RBI discusses scale-based regulation for NBFCs, crypto ban redux plus an official digital currency, China-linked apps face more woes, and more...

While we were all transfixed by a subreddit-sparked, Robinhood-powered insurrection against Wall Street (and the resulting calls for more regulation), India had a much less dramatic fortnight. In this edition, we cover India’s continued crackdown on predatory digital lenders, the RBI’s proposed framework for scale-based NBFC regulation, and more.

RBI proposes scale-based regulation for NBFCs#

As promised in its December 2020 Statement on Developmental and Regulatory Policies, the RBI issued a discussion paper proposing to take a scale-based approach to regulate NBFCs.

A quick TL;DR on the position today: NBFCs are more lightly regulated than banks on the assumption that they operate on a smaller scale and are less likely to create systemic risks. IL&FS however gave the lie to this assumption, and in spectacular fashion. The RBI wasn’t unaware of this risk - back in 2006, they moved to categorise NBFCs as systemically important (NBFC-SI) and non systemically important (non-SI). NBFC-SIs and NBFCs that took public deposits had higher capital requirements and more detailed prudential norms and corporate governance guidelines than smaller NBFCs that didn’t take deposits.

In a post-IL&FS world, and one where NBFCs are growing faster than banks, the RBI believes a new approach is required. The move to a scale-based approach would involve grouping of NBFCs by:

1. Overall risk perception
2. Size of operations
3. Activity

Smaller non-deposit taking NBFCs, specialised NBFCs such as P2P lenders and account aggregators, and others with a book size under INR 1,000 cr would fall within the green ‘base layer’ (NBFC-BL), with lighter regulatory controls.

Systemically important NBFCs, deposit taking NBFCs, housing finance companies and others would fall within the yellow ‘middle layer’ (NBFC-ML), with higher regulatory controls aimed at reducing regulatory arbitrage versus banks.

The 25-30 largest and most systemically significant NBFCs will constitute the peach ‘upper layer’ (NBFC-UL), and subject to regulation similar to banks.

The top red-tier is for high-risk NBFCs that may be identified at some point in the future, and require bespoke regulation.

If you are a fintech looking to secure an NBFC license to commence lending, or become an account aggregator, you will likely be at the lightly-regulated bottom tier. All isn’t rosy there though - the RBI has proposed enhancing the minimum capital required from INR 2 cr to INR 20 cr. That could be a significant entry barrier, and also a lot of money to be locked up as regulatory capital!

For more perspective on the proposed changes, check out this twitter thread from Setu’s head of strategy Krishna Hegde on why the new framework means more for very big and very small NBFCs than it does for those in the middle.

Government moots crypto ban redux + central bank digital currency#

The list of business expected to be taken up by Parliament in its upcoming session includes a Bill that seeks to introduce an RBI-backed ‘official’ digital currency, while simultaneously banning all private cryptocurrencies. Both would be far-reaching moves, and in keeping with the government approach so far. An official digital currency was first suggested in 2019, and there have been numerous rumblings since. Separately, the RBI in April 2018 banned banks from dealing with cryptocurrencies, making it near-impossible to run a crypto business in India. This ban was overturned by the Supreme Court in March 2020, leading to the slow resurgence of crypto businesses. Passing a law to ban cryptocurrencies would mean the pendulum swinging back, leaving crypto businesses in limbo once again.

There’s still a lot of blanks to be filled in though. A Bill being mentioned in the list of business does not guarantee it will be introduced, let alone passed. While talking about prohibiting private cryptocurrencies, there is also mention of ‘certain exceptions to promote the underlying technology of cryptocurrency’ - it will be important to see how these exceptions are framed. We can expect a major advocacy effort by the crypto industry in the coming days, highlighting the importance of crypto innovation to India’s startup industry, and doubling down on the self-regulatory code they announced just last week.

Payments companies face crackdown for links with China-based lending apps#

Last week we covered the RBI setting up a new working group on digital lending apps, sparked at least in part by predatory lending practices by China-linked online lenders. Close on the heels of this development, the Enforcement Directorate issued notices last week to payments companies such as Paytm and Razorpay, asking them to stop processing transactions for a host of fintechs with links to Chinese online lenders. The authorities cited insufficient KYC and illegal lending practices as being behind the move, though geopolitical concerns are likely also relevant. Razorpay has stated that they have severed links with 300-400 entities in the context of this crackdown, and we can likely expect a general tightening of KYC and AML checks across the Indian payments industry.

IRDAI’s renewed focus on cyber insurance#

Protecting customer interests against cyber attacks, online financial frauds and personal data breaches is naturally an issue for regulator concern. In recognition of the role played by cyber insurance policies in mitigating the costs of such attacks, IRDAI released a draft of its working committee report on Cyber Liability Insurance.

A few key recommendations on individual cyber insurance are to relax the requirement of filing an FIR, at least for claims up to INR 5000, to define explicit exclusions, to expand its scope to cyber incidents worldwide (given many frauds might originate outside India), and to increase coverage to online shopping frauds, sim-jacking, card-cloning and hardware damage.

On the corporate cyber insurance front, the report details the need for insurers to address ‘silent cyber’, or unintended coverage of losses that spill over from a cyber event. As the image below demonstrates, a cyber attack might trigger events like product recalls, negligence claims against management and hardware damage, over and above first-order data loss costs and business continuity losses. Cyber policies will need to be far more specific in their inclusions and exclusions to avoid what the committee calls ‘non-affirmative coverage’.

Here are some other developments and interesting pieces that got our attention:#

The RBI released an expansive and very useful document outlining the journey of payments systems in India in the decade of 2010-20. It serves as a good primer for anyone who wants an introduction to payments regulation in India.

The Ministry of Electronics & IT issued a permanent ban against 59 Chinese apps, cementing the first wave of temporary bans issued in June 2020.

WhatsApp published FAQs reiterating that WhatsApp Pay UPI payments data complies with data localisation norms, and is subject to a dedicated payments-related privacy policy, which prevails in case of any conflict with the general privacy policy.

The RBI increased the grievance redressal obligations of banks, requiring them to report more statistics and reasons surrounding complaints, and creating monetary disincentives for them if complaints exceed the ‘peer group average’.

The deputy governor of the People’s Bank of China wrote in the FT about China’s new approach to fintech regulation. The statements about ‘big tech companies using profits from other businesses to cross-subsidise and unfairly grab fintech market share’ and the ‘challenges posed by fintech’ are particularly significant in light of the recent domestic troubles faced by Ant Financial and other major Chinese fintechs.

$GME’s wild ride brought into focus the business model of ‘free’, gamified online brokerages such as Robinhood, and the ethics of information arbitrage in public markets.

That’s all for this fortnight! If you know of folks who might find this interesting, send them our way. As always, we’re open to feedback, so hit us up on Twitter with your thoughts.