What's New?
Master Directions on Cyber Resilience and Digital Payment Security Controls for Non-Bank Payment System Operators
The Reserve Bank of India ("RBI"), vide notification dated July 30, 2024 has issued the Master Directions on Cyber Resilience and Digital Payment Security Controls for Non-Bank Payment System Operators to establish a governance mechanism for managing information systems and cybersecurity risks among non-bank Payment System Operators ("PSOs").
These directions will be phased in from April 2025 to April 2028, based on the PSO's categorisation as small, medium and large as per the Oversight Framework for Financial Market Infrastructures and Retail Payment Systems . Large PSOs, such as the National Payments Corporation of India ("NPCI"), card payment networks and payment aggregators must comply by April 2025. On the other hand, small PSOs, such as Small Prepaid Payment Instrument ("PPI") issuers and money transfer operators have until April 2028 to ensure compliance with the directions.
Key provisions under the directions include:
- PSOs' boards are responsible to oversee information security risks, with the option to delegate to a subcommittee;
- PSOs must adopt board-approved information security policies and cyber crisis management plans to address security risks and cyber threats, along with policies for access control and network security measures;
- PSOs must follow a 'secure by design' approach, conducting regular security testing, implementing data leak prevention policies, and complying with outsourcing guidelines;
- PSOs must establish incident response mechanisms, including stakeholder notification procedures;
- for digital payments, PSOs must provide online alerts for failed transactions, transaction velocity and other parameters, including behavioural biometrics; and
- PSOs issuing PPIs must send One-Time Passwords ("OTPs") and transaction alerts in a customer's preferred language and enforce cooling periods for fund transfers.
PSOs are also required to ensure that the third parties they engage with (such as payment gateways and vendors), are contractually obligated to comply with the directions.
Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions
RBI, vide a press release dated July 31, 2024 published Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions, aiming to reduce the reliance on OTPs sent via Short Message Service ("SMS") for Additional Factor Authentication ("AFA").
The draft guidelines state that all digital payments must include mandatory AFA, which must be:(a) dynamically generated after the transaction is initiated (other than for card-present transactions);
(b) specific to each payment; and (c) not reusable. The requirements in (a), (b) and (c) above do not apply to card present transactions, which may continue to rely on Personal Identification Number ("PIN") based AFA.
However, certain transactions, such as small value card-present transactions, mass transit payments, gift PPIs, and recurring e-mandate transactions, are exempt from the requirement for AFA.
RBI has advised issuers to adopt a risk-based approach considering factors such as customer risk profile, transaction value, and payment channel to determine the appropriate AFA.
The draft guidelines signal RBI's push towards modernising digital payment authentication emphasising flexibility in securing transactions. This approach aims to reduce vulnerabilities associated with SMS-based OTPs while accommodating diverse transaction types and risk profiles.
Draft Directions on Aadhaar Enabled Payment System – Due diligence of Aadhaar Enabled Payment System Touchpoint Operators
RBI has published draft directions on Aadhaar Enabled Payment System – Due Diligence of Aadhaar Enabled Payment System ("AePS") Touchpoint Operators to safeguard bank customers from fraud in AePS based transactions caused by identity theft or compromised credentials.
AePS allows acquiring banks to onboard agents to operate AePS touchpoints and terminals for transactions using Aadhaar-based biometric or OTP authentication. The draft directions state that acquiring banks must conduct due diligence on these agents, as prescribed under the Master Direction - Know Your Customer (KYC) Direction, 2016. The draft directions also specify that each AePS touchpoint operator can only be onboarded by 1 (one) acquiring bank. Additionally, acquiring banks are required to monitor operators' activities and set operational limits based on their location and risk profile.
The draft directions highlight RBI's focus on mitigating fraud risks in Aadhaar-enabled transactions by enforcing strict due diligence and monitoring of agents. By limiting operators to 1 (one) acquiring bank, the guidelines aim to enhance accountability and tighten oversight in rural and remote payment ecosystems.
NPCI launches Unified Payments Interface Circle for delegation of payments
NPCI, vide circular dated August 13, 2024 introduced Unified Payments Interface ("UPI") circle ("UPI Circle") , a feature that allows UPI users to delegate payment authority to trusted secondary users.
The UPI Circle allows for 2 (two) types of delegation:
- Full Delegation: The primary user grants the secondary user full authority to initiate and complete transactions within a defined spending limit (subject to maximum monthly limit of INR 15,000 (Indian Rupees fifteen thousand) and per transaction limit of INR 5,000 (Indian Rupees five thousand) without needing further approval; and
- Partial Delegation: The secondary user can initiate transactions, but the primary user must authenticate and approve the payment using their UPI PIN.
