEBI’s jurisdiction.
The permissibility of outsourcing regulated functions in the Indian fintech space is governed largely by the outsourcing guidelines issued by the RBI, which are applicable to banks and NBFCs. Broadly speaking, the core regulated activities cannot be outsourced to unregulated entities, under the extant regulatory framework. In addition, the RBI has recently announced a policy move to introduce outsourcing guidelines for entities authorised as payment system operators under the PSS Act.
These guidelines require that banks and NBFCs have a board-approved outsourcing policy and that they do not outsource “core management functions”, such as internal audit, undertaking regulatory compliances, and decision-making roles such as determining compliance with KYC requirements, etc. The RBI imposes a geographical limitation in connection with even the outsourcing of non-core functions – the service provider should not, even in such permissible cases, be situated outside of India. Further, any outsourced functions are required to be suitably supervised by the regulated entity outsourcing the activities.
The twin objectives behind this regulatory position are that outsourcing arrangements should not take away from the regulated entities accountability to its customers and that the RBI’s effective supervision of such regulated entities should not be impeded. The outsourcing guidelines mandate regulated entities to undertake appropriate due diligence of the service providers and to include appropriate safeguards in the outsourcing agreement in order to ensure audit and access rights by the regulated entity and the RBI, if so required.
The RBI follows a model whereby it imposes all "gatekeeping" obligations on the entities directly regulated and supervised by it – and in connection with whom suitable corrective and/or enforcement action can be undertaken by the RBI. Illustratively:
A common industry practice is that the risk carried by regulated entities as "gatekeepers" is passed on contractually to unregulated entities, backed by suitable indemnity provisions. However, it is only the cost associated with a non-compliance that can be passed on contractually – and reputational risks continue to rest with the regulated entity. In some cases, the RBI expects that the regulated entity will ensure appropriate contractual safeguards to ensure compliance with regulatory requirements by the unregulated partner or service provider.
Enforcement actions that may be undertaken by the RBI in the event of non-compliance from the regulatory framework (see 2.2 Regulatory Regime) in terms of the Reserve Bank of India Act, 1934; the Banking Regulation Act, 1949; or the PSS Act.
Enforcement actions typically take the form of monetary fines and penalties and in exceptional cases, revocation of the authorisations and licences granted by the RBI to regulated entities. The RBI has, in the past, prohibited regulated entities from on-boarding new customers for non-compliance with its instructions on KYC verification for a specified period of time.
Certain non-financial services regulations (such as those relating to privacy/data protection, social media content, and access to Aadhaar for customer verification) are governed by independent regulatory frameworks, which indirectly impact delivery of financial services.
"Intermediaries" are defined as any person or service who, on behalf of another person, receives, stores or transmits an electronic record or provides any service with respect to that record.
A key distinction that exists between new fintech players and legacy participants in this regard is the ability to undertake Aadhaar-based e-KYC checks (see 2.4 Variations between the Regulation of Fintech and Legacy Players).
Besides regulators and quasi-regulatory bodies (see 2.6 Jurisdiction of Regulators), the regulatory framework (see 2.2 Regulatory Regime) requires regulated entities to have in place several checks and balances that serve to "review" the functioning and operations of industry participants. By way of an indicative overview:
These compliances represent hard regulatory requirements, deviation from which can lead to enforcement actions and/or penal consequences by the RBI (see 2.9 Significant Enforcement Actions). Thus, industry practice is fairly aligned with the regulatory mandate and there is little room for adopting alternative approaches.
While "regulated" products are offered by regulated entities (such as banks, NBFCs, PPI issuers), several intermediaries and service providers (that may not fall within the regulatory framework) have emerged to cater to gaps that may arise in the delivery of financial services and to ensure a seamless, end-to-end digital product delivery. Some of these have led to the emergence of interesting market trends in the Indian fintech space.
While access to credit information of consumers in the financial services sector are restricted to specialised, regulated entities termed as "credit information companies" and regulated entities such as banks and NBFCs, the regulatory framework governing credit analysis dates back to 2005. This has led to the development of a market space for unregulated players to undertake non-traditional "behavioural scoring" by utilising data that does not strictly constitute "credit data" and is therefore, currently not subject to regulatory limitations.
Such behavioural scoring may be based on social media presence of consumers, consumption patterns on e-commerce websites, etc. However, the enactment of the PDP Bill will likely bring even such data collection and analysis within the regulatory ambit.
