FinTales Issue 30: In Memoriam of the 2000-rupee note

The 2000-rupee note is teetering on its last leg, ready to kick the bucket, living on borrowed time.

You get the drift.

It’s not a sudden death (none of the horrors of the demonetization). It’s more of a slow fade into oblivion. Come 30 September 2023, the 2000-rupee note may cease to exist. The RBI wants the public to exchange or deposit these notes before this deadline. It’s unclear what happens after this deadline: will the 2000-rupee note remain as a legal tender? Will there be conditions on its exchange or deposit? Who knows. Which is why many citizens are flocking to the bank – the Biryani bank that is – to exchange their 2000-rupee notes for hillocks of Biryani.

Now, why did the RBI do this? According to the central bank, the 2000-rupee note was a stop-gap measure meant to tide through the cash scarcity post demonetization (in 2016). Seven years later, there are enough new 100 and 500-rupee notes in circulation, meaning the 2000-rupee note has outlived its utility. The central bank is also worried about the frail health of most 2000-rupee notes. 89% of these notes were issued before March 2017, which is a long life for a currency note.

Although the 2000-rupee notes still account for 11% of the total currency notes in terms of value. So, it won’t be a painless end.

In the meanwhile, here’s an obituary for the 2000-rupee note which had a short but eventful life.

In loving memory of the 2000-rupee note

With a heavy heart, we announce the demise of the 2000-rupee note. Born in November 2016, the 2000-rupee note lived a remarkable life. Having grown up amidst the chaos of demonetization. It will be remembered for being a pillar of support during those trying times and single-handedly delivering more value than its ancestors.

Featuring the Mars orbiter, Mangalyaan, it was a symbol of India’s aspiration to become a superpower. With its vibrant magenta color, it served as a beloved companion for life’s big (and expensive) milestones, from buying a house to hosting a wedding. Ailing since 2017, it finally lost the battle against the digital economy. It is survived by its siblings, the new 100 and 500-rupee notes, and will be dearly missed by all those whose lives (and wallets) it touched.

Join us for the memorial service on 30 September 2023 to bid farewell to the 2000-rupee note. May its soul rest in peace with its ancestor, the 1000-rupee note.

Now onto our FinTales menu for the month.

Main course: unpacking the labyrinth of RBI KYC rules and a new crypto-regulation wave.
Dessert: DLT finds a supporter in RBIH.
Mints: a refresher about recent fintech developments.
Takeaway: articles and podcasts to grab and go.

Main Course

Finding a way around the circuitous KYC maze

The challenge of KYC compliance haunts every financial institution. Be it established banks, or nascent and tech-savvy fintech companies. Over the years, the RBI’s KYC rules have undergone multiple amendments, each one raising the complexity-bar of KYC for regulated entities or REs (like banks and NBFCs). Recently, RBI released another amendment to the KYC directions.

Before we get to it, let’s begin with the basics. Financial institutions must conduct KYC to verify their customer’s identity, as part of their anti-money laundering obligations. The RBI KYC directions prescribe processes that REs must follow. Some of these can be completed remotely. Conversely, others require RE officials and customers to meet (physically) in person. These processes include KYC through audio-visual interaction over internet (Video KYC) and government repositories (of customer identification data) like UIDAI’s data repository, Central KYC Registry (CKYCR) and DigiLocker.

REs can pick any of the prescribed KYC processes. Although once chosen, the process must meet the standards under the KYC directions. REs increasingly prefer remote KYC processes – because they are faster, cheaper and (in many ways) better than in person verification. In the recent amendments, RBI seems aligned with this sentiment. It (once again) places Video KYC, the gold standard for remote KYC, at par with in-person KYC. This is because in Video KYC, an RE’s official completes a live audio-visual interaction with customers and an online verification of their documents. It also (for the first time) explicitly refers to CKYCR and DigiLocker based KYC as remote KYC methods. Which indicates that RBI may view these processes as standalone full-KYC processes. But, in the same breath, RBI also categorizes accounts opened through these remote KYC modes (except Video KYC) as high risk. And prescribes enhanced ongoing due-diligence measures for them. These measures include periodic KYC updation of these accounts at least once every 2 years, and verification of customer’s current address.

