Fintech 2024

Last Updated March 21, 2024

India

Law and Practice

Authors



Shardul Amarchand Mangaldas & Co (SAM & Co) is founded on a century of legal achievements, and is one of India’s leading full-service law firms. The firm’s mission is to enable business by providing solutions as trusted advisers through excellence, responsiveness, innovation, and collaboration. SAM & Co is known globally for its exceptional practices in M&A, private equity, competition law, insolvency and bankruptcy, dispute resolution, international commercial arbitration, capital markets, banking and finance, tax, intellectual property, data protection and data privacy, technology law and projects and infrastructure. The firm has a pan-India presence and has been at the helm of major headline transactions and litigations in all sectors, besides advising major multinational corporates on their entry into the Indian market and their business strategy. Currently, the firm has over 829 lawyers including 166 partners, offering legal services through its offices in New Delhi, Mumbai, Gurugram, Ahmedabad, Kolkata, Bengaluru, and Chennai.

India is an established market for fintech innovation and investment, with the sector accounting for about 11% of the country’s GDP. It is projected to reach USD350 billion by 2026, or about 20% of the financial sector.

On the consumer side, there has been a significant increase in the adoption of digital payments in India over the past year. The Reserve Bank of India’s (RBI) digital payments index increased from 377.46 in September 2022 to 418.77 in September 2023. India’s 87% fintech adoption rate (leading ahead of the global average of 64%) is a clear indicator of the Government of India’s (GOI) focus on financial accessibility and technical infrastructure.

The Past 12 Months

Over the past 12 months, several key developments have contributed to significant growth in the fintech sector.

UPI global

India’s Unified Payments Interface (UPI) has enabled seamless, affordable digital payments throughout India, which has been revolutionary for the fintech sector. The RBI is also focusing on integrating the UPI platform with payment systems of foreign jurisdictions. For this international expansion, National Payments Corporation of India (NPCI) has set up a dedicated wholly-owned subsidiary – NPCI International Payments Limited (NIPL).

The UPI global collaborations can be divided into three categories:

  • bilateral linkages, created by NIPL for countries with developed payment systems or with large remittances to India, between UPI and the locally available payment systems, to reduce the cost of remittances (eg, the UPI-PayNow linkage enabling P2P remittances with Singapore);
  • QR code-enabled payments by Indian travellers to merchants abroad (eg, the UPI-Lankapay linkage enabling P2M payments in Sri Lanka, the NIPL-NETs linkage enabling P2M payments in Singapore, and the NIPL-Neopay linkage for P2M payments in UAE); and
  • extending India’s UPI technology to nations without their own instant payment infrastructure (eg, NIPL has collaborated with Bhutan’s central bank).

The limits for cross-border payments through UPI global are the same as UPI’s domestic payment limits (ie, typically INR100,000). The NPCI has also issued an operational circular to all members of the UPI payments system directing them to enable the country and currency codes for 40 jurisdictions.

Payment aggregators – cross border

The RBI has issued a circular on “Regulation of Payment Aggregators – Cross Border” on 31 October 2023 (PA-CB Circular), bringing all entities facilitating cross-border payment transactions for import and export of goods and services (PA-CB) under the direct regulation of the RBI. Through the PA-CB Circular, the RBI has moved from a light-touch approach to a full approval regime for PA-CBs. All PA-CBs, except authorised dealer category-1 banks (AD Banks), will need to obtain prior approval from the RBI to facilitate payments involving the import and export of goods and services.

PA-CBs also need to comply with all obligations applicable to domestic payment aggregators (PAs). Further, every non-bank PA-CB must register with the Financial Intelligence Unit-India (FIU-IND) as a prerequisite to applying for the RBI’s approval. PA-CB activity is then further classified into three categories – “export only”, “import only” and both “export and import”.

KYC norms for virtual asset service providers

GOI recently brought all virtual asset service providers under the ambit of the PMLA. The FIU-Ind subsequently published the “AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets” (the “FIU-Ind Guidelines”) which came into effect on 10 March 2023. Every virtual asset service provider operating in India needs to:

  • register with the FIU-Ind;
  • adopt the prescribed KYC verification processes to verify the identity of users at the time of onboarding; and
  • comply with PMLA requirements (eg, maintaining transaction records, reporting suspicious transactions and specified transactions to the FIU-Ind).

The FIU-Ind has also enforced the FIU-Ind Guidelines quite aggressively – it has recently served show cause notices on several crypto-exchanges for failing to register, and has directed GOI to block their URLs.

The Next 12 Months

Self-regulation for fintechs

Following the success of the self-regulation model for non-banking financial companies (NBFCs) – microfinance, the RBI issued a “Draft Framework for Self-Regulatory Organisations (SROs) in the FinTech Sector” on 15 January 2024 and has invited stakeholder feedback. By pivoting towards an SRO, the RBI is maintaining a delicate regulatory balance – it is permitting the fintech sector to proactively set and adhere to its own industry standards and best practices.

The RBI is expected to issue the fintech SRO framework this year and to also grant recognition to at least two fintech SROs, in line with the NBFC-microfinance model.

The rupee goes digital

The digital rupee (e₹) is India’s central bank digital currency (CBDC). It is legal tender to be issued in digital form by the RBI and holds a 1:1 exchange rate with physical currency. The current e₹ design framework contemplates both a retail (CBDC-R) and wholesale (CBDC-W) use case. The CBDC-R will power the growth of digital payments in India, while the CBDC-W is expected to significantly reduce inter-bank settlement costs and risk.

India launched the pilot for CBDC-W and CBDC-R last year and has been gradually scaling up its pilots. RBI is also exploring several functionalities during the pilots; eg, offline e₹ and specific end-use restrictions.

Regulation of personal data

GOI enacted the Digital Personal Data Protection Act (DPDP Act) on 11 August 2023. The DPDP Act is a technology- and sector-agnostic umbrella framework that governs the processing of all digital personal data. Unlike the Current Data Privacy Framework (see 2.2 Regulatory Regime), there are no tiered obligations for different categories of data.

The DPDP Act is individual consent-centric. The processing of all personal data (any data about an individual who is identifiable by or in relation to such data) of an individual can largely be undertaken based on consent of such individual or, in limited circumstances, for certain legitimate uses carved out under the DPDP Act. Note that a data fiduciary (ie, the entity determining the purpose and means of processing personal data) is responsible for ensuring compliance with obligations under the DPDP Act.

Note that while the DPDP Act has been enacted, it is not currently in force. We expect the DPDP Act to come into force in phases over the next few months with sector-specific regulations. Several financial players are in the process of aligning internal consent architecture frameworks and data protection systems and controls with the requirements of the DPDP Act.

Operational difficulties for PA-CBs

A PA-CB will be treated as a reporting entity and will be obligated to undertake client due diligence, maintain a record of specified transactions for the prescribed period and report specified transactions to the FIU-IND. The requirement of obtaining the RBI’s prior approval and registration with the FIU-IND could also prove to be operationally and practically challenging for PA-CBs. While such changes will encourage transparency and reporting for cross-border transactions, the recent regulatory framework will increase compliance and operational costs for PA-CBs and result in smaller players re-thinking their business model in India.

The various fintech business models or verticals that are currently predominant in India are, broadly:

  • digital payments;
  • digital lending; and
  • a host of intermediary services such as payment aggregation, payment gateway services, credit analysis, post-disbursement services etc, that serve to create a seamless user experience.

Products pertaining to other significant aspects of fintech, such as insurtech, regtech and wealthtech are starting to scale in the Indian market.

Digital Payments

UPI payments

The UPI is a payments platform managed and operated by NPCI, which enables real-time, instantaneous, mobile-based bank-to-bank payments. It leverages India’s fast-growing mobile and telecommunications infrastructure to offer easily accessible, low-cost and universal remittance facilities to users (see 1.1 Evolution of the Fintech Market).