Virtual Credit Lines
Virtual credit lines (such as easy EMIs, pay-later products) and similar features are popular on e-commerce platforms – as they offer the consumer the flexibility to pace out payments towards purchases. While the credit line for such products is offered by regulated players (banks/NBFCs), the front-facing user interface is typically that of the e-commerce platform itself, which acts as a facilitator for distribution of these credit products to consumers and also offer customer on-boarding services.
Authorised PPI issuers are also inter alia offering ticketing (railways, airlines, etc) and hotel booking services in addition to their core product offering to provide their customers a seamless customer experience.
The robo-adviser financial market has been evolving rapidly in India over the last few years; however, the regulatory framework is at a very nascent stage.
While undertaking the business of investment advice requires registration with the SEBI, the current regulations do not stipulate a specific requirement for registration of robo-advisers with SEBI.
As a matter of market practice, robo-advisers have focused on one or more asset classes, depending on their client base and area of expertise. There are a range of robo-advisers in India which focus on offering advice in connection with equity based investments, while others focus on investments in funds and other general wealth advisory.
The legacy players in India have been quick to recognise and utilise the potential of robo-advisers. There are a number of players that have been quick to establish a multi-asset robo-advisory platform.
Legacy players across India have taken a two-pronged approach towards inculcating robo-advisory in their services through:
The robo-advisory landscape in India is still evolving. A focus area has been to solve for network creation and connectivity issues between the client and the robo-adviser platform, which may affect the speed of execution.
Further, it is critical that the nuances of the material and procedural aspects of investments in various assets through a robo-advisory platform are covered by the internal policies of the robo-adviser entities. This is especially important from the perspective of new or first time investors operating through a robo-advisory platform.
Broadly, the regulatory framework governing loans does not differ across borrower segments. However, the regulations differ depending on the category of lender, ie, whether banks or NBFCs. Both banks and NBFCs, are required to comply with specific capital adequacy, asset quality and prudential norms, however, while banks are generally heavily regulated, NBFCs are only subject to relatively less stringent regulation.
From a business perspective, banks primarily extend secured credit to large entities that pose a lower credit risk and have substantial credit history and business operations. A significant proportion of fintech lenders are licensed as NBFCs – which typically cater to MSMEs and start-ups, which may be unable to demonstrate the same degree of credit strength and operations as large corporations. In the retail/individual borrower space, traditional forms of credit such as home loans/mortgage-backed loans are offered by banks, and more unique products, including smaller ticket, salary/cashflow-backed loans are largely the domain of NBFCs/fintech players.
The RBI has also issued a designated regulatory framework for P2P lenders, ie, entities that do not lend on their own books, but offer loan facilitation services between lenders registered on the platform and prospective borrowers.
Further, the Indian financial sector also often sees lending partnerships between banks and NBFCs – whereby the bank brings the advantage of capital, and the NBFC partner assists with the customer distribution channels and technological aspects.
Traditionally, as a market practice, industry participants have been relying on the following key parameters for credit underwriting processes:
Notably, the traditional credit underwriting processes are focused on identifying red flags on a historical performance basis.
However, with technological developments, lenders have started to develop and adopt modern credit analysis techniques, which go beyond the traditional sources of data. These techniques involve analysing a prospective borrower’s spending behaviour and pattern, digital footprint, social media behaviour, and other behavioural factors. Technology platforms that already have access to some of this behavioural data have taken the lead in development of these alternate credit scoring models.
In addition, with the objective of facilitating easy credit to borrowers with little or no credit/operating history or weak balance sheets such as start-ups and MSMEs, lenders are also developing alternate credit underwriting models and risk management frameworks that seek to rely on alternate factors while making credit decisions.
While credit underwriting processes are not strictly dictated by legislation, players have traditionally identified the key points of analysis, on the basis of market practice. However, the RBI regulations do dictate detailed regulatory requirements and procedures to be followed for undertaking KYC and anti-money laundering checks on prospective borrowers at the time of on-boarding.
Future Changes in the Underwriting Process
Going forward, account aggregators will play an instrumental role in the credit underwriting process. In September 2016, the RBI issued the NBFC-Account Aggregator Directions setting out the regulatory framework within which account aggregators will operate. Since then, the RBI has issued licences to a select group of entities currently in the process of operationalising their licences. Account aggregation is poised to become the next big tool in accessing and unlocking value in multiple financial data sets.
