There are two kinds of fintech: the conscientious and the reckless. The former treads with caution. They know that being cavalier isn’t an option if you deal with public money. Then there’s the reckless. The sort that calls your grandmom if you default on a Rs. 200 loan you didn’t even know you took. Unfortunately, fintech regulations are increasingly calibrated for the latter. A laundry list of do this, don’t do that. Now these rules for the rogue render the already cautious fintech players in a constant state of fear.
A 2009 study found that excessive road safety signs are counter-productive as they distract and desensitize drivers. Much like hyperbolic road safety signs, fintech regulations often fail to deter the drunk driving fintech from careening through the hilly terrain of risk and regulation. What we need is more implementation and less regulation. We don’t need more road safety signs. We need more fines for traffic violations.
As fintech lawyers, we’ve seen every approach to risk and regulation. You can reach out to our subject matter experts to chat about regulation, policy, and industry trends. For data, write to Sreenidhi Srinivasan at sreenidhi@ikigailaw.com. For fintech, write to Aparajita Srivastava at aparajita@ikigailaw.com. And for crypto and blockchain, write to Anirudh Rastogi at anirudh@ikigailaw.com.
Onto this month’s FinTales menu.
Main Course: Fintechs’ wishlist for 2023, and a tear-away list for fintechs to prep for all things data in 2023
Dessert: delightful news about UPI for NRIs
Mints: quick refresher about developments in the fintech and crypto world
Takeaways: articles, podcasts, and documentaries to grab and go
*********************************************************************************
Main Course
Fintech Wishlist Jar for 2023
2022 was a tumultuous year for fintech. One dotted by regulatory rebukes and restrictions coupled with a funding winter. Here’s what the industry wishes for in 2023.
Wish 1: Clarity on first loan default guarantees
Fintechs want first loan default guarantees (FLDG) to be regulated instead of prohibited. FLDG is an arrangement under which a fintech entity compensates the lender (it partners with) if borrowers it recommended default on loans. But last September, the digital lending guidelines created confusion about the permissibility of FLDG. The industry wants the regulator to provide clarity and cap the percentage of risk transferred under FLDG, instead of a complete prohibition. Some fintechs are seeking permission for FLDG between regulated entities, while others want risk-sharing to be allowed with unregulated fintechs too.
Wish 2: Transparent process for NBFC authorization
Fintechs want the NBFC authorization process to stop being a black box. The RBI is clear, either be an authorized lender, or don’t lend. An NBFC license allows a non-bank fintech to lend off its own books. But last year, only a handful of NBFC licenses were granted. While the NBFC applications of many prominent players were rejected. The RBI seems uneasy about the ownership and source of funds of fintechs being linked to tax havens, and the high-interest rates charged by fintechs. While these are the reasons being speculated, industry bodies like the Digital Lenders Association of India have sought formal clarity on why NBFC authorizations are being rejected.
Wish 3: Tax relief for fintechs
Services that fintechs provide to regulated entities attract a GST of 18%. The industry has requested GST exemption for early-stage fintechs and those enabling financial inclusion.
Wish 4: Enabling framework for neo banks
Under current law, fintechs can’t accept deposits, give loans, or operate a payment system without regulatory approval. So, fintech entities partner with banks, NBFCs, and payment system operators. But these partnerships are governed by a patchwork of regulations, like outsourcing norms for banks and guidelines for business correspondents. These regulations often have overlaps and inconsistencies. We spoke to Deena Jacob, Co-founder and CFO at Open on this. “The regulations for operating neobanking model (as a whole) in partnership with banks need to be clearer. Right now, the guidelines regulate the partnerships in a fragmented manner”, she observed. “A partnership-led digital banking wave will be a game changer for faster penetration of banking and financial services”, she added. So, fintechs want clearer risk-based regulations governing partnerships that acknowledge changing market realities. In 2023, neo banks also hope for a licensing framework for full-stack digital banks (which don’t have any physical presence). So that they can provide deposit and lending services on their own.
