"Overall, on behalf of Paytm, I can say that it is more of a big speed bump, but we believe that with the partnership of other banks and the capabilities that we have already developed, we'll be able to see through in the next few days or quarters....."
- Vijay Shekhar Sharma, CEO Paytm & Promoter Paytm Payments Bank Limited
On 31 January 2024, the RBI imposed a series of restrictions on Paytm Payments Bank Limited. Starting 29 February, Paytm Bank cannot offer customers any banking and payment services, including wallets, UPI facility, bill payments, fund transfers etc. It must also terminate the nodal accounts of two of its group companies. Much has been said and written about RBI's action and only time will tell whether it's a speed bump or a head-on collision in Paytm's journey.
Largely, two reasons emerged for the action against Paytm Bank:
First, KYC/AML violations: lapses in KYC/AML checks and inadequate KYC infrastructure.
Second, dependency on One97 Communications Limited (One97): One97 is the listed promoter company which owns the platform through which Paytm Bank distributes its banking/payment products. The bank's co-dependency on One97 made the RBI uncomfortable.
Whether or not the regulator's wrath is justified is speculative and futile at this point. The fact is that it has happened. Paytm must deal with the aftermath and the industry must deal with the second order effects of this action. A few learnings (from Paytm's ordeal) are:
- The obvious bit – KYC/AML compliance: Nothing new here. No interesting angle. No novel lesson. Just do your KYC and keep pushing it – which to be fair is akin to an 'eat your vegetables' sermon to the industry. Anyone in the business of moving or holding public money already knows how important robust KYC/AML systems are. But vegetables suck. So do endless KYC checks. KYC bumps up customer acquisition cost (especially if it's in-person), making it more expensive and even unviable for small ticket financial products. It also bugs the customer. Many of us just give-up mid-KYC (a sort of 'for the love of cake just take my damn documents and be gone'). As fintech lawyers, we've also fielded many a 'cute' interpretations of the RBI KYC guidelines. In the end we'd say, when it comes to KYC/AML checks – err, dear industry, on the side of caution. Digital financial safety is not only crucial to the regulator, it is also becoming a political hot-potato. Resist the honey-trap of 'frictionless' on-boarding. KYC, by definition, adds friction to the user experience. Let it.
- The daunting part - detangling regulated and unregulated functions: This is a tricky one. Most fintech businesses offer multiple regulated and unregulated products/features through a single umbrella platform. The platform (and the brand) is owned by a parent company where the core value vests. The platform may not on its own operate a regulated financial services business. Instead, these regulated businesses/products may be housed in group companies. Inevitably, there may be dependency and overlap between the regulated and unregulated businesses - where the group companies rely on the unregulated parent company for marketing, distribution, customer acquisition etc. This dependency between One97 and Paytm Payments Bank seems to have irked the regulator. So, should financial services platforms consider restructuring their offerings? Yes, we think so. The best case is to unbundle all regulated and unregulated activities - house them in separate apps/platforms. If that's not doable, then at the very least, these are a few principles to consider:
🫷 Arms-length distance (both, in form and substance) between group companies: Don't engage in any activity with your group entity, that you wouldn't with a third-party. Create sufficient distance between functions of group companies. This is basic hygiene and good governance.
🧼Data-sharing hygiene: In a platform play, there may be bi-directional data flow between unregulated (platform-owning) entity and regulated entity. Data may be collected at two levels: First, the platform-owing entity (that acquires users) generates and collects 'user data'. Second, the regulated entity generates and collects 'customer data' to offer its financial product to platform users (that avail these products). Now, the platform-owning entity may share user data with the regulated entity and the regulated entity may share customer data with the platform. This data sharing must not be unfettered. Data should not be porous across group entities. Creating data-sharing hygiene within the group is important. Of course, data-flow from the regulated entity to the unregulated group entity is a far more slippery territory than the other way round.
⛽Extent of control and co-dependency: If regulated entity excessively depends on the platform to steer its business operations (like marketing, product distribution, access to the brand name, sourcing capital etc.), it could be problematic. It should retain a demonstrable degree of independence and control over its business activities. In other words, if the platform is hit by a storm, the regulated entity should be able to weather it.
🧑🦰|👦Separate employees: Have a separate set of personnel/employees oversee the regulated and unregulated products/functions/features. So that the segregation (of both entities) exists functionally (not just optically).
📱A cleaner UI/UX: The customer is often unaware that there is another entity behind the platform that offers the regulated product. This happens when the brand of the platform-owning entity becomes synonymous with all the products and services offered through that platform. This is a red flag for the RBI. We saw this concern pop-up in the context of digital lending, when the RBI said that the borrower must know that the loan is offered by a regulated entity (and not a service provider of the entity). To sum-up, the platform's unregulated features and regulated product should not be co-mingled. So, consider structuring your UI/UX in a way that the customer can discern that the entity offering the regulated product and the one powering the platform, differ.