Data of a customer linked to bank accounts, investment products such as mutual fund units, shares and bonds, and insurance policies can now, under the RBI account aggregator framework be “pulled” from a financial information provider and “pushed” to a financial information user (FIU). The account aggregator is the intermediary that manages and controls this data flow. The FIU analyses the aggregated data to determine the eligibility of the customer for various kinds of financial products and services.
Different lender categories in India rely on varied sources of capital for lending. Traditional lenders primarily rely on deposits for providing loans to borrowers and are governed by capital requirements and prudential norms in connection prescribed by the RBI. Further, the RBI restricts banks from sanctioning loans for certain specified end-uses, such as:
NBFCs primarily rely on borrowed funds (either from domestic banks or external commercial borrowings, ie, borrowings taken from eligible overseas lenders) and equity funds, to provide loans to customers. NBFCs are also regulated by prudential regulations prescribed by the RBI which inter alia include maintenance of leverage ratio, capital adequacy norms, etc.
The Bond Market
The bond market in India is growing and investors in corporate debt securities include primarily banks, mutual funds, and wealth management funds. The investor entities in debt securities may either be domestic or foreign portfolio investors registered with the SEBI. In case of foreign portfolio investors, there are restrictions on end-uses, viz., funds raised from such foreign portfolio investors cannot be used for investments in real estate business, capital markets and purchase of land. Given the rating requirements linked to issue of debt securities, access to debt capital markets tends to be restricted to larger corporates and has not been fully tapped into by the newer fintech platforms.
Eligible entities are permitted to borrow funds as external commercial borrowings from eligible overseas lenders, subject to compliance with requirements such as all-in cost ceilings, minimum average maturity periods, end-use restrictions, etc.
The RBI also permits P2P lending via regulated entities which act as facilitation platforms for lenders to identify prospective borrowers through a digital platform. Under such P2P lending arrangements, only unsecured plain vanilla loans are permitted. Such loans are also subject to maximum exposure limits on lenders sanctioning loans to borrowers through such platforms. The P2P lending platform is itself restricted from providing any loans or granting credit support to loans disbursed on its platform.
Several NBFCs are also looking at post loan origination liquidity structures (such as securitisation and participation agreements) as methods to raise capital.
Syndication of loans is a common practice in India for funding large borrowing requirements, primarily by corporates. Syndication primarily involves distribution of credit exposure amongst a consortium of lending banks with a common security agent/trustee appointed for holding security for the benefit of the lending banks. The arrangement typically also involves appointment of a “lead bank” for administrative and decision-making purposes.
The lending banks typically also enter into a security-sharing or inter-creditor arrangement, which sets out their respective rights and obligations and the approach to be followed in case of a default by the borrower and enforcement of security.
The RBI has mandated information sharing measures to be followed by banks while granting loans under multiple banking/consortium arrangements. The key measures mandated by the RBI include obtaining declarations from the borrower of the credit facilities availed by them from other banks, establishing a system of exchange of information with respect to the borrower’s credit facilities as between the banks (upon obtaining appropriate consent from the borrower), etc.
Payment processors primarily rely on existing payment rails for processing and completing payment transactions. For example, payment processors such as payment aggregators use the existing payment rails such as card networks (for card transactions), NEFT and RTGS (for online banking transactions), etc, to process payments. TPAPs for UPI transactions rely on the UPI (operated by the NPCI) for processing and completing UPI payment transactions.
The RBI released a framework on 18 August 2020, for the authorisation of a New Umbrella Entity (see 1.1 Evolution of the Fintech Market) focusing on retail payment systems and ensuring competitive and efficient functioning of the payments space. Licences are expected to be issued by the RBI by the end of the year.
Cross-border payments and remittances are primarily regulated under the Foreign Exchange Management Act, 1999 (FEMA) and the rules, regulations and circulars issued thereunder. The FEMA prescribes different regulations and compliance requirements, depending on the nature of transaction (ie, whether a capital account transaction or a current account transaction) and whether remittances are inward bound to India or outward from India. Such transactions are undertaken by authorised dealers authorised under the FEMA to deal in foreign exchange, on behalf of their clients.
For personal remittances bound inwards to India, residents may use the facility to receive such payments through money transfer operators.
