INTRODUCTION
As we cross the halfway mark of 2024, the fintech landscape continues to evolve rapidly, with regulatory bodies and industry players alike actively shaping the future of digital finance. True to the trend throughout the year, the Reserve Bank of India ("RBI") and other financial sector regulators have remained proactive, issuing several key directives aimed at strengthening the integrity of digital transactions.
While cybersecurity has been one of the RBI's main focus areas, the need to further strengthen cybersecurity practices remains, given the fast-paced evolution of technology.
In this edition of our fintech newsletter, which covers the period from July 1, 2024 to August 31, 2024, we explore developments in this sector, highlighting the intersection between regulatory oversight, technological innovation and market dynamics, in an environment ripe for transformative change.
RECENT LEGAL & REGULATORY DEVELOPMENTS
RBI notifies Master Direction on Cyber Resilience and Digital Payment Security Controls [1]
RBI notified the 'Cyber Resilience and Digital Payment Security Controls for non-bank PSOs Master Directions 2024' ("Cyber Resilience MD") to improve the safety and security of non-bank payment systems operated by payment system operators ("PSOs"). The Cyber Resilience MD is intended to be adopted in a phased manner, giving the different categories of PSOs adequate time to put the necessary compliance structure in place.
The Cyber Resilience MD inter alia, covers robust governance mechanisms for identification, assessment, monitoring and management of existing and emerging information systems, cyber security, and technology risks that non-bank PSOs are exposed to.
While the Cyber Resilience MD applies only to non-bank authorised PSOs, PSOs are mandated to ensure, subject to mutual agreement, that the unregulated entities they partner with also comply with it, in order to effectively mitigate the abovementioned risks; PSOs must formulate a board-approved organisational policy in that regard. Some key controls include:
- As part of governance controls, PSOs must inter alia:
  (i) formulate a board-approved information security policy ("IS Policy") to manage potential information security risks; this policy must cover all applications and products concerning payment systems as well as the management of risks that have materialised;
  (ii) prepare a board-approved Cyber Crisis Management Plan to detect, contain, respond to and recover from cyber-attacks and threats; and
  (iii) ensure that responsibility and accountability for implementation of the IS Policy and the cyber resilience framework rests with a senior-level executive of the PSO having expertise in information security, including cybersecurity.
- As part of digital payment security measures/controls, PSOs must inter alia:
  (i) facilitate their members/participants in having mechanisms for online alerts based on parameters such as failed transactions; and
  (ii) ensure redaction of bank account numbers/card numbers in the SMS/email alert or other notification sent to customers.
RBI releases draft framework on alternative authentication mechanisms for digital transactions [2]
The RBI released the Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions ("Draft Framework") to, inter alia, allow the payments ecosystem to leverage technological advancements and implement alternative authentication mechanisms. The Draft Framework applies to all 'payment system providers' and 'payment system participants' (including non-banks), who must comply with it within 3 (three) months from the date of issuance of the final directions. Some key aspects of the Draft Framework are set out below.
- All digital payment transactions shall be authenticated with an additional factor of authentication ("AFA"), unless specifically exempted.
- All digital payments (except card-present transactions) must ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated at the initiation of payment, is specific to that transaction and cannot be re-used.
- Banks/non-banks, where customers' accounts are maintained ("Issuers"), may adopt a risk-based approach in determining the appropriate AFA for a transaction and obtain explicit consent before enabling any new factor of authentication.
- Issuers are liable for the process and technology deployed for authentication of a digital payment transaction, and they shall also maintain the integrity of the authentication technology/process.
- Issuers are prohibited from entering into exclusivity arrangements with any Payment Service Provider or Technology Service Provider that are likely to restrict the Issuer's ability to offer alternative authentication solutions.
- The AFA requirement shall be exempt for the following transactions: small-value contactless card payments up to INR 5,000 (approximately USD 60) per transaction at Point of Sale (PoS) terminals, certain e-mandates for recurring transactions (other than the first transaction), gift prepaid payment instruments, prepaid payment instruments for mass transit systems, and small-value digital payments in offline mode up to INR 500 (approximately USD 6).
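The Draft Framework's requirement that one factor be dynamically created at payment initiation, transaction-specific and non-reusable, shown as an added illustration that is not code from the RBI framework or from any PSO: an issuer-side store binds a one-time code to the transaction's attributes with an HMAC and consumes it on first use, so a replay or an altered amount is rejected. The Transaction fields, the server key and the sample values are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple

class Transaction(NamedTuple):
    txn_id: str
    payer: str
    payee: str
    amount_paise: int

class DynamicFactorIssuer:
    """Issuer-side store for a transaction-specific, single-use factor (hypothetical)."""
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}  # txn_id -> binding tag of the issued factor
        self._used = set()  # txn_ids whose factor has already been consumed

    def _tag(self, txn, code):
        # Bind the code to every attribute, so a changed amount or payee no longer matches.
        msg = f"{txn.txn_id}|{txn.payer}|{txn.payee}|{txn.amount_paise}|{code}"
        return hmac.new(self._key, msg.encode(), hashlib.sha256).digest()

    def issue(self, txn):
        # Generated at initiation of payment; only its binding is kept server-side.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn.txn_id] = self._tag(txn, code)
        return code

    def verify(self, txn, code):
        if txn.txn_id in self._used:
            return "already used"
        tag = self._pending.pop(txn.txn_id, None)  # one attempt per issued factor
        if tag is None:
            return "no pending factor"
        if not hmac.compare_digest(tag, self._tag(txn, code)):
            return "factor not bound to this transaction"
        self._used.add(txn.txn_id)
        return "ok"

def demo():
    issuer = DynamicFactorIssuer(b"constructed-demo-key")  # constructed sample key
    pay = Transaction("TXN-0001", "payer@bank", "merchant@psp", 120000)
    code = issuer.issue(pay)
    results = {"genuine": issuer.verify(pay, code), "replay": issuer.verify(pay, code)}
    pay2 = Transaction("TXN-0002", "payer@bank", "merchant@psp", 120000)
    code2 = issuer.issue(pay2)
    results["tampered_amount"] = issuer.verify(pay2._replace(amount_paise=999900), code2)
    return results
```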
Through the recent amendments and changes in law, it appears that RBI is increasingly adopting a principles-based approach to allow for innovation.
RBI issues draft directions on streamlining onboarding of Aadhaar Enabled Payment System touchpoint operators [3]
The RBI has issued draft directions aimed at enhancing the robustness of Aadhaar Enabled Payment System ("AePS"). AePS facilitates transactions by way of Aadhaar number and biometrics or OTP authentication.
As per the draft directions, acquiring banks [4] are responsible for (a) conducting due diligence of 'AePS touchpoint operators' onboarded by them, (b) updating Know Your Customer ("KYC") where an AePS touchpoint operator has not performed any financial transaction for a period of 6 (six) months, and (c) monitoring the activities of AePS touchpoint operators on an ongoing basis and setting operational parameters. Acquiring banks as well as the National Payments Corporation of India ("NPCI") must ensure that an AePS touchpoint operator is onboarded by only one acquiring bank.
Separately, the draft directions also prescribe that all system participants must comply with all regulations concerning the operation of AePS issued by the NPCI.
RBI issues Master Directions on Treatment of Wilful Defaulters and Large Defaulters [5]
On July 30, 2024, RBI issued the Master Directions on Treatment of Wilful Defaulters and Large Defaulters ("Wilful Defaulters MD") to introduce a 'non-discriminatory and transparent procedure' for the classification of borrowers as wilful defaulters, with the aim of cautioning lenders and ensuring that no further institutional finance is made available to such defaulters. The Wilful Defaulters MD are applicable to entities such as banks, All India Financial Institutions ("AIFIs") and Non-Banking Financial Companies ("NBFCs"), including Housing Finance Companies (collectively, "Lenders"), and shall come into force on October 30, 2024. Lenders are responsible for identifying and classifying a person as a wilful defaulter in accordance with the procedure laid out in the Wilful Defaulters MD. This includes taking into consideration the track record of borrowers, as opposed to isolated transactions/incidents, and the examination of evidence of wilful default by an identification committee. [6] The Wilful Defaulters MD also contain specific provisions on the treatment of wilful defaulters in a transparent manner, the reporting and dissemination of credit information of 'large defaulters' and 'wilful defaulters', and other preventive measures that may be adopted.
SEBI streamlines prudential norms for passive schemes to promote ease of doing business for mutual funds [7]
By its circular dated July 8, 2024 ("SEBI Circular"), the Securities and Exchange Board of India ("SEBI") streamlined the norms applicable to "investments by passively managed mutual fund schemes in the group companies of their sponsors". This was undertaken pursuant to the public consultation on the recommendations of the working group constituted by SEBI to review the SEBI (Mutual Fund) Regulations, 1996 ("MF Regulations") and to augment ease of doing business for mutual funds. As per the SEBI Circular, mutual fund schemes are inter alia prohibited from investing more than 25 (twenty-five) percent of the net assets of the scheme in listed securities of the sponsor's group companies, except for investments by equity-oriented exchange traded funds and index funds, subject to conditions prescribed by SEBI.
RBI issues the framework for self-regulatory organizations ("SROs") in the fintech sector [8]
On August 19, 2024, RBI issued a press release announcing the framework for recognition of SROs in the fintech sector ("SRO Framework"). The framework sets out the objectives, responsibilities, eligibility criteria, membership, governance standards and application process for SROs.
Among the key objectives and responsibilities, an SRO must promote a culture of compliance and encourage progressive practices and conventions amongst its members. SROs must also constructively engage with the RBI and share relevant data with it for policymaking.
The framework also sets out the eligibility criteria for recognition as an SRO. Key factors include the applicant being a not-for-profit company registered under Section 8 of the Companies Act, 2013 and having a minimum net worth of INR 10 crores (approximately USD 1.20 million). Its membership should be voluntary, and it must adequately represent the sector with members of diverse types and sizes.
Pursuant to the release of the SRO Framework, the RBI had received three applications for recognition as an SRO in the fintech sector, out of which it has recognized one of the applicants, the FinTech Association for Consumer Empowerment (FACE), as an SRO. [9]
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.