FinTales Issue 31: Cow Paths & Regulatory Approaches

The price of doing the same old thing is far higher than the price of change.”
Bill Clinton


Regulating emerging tech is an exercise in navigating dichotomies. Governments and regulators across the world are grappling with pretty much the same questions: Will the old, tried, and tested laws endure the onslaught of new technologies? Take the FTX debacle, for example – is it good-old-fraud? If so, are anti-fraud and money laundering laws (that old battle axe) enough to deter and punish it? What about disruptive tech, like, AI – what happens when it hallucinates, or acts of its own accord, or is just plain creepy? When is technology novel enough… disruptive enough… odd enough… to command new rules of the game – new regulatory pathways?

Not to belabour the point, but I can’t help sharing this story about the allure of old, weather-beaten pathways: There once was a man who grew up on a farm; he spent many an idle childhood hour observing cows of the farm. Day after day, he saw them walk the same path – navigate the same trees, bushes and cross the same river. Come rain or shine, the cows followed the same path to their pasture. As years passed, the man moved away from the farm, only to return after twenty years. Much had changed – the trees, bushes, rocks around the farm were all gone; even the river was dry. But to his surprise, the cows still treaded the same path, avoided the same (now, imaginary) obstacles; taking the same circuitous path their ancestors followed – remaining frozen in time.

[Story credit: Stop Missing Your Life, Cory Muscara]

In this edition of FinTales, we explore: how RBI is creating new paths to regulate digital lending, while United States’ Securities Regulator continues to follow its old path to regulate crypto-businesses.

Now onto our FinTales menu for the month.

Main-course: stories on evolution of RBI’s outlook on FLDG, and US Securities Regulator’s choice to rely on existing laws to regulate crypto businesses.

Dessert: sweet news about e-RUPI opening new doors for PPI issuers.

Mints: a refresher about recent fintech developments.

Takeaway: articles and podcasts to grab and go.

Main Course

FLDG hits a sweet spot

First Loan Default Guarantees (FLDGs) made it to the top of our fintech wishlist for 2023. Regulate, don’t prohibit – was the fintechs’ ask of the RBI. On 8 June 2023, this wish was granted. The RBI greenlit FLDG.

A quick re-cap: FLDGs are risk-sharing arrangements where fintechs promise to compensate lenders for loan defaults. They are lifeblood of lender-fintech relationships. Fintechs use their credit underwriting algorithms to help lenders assess the creditworthiness of borrowers. And assure lenders of the quality of their services by offering FLDG. This gives lenders confidence to lend to customers with limited credit history. So, FLDG helps lenders bridge the credit gap and enables financial inclusion. But FLDG arrangements took a hit when the digital lending guidelines (released in September 2022) cast a shadow on their legality. The new guidelines lift this shadow.

Now, lenders can accept FLDG from their fintech partners. Or as the RBI calls them ‘loan service providers’ (LSPs) – these are entities that perform services like acquiring customers, underwriting, loan recovery, etc. RBI has, however, set a limit on FLDG: fintechs can only compensate (lenders) up to 5% of the loan portfolio that they source. But that’s not what our story is about. You can read all about the FLDG guidelines here and the industry reactions to it here. We, instead, trace how RBI’s outlook on FLDG has evolved over time: from suspicion to consultation, and finally to acceptance.

It all starts (and ends) with RBI’s ‘lend with a license or don’t lend’ policy. Back in the day, only banks could lend. Then, in the late 1990s, RBI allowed non-banks to lend if they got an NBFC license. A few years later, fintech entered the mix. Fintechs wanted to be front and centre of the lending action. The best option was to get an NBFC license, which was no walk in the park. So, they looked for alternatives. They tied-up with lenders (who would lend off their books), sourced borrowers for them, and provided value added services to their customers. They further sweetened the deal with a FLDG promise: they will foot the bill (partly or fully), if the borrowers failed to repay. FLDG slowly became a market practice. In some instances, the fintechs bore 100 % of the credit risk on loans. This, in effect, meant that fintechs took the entire risk of the loan portfolio, by piggybacking on a lender’s license. Lenders also benefitted. They expanded their loan books without added risk of borrower default. But FLDG’s unbridled growth posed concerns. It could proliferate unregulated lending. Lender’s reliance on FLDG may go up. And they may not mark unpaid loans as stressed or non-performing assets (in their books).  This may make identifying economical stress harder. To avert these risks, RBI stepped in. It sent notices to lenders, asking them to explain their arrangements with fintechs. At this point, FLDG was operating in a regulatory grey.