Prepaid payment instruments (PPIs)

PPIs are stored-value instruments that facilitate the purchase of goods and services (including financial services). They may be issued as pre-paid cards or virtual wallets and may be issued by banks, authorised non-banking entities and/or under a co-branding arrangement between licensed and non-licensed entities. Under the revised Master Directions on Prepaid Payment Instruments issued by the RBI on 27 August 2021 (PPI Master Directions), PPIs may be issued under one of the following categories:

  • closed-system PPIs, for purchase of goods or services offered only by the PPI issuer (they do not require prior approval from the RBI); or
  • PPIs that require RBI approval/authorisation prior to issuance, which are classified under two types: small PPIs and full-KYC PPIs.

Small PPIs are issued by banks and non-banks after obtaining minimum details of the PPI holder. They can be used only for purchase of goods and services. Fund transfers or cash withdrawal from such PPIs are not permitted. Small PPIs can be used at a group of clearly identified merchant locations/establishments which have a specific contract with the issuer (or contract through a payment aggregator/payment gateway) to accept the PPIs as payment instruments. Full-KYC PPIs are issued by banks and non-banks after completing KYC of the PPI holder. These PPIs can be used for purchase of goods and services, fund transfers or cash withdrawal.

Access to central payment systems

The RBI, as part of its drive to encourage digital payments, announced that all non-bank payment system providers like PPI issuers, white label ATM operators and card networks will also be granted access to central payment systems like NEFT and RTGS. This is to promote stability and minimise risk in the payment and settlement ecosystem.

Digital Lending

Digital lenders

In India, banks and NBFCs alike have moved to digital platforms for credit products, particularly to cater to relatively underbanked sectors such as micro, small and medium-sized enterprises (MSME) and retail clients.

Digital lending is under the regulatory purview of the RBI under the Digital Lending Guidelines of 2 September 2022 (the “DL Guidelines”), which prescribe a regulatory framework for the digital lending ecosystem in India.

The DL Guidelines apply to both regulated entities (REs) and the lending service providers or digital lending platforms that enter into partnership arrangements with REs to provide digital lending products to consumers.

The DL Guidelines prescribe guardrails in connection with the kinds of customer data that can be accessed and stored by lending service providers, the consent architecture that must be in place for the collection and storage of such customer data and detailed disclosure requirements to protect customer interest and prevent mis-selling of credit products. DL Guidelines also provide for indirect regulation of lending service providers through regulated lending institutions.

P2P lending platforms

Online P2P lending platforms are governed by the RBI and offer loan facilitation services between lenders registered on the platform and prospective borrowers – ie, they constitute a regulated online marketplace for P2P lending. To offer such services, eligible entities are required to obtain registration with the RBI as an NBFC–P2P lending platform, subject to a few identified exceptions.

Payment Intermediaries

Payment aggregators

These entities facilitate online sale and purchase transactions primarily on e-commerce platforms, without requiring e-commerce merchants to create a separate payment integration system. Payment aggregators receive payments from customers, and pool and transfer them to the merchants after a period of time. The RBI has recently brought cross-border payment service providers into its regulatory purview (see 1.1 Evolution of the Fintech Market).

Payment gateways

Payment gateways are entities that provide technology infrastructure to route/facilitate processing of online payment transactions, without handling any funds.

Payment aggregators and payment gateways are governed by the RBI’s regulatory framework (PA/PG Guidelines) requiring payment aggregators to be licensed by the RBI, while prescribing recommended technical standards for payment gateways.

The regulatory framework governing key verticals (see 2.1 Predominant Business Models) and industry participants is fragmented and spread across several legislations and regulations. There are no state-specific variations in terms of the regulatory framework.

The 2007 Payment and Settlement Systems Act (PSS Act)

This is the principal legislation regulating payments in India. The PSS Act prohibits the commencement and operation of a payment system without prior authorisation of the RBI. Here, a payment system is any system that enables payment to be effected between a payer and a beneficiary, utilising clearing, payment or settlement services, and excluding stock exchanges. This includes card network operations, PPIs, UPI payments, and other digital payment services.

The 2002 Prevention of Money Laundering Act (PMLA)

This is the primary anti-money laundering regulation governing entities offering financial products. PMLA is supplemented by the 2005 Prevention of Money Laundering (Maintenance of Records) Rules (the “PML Rules”). Together, they provide detailed procedures for financial sector entities to follow in order to conduct KYC and anti-money laundering verifications, as well as to report suspicious transactions.

RBI Master Directions/Circulars

The RBI, as the principal financial regulator, periodically issues “master directions” and circulars governing and regulating specific offerings in the fintech space. The RBI has issued subject-specific master directions regulating:

  • PPIs;
  • NBFCs;
  • P2P lending;
  • payment aggregators and payment gateways (including PA-CBs);
  • account aggregators; and
  • other market participants and offerings.

The RBI Master Directions on KYC (dated 25 February 2016 and last amended on 4 January 2024) draw from the PMLA and the PML Rules and further prescribe that all REs must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.

The RBI introduced a circular dated 13 September 2021, which permits REs such as NBFCs, payment systems operators/system participants to obtain authorisation to conduct Aadhaar-based E-KYC authentication of their customers. Aadhaar is a 12-digit unique identification number issued by GOI to its citizens.

NPCI Circulars

UPI payments in India are governed by the procedural guidelines issued by the NPCI. The NPCI also issues more specific operational circulars to the UPI payment system participants from time to time. They collectively govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions, etc.

Data Protection Framework

Currently, the 2000 Information Technology Act and the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Current Data Privacy Framework) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as outdated and insufficient – and, once effected, the DPDP Act will overhaul the existing data protection framework.

Separately, the RBI also issued a circular in April 2018 (Data Localisation Circular), which mandates that all payment data be stored on servers located in India. While such data can be transferred outside of India for processing, it must be returned to India within 24 hours. Note that the Data Localisation Circular only pertains to payment data. There are no generalised data localisation requirements under the Current Data Privacy Framework or under the DPDP Act (once brought into effect).

Compensation models across key product offerings typically take the following form:

  • PPIs/debit cards/credit cards/UPI, all charge Merchant Discount Rate (MDR) – ie, charges payable by the merchant to the payment acquirer and/or the card network/payment system operator. For cards, transaction interchange fee, interest and float income and card issuances act as additional income lines.
  • Digital lenders charge loan processing fees and interest from their customers, which are usually linked to the volume and tenor of the loan. Digital lenders can also levy additional penal charges for defaults, in a manner that is reasonable and only for material non-compliance. Penal charges must not be used as a revenue enhancement tool.
  • Payment aggregators/gateways charge the e-commerce marketplaces and merchants for their payment aggregation services and/or technological support provided. These charges are in some instances contractually passed on to the customer transacting on the e-commerce or merchant platform.

To promote indigenous payment instruments, GOI has mandated zero MDR for certain transactions. This could impact the cost competitiveness and revenue flows of foreign fintech players, in comparison with domestic fintech players.

The overarching regulatory requirement surrounding disclosures in connection with these compensation models mandates that:

  • REs (such as banks and NBFCs) adopt a “fair practices code”, to be made available on their websites (in English as well as in the vernacular language), setting out the process for loan applications and the key terms and conditions associated with the lending product (including all charges, fees and interest rates);
  • all lending institutions provide a “key fact statement” in a standardised format for loan processing, and such standardised format must specify the annualised percentage rate for the lending product (which is inclusive of all charges, fees and interest rates in connection with the credit product offered by them); and
  • all REs (such as PPI Issuers, payment intermediaries, banks, and NBFCs) adopt suitable customer grievance redressal mechanisms and designate “nodal officers” to address customer complaints, so as to ensure fairness in operation of such products, including the compensation models employed by them.

Taking a holistic view of the regulatory framework (see 2.2 Regulatory Regime), it appears to treat both new fintech players and established players (like banks) impartially.

However, there is a significant discrepancy when it comes to banks' ability to conduct Aadhaar-based E-KYC checks for customer onboarding, a capability that is not extended to non-bank players (like NBFCs). This discrepancy imposes additional compliance costs on non-bank players. Nevertheless, the RBI has taken steps to address this issue by allowing non-bank players to obtain authorisations to conduct Aadhaar-based E-KYC authentication, enabling them to utilise the services provided by the Unique Identification Authority of India (UIDAI) for E-KYC purposes. Further, the RBI’s focus on enabling centralised KYC processes (which may be used by several kinds of regulated entities) may potentially bridge the cost disparity between banks and non-bank players.

