You cannot have your cake and eat it too
This proverb always confused me. Why, I thought, if I have the cake can’t I eat it? I imagine it’s a perfectly nice cake – chocolate, pecan, carrot (the possibilities are endless) – what stops me then. Turns out the proverb isn’t as idiotic as I thought. And if you (like most sensible folks) know what this proverb means, then please skip this part. Move on to the newsletter – read about what’s new in fintech – and spare us the embarrassment. But for anyone as befuddled by this proverb as I was, let me tell you about it: Once you’ve devoured your cake, you can’t have it. It was athing of beauty; but it’s gone now. So before applying cake to face, you must decide: do you want to possess the cake or ‘eat it’? You can’t have both. I, for one, vote eat (in case anyone was asking).
Now before you close this newsletter, in search of cake (a perfectly noble pursuit), let’s start by asking if fintech players can partake in heavily regulated functions like moving, lending and investing public money – without regulatory throttlers. Can they, have their cake and eat it too? In this edition of FinTales, we cover a few stories that probe this duality.
UPI may soon dominate credit if regulation is favourable. Account aggregator framework goes live. Positive regulations revive e-wallets or pre-paid payment instruments (PPIs). Card payments are here to stay. NUE framework is still not out of the woods. And RBI is committed to ensuring effective financial regulation.
Let’s dive in!
UPI’s uber can take credit to places
Moving money through UPI is like taking an Uber between two deposit accounts. UPI picks money (already lying-in deposit accounts) and moves it to another deposit account, like bank accounts and PPI accounts.
But what if UPI could travel to and from other destinations? Like loan accounts, fixed deposits, or liquid mutual funds. What if you could pay through UPI by accessing a short-term loan from a digital lender? We conducted a LinkedIn poll few weeks ago, where we asked participants which underlying account they would prefer to make UPI payments: 36 % respondents chose credit products. Credit on UPI, we think, is a powerful value proposition.
But the regulatory landscape for credit on UPI is fuzzy. Right now, only bank and PPI accounts can be the underlying asset to pay through UPI. NPCI enabled credit through overdraft (OD) of bank account under UPI 2.0. But it prohibits any other form of credit through UPI. In July 2021, NPCI reportedly asked fintech players to stop offering non-compliant UPI credit products. Although recently the NPCI started reconsidering the potential of credit on UPI. It is reportedly consulting industry players to enable popular credit products like buy-now-pay-later through UPI rails.
The success of credit on UPI also hinges on fintech players. Tech players like GooglePay and Phonepe were key to UPI’s success. They have enabled mass adoption of UPI through their technical expertise and vast marketing budgets. Growth of digital lending is also attributed to tech players like Lazypay and Simpl. They enabled cheaper and quicker loans. So, NPCI regulations must also allow tech players (regulated and unregulated) to participate in the UPI credit ecosystem. All in all, the success of credit on UPI depends on how effectively and quickly RBI and NPCI frame the regulations and work together.
Data is the new commodity with account aggregators
RBI’s account aggregator (AA) framework going live grabbed headlines this month. Top Indian banks are already part of the AA system. CAMSfinserv, Finvu, NADL and Onemoney are licensed AAs. And Perfios, PhonePe and Yodlee have in-principle AA approvals.
Here is a brief recap: AAs are NBFCs which enable data sharing with user consent. They provide the pipes through which data flows between financial information providers (FIPs) and financial information users (FIUs). Any company regulated by a financial sector regulator (RBI, SEBI, IRDAI or PFRDA) can participate in the AA ecosystem as an FIP or FIU. For e.g. through the AA system, your mutual fund house can share data about your investments with your bank to establish your creditworthiness. Or your existing bank can share your bank statements and transaction data with digital lenders. This will help the digital lender understand your income, savings and expenditure patterns. And it will be able to assess your overall creditworthiness and recommend custom fit financial products.
The AA system will boost innovation in the financial sector because incumbents will not be able to use data to hold customers hostage within their walled gardens. Instead, they must compete on the quality of their product and service. The AA framework makes data a commodity and service/product quality the differentiator.
A new skin for PPIs
After multiple regulatory blows, the RBI is trying to resuscitate PPIs. Last month, RBI also reclassified PPIs as closed, small and full-KYC PPIs.
- Closed PPIs continue to be unregulated.
- Small PPIs are sub-classified: with and without cash loading facilities. Cash withdrawal and fund transfer from small PPIs is not permitted.
- Full-KYC PPIs can offer cash withdrawal and fund transfer features. Banks as well as non-banks can issue full-KYC PPIs.
Non-banks can now permit cash withdrawals from full-KYC PPIs at par with banks. Which makes these full-KYC PPIs issued by non-banks a viable alternative to savings accounts offered by banks. This is especially important for low-income users and rural users who may not have access to traditional banking channels.
Another key change is that PPI authorisation is now granted in perpetuity. Earlier the authorisation was valid for 5 years, after which the PPI issuer had to apply for renewal. Perpetual PPI registration will reduce red tape. Also, customers of non-bank PPI issuers (like PhonePe) will have recourse to the Ombudsman Scheme for Digital Transactions. Which till now was only available to customers of bank issued PPIs (like ICICI Pocket).
It’s a hawk, it’s a dove, it’s an owl … it’s RBI
“RBI is neither a hawk, nor a dove. But is actually a
vigilant owl.” – Raghuram Rajan said this in 2014 while defending an RBI policy. RBI appears to
be living up to this reputation recently. The Indian financial services sector
has seen unprecedented growth. And with this, RBI’s penal actions against
regulated entities have become stricter.