Despite being forward looking, the amendments fail to address the biggest bottleneck – the complexity of KYC framework. They don’t declutter the convoluted KYC framework, especially when it comes to remote KYC. We’ve been pouring over the KYC rulebook to decipher which KYC method is low-friction, cost-effective, yet compliant. But each KYC method has its gaps. Some are scalable but may not be compliant. For others, it’s unclear if they can be conducted remotely. These are some other ambiguities:

(a) Can remote KYC processes (other than Video KYC) be considered standalone full-KYC processes? For instance, a KYC process where an RE remotely verifies customer’s details against her DigiLocker documents and photo against her live-selfie. This clarity is important because despite being a gold standard for remote KYC, Video KYC is not scalable. It’s a cost and resource intensive process, which requires robust tech-infrastructure and presence of RE’s official during video interaction.

(b) What are some ways in which current address verification be conducted? Can it be conducted remotely?

(c) To what extent can KYC processes be outsourced by REs? For instance, can an independent contractor who is not RE’s employee complete the Video KYC process?

The regulatory clarity on these and other similar issues is missing. REs must, therefore, be cautious while designing their KYC strategy – because the procedural aspects of conducting KYC are mired in regulatory grey. This often leads to incorrect or inconsistent interpretations. For instance, there are media reports of CKYCR being flagged as ‘high risk’ by the RBI. This is not entirely correct. Because all forms of remote KYC (except Video KYC) – and not just CKYCR – are categorized as high-risk KYC modes. Further, it’s the customers onboarded through CKYCR (and other remote KYC modes) that are categorized as high risk, and not CKYCR. Such ambiguities cause inconsistency in market practice, resulting in some entities becoming over-cautious.

So, there is a pressing need to address the ambiguities and simplify KYC norms. The regulator must prioritize solving this piece of the puzzle over other proposals on its agenda – like a risk-based KYC regime or KYC processes based on innovations like distributed ledger technology.

But even if KYC norms are simplified and ambiguities are clarified – compliance with the letter of the law is not enough.REs’ internal KYC practices must be tailored to the unique levels of risk exposure that they face. Because even gold standards like Video KYC can fail, let alone other remote KYC modes. Recently, 5 imposters duped the fintech company, OneCard, of around 21.32 lakh rupees. They used publicly available personal details (like GST) of certain Bollywood celebrities to avail credit cards. To complete the live video interaction, they put their own pictures on the PAN cards. Miscreants will always find ways to exploit gaps and game the system. But REs must ensure they have appropriate defense mechanisms that can counter systemic risks like that one that OneCard faced – besides ensuring compliance with KYC norms.

Buckle up as regulators walk the talk of crypto regulations

May 2023 was an action-packed month for crypto regulations. The European Union (EU) adopted the Market in Crypto-Assets Regulation (MICA) – a first-of-its-kind comprehensive rulebook to govern crypto-assets. International Organization of Securities Commissions (IOSCO), the international securities watchdog, released its consultation paper on crypto-regulations. Comments on IOSCO paper can be submitted until 31 July. IOSCO will release its final recommendations after that.

These developments are significant but unsurprising. Increasing exposure of retail customers to crypto-assets has made regulations inevitable. Especially after a somber 2022 – that witnessed events like the FTX’s, Coinbase employee’s insider trading, and Bitzlato’s. Many of these events were avertable with stricter regulations in place. In fact, during the FTX crisis, Japan reaped the benefits of its existing digital assets laws. Its citizens recovered their assets (from FTX) way before FTX customers in other countries could. So, the impact of crypto regulations – even if unsettling in the short term – is a net positive. Regulatory certainty bolsters user and investor confidence. More companies will be encouraged to invest in underlying technology and financial innovation. Also, with crypto-asset’s increasing impact on traditional finance, regulations may enable better control over financial stability.

These global developments are also likely to impact India. More so, because India does not have a comprehensive law to regulate cryptos and is keen to adopt common global standards. Earlier this year, India proposed that IMF (International Monetary Fund) and FSB (Financial Stability Board) must suggest a global regulatory approach that the G20 countries (like India and Australia) can adopt. IMF and FSB may rely on the EU’s MICA for this – because EU (being a G20 member) would push for the global standards to be aligned with its laws. They may also rely on IOSCO’s recommendations (when finalized). Because G20 endorses IOSCO’s view, and more than 95 % of the world’s securities regulators are IOSCO’s members.

