FinTales Issue 28: A partnership of equals?

As we speak, the RBI is scrutinizing bank-fintech relationships. It’s looking under the hood to decide if banks are over-reliant on their tech partners.

But are banks and fintechs partners? No, they are not – at least not as far as the RBI is concerned. Theirs is not a relationship of equals. It’s more like a parent and child relationship. One where the parent accords the child some autonomy, but within guardrails – while remaining ultimately responsible for the child’s actions. Underneath it all, the bank-fintech relationship is a hierarchical one, not one of equal partners.

For example, in the UPI ecosystem, third-party application providers (TPAPs) like PhonePe and Google Pay must be supervised by banks. TPAPs, as service providers, access the UPI platform through the bank. The bank is also responsible for ensuring the TPAP’s systems are secure. Similarly, in the digital lending ecosystem, lending service providers (LSPs) like Simpl must be supervised by regulated lenders – banks or NBFCs. Regulated lenders can’t let LSPs have the final say on the creditworthiness of customers or play a role in the fund flow. If these guardrails aren’t enforced, the bank-fintech relationship ceases to be a hierarchical one, something the RBI doesn’t approve of.

Moving onto our FinTales menu for the month.

Main-course: lessons from the US bank runs and the implications of crypto-entities being brought under anti-money laundering laws.

Dessert: sweet news about NPCI allowing charges on UPI-based PPI payments.

Mints: a refresher about recent fintech developments.

Takeaway: articles and podcasts to grab and go.

Main course

The 2023 tech financial crisis

The collapse of Silicon Valley Bank (SVB) caused widespread panic in the startup ecosystem, with effects being felt in India too. Indian startups had $1 billion in deposits at SVB which could have been at risk. Indian regulators also immediately swung into action. Minister of State for IT, Rajeev Chandrashekhar, met affected startups. And the RBI sought information from banks and NBFCs about their exposure to SVB. But SVB isn’t the only tech friendly bank that went belly up last month. Two other crypto focused banks – Silvergate and Signature – also joined its ranks.

Silvergate was the American crypto industry’s banking partner of choice. Almost all its deposits were from crypto customers. In September 2022, Silvergate had $12 billion in deposits from its crypto customers. But by December 2022, that number fell to $7.3 billion. The reason: the crypto meltdown triggered by the FTX crash in November 2022. As customers withdrew their assets from crypto exchanges, the crypto exchanges in turn withdrew their assets from Silvergate. Silvergate had invested its customers’ deposits in safe but long-term assets like government bonds. It couldn’t sell those bonds immediately without incurring a loss. But to meet customer withdrawals, it had to sell bonds worth $5.2 billion and suffer a loss of $750 million. Banks are subject to capital reserve requirements. For example, if a bank accepts $100 in deposits, it must roughly have $8 as shareholder’s or bondholder’s money. Any losses that a bank suffers reduces its capital reserve. And in Silvergate’s case, the losses incurred due to the bond sales threatened to bring the bank’s capital reserve below regulatory requirements. Silvergate eventually voluntarily shut down its business.  Shortly after this, the other American crypto-friendly bank, Signature, was also shut down by US regulators. Interestingly, US regulators had warned banks that crypto customers may pose unique risks. Because most crypto customers were exchanges that were parking their own customers’ assets with the bank. So, a run on a crypto exchange could turn into a run on its partner bank.

The Silvergate and SVB crisis share several commonalities. Both banks were heavily reliant on a single sector. In Silvergate’s case, it was crypto businesses. In SVB’s case, it was startups. Both banks invested their customers’ deposits in long-term assets which couldn’t be sold immediately without incurring a loss. And both banks faced exceptionally high customer withdrawals in a short period. For instance, SVB faced $42 billion in withdrawals in a single day, nearly 25% of its total deposits. Even the most regulatorily compliant bank can’t keep up with this pace of withdrawals. Such high withdrawals are a black-swan event that regulations can’t fix. The reasons behind the customer withdrawals were different though. In Silvergate’s case, crypto businesses withdrew assets to pay back their own customers who were spooked by the FTX crash. In SVB’s case, startups withdrew assets partly to survive the funding winter and partly due to herd behavior.

The recent American bank-runs expose a fundamental tension between the finance and technology worlds. Modern neo-banks target a user segment (college students, blue-collar workers, small businesses, etc.) and build products to suit its specific needs. Banks, on the other hand, want a diversified customer base to control risk. Because if all your customers belong to the same segment, they may face the same market conditions or exhibit herd behavior. When we think about concentration risk, it’s often in the context of borrower diversification, not depositor diversification. It’s common sense that a bank shouldn’t lend all its customers’ deposits to a single industry. But the latest bank runs remind us that accepting all its deposits from a single industry may be just as risky.