Fast forward to 2021, RBI’s working group (WG) on digital lending report recommended banning FLDG. Now, it was up to RBI to decide if it agrees with the WG’s recommendations. Then, in September 2022, RBI released the digital lending guidelines. Instead of offering clarity, the guidelines raised some new questions on FLDG’s legality. They mentioned that lenders entering FLDG arrangements were ‘advised’ to follow RBI’s securitization rules. These rules prohibit lenders from transferring risk in a loan pool to third-parties, while the loans are on their books. While this prompted lenders to re-evaluate their arrangements, FLDGs were not clearly outlawed. Meanwhile, a confused industry knocked on RBI’s door for clarity. They also wanted to make their point on why FLDG is important. To them, capping on FLDG was fair and acceptable. But a complete ban was not.

Amidst all this, RBI kept mum. It watched. It listened. But said nothing. In February 2022, it released FAQs on digital lending guidelines. Still nothing on FLDG. But behind the scenes, RBI was framing a calibrated FLDG framework. RBI, once again, began screening bank-fintech partnership agreements. It wanted to know who was underwriting customers – lenders or their fintech partners? Who bore the credit risk for defaults? RBI also regularly consulted industry to seek its views on FLDG. We spoke to Hardeep Singh, Head – Legal and Policy, CRED. “RBI adopted a consultative process from the start. It actively engaged with fintech players and regulated entities, seeking their views on FLDG,” he said. Perhaps, the consultation reshaped RBI’s outlook. It realised that FLDG with adequate oversight wasn’t undesirable. In fact, through FLDG, fintechs further the RBI’s vision of financial inclusion. So, RBI finally greenlit FLDG arrangements in the June 8 guidelines.

This is not the first time that RBI has softened its view after industry consultations. The journey of RBI’s data localisation rules was also similar. In 2018, RBI mandated that payment system data must be stored locally. If at all, the payment data is sent abroad, it must be deleted from foreign servers within 24 hours. But foreign banks, with Indian branch offices, typically house their money laundering detection software abroad. So, they told RBI that it must allow them to store a few attributes of payment data offshore. RBI relented by making limited concessions. RBI has, however, also denied changing its view in some cases. The implementation of card tokenization rules was one such instance. The rules prohibited several entities like payment aggregator and merchants from saving card details of payers. Despite industry push back, RBI did not relent. In RBI’s view, though the rules disrupted operations (in the short term), they were necessary to address data privacy and safety concerns. All it did was extend the implementation deadline multiple times to ensure preparedness.

These episodes tell us two things.

First, RBI is keeping a close eye on fintech’s growth. It is scrutinizing lender-fintech arrangements, collecting industry feedback, and asking fintech companies to explain their practices. Through this, it ensures that its regulation-making is not siloed, but consultative.

Second, RBI is a measured proponent of innovation. It has the appetite to allow, and in some cases promote innovative business models. But only after it has figured out a way to mitigate risks. That’s was happened with FLDG. It decided that 5 % cap will be the sweet spot for FLDG – where ecosystem can reap its rewards while warding-off its risks. Hardeep agrees. “The 5% cap (with adequate disclosures and controls that RBI has placed) is a great limit to start with for the digital lending ecosystem. A higher % cap would have perhaps enabled reckless lending practices”, he elaborates.RBI may, in some cases, decide that a product or proposition is a no-go because the risk posed is more than the reward promised. For instance, it refused to lift ban on loading of e-wallets through credit lines. Because the products operated like a credit card but weren’t regulated as one.

These patterns in regulatory behaviour offer valuable insight. Because regulations for fintech are often murky, inadequate, or even absent. So, the patterns may help fintechs assess how the regulator is likely to view a business model or idea. And when they should make representation to regulators. Even if a business model doesn’t fit neatly in the existing framework, RBI may be supportive if its impact on the ecosystem is a net positive.

SEC chooses stick over carrot for the crypto-industry

On 5 June, the Securities Exchange Commission (SEC), US’ securities regulator, filed a complaint in a US District Court against Binance. The next day, it filed a complaint against Coinbase. Earlier this year, crypto exchanges like Kraken, Beaxy, and Bittrex also faced similar actions. We won’t get into the details of the complaints in our story. We’ll, instead, explore SEC’s approach to regulating crypto. And why it’s problematic.

