The recent developments and updates in the second quarter of 2022 are reflective of a potential remarkable year ahead for the fintech industry. The quarter has witnessed the introduction and announcement of several key initiatives and changes by the Reserve Bank of India ("RBI"), with an aim to drive digitisation and enhance the outreach for digital payments in India. Some of the key updates in this sector are (1) introduction of the "Payments Vision 2025", - which is a document setting out the roadmap that the RBI proposes to follow over the next few years to bolster digital transactions and empower users with accessible and affordable payment options in India; (2) the launch of 'open network digital commerce', – which is an initiative to develop open and interoperable infrastructure for the e-commerce industry in India that is expected to particularly boost businesses of small merchants; and (3) the consolidation of the Credit Card and Debit Card - Issuance and Conduct Directions, 2022, - which has set out comprehensive instructions to card issuers on matters involving the issuance process and safeguards, telemarketing and strategic partnerships, among others. While some of these developments have been hailed by the market as a step forward in the right direction, some of the other measures introduced during this quarter have also created uncertainties. For instance, the recent circular issued by RBI on loading of prepaid payment instruments ("PPIs") through a credit line has put the future of several marquee fintech players in a limbo. Such measures are likely to impact the growth of this sector which was earlier expected to grow at an estimated rate of 7.5%, this year.
This newsletter highlights these key developments and measures as well as other developments in the Indian fintech space from April 01, 2022 to June 30, 2022.
RECENT LEGAL AND REGULATORY DEVELOPMENTS
On April 28, 2022, CERT-In issued 'directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for safe & trusted internet' ("CERT-In Directions") pursuant to subsection (6) of section 70B of the Information Technology Act, 2000. The CERT-In Directions have come into effect from June 27, 2022. This deadline has however been extended to September 25, 2022 for Micro, Small and Medium Enterprises (''MSMEs'').
The CERT-In Directions have covered different dimensions of cybersecurity measures and set out very extensive and onerous compliances and reporting requirements on all service providers, intermediaries (including financial intermediaries), data centres and body corporates to whom it is applicable. Some of the key provisions in the CERT-In Directions are as follows:
- All entities are required to report any cyber incidents to CERT-In within 6 hours of noticing the incident or being brought to notice about such incidents.
- All entities are to mandatorily enable logs of all their information and communication technology systems and maintain them securely for a rolling period of 180 days and the same must be maintained within Indian territorial jurisdiction.
- Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must mandatorily maintain all information obtained as part of know your customer ("KYC") checks and records of financial transactions, for a period of 5 years.
- All data centres, virtual private server providers, cloud service providers and virtual private network ("VPN") providers are required to collect certain information in relation to customer accounts including contact numbers, names, etc., and store it for a period of 5 years even after the cancellation or withdrawal of such subscription.
- CERT-In has the power to issue orders to entities mandating them to take action or provide information that assists CERT-In to prevent, pre-empt or address cyber incidents.
RBI's guidelines on establishment of digital banking units ("DBU Guidelines")1 were issued following the announcement made in the Union Budget 2022-23 for setting up 75 DBUs in 75 districts to commemorate 75 years of independence of India. The DBU Guidelines seek to promote digitalisation of existing banks.
A DBU is a specialised fixed point business unit or hub, housing certain minimum digital infrastructure for delivering digital banking products and services as well as servicing existing financial products and services digitally, to enable customers to have cost effective, convenient access along with an enhanced digital experience in an efficient, paperless, secured and connected environment with most services being available in self-service mode at any time, all year round.2
Scheduled commercial banks with past digital banking experience in tier 1 to tier 6 centres have been permitted to open DBUs with a direction to deploy adequate cybersecurity measures and use various tools and methods to create awareness about digital banking. Additionally, these banks have been provided an option to engage digital business facilitators or business correspondents, in conformance with relevant regulations, to expand the virtual footprint of DBUs.
It may be relevant to note that as recently as June, 2022, the RBI governor discouraged the idea of operating and regulating full stack 'digital only banks'.3 The RBI governor stated that there was no proposal currently to regulate neo-banks as it was felt that existing banks and non-banks could adopt additional technology for delivering banking services digitally.4 The DBU Guidelines accordingly are reflective of the sentiment shared by the RBI governor as the RBI for the time being aims to aid existing regulated banks offer better digital services while being disinclined about regulation of neo-banks.