Now, onto the FinTales menu for the month.
Main Course: deep-dive on how data-related compliances inhibit growth of digital lending and what more is needed to foster a coherent digital lending ecosystem.
Dessert: sweet news about RBI's draft SRO framework for fintechs.
Mints: a refresher on recent fintech developments.
🍱 Main Course
🚧 Digital Lending - it's complicated
The fintech industry is on high alert after the RBI's action against Paytm. From panel discussions to media reports, editorial pieces to LinkedIn posts, compliance-related topics are trending. In keeping with the current mood, we discuss how data-related compliances are inhibiting growth of digital lending. And how the regulator can, with changing times, reimagine digital lending regulations.
India, as an evolving economy, is credit hungry. India's formal retail lending ecosystem has, however, failed to seize this opportunity. Banks and traditional NBFCs chase the creamy layer of borrowers. They rarely lend to 'new-to-credit' and 'thin-file' borrowers. This created a clear gap in the market – a mismatch between demand and supply.
Digital lending has emerged as a solution – especially during the pandemic. Digital lenders have introduced new credit products like small ticket sachet-sized loans, and point of sale loans (BNPL), etc. They have also started bridging the credit gap in unique ways: through innovative credit evaluation algorithms, digital lenders can unwrite borrowers more effectively and reduce bad loans. More importantly, they can risk-price thin-file borrowers by relying on alternate data. So, digital lending has also been an effective enabler of financial inclusion.
TL;DR: India needs digital lending.
Digital lending, however, needs data – vast amounts of data. Digital lenders generally offer unsecured loans (which is a risky business). The RBI has also noted the macro-economic risk of unsecured lending and increased its risk weights accordingly – this makes unsecured loans more expensive for lenders and, in turn, the customers. The only way for digital lenders to hedge their risk is refining their credit-evaluation models through user data. Data allows the models to 'know' the borrowers. This is how digital lenders can afford to dole out inherently risky unsecured loans to sub-prime borrowers. More refined underwriting models can predict delinquencies more accurately – this reduces defaults and the overall cost of lending. Data, therefore, is oxygen for digital lending.
To start with, digital lenders had unrestricted access to data. India's data laws were still in the making, and the digital lending regulations were nowhere in the picture. The story however turned murky when a few rogue digital lenders started harassing borrowers. So much so that the Central Government had to intervene. Our finance minister asked RBI to make a whitelist of digital lending apps. The Indian IT Ministry also blocked access to several unlawful digital lending apps. The RBI, at its end, introduced digital lending guidelines. A big reason why digital lenders earned bad name is misuse of data – like using phone book access to call defaulting borrowers (and their relatives) or phone gallery to morph borrowers' photos. There were existing laws at that time that prohibited such misconduct – RBI's fair practices code, RBI outsourcing code, and if all else failed the Indian Penal Code. The digital lending guidelines however went one step further. They did not just prohibit misuse, but also fettered access to data by digital lenders. For instance, the guidelines prescribe that digital lending apps must obtain only one-time access to the mobile phone resources of a borrower. This is a slippery slope. If regulations restrict access to key data-sets, the accuracy of underwriting diminishes and loan defaults rise. Continued access to data like location and SMS details of borrowers is important to detect early delinquencies. They are also necessary to train the underwriting models. The restrictions on data access makes digital lending riskier.
When digital loans become inaccessible/costlier for financially excluded consumers, they are forced to borrow from local money-lenders (often at exorbitant interest rates). This pushes them deeper into the debt-trap. While the state money lending legislations regulate money lenders, their implementation has been ineffective. This exacerbates the risk of exploitation of vulnerable borrowers by the money-lenders. The risk, however, does not draw as much media and industry attention as the misconduct of digital lenders. Exploitation by money-lenders has been told and retold many times. But the misconduct of a few rogue digital lenders invites strict regulations and scrutiny for entire digital lending industry, including the tech-players with deeper pockets and influence.
So, the problem statement is clear: how to ensure that digital lenders have access to data while preventing user harm? We think it is possible only with concerted efforts of the industry and regulator.
First, the industry and RBI must come together to expedite forming the proposed Self-Regulatory Organizations or 'SROs' (for RBI regulated entities and fintechs). SROs can help the industry players operate in a more cohesive fashion. A coordinated approach will help the industry intercept and prevent proliferation of any undesirable practices. It will also help them self-correct before regulation becomes a necessity. For instance, if the industry was well-coordinated, it could have reported predatory practices of rogue players to the RBI, before they became common-place. This would have prevented the strict scrutiny that adversely impacted most industry players. While banning unlawful lending apps, the Government sent notices to many reputed and compliant players too, asking them to explain their practices. Also, SROs have representations from diverse sections of the industry. Therefore, they are closely aware of the industry realities and best practices, which makes them well-positioned to help RBI frame balanced and enabling regulations.