RBI

Framework and eligibility

The RBI issued a Regulatory Sandbox Enabling Framework in August 2019 permitting eligible fintech companies to live-test their products in a controlled/modified regulatory environment, provided that such product is compliant with the designated theme for the sandbox cohort.

Entities that satisfy the following eligibility criteria may approach the RBI to test their products in a sandbox:

  • net worth of at least INR1 million;
  • satisfactory credit score/history of promoters and directors;
  • promoters and directors of the applicant entity meeting the prescribed “fit and proper” criteria;
  • demonstrated ability to comply with personal data protection laws; and
  • adequate IT infrastructure and safeguards to protect against unauthorised access, destruction and disclosure.

The framework outlines the five stages of the sandbox process for a single cohort involving preliminary screening, finalising test designs, application assessment, closely monitored testing and lastly, assessment of the final output by the RBI. The end-to-end sandbox process practically takes more than 1.5 years for each cohort.

To date, the RBI has announced five cohorts – on retail payments (February 2021), cross-border payments (December 2020), micro, small, and medium-sized enterprise lending (October 2021), prevention and mitigation of financial frauds (June 2022) and a fifth “theme-neutral” cohort (October 2023). The successful exit of 15 applicants from the first three cohorts has led to innovations such as a purely digital cash flow-based credit underwriting process for MSMEs and a voice-based UPI payment solution that supports local languages and offline use.

IRDAI and SEBI

Similar to the regulatory sandboxes implemented by the RBI for fintech products, the Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have proposed regulatory sandboxes for products in the insurtech space, and for market-linked financial products offered by SEBI-regulated entities, respectively.

The regulatory regime governing the fintech space across most key verticals is primarily driven and implemented by the RBI, with support on specific, specialised aspects from the NPCI, the UIDAI, IRDAI and the SEBI (see 2.2 Regulatory Regime), as set out below.

RBI

In India, the primary regulator for fintech is the RBI, which has shifted from a light-touch approach to a full-regulation model in recent years. The RBI is responsive to market changes and technological advances, and regulations have been promptly updated to account for such developments.

NPCI

The NPCI is an umbrella, quasi-regulatory organisation for operating retail payments and settlement systems in India. It is a joint initiative of the RBI and the Indian Banks’ Association under the PSS Act and was established with a view to creating an innovative and robust payment and settlement infrastructure in India.

UIDAI

The UIDAI is a statutory body responsible for administering the Aadhaar programme – the largest identity project in India and one of the largest globally. The UIDAI has been central to framing the rules governing the use of Aadhaar by fintech players as a means for customer onboarding and verification.

IRDAI

The IRDAI is the primary regulator in the insurance sector in India and supplements the regulatory framework of the RBI applicable to fintech players, specifically for insurtech elements.

SEBI

The SEBI is the key financial markets regulator in India charged with the function of regulating the securities market and protecting investor interest. It has jurisdiction over aspects of fintech related to robo-advisors, algorithmic trading and financial research platforms, although these areas are still nascent in India.

The permissibility of outsourcing regulated functions in the Indian fintech space is governed largely by the outsourcing guidelines issued by the RBI, which are applicable to banks and NBFCs. Broadly speaking, the core regulated activities cannot be outsourced to unregulated entities, under the extant regulatory framework. The RBI also issued Outsourcing Guidelines with respect to non-bank payment system operators on 3 August 2021 (collectively with the outsourcing guidelines applicable to banks and NBFCs, the “Outsourcing Guidelines”) in order to mitigate any risk in relation to the outsourcing of payments and settlement-related activities.

Outsourcing Guidelines

These guidelines require that banks, payment system operators and NBFCs have a board-approved outsourcing policy and that they do not outsource “core management functions”, such as internal audit, undertaking regulatory compliance, and decision-making roles such as determining compliance with KYC requirements, etc. The RBI imposes a geographical limitation in connection with even the outsourcing of non-core functions – the service provider must not, even in such permissible cases, be situated outside of India. Moreover, any outsourced functions have to be duly supervised by the RE outsourcing the activities.

The RBI imposes all gatekeeping obligations on the entities directly regulated and supervised by it (the REs) – and in connection with whom suitable corrective and/or enforcement action can be undertaken by the RBI. Illustratively:

  • Banks, payment system operators and NBFCs are required to retain ultimate control over any outsourced activities and cannot pass on customer accountability to the service provider.
  • Payment aggregators are responsible for checking the technical and security infrastructure of the merchants onboarded by them, and for assessing compliance with regulatory and industry security standards.
  • Banks and NBFCs that lend through partner digital lending platforms are required to ensure that their names are disclosed on such lending platforms and have the primary responsibility to comply with the DL Guidelines.

A standard industry practice is that the risks borne by REs as gatekeepers are contractually passed on to unregulated entities, backed by suitable indemnity and termination of access provisions. However, while the costs associated with non-compliance can be passed on contractually, the reputational risks continue to rest with the RE. In some cases, the RBI even specifies the contractual safeguards that an RE must build in, to ensure the regulatory compliance of the unregulated partner or service provider.

In case of non-compliance with the regulatory framework (see 2.2 Regulatory Regime) the RBI may undertake enforcement actions under the provisions of the 1934 Reserve Bank of India Act, the 1949 Banking Regulation Act, or the PSS Act.

The RBI has stepped up its enforcement actions against REs in the last three years. Enforcement actions typically take the form of monetary fines and penalties and, in exceptional cases, revocation of the authorisations and licences granted by the RBI to the REs. The RBI recently prohibited an RE from onboarding new customers and restricted any further deposits due to its failure to comply with KYC verification requirements. The RBI has also in the past revoked NBFC licences of entities engaging in unfair lending practices and aggressive recovery tactics, or which did not fulfil the regulatory criteria.

Certain non-financial services regulations (such as those relating to privacy/data protection, social media content, and access to Aadhaar for customer verification) are governed by independent regulatory frameworks, which indirectly impact delivery of financial services:

  • the Current Data Privacy Framework requires certain REs (including banks, NBFCs, and PPI issuers) to maintain a publicly available privacy policy and handle customer data in accordance with the framework and such policy (note that the Current Data Privacy Framework will be replaced by the DPDP Act upon effectiveness);
  • the Data Localisation Circular (see 2.2 Regulatory Regime);
  • the Aadhaar framework (see 2.4 Variations between the Regulation of Fintech and Legacy Players); and
  • the intermediary guidelines/rules under the 2000 Information Technology Act require intermediaries to monitor the display and sharing of data on their platforms and to ensure that such data is not appropriated from someone else, does not infringe intellectual property, and does not violate any other prevailing laws.

Besides regulators and quasi-regulatory bodies (see 2.6 Jurisdiction of Regulators), the regulatory framework (see 2.2 Regulatory Regime) requires REs to have in place several checks and balances that serve to review the functioning and operations of industry participants. By way of an indicative overview:

  • Banks and NBFCs are subject to a detailed ongoing compliance framework that involves a review of their operations by external auditors/accountants.
  • The RBI has set up designated ombudsman offices under its management and supervision, charged with receiving and considering complaints from customers relating to deficiencies in banking or other digital payment services, creating an additional, consumer-driven oversight mechanism on REs.

These compliances represent strict regulatory requirements, deviation from which can lead to enforcement actions and/or penal consequences by the RBI (see 2.9 Significant Enforcement Actions). Thus, industry practice is fairly aligned with the regulatory mandate and there is little room for adopting alternative approaches.

While regulated products are offered by REs (such as banks, NBFCs and PPI issuers), several intermediaries and service providers (that may not fall within the regulatory framework) have emerged to cater to gaps that may arise in the delivery of financial services and to ensure a seamless, end-to-end digital product delivery. Some of these have led to the emergence of interesting market trends in the Indian fintech space.