The RBI issued the Card Directions which are applicable to every scheduled commercial bank (excluding payments banks, state co-operative banks, and district central co-operative banks) and all non-banking financial companies ("NBFCs") operating in India, effective from July 1, 2022.5 The Card Directions have been issued to regulate the conduct of credit and debit payments, and to provide an elaborate set of instructions to be followed by card-issuers. The Card Directions have replaced the master circular on credit card, debit card and rupee denominated co-branded pre-paid card operations of banks and credit card issuing NBFCs released in 2015 ("Master Circular of 2015").6 The new directions are more elaborate and have provided more clarity by explicitly providing the scope of co-branding arrangements and the roles of card-issuers and cobranding partners.
While most of the conditions have been reinstated from the Master Circular of 2015, the key distinction between the Card Directions and the Master Circular of 2015 is that the Card Directions have also allowed NBFCs to issue credit cards in tie-up with other banks after obtaining the approval of the RBI. Additionally, under the Card Directions, a co-branding partner has been restricted from accessing the customer's transaction data and from being involved in any of the processes or the controls relating to the co-branded card except for being the initial point of contact in case of grievances.
Draft guidelines on 'processing and settlement of small value export and import related payments' ("Draft OEIF Guidelines")
As per the extant guidelines on processing and settlement of export related receipts facilitated by online payment gateways that were issued by the RBI in November, 2010 ("Existing Guidelines"), banks are permitted to offer a facility of processing and settlement of import and export-related remittances by entering into standing contracts with online payment gateway service providers ("OPGSPs"). In the Draft OEIF Guidelines issued by the RBI, the concept of an OPGSP has been replaced with that of an online export-import facilitator ("OEIF").7 In this context, several additional responsibilities are proposed to be placed on an OEIF to reinforce consumer protection. For instance, an OEIF is required to ensure that the buyer is compensated and protected from liabilities that may arise from cross-border imports before the delivery of goods and digital products. It is also the responsibility of an OEIF to indicate the exact amount that can be refunded before a purchase is made. Additionally, an OEIF is accountable for the creation of a reserve fund for refunds in cases of disputes.
One of the other major changes proposed through the Draft OEIF Guidelines is an increase in the cap on the transaction limits for the online import and export of digital goods and products, which is now proposed to be fixed at USD 3,000 and USD 15,000, respectively.
Overall, the Draft OEIF Guidelines aim to modify the Existing Guidelines to simplify and rationalise the process for settlement of payment for export and import through e-commerce, given that more than 300,000 MSME exporters already rely on OPGSP services to collect payments.8 The additional compliance burden and financial risk on the putative OEIFs is something the RBI will need to navigate with stakeholders.
ONDC is an initiative launched by the Department for Promotion of Industry and Internal Trade with the aim of promoting open networks for all aspects of exchange of goods and services over digital or electronic networks.
ONDC is an open-sourced methodology which is independent of any specific platform. The network is based on an open protocol that will display products and services from all participating e-commerce platforms on one single network as an aim to democratize India's online market. The open protocols would be used for establishing public digital infrastructure to enable exchange of information between providers and consumers.
ONDC protocols aim to standardize operations like cataloguing, inventory management, order management and order fulfilment. Thus, small businesses will be able to use any ONDC compatible applications instead of being governed by specific platform centric policies. Through ONDC, consumers can potentially discover any seller (small or big), product or service by using any compatible application or platform, thus increasing the freedom of choice for consumers. As a result, ONDC would standardize operations, promote inclusion of local suppliers, drive efficiencies in logistics and lead to enhancement of value for consumers. However, the responsibility for onboarding of sellers and buyers and the management of the end-to-end order lifecycle will continue to reside with the relevant digital e-commerce applications and platforms.
All existing digital e-commerce applications and platforms are free to voluntarily choose to adopt and be a part of the ONDC network and accordingly, it is not a mandatory direction.