SEC’s key allegation is that crypto businesses are offering unregulated securities (to US citizens). There’s no standalone law or rule that regulates crypto-businesses in the US. So, SEC relies on Regulation by Enforcement or RBE:  where instead of making new rules, SEC takes crypto businesses to court, based on existing securities laws. For instance, SEC, in its complaints against Coinbase and Binance, has alleged that they offer unregulated investment contracts. And hence, violate securities laws.

To SEC, RBE is a time-tested approach. And so, is less likely to go wrong. In October 2000, Richard H. Walker, an ex-SEC Director, explained why SEC prefers this approach.

“[……] While I suppose this will come as a shock to no one, I truly believe that the enforcement process offers advantages over rulemaking.

First, the Commission’s enforcement tools enable us to respond more nimbly to change. A new spin on an old fraud can be attacked quickly with our existing investigative and prosecutorial powers. Drafting and adopting effective rules, on the other hand, typically requires the accumulation over time of evidence of a particular type or pattern of misconduct, followed by a lengthy notice and comment period. Thus, rulemaking always leaves us a little behind the curve. Moreover, as technology and the markets evolve rapidly, we can only expect to lose ground more quickly [……]

Second, the enforcement process enables the Commission to take targeted action against those engaged in misconduct, without necessarily implicating the conduct of those engaged in similar, but legal, activity. Enforcement actions require the Commission to make far fewer difficult determinations about where to draw lines among types of conduct.”

21 years later, Gary Gensler, SEC Chairperson, doesn’t mince his words while supporting RBE.

[….] If a driver is pulled over for speeding, it doesn’t really matter if she’s driving an electric vehicle or a gas-powered one.

There’s an old saying: When I see a bird that walks like a duck and swims like a duck and quacks like a duck, I call that bird a duck.

[….] Some market participants may call this “regulation by enforcement.”

I just call it enforcement.”

We agree that RBE has its benefits. It gives regulators agility to prevent and punish misconduct. But the cons outweigh the pros.

First, regulators are in the best position to regulate a nascent technology when they deeply engage with the industry. RBE is an adversarial process from the start. If the defending business fails in court, it faces punitive action. For example, SEC has, through the complaint, asked courts to permanently stop Coinbase from offering its services in the United States. This creates distrust between regulator and the businesses. And makes regulatory process non-inclusive and non-consultative.

Second, retrofitting existing laws to regulate cryptocurrencies is often like trying to fit a square peg in a round hole. In this context, a pertinent example is a legal challenge that e-Bay, a leading e-commerce business faced. In 2007, the French government classified eBay as a traditional auction house, subjecting it to strict regulations. But eBay successfully convinced courts that its business is different. Over time, as e-commerce businesses matured, regulatory approach also evolved on similar lines. Lawmakers realised that using laws that apply to brick-and-mortar businesses, to regulate e-commerce, is not suitable. For instance, European Union and India have already prescribed bespoke regulations for e-commerce entities.

Third, RBE may create regulatory uncertainty, leaving crypto-businesses in a constant fear of prosecution. The prominent players, unwilling to invest in an unfriendly regulatory environment, may take their business elsewhere. Bad actors may, however, continue to operate under the radar. Conversely, nations with forward looking regulations – like Market in Crypto-Assets Regulation – may be better placed to attract crypto-business (to set up shop). In fact, French officials have extended an open invitation to US crypto-business to set up shop in their country which boasts of a clearer regulatory regime.

So, while RBE may be effective in selected instances, it is unlikely to work for the crypto sector. The World Economic Forum rates it as one of the least preferred approaches to design crypto-regulations. So, are these reasons enough to persuade SEC to adopt a fresh outlook? If not, courts may, while deciding on the SEC’s complaints, nudge SEC in the right direction. Coinbase has already filed response to SEC’s complaint, and trial may commence soon.


e-RUPI to sweeten the deal for PPI issuers 

The RBI has plans to allow non-bank pre-paid instrument (or PPI) issuers (like MobiKwik and Paytm) to issue e-RUPI. So far, only banks could issue it. Also, at present, only Government and business entities can buy e-RUPI. RBI has proposed to extend this facility to individuals too.