Credit Analysis

Traditional credit information in India is collated by specialised REs called credit information companies (CICs). Access to traditional credit information through such CICs was originally restricted only to REs. Some non-bank entities, fulfilling the criteria prescribed by the RBI, have now been allowed to access information from CICs. However, these criteria are still quite strict (including a net worth of at least INR2 crores, Indian-owned and controlled status, at least three years of experience in data processing and a clean track record).

Due to such restricted access to traditional credit information, a market space for unregulated players to undertake non-traditional “behavioural scoring” has grown in India. These fintech entities typically utilise data that does not strictly constitute credit data and is therefore not currently subject to regulatory limitations. Such behavioural scoring may be based on social media presence of consumers, consumption patterns on e-commerce websites, etc. However, the consent requirements under the DPDP Act (once enforced) will also cover such data collection and processing.

Booking Services

Authorised PPI issuers are also offering ticketing (railways, airlines, etc) and hotel booking services in addition to their core product offering to provide their customers with a seamless customer experience.

The KYC Master Directions apply to REs (including banks, NBFCs, PPI issuers, and payment system providers). The KYC Master Directions require such entities to abide by the provisions of the PMLA and various rules framed under it. REs must file reports of suspicious transactions, including transactions relating to terrorism, with the FIU-Ind. REs are also required to appoint a principal officer who is responsible for monitoring and reporting all transactions and sharing information as required under the law.

Unregulated entities are not required to comply with the provisions of the PMLA and various rules framed under it. The Outsourcing Guidelines also restrict banks, payment system operators and NBFCs from outsourcing core functions such as KYC compliance.

The robo-adviser financial market has been evolving rapidly in India over the last few years; however, the regulatory framework is at a very nascent stage. While undertaking the business of investment advice requires registration with the SEBI, current regulations do not stipulate a specific requirement for registration of robo-advisers with SEBI.

As a matter of market practice, robo-advisers have focused on one or more asset classes, depending on their client base and area of expertise. There are a range of robo-advisers in India which focus on offering advice in connection with equity-based investments, while others focus on investments in funds and other general wealth advisory.

The legacy players in India have been quick to recognise and utilise the potential of robo-advisers. Several RE players have been quick to establish a multi-asset robo-advisory platform.

Legacy players across India have taken a two-pronged approach to incorporate robo-advisory services:

  • acquisition of, or partnerships with, players in the robo-advisory space; or
  • development of in-house technology, using internal analytical information to provide robo-advisory, putting them in competition with new and upcoming specialised start-ups.

The robo-advisory landscape in India is still evolving. A focus area has been to solve network creation and connectivity issues between the clients and robo-adviser platforms, which may affect the speed of execution.

Further, it is critical that the nuances of the material and procedural aspects of investments in various assets through a robo-advisory platform are covered by the internal policies of the robo-adviser entities. This is especially important from the perspective of new or first-time investors operating through a robo-advisory platform.

The lending regulations in India are broadly borrower-agnostic. However, the extent of regulatory supervision differs depending on the category of lender. Both banks and NBFCs are required to comply with specific capital adequacy, asset quality and prudential norms. While banks are generally heavily regulated, NBFCs are subject to relatively less stringent regulation. Lending service providers or digital lending applications are front-end entities and are only indirectly governed by the DL Guidelines.

From a business perspective, banks primarily extend secured credit to large entities that pose a lower credit risk and have substantial credit history and business operations. A significant proportion of fintech lenders are licensed as NBFCs – which typically cater to MSMEs and start-ups, which may be unable to demonstrate the same degree of credit strength and operations as large corporations. In the retail/individual borrower space, traditional forms of credit such as home loans/mortgage-backed loans are offered by banks, and more unique products, including smaller ticket, salary/cashflow-backed loans are largely the domain of NBFCs/fintech players.

The RBI has also issued a designated regulatory framework for P2P lenders – ie, entities that do not lend on their own books, but offer loan facilitation services between lenders registered on the platform and prospective borrowers.

Furthermore, the Indian financial sector also often sees lending partnerships between banks and NBFCs, whereby the bank brings the advantage of capital, while the NBFC partner assists with the customer distribution channels and technological aspects.

Traditionally, as a market practice, industry participants have been relying on the following key parameters for credit underwriting processes:

  • credit score and credit reports from CICs;
  • annual income and sources of income; and
  • status of existing loan accounts, including any delayed repayments, defaults, etc.

Non-traditional behavioural data is increasingly being used for credit analysis (see 2.12 Conjunction of Unregulated and Regulated Products and Services). Technology platforms that already have access to some of this behavioural data have taken the lead in the development of these alternative credit scoring models.

The DL Guidelines mandate that REs undertake responsible lending by capturing the economic profile of the borrower (including age, occupation, income, etc) to assess the borrower’s creditworthiness in an auditable way. To this end, the DL Guidelines permit collecting data that is required in connection with its operations, provided the digital service provider/regulated entity is able to demonstrate a tangible and direct link between the borrower data collected and economic profiling of the borrower enabling credit decision-making.

The RBI also dictates detailed regulatory requirements and procedures to be followed for undertaking KYC and anti-money laundering checks on prospective borrowers at the time of onboarding.

Different lender categories in India rely on varied sources of capital for lending. Traditional lenders primarily rely on deposits for providing loans to borrowers and are governed by capital requirements and prudential norms prescribed by the RBI. Further, the RBI restricts banks from sanctioning loans for certain specified end uses, such as:

  • banks are prohibited from sanctioning loans against the security of their own shares;
  • banks are prohibited from sanctioning such loans that are to be used for buy-back of securities; and
  • banks are restricted from granting loans to their directors or their relatives, except where approved by the bank’s board of directors and subject to compliance with other specified restrictions.

NBFC

NBFCs primarily rely on borrowed funds (either from domestic banks or external commercial borrowings – ie, borrowings taken from eligible overseas lenders) and equity funds, to provide loans to customers. NBFCs are also regulated by prudential regulations prescribed by the RBI, which include maintenance of leverage ratio and capital adequacy norms.

The Bond Market

The bond market in India is growing and investors in corporate debt securities include primarily banks, mutual funds, and wealth management funds. The investor entities in debt securities may either be domestic or foreign portfolio investors registered with the SEBI. In the case of foreign portfolio investors, there are restrictions on end uses; in other words, funds raised from such foreign portfolio investors cannot be used for investments in real estate business, capital markets and purchase of land. Given the rating requirements linked to the issuing of debt securities, access to debt capital markets tends to be restricted to larger corporates, and these markets have not been fully tapped into by the newer fintech platforms.

Eligible entities are permitted to borrow funds as external commercial borrowings from eligible overseas lenders, subject to compliance with requirements such as all-in cost ceilings, minimum average maturity periods and end-use restrictions.

P2P Lending

The RBI also permits P2P lending via REs which act as facilitation platforms for lenders to identify prospective borrowers through a digital platform. Under such P2P lending arrangements, only unsecured plain vanilla loans are permitted. Such loans are also subject to maximum exposure limits on lenders sanctioning loans to borrowers through such platforms. The P2P lending platform is itself restricted from providing any loans or granting credit support to loans disbursed on its platform.

Syndication of loans is a common practice in India for funding large borrowing requirements, primarily by corporates. Syndication primarily involves distribution of credit exposure amongst a consortium of lending banks with a common security agent/trustee appointed for holding security for the benefit of the lending banks. The arrangement typically also involves the appointment of a “lead bank” for administrative and decision-making purposes.

The lending banks typically also enter into a security-sharing or inter-creditor arrangement, which sets out their respective rights and obligations and the approach to be followed in case of a default by the borrower and enforcement of security.

The RBI has mandated information sharing measures to be followed by banks while granting loans under multiple banking/consortium arrangements. The key measures mandated by the RBI include obtaining declarations from the borrower of the credit facilities availed by them from other banks, and establishing a system of exchange of information with respect to the borrower’s credit facilities between banks (upon obtaining appropriate consent from the borrower).

