An analysis of RBI's card directions that restrict fintech's access to card transaction data and their interplay with RBI's outsourcing guidelines.

In April 2022, RBI notified the directions on Credit and Debit Cards. In these directions, it asked co-branding partners to keep their hands off card transaction data. The RBI has, this time, gone straight for the fintech jugular – access to data.

A patchwork of regulations governs the fintech space. For example, no single direction governs digital payments or lending. Instead, multiple regulations – issued at different points in time – govern these products. Some regulations read in harmony, others don't. And the recent card directions (which bar co-branding partners from accessing the transaction data) are an example of the latter. Here's why.

Outsourcing directions

These are umbrella directions that govern regulated entities (like banks, NBFCs, non-bank PPI issuers, etc.). Each time these entities outsource any of their functions, they must abide by these directions. For example, a bank may outsource its customer support functions. Or, in a more recent market practice, a regulated entity partners with a tech company to build an app, acquire customers or market its products, as with MakeMyTrip ICICI Bank Credit Cards. Each of these service providers performs a function for the regulated entity – one which the regulated entity doesn't want to do (or can't do) on its own. The regulated entity can't, however, outsource its core functions – like making the decision on whether a borrower is creditworthy. RBI doesn't want an entity which it doesn't regulate taking these critical calls.

New card directions which bar access to card transaction data

These rules apply to a sub-set of outsourced service providers – a card issuer's co-branding partner. Like MakeMyTrip (in the earlier example) – which co-brands the credit card that ICICI Bank issues.

A co-branding partner needs access to customer data to perform its functions. Both the outsourcing directions and the new card directions regulate this access. The new card directions prohibit a co-branding partner from accessing customer transaction data. But the outsourcing directions don't. They allow the co-branding partner to access this data on a 'need-to-know' basis. This is where the card directions and outsourcing directions are not harmonized.

The new card directions are also not attuned to market reality. The outsourced service providers are becoming more interwoven in the fabric of the payments value chain. Let's take the example of technology service providers like M2M, Zeta and Setu. They design the tech-stack for the card issuers. And assist in transaction processing. These tech players need access to card transaction data to provide services. In most cases, their logo appears on the cards. So, they also act as co-branding partners. Now whether these players can access card transaction data is open to differing interpretations.

But an even bigger concern is the RBI's intent to put an embargo on outsourced service providers from accessing transaction data. It's likely triggered by events like misuse of data and identity theft on the Dhani App. RBI wants to prevent misuse of card transaction data. But blanket prohibition of this kind will inhibit fintech innovations. As RBI has itself stated on multiple occasions, fintechs are responsible for many data-fueled innovations. Transaction data gives important insights to fintechs on strengths and pitfalls of the tech-infrastructure. It aids in detection of frauds, and better creditworthiness assessment. Regulated entities often rely on their service provider for these tech-enabled functions.

RBI must consolidate and modernise the regulatory patchwork which governs tech-outsourcing arrangements. It has already proposed to issue new Master Directions on IT Outsourcing. The new master directions can prescribe activity-based regulations for different outsourced functions like software-based services and customer-facing services. The directions can be graded according to the criticality of the function outsourced. A fintech which designs and manages chatbots for customer services can be subject to light-touch regulations. On the other hand, a fintech which designs and manages software for payment processing can be subject to stricter regulatory standards. For example, RBI can ask fintechs like Zeta, M2M and Setu to adopt higher data security and confidentiality measures. This will prevent data misuse, without hampering innovation.
