“The quicker you let go of old cheese, the sooner you find new cheese.”
– Spencer Johnson, Who Moved My Cheese?
Neo-banking is the proverbial new cheese in India’s fintech ecosystem. But are e-wallets the old cheese?
Welcome to this month’s edition of FinTales. If you missed our previous editions, you could read them here. Write to us if you (or someone you know) wants to subscribe.
In this edition, we talk about the future of neo-banks. RBI making interoperability mandatory for e-wallets or pre-paid instruments (PPIs). Cryptocurrency developments that left the industry guessing (again). Foreign banks grappling with data storage rules. And finally, NUEs being back in the news.
It has been an interesting month.
The neo-banking Catch 22
Indian neo-banks Niyo, Open, and RazorPayX raised a colossal USD 90 million last year. At their core, neo banks offer financial products (issued by regulated entities like banks or NBFCs). Over which they layer a bouquet of value-added services. Like cash management, invoicing, personal finance, budgeting, and others.
Although investments are pouring in, neo-banks remain loosely regulated. Which is good and bad. Good because it gives neo-banks elbow room to innovate. And bad because it adds regulatory uncertainty to the neo-banking model. RBI could (at any time) choose to regulate neo-banking. Like it did in the payment intermediation, peer-to-peer lending, and payment aggregation space. Direct regulation disrupted each of these industries. As it would neo-banking.
As of now, RBI does not issue ‘neo-bank licenses’. Even using the word ‘bank’ in neo-bank is a regulatory sticky point. RBI regulates banks and NBFCs, which in turn partner with neo-banking platforms. So neo-banks are indirectly regulated by a patchwork of RBI guidelines which pre-date the fintech era. Regulations also disable neo-banks from taking some core decisions about financial products issued on their platform. These remain the bank’s forte.
So, neo-banks are caught in a catch-22 situation. Without direct regulation neo-banks can scale without the cost and friction of compliance. At the same time, the threat of potential regulation looms. And till then, neo-banks are dependent on banks to take core decisions about their products.
PPIs bounce back
A decade ago, PPIs were the poster child for digital payments in India. They were convenient, easy-to-use, and came loaded with exciting cashbacks and rewards. The idea of a ‘digital’ wallet struck a chord. But as users became familiar with digital payments, alternate products saw more adoption. RBI licensed payments banks. Card transactions became cheaper. And UPI became a run-away success.
But PPIs are still important in promoting digital payments in India, especially for small-ticket transactions. And RBI wants to bolster their adoption. To that end, it notified revisions to the Master PPI Guidelines last month.
These are the changes:
Mandatory interoperability: All PPI issuers must offer interoperability for all KYC-compliant PPIs by March 31, 2022. Which was optional so far. Users can now send and receive money from various e-wallets (like PhonePe, MobiKwik, Paytm). Interoperability will be offered using the rails of UPI (for PPIs in the form of wallet) or card networks (for PPIs in the form of cards).
PPIs with full-KYC can hold up to INR 2 lakh: The total amount one can hold in a KYC compliant PPI is increased from INR 1 lakh to INR 2 lakh.
Cash withdrawals allowed for KYC compliant PPIs: Till date, users were allowed to withdraw cash only from open PPIs (which only a bank can issue). RBI has now extended this facility to KYC compliant semi-closed PPIs issued by non-banking entities too. Withdrawal limits are capped at INR 2000 per day and INR 10000 per month.
RBI’s attempt to revive PPI has come at the right time. Especially since UPI transactions are increasingly failing. And card payments have faced security concerns. Greater adoption of PPIs will spread the transaction load among various payment modes. And give PPI issuers more room to innovate.
Where are crypto regulations in India headed?
Spoiler alert: we are mulling over the same question. Recent developments have been such a roller coaster that it is difficult to predict where things might go next (much like Bitcoin’s price). NPCI refusing to ban crypto trades. Banks citing RBI’s 2018 circular to block crypto transactions. And then RBI clarifying that the said circular is defunct. It almost feels like a game of ‘pass the ball’ where no one is pressing pause.
