FinTales Issue 36: Payment Intermediaries, Card Data and UPI

“Ignoring technological change in a financial system based upon technology is like a mouse starving to death because someone moved their cheese” - Chris Skinner

On 15 April 2024, the RBI penned a letter to non-bank payment system operators (PSOs) like payment aggregators (PAs) and e-wallet issuers. Through the letter, the RBI directed PSOs to “track high-value and suspicious transactions. Keep an eye out for payments possibly made to fund poll candidates or influence voters. Report fishy transactions to relevant authorities”. A timely instruction by the RBI before the upcoming 2024 general elections.

Interestingly, this is the first time ever that fintechs have been asked to monitor fund movement during polls. Usually, banks are given this kind of instruction. This indicates how critical fintechs have become in the safekeeping and movement of public funds. The RBI has taken several measures recently to account for this. The increasing significance of PAs, for instance, has prompted the RBI to propose major changes to the PA guidelines. More about this in our main course.

Onto the FinTales menu for the month.

Main Course: meaty stories about the RBI’s draft PA guidelines, and amendments to the card directions.

Dessert: sweet news about RBI’s proposal to link PPIs to third-party UPI apps.

Mints: a refresher on recent fintech developments.


🍱 Main Course 

⛔ ‘PAps’ eye Draft PA Guidelines

On April 16, the RBI dropped a press release that could significantly alter the regulatory approach towards payment aggregators or ‘PAs’. The RBI press release has introduced two new guidelines: 

Before we proceed, let us understand what PAs are and what they do. Any payment involves multiple parties – a buyer, the buyer’s issuing bank (where the buyer maintains her/his bank account), a seller, the seller’s acquirers (who onboard sellers on a payment ecosystem like a card network), payment intermediaries, etc. A PA is a payment intermediary. PAs act as a bridge between merchants (who provide services, including marketplaces like e-commerce platforms) and customers (who avail products and services).

Let us break this down: You go to Myntra, zero in on a pair of Levi’s jeans, and add it to your cart. Now, you need to make a payment and notice that Myntra has multiple payment options - UPI, credit card, debit card, wallets, pay later, net banking. After much thought, you choose UPI and pay. How is Myntra able to give its customers so many payment options? Is Myntra separately integrated with NPCI, each wallet-issuer, each issuing bank and acquirer? No, likely not – here’s where PAs come in. They partner with payment system providers to offer different payment options to buyers, eliminating the need for merchants to do so. They also partner with merchants’ acquirers, collect payments from users, pool them in their escrow account and settle them to merchants. PAs, in short, are in the business of moving money.

PAs are of two kinds: online and offline. Online PAs facilitate non-face-to-face e-commerce payments (illustrated above) on websites like Myntra. Until now, the PA Guidelines only regulated online PAs. The RBI has now proposed to regulate offline PAs (this has been on the RBI’s radar since 2022). Let us understand what offline PAs are. You now go to a Levi’s store to buy jeans instead of buying it from Myntra. You tell the cashier that you will pay by UPI – the cashier shows you a point-of-sale (PoS) device. The device has a UPI QR code. You scan the QR code and pay.

The PoS machine facilitates payments through varied payment modes like cards, UPI and wallets. The operators of such PoS devices and other similar tools that facilitate face-to-face payments are offline PAs. The Draft Offline PA Guidelines require all non-bank entities (including online PAs) to get RBI’s authorisation to start/continue their offline PA business. Existing offline PAs should comply with the PA Guidelines within 3 months of the Draft Offline PA Guidelines being notified.

The RBI has also proposed changes on permissible debits from PA’s escrow account and storage of card transaction data - we have covered these (along with other key highlights of the Draft PA Amendments and Draft Offline PA Guidelines) in our LinkedIn post here. In this edition, we will focus on one key change proposed under the Draft PA Amendments: KYC. 

The Draft PA Amendments require PAs to KYC merchants (even existing ones within the specified timelines) as per the standards given under the RBI KYC Master Directions. A relaxation is given for small and medium merchants – (i) for small merchants (turnover of less than INR 5 Lakh per annum), PAs must do contact point verification (CPV) of the business and verify the merchant’s bank account in which funds will be settled; (ii) for medium merchants (turnover of less than INR 40 Lakh per annum), PAs must conduct CPV and verify an officially valid document (OVD) of the business and its beneficial owner. The Draft PA Amendments also prohibit PAs from settling funds to any accounts which are not merchant-owned.