So, let’s look at the broad themes under MICA and proposed recommendations of IOSCO to gauge how global crypto standards – that India may also adopt – are shaping up.

Same activity, same risks, same regulations: is the principle that both MICA and IOSCO rely on. It means that crypto-assets that exhibit features similar to traditional financial services must be regulated as such. The crypto-businesses must comply with criteria like capitalization and reporting requirements – that apply to existing financial institutions – to obtain and retain licenses. For other crypto-assets that pose unique risks, a bespoke regulatory regime may be prescribed.

Prohibition of Market abuse: MICA is the first regulation that expressly prohibits crypto-market abuse – which includes insider trading (using non-public information to gain an advantage), unlawful disclosure of confidential information and market manipulation by circulating false information. ISOCO also recommends regulators to prohibit and penalize market abuse.

Disclosures and conflict of interest: MICA mentions that customers must be aware of functions and risks of crypto-assets they intend to purchase. So, issuers of crypto-assets must publish a white-paper to make these disclosures. Also, crypto-businesses must have robust policy for identification, prevention, management and disclosure of conflicts of interest. The IOSCO recommends that crypto-asset service providers (like exchanges) must disclose trading history, rights of crypto-asset holder, past incidences of manipulation or security failures, etc. (with respect to crypto-assets they offer or allow trading-in).

Measures for customer asset protection: are prescribed under both MICA and IOSCO report. They include the obligation of crypto businesses to maintain records of customer’s assets, and segregate customer’s assets from their own.

Management of technological and operational risks: includes implementing measures to address cyber-security and system resiliency risks. As per IOSCO, this may include conducting frequent audits, and regularly updating systems. MICA also mandates crypto-business to maintain resilient and secure ICT systems – as required under EU regulations. And makes crypto-business liable for customer losses due to preventable cyber-incidents or operational failures.

Cross-border service providers: Crypto-assets are inherently borderless. And crypto-business often provide services without any substantive presence (in a country). This creates challenges with the implementation of regulations. But as per IOSCO, laws of a country become applicable if an entity makes its services available there. So, a crypto business must comply with a country’s crypto regulations if it provides services to its citizens.

Crypto-businesses must brace for these upcoming regulations. And comply with these global best practices (to the extent possible). By doing so, they can seamlessly expand their business to multiple jurisdictions. And carry on their businesses without any major disruptions – even if these regulations are implemented with a shorter deadline for compliance.

Dessert

RBIH bats for DLT adoption

The Reserve Bank Innovation Hub (RBIH), a wholly owned subsidiary of RBI, published a paper this month on adoption of distributed ledger technology (DLT) for financial services.

Before we delve into the paper’s findings, let’s start with the basics. DLT is a technology that lets multiple network participants access, verify and consensually update a shared database. Because of its distributed, immutable, and consensus-based nature, DLT can securely maintain data without a centralized authority. And this eliminates the risk of a single point-of-failure. DLT can also support smart contracts that automatically execute instructions without manual intervention. Blockchain is a type of DLT. But there are other types of DLT too (like Directed Acrylic Graph and Hashgraph). Regulators favor closed and trusted DLT networks like private blockchains. Unlike public blockchains, only permitted entities can participate in a private blockchain.

The paper builds on RBIH’s proof of concept (PoC) project for DLT adoption (in financial services) conducted in June 2022. Based on stakeholder consultation, inland letters of credit were selected as the use-case for the PoC. A letter of credit or LC is an instrument which guarantees that the issuing bank will pay the seller if the buyer does not do so. LCs – traditionally issued in paper form – are susceptible to fraud. For instance, LCs were at the heart of the INR 14,000 crore scam committed by Nirav Modi. By leveraging DLT, LC-based transactions can be made efficient and secure. The transactions can be confirmed in real time and communicated to all participating banks – which, at present, is completed by physical exchange of multiple documents over many days.