While several stakeholders are seeing RBI’s notification as a positive, the move is fraught with open questions. The notification stops banks from using the 2018 circular. And asks them to undertake customer due-diligence in line with the KYC, AML, CFT guidelines. But it nowhere promotes or gives credibility to cryptocurrencies. This rolls the ball back to the banks. Where they can deny service citing KYC, AML, or CFT-related risks. Most crypto exchanges continue to face resistance and have no access to formal banking channels. RBI has further clarified that its stance on cryptocurrency is unchanged. And it continues to have ‘major concerns’ with it – putting at rest all rumours around legitimacy.
Despite RBI’s statements not helping much, the industry is consolidating and responding bravely. Major players like WazirX, CoinDCX, and CoinSwitch Kuber have come together through IAMAI’s Blockchain and Crypto Assets Council (BACC) to oversee implementation of its self-regulatory code. The code requires all crypto exchanges to voluntarily comply with KYC, AML, CFT regulations and other company and taxation laws. While banks will still have their say, adherence to these best practices will make it harder for them to deny service on KYC, AML, or CFT grounds. Efforts from other industry associations and experts advising against a total ban also strengthen the industry’s stand.
As India awaits a new law on cryptocurrencies, we hope that the government and the RBI realise the potential of cryptocurrencies and take a positive outlook.
RBI’s quest for data localisation pushing payment players to the wall
In 2018, RBI asked payment companies to store payments data locally (on Indian soil). For the next 3 years, companies struggled to comply, while expressing their discomfort with the rules. While the RBI insisted on compliance, it did not take any strong action.
Then came 2021. A year marred with data leaks and cyber-attacks on several payment and tech companies. In response, RBI introduced several measures to improve payments data security. Like, it prohibited merchants and payment aggregators from storing card data. Addressing the issue of non-compliance with data localisation norms also became a priority.
In April this year, RBI asked all payment system operators to submit a report confirming compliance with RBI’s data security and storage norms. RBI also restricted American Express and Diners Club from on-boarding new customers, as both were in breach of data localisation norms. With global players like Visa, Mastercard, and WhatsApp already in compliance, RBI is pressing others to follow suit. Even if this deters some foreign players from entering Indian markets, or hampers growth and innovation.
But does data localisation equal data security?
To answer this, let us zoom out. Why did RBI introduce data localisation norms in the first place? RBI wants unfettered control and better monitoring of payments data. Presumably, to ensure data security.
But does data security depend on territorial location? What if storing data at other locations (in some instances) with better technological advancement offers better protection? More so when there are challenges in incorporating such advanced security checks in local servers.
So, data localisation is not the panacea for data privacy and security. And a patchwork of sector specific data protection laws may not work. A lack of regulatory clarity will also spook global players. A comprehensive data protection law is necessary. The Personal Data Protection Bill 2019 will hopefully fill this gap once it becomes the law.
Industry associations ask RBI to re-think its NUE policy
RBI’s invitation to set up a New Umbrella Entity (NUE) for retail payments was hard to ignore. And this made the first quarter of 2021 chaotic. As the deadline neared, everyone from banks and fintech players to industry houses and tech giants wanted a seat at the table. And ultimately six cohorts applied for a license.
While RBI is yet to decide who gets the license, industry associations have asked RBI to rethink the NUE policy. The letter sent to the RBI largely challenges the bid made by tech giants. And argues that the entire NUE framework is a bad idea. The associations represent that India’s critical payments infrastructure should remain not-for-profit and monopolised, just like currency. Competition between NPCI and NUE will harm India’s digital payments infrastructure. Especially since NPCI is a not-for-profit entity and NUEs are not. They also submitted that allowing multi-national companies to operate NUEs will compromise India’s data sovereignty. Since they may abuse data for profits.
The associations’ stand seems extreme and somewhat misplaced. Yes, it is critical to safeguard India’s digital payment infrastructure. But closing out competition may discourage innovation.
Effective regulation can minimise the risks that the associations anticipate. For instance, allowing multi-national companies to run NUE may not hamper data sovereignty. NUEs will be governed by the same rules as any payments system in the country. So, the concern over MNCs abusing data is misplaced. The solution to data privacy concerns is robust governance. Not scrapping the NUE process itself.
RBI needs greater participation from both traditional banks and tech players to continue India’s digital revolution. Which is one of the reasons it introduced the NUE framework. And it will be interesting to see if RBI blinks after the industry associations expressed their concerns.
Tell us what you think about the developments we covered. Or if you’d like us to cover any other development in our next edition.
Write to us at firstname.lastname@example.org.
See you in July!
Ikigai Fintech Team