Wish 5: Priority sector lending classification for fintechs
To receive affordable access to capital, fintechs want to be included in the priority sector lending category. Amidst a challenging macroeconomic environment, fintech players have difficulty raising funds. So, they want loans to fintechs to be classified as priority sector lending – a category that the RBI encourages banks and NBFCs to lend to, like MSMEs.
Wish 6: A fair share of MDR compensation for fintechs
Fintechs have been critical to UPI’s success and want to be compensated for providing UPI services for free. Banks and payment service providers are not allowed to charge any fees from merchants on UPI and Rupay debit card payments. So, banks, payment intermediaries (like payment aggregators), and technology service providers (like Google Pay and PhonePe) absorb the cost of providing these services. The government recently announced an Rs.2600 crore incentive scheme to compensate them. Under the scheme, banks must share the incentives they receive with other payment system operators and participants. But historically, these incentives haven’t trickled down to fintechs in the payment chain. The government and NPCI will prescribe the proportion and manner in which banks must share the incentives with fintechs. Fintechs want a fair share of the pie, especially because of their contribution to merchant and customer onboarding.
Wish 7: New remote-KYC solutions
Fintechs hope for innovative remote KYC solutions, especially for low-value savings and loan accounts. Video KYC through Aadhar-based verification simplified the customer identification process for financial services. But it’s expensive, high friction, and unsuitable for areas without reliable internet access.
Preparing for data regulations in 2023
For the last 5 years, data lawyers have been like the boy who cried wolf. The data bill is always being tabled “in the next session of Parliament”. We’ve seen explainers, primers, deep dives, checklists (well, including our own) to help prepare for the law. The fourth version of the draft law is now out for public consultation. Meanwhile, the RBI has stepped in as a stopgap regulator for financial data for regulated entities (REs) and fintechs. As fintechs grapple with more existential questions: how much should you worry about data? Our fintech and data teams join forces to tell you what to do. We break down five key RBI regulations to help you identify priorities for 2023.
Local storage of payments data by payment system providers
The RBI brought in stringent data regulation with its data localization direction. It asked payment system providers to store payments data in India. Payments data can be processed outside India but must be brought back within 24 hours of processing. It can be accessed from outside India for activities like settlement processing and chargebacks (but must still be stored in India).
This direction is limited to a subset of financial data – ‘payments data’ – which forms part of a payments instruction or transaction. It covers end-to-end transaction details, including customer information, beneficiary account details, transaction details, etc. And it extends only to certain types of entities – payment system operators or PSOs (and through PSOs, to all system participants in the payments chain).
Which means PSOs must map their data, identify what is and what isn’t ‘payments data’, identify whether they need offshore access (for e.g., for global banks, payments processing may take place centrally outside India), re-orient systems to delete data from offshore systems within 24 hours of processing, and contractually agree with vendors/ other processors to store data within India.
No access to transaction data for co-branding partners
RBI’s master directions on credit card and debit card (RBI Card Directions) set out dos and don’ts for co-branding arrangements. Co-branding partners are barred from accessing transaction information. This is because a co-branding partner’s role is limited to marketing/ distribution of the card.
Transaction information isn’t defined in RBI Card Directions. It seems to cover any data related to an activity on the card post its issuance. Such as spends, chargebacks, rewards, etc. on the card. But not activities pre-issuance. Such as the cardholder’s name, address, contact details, etc. Which means a co-branding partner can’t directly be given data about spends, chargebacks, rewards, etc. to run loyalty programmes or other incentive schemes. But it can still access cardholder’s name and contact details – information that it needs to carry out its function as a distributor/ marketer.
Only co-branding partners are barred from accessing transaction data. Not outsourced service providers generally – since the outsourcing guidelines don’t have a similar prohibition. If this were to be extended to outsourced service providers generally, it would mean functions like running reward or loyalty programmes, etc. couldn’t be outsourced.
Limited access to borrowers’ data by unregulated lending service providers (LSPs)
RBI’s digital lending guidelines (DLG) were predominantly data guidelines – no surprise, given that data is a vital ingredient in underwriting and default predictions.