The Draft PA Amendments tighten PA’s obligations on transaction monitoring too: PAs must monitor merchants’ transactions on an ongoing basis. Based on such monitoring, PAs must enhance KYC and due diligence checks if required. PAs must check that merchants’ transactions are in line with their business profile (for instance, if the merchant has described itself as an online ticketing platform, it should not receive and settle payments for gaming transactions). PAs should also set risk-based payment limits for merchants.

The USP of most new-age PAs is the quick onboarding of merchants. PAs do minimal KYC of merchants by taking comfort in the merchant settlement bank account already being KYC-ed. This will change if the Draft PA Amendments on KYC are implemented.

We imagine a debate between two opposing sides on this aspect would look like this:

For (an RBI official): PAs onboard merchants on the payment ecosystem. They have the direct interface with merchants, and hence the ability to monitor merchants and their transactions. So, they are the gatekeepers and first line of defence against fraudulent merchants. They also have ground-level visibility to catch risky transactions.

So far, we allowed PAs to skip KYC if they settled funds to the already KYCed accounts of merchants. Lately, however, we have realised that the system is not working so well. Take the Chinese lending and betting apps scrutinized by the Enforcement Directorate as an example. The investigations revealed that the apps leveraged PA services for their operations. They collected and laundered funds earned (through the platforms) using mule accounts opened in the names of several shell companies. They eventually converted funds to cryptocurrency and remitted it offshore against made-up purchases of software, foreign currency, etc. The PAs were unable to help the law enforcement agencies trace the flow and end-beneficiary of the funds – primarily because of lax KYC of the mule accounts where funds were settled.

As a regulator, our main concern is to protect customers and intercept the bad actors who might be using PAs as a means to meet their (non-compliant) ends. We believe that if PAs do KYC, they can weed out the bad actors before it’s too late. Because even if a shady digital lender or a gambling platform opens a bank account, it can dupe customers (at scale) only if it avails PA services to collect online payments.

Against (a PA): We only settle amounts in KYCed bank accounts of merchants. We must now re-do full KYC of the merchants when banks have already completed their KYC once. We are also required to undertake CPV of small and medium merchants – does this mean we need to hire personnel to physically visit the merchant’s store for verifying their details? That sounds expensive and cumbersome. Are we required to collect OVDs of businesses? What would that be? The RBI KYC Master Directions define what OVDs of individuals are but are silent on what they are for businesses – we’d like some clarity on that. The last thing we want to be in is a regulatory soup. Also the RBI deleted the provision in PA Guidelines that allows us to settle to ‘any other account’ upon merchant’s instructions. Does it mean we can’t offer the split settle feature – where out of total settlement amount (for a good/service sold through a marketplace), we settle the commission to the marketplace and the balance amount to the sellers (of the goods/services), delivery service providers and other participants on the marketplaces? It will be a logistical nightmare – we must brace ourselves for a lot of merchant drop-offs. Above all, we are worried about the proposed norms hampering our digitization efforts and financial inclusion of small and medium merchants. These merchants may opt-out of PA services if the services are costly or if they find the onboarding process cumbersome. We urge the RBI to re-consider some of these requirements. For instance, instead of a bank-grade KYC for merchants, the RBI must consider introducing light-touch KYC norms.

Reportedly, the Draft PA Amendments will slow down the onboarding process for online merchants by 90%. Industry insiders estimate that the timelines for completion of merchant onboarding will increase from a few hours/days to a few weeks. The immediate cost impact to conduct KYC checks is estimated to be somewhere between INR 40-50 crore. Smaller sellers on e-commerce platforms might find the onboarding process too cumbersome and switch to bank transfers, UPI or cash.

Regardless of which side you are on, if you have thoughts on the Draft Offline PA Guidelines or Draft PA Amendments which you think must reach the RBI’s ears, you might want to mark 31 May 2024 – the deadline for submitting your comments on the draft directions to the RBI – on your calendar.

