Welcome to MoneyRules, a fortnightly newsletter from Setu written by Atulaa Krishnamurthy and Vinay Kesari. Financial services is arguably the most regulated sector of every economy, which means that fintech companies looking to move fast and break things are likely to find themselves on a quick collision course with a powerful regulator. Regulatory changes can (and often do) make or break fintech products overnight, which means keeping on top of these changes is critical to your business. We aim to alert you to these changes, provide context, and demystify where necessary.
This edition, we cover the RBI’s comprehensive new security rules for digital payments products; the latest developments in the race to set up a new NPCI-like payments company; and new headaches for fintechs with NBFC aspirations as the FATF adds the Cayman Islands to its grey list. It’s also been a happening fortnight for social media platforms internationally - hot on the heels of a game of brinkmanship with Australian lawmakers, Facebook and Google (along with others such as Netflix and Prime Video) have far-reaching new Indian regulations to contend with. We help decode whether these will matter to fintechs.
FATF greylist expands to include the Cayman Islands
The TL;DR: Fintechs keen on NBFC licenses will need to ensure their investors coming through investment vehicles in Mauritius and the Cayman Islands collectively hold voting power of 20% or less.
The full story: In our last newsletter, we had highlighted the RBI’s de facto bar on NBFC applicants with any investment from FATF non-compliant jurisdictions. This was of specific concern to VC-backed fintech startups, since a significant chunk of such funding flows through vehicles based in Mauritius, which has been on the FATF ‘grey list’ since early 2020. However, last month, the RBI relaxed this bar slightly, and allowed these investors to hold up to 20% of the voting rights in such applicant entities. This was welcome news, especially when coupled with reports that Mauritius appeared to be approaching a détente with the global AML watchdog.
In a surprise move this week, the FATF added the Cayman Islands (another favoured investor domicile), to its grey list of countries subject to increased monitoring. Fintechs will now need to ensure that investments routed through Mauritius and the Cayman Islands do not give rise to direct or indirect voting rights beyond the 20% limit. They will also need to factor this in while undertaking any restructuring exercises designed to bring them within the 20% limit.
RBI releases Master Direction on Digital Payments Security Controls
The TL;DR: In light of recent IT infra outages at major banks and a major leak of credit card information, RBI issued guidelines consolidating and enhancing rules relating to payment standards, monitoring of security of internet, mobile, and card payment transactions, and customer grievance redressal.
The full story: The Master Direction places baseline security requirements on regulated entities (banks and card-issuing NBFCs), which are required to be instituted within 6 months of the date of the guidelines. These include formulation of an internal digital payments security policy and periodic vulnerability assessments on their systems. It also calls out the need to address third party security, fraud and downtime risks through oversight, penal provisions for breach, and robust UAT tests. It also introduces a source code escrow requirement for “digital payment applications that are licensed by a third party vendor” to a regulated entity.
The corollary to RBI’s emphasis on payment information security standards for banks and NBFCs has been a ban on other entities storing certain types of card data altogether. With effect from July 2021, payment aggregators and merchants have been instructed by the RBI to stop storing customer card information on their databases or on servers accessed by merchants. A representation by merchants such as Amazon, Flipkart, Microsoft and Zomato seeking exemptions for PCI-DSS Level 1 compliant merchants has reportedly been refused by the RBI as well. This puts at risk established customer-friendly transaction modes such as card-on-file, and may signal a regulatory emphasis on tokenisation of card information.
Four consortiums to apply for NUE license as RBI extends application window
The TL;DR: Four ‘supergroups’ consisting of banks, large corporates and fintech players, are vying for two licenses that the RBI is giving out to operate an NPCI-esque umbrella entity for retail payments. RBI has extended the date of applications to 31 March 2021.
The longer story: For some background on why this matters, nearly 60% of all digital retail payments pass through the NPCI infrastructure around UPI and IMPS. With the intent of decreasing what they see as a concentration risk, the RBI put out a framework inviting applicants to act as umbrella entities for retail payments. These entities are proposed to operate for-profit, and perform a similar role to that played by NPCI today.
