RBI’s increased scrutiny of new Mauritius and Cayman investments into PSOs, new KYC rules, draft offline Aadhaar regulations, and more...
15 Jun 2021 — LEGAL AND COMPLIANCE — MONEYRULES
Welcome to MoneyRules, a fortnightly newsletter from Setu written by Atulaa Krishnamurthy and Vinay Kesari. We’ve been on hiatus for the last few weeks as the Covid second wave rearranged priorities, but we’re now back to our fortnightly update schedule, and hope you are all safe, healthy and (CoWin-willing) on the road to vaccination.
In this edition of the newsletter, we cover the RBI’s increased scrutiny of new foreign investments into payment systems operators; changes to KYC rules that finally unlock a fully-presenceless account opening experience for individuals and corporates; draft changes to the Aadhaar regulations that flesh out offline Aadhaar verification; and track the latest on RBI’s regulatory stance on crypto.
RBI caps investments from Mauritius and Cayman into new payments companies
Any new investors from Mauritius, Cayman or other countries flagged by the FATF as high-risk, into existing payment system operators (PSOs) or entities applying for PSO registrations, can hold only up to 20% of the voting power in such entities.
The longer story:
As we had previously covered, the Financial Action Task Force (FATF) over the last year had added Mauritius and the Cayman Islands to its ‘grey list’, highlighting the inadequacy of their AML/CFT measures. As a result, the RBI began to reject NBFC applications from entities that had any investment from these jurisdictions. The RBI later partially relaxed this stance, and placed a cap of up to 20% voting power on investments by new investors from these jurisdictions into NBFCs or NBFC-applicants.
It was however left unclear whether the RBI had similar concerns with respect to other types of licensed entities such as PSOs, and if so what rule they would apply. This was of specific concern to applicants for the new Payment Aggregator (PA) license, with the June 30 application deadline (now extended to September 30) fast approaching. The reason for the concern is obvious - out of the dozens of potential PA applicants, many are VC-backed startups with foreign investment routed through pooling vehicles in one of these two jurisdictions.
On June 14 the RBI put speculation to rest and clarified that, similar to NBFCs, PSOs would also be subject to a 20% voting power cap on new investors from FATF non-compliant jurisdictions. Specifically, the RBI requires new investors from these jurisdictions to ensure they do not directly or indirectly hold ‘significant influence’ in their investee PSOs. Notably, to safeguard business continuity, this absolute 20% voting rights threshold does not apply to existing investors in PSOs, who can continue to hold their stakes in such companies, and infuse additional capital if necessary.
What does this mean for existing PSOs and for those who are in the process of applying for a PSO license?
If you already have a PSO license (e.g. a PPI/wallet license), it’s likely business as usual and you can continue to raise additional funds from your existing investors without worrying about how the investment is routed. However, funds from new investors will be subject to this 20% rule.
If you have filed or are in the process of filing a PSO application (such as for the PA license), it’s possible that the rule will operate similarly. However, this will depend on factors such as which date is relevant while judging who/what constitutes a ‘new investor/fresh investment’. Expect more clarity on this in coming weeks as people put their heads together and discuss these issues.
RBI allows full-KYC accounts to be opened through a completely presenceless process
Banks and NBFCs can now:
(i) open full fledged accounts through a video-based customer identification process (or V-CIP) for individuals, as well as authorised signatories of legal entities,
(ii) use V-CIP in conjunction with one of 4 electronic KYC methods to constitute a full KYC: Aadhaar eKYC & offline XML, DigiLocker, and CKYC.
Expect fintech and bank app-based onboarding flows to get a whole lot simpler and more powerful.
The longer story:
Over the last few years, amendments to the RBI’s KYC Master Direction have signalled a steady shift towards a more paper-free customer onboarding process for banks and NBFCs. One development was the acceptance of electronic versions of officially valid documents (OVDs), provided they’re created and digitally signed by the authority who originally issued the document. This, mirroring amendments to the PMLA, also included electronic documents accessed through DigiLocker. Another prescient move (mere months before COVID hit) was the introduction of V-CIP as an alternative to in-person verification for individual accounts. Since then, the RBI has also expanded the scope of the Central KYC Registry (CKYCR) run by CERSAI to include corporate accounts in addition to individual accounts.
On May 5th this year, the RBI Governor’s speech announced three changes to the KYC norms to enhance customer convenience, which were notified in the Master Directions shortly after (“Amendment”):
Expanded scope of video verification: Until May 10, V-CIP was an option available solely to onboard new individual customers. Financial institutions may now carry out V-CIP for sole proprietors, authorised signatories and beneficial owners of legal entities like companies, and all persons required to update their KYC information from time to time.
Upgrade of Aadhaar OTP-based ‘partial KYC’ accounts to Full-KYC accounts through V-CIP: The sole ‘contactless’ customer verification process open to financial institutions thus far has been through Aadhaar OTP-based authentication. This, however, counted only as ‘partial-KYC’, with both time limits (1 year) and deposit and loan limits (INR 1 lakh and INR 60,000 respectively) placed on these accounts. Thanks to the Amendment, these accounts can be upgraded to full-KYC accounts by repeating OTP authentication and carrying out V-CIP of the account holder.
Periodic KYC updation: Financial institutions are required to update KYC records of their customers at a frequency that depends on each FI’s internal risk policies - high risk customers every 2 years, medium risk customers every 8 years, and low risk customers every 10 years. While self-declarations will suffice in case of no change in the customer’s KYC information, any modification will require FIs to carry out fresh customer due diligence. This fresh CDD process can also now be carried out via V-CIP.