🏛️ 💳 Banks need to do a lot more to keep card data sacrosanct

Exactly a year back, we had written that bank-fintech relationships are like parent-child relationships. One where the child is given some autonomy within guardrails, but the ultimate responsibility lies with the bank.

Recent amendments to RBI’s ‘Master Directions on Credit and Debit Cards, 2022’ (Card Directions) and developments in the co-branded credit card universe validate our understanding. The amendments, among other things, tighten the data privacy norms for co-branding partners and other outsourced service providers of card issuers.

Let us cover the basics before we jump to the specifics.

Banks can issue credit cards without RBI’s prior approval. NBFCs can issue credit cards with RBI’s approval, but the RBI doles out these approvals sparingly – only two NBFCs have been granted this permission. Unregulated fintech entities can’t issue credit cards. They can partner with banks to issue co-branded credit cards. Under a co-branding scheme, the bank issues the credit card, whereas the fintech’s role is limited to marketing and distributing the cards (as a co-branding partner). The co-branded card has both of their identifiers (say logo, name, etc.). For banks, it’s a great customer acquisition strategy, particularly where the co-branding entity has a loyal customer base. For fintechs, this partnership is their entry ticket to a heavily regulated party. A few examples of co-branded cards are Amazon Pay-ICICI Bank Credit Card, Swiggy-HDFC Bank Credit Card, and Federal-Fi Cobranded Credit Card.    

What about co-branded credit card partnerships between NBFCs and banks? Until the recent amendments to the Card Directions, such partnerships between NBFCs and banks required RBI’s prior approval, which has now been done away with. We might see a lot more NBFC-bank co-branded credit card partnerships going forward.

Now, moving to the crux of our story, the amendments to Card Directions also clarify who can access transaction data and how. The Card Directions were clear, even before the amendments, that a co-branding partner’s activities should be restricted to marketing/ distribution of cards and providing card-related services. They prohibited co-branding partners from accessing transaction data. Now, this did not lead to an optimal customer experience – imagine, as a regular Swiggy user, you applied for the Swiggy-HDFC Bank credit card to win cash-back and other rewards on your Swiggy purchases. Now, you’re forced to go to HDFC Bank’s website / download its mobile application to access your card’s transaction history. You can’t do this on Swiggy.

Fintechs go to great (and often regulatorily risky) lengths to solve their users’ pain points. And that’s what happened here – fintechs began to display transaction data on their portal by supposedly drawing it directly from the bank’s system. The amendment to the Card Directions now greenlights this practice as long as (i) only the customers can view the transaction data, which is drawn from the bank’s system in encrypted form, and (ii) fintechs do not access or store the transaction data.

The RBI has also issued FAQs on Card Directions along with the amendments. They clarify that a co-branding partner cannot access card transaction data even if they offer other services to the card issuer. This addresses a grey area under the Card Directions. Before the amendments, the Card Directions did not (expressly) restrict co-branding partners acting in other capacities – technology service provider (TSP), business correspondent (BC) – from accessing transaction data. Some fintechs acting as co-branding partners utilized the loophole to access transaction data. They argued that they also provide technology services to card issuers and can access transaction data in that capacity, and that TSPs are not prohibited from accessing transaction data – only the co-branding partners are. For instance, OneCard, which reportedly acted as a co-branding partner and a TSP for co-branded credit cards, accessed transaction data in the capacity of a TSP. The RBI reportedly barred Federal Bank and South Indian Bank, OneCard’s partner banks, from issuing new co-branded credit cards because of this practice until the card issuers comply with the amended Card Directions. After all, the buck stops with the banks – who are responsible for what co-branding partners do or do not do.


👛 📱 RBI breathes life into wallet-based UPI payments

The RBI has proposed to link prepaid payment instruments or ‘PPIs’ (like wallets and prepaid cards) to third-party UPI apps.

Present: UPI payments can be made through different accounts linked to a user’s UPI ID. Wallet is one of them. But, presently, users have limited choice in terms of the app through which they can make wallet-based UPI payments. You can use wallets to make UPI payments only through the app of the wallet issuer. For instance, you can use the money in your MobiKwik wallet only to pay through MobiKwik UPI app – you cannot use UPI apps like PhonePe or GPay for this.  