These services include operating their own payments systems (which may be interoperable with NPCI), offering clearing and settlement services, and pursuing any other line of business that strengthens digital retail payments in the country. Two key asks of these entities are an INR 500 crore net worth requirement, and that each promoter hold at least 10% but no more than 40% of the ownership of the company. This has given rise to a motley crew of established names in the banking, fintech and corporate worlds coming together to form consortiums hopeful of securing an NUE license.
Here’s what we know from reports by ET of the 4 consortiums in the running:
Reliance, Infibeam Avenues (the folks behind CCAvenue), Google and Facebook,
Tata (through its subsidiary Ferbine), HDFC Bank, Kotak Mahindra Bank, Airtel, PayU and Mastercard,
Amazon, ICICI, Axis, Visa, PineLabs and BillDesk,
PayTM, Ola Financial and IndusInd Bank.
For a rundown of what each group’s respective play as an NUE could be, check out this twitter thread by the ET team that broke these stories, and this one by Sanjay Elangovan on why the prospect is of particular interest to banks (it has to do with zero MDR!).
The TL;DR: While the new Intermediaries Rules are the most significant overhaul of India’s internet regulatory regime in a decade, they won’t have a significant impact on fintech companies.
The longer story: After nearly two years of back and forth, the Government notified new rules for internet intermediaries and a ‘code of ethics’ for digital media companies. They replace the existing intermediaries rules, and some of the biggest changes they make are:
In case of content takedowns, intermediaries are now required to act only on court or government orders, removing the broader language in the old guidelines.
In cases of content takedowns, intermediaries will need to retain information and records for 180 days to assist with investigations.
User registration information will need to be retained for at least 180 days after the user has deleted or cancelled their account.
Entities classified as ‘significant social media intermediaries’ have additional obligations, including:
enabling identification of the ‘originator’ of a message (also known as traceability), though this can only be mandated as a last resort, and the provision leaves legal room for keeping end-to-end encryption intact
having a dedicated Chief Compliance Officer and other staff to liaise with law enforcement, all of whom must be Indian residents, and having a physical address in India
expressly demarcating sponsored, promoted, and proprietary content, in order to distinguish it from regular user-generated content
deploying automated tools to detect and remove content depicting sexual violence and child sexual abuse
In addition, the rules establish a sprawling new regulatory regime for streaming platforms with proprietary content (such as Netflix and Prime Video) and for digital media such as online news publications. They have been brought explicitly under the Ministry of I&B, and made subject to almost identical content standards as broadcast and satellite television.
While some fintechs fall within the definition of ‘intermediaries’, the new rules are likely to have negligible impact on them since they deal mostly with content-related issues relevant to social media, communications, and streaming platforms.
Some articles that caught our attention this fortnight:
In Bloomberg Quint, Bhargavi Zaveri questions the need to apply stringent KYC requirements to payment gateways, given that they facilitate movement of funds between accounts that have already undergone KYC/AML processes with RBI-regulated entities.
Medianama reported that the Blockchain and Crypto Committee of the Internet and Mobile Association of India (IAMAI), an industry body of crypto-exchanges, has finalized a Code of Conduct mandating KYC checks, record maintenance, audits and consumer protection measures. This comes at a time when the industry awaits the introduction of the proposed Cryptocurrency Bill 2021 (which may or may not be tabled in the ongoing Parliament session).
Crypto-exchanges aren’t the only ones bracing themselves for the Bill. ET reports that SEBI is informally instructing IPO-hopeful promoters to sell any crypto they might hold, for fear that public funds might be used to purchase ‘illegal assets’.
The RBI’s Report on Currency and Finance 2020-21 (pages 152-154) contains a useful rundown of its current thinking with respect to the role of fintechs and central bank digital currencies (CBDCs) in transmission of monetary policy. Last week also saw the RBI Governor mention that an approach paper on CBDCs would be released soon.
UPI AutoPay, the recurring payments solution built on top of the UPI platform, went live with its first subscription use case.
These are all our updates for the fortnight, folks! Both of us (Atulaa and Vinay) are on twitter, so feel free to DM us with feedback and topics to include in the next edition. If you liked this, please share it with people interested in Indian fintech regulation!