The PoC project involved 11 banks, 3 DLT platforms and 2 fintech startups. The DLT platforms – Hyperledger Fabric, R3 Corda and Billion FIS – were chosen based on their permissioned nature, active developer community, and industry acceptance. The Weaver Protocol was used to ensure data sharing and asset movement (also known as interoperability) between these DLT platforms. Fintech startups – Digiledge and Settlemint – were also chosen to help banks integrate with the DLT platforms. The paper mentions that RBIH is now exploring an interoperable DLT platform for the Indian financial sector based on learnings from the PoC. Some of the use-cases that are being considered are – cross-border remittances, bank guarantees for trade financing, syndicated loans (financing offered by a lender group) and DLT-based KYC processes (Indian fintechs are also pushing for this).

The RBIH paper bodes well for the fintech industry for three reasons. First, it shows that regulators are keen to work with the industry to solve hard technical challenges (like DLT interoperability). Second, it indicates that regulators view DLT as a digital public good (like UPI or Aadhaar) which could benefit the society at large, and therefore, deserves the government’s support. Third, with growing acceptance, DLT may solve persistent pain-points like KYC. DLT powered KYC processes exist or are being launched in UAE, Singapore, and Thailand. We hope India jumps on the bandwagon because DLT can increase efficiency of financial services (by reducing customer acquisition and servicing costs) and foster financial inclusion.

Mints

Visa and RuPay enable CVV free payments

Visa and RuPay have launched a feature that eliminates the need for CVV (Cardholder Verification Value) for domestic transactions made using tokenised cards. For tokenised cards, an alternate code is stored by the merchant instead of actual card data. Tokenisation protects cardholders against frauds. For tokenised cards, customers won’t have to reach for the card tucked away in their wallet anymore. They can just enter an OTP and complete the transaction.

FIDC urges review of penalties on defaulting borrowers

In April 2023, the RBI released a draft circular which sought to revise how penalties are levied on borrowers who haven’t repaid their loans. We discussed the proposal in the April 2023 edition of FinTales. An industry body, Finance Industry Development Council (FIDC) has raised concerns that the proposal may harm borrowers and pose operational challenges for these reasons. First, the proposal does not clarify what constitutes ‘material terms’ of a loan agreement, whose breach can lead to penalties. Second, penal interest has been prohibited entirely, instead of imposing a reasonable cap on penal interest rate. Third, replacing ‘penal interest’ with ‘penal charges’ can increase the GST burden on borrowers.

22 non-banks receive Aadhaar e-KYC access

The Ministry of Finance has granted 22 non-bank regulated entities permission to use Aadhaar e-KYC. The entities include Amazon Pay and Uniorbit Payment Solutions, among others. Broadly, there are two modes of Aadhaar based identity verification – e-KYC and offline KYC. e-KYC involves verifying the applicant’s data through the Central Identities Data Repository and requires OTP or biometrics. Access to e-KYC is expected to reduce cost, friction and fraud in customer onboarding.

RBI declines to disclose whitelist of digital lending apps

Earlier this year, the RBI shared a whitelist of permitted digital lending apps with the Ministry of Electronics & Information Technology (MeitY). The whitelist was then shared by MeitY with app stores to ensure only permitted apps were made available to the public. Responding to an RTI, the RBI recently refused to disclose the details of the whitelist. The RBI claims the whitelist is exempt from disclosure under the RTI Act for two reasons. First, it contains confidential information, whose disclosure could harm the economic interests of India. Second, the whitelist was shared in a fiduciary capacity (a relationship of trust), and not pursuant to a legal requirement.

Offline PA regulations in the works

Building on the Payments Vision 2025, the RBI is expected to introduce a regulatory framework for offline payment aggregators (PAs) soon. Offline PAs are payment service providers who help brick-and-mortar stores accept payments through point-of-sale machines, mobile payment terminals, QR codes, etc. The regulatory requirements for offline PAs are likely to be similar to those for online PAs, including obligations relating to KYC and minimum net-worth. Since major offline PAs also operate as online PAs and have already applied for online PA authorizations, the approval process for offline PAs may be less time-consuming.

Binance faces regulatory pressure in US and Canada

Binance is reportedly being investigated by the US Department of Justice for allowing users to bypass US sanctions against Russia. Binance has also exited the Canadian market in response to new regulations which treat ‘stablecoins’ as securities and require regulatory approval for dealing in stablecoins.

Image credits: Shutterstock

Takeaways