Proposed: Under the proposed feature, users can link their PPIs to their UPI account on any UPI app of their choice. With this, users can use their MobiKwik wallet to make UPI payments through GPay and PhonePe UPI apps too. So the wallet issuer’s app won’t be the only medium for making wallet-based UPI payments.

The RBI’s proposed feature will benefit customers – it’ll give them more choice for the apps through which they can make UPI payments using PPIs. It is also a powerful value proposition for growth of digital transactions, especially for small-value payments. This is because e-wallets are popular for small-ticket transactions – they’re convenient and quick. UPI, on the other hand, is by and large, the most effective way to distribute financial products because of its wide acceptance infrastructure. Together, these factors will help increase use cases of PPIs and enhance the growth of digital payments.

The RBI will drop the operational guidelines on the proposed feature soon.


💭 More clarity on FLDG?!

The RBI has come out with FAQs on First Loss Default Guarantee (FLDG) – arrangements in which fintechs compensate lenders for a certain percentage of the loan default. RBI had greenlit FLDG arrangements last June. Among other things, the FAQs clarify that FLDG is not permitted for credit cards, revolving credit facilities, and loans offered on P2P lending platforms. They also explain how to calculate the 5% FLDG cover on the loan portfolio.

📜 A renewed Key Fact Statement

RBI’s new rules for lenders on ‘Key Fact Statement’ (KFS) are out. They reinforce the requirement for lenders to disclose the KFS – a document that summarizes all important details of the loan – to prospective borrowers before the loan contract is executed. Each KFS must have a unique proposal number and a minimum validity period (that is, the minimum period borrowers must have to accept the KFS terms). The rules aim to ensure that borrowers have the necessary information to make an informed decision to take the loan.

🔗 New rules brewing for loan aggregators

The RBI has released draft guidelines for Lending Service Providers (LSPs) that aggregate loan products from multiple lenders (on their platform) and match borrowers-lenders using proprietary solutions. The draft guidelines require LSPs to disclose names of all potential lenders and details of the loan upfront, follow a consistent policy to match lenders-borrowers, and refrain from using dark patterns on their platform while offering their services. Comments on the draft can be submitted by 31 May 2024. Examples of loan aggregators include Yubi, BankBazaar, and Paisabazaar.

⚔️ A slew of enforcement actions

The RBI took two major enforcement actions this month: Firstly, the RBI has asked Kotak Mahindra Bank Ltd to immediately stop onboarding new customers through its internet/mobile banking channels, and issuing new credit cards. Deficiencies in the bank’s IT and data security standards led to the RBI’s action. Secondly, the RBI has asked a company called TalkCharge to stop its wallet business. The company was issuing wallets without obtaining RBI authorization to operate a payment system.

✅ More PA licenses added to the kitty

Groww Pay, Worldline ePayments, Boku, CAMSPay, and Unlimit have received their final PA licenses. This brings the total number of entities with final PA licenses to 27. Additionally, fintechs like CRED and PayU have received RBI’s in-principle approval for their PA applications. The approval allows PayU to onboard new merchants for its payment aggregation business. Last year, the RBI had asked PayU to pause onboarding of new merchants, and re-apply for its PA license due to its complex corporate structure.

🏧 UPI for cash deposits: Coming soon

The RBI plans to enable UPI facility for depositing cash at ATMs. It will issue guidelines on this soon. With the proposed feature, customers don’t need to carry debit cards to deposit cash. It will also reduce the cash-handling burden on banks. Currently, users can use their UPI app to withdraw cash from ATMs.

📒 Who’s Who

Shri T. Rabi Sankar was re-appointed as the Deputy Governor of the RBI for one year. He oversees functions relating to fintech, IT, financial supervision, and payment systems, and previously served as an executive director at the RBI. Additionally, the NPCI has appointed Ankit Kush as the ‘Head of Fintech Solutions’.  Mr. Kush previously held roles at fintech companies, Drip Capital and Zaggle.

See you next month.
If you enjoyed this edition of FinTales, do share it.