The RBI released the 'Payments Vision 2025', which is a document that sets out a roadmap outlining the vision of the RBI in so far as the legal framework is concerned surrounding digital payments and digital banking in India to increase the number of digital payment transactions threefold by 2025. The core theme of the document is "E-Payments for Everyone, Everywhere, Everytime (4 Es)" with the vision to provide every user with safe, secure, fast, convenient, accessible, and affordable e-payment options (6 attributes).
Some of the key initiatives under the Payments Vision 2025 include:
- Implementing alternative authentication mechanism(s) for digital payment transactions in light of increasing instances of phishing, vishing and smishing attacks, and the vulnerabilities of one-time password-based authentication to such attacks;
- Implementing a real or near real time reporting of payments fraud and operationalising an integrated system called the Central Payments Fraud Information Registry wherein all stakeholders can share information and initiate necessary corrective action to prevent frauds;
- Given the emerging geo-political risks, exploring the possibility of mandating domestic processing of payment transactions by the payment system operators;
- Intention to undertake a comprehensive review of different types of PPIs including the definition of closed-system PPIs and related aspects;
- Regulation of bigtechs and fintechs in the payments space to be explored and a discussion paper to be published;
- Evaluation of charges for all payment systems such as switching fee, interchange fee which are incurred while undertaking digital payments services, to ensure that such charges do not deter digital payments adoption;
- A framework on internet of things device payments covering aspects of data security, authentication, identity validation, etc. is intended to be introduced;
- Linking credit cards and credit components of banking products to unified payments interface ("UPI");
- Contemplating the issuance of guidelines on payments involving 'buy now pay later' ("BNPL") services;
- Undertake a comprehensive review of Review of Payment and Settlement Systems Act and regulations keeping in view the dynamic nature of the payment ecosystem;
- Expansion of inter-operability to contactless transit card payments in offline mode;
- Expanding the global footprint of domestic payments systems like UPI by collaborating with relevant stakeholders. Furthermore, the feasibility of expanding real time gross settlement to settle transactions in major trade currencies such as USD, Pound, Euro, etc. is intended to be explored through bi-lateral or multi-lateral agreements;
- To facilitate cross-border remittances using national electronic funds transfer, and remittance facilities as the one undertaken in the Indo-Nepal Remittance Facility Scheme is intended to be extended to other countries; and
- Constitution of a Payments Advisory Council with experts with a legal background along with those with expertise in payments technology and banking as well as representation from consumer groups, fintechs and start-ups, data analysts etc.
Framework for authorization in financial technologies on International Financial Services Centres (''IFSCs")9
The International Financial Services Central Authority ("IFSCA") issued a framework for authorisation in financial technologies on IFSCs on April 27, 2022 ("IFSC Framework") with a view to develop and regulate financial products, financial services and financial institutions in IFSCs and to encourage promotion of fintech across the spectrum of banking, insurance, securities, and fund management in IFSCs. It also aims to facilitate Indian fintechs seeking access to foreign markets and foreign fintechs seeking entry into India.
Through the IFSC Framework, IFSCA has invited applications for fintech Regulatory Sandbox and will accordingly grant limited use authorisation to the eligible fintech entities. This would enable them to apply and avail grants under the IFSCA Fintech Incentive Scheme 2022. The IFSC Framework also incorporates the inter operable regulatory sandbox mechanism, which is a proposed mechanism to facilitate testing of innovative hybrid financial products or services falling within the regulatory ambit of more than one financial sector regulator.
Accordingly, the IFSC Framework aims to serve as a unified regulator for banking, capital markets, insurance and funds management in IFSC, and accordingly enable fintech firms having innovative ideas or solutions across the banking, capital or insurance sector to have seamless interaction with a single regulator.
The PIDF Scheme was operationalised by the RBI from January 01, 2021 and is being modified by enhancing the subsidy amount and simplifying the subsidy claim process for the deployment of points of sale ("PoS") infrastructure (physical and digital modes) in tier-1 to tier- 6 centres and north-eastern states of the country.10
1. Reserve Bank of India - Notifications (rbi.org.in)
5. Reserve Bank of India - Master Directions (rbi.org.in)
7. Reserve Bank of India - Database (rbi.org.in)
9. International Financial Services Centres Authority (ifsca.gov.in)
10. Reserve Bank of India - Press Releases (rbi.org.in)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.