For export and import of goods, the RBI permits authorised dealer category-I banks (“AD-I Banks”) to enter into arrangements with online payment gateway system providers to facilitate payments for such export and import transactions in partnership with the AD-I Banks, subject to compliance with requirements governing timelines for settlement, funds-flow, etc.
Fund administrators/managers such as mutual funds, alternative investment funds, portfolio managers, etc, are regulated by the SEBI. Depending on the nature and scope of their activities, entities engaged in providing investment services through mutual funds, alternative investment funds, portfolio management services, etc, are required to obtain authorisation from the SEBI for undertaking their business activities.
Fund administrators in India are directly regulated by the SEBI and are required to comply with the regulations specified by the SEBI from time to time, depending on the nature of their business. Requirements pertaining to assured performance and accuracy are primarily guided by the SEBI under regulations and not contractually between fund advisors and fund administrators.
Under Indian laws, the key marketplaces and trading platforms for trading in securities are registered stock exchanges and privately managed platforms operated by stock-brokers, each of which are registered with the SEBI.
Stock exchanges facilitate trade in a number of assets such as equity, equity derivatives, currency derivatives, commodity derivatives, debt securities, units in pooled investment vehicles such as infrastructure investment trusts and real estate investment trusts, etc. Different asset classes are governed by varying regulations, depending on the nature of the asset (ie, whether equity linked, debt linked or pooled investment vehicle, etc).
The principal regulators for stock exchanges are the SEBI, the Ministry of Finance and the RBI, depending on the asset class being traded on the stock exchange. Stock exchanges are highly regulated entities and also operate as quasi-regulators, to some extent, by enacting their own separate bye-laws and guidelines which govern trading in securities on the stock exchange.
In addition to traditional stock exchanges, the RBI has also recognised electronic trading platforms for transactions in financial market instruments regulated by the RBI. Such electronic trading platforms must be registered with the RBI and are required to comply with minimum capital norms, technological standards and other safeguards
See 7.1 Permissible Trading Platforms.
Cryptocurrency is not viewed favourably by Indian regulators. In April 2018, the RBI had prohibited all entities regulated by the RBI from facilitating trade in cryptocurrencies by any person. While this prohibition was struck down by the Supreme Court of India in Internet and Mobile Association of India v Reserve Bank of India, the government is proposing to enact a legislation prohibiting trading, use or possession of cryptocurrencies by any person. Upon this legislation coming into force, cryptocurrency exchanges in India will be severely impacted as a majority of their business activities will not be permitted under the proposed legislation.
Listing standards and disclosure requirements are governed by the SEBI and registered stock exchanges. SEBI regulations on listing are fairly comprehensive and detailed and have separate requirements for public issues and private placements. In addition, the regulations also prescribe continuous disclosure requirements in connection with listed securities, based on materiality of events and their impact on the performance of the listed securities.
Placement of orders and settlement of funds for trades completed on the stock exchange are governed by applicable procedural rules which stipulate settlement cycle, timelines for placement of orders and completion of trades, etc. Given that listed securities are mandated to be in dematerialised form, transactions are undertaken through demat accounts through registered brokers or agents.
As far as digital lending is concerned, currently there are 21 P2P lending platforms authorised by the RBI in India. P2P lending platforms have simplified delivery of credit to interested borrowers from non-traditional lenders such as small digital lending platforms and lending start-ups.
Given the extant regulatory framework and regulatory stance against cryptocurrency in India, P2P cryptocurrency trading platforms have very limited operations in India.
In 2010, the SEBI had approved the smart order routing facility to improve the procedure of execution of trades on the stock exchanges. The facility was introduced to enable brokers and trading engines to systemically choose the execution destination based on factors such as price, costs, speed, likelihood of execution and settlement, size, nature or other relevant considerations in connection with execution of an order.
The SEBI prescribes procedural rules for processing of payments for trades in listed securities. For example, in 2018, the SEBI introduced the electronic book process (EBP) for private placement of listed debt securities. Under the EBP, subscription monies in respect of the debt securities must be routed through an escrow account or the bank account of the Clearing Corporation of India Limited and should be credited to the issuer’s account upon allotment of the debt securities.
Trading in securities in India is regulated and governed primarily by SEBI through policy moves for market surveillance and risk mitigation measures at the stock exchanges. The market surveillance systems of SEBI also oversee if appropriate systems and safeguards have been adopted by stock exchanges to check market movements and flag any issues.