UPI Circle thus introduces a flexible delegation system, allowing primary users to securely share payment authority with trusted individuals. This feature enhances convenience while maintaining control through customisable limits and optional approval steps, broadening UPI's use cases for families and businesses.
RBI announces the Unified Lending Interface
RBI has announced its plans to launch the Unified Lending Interface ("ULI") during the RBI@90 Global Conference held on August 26, 2024.
ULI aims to enable lending institutions to offer frictionless, end-to-end digital credit. The system will streamline lending by granting access to digitised financial and non-financial data from multiple data service providers. Additionally, ULI proposes to utilise standardised Application Programming Interface ("APIs") that will allow lenders to easily access information from various sources without complex integrations, thereby reducing the time required for credit appraisal and particularly benefiting smaller and rural borrowers.
Previously known as the 'Public Tech Platform for Frictionless Credit', ULI is currently in its pilot phase, and regulations are yet to be finalised. RBI has indicated that the regulations will be notified once the system is officially launched.
The introduction of ULI marks a significant step towards digitising and streamlining the lending process, enhancing access to credit for underserved segments. By utilising plug and play APIs and consent-based data sharing, ULI aims to facilitate faster and more efficient credit appraisals, driving financial inclusion in India's lending landscape.
Quick Snapshots
- NPCI introduces auto top-up on UPI Lite: NPCI has introduced a new auto top-up feature on UPI Lite. UPI Lite is a wallet that enables users to make small-value transactions without the need for a UPI PIN. Currently, users can make PIN-less transactions of up to INR 500 (Indian Rupees five hundred) and maintain a maximum balance limit of INR 2,000 (Indian Rupees two thousand). However, when the balance is exhausted, users must manually reload it from their bank accounts. The new auto top-up feature aims to streamline this process, automatically reloading the UPI Lite balance by a user-selected amount (within the maximum balance limit) whenever the balance falls below a minimum threshold set by the user. NPCI has requested that members currently using UPI Lite implement this feature by October 31, 2024.
- NPCI enables UPI mandate feature of single block multiple debits: NPCI has introduced a new single block multiple debits feature on UPI mandate services. Currently, users can create a UPI mandate to authorise transactions by blocking funds in their accounts for future debits. With this new feature, users will be able to establish a UPI mandate with a blocking functionality that allows them to pre-authorise a transaction by reserving funds in their account for multiple debits. These debits can be initiated later until the blocked funds are exhausted or the mandate service is revoked. NPCI has issued guidelines regarding this feature and has instructed members to implement the changes by November 30, 2024.
- NPCI launches UPI Interoperable Cash Deposit ("UPI-ICD") to enable cash deposits at Automated Teller Machine ("ATMs") using UPI: NPCI has launched ("UPI-ICD") facility enabling users to deposit cash at cash deposit and recycler machines in banks and ATMs using UPI. Currently, cash deposits at cash deposit and re-cycler machines are primarily done using debit card. With UPI-ICD, users can now deposit cash without the need to carry a debit card, offering greater convenience and flexibility. The transaction limit for UPI-ICD is INR 50,000 (Indian Rupees fifty thousand) per transaction.
- NPCI launches 'UPI One World' wallet for all foreign tourists: In a bid to further boost the usage of India's leading digital payment infrastructure, NPCI has introduced the 'UPI One World' wallet for all international tourists. This wallet will enable foreign visitors to make payments at merchant locations by simply scanning quick response codes using the 'UPI One World' app. NPCI initially launched 'UPI One World' wallet during last year's G20 summit, but its usage was limited to tourists from G20 countries. This functionality has now been expanded, allowing almost all foreign tourists to access the UPI payment system.
- NPCI launches 'UPI One World' wallet for all foreign tourists: In a bid to further boost the usage of India's leading digital payment infrastructure, NPCI has introduced the 'UPI One World' wallet for all international tourists. This wallet will enable foreign visitors to make payments at merchant locations by simply scanning quick response codes using the 'UPI One World' app. NPCI initially launched 'UPI One World' wallet during last year's G20 summit, but its usage was limited to tourists from G20 countries. This functionality has now been expanded, allowing almost all foreign tourists to access the UPI payment system.
- RBI recognises a self-regulatory organisation in the FinTech sector: Under the aegis of RBI's framework for Self-Regulatory Organisation(s) in the FinTech Sector ("SRO-FT"), RBI has recognised the Fintech Association for Consumer Empowerment as an SRO-FT. RBI also noted that it received 2 (two) other applications, one of which was returned for resubmission while the other is still under review.
- RBI approves cross border payment aggregator licences: RBI has granted the Payment Aggregator Cross Border ("PA-CB") licences to Cashfree, Billdesk, Amazon Pay and Adyen. These companies are the first to receive PA-CB licences following issuance of new regulations for the same in October 2023.