The Amendments open up possibilities for a completely digital account-opening process for individuals as well as corporate customers. A company earlier needed to submit physically attested copies of its constitutional documents, a power of attorney, PAN certificate and board resolution, and have its authorised signatory undertake in-person verification prior to opening an account with a bank. With these Amendments in effect, the company could potentially share digitally signed copies of its MoA, AoA and PAN from DigiLocker, complete a corporate CKYC process which attests who the authorised signatory is, and have this signatory do a V-CIP, to complete all required KYC processes.
It’s important to remember, though, that any V-CIP process must also meet certain baseline technological requirements prescribed by the RBI, such as cyber security norms and VA/PT audits, and that related infrastructure must necessarily be housed within the FI’s premises. V-CIP can also be conducted only by ‘an official’ of the FI, and must take place in real time. While the Directions do contemplate ‘technological outsourcing’, they also clarify that ‘assisted V-CIP’ can only take place through Business Correspondents who may offer support at the customer’s end. FIs, and startups working on building V-CIP tech, will need to make sure their solutions meet these specific requirements.
Finally, KYC and customer due diligence is just as much an internal risk call as it is a function of RBI and PMLA compliance. While the RBI has given the change its blessing, the success of any shift to a paperless onboarding journey can only be ensured by financial institutions. It is up to banks and NBFCs to rework their processes, and accommodate e-document collection & V-CIP in a manner that gives them comfort against potential frauds and satisfies their own risk-based customer onboarding policies.
Draft Aadhaar Regulations flesh out obligations for entities seeking offline verification
UIDAI released a draft of the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (“draft regulations”), that sets out the ways in which offline verification can be performed, and obligations on offline verification-seeking entities (or OVSEs). The draft is open for public comments until June 21.
The longer story:
UIDAI introduced the concept of ‘offline verification’ of Aadhaar in the Aadhaar (Amendment) Act, 2019, allowing entities a window to verify the identity of an Aadhaar number holder without undertaking Aadhaar authentication, in ways that would be ‘specified by regulations’. The draft regulations, released on May 20, seek to fill in this gap.
To highlight a few standout provisions, the draft regulations allow OVSEs to perform offline verification through:
(i) QR Code verification,
(ii) Paperless Offline e-KYC verification, using the XML file and share code available on the UIDAI Offline KYC Service Website and shared by the Aadhaar holder,
(iii) e-Aadhaar verification, and
(iv) Offline, paper-based verification.
The draft regulations also specify that all entities that are barred from collecting and storing Aadhaar numbers will have to redact the first 8 digits of the identifier before storing any copies of the Aadhaar letter, as permitted above.
OVSEs must also:
(i) specify the uses to which the information received during offline verification will be put, to the Aadhaar number holder,
(ii) offer alternate means of identification, and inform the user that no service will be withheld if they refuse offline verification,
(iii) collect and store consent of the user prior to offline verification. They must also allow the user to withdraw such consent, delete the Aadhaar data upon withdrawal, and confirm the same to the user,
(iv) ensure that they do not perform offline verification on behalf of any other entity, and
(v) ensure compliance with applicable regulation, even if they sub-contract a part of their operations to another party.
Some respite for crypto HODLers, traders, and exchanges as RBI instructs banks to stop citing its 2018 circular
RBI clarifies that banks making reference to its 2018 circular to restrain customers from dealing in virtual currencies was ‘not in order’. It also took the opportunity to remind banks to continue carrying out customer due diligence under KYC and AML regulations.
The longer story:
As those of you trying to ‘buy the dip’ might have found out to your dismay, many leading banks stopped dealing with crypto-exchanges over the past few weeks, reportedly acting on informal guidance from the RBI. After closing down bank accounts held by some crypto-exchanges, at least two major banks were reported to have emailed individual customers cautioning them against dealing in crypto currencies. The RBI’s 2018 circular on the subject, which has since been quashed by the Supreme Court, was cited as the basis for both these moves.
On 31st May, the RBI issued a swift clarification distancing itself (and the 2018 circular) from the move. Given that many entities had considered approaching the Supreme Court again to resolve their crypto woes, it’s clear that the RBI was keen to detach itself from any move that could be viewed as a disproportionate restriction on the right to livelihood (to paraphrase the Court’s views on the 2018 Circular).
The effect of the RBI’s clarification is that banks can no longer use the 2018 circular as a reason to cease all dealings with virtual currencies. As with so much else in the Indian crypto world today, it is unclear whether this move will comfort banks enough to roll back their recent decisions (and to work with the sector to put KYC/AML policies in place), or whether they will continue to snub crypto-businesses citing internal risk policies.
Here are a few news pieces and developments that caught our eye this past month:
The excitement of the RBI’s announcement aside, crypto exchanges had previously indicated a clear preference for SEBI over the RBI as sector regulator (paywall), arguing that crypto should be viewed as more of an asset than as a currency.
By some accounts, the joint parliamentary committee reviewing the Personal Data Protection Bill is in the finishing stages of its draft report.
As we covered in our previous edition, the RBI notified changes to the PPI framework, mandating interoperability for full-KYC PPI issuers, while also increasing their maximum limit to INR 2 lakh, and allowing cash withdrawals of up to INR 10,000 a month.
Given pandemic-related constraints, the RBI announced relaxation of compliance timelines on multiple fronts. Most crucially, the deadline for existing payment aggregators to apply for registration has been extended from June 30th to September 30th. PAs and merchants holding card data on their systems, however, will still have to find workarounds to this approach by December 31st, 2021.
ET reports that the Payments Council of India is in the process of submitting its application to act as a Self Regulatory Organisation for digital payments.