This is a significant development, especially for PPI issuers. Before we explore how, let’s start with the basics. Launched in August 2021, e-RUPI is a pre-paid voucher powered by UPI. e-RUPI was originally launched to enable cashless welfare delivery. The buyers of e-RUPI (like Government or businesses) can distribute it to beneficiaries (like farmers and employees) of their choice. The beneficiaries receive e-RUPI on their cell phones as a QR code or SMS. e-RUPI is, however, purpose specific. If beneficiaries receive e-RUPI to pay school fees, they cannot use it to buy electronics. It can be used without the internet and on feature phones. So, it is accessible for beneficiaries who are not tech savvy or are in remote areas.

Now, onto why this is an important development for PPI issuers. PPIs are ideal for small ticket transactions, because they offer easy access to funds. This value proposition, however, has diminished with the advent of UPI. Customers, using UPI, can make payments from their savings account with similar ease. PPI as a deposit account is an inferior product compared to savings accounts because it does not offer any interest. At the same time, like bank accounts, it requires full KYC. So, this gives UPI a leverage. UPI has exposed an inherent weakness of PPI accounts. Attempts to use PPIs for credit delivery have also hit regulatory roadblocks.

But e-RUPI may help PPI issuers reclaim some of the ground they have lost. At present, the only PPI instrument that bears similarity to e-RUPI is a gift card. Like e-RUPI, gift cards are (often) purpose specific, and their buyers can transfer them freely to beneficiaries. But, they aren’t reloadable and can’t have a value of more than Rs. 10,000. Also, internet is necessary for gift-card redemption. e-RUPI will be reloadable, and have a separate authentication process, issuance limits, etc. It can be used without internet. So, by issuing e-RUPI, PPI issuers can now leverage a bigger market. The buyers of e-RUPI may use it for multiple purposes like: targeted donations, scholarships, utility bill payments, employee reimbursements, customer discounts and giving pocket money to children.


Cyber resilience rules for PSOs are in the making

RBI has released draft Master Directions on cyber resilience and digital payment security controls, for payment system operators (PSOs) like payment aggregators and PPI issuers. The draft directions aim to improve security of payment systems operated by PSOs. They outline baseline information security measures that PSOs must implement. The deadline to submit comments was 30 June 2023.

India and Philippines ink a pact on fintech cooperation

India and the Philippines have signed an MOU on fintech cooperation. Under the MoU, both countries will form a joint working group that will outline a framework for cooperation in three key areas: digitalization of payments, direct benefit transfer using national IDs, and financial inclusion. India has similar pacts with Singapore and the UK too.

NPCI’s diktat for PPI issuers

NPCI has, reportedly, asked all prepaid payment instrument issuers to stop their wallets from being used on their co-branding partners’ platform, for UPI-based transactions. The deadline for implementation was 30 June 2023.

UPI shines, locally and globally

UPI recorded over 9 billion transactions in May 2023 – the highest till date. A PwC India report says that by 2026-27, UPI will account for 90% of the total retail digital payments in the country. Apparently, UPI is also processing around 40% of the global real-time payments!

Coinswitch’ wealth-tech ambitions in India

Coinswitch is looking to enter the Indian stocks trading and financial services market. It also plans to apply for a stock broker license (with SEBI). Coinswitch’ aim is to be a go-to platform for wealth tech products in India. To succeed, it has to compete with players like Zerodha and Paytm Money.

India’s metaverse and web3 market to reach USD200 billion by 2035

A report by Arthur D. Little, a global management consulting firm, estimates that India’s metaverse and web3 market will become a USD 200 billion industry by 2035. India’s growing retail and financial services sectors are expected to drive this expansion.


  • The State of Web3 perception around the world [Consensys]
  • India wants a credit rating upgrade! [Finshots]
  • Save Now, Pay Later (SNPL)- An emerging business model in Fintech [ Credgenics Blogs]
  • Fintech Global: Will AI take over the regulation and compliance in the future? [Theta Lake Article]

How does Big Tech shake up the payments industry? [11FS Podcast by Fintech Insider]

Image credits: Shutterstock

That’s it from us. We’d love to hear from you. Write to us at to chat with our team about all things fintech regulation and policy.

See you next month.

If you enjoyed this edition of FinTales, do share it.

the status quo

Bringing what's next...