An illustration of a tool for risk management at stock exchanges is review of the margining system on a timely basis.
The SEBI, by way of a circular dated 3 April 2008, introduced the concept of Direct Market Access (DMA) and provided a legal framework for regulating such access to the DMA framework.
Further, SEBI permitted institutional investors to use DMA through SEBI-registered investment managers.
In respect of algorithmic trading, SEBI notified the Broad Guidelines on Algorithmic Trading and subsequently notified another set of additional guidelines pertaining to the same.
Additionally, SEBI notified the Measures to strengthen Algorithmic Trading and Co-location/Proximity Hosting framework, which discussed the framework around managed co-locations, measurement of latency for co-location and proximity hosting and free of charge tick-by-tick data feed (“TBT Feed”), penalties on order to trade ration (OTR), unique identifier for algorithms/tagging of algorithms and the testing requirements for software and algorithms. These obligations were directed towards stock exchanges (except commodity derivatives exchanges) in the country.
Recently, the SEBI also notified additional guidelines for OTR for algorithmic trading focused on putting in place effective economic disincentives for high daily OTR of algorithmic trading orders placed by trading members.
The circulars cumulatively constitute the key regulatory framework governing high-frequency and algorithmic trading.
The Guidelines for Market Makers (“Market Maker Guidelines”) require market makers to register with the stock exchanges as per the relevant requirements notified by the stock exchanges.
Generally, any member of a stock exchange is eligible to act as Market Maker provided the criteria laid down by the exchange are met.
Currently, the regulations do not distinguish between funds and dealers in the algorithmic trading space.
The regulatory framework governing the trading algorithms and other electronic trading rules, lay down the following obligations on programmers:
The companies or individuals operating Financial Research Platforms are required to be registered as research analyst or research entity under the Securities And Exchange Board Of India (Research Analysts) Regulations, 2014 (“Research Analyst Regulations”) provided they fall under the definition of a research analyst and that of a research entity under the Research Analyst Regulations.
A Research Analyst requires registration if they are primarily responsible for:
A research entity is subject to registration, provided it is an intermediary registered with SEBI that is also engaged in merchant banking, investment banking, brokerage services or underwriting services and issue research report or research analysis in its own name through the individuals employed by it as research analyst and includes any other intermediary engaged in issuance of research report or research analysis.
The Research Analyst Regulations lay down the various check and balances that allow for thorough vetting of the research report and sieving out any unverified information.
Additionally, the Research Analyst Regulations also include obligations for acting with honesty and in good faith, conducting appropriate due diligence, abiding by professional standards and a strict responsibility for the senior management. Non-compliance with the prescribed code of conduct has legal repercussions under the Research Analyst Regulations.
The financial research platforms in India usually do not allow for readers to post on the platforms, they function as closed digital publications. However, in case of any unacceptable behaviour being observed, the financial research platforms usually reserve the right to modify and regulate the content being posted on their websites through their terms and conditions of use.
Additionally, liabilities for persons indulging in unacceptable behaviours such a pump and dump schemes, spreading of insider information, etc, are set out in specific regulations such as the SEBI (Prohibition of Insider Trading) Regulations, 2015, the Indian Penal Code, 1860, the Information Technology Act, 2000, etc.
Entities undertaking insurance business in India are required to be registered as an insurer or an insurance intermediary with the IRDAI. The underwriting processes to be undertake by insurers and insurance intermediaries are specified by the IRDAI and include making appropriate disclosures on costs, expenses and charges payable on insurance policies, rates, terms and conditions of the policy, audit and reporting mechanisms, etc.
Different kinds of insurance business are subject to different regulatory frameworks. Broadly, insurance business may be categorised into two main categories: life insurance and general insurance. General insurance further includes sub-types such as fire insurance, marine insurance, vehicle insurance, etc.
Regtech providers in India are currently primarily centred around providing KYC and related on-boarding services to their clients who are mandatorily required to adopt specified procedures under the PMLA and other AML regulations. Such regtech providers are typically engaged as agents of the regulated entities through outsourcing arrangements and are subject to indirect regulation to some extent through audit, access rights and other similar checks and balances.
In addition, under the regulatory framework governing use of Aadhaar, there are certain specific data security requirements such as masking of Aadhaar information, requirements on storage of Aadhaar, etc, which are also relevant for regtech providers utilising the Aadhaar database for providing their services.