Payment processors primarily rely on existing payment rails for processing and completing payment transactions. For example, payment processors such as payment aggregators use the existing payment rails such as card networks (for card transactions), NEFT and RTGS (for online banking transactions), etc, to process payments. TPAPs for UPI transactions rely on the UPI (operated by the NPCI) for processing and completing UPI payment transactions.

Cross-border payments and remittances are primarily regulated under the 1999 Foreign Exchange Management Act (FEMA) and the rules, regulations and circulars issued thereunder. FEMA prescribes different regulations and compliance requirements, depending on the nature of transaction (ie, whether a capital account transaction or a current account transaction) and whether remittances are inbound to India or outbound from India. Such transactions are undertaken by AD Banks, authorised under FEMA to deal in foreign exchange on behalf of their clients.

For personal remittances inbound to India, residents may use the facility to receive such payments through money transfer operators.

RBI-approved PA-CBs also facilitate cross-border payments in exchange for goods and services. Additionally, UPI global is the latest entrant in the cross-border payments space in India (see 1.1 Evolution of the Fintech Market).

Fund administrators/managers such as mutual funds, alternative investment funds and portfolio managers, are regulated by the SEBI. Depending on the nature and scope of their activities, entities engaged in providing investment services through mutual funds, alternative investment funds and portfolio management services, are required to obtain authorisation from the SEBI to undertake their business activities.

Fund administrators in India are directly regulated by the SEBI and are required to comply with the regulations specified by the SEBI from time to time, depending on the nature of their business. Requirements pertaining to assured performance and accuracy are primarily guided by the SEBI under regulations and not contractually between fund advisors and fund administrators.

Under Indian law, the key marketplaces and trading platforms for trading in securities are registered stock exchanges and privately managed platforms operated by stockbrokers, each of which is registered with the SEBI.

Stock exchanges facilitate trade in a number of assets such as equity, equity derivatives, currency derivatives, commodity derivatives, debt securities, units in pooled investment vehicles such as infrastructure investment trusts and real estate investment trusts. Different asset classes are governed by varying regulations, depending on the nature of the asset (eg, equity-linked, debt-linked or pooled investment vehicle).

The principal regulators for stock exchanges are the SEBI, the Ministry of Finance and the RBI, depending on the asset class being traded on the stock exchange. Stock exchanges are highly regulated entities and also operate as quasi-regulators, to some extent, by enacting their own separate by-laws and guidelines which govern trading in securities on the stock exchange.

In addition to traditional stock exchanges, the RBI has also recognised electronic trading platforms for transactions in financial market instruments regulated by the RBI. Such electronic trading platforms must be registered with the RBI and must comply with minimum capital norms, technological standards and other safeguards.

See 7.1 Permissible Trading Platforms.

The RBI and GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. However, over the last year, their stance on cryptocurrency has softened from a “complete ban” to a “regulation” approach, in line with the global developments in the cryptocurrency space.

Indian regulators are therefore now focused on regulating crypto-intermediaries (including crypto-exchanges) with rules centred around KYC requirements, consumer protection, disclosures and reporting requirements (see 1.1 Evolution of the Fintech Market). 

Additionally, advertisements dealing with cryptocurrency and/or virtual assets must contain adequate risk disclaimers and must not equate such products with regulated products, in accordance with the code issued by the Advertising Standards Council of India.

Listing standards and disclosure requirements are governed by the SEBI and registered stock exchanges. SEBI regulations on listing are fairly comprehensive and have separate requirements for public issues and private placements. In addition, the regulations also prescribe continuous disclosure requirements in connection with listed securities, based on materiality of events and their impact on the performance of the listed securities.

Placement of orders and settlement of funds for trades completed on the stock exchange are governed by applicable procedural rules which stipulate settlement cycle, timelines for placement of orders and completion of trades, etc. Given that listed securities are mandated to be in dematerialised form, transactions are undertaken through dematerialised accounts through registered brokers or agents.

As far as digital lending is concerned, currently there are 24 P2P lending platforms authorised by the RBI in India. P2P lending platforms have simplified delivery of credit to interested borrowers from non-traditional lenders such as small digital lending platforms and lending start-ups.

Given the extant regulatory framework and regulatory stance against cryptocurrency in India, P2P cryptocurrency trading platforms have very limited operations in India.

In 2010, the SEBI approved the smart order routing facility to improve the procedure for the execution of trades on the stock exchanges. The facility was introduced to enable brokers and trading engines to systemically choose the execution destination based on factors such as price, costs, speed, likelihood of execution and settlement, size, nature or other relevant considerations in connection with the execution of an order.

The SEBI prescribes procedural rules for processing payments for trades in listed securities. For example, in 2018, the SEBI introduced the electronic book process (EBP) for private placement of listed debt securities. Under the EBP, subscription monies in respect of debt securities must be routed through an escrow account or the bank account of the Clearing Corporation of India Limited and should be credited to the issuer’s account upon allotment of the debt securities.

Trading in securities in India is regulated and governed primarily by SEBI through policy moves for market surveillance and risk mitigation measures at the stock exchanges. The market surveillance systems of SEBI also oversee whether appropriate systems and safeguards have been adopted by stock exchanges to check market movements and flag any issues (eg, timely reviews of the margining system).

SEBI, by way of a circular dated 3 April 2008, introduced the concept of Direct Market Access (DMA) and provided a legal framework for regulating such access to the DMA framework.

SEBI permitted institutional investors to use DMA through SEBI-registered investment managers.

In respect of algorithmic trading, SEBI issued the Broad Guidelines on Algorithmic Trading and subsequently issued additional guidelines pertaining to the same.

Additionally, SEBI issued the Measures to Strengthen Algorithmic Trading and Co-location/Proximity Hosting Framework, which discussed the framework around managed co-locations, measurement of latency for co-location and proximity hosting and the free-of-charge tick-by-tick data feed (TBT Feed), order-to-trade ratio (OTR) penalties, unique identifiers for algorithms/tagging of algorithms and the testing requirements for software and algorithms. These obligations were targeted at stock exchanges (except for commodity derivatives exchanges) in the country. SEBI’s recent trend has been towards relaxing the OTR and orders per second (OPS) limits.

Recently, SEBI released a notification banning mis-selling of algorithmic strategies by making references to past performance or expected returns.

The circulars cumulatively constitute the key regulatory framework governing high-frequency and algorithmic trading.

The Guidelines for Market Makers require market makers to register with the stock exchanges per the relevant requirements notified by the stock exchanges.

Generally, any member of a stock exchange is eligible to act as a market maker provided the criteria laid down by the exchange are met.

Currently, the regulations do not distinguish between funds and dealers in the algorithmic trading space.

The regulatory framework governing trading algorithms and other electronic trading rules lays down the following obligations on programmers:

  • all algorithmic orders be tagged with a unique identifier provided by the stock exchange in order to establish an audit trail; and
  • the testing procedures which are to be followed by market participants before deployment of software and algorithms.

While India has not yet enacted specific guidelines to regulate decentralised finance, GOI is proposing to enact a legislation governing cryptocurrencies, crypto-wallets as well as decentralised finance platforms. In the absence of specific guidelines, decentralised finance is currently governed under the extant regulations on payment systems, and payment and investment intermediaries.

The companies or individuals operating Financial Research Platforms may be required to be registered as a research analyst or research entity under the 2014 Securities and Exchange Board of India (Research Analysts) Regulations (the “Research Analyst Regulations”).

A Research Analyst requires registration if they are primarily responsible for:

  • preparation or publication of the content of a research report;
  • providing a research report;
  • making “buy/sell/hold” recommendations;
  • giving price targets; or
  • offering opinions on a public offer with respect to securities that are listed or to be listed on a stock exchange.

A research entity is subject to registration if it is an intermediary registered with SEBI that is also engaged in merchant banking, investment banking, brokerage services or underwriting services and issues research reports or research analysis in its own name through the individuals employed by it as a research analyst and includes any other intermediary engaged in the issuance of research reports or research analysis.