Second, digital lending is a business of risk-management, and reliance on user data insights is critical for its success. A digital lender can access intercept and manage the risk only if it has access to phone resources of customers. Similarly, payment transaction data, which is indicative of a user's spending habits, can also be a crucial data point to manage risks.
The access of large amount of data by digital lending apps may be intrusive and unsavoury, but it's also necessary. And it's a reality that regulator must reckon with. Misuse of data and harm to borrower should be the inflection point for a practice to become unlawful. Instead of prohibiting digital lenders from accessing sensitive data sets, the regulator may focus on promoting their responsible collection and use. The regulator may, for instance, regularly audit data practices of lenders. Once the Data Protection Board is set up under the Digital Personal Data Protection Act, 2023, the RBI can also tap into its supervisory capacity to effectively oversee the data practices of its lenders.
Third, to address the data privacy concerns, the RBI may, in consultation with SROs and industry experts, consider notifying the broad parameters for credit evaluation models. The RBI and SROs may, for instance, encourage industry players to develop models with enhanced privacy features.
These measures will help foster a well-oiled digital lending ecosystem. This will take us closer to achieving our financial inclusion goals.
🍰 Dessert
RBI is in for self-regulation for fintechs
Last month, the RBI rolled-out a draft framework for SROs in the fintech sector (Fintech SRO). It is accepting comments on the draft till 24 February 2024.
The draft framework lays down the eligibility criteria, governance standards, application process, and conditions for granting recognition to the Fintech SRO. Members of the Fintech SRO must comprise of fintech companies. So fintechs (both regulated and unregulated) may obtain membership in the SRO. Although, the RBI has indicated that it will take a call on whether regulated entities must be members of the Fintech SRO, based on stakeholder discussions.
The RBI has been pushing fintechs to form an SRO for a while now. It views self-regulation as a more balanced way to keep the fintech sector in check, rather than formal or direct regulation (by the RBI). Currently, the fintech sector has several industry bodies. But none of them have been formally recognized by the RBI. The proposed framework will give formal recognition to SROs for fintechs. Doing so will benefit the fintech sector in many ways. SROs can help in effective rule-making – they are well-positioned to help regulators frame more balanced and enabling regulations, because they have representations from diverse sections of the industry. Self-regulation can also promote responsible innovation. Further, if regulatory framework for fintech products is absent or unclear, SROs can fill the regulatory gaps by prescribing best practices (for its members). We've talked at length about the benefits of self-regulation for the fintech sector in FinTales - August 2023 edition.
The RBI will notify the final SRO framework after taking inputs from the industry. The onus is now on the industry, to gear-up, and get the SRO rolling.
☘️Mints
🆑Clarifications to penal charges guidelines
The RBI has released FAQs on 'penal charges in loan accounts'. The FAQs clarify certain provisions of the RBI's 2023 guidelines on 'Penal Charges on Loans' for lenders. This includes clarification on what constitutes material terms and conditions in a loan contract, the upper limit on penal charges, timeline to implement guidelines for existing and new loans, and the type of credit facilities to which the guidelines apply, among other things.
✅A few more final PA approvals
Zomato Payments, Stripe India, GVP Infotech (Arthpay), and Digiotech have received the RBI's final authorization for their payment aggregator applications. A total of 13 entities have received final PA licenses from the RBI till date.
🚀RBI asks regulated entities to up their compliance game
The RBI has asked its regulated entities (RE) to leverage the use of technology solutions for monitoring compliance with regulations. This direction comes after RBI conducted assessments of certain REs' internal compliance functions and the tools they use to monitor compliance. It noticed that while REs use technology to automate compliance monitoring process, there was a need to deploy more advanced and integrated enterprise-wide solutions/tools.
📝 Google Pay inks an MOU with NPCI International
Google Pay has signed an MOU with NPCI International (NPCI's international arm) to expand the global footprints of UPI. The key objectives of the MOU are to enable Indians to make payments when they travel abroad; assist other countries in establishing UPI-like digital payments system; and simplify cross-border remittances between India and other countries through UPI rails. This initiative will position India as a leader in digital payments and accelerate UPI's global acceptance.
⬆️DMI Group acquires ZestMoney
DMI Group has acquired ZestMoney, a buy-now-pay-later (BNPL) fintech platform. The acquisition comes after ZestMoney shut down its business operations in December 2023. Through the acquisition, DMI can expand into check-out financing (a type of BNPL product that enables purchase of consumer durables on credit) by utilizing ZestMoney's BNPL product suite. DMI Finance, DMI Group's NBFC arm, will fund the loans for the BNPL offerings.
📈 India - a thriving hub for fintechs globally
As per a report by the World Economic Forum (WEF), India is among the most significant countries for the operation of fintech companies. The other countries include the US, the UK, and Singapore. The report was released during the WEF's Annual Meeting - 2024.
See you next month.
If you enjoyed this edition of FinTales, do share it.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
