FinTales Issue 32: Anti-money laundering laws, Data Bill & Fintechs

The Prevention of Money Laundering Act (or, as its friends call it, the ‘PMLA’) is a long-arm law. It gives its enforcing agency, the Enforcement Directorate (or as its, umm.. acquaintances call it, the ‘ED’), sweeping powers. In 2019, the ED used this power to cease three chimpanzees and four marmosets as ‘proceeds of crime’. What are marmosets you ask? They are a kind of punk rock monkey. Google them.  

Fast forward to the last month, the Delhi High Court used the long arm of the PMLA to classify PayPal as a ‘reporting entity’ under the PMLA. Reporting entities must follow several compliance and reporting obligations under the anti-money laundering law. PayPal fought hard to resist this classification. It claimed that since it isn’t classified as a ‘payment system’ under the Payment and Settlement Systems Act, 2007 (by the RBI), it shouldn’t be classified as one under the PMLA either. Payment systems are a type of ‘reporting entity’ under the PMLA. Paypal argued that much like Google Pay and PhonePe, it is a technology layer over the bank’s functions. That it facilitates digital payments, but doesn’t ‘handle funds’, and therefore cannot be a ‘payment system’ (and in turn a reporting entity) under the PMLA. The Court rejected this premise. It held that even though PayPal isn’t a ‘payment system’ according to the RBI, it is still classified as one under the PMLA. It did not concur with PayPal’s self-categorization as a mere ‘technology layer’. The judgement reaffirms just how sweeping the powers under the PMLA are.  

It also sends an important message to the digital payment ecosystem: even if you are a technology layer (that doesn’t handle funds), you may be covered by the PMLA. It’s no longer safe to assume that only RBI authorised payment systems are covered by the PMLA.

In all this kerfuffle, the important thing to note is that the chimpanzees and marmosets are safe. Blissfully unaware of their status as ‘proceeds of crime’.

Now onto our FinTales menu for the month.

Main Course: Deep dive stories on card network portability, and impact of the data protection bill on fintechs.

Dessert: sweet news about the upward trajectory of the digital payments index.

Mints: a refresher about recent fintech developments.

Takeaways: articles to grab and go.

Main Course

Fintech and the Data Protection Bill

No piece of legislation has taken more punches than our elusive data protection law. You’ve heard this before, but we’ll say it again. The data law is nearly here! The Digital Personal Data Protection Bill, 2023 was introduced in Parliament on 3 August 2023. And this time, the stars may well align for the law to be passed.

The new bill is lean and principle-based and leaves the details to the rules (which will be framed by the government). Once passed, it will affect all businesses including fintech companies that collect and use digital personal data. Read our primer on the law for a quick explainer, and our summary for an overview of the law and changes from the earlier version.

Earlier this year, we listed what fintechs must do to prepare for data regulations. Our three priorities were: know your data, share with care, and tell it all. We discuss a step zero today – know yourself. 

Are you a planet or a moon?
Say you are a payment aggregator or a KYC service provider or an AI-based data analytics service provider. Your clients are entities – not people. The data protection law aims to protect humans (and their privacy), not entities. Does that mean you skip the whole ‘DPDP and what it means for me’ conversation? No, not so fast.

A KYC service provider services a bank. It conducts KYC verification of the bank’s customers for the bank. The service provider sits on large volumes of data. But it hasn’t collected the data in its own right. It only accesses the data to do a task for its enterprise customer – the bank.

Data laws recognise two types of entities:  

(a) Data fiduciaries – those who call the shots about their users’ data. They decide what data is needed, what it’ll be used for, how it’ll be used, and so on.
(b) Data processors – those who only process data on behalf of the fiduciary. They have no independent business having that data if not for the fiduciary.

Under data laws (including our proposed one), it is the fiduciary whose neck is on the line. The law says “Hey bank, your customers trusted you with this data. Whether you do the job yourself or outsource it, it’s your job to protect their data.”

Our solar system analogy for the RBI and its regulated entities works for the data law as well. The data law/ data protection board is the sun, the bank (data fiduciary) is the planet, and the KYC service provider (data processors) are the satellites orbiting the planet.

And so, before you start thinking about how to comply with the law, you must understand your role. Also, just because you’re a processor for one activity, doesn’t mean you are processor for everything you do. The fiduciary/ processor distinction is activity specific. The KYC service provider is a processor when processing bank’s customers’ data on the bank’s behalf. But it may be a fiduciary when it’s collecting training datasets from various sources to train its AI model. Similarly, the KYC service provider is a fiduciary when it collects and uses its own employees’ data.

What you should do as a processor

Once you identify your role, in situations where you are a fiduciary, compliance is your responsibility. (Our primer sets out the basics for you.)