The Research Analyst Regulations lay down the various checks and balances that ensure rigorous scrutiny of research reports and eliminate any unverified information. The Research Analyst Regulations also include obligations for acting with honesty and in good faith, conducting appropriate due diligence, and abiding by professional standards to ensure adherence to standards of conduct and procedures. Non-compliance with the prescribed code of conduct has legal repercussions under the Research Analyst Regulations.

The financial research platforms in India usually do not allow for readers to post on the platforms, but function rather as closed digital publications. However, if any unacceptable behaviour is observed, the financial research platforms usually reserve the right to modify and regulate the content being posted on their websites through their terms and conditions of use.

Additionally, liabilities for persons engaging in unacceptable behaviour such as pump and dump schemes, spreading of insider information, etc, are set out in specific regulations such as the 2015 SEBI (Prohibition of Insider Trading) Regulations, the 1860 Indian Penal Code, and the 2000 Information Technology Act.

Entities undertaking insurance business in India are required to be registered as an insurer or an insurance intermediary with the IRDAI. The underwriting processes to be undertaken by insurers and insurance intermediaries are specified by the IRDAI and include making appropriate disclosures on costs, expenses and charges payable on insurance policies, rates, terms and conditions of the policy, and audit and reporting mechanisms.

Different kinds of insurance business are subject to different regulatory frameworks. Broadly, insurance business may be categorised into two main categories: life insurance and general insurance. General insurance further includes sub-types such as fire insurance, marine insurance and vehicle insurance.

Most regtech providers in India are centred around providing KYC and related onboarding services. There has also been a recent boost in regtech solutions focusing on end-to-end automation of securities and labour compliances.

There is no direct regulation governing regtech providers in India. Certain functionalities of regtechs may, however, be subject to regulatory oversight. For example, customer onboarding regtech providers in India are typically engaged as agents of the REs through outsourcing arrangements and are subject to indirect regulation to some extent through audit, access rights and other similar checks and balances.

In addition, under the regulatory framework governing the use of Aadhaar, there are certain specific data security requirements such as masking of Aadhaar information and requirements on storage of Aadhaar, which are also relevant for regtech providers utilising the Aadhaar database for their services.

See 11.1 Regulation of Regtech Providers and 2.7 Outsourcing of Regulated Functions. Requirements pertaining to assured performance and accuracy for unregulated regtechs are contractually agreed. They usually contain a limitation of liability clause and an express “no warranty” clause as to their accuracy and completeness.

Traditional financial services players such as banks are developing interesting and effective applications for the use of blockchain in the financial services industry in India. India’s Bankchain consortium has recently launched a permission-based blockchain for integrated and shared KYC (Primechain KYC) and is exploring its use for processing letters of credit, tax invoices, and e-way bills, particularly for MSMEs.

Meanwhile, the Indian regulator is also currently exploring a blockchain-based pilot project for reducing loan frauds through its wholly-owned subsidiary.

On the private side, financial blockchain start-ups in India are primarily focused on cryptocurrency exchanges. However, there is a growing interest in newer applications for blockchain, such as supply chain financing and digital identity verification.

Unlike towards cryptocurrency, GOI and regulators have taken a positive stance towards blockchain technology. The RBI is playing an active part in collaborating with banks piloting blockchain applications and has also included applications of blockchain technologies to be tested in its sandbox.

GOI has developed a National Strategy on Blockchain to synergise stakeholder inputs and develop e-governance applications of blockchain. NITI Aayog, the policy think tank of GOI, published a report titled Blockchain: The India Strategy, highlighting the different use cases for blockchain.

Blockchain assets are not considered a form of regulated financial instruments. They have not been classified as securities and are not regulated under the current legal framework laid down by SEBI.

The “issuers” of blockchain assets as well as initial sales or offerings of blockchain assets are not regulated under a dedicated legal framework. Protection against potential fraud by the issuer or intermediaries involved will be based on appropriate legal recourse under general penal laws and consumer protection legislations such as the 1860 Indian Penal Code, and the 2019 Consumer Protection Act.

Blockchain asset trading platforms as well as secondary market trading networks for blockchain assets are not currently regulated by a consolidated framework. See 7.3 Impact of the Emergence of Cryptocurrency Exchanges and 7.7 Issues Relating to Best Execution of Customer Trades.

The current regulatory framework does not contemplate blockchain assets. The funds investing in blockchain assets are therefore unregulated.

Owing to a lack of clarity on how to classify virtual currencies (they do not fall under securities, commodities, currency, payment or security tokens), they remain excluded from most regulations. However, after the 2022 budget speech, GOI declared virtual currencies to be taxed as a separate class called “virtual digital assets”.

All income from the transfer of virtual assets including cryptocurrencies is subject to 30% tax. GOI also announced a tax deducted at source (TDS) of 1% on all cryptocurrency-based transactions. A gift of virtual digital assets is also proposed to be taxed in the hands of the recipient.

The RBI and GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. India is currently piloting the e₹, which is anticipated as a replacement for all privately owned cryptocurrencies in India after its launch. See 1.1 Evolution of the Fintech Market.

DeFi has not been defined under any regulations in India, at present. There is a regulatory vacuum with regard to DeFi platforms. Moreover, India operates a centralised finance model, with the RBI acting as the chief financial regulator, and does not recognise a DeFi system or related activities.

The regulatory landscape surrounding NFTs is unclear. However, NFTs have recently been recognised as a subclass of virtual digital assets and are subject to the same taxation regime.

India has adopted a distinctive approach to open banking. It has created several comprehensive public infrastructure and standards, collectively known as the “India Stack”. The India Stack acts as a platform which brings together traditional financial institutions and fintech firms, creating a common infrastructure.

The India Stack has been developed in layers over the past decade, with a proactive role played by regulators:

  • Identity layer: the Aadhaar digital identity system. It facilitates identity verification and tracing of individuals' particulars across various datasets. The RBI has mandated Aadhaar-interlinked KYC practices for all REs through the 2016 Master Direction – KYC Direction.
  • Payments layer: the UPI, Aadhaar-enabled Payment System, and Aadhaar Payments Bridge. These create a fully interoperable payment system that is subject to the supervision of the NPCI.
  • Documents layer: the “Digilocker” – a cloud-based platform which enables registered governmental authorities to issue, and citizens to access, authenticated identity documents and certificates.
  • Data layer: the data empowerment and protection architecture. In the financial sector this equates to the Account Aggregator (AA) framework, which is currently under development.

AAs are regulated entities that allow users to share their financial data securely and seamlessly, and have gained traction with both financial information users (FIUs) and financial information providers (FIPs). An AA is an NBFC that facilitates the retrieval or collection of financial information pertaining to a customer from FIPs on the basis of explicit consent of the customer. The financial information shared through the AA is not stored with the AA and is to be used solely for providing it to the customer or consented FIU. The RBI licenses the AAs and registers the data providers and users under the AA framework. However, in the long run AAs are expected to be self-regulated under the industry body Sahamati, with a lighter role for the RBI.

Data protection remains the biggest concern surrounding open banking. Market players in India are generally gearing up for the DPDP Act to become effective. Banks, financial institutions, technology platforms and fintech players will need to align their existing systems and processes to comply with the detailed consent architecture prescribed in the DPDP Act and with the restrictions on the use, processing and storage of data that are mandated by the DPDP Act.

With the expansion of digital payments, fraudulent transactions through compromised credentials, identity theft and phishing attacks have been on the rise in India. A typical fraud involves the perpetrator getting illegal access to card or other payment credentials (by means such as illegal tapping on unsecured internet networks, phishing attacks, spam and fraudulent calls to retrieve sensitive payment credentials like card numbers, PINs, OTPs and passwords) and then using them to make payment transactions. Financial regulators are quick to react and introduce regulatory measures to protect customers; for example, in light of increasing card fraud, the RBI has introduced guidelines on the storage of customer card data and a tokenisation framework to control such fraudulent transactions.