- RBI includes FASTag and National Common Mobility Card ("NCMC") within the e-mandate framework: RBI has extended the e-mandate framework for recurring transactions to cover payment systems like FASTag and NCMC, which involve recurring payments without a fixed period. Previously, the e-mandate framework only applied to transactions with a set frequency. In addition, RBI has introduced an automatic replenishment facility for these payments. Notably, both FASTag and NCMC transactions are exempt from the 24 (twenty-four) hour pre-debit notification, which is otherwise mandatory under the emandate framework. Following this, NPCI has also incorporated these transactions into the UPI Autopay framework, instructing participants to ensure auto-replenishment occurs without the need for the 24 (twenty-four) hour pre-debit notification.
Deals in the FinTech sector
- M2P Fintech, a FinTech company which offers API solutions to payments, lending and banking companies, has raised INR 850,00,00,00 (Indian Rupees eight hundred and fifty crore (approx. USD 101,000,000 (US Dollars one hundred and one million)) in its Series D funding, led by Helios Investment Partners. The company proposes to use the funds to strengthen its market leadership in India and expand its international presence, particularly in Africa.
- Aye Finance, a micro enterprise lending tech startup, has raised INR 250,00,00,000 (Indian Rupees two hundred and fifty crore (approx. USD 30,000,000 (US Dollars thirty million)) in its Series G funding round led by ABC Impact. It has also raised USD 25,000,000 (US Dollars twenty-five million) from Goldman Sachs (India) Finance through a loan securitisation deal. The company proposes to use the funds to scale operations and enhance the ability to deliver value to micro enterprises.
- FlexiLoans, a micro, small and medium enterprise focused digital lending platform has raised INR 290,00,00,000 (Indian Rupees two hundred and ninety crore (approx. USD 34,500,000 (US Dollars thirty four million five hundred thousand)) as a part of its Series C funding led by global investors Accion, Nuveen, and Fundamentum, along with existing backer Maj Invest. The company proposes to use the fresh capital to expand its operations, enhance product offerings, and strengthen its technological infrastructure.
- Drip Capital, a digital trade finance platform has raised USD 113,000,000 (US Dollars one hundred and thirteen million) in funding from GMO Payment Gateway, Sumitomo Mitsui Banking Corporation and International Finance Corporation. The funding round includes USD 23,000,000 (US Dollars twenty-three million) equity along with USD 90,000,000 (US Dollars ninety million) in debt. The company proposes to use the funds to accelerate its expansion plans and enhance product offerings for small and medium-sized businesses across key markets, including India and the United States of America.
- Vayana Network, a trade finance platform, has raised USD 20,500,000 (US Dollars twenty million five hundred thousand) as part of its Series D funding led by SMBC Asia Rising Fund. The company proposes to use the funds to fuel its plan to introduce new products.
- Innoviti, a merchant focused payments platform has raised INR 70,00,00,000 (Indian Rupees seventy crore (approx. USD 8,300,000 (US Dollars eight million three hundred thousand)) in its Series E funding led by Random Walk Solutions in a mix of debt and equity. The company proposes to use the funds to power its online merchant payment business.
- Dezerv, a wealthtech startup, has raised USD 32,000,000 (US Dollars thirty-two million) in its Series B funding led by Premji Invest. The company proposes to use the funds for crafting new investment strategies, boosting its technology platform to deliver superior client experience, and hiring investment specialists for its next growth phase.
- Jai Kisan, a rural-focused agri-fintech startup, has acquired a majority stake in Kushal Finnovation Capital Private Limited, a non-banking finance company ("NBFC") for an undisclosed amount. The company will now be able to cater credit products to their farmer and rural business customers with Kushal's NBFC license.
- Yubi (formerly CredAvenue), a digital lending unicorn has raised INR 250,00,00,000 (Indian Rupees two hundred and fifty crore (approx. USD 29,800,000 (US Dollars twenty-nine million eight hundred thousand)) in an equity capital infusion from its founder and CEO Gaurav Kumar.
- BharatPe, a FinTech startup that provides digital payments services, has raised INR 85,00,00,000 (Indian Rupees eighty-five crore (approx. USD 10,100,000 (US Dollars ten million one hundred thousand)) in debt from Trifecta Venture and InnoVen Capital.
- Neogrowth, a NBFC that offers credit solutions to small and medium-sized businesses, has raised USD 11,200,000 (US Dollars eleven million two hundred thousand) in debt from Symbiotics Group.
- Slice, a FinTech startup that offers UPI payments, consumer credit, and prepaid payment banking services, has raised USD 20,000,000 (US Dollars twenty Million) in debt from Neo Asset Management. The funding is part of a larger USD 30,000,000 (US Dollars thirty million) debt round.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.