The guidelines are entity-specific. Meaning they extend to lenders, and through lenders, to lending service providers and digital lending applications. Under the DLG, data collection by digital lending apps must be need-based and with the prior, explicit consent of the borrowers. Apps must inform users of the purpose of obtaining their consent at the appropriate stage of the app interface. The DLG restricts access to mobile phone resources (such as contact lists and telephony functions) which lenders usually rely upon. It allows certain permissions to be taken once, with the borrowers’ explicit consent (such as location access for the purpose of onboarding/KYC requirements). Overall, the DLG promotes transparency, data minimisation, and purpose limitation – as seen in global data privacy laws.
The restrictions are also proportionate to the criticality of the data. For example, the DLG encourages access to the economic profile of the borrower (such as age, occupation, income, etc.). But it restricts access to location data, which can only be taken for the purpose of onboarding borrowers. Interestingly, RBI has imposed limitations on location data, despite acknowledging that it’s required to prevent fraud.
Storing card data
Last year, the RBI also implemented the card tokenization mandate – prohibiting all entities, except card issuers and card networks, from storing actual card data. The restriction also seems to be based on the criticality of actual card data, which, if stolen, could cause serious harm to users.
Limited access to credit information
The RBI regulates access to/ sharing of credit information. Credit bureaus can only share credit information with ‘specified users’ (which usually includes regulated entities). This is understood as a ‘hard pull’ – where a potential borrower’s credit score is pulled by a lender from the credit bureau without the borrower’s consent. Specified users are further restricted from sharing such data with any unauthorised person. Fintechs also access credit information of users through ‘soft pull’ – where they access credit information from credit bureaus on behalf of the user with the user’s consent.
Patterns
The RBI has sporadically regulated data. RBI’s data regulation is entity-specific (meaning, because you are a certain type of fintech, you may/ may not access data or must only use it a certain way) or data-specific (meaning, because the data is of a certain nature – sensitive or critical – it must be handled a certain way). The RBI is also increasingly exploring core privacy principles like data minimization (collect only the data that you need), purpose limitation (use it only for a specific purpose), consent (tell users what you’re doing and get their approval) – drawing from the draft data laws we’ve seen over the years.
Importantly, the RBI is regulating for the absolute reckless – those that are leaving banana peels on the floor or leaving their doors unlocked – those with little or no data hygiene.
What should you focus on?
Know your data. The RBI is worried about certain types of data. For instance, card details are sensitive and if shared/ stored willy-nilly, could expose an individual to fraud. Transaction data can be a treasure trove of information about an individual. And so, the RBI only wants you to share it with partners who need it (and not co-branding partners whose job is only to market the card). Location data is highly sensitive, as its unauthorized disclosure could put an individual at risk of physical harm. And so, the RBI only wants digital lenders to collect it once for user onboarding. So, fintechs must know what data they collect, why they need it, can they do without it, how long they need it, and so on.
Share with care. The RBI is worried about wanton data-sharing. For instance, credit information can only be shared by credit bureaus with ‘specified users’. Borrowers’ data can be shared with lending service providers only on a need-to-know basis, with borrowers’ explicit consent. So, regulated entities and their tech partners must evaluate who can access data, whether they can share data with an entity, can they limit access, etc.
Tell it all. The RBI is worried that individuals know nothing about their data. So, RBI wants digital lenders to disclose their purpose at the appropriate stage through the user interface and get borrowers’ consent for data collection. Also, several privacy policies obfuscate more than they communicate. Consider this – “Notwithstanding anything to the contrary mentioned elsewhere, we may store and retain your Personal Information until the fulfilment of the duration which was conveyed to you at the time of collecting the Personal Information.” What they mean is – “When you give us any personal information, we’ll let you know how long we’ll hold it for.” Instead of word salads, fintechs must tell users plainly how their data is collected, used, shared, etc.
*********************************************************************************
Dessert ?
A no-fuss UPI for the NRIs
“How to spot an NRI in an Indian mall? Notice how they are the only ones paying in cash”, quipped a Twitter user. “Jokes apart, it’s tough for NRIs to use UPI because they don’t have a local bank account with local phone number”, he added. NPCI, perhaps, was all ears. Because on 10 January, it allowed NRI bank accounts linked to foreign phone numbers to be onboarded on UPI. Banks have until 30 April to get this up and running.