But, what do you do for situations where you are a processor?

The data law doesn’t tell processors what to do. It leaves it to the bank to tell them what to do. Interestingly, while the RBI tells its regulated entities (REs) this is what you must include in your outsourcing agreement, the data law doesn’t. It just tells fiduciaries you must have a contract with your processor. It tells REs a few other things re processors, such as, REs must ask processors to stop processing if a user withdraws her consent to the processing or to delete the data when processing is complete.

The bank will pass on some dos and don’ts, checks and balance onto you – through your agreement with them. For instance, don’t use this data for anything else; if there’s a breach, tell us asap; don’t engage any sub-vendors without getting our approval; make sure your systems are secure; and so on.   Of course, a lot of this is already in outsourcing agreements. But with the new law, there’ll be a new sheriff on the block monitoring this – the data protection board.

As a processor, you must also seek some protections. A KYC service provider has no business having the bank’s customers’ data – without the bank having first legally taken it from its customers. Its right to the data depends on the bank having taken customers’ consent. And so, you must make sure that they’ve done this right. Processors must also seek clarity on what security controls are expected of them, what they must do in case of security incidents, what should they do in case third-parties or government agencies make request for data, and so on. And they must seek to cap their liability, depending on the nature of service they provide.

Card network portability

Typically, the card network of your debit, credit, or prepaid card is predetermined by the card issuer, not you. Earlier in July, RBI released a draft circular which seeks to change this. Before we get to the why and how of it, let’s start with the basics.

Card issuers are financial institutions (like banks and non-banks) that issue you the credit, debit, or prepaid card. Card networks are the bridge between card issuers and acquirers (the bank of the merchant you’re transacting with). They route, process, and facilitate the transaction (between card issuers and acquirers). American Express, Diner’s Club, Visa, Mastercard and RuPay are the RBI-authorized card networks in India. Card issuers partner with these card networks to issue cards. Remember, some card networks can also be card issuers (like American Express).

Now, onto the proposals in the draft circular: It asks card issuers to issue cards powered by more than one card network. So, banks can’t offer cards powered by only one card network – it must at least have two card networks on-board. Customers can also select their preferred card network (amongst the ones offered). Also, no more exclusive tie-ups between card issuers and card networks. Meaning, for instance Visa cannot have exclusive arrangement with say ICICI Bank. The draft circular benefits customers in two ways.

One, it gives them more choice. Currently, customers have a narrower bouquet of networks available to them, primarily because of card issuers’ tie-ups with a single card network. But now, customers don’t have to stick with a network they don’t like. Why is the network choice even relevant, you ask. Well, unique benefits, customer service, and acceptance rate (of the card network) are a few reasons. For instance, certain merchants don’t accept cards affiliated to a particular network. Like Netflix doesn’t accept RuPay cards for subscription payments in India; it accepts only international card networks like Visa, Mastercard, and others. Moreover, a card network may give you unlimited access to luxurious airport lounges or 10X welcome reward points, while others may not. So, customers may want to opt for a network that has wider acceptance and better benefits. But do note that the freedom of choice (to opt for or switch a card network) is a limited one. A customer who wants an American Express or a RuPay card can ask for it only if the card issuer has an agreement with those networks in the first place.

Two, by preventing network failures. Depending only on a single card network can be risky. What if that card network breaks down? Customers across that network will be affected. Like Visa cardholders were, in 2018, when it faced a hardware outage. So, issuing cards on more than one card network will ensure customers are not dependent on a single network. 

While customer-centricity lies at the heart of draft circular, we think there’s more to it. For long, Visa and Mastercard have asked banks (not just in India, but globally too) to maintain exclusivity with them. Of course, this creates an uneven playing field for India’s homegrown network, RuPay. In 2020, market share of Visa and Mastercard (for e-commerce and PoS transactions in India) stood at 49% and 36%, respectively. RuPay retained only 13% of the market. Enough has been done to reduce Visa’s and Mastercard’s dominance. RBI (informally) cajoled banks to favour RuPay. The Indian Government doled out incentive schemes to promote RuPay debit cards. And now, we have the draft circular which cracks-down on exclusive tie-ups with card networks.

So, is this another (covert) attempt to deepen RuPay’s reach? Well, maybe. If it is, we don’t think the draft circular will give RuPay the intended fillip. Reasons: Visa and Mastercard are, quite literally, everyone’s (banks, customers, and merchants) favourite. They dominate the card network universe globally – be it in terms of their fraud detection systems, processing infrastructure, or even the rewards program. At present, RuPay is not well-equipped to compete against the behemoths. “RuPay is a part of our bouquet, but when customers choose a credit or a debit card, they look at the kind of rewards offered. In this, Visa, Mastercard and American Express tend to come ahead”, says a banker. Further, while card issuers must issue cards on more than one network, it’s not mandatory for RuPay to be one of them. Card issuers can choose not to offer RuPay cards at all. In fact, they don’t have much of an incentive to. The zero MDR on RuPay debit cards is a dealbreaker for them.

