The Indian fintech sector received over USD 2 billion in investments in 2021 (as of August 2021), USD 411 million more than the investments received in 2020.[1] The value of transactions through digital modes such as the Unified Payments Interface ("UPI") and card payments also continues to grow at record rates.[2]
In line with its policy objective of consumer protection, and to make digital payment systems more secure and convenient for consumers, the Reserve Bank of India ("RBI") has introduced important changes to the extant guidelines on digital wallets, recurring payments and tokenisation, and has introduced new outsourcing norms for payment system operators to bring them on par with banks and non-banking financial companies ("NBFCs").
This newsletter highlights the key developments in the Indian fintech space from July 01, 2021 to September 30, 2021.
RECENT REGULATORY DEVELOPMENTS
Prepaid Payment Instruments
On August 27, 2021, the RBI issued a fresh set of Master Directions on Prepaid Payment Instruments ("New PPI Guidelines"),[3] introducing key changes to the erstwhile regulatory framework, viz. the 'Master Direction on Issuance and Operation of Prepaid Payment Instruments' dated October 11, 2017.
The New PPI Guidelines have overhauled the existing prepaid payment instruments ("PPIs") framework and have simplified the categorisation of PPIs into two categories, 'small PPIs' and 'full-KYC PPIs', both of which can be issued by banks and non-bank entities. Small PPIs, which require only minimum details of the PPI holder, can be used only for the purchase of goods and services from an identified group of merchants (those that have a specific contract with the PPI issuer, or contract through a payment aggregator or payment gateway); such PPIs cannot be used for cash withdrawals or fund transfers. Full-KYC PPIs, which require the entire KYC process of the PPI holder to be completed, are not restricted to an identified group of merchants and allow cash withdrawals and fund transfers back to the source account (subject to certain prescribed limits), which is similar to the earlier open system PPIs. Closed system PPIs continue to remain outside the ambit of the New PPI Guidelines.
Amongst many other changes introduced in the New PPI Guidelines, the RBI has: (a) reiterated its objective to mandate interoperability for full-KYC PPIs as per its earlier directions (and identified the role of the NPCI and authorised card networks in this regard); (b) allowed the use of video-based identification processes for customer onboarding – both for the issuance of full-KYC PPIs and to convert small PPIs to full-KYC PPIs; and (c) introduced norms for escrow account management, information security measures, and customer grievance redressal, to be followed by PPI issuers (in line with the RBI's guidelines for non-bank payment aggregators).
The above development, aimed at simplifying the regime for PPIs and creating a level playing field between bank and non-bank issuers, reinforces the RBI's objective of driving financial inclusion through PPIs, given their high degree of penetration among smartphone users in India, while simultaneously strengthening consumer protection safeguards for PPI transactions.
New regulatory norms for outsourcing by non-bank payment system operators
To mitigate and effectively manage the risks involved in outsourcing payment and settlement-related activities, the RBI has issued a new regulatory framework governing such outsourcing by non-bank payment system[i] operators ("PSOs") ("Outsourcing Framework").[4] Crucially, PSOs are prohibited from outsourcing certain 'core management functions', such as risk management, internal audit, and determining compliance with KYC norms.
PSOs must comply with certain minimum criteria in their outsourcing arrangements with entities in India and abroad. In particular, PSOs must retain supervisory oversight to ensure compliance with the RBI's norms, frame a board-approved outsourcing policy, conduct due diligence on service providers, follow norms on confidentiality and security of data, and meet additional requirements for off-shore outsourcing, amongst other obligations. Importantly, incidental activities such as onboarding customers and IT-based services are construed as 'payment and settlement-related' services that can be outsourced. The RBI has reserved the ultimate responsibility and liability of the PSOs (together with their senior management) with respect to the outsourced activity and the actions of the service provider: outsourcing an activity does not outsource accountability for it.
The Outsourcing Framework brings non-bank PSOs on par with banks and NBFCs (which have so far been following similar outsourcing norms) and underscores the growing importance of non-bank PSOs in the digital payments ecosystem in India. PSOs will also need to re-assess their outsourcing arrangements (current and prospective) to ensure compliance with the Outsourcing Framework by the deadline of March 31, 2022.
Expansion of the scope of the device-based tokenisation framework
In order to address stakeholder pushback against the restriction on storage of card-on-file data by merchants and payment aggregators, the RBI is taking steps to scale up 'tokenisation' to balance data security concerns with the convenience of digital payments. To achieve this, the RBI has amended its device-based tokenisation framework for card transactions ("Tokenisation Framework") and now permits authorised card networks (as token service providers) to offer card tokenisation services to any token requestor for consumer devices, including laptops, desktops, wearables (wrist watches, bands, etc.), 'Internet of Things' devices, etc., subject to certain prescribed conditions.[5] Earlier, this facility was available only for mobile phones and tablets.
The RBI has further extended the Tokenisation Framework to permit authorised card networks to offer Card-on-File Tokenisation ("CoFT") services, subject to obtaining the customer's explicit consent (along with an additional factor of authentication) for tokenisation of their card data.[6] Because these tokenisation services are offered on a voluntary basis, their seamless availability across all card networks is not assured.
The restriction on storage of card-on-file data (irrespective of PCI DSS compliance) is expected to cause significant difficulties and second-order consequences for customers, merchants and the overall digital payments ecosystem in India. Although the RBI is rightly concerned about cyber-security incidents and tokenisation is a step in the right direction, full-scale tokenisation is still at a nascent stage in India. Its widespread adoption will require significant technology investment and infrastructure development by industry stakeholders, including card network operators, banks, payment aggregators and merchants.
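What the storage restriction and the CoFT facility mean at the merchant's end, shown as an added illustration that is not code from this newsletter, the RBI or any card network: the merchant keeps only a token issued by the token service provider plus the last four digits for display, so a dump of its card table yields no card numbers, and only the token service provider can map a token back. The page says nothing about the mechanics, so the Python below assumes that the token service provider keeps a vault, that tokens are random rather than derived from the PAN, and that each token is bound to the token requestor it was issued to; the PAN, merchant identifiers and customer names are constructed test values.

```python
"""Card-on-file tokenisation at the merchant boundary (added illustration).

Assumptions not stated on the page: the token service provider (TSP) keeps a
vault mapping token -> (PAN, requestor); tokens are random, not derived from
the PAN; a token resolves only for the requestor it was issued to.
"""
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Standard Luhn check, used to reject malformed PANs and to shape tokens."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit that makes `partial + digit` Luhn-valid."""
    for c in "0123456789":
        if luhn_valid(partial + c):
            return c
    raise AssertionError("unreachable: one digit always satisfies Luhn")


class TokenServiceProvider:
    """Hypothetical TSP: the only party able to map a token back to a PAN."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}  # token -> (PAN, requestor)

    def tokenise(self, pan: str, requestor_id: str, *, consent: bool, afa_passed: bool) -> str:
        # The framework requires explicit customer consent plus an additional
        # factor of authentication before card data may be tokenised.
        if not (consent and afa_passed):
            raise PermissionError("explicit consent and additional factor required")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("malformed PAN")
        # Random 16-digit, Luhn-valid token: it fits PAN-shaped fields but
        # carries no bits of the PAN, so it is useless without the vault.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(15))
            token = body + luhn_check_digit(body)
            if token not in self._vault and token != pan:
                break
        self._vault[token] = (pan, requestor_id)
        return token

    def detokenise(self, token: str, requestor_id: str) -> str:
        # Domain restriction (assumed): a token stolen from merchant A does not
        # resolve when presented by merchant B.
        entry = self._vault.get(token)
        if entry is None:
            raise LookupError("unknown token")
        pan, bound_to = entry
        if bound_to != requestor_id:
            raise PermissionError("token not issued to this requestor")
        return pan


@dataclass
class CardOnFile:
    token: str
    last4: str      # display only; never enough to transact
    network: str


@dataclass
class Merchant:
    merchant_id: str
    tsp: TokenServiceProvider
    cards: dict[str, CardOnFile] = field(default_factory=dict)  # customer -> card

    def save_card(self, customer: str, pan: str, network: str, *,
                  consent: bool, afa_passed: bool) -> CardOnFile:
        token = self.tsp.tokenise(pan, self.merchant_id, consent=consent, afa_passed=afa_passed)
        record = CardOnFile(token=token, last4=pan[-4:], network=network)
        self.cards[customer] = record  # the PAN itself is never persisted here
        return record

    def stored_values(self) -> list[str]:
        """What a dump of the merchant's card table would reveal: tokens only."""
        return [c.token for c in self.cards.values()]

    def charge(self, customer: str) -> str:
        # The PAN is resolved transiently through the TSP for this merchant only
        # and handed onward; it is not written anywhere on the merchant side.
        return self.tsp.detokenise(self.cards[customer].token, self.merchant_id)


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    shop = Merchant("MERCHANT-A", tsp)
    rec = shop.save_card("alice", "4111111111111111", "VISA", consent=True, afa_passed=True)
    print("stored:", shop.stored_values(), "display:", rec.last4)
```

The constructed PAN 4111111111111111 is a widely used Luhn-valid test number, not a real card. The consent and additional-factor gate sits at tokenisation time, which is where the framework places it; detokenisation is gated on the requestor binding instead.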
Access for non-bank entities to Centralised Payment Systems
In furtherance of its earlier announcement, the RBI has amended the Master Directions on the Access Criteria for Payment Systems,[7] to enable direct access for regulated non-bank entities in the payments ecosystem (such as PPI issuers, card networks, and white label ATM operators) to the Centralised Payment Systems ("CPSs") of the RBI, viz. the RTGS and NEFT systems.
Direct access to the CPSs will include allotment of a separate IFSC code, opening of a current account and maintaining a settlement account with the RBI, as well as membership of the Indian Financial Network ("INFINET") and use of the Structured Financial Messaging System ("SFMS") to communicate with the CPSs. This is subject to the non-bank entities' adherence to the prescribed eligibility criteria and other operational and prudential norms, including a valid authorisation from the RBI under the Payment and Settlement Systems Act, 2007 ("PSSA").
The above amendment is intended to minimise the overall settlement risk in the payments ecosystem by reducing dependence on banks, as well as to reduce the cost of payments, the risk of failure and the time taken to execute fund transfer orders.
Aadhaar e-KYC Authentication Licence for non-banking entities
Through a press release dated September 13, 2021, the RBI released the format that NBFCs, payment system providers and payment system participants can use to submit an application to the RBI, for onward submission to the Unique Identification Authority of India ("UIDAI"), to seek an Aadhaar e-KYC Authentication Licence[ii] issued by the UIDAI for use of the UIDAI's e-KYC facility.
Earlier, Section 11A of the Prevention of Money Laundering Act, 2002 permitted only banks and non-bank entities notified by the Central Government (in consultation with the UIDAI) to carry out authentication of a customer's Aadhaar number using the e-KYC facility provided by the UIDAI. This facility enables banks and notified non-banking entities to complete customer on-boarding through an efficient, seamless and remote process that does not require physical verification of the customer.
i. The Payment & Settlement Systems Act, 2007 defines "payment system" to mean "a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange but includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations"
ii. Aadhaar Authentication Licence – KYC User Agency (KUA) or the sub-KUA Licence
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.