Indian regulators primarily focus on frauds affecting retail customers and the general public (such as card frauds, fraudulent loan recoveries, unauthorised transactions) as well as frauds that have larger system-wide implications on the banking and financial ecosystem of the country (for example, wilful defaulters, diversion of bank-borrowed funds, etc). The RBI is constantly engaged in monitoring emerging fraudulent techniques in order to protect retail consumers from such threats.

Shardul Amarchand Mangaldas & Co

Okhla Phase III
Okhla Industrial Estate Phase III
New Delhi
Delhi 110020
India

+91 11 4060 6060

Connect@AMSShardul.com www.amsshardul.com

Trends and Developments



Introduction

Recent trends and developments dominating the Indian fintech sector can be broadly divided into four key areas. This article will delve into the hot topics within these areas.

Digital Payments

Increased adoption

The digital payments landscape in India has grown significantly over the last few years, both in terms of product innovation and wider consumer usage. This growth was initially fuelled by the COVID-19 pandemic and subsequent lockdowns, as people found transacting digitally to be a contact-free, easier and safer way to make payments and access financial products. This shift from physical to digital is likely to be a permanent one as fintech platforms continue to innovate, giving consumers access to more convenient and customised financial solutions. Specifically, in the Indian context, fintech has witnessed an exponential rate of adoption by the retail population, which can be attributed to the following key factors:

  • enhanced penetration and use of mobile and internet technologies across tier one to tier six centres in the country;
  • the Government of India’s increased focus, accompanied by appropriate policy changes to incentivise adoption of digital modes of payment and discourage cash transactions; and
  • growth of indigenously developed low-cost payment services such as United Payments Interface, Rupay card network and Bharat Bill Pay Systems.

Payment aggregators – moving away from “light-touch” regulation

The Reserve Bank of India (RBI), the Indian central bank and a key financial regulator, has moved from a model involving light-touch indirect regulation (through banks) to a more closely and directly regulated model for the digital payments sector. An important development has been the introduction of a full-fledged regulatory regime for payment aggregators facilitating both domestic and cross-border transactions. Payment aggregators are entities that operate as intermediaries between consumers and merchants, and facilitate digital payment transactions by aggregating funds before final settlement with end merchants. The RBI issued a framework in March 2020 (PA PG Guidelines) for licensing and closely regulating payment aggregators facilitating domestic transactions. The framework requires compliance with, among others, detailed corporate governance rules, KYC onboarding procedures, minimum capital norms and privacy and security of sensitive customer data. In October 2023, the RBI introduced a set of rules to regulate entities facilitating cross-border payment transactions for import and/or export of goods and services, including eligibility criteria, permissible settlement flows, transaction limits, capital, governance and KYC norms.

Payment gateways that provide only the technology for digital payment transactions continue to be unlicensed, but are encouraged to align their technology infrastructure with the baseline technology recommendations applicable to payment aggregators.

As of 16 February 2024, the RBI has granted in-principle authorisation to 32 entities that are permitted to operate as payment aggregators and 17 entities that are not yet permitted to operate. Further, the RBI has granted the final certificate of authorisation to operate as a payment aggregator to seven entities in 2023, and to nine entities in 2024. The deadline to apply for a licence to the RBI for operating as a payment aggregator for cross-border transactions for import and/or export of goods and services is 30 April 2024. Entities facilitating import and export cross-border transactions are gearing up to file their applications to the RBI.

Storing sensitive data

Under the new RBI rules, payment aggregators have been prohibited from storing customer card credentials within their systems and must ensure that the merchants they onboard also do not store customer card credentials within their systems (except limited details for purposes of transaction tracking). In addition, merchants are prohibited from storing any “payment data” within their systems, except limited data for purposes of transaction tracking. This restriction is being viewed as one that could severely affect the convenience of using cards as a payment method and is being closely analysed by the industry.

In a series of circulars, the RBI has stressed the requirement for authorised payment system operators (which include card networks and payment aggregators once they are authorised) to ensure implementation of tokenisation or other similar measures (as may be devised by industry stakeholders for handling any specific use cases) for protecting privacy of customer card data and to mitigate risks attached to fraudulent attacks or security breaches in connection with storage of card data by industry players. Payment players have now put in place tokenisation and other measures to safeguard customer card data. Only card issuers and card networks are permitted to store customer card data. All other entities in the payment chain can store only the customer’s name and the last four digits of the customer’s card, for the purpose of tracking the transaction.

UPI-enabled payments

Payments on the United Payments Interface (UPI) have grown substantially over the last few years (for both customer-to-merchant payments and peer-to-peer transfers), and now constitute the largest by volume among all forms of digital payments in India. This growth has been primarily fuelled by developments in mobile and network technologies, minimal enabling infrastructure and seamless customer onboarding. In 2023, more than 117 billion UPI transactions amounting to over INR182 lakh crore in value were conducted. Capitalising on the growing popularity of UPI for facilitating domestic payments within the country, the NPCI, in September 2021, introduced a framework for enabling international payments through UPI, allowing customers to make payments to merchants located offshore, beginning with Singapore and Bhutan, and with the objective of expanding to other jurisdictions in the future. Increasing the international footprint of UPI has been a regulatory focus area; today, Indian travellers to Bhutan, France (e-commerce), Mauritius, Singapore, Sri Lanka and the United Arab Emirates can pay with UPI at select merchant locations.

The Bharat Bill Payments System (BBPS) is a payment system conceptualised by the RBI as a “one-stop ecosystem” for payment of all bills to provide an interoperable and easily accessible payment platform for customers across India. Customers may utilise multiple payment channels such as internet banking, mobile banking, ATMs, bank branches, agents and business correspondents to pay utility bills, mobile bills, fees for subscription services, etc. In 2023, over 1,305 million BBPS transactions, amounting to more than INR2,649 billion in value, were conducted.

“e-RUPI” is a person- and purpose-specific cashless e-voucher designed to guarantee that the stored money value reaches its intended beneficiary and can only be used for the specific benefit or purpose for which it was intended. It is typically in the form of an SMS or a QR code and is currently being used in the healthcare sector. Both government entities and private corporates can sponsor e-RUPI vouchers. A single e-RUPI voucher has a limit of INR100,000 for government sponsors and INR50,000 for corporate sponsors.

Volume-based transaction caps

Due to the significant growth in UPI-enabled payments, third-party app providers (TPAP) facilitating UPI transactions (by providing the technological interface with back-end arrangements with UPI member banks) have, over the past several years, acquired a significant market share in UPI payments. To prevent concentration of transactions with only a few big players and to mitigate systemic risks on account of such concentration, the NPCI issued volume-based limits on UPI transactions that can be processed by a TPAP. Effective from 1 January 2021, payment service provider banks and TPAPs are obligated to ensure that the total volume of transactions initiated through a TPAP does not exceed 30% of the overall volume of UPI transactions during the preceding three months (on a rolling basis). Existing TPAPs were granted a two-year period, starting from 1 January 2021, to comply with these volume-based restrictions.

Per the standard operating procedures released by the NPCI, the volume cap on UPI transactions will be implemented by controlling onboarding of new users by TPAPs. However, to avoid sudden disruption in business, TPAPs have been given the option to seek an exemption for a maximum period of six months from the NPCI, which may be granted by the NPCI on a case-by-case basis, at its discretion. The standard operating procedures also contemplate sending periodic alerts to TPAPs and their partner banks as and when the TPAPs are about to breach the volume cap thresholds, in order to enable TPAPs to plan their operations effectively.

Data localisation

The RBI introduced requirements for localisation of payments data, which continue to apply. Entities authorised by the RBI are required to ensure that all “payments data” (which includes end-to-end transaction details in connection with a payment transaction) relevant to the payment system in which such regulated entities are operating or participating is stored on servers located solely in India.

Digital Lending

Market landscape

In India, all digital lending products involve the core lending function being undertaken by a bank or a non-banking financial company (NBFC). Additionally, however, the market landscape involves value added by several intermediaries. Credit and data analytics, creation of new customer distribution channels, management of the technology platform and post-disbursement servicing are all functions that are often performed by unregulated intermediaries, towards which the regulator takes an “indirect supervision” approach, routed through partner regulated entities.