That being said, does an average customer care about the card network? Do they even want card network portability? Not really, most of them don’t care.

Dessert

Digital Payment Index’s onwards and upwards trajectory

RBI’s digital payment index has increased from 349.30 in March 2022 to 395.57 in March 2023 – a 13% year-on-year growth. Digital payment index measures the extent of digitization of payments in the country based on these parameters: payment infrastructure (like QR codes and PoS terminals), number and value of transactions, customer awareness about digital payments, etc. UPI is one of the biggest enablers of this growth. It already accounts for 75% of the total transaction value in the retail payments segment. With credit on UPI, the adoption and reach of UPI is expected to grow manifold. In July 2023, UPI processed around 9.96 billion transactions worth Rs. 15.34 lakh crores. This set the record for the highest number of UPI transactions processed in a month.

Mints

A new cyber authority for the financial sector?

The Standing Committee on Finance presented its report on cybersecurity and white-collar crimes before the Parliament. The report talks about cyber frauds in the payments and digital lending sectors. Presently, there’s no single framework or dedicated body to oversee cybersecurity in the financial sector. To this end, the committee has recommended to establish a Cyber Protection Authority for the sector. It also recommended creation of robust infrastructure to reduce downtime in critical payment systems (like NEFT, UPI, etc.), to prevent cyber threats.  

CBDC and UPI QR codes to be interoperable soon 

RBI and NPCI are working to make retail-CBDC QR codes and UPI QR codes interoperable. This will enable merchants to accept CBDC payments and UPI payments through the same QR code. RBI wants interoperability, because without it, merchants are unwilling to adopt an additional QR code for CBDC payments. It has also asked banks to promote CBDC by making QR codes interoperable. HDFC Bank has already launched an interoperable QR code.

Sri Lanka and France embrace UPI

India has entered into agreements with France and Sri Lanka, to enable UPI services in these countries. To start with, Indians will be able to make UPI payments at Eiffel Tower in France and Colombo city in Sri Lanka. India is in talks to enable UPI services in Indonesia too.

RBI and Central Bank of UAE ink an MOU on payments system

RBI and UAE’s central bank have signed two MoUs. The first MoU aims to establish a framework for use of local currencies, INR and the UAE Dirham (AED), for cross-border transactions. The second MoU aims to link (a) UPI with UAE’s Instant Payment Platform, and (b) RuPay switch with UAESWITCH (a system for inter-bank settlements). The MoUs will facilitate seamless and cost-effective cross border transactions between India and UAE.

Punjab National Bank’s metaverse bank branch

Punjab National Bank has launched a first of its kind virtual branch called ‘PNB Metaverse’. It will deliver an immersive 3D experience to customers. Through this, customers can avail all banking services (like deposits and loans) virtually, just like they would in a physical branch. With this, Punjab National Bank aims to improve customer acquisition process, increase customer engagement, and provide a hyper personalized customer experience.

Rules for fair use of consent in the AA ecosystem in the works

Sahamati, a collective for participants in the account aggregator (AA) ecosystem, is working on a framework to ensure fair use of customer consent in the AA ecosystem. The framework will prescribe guardrails to protect customers against unreasonable data pulls and potential data breaches. Presently, there’s no transparency on how customer’s data is used by financial information users (in the AA ecosystem).

Financial Stability Board’s recommendations on crypto assets

The Financial Stability Board (FSB) has released baseline recommendations to regulate crypto asset activities and markets. The recommendations, among other things, aim to safeguard crypto investors’ interests and enable cross-border co-operation on all things crypto. FSB unveiled the recommendations during a G20 meeting in Gujarat. For context, FSB is an international body that monitors the global financial sector and offers recommendations to regulate it.

Takeways

  • Are banks more than just ‘museums of technology’?  [Fintech Magazine]
  • 76% of Indian respondents believe that CBDC should pay interest: Survey [Financial Express]
  • On the UPI social network, who do you ‘know’? And who do ‘they know’? [The Ken]

Fintech firms fear disruption as Jio Financial readies entry plan[Economic Times]

Image credits: Shutterstock

That’s it from us. We’d love to hear from you. Write to us at contact@ikigailaw.com to chat with our team about all things fintech regulation and policy.

See you next month.

If you enjoyed this edition of FinTales, do share it.

Challenge
the status quo

Sparking Curiosity...