See 11.1 Regulation of Regtech Providers and 2.7 Outsourcing of Regulated Functions.
Traditional financial services players such as banks are unearthing effective and interesting applications for use of blockchain for the financial services industry in India. Currently, 11 Indian banks have aligned in a consortium to introduce and execute a blockchain-based loan system for MSMEs in India.
Further, Banks as well as NBFCs are looking to rely on the blockchain technology for facilitation of KYC procedures. Certain players are also looking to utilise the blockchain technology for order processing and streamlining of internal processes.
The stance of the Indian government towards the Blockchain technology and its various applications has been positive. NITI Aayog, the policy think tank of the Government of India, published a report titled Blockchain: The India Strategy, where the use cases for Blockchain as a tool towards enabling ease of business, ease of living and ease of governance were highlighted.
However, as discussed, blockchain technology in connection with cryptocurrency trading has been met with resistance by Indian regulators. See 7.3 Impact of the Emergence of Cryptocurrency Exchanges.
Blockchain assets are not considered a form of regulated financial instruments. They have not been classified as securities and are not regulated under the current legal framework laid down by SEBI.
The “issuers” of blockchain assets as well as initial sales or offerings of blockchain assets are not regulated under a dedicated legal framework. Protection against potential fraud by the issuer or intermediaries involved will be based on appropriate legal recourse under general penal laws and consumer protection legislations such as Indian Penal Code, 1860, The Consumer protection Act, 2019 etc.
Blockchain asset trading platforms as well as secondary market trading networks for blockchain assets are not currently regulated by a consolidated framework. See 7.3 Impact of the Emergence of Cryptocurrency Exchanges and 7.7 Issues Relating to Best Execution of Customer Trades.
The current regulatory framework does not contemplate blockchain assets. In such a scenario, the funds investing in blockchain assets stand unregulated.
Owing to a lack of legal framework surrounding blockchain technology and its implementation in India, there is no formal definitions for virtual currencies or blockchain assets and by extension, no differentiation in their treatment under law.
DeFi has not been defined under any regulations in India, at present. There is a regulatory vacuum with regard to DeFi Platforms. Moreover, India operates in terms of the centralised finance model with RBI acting as the chief financial regulator and does not recognise a DeFi system or related activities.
Open banking in India is at a very early stage of development. The first steps towards open banking in India have been:
The UPI enables TPAPs (which are primarily technology-based entities) to provide their customers the ability to send and receive payments through their linked bank accounts by utilising mobile technology and infrastructure in a real-time and seamless manner.
Account aggregators are entities which are authorised to collect and collate all financial information of a customer and provide them to financial services providers (when so required for on-boarding purposes), on the basis of approved consent artefacts obtained from customers.
Market players in India are generally gearing up for implementation of the PDP Bill, which will overhaul the existing data privacy and security framework, upon enactment. Banks, financial institutions, technology platforms and fintech players will need to align their existing systems and processes to comply with the detailed consent architecture prescribed in the PDB Bill and with the limitations around use, processing and storage of data that are mandated by the PDB Bill.
Four Key Fintech Focus Areas
Recent trends and developments dominating the Indian fintech sector can be broadly discussed along four key areas:
The digital payments landscape in India has grown significantly over the last few years, both in terms of product innovation and wider consumer usage. COVID-19 has also fuelled this growth. People have found transacting digitally to be a contact free and safer way to make payments and access financial products. This shift from physical to digital is likely to be a permanent one as fintech platforms continue to innovate giving consumers access to more convenient and customised financial solutions.
Payment aggregators – moving away from "light touch" regulation
The Reserve Bank of India (RBI), the Indian central bank and a key financial regulator, has moved from a light touch to a more closely regulated model for the digital payments sector. An important development has been the introduction of a full-fledged regulatory regime for payment aggregators. Payment aggregators are entities that operate as intermediaries between consumers and merchants, and facilitate digital payment transactions by aggregating funds before final settlement with end-merchants. The RBI issued a framework for licensing and closely regulating payment aggregators; the framework requires compliance with, among others, detailed corporate governance rules, know your customer on-boarding procedures and minimum capital norms.
This is a marked shift from the earlier regime where RBI did not require direct licensing of payment aggregators. Payment gateways that provide only the technology for digital payment transactions continue to be unlicensed, but are encouraged to align their technology infrastructure with the baseline technology recommendations applicable to payment aggregators.