The RBI has demonstrated a steady shift from a light-touch approach to a full-regulation model. The RBI has shown itself to be a responsive regulator and follows a stakeholder-based approach to developing new regulatory models.

Industry developments

The digital lending ecosystem in India has grown significantly over the last few years with a lot of the product focus on retail, small to medium-sized enterprises (SME) and micro, small and medium enterprises (MSME) loans. Alternative credit underwriting models (leveraging non-traditional data sets) and cash flow-based lending products have greatly increased credit access to the SME and MSME segments. The digital lending space was largely unregulated. However, prompted by certain “bad practices” around collections and unauthorised use of personal data by a few “bad actors”, in January 2021, the RBI constituted a working group on digital lending (the “Working Group”) to review the digital lending ecosystem and recommend a workable regulatory approach.

After seeking industry feedback, in September 2022, the RBI released a comprehensive framework to regulate digital lending in India (the “DL Guidelines”). The DL Guidelines apply to both regulated lenders and non-licensed lending service providers (LSPs) and digital lending applications (DLAs) that partner with regulated lenders. Consumer protection, data security and supervision of non-licensed technology partners by regulated entities are the key focus areas of the regulations.

A large part of the digital lending in the Indian market was modelled on the first loss default guarantee model; ie, where some part of the credit underwriting of digital loans was carried out by the LSP or DLA. The RBI commented on the systemic risks posed by such a practice on a large scale, and, in response, in June 2023, issued guidelines on default loss guarantee (DLG) arrangements (the “DLG Guidelines”). The DLG Guidelines cap the credit or loan exposure of an LSP to 5% of the aggregate portfolio sourced by such LSP.

Balance-sheet lending

Under the DL Guidelines, all loan servicing and repayments should be executed directly in a bank account of the regulated lender without any pass-through or pooled account of a third party; disbursements should also be made only in the bank account of the borrower, except for disbursals covered exclusively under statutory or regulatory mandate, flow of money between regulated lenders for co-lending transactions and disbursals for specific end use, in which cases the loan should be disbursed directly into the bank account of the end-beneficiary. Consequently, all “buy now pay later” models will now be treated as credit products.

Consumer protection and data governance

The DL Guidelines and the DLG Guidelines prescribe standardisation of contracts between regulated lenders and the LSP, as well as lending contracts, disclosure of a key fact statement by all lenders, adoption of anti-predatory practices by lenders and streamlining debt recovery processes. Regulated lenders are required to make transparent disclosure of the entire cost of lending, including penalties (annual percentage rate (APR)) upfront to customers. Further, the DL Guidelines prohibit collection of fees by LSPs from customers and put in place restrictions on collection of data from customers, as well as on the usage, sharing and storage thereof.

Web aggregators

The RBI has also accepted the recommendation of the Working Group in connection with a regulatory framework for web aggregators of loan products. Web aggregators are engaged in the aggregation of loan offers from multiple lenders on an electronic platform, which enables potential borrowers to compare and choose the best available loan option. The framework for web aggregators will focus on enhancing the transparency in the operations of web aggregators, increasing customer centricity and enabling borrowers to make informed choices.

Prohibition on topping up wallet using credit line

In June 2022, the RBI issued a circular prohibiting non-bank prepaid payment instrument issuers from loading prepaid payment instruments (PPIs) through credit lines. The RBI stated in the circular that, per the relevant RBI directive, credit lines are not sources of funds specifically permitted for loading PPIs and that non-bank PPI issuers should cease this practice with immediate effect. Accordingly, PPIs should only be topped up by the issuer through cash, direct bank transfer, credit or debit card, and other permitted payment instruments and/or PPIs (as allowed from time to time).

Cryptocurrency and Blockchain

Cryptocurrency

Cryptocurrency is not valid legal tender in India. India has moved away from its earlier “complete ban” approach to an approach that supports regulation of cryptocurrencies. As part of the G20 New Delhi Leaders’ Declaration, India will align itself with the globally agreed principles for crypto-asset regulation. India has already operationalised the Updated Guidance for a Risk-Based Approach on Virtual Assets and Virtual Asset Service Providers dated October 2021 and will be setting regulatory standards in line with the International Monetary Fund–Financial Stability Board’s Synthesis Paper.

The crypto ecosystem is decentralised but still relies on multiple intermediaries (exchanges, wallet platforms, and token issuers). Indian regulators are therefore now focused on regulating crypto intermediaries with rules centred around KYC requirements, consumer protection, disclosures and reporting requirements. The Government of India issued a notification on 7 March 2023 (VASP PMLA Circular) defining virtual asset service providers (VASPs) as “reporting entities” under the Prevention of Money Laundering Act, 2002 (read with the rules and regulations issued thereunder) (PMLA). The Financial Intelligence Unit – India (FIU-Ind) has also published on its website a set of guidelines known as the “AML & CFT Guidelines for Reporting Entities Providing Services Related To Virtual Digital Assets”, which came into effect on 10 March 2023. Every VASP operating in India needs to:

  • register with the FIU-Ind;
  • adopt the prescribed KYC verification processes to verify the identity of users at the time of onboarding; and
  • comply with other obligations under the PMLA (such as maintaining transaction records, reporting suspicious transactions and specified transactions to the FIU-Ind).

Blockchain

The Indian blockchain technology landscape has been evolving rapidly. The technology has been observed to deviate from its traditional applications such as cryptocurrency and smart contracts to functions focused on streamlining supply chains across industries, governance efforts and dedicated financing endeavours.

Banks and other financial institutions are embracing the use of blockchain technology-backed smart contracts as a facilitative mechanism of undertaking escrow account arrangements between parties. Blockchain technology can also be very useful in undertaking KYC processes, given its ability to provide tools to reliably verify the authenticity of KYC documents and allow for storage in formats that cannot be altered. The use of blockchain technology for carrying out KYC processes also provides more robust compliance with anti-money laundering standards.

A leading bank in India has partnered with BankChain to adopt blockchain solutions to manage mandatory KYC processes and related documents in its system. BankChain is a group of 27 banks in India and the Middle East that use blockchain solutions that increase the efficiency of financial transactions while maintaining the privacy of clients. Blockchain technology is also being utilised by banks to streamline their supply chain processes, particularly banks’ lending to small to medium-sized enterprises.

Data Protection and Privacy

New data protection regime

A key regulatory development that will be a game changer for the fintech industry in India is the enforcement of the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) which was enacted and notified in the Official Gazette on 11 August 2023. The DPDP Act provides for the protection of personal data and implements organisational and technical measures in processing personal data to ensure accountability of the entities processing personal data. The DPDP Act seeks to balance the rights of individuals to protect their personal data with the need to process personal data for lawful purposes. It applies to the processing of digital personal data and any personal data that may be collected offline but digitised subsequently. It may also apply to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to data principals (that is, the individuals whose personal data is subject to processing) within the territory of India.

The DPDP Act also amends the Information Technology Act, 2000 and the Right to Information Act, 2005. Once enforced, the DPDP Act will mark a paradigm shift in Indian data privacy laws, and the framework will provide for data privacy and protection and regulate the access, use, processing and storage of personal data of individuals.

Data localisation

The DPDP Act also contemplates a localisation requirement, providing that the Central Government may restrict the transfer of personal data for processing to any territory outside India as may be notified.

Privacy by design

The DPDP Act contemplates a “privacy by design” culture, where organisations are required to designate specialised data protection officers, organise external data audits periodically, and are statutorily obligated to the data principals. The enforcement of the DPDP Act will have the effect of bringing India’s data protection regime closer to global standards, such as those set by the European Union’s General Data Protection Regulation.

Access to data

Once enforced, the framework set out by the DPDP Act can be employed as one of the tools to regulate and control access to customer data by fintech platforms.

Shardul Amarchand Mangaldas & Co

Amarchand Towers, 216
Okhla Phase III
Okhla Industrial Estate Phase III
New Delhi
Delhi 110020
India

011 4060 6060

Connect@AMSShardul.com www.amsshardul.com