Until 2019, RBI imposed smaller penalties for violations. In 2020, RBI notified a detailed framework for imposing monetary penalty. After which there was a noticeable increase in quantum of RBI penalties. In May 2021, RBI imposed a fine of Rs. 10 crores on HDFC Bank for irregularities in the bank’s loan portfolios. In July 2021, RBI imposed fines ranging between Rs. 1-2 crores on 14 banks for irregularities and non-compliance. Besides banks, RBI has been imposing considerable penalties on non-banks too. Last month, RBI penalized five payment operators for non-compliance with RBI guidelines like KYC norms. Besides imposing fines, RBI also took some one-of-a-kind punitive actions last year. Like RBI banned HDFC bank’s new digital offerings due to tech outages. And barred MasterCard, American Express and Diners Club from onboarding new customers as they failed to comply with data localisation norms.
In global financial regulation, fines have been an effective deterrence technique. Fines imposed on the financial sector rose by 27 % in 2020, compared to 2019.
Besides the cost and operational inconvenience, RBI’s penal actions also cause reputational concerns for financial entities. They may impact stock prices of established players in the short term. And they could take down smaller and newer players who still have not gained the public’s confidence. So, regulated entities in the financial services space need to be more careful. Non-compliance with KYC, anti-money laundering norms and data privacy norms are some key concerns for regulators globally (including the RBI). So, the regulated entities will see increase in their compliance costs. But in the long term, effective compliance will boost customer confidence, weed-out non-compliant and inefficient entities, and create a more stable financial ecosystem.
RBI has been playing hard-ball on the card details storage norms. It asked payment aggregators (PAs) and merchants to stop saving card details from 1 January 2022. The goal was data security. Despite industry objections, RBI did not budge. Instead, it suggested tokenisation as a solution. We wrote about this in the July edition of FinTales. But what is tokenisation? Why were industry players unhappy with RBI’s earlier policy? What has changed now? And is the revised policy a viable solution?
Tokenisation aims to strike a balance between security and convenience. Merchants and PAs can store tokens – which are irreversible and non-sensitive placeholders for card details. There are two types of tokens: Card-on-file tokens (CIF Tokens) and Device tokens (Device Tokens). CIF Tokens are linked to card details saved with the issuing entity or card networks. On the other hand, Device Tokens are generated by card networks. And linked to a cardholder’s device like laptop, mobile and smart watch. The entities which are allowed to store card details and generate tokens are token service providers (TSPs).
In 2019, RBI allowed card networks to operate as TSPs. And issue Device Tokens only for mobile phones and tablets. In August 2021, RBI extended the scope of Device Tokens to desktops, wearables and Internet of Things devices. In September 2021, RBI allowed CIF Tokens too. And allowed issuing banks (in addition to card networks) to act as TSPs.
RBI is hopeful that tokenisation’s expanded scope will minimise friction at the customer’s end. While ensuring data security. But will this promise hold? Tokenisation is a complex technology. Issuing banks must work with their technology partners to act as TSPs. Card networks like MasterCard and Visa have technological sophistication to implement this technology. But issuing banks still operate on their legacy networks. And may need more time for implementation. So, 4 months from now will not be sufficient time.
While expanding the scope of tokenisation is a step in the right direction, it is not enough. Merchants are already shifting to alternatives like UPI autopay for recurring payments. This might lead to further concentration risk in UPI. Merchants will also become dependent on TSPs for processing card-based transactions even if they follow the prescribed security standards. For their part, customers have little choice over payment methods because card-based recurring payments now involve significant friction. So, we hope that the RBI will extend the deadline further and encourage parity between different payment methods. After all, RBI also wants to ensure implementation of the norms without any disruption in customer convenience.
RBI and NUE: it’s a long story
RBI’s New Umbrella Entities (NUE) framework attracted interest from banks, fintech players, industry houses and tech giants. 6 consortiums applied for the NUE license. Many of these consortiums had foreign big tech players like Amazon, Google, Facebook and MasterCard as their members. But a few bank employee unions and civil society organisations requested RBI to review the NUE framework. These bodies are concerned about entry of foreign companies in the Indian retail payments space. They fear that NUEs will disrupt NPCI’s operations and compromise India’s data sovereignty. We wrote about this in the FinTales June edition. After a brief lull, last month, reports about new developments on the NUE framework were abuzz.
At first, RBI reportedly put the new payment network plan on hold. Citing the data security concerns if the foreign entities operate NUEs. The RBI recognises that UPI is too big to fail and NUEs were meant to reduce concentration risk in retail payments. But recently the RBI set-up a five-member panel on NUE licenses. The panel will assess risks around the NUE framework including data privacy considerations. At least two NUE licenses may be doled out in the first phase.
RBI’s back and forth on its own policy might not bode well with the industry. Specially the industry factions who have invested time and effort to make NUE applications. We hope that the RBI’s NUE panel dispels the concern around participation of foreign players. Who are anyways deeply entrenched in payments systems like UPI. In addition, NPCI should also be turned into a for-profit entity. And NPCI’s regulatory functions should be separated from its role as a market participant. Converting NPCI into a for-profit entity will provide more liquidity and enable it to compete with private players. As a for-profit company, NPCI can pay dividends to shareholders which will incentivise investments. And NPCI can then use its expanded financial resources to improve infrastructure and develop new products. This will be a win-win for customers, NPCI and foreign players.
That’s it from us, folks.
Tell us what you think about the developments we covered. Or if you’d like us to cover any other development in the next edition.
If you missed our previous editions, you could read them here.
Write to us at email@example.com
See you in October!
Ikigai Fintech Team