This isn’t the first time that NPCI has opened the UPI ecosystem for NRIs. In 2018, it enabled UPI-based fund transfers from Non-Resident External (NRE) accounts – maintained for NRI income earned in India. But there was a catch. NRI bank accounts are typically linked to foreign phone numbers (of NRIs). Now, for UPI onboarding, customers must authenticate their mobile number linked to their bank accounts – a facility that was unavailable for foreign mobile numbers. So, to use UPI, NRIs had to jump through multiple hoops. First, they needed an active Indian number, which is costly and inconvenient. After that, they had to link their Indian number to their bank account. This also required delinking their foreign number from their bank account. Because only one phone number can be linked to a bank account.
But this is set to change. NRI accounts can be onboarded on UPI, even if they’re linked to foreign mobile numbers. To start with, this facility is extended to NRI bank accounts linked to foreign numbers from 10 countries – including USA, UK, Singapore, and UAE. NPCI may also extend this facility to NRIs residing in other countries. So, going forward, NRIs can make cheaper, faster, and seamless payments in India.
*********************************************************************************
Mints
Final approvals stamped
Paytm Payments Bank Limited has reportedly received final RBI approval to operate as a Bharat Bill Payment Operating Unit. Until now, it was facilitating bill payments under in-principle RBI authorization. The wholly-owned subsidiary of Protean eGov Technologies Limited has reportedly received final RBI authorization to operate as an NBFC-Account Aggregator.
PhonePe’s million dollar fundraise
While many fintechs face the funding winter, PhonePe has completed the first tranche of its billion-dollar funding plans. It raised USD 350 million at a valuation of USD 12 billion – making it the most-valued fintech in India. PhonePe says it plans to use the funds to invest in new business verticals like insurance, lending, and wealth management. And to amp up UPI payments like UPI Lite and credit cards on UPI.
Payment aggregators and their licenses
RBI has reportedly granted in-principle approval to BharatPe, Enkash, and Hitachi Payment Services to operate as payment aggregators. On the other end of the spectrum, it has reportedly asked PayU to reapply for a payment aggregator license due to its complex corporate structure.
Digital banks to bridge MSME credit gap
The central government may reportedly allow setting-up of digital banks (without any physical presence) to meet the credit gap faced by MSMEs. This can provide formal credit access to small businesses and reduce their reliance on informal sources of credit. The 2023-24 budget may contain provisions regarding this.
Incentive scheme to promote RuPay and UPI
To promote RuPay debit cards and low-value peer-to-merchant UPI transactions, the central government has approved an Rs. 2600 crore incentive scheme. Under this, acquiring banks will receive financial incentives (calculated on the basis of merchant category). They’ll also share a part of the compensation with payment system participants and operators based on the proportion that NPCI decides in consultation with participating banks.
SBM Bank barred from enabling foreign remittances
The RBI has directed the State Bank of Mauritius (India) to stop all foreign remittances under the Liberalised Remittance Scheme till further orders. Reportedly, the RBI is concerned about the money transfer practices of the bank’s fintech partners. The RBI order has disrupted the operations of several fintechs who partnered with the bank to offer foreign remittance products.
Samsung Wallet to be available in India
Samsung recently announced that by the end of January, its wallet app will be launched in eight countries including India. The app integrates with Samsung Blockchain Wallet and allows users to track different cryptocurrencies across various exchanges.
*********************************************************************************
Takeaway
- AI art tools, Stable Diffusion and Midjourney, face copyright lawsuit [The Verge]
- Venture capital’s $300bn question – Why is the industry sitting on the cash? [The Economist]
- A debate between two seasoned programmers on whether Artificial General Intelligence will happen in our lifetime? [Substack]
- A docuseries about the rise and fall of Bernie Madoff [Netflix]
- A podcast about why companies ranging from airlines to stock exchanges still run on ancient software [Odd Lots]
*********************************************************************************
Image credits: Shutterstock
That’s it from us. We’d love to hear from you. Write to us at contact@ikigailaw.com. Or sign up for Ikigai Fintech Office Hours to chat with our team about all things fintech regulation and policy.
See you in February.
If you enjoyed this edition of FinTales, do share it.