Storing sensitive data
Under the new RBI rules, payment aggregators have been prohibited from storing customer card credentials within their systems and must ensure that merchants they on-board also do no store customer card credentials within their systems (except limited details for purposes of transaction-tracking). In addition, merchants are prohibited from storing any “payments data” within their systems, except limited data for purposes of transaction tracking. This restriction is being viewed as one that could severely affect the convenience of using cards as a payment method and is being closely analysed by the industry. An approach the regulator could consider is linking access to card data to the compliance level of the relevant entity with the prescribed PCI/PA-DSS Standards.
Payments on the United Payments Interface (UPI) have grown substantially over the last few years (for both customer to merchant payments and peer-to-peer transfers), and now constitute the largest by volume among all forms of digital payments in India. This growth has been primarily fuelled by developments in mobile and network technologies, minimal enabling infrastructure and seamless customer on-boarding. In 2020, while UPI transactions declined during the early stages of lockdown restrictions, this changed as the lockdown restrictions were gradually relaxed in India and recorded 1.34 billion transactions in June 2020 alone.
Volume-based transactions caps
Due to the significant growth in UPI enabled payments, third party app providers (TPAP) facilitating UPI transactions (by providing the technological interface with back-end arrangements with UPI member banks) have, over the past several years, acquired a significant market share in UPI payments. To prevent concentration of transactions with only a few big players and to mitigate systemic risks on account of such concentration, the National Payments Corporation of India (NPCI) issued volume-based limits on UPI transactions that can be processed by a TPAP. With effect from 1 January 2021, payment service provider banks and TPAPs must ensure that the total volume of transactions initiated through a TPAP shall not exceed 30% of the overall volume of transactions processed in UPI during the preceding three months (on a rolling basis).
Existing TPAPs have been provided a time period of two years from 1 January 2021 to comply with these volume-based restrictions. Industry is working around how to comply with these requirements without affecting the seamless user experience and convenience factor of UPI payments which has been a key reason for its widespread adoption.
New umbrella payments entity
Another important development in the digital payments landscape is the introduction of a regulatory framework for authorisation of pan-India new umbrella entity (NUE) for retail payments. The RBI has indicated the need to mitigate systemic and operational risks in the processing of retail digital payments in India, given that NPCI today processes a majority of all transaction volumes. The NUE will be authorised by the RBI to operate retail payment systems and is likely to be a competitor to the NPCI in the retail payments space in India.
The RBI had introduced requirements around localisation of payments data, which continue to operate currently. Entities authorised by the RBI are required to ensure that all “payments data” (which is defined to include the end-to-end transaction details in connection with a payment transaction) relevant for the payment system which such regulated entities are operating or participating in, must be stored on servers located only in India.
In India, all digital lending products involve the core lending function being undertaken by a bank or a non-banking financial company (NBFC). Additionally, however, the market landscape involves value add by several intermediaries. Credit and data analytics, creation of new customer distribution channels, management of the technology platform and post-disbursement servicing are all functions that are often performed by unregulated intermediaries, towards whom the regulator follows an "indirect supervision" approach, routed through partner regulated entities.
The RBI has demonstrated a steady shift from a light-touch approach to a full-regulation model. The RBI has shown itself to be a responsive regulator and follows a stakeholder-based approach to developing new regulatory models. It typically issues draft frameworks and invites inputs from the public and industry participants, prior to crystallising regulatory frameworks. In our experience, the RBI has often worked with industry bodies in the digital lending space, to develop codes and guidelines for operation of various participants (whether lending entities or intermediaries).
Recently, in mid-January 2021, a petition was filed in public interest, at the Delhi High Court (“Petition”), emphasising the need to regulate interest rates and charges levied by digital lending platforms, data protection and lending via RBI-regulated channels and entities. Contemporaneously, the RBI constituted a working group on digital lending on 13 January 2021 (“Working Group”), to review digital lending activities by regulated as well as unregulated market participants and recommend a workable regulatory approach.
Recent practices amongst a few errant market players in the digital lending space in respect of collection practices and misuse of personal data, has sharpened the regulatory focus on the sector. An existing June 2020 RBI-issued circular required banks and NBFCs lending through owned or outsourced digital lending platforms, to strictly adhere to the "fair practices code" guidelines and the regulatory framework for outsourcing of financial and IT services. The RBI also issued a press release on 23 December 2020, cautioning the public against unauthorised digital lending platforms, in view of the large number of mobile-based lending applications operating in India.