The fact that two of the three banks that shutdown were crypto friendly banks also raises questions about what banking services for the crypto industry will look like going ahead. In India, despite the Supreme Court striking down RBI’s ban on providing banking services to the crypto industry, securing banking services has been an uphill challenge for crypto businesses. One of RBI’s main concerns about providing banking services to crypto businesses is KYC/AML/CFT compliance. With crypto businesses becoming reporting entities under anti-money laundering laws, those concerns may soon be addressed. More on this in our next main course story. Nonetheless, crypto businesses will still be considered risky depositors because they may pull their money at once due to market volatility. This is a hard problem to solve. But if crypto customers were distributed across multiple banks, then a single bank wouldn’t take the hit if there are mass withdrawals. Banking, at its core, is the business of managing risk. So, regulators and banks must work together to provide banking products to all types of depositors, including crypto businesses.

Know Your (Crypto) Customer – New KYC rules in town!

Roughly 7% Indians own crypto-assets (aka Virtual Digital Assets). Yet, until recently, India did not have regulatory tools to identify crypto-owners or monitor their transactions. Earlier this month, the Ministry of Finance (MoF) changed this. It issued a notification which brought entities dealing in ‘Virtual Digital Assets’ (VDA), under the purview of India’s money laundering legislation – the Prevention of Money Laundering Act 2002 (PMLA). With this change, crypto-businesses are subject to an entirely new compliance universe.

The notification is straightforward. It lists five crypto-related activities that make businesses a ‘reporting entity’ under the PMLA:  

(a) exchanging VDAs and fiat money (like buying bitcoin with INR);
(b) exchange between different VDAs (like trading bitcoins for dogecoins);
(c) transfer of VDAs (like buying pizza with bitcoins);
(d) safekeeping or administration of VDAs or instruments enabling control over VDAs (like crypto-wallet service providers); and
(e) participation in and provision of financial services related to an issuer’s offer and sale of VDAs (like fiat on-ramp service providers).

Businesses classified as ‘reporting entities’ must comply with obligations enlisted in the PMLA. A few of these are:

(a) verifying customer identity – crypto-businesses will have to conduct user KYC, like a bank would when opening an account;
(b) undertaking enhanced due diligence – a crypto-business must have systems in place to detect suspicious transactions or activities that need closer scrutiny. It must then undertake ‘enhanced diligence’ like asking for additional KYC details or source of funds. It must also be able to identify, monitor and report suspicious transactions or transactions involving proceeds of crime;
(c) maintaining records – crypto-businesses will have to store transaction records and identity records of its customers for a period of five years; and
(d) disclosing information – crypto-businesses will have to furnish information as and when required by relevant authorities.  

Undoubtedly, these obligations will increase the compliance burden for crypto-businesses. A lot of work must be done to build a compliance architecture which meets the PMLA’s standards. It can’t be done overnight. Yet, crypto businesses are offered no buffer time to adapt to the new compliance environment. This may not affect established crypto-exchanges which voluntarily implemented KYC/AML processes (as a good practice). But those that did not, are scrambling. Crypto-businesses that voluntarily implemented KYC/AML measures before the MoF notification faced significant trade-offs. It increased their compliance burden, hindered customer acquisition, and reduced their overall competitiveness against those who did not implement these ‘good to have’ measures. By making this a mandatory requirement, the notification reduces the negative impacts of voluntarily implementing these measures.  

Curiously, law enforcement agencies were already (in some ways) viewing crypto-businesses (especially crypto-exchanges) as ‘reporting entities’ even before the MoF notification. For instance, the Enforcement Directorate’s (ED) press release for its WazirX investigation suggests that it scrutinized WazirX’s KYC and AML practices as if it was a reporting entity. By bringing crypto-businesses under PMLA, the government has given more teeth to law enforcement agencies.  

But enforcing these obligations might still be challenging. Crypto-businesses can be centralized or decentralized. Enforcing KYC/AML obligations on centralized models is simple. For example, for a centralized crypto-exchange (like CoinDCX) – it’s clear that the responsibility for implementing the KYC/AML checks is on the corporate entity. And those in charge of the company’s conduct are responsible for the contraventions made by the company. But it’s challenging to enforce such requirements on decentralized models. For example, in case of a decentralized crypto-exchange – no single person or corporate entity is responsible for running the applications. And so, even if we assume that they fall within the ambit of the notification and must implement KYC/AML checks, it’s unclear who is ultimately responsible for contraventions. With decentralized crypto-models playing an increasing role in money laundering activities, the Financial Action Task Force suggests that (on a case-to-case basis), it is possible to identify the creator, owner, operator or individuals with significant influence on such decentralized crypto-models and hold them responsible for implementing the KYC/AML measures. Taking such positions is bound to open a pandora’s box. And they certainly cannot be taken without framing a comprehensive law to regulate VDAs.