The Working Group’s recommendations will be released by mid-April 2021, and the outcome of the Petition is also awaited; it is very likely, however, that the sector will see greater regulation. The RBI may choose to regulate intermediaries via the banks and NBFCs already operating in this space.
Regulation of digital lending in India
In a November 2020 fintech bulletin, the RBI notes that globally, most jurisdictions do not have a specialised regulatory framework for fintech lending. Given the tenor of the RBI’s regulatory approach as set out above, instead of directly regulating intermediaries, any new digital lending regulatory framework would ideally follow the same "indirect supervision" model, ie, require the licensed lending entity (bank or NBFC) to supervise the working of partner technology platforms where such platforms assist with credit scoring, loan disbursement or collection. Certain areas of digital lending that are not sufficiently contemplated and addressed by the prevailing framework that primarily caters to a brick-and-mortar lending model can expect greater regulation:
Digital lenders have played a key role in providing credit to traditionally underbanked sectors and segments, such as SMEs, MSMEs and retail customers that may not have a strong credit history. Any regulatory framework seeking to govern the digital lending space will ideally strike a balance between protecting consumers and allowing digital lenders to continue to innovate, partner with technology platforms that enable wider access to credit and meaningful access to and analysis of data that enables customised financial solutions.
Digital lenders have undoubtedly enhanced access to affordable credit, this being particularly significant in the context of economic stresses induced by COVID-19. Further growth and development of the sector will stand to gain from an enabling regulatory framework.
Cyptocurrency and Blockchain
The Indian government has been opposed to the use of cryptocurrency, a position cemented by the introduction of a bill that seeks to ban cryptocurrency.
The Indian blockchain technology landscape has been evolving rapidly. The technology has been observed to deviate from its traditional applications such as cryptocurrency and smart contracts to functions focused on streamlining supply chains across industries, governance efforts and dedicated financing endeavors.
Banks other financial institutions are embracing the use of the blockchain technology-backed smart contracts as a facilitative mechanism of undertaking escrow account arrangements between parties. Blockchain technology can also be very useful in undertaking Know Your Customer (KYC) processes given its ability to provide tools to reliably verify the authenticity of KYC documents and allow for storage in formats that cannot be altered. The use of the blockchain technology for carrying out KYC processes also provides a more robust compliance with anti-money laundering standards.
A leading bank in India has partnered with BankChain to adopt blockchain solutions to manage mandatory KYC processes and related documents in its system. Bankchain is a group of 27 banks in India and the Middle East that use blockchain solutions that increase efficiency of financial transactions without compromising the privacy of clients. Blockchain technology is also being utilised by banks to streamline their supply chain processes, particularly banks lending to small and medium scale enterprises.
Data Protection and Privacy
New data protection regime
A key regulatory development that will be a game changer for the fintech industry in India is the enactment of the Personal Data Protection Bill, 2019 (“PDP Bill”). The PDP Bill seeks to introduce a paradigm shift in Indian data privacy laws, and once enacted, will introduce a comprehensive framework for data privacy and protection that regulates the access, use, processing and storage of personal data of individuals. The central tenet of the PDP Bill is explicit, free and informed customer consent in connection with:
The PDP Bill also contemplates a localisation requirement for critical personal data. The data localisation requirements in the PDP Bill extend to all “critical” personal data and are wider than those currently in place for payments data.
Privacy by design
The PDP Bill contemplates a "privacy by design" culture, where organisations are required to designate specialised data protection officers, organise external data audits periodically, and are assigned data scores by a "Data Protection Authority" sought to be established under the PDP Bill. The enactment of the PDP Bill will have the effect of bringing India’s data protection regime closer to global standards, such as those set by the European Union’s General Data Protection Regulation.
Access to data
Once enacted, the framework set out by the PDP Bill can be employed as one of the tools to regulate and control access to data by fintech platforms. For instance, the PDP Bill contemplates a "data trust score", ie, a score given to a data-handling platform by an independent data auditor, representing the platform’s compliance with requirements of the PDP Bill.
The regulator may consider linking a fintech platforms’ access to Aadhaar-based e-KYC and other sensitive data to such a data trust score – this approach ensures customer data protection, in addition to incentivising maintenance of data protection infrastructure and practices by the industry as a whole.