The PMLA notification follows the government’s piecemeal approach to regulating VDAs, as seen before with the advertising guidelines or the taxation rules. And even this time, the government has carefully bypassed granting explicit legitimacy to VDAs or identifying a regulator to overlook this industry. So, while bringing VDAs under the money laundering laws is a step in the right direction, we need to do a lot more. It is time to have a comprehensive law in place regulating VDAs in India.


The end of free UPI lunches – kind of

NPCI recently recommended interchange fees of up to 1.1% on UPI transactions through prepaid payment instruments (PPIs). The fees are applicable on transactions above INR 2000 from 1 April 2023. PPIs include e-wallets and pre-loaded cards. Some examples of e-wallets that must be interoperable via UPI are Paytm and MobiKwik wallets.

Many took the NPCI’s recommendation to mean that UPI transactions were no longer free. This understanding was partly right, but mostly wrong. First, customers will not pay to use UPI – merchants will. Second, the fee is only paid (by the merchant) when a customer uses UPI to pay through her e-wallet (like a Paytm or MobiKwik wallet). If the source of funds is the user’s bank account, no one pays any fee.

To avoid misinformation, PIB debunked misleading news reports, Vijay Shekhar Sharma tweeted how everyone had misunderstood the notification, NPCI published a press release, and Dilip Asbe (NPCI’s MD & CEO) clarified the notification on live TV.  

So, what really happened? Here is what we know:

  1. What is interchange fee? Interchange is the fee that a merchant’s bank (the acquiring bank) pays to the customer’s bank (the issuing bank). Interchange fee is often recovered by the merchant’s bank from the merchant by levying a fee called Merchant Discount Rate (MDR).
  2. Is there any interchange fee on UPI transactions? Yes, but only if the UPI payment is done through PPI and above INR 2000. According to NPCI, 99.9% UPI transactions are not done through PPIs. So, this move will only affect a tiny fraction of UPI transactions.  
  3. Will all PPI transactions be charged? No. The fee is not applicable on peer-to-peer (sending money to another person) and peer-to-peer-merchant (sending money to small merchants) transactions. NPCI classifies merchants who have expected monthly inward UPI transactions of less than INR 50,000 as peer merchants or small merchants.
  4. How much is the fee? The interchange fee ranges from 0.5% to 1.1% of the total transaction amount depending on the merchant category. For example, fuel pumps will attract 0.5% fees and supermarkets will attract 0.9% fees.
  5. Will loading PPIs via UPI attract any fees? Yes. But not for the customer. The PPI issuer will pay 15 basis points as a wallet-loading service charge to the customer’s bank for transactions above INR 2,000.
  6. Will customers pay this fee? No. Dilip Asbe clarified that the interchange fee will be recovered from merchants, not from customers. Vijay Shekhar Sharma also said that merchants who don’t wish to bear the cost may choose to not accept UPI payments made through PPIs.
  7. Who will benefit? Banks and PPI issuers will benefit because the interchange fee will be a much-needed revenue source. Large merchants who have high order values will incur additional costs. But for large merchants, the additional cost may be worth a better customer experience.

NPCI’s recommendation is reportedly subject to RBI’s approval. NPCI will also review the interchange pricing by 30 September 2023. We hope this experiment succeeds because otherwise, there will be UPI payments everywhere, but not a rupee to earn for payment service providers.


RBI & CBUAE join hands to promote innovation

The RBI and the Central Bank of the United Arab Emirates (CBUAE) have signed an MoU to enhance cooperation and promote innovation in financial services. Specifically, the banks will explore interoperability between CBDCs of the two countries. They will jointly conduct proof-of-concept and pilot projects of a bilateral CBDC bridge to facilitate cross-border transactions.

GST on crypto-assets remains uncertain

The proposal to impose GST on crypto-assets will reportedly be delayed due to a lack of consensus between central and state government officials. State governments have sought more time to analyse the complex nature of the crypto ecosystem, classify activities as goods or services, and decide on the applicable GST rates.

RBI investigates bank-fintech partnerships

The RBI is reportedly auditing bank-fintech agreements to understand who is deciding customers’ creditworthiness, bearing credit risk, and owning the customer relationship. The RBI is concerned about banks being over-reliant on fintechs and the quality of fintech-sourced loans being different from other loans.

NPCI launches RuPay SoftPoS solution

The NPCI has launched ‘RuPay SoftPoS with PIN on Glass’ – a mobile-based solution for accepting RuPay card payments for merchants. Using the solution, merchants can accept contactless card payments through smartphones/tablets – without a PoS terminal. NPCI has asked member banks (who acquire merchants) to obtain NPCI’s certification for this solution.

RBI grants extension to Paytm for PA application

The RBI has granted an extension to Paytm to re-apply for a payment aggregator license. Paytm can now re-apply within 15 days of receiving government approval for past foreign direct investments from its parent company. In the meanwhile, Paytm can continue providing online payment aggregation services to its existing customers.

Image credits: Shutterstock


the